Linux Security check

1 ssh Backdoor

Prosecution Statement :

Grep-e "User,pas|user:pas"/usr/bin/*/usr/local/sbin/*/usr/local/bin/*/bin/*/usr/sbin/*/root/bin/*-al

procuratorial method : If found in the following three red box one of the Please and record , basically identified as the existence of the backdoor

2 Nginx rear door

Prosecutorial Statement : grep "pwnginx=" ' which Nginx '-al

procuratorial method : If the search out the basic can determine the existence of the back door, please and record .

no Ann NGINX words can be Ctrl + C exit query

3rd Log Search

Prosecution Statement :

More/var/log/messages* |grep Drawing

more/var/log/messages* | grep glistering

more/var/log/secure* |grep-e ' Failed password '-e ' Accepted password '

procuratorial method : above the first two procuratorial sentences , such as search , as follows

the above two are mainly detected network card modification information , such as the non-native IP address , please record .

The following is more/var/log/secure* |grep-e ' Failed password '-e ' Accepted password '

Search out the login success and failure , please detailed troubleshooting the following IP, and recording time and IP.

4 procuratorial Anomaly Account

Prosecution Statement :

more/etc/passwd

More/etc/sudoer

procuratorial method : View user identification number : Group identification number if one of the 0 is an exception user ( except ROOT and self-established ). Also See if the/etc/sudoer file has other users such as :

5 Login IP and Time

Prosecution Statement :

Who/var/log/wtmp

procuratorial method : Check the abnormal login time and IP, If there is an exception, please record the time IP

6 Abnormal Port prosecution

Prosecution Statement :

Netstat-an|more

procuratorial method : Check the abnormal connection to the local IP and the non-known port . If the problem please record .

7 Network card Query

Prosecution Statement :

Ifconfig

procuratorial method : If there are anomalies , such as the network clamp interface and other non-self-configuration , please record

8 Full-site scanning using the Trojan Scan Tool

useful tools for the time being recommended WINDOWS version of the tool , LINUX version false positives too much , and do not take advantage of observation .

The directory can be copied out for scanning , scanning the 4-5 level of the problem can be identified as a malicious file .

9 Use the query statement , in the server query about illegal pages included in the keywords or words , Locate the location of the illegal page . and query creation time and so on , and focus on checking the files produced during that time period, etc.

10 procuratorial History Operation Information

Prosecution Statement :

History

Inspection method "to see if there are abnormal operations , if there is an exception, please confirm the record

Linux Security check