CentOS server intrusion detection tips

Source: Internet
Author: User
Tags: centos, server

Even servers with good security protection still need to be checked regularly. The following are some simple ways to determine whether a server has been compromised:

1. Check the login log /var/log/secure for abnormal login entries. If it is empty, inspect the file itself with ll /var/log/secure and see whether it has been emptied or linked to /dev/null (shown as -> /dev/null).

2. Run the history command to view the commands you recently used and check whether any of them are suspicious. Of course, it is quite possible that the entire history is empty (ll .bash_history will show that it is linked to /dev/null), or that it records only the commands you have just run (it has been cleared). Both situations are suspicious: you must disconnect the network, back up your data...

3. The ps command is not necessarily reliable. When a rootkit is present and you cannot find it with the ps command, your ps file has been replaced! Remember, when installing the system, to run md5sum /bin/ps to record the MD5 value of your ps file and du -sh /bin/ps to record its size, so that you can later confirm whether ps has been replaced.

4. Run grep :x:0: /etc/passwd to check how many superusers your system has. Normally there is only one: root:x:0:0:root:/root:/bin/bash

In short, if any of the above situations occurs, you must carefully check your system and back up important data. I couldn't find the rootkit, so I had to reinstall it...
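The four checks above combined into one script, as an added example that is not part of the original article. The function names and the baseline location /root/ps.md5 are assumptions; the baseline is md5sum output saved at install time, and the UID 0 check reads the third passwd field instead of using the grep pattern.

```sh
#!/bin/sh
# Added example: the article's four checks as functions.
# Each returns 0 when the item looks normal, 1 on a warning sign.

# Checks 1 and 2: file is a symlink to /dev/null, missing, or empty.
check_not_wiped() {
    if [ -L "$1" ] && [ "$(readlink "$1")" = "/dev/null" ]; then
        echo "SUSPICIOUS: $1 -> /dev/null"; return 1
    fi
    if [ ! -s "$1" ]; then
        echo "SUSPICIOUS: $1 is missing or empty"; return 1
    fi
    echo "ok: $1"
}

# Check 3: verify binaries against md5sum output saved at install time
# (e.g. md5sum /bin/ps > ps.md5). Keep the baseline off the host if you can.
check_baseline() {
    if md5sum -c "$1" >/dev/null 2>&1; then
        echo "ok: binaries match $1"
    else
        echo "SUSPICIOUS: mismatch against $1"; return 1
    fi
}

# Check 4: every account with UID 0 (third field of passwd).
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

check_uid0() {
    extra=$(uid0_accounts "$1" | grep -vx root || true)
    if [ -n "$extra" ]; then
        echo "SUSPICIOUS: extra UID 0 accounts:" $extra; return 1
    fi
    echo "ok: root is the only UID 0 account"
}

# Run against the live system: sh check.sh --run [baseline-file]
if [ "${1:-}" = "--run" ]; then
    check_not_wiped /var/log/secure
    check_not_wiped "$HOME/.bash_history"
    check_baseline "${2:-/root/ps.md5}"   # assumed baseline location
    check_uid0 /etc/passwd
fi
```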
