Common Linux commands used to trace hacker attacks
1
Get the PID of the process that is running filename:
# pidof filename
2
Find the process that holds a file open, or that is bound to a TCP/UDP port:
# fuser -n tcp port
3
View a file's modification time, size and other metadata:
# stat filename
4
View the loaded kernel modules:
# lsmod
5
View which RPC services are registered:
# rpcinfo -p
6
Check whether the network interface has been put into promiscuous mode (a sign of a sniffer):
# dmesg | grep eth0
7
Check whether a command binary has been replaced, much like an md5sum comparison:
# rpm -Vf /bin/ls
rpm -Vf /bin/ps prints nothing if the file is intact; otherwise it prints a line such as SM5....T /bin/su.
If the rpm database itself has been modified it cannot be trusted; the only reliable comparison is against the original package fetched over the network or from the rpm database on the CD-ROM.
For example: rpm -Vvp ftp://mirror.site/dir/RedHat/RPMS/fileutils-3.16-10.i386.rpm
The following commonly replaced commands should be checked:
/usr/bin/chfn
/usr/bin/chsh
/bin/login
/bin/ls
/usr/bin/passwd
/bin/ps
/usr/bin/top
/usr/sbin/in.rshd
/bin/netstat
/sbin/ifconfig
/usr/sbin/syslogd
/usr/sbin/inetd
/usr/sbin/tcpd
/usr/bin/killall
/sbin/pidof
/usr/bin/find
8
If you are examining a machine that has already been confirmed as compromised, we recommend that you:
1. Make a dd backup of the hard disk.
2. Mount a CD-ROM containing statically compiled versions of the commonly used tools such as ls, ps and netstat.
3. Use nc to send the output of every step to a remote machine.
9
Use md5sum to record a checksum of every file in a directory tree:
find /sbin -type f | xargs md5sum > 1st
Check for changes later (md5sum -c prints OK for unchanged files, so filter those out):
md5sum -c 1st | grep -v OK
10
To avoid excessive write operations on the attacked machine, you can:
1. On another machine, 192.168.20.191, run
nc -L -p 1234 > some_audit_output.log    (note that -L is uppercase: it keeps listening after each connection)
2. On the attacked machine run
command | nc 192.168.20.191 1234
Or
script > /mnt/export.log
After the examination, press Ctrl+D to save the recording.
11
Method for finding suspicious programs through their processes:
1. netstat -anp; this step relies mainly on experience. Record every suspicious item.
2. Go to the process's directory under /proc, for example cd /proc/3299
3. ls -la; the exe link normally shows the path of the executable file.
4. Go to the fd directory to view the open file handles. Here you can usually locate the executable program.
5. ps -awx: check the suspicious process.
12
If the hacker has deleted logs:
1. Search thoroughly for all deleted logs, such as shell history and sniffer logs.
2. In the /proc/pid/fd directory the system shows which open files have been deleted:
l-wx------ 1 root root 64 Aug 10 20:54 15 -> /var/log/httpd/error_log (deleted)
l-wx------ 1 root root 64 Aug 10 20:54 18 -> /var/log/httpd/ssl_engine_log (deleted)
3. Use a statically compiled lsof | grep deleted to list every deleted file that is still open:
COMMAND PID  USER FD TYPE DEVICE SIZE NODE   NAME
gpm     1650 root 1u REG  8,2    5    149743 /var/run/gpm208raa (deleted)
4. Note the inode number of the file; here it is 149743.
5. Use sleuthkit to recover the data:
df /var shows that the file system is on sda1.
icat /dev/sda1 149743
6. Examine the recovered files carefully; traces can usually be found.
Compiled programs are harder to analyze, especially when the attacker built and stripped them like this:
gcc -O4 evil.c -o evil
strip ./evil
1. Check the file type with file: whether it is statically compiled and whether it has been stripped.
2. strings: display the ASCII strings in the program; search for them on Google.
3. strace traces system calls (I do not know how to use it well): strace -p pid
4. gdb (not used here)
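Added example, not part of the original article: a POSIX shell function that performs steps 2 to 4 of the item above by walking /proc directly, so no lsof binary on the suspect machine has to be trusted, and prints the inode number that step 5 passes to icat. It assumes a Linux /proc and a stat that accepts -L -c %i (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example (not from the original article): walk /proc/*/fd and report
# open file descriptors whose target has been unlinked, the same "(deleted)"
# entries item 12 reads from ls -la and lsof, plus the inode number that
# step 5 passes to icat.  Assumes a Linux /proc and a stat that accepts
# -L -c %i (GNU coreutils or busybox).

# deleted_open_files [PID]
# Prints one line "PID FD INODE PATH" per unlinked-but-open file.  Without
# an argument every readable process in /proc is scanned; as a non-root
# user that covers only your own processes.
deleted_open_files() {
    scope="${1:-[0-9]*}"
    for fd in /proc/$scope/fd/*; do
        # -L (lstat) keeps working on the fd link even after the target is
        # gone; it also skips the literal pattern when the glob matched nothing
        [ -L "$fd" ] || continue
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *' (deleted)')
                pid=${fd#/proc/}; pid=${pid%%/*}
                fdnum=${fd##*/}
                # the fd link still resolves to the open inode, so stat -L on
                # it yields the number icat needs
                inode=$(stat -L -c %i "$fd" 2>/dev/null) || inode='?'
                printf '%s %s %s %s\n' "$pid" "$fdnum" "$inode" "${target% (deleted)}"
                ;;
        esac
    done
}

# Usage when run as a script:  sh thisfile.sh --scan [PID]
case "${1:-}" in
    --scan) deleted_open_files "${2:-}" ;;
esac
```

Run it from a statically linked shell on the evidence CD-ROM; the PATH column is the original name of the unlinked file and the INODE column is the argument for icat.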
13
Some processes are hidden from ps but still leave traces in /proc, so hidden processes can be found there.
/proc is a pseudo file system that provides a structured interface to /dev/kmem, allowing the system to diagnose and inspect the environment of every running executable.
# ps -ef | awk '{print $2}' | sort -n | uniq > 1
# ls /proc | sort -n | uniq > 2
# diff 1 2
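Added example, not from the original article: the same ps-versus-/proc comparison, refined so that processes which start or exit between the two snapshots (including the ps and sort pipeline itself) are not reported as hidden. It assumes a Linux /proc and a ps that accepts -e -o pid=.

```shell
#!/bin/sh
# Added example (not from the original article): the ps-versus-/proc
# comparison from item 13, with one refinement.  Processes that start or
# exit between the two snapshots (the ps/sort pipeline itself, a cron job)
# show up in a plain diff as false "hidden" PIDs, so every candidate is
# re-checked against /proc before it is reported.  Assumes a Linux /proc
# and a ps that accepts -e -o pid=.

# missing_pids PS_LIST PROC_LIST
# Both arguments are whitespace-separated PID lists.  Prints, one per line
# and in numeric order, the PIDs present in PROC_LIST but absent from
# PS_LIST.  Pure POSIX sh + awk, so it also works from a static toolkit.
missing_pids() {
    { printf 'ps %s\n' $1; printf 'proc %s\n' $2; } |
    awk '$1 == "ps"   { seen[$2] = 1 }
         $1 == "proc" && !($2 in seen) && !dup[$2]++ { print $2 }' |
    sort -n
}

# hidden_processes
# Snapshot /proc first and ps second: anything that is in /proc, missing
# from ps, and still present afterwards has survived long enough to matter.
hidden_processes() {
    proc_list=$(ls /proc | grep -E '^[0-9]+$')
    ps_list=$(ps -e -o pid=)
    for pid in $(missing_pids "$ps_list" "$proc_list"); do
        [ -d "/proc/$pid" ] || continue    # gone: it was just transient
        echo "$pid $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    done
}

# Usage when run as a script:  sh thisfile.sh --scan
case "${1:-}" in
    --scan) hidden_processes ;;
esac
```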
14
The emergency toolkit tct contains many tools, including icat and other data-recovery tools.
Once you have collected the evidence from the attacked machine, you can mount its hard disk elsewhere or back it up over the network as follows:
a. On the network machine run: nc -L -p 1234 > abc.img
b. On the attacked machine run: dd if=/dev/hdb5 count=20000 bs=1024 | nc <network machine IP> 1234 -w 3
If the backup is too large, listen on several ports, run several dd copies in parallel, and then concatenate the pieces with cat (for example cat 1 2 > 1.img).
15
ldd displays the dynamic libraries an executable depends on, but it cannot show libraries that are loaded indirectly.
[root@rh9bk root]# ldd /bin/ls
libtermcap.so.2 => /lib/libtermcap.so.2 (0x40022000)
libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
strace is a debugging tool that displays every system call made while a program runs:
[root@rh9bk root]# strace -e open /bin/ls > /dev/null
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libtermcap.so.2", O_RDONLY) = 3
open("/lib/tls/libc.so.6", O_RDONLY) = 3
open("/usr/lib/locale-archive", O_RDONLY|O_LARGEFILE) = 3
open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
open("/etc/mtab", O_RDONLY) = 3
open("/proc/meminfo", O_RDONLY) = 3
strace -o out telnet 192.168.100.100
The -o option writes the strace output to the file out; any file name can be used.
Opening the out file reveals a great many system calls. We are mainly interested in the open calls: open is used not only to load the dynamic libraries before they are called, but also to read configuration files, so a one-line sed script can print every open line in the out file:
sed -n -e '/^open/p' out
The output is as follows:
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libutil.so.1", O_RDONLY) = 3
open("/usr/lib/libncurses.so.5", O_RDONLY) = 3
open("/lib/i686/libc.so.6", O_RDONLY) = 3
open("/etc/resolv.conf", O_RDONLY) = 3
open("/etc/nsswitch.conf", O_RDONLY) = 3
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libnss_files.so.2", O_RDONLY) = 3
open("/etc/services", O_RDONLY) = 3
open("/etc/host.conf", O_RDONLY) = 3
open("/etc/hosts", O_RDONLY) = 3
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libnss_nisplus.so.2", O_RDONLY) = 3
open("/lib/libnsl.so.1", O_RDONLY) = 3
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libnss_dns.so.2", O_RDONLY) = 3
open("/lib/libresolv.so.2", O_RDONLY) = 3
open("/etc/services", O_RDONLY) = 3
open("/root/.telnetrc", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/terminfo/l/linux", O_RDONLY) = 4
The output shows several libraries that ldd could not display:
/lib/libnss_dns.so.2
/lib/libresolv.so.2
/lib/libnsl.so.1
/lib/libnss_nisplus.so.2
/lib/libnss_files.so.2
strace -o aa -ff -p PID follows child processes too and writes one output file per process, all with names starting with aa.
grep open aa* | grep -v -e No -e null -e denied | grep WR    lists the files the open calls opened for writing.
16
To send logs to a log host, follow these steps:
a. vi /etc/syslog.conf and add the line  *.* @192.168.20.163  to send all logs to 192.168.20.163
b. service syslog restart
c. Install kiwisyslogd on 192.168.20.163
d. Log in remotely and enter a wrong password; an alarm appears immediately on the log host. You can also watch the traffic with tcpdump port 514.
17
If you know that the hacker broke in on 09/27, then:
touch -t 09270000 /tmp/a
find / \( -newer /tmp/a -o -cnewer /tmp/a \) -ls
This lists the files changed or created since that day.
18
Full disk replication:
dd if=/dev/sda of=/dev/sdb bs=1024
Partition replication (tested):
dd if=/dev/sda1 of=/abc bs=1024    (the image is saved in the root partition; mount shows that the root partition is sda2)
Boot another Linux system and run: mount /dev/sda2 /mnt
The abc file is now visible; run: mount /mnt/abc /tmp -o loop
The contents of the image file are now visible under /tmp.
19 find
Find files containing a given string (in testing this also works on binaries, matching what strings would print):
find /tmp -type f -exec grep "noexist" {} \; -print
find /etc/rc.d -name '*crond' -exec file {} \;
The second command searches /etc/rc.d and runs file on every file whose name ends in crond to show its type. Note the spacing: there is a space between exec and file, between file and {}, and between {} and \; and the \; is a single token.
20
kill -SIGSEGV <pid> makes the process dump a core file, which can then be examined with strings. A C program can be used to rebuild an executable from the core; an article on this is saved under /unix/ for study. In my test no core file was produced, for an unknown reason.