chkrootkit | grep INFECTED
(chkrootkit reports hits as INFECTED in capitals and clean checks as "not infected", so a lowercase grep would match every clean line too)
24306 pts/0 grep infected
Find the processes on the named TTY: ps aux | grep pts/0
rkhunter
Run rkhunter --check. If a red warning message appears, check carefully whether the host has already been compromised.
View the generated log: cat /var/log/rkhunter.log | grep Warning
Automatically send reports
Run the check and send a notification e-mail at 05:00 every day. Edit the crontab with crontab -e and add an entry like the following (the rkhunter invocation is reconstructed here, and the recipient address is a placeholder):
0 5 * * * /usr/bin/rkhunter --check --cronjob --rwo | mail -s "[rkhunter] report `hostname` `date`" recipient@example.com
Update rkhunter's data files: # rkhunter --update
# ss -lp    (list listening sockets together with the process that owns each)
Find the PIDs of the cron and syslog services:
ps aux | egrep '(cron|syslog)'
Detection with lsof
lsof -i :22
Useful lsof options: -i shows network files, optionally restricted to a port as above; -n does not resolve IP addresses to hostnames (by default they are resolved); -g gid restricts the listing to a group id; +d /dir/ lists the files open under a directory.
Network behaviour analysis with packet capture
Use the packet-capture command to see whether a program on this host is sending attack traffic to a given destination:
tcpdump -i eth1 dst xxx.xxx.xxx.xxx
Terminating processes with kill
There are more than ten ways to control a process; here are some common ones:
kill -STOP [PID] sends SIGSTOP, which stops the process without destroying it.
kill -CONT [PID] sends SIGCONT, which resumes a stopped process.
kill -KILL [PID] sends SIGKILL (signal 9), which forces the process to stop immediately without running any cleanup.
kill -9 -1 kills every process you own.
SIGKILL and SIGSTOP cannot be caught, blocked or ignored, while other signals can. So this is your ultimate weapon.
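The following script is an added example and not part of the original post. It walks a disposable background process through SIGSTOP, SIGCONT and SIGKILL, reading the state letter from /proc/<pid>/stat after each signal, and then shows that a process which has set SIGTERM to be ignored survives SIGTERM but not SIGKILL. It relies on /proc, so it is Linux only; the function names and the 2-second polling limit are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: walks a throwaway background
# process through SIGSTOP, SIGCONT and SIGKILL and reads its state from
# /proc/<pid>/stat after each signal, then shows that a process ignoring
# SIGTERM still dies to SIGKILL. Linux only (relies on /proc).

# proc_state PID: the one-letter state field from /proc/PID/stat
# (S = sleeping, R = running, T = stopped); empty once the process is gone
proc_state() {
    # the state is the first field after the parenthesised command name
    sed 's/.*) //' "/proc/$1/stat" 2>/dev/null | cut -d' ' -f1
}

# wait_state PID STATE: poll for up to ~2 s until the process shows STATE
wait_state() {
    i=0
    while [ "$i" -lt 40 ]; do
        [ "$(proc_state "$1")" = "$2" ] && return 0
        sleep 0.05
        i=$((i + 1))
    done
    return 1
}

# stop_cont_kill: prints "<state> <state> <state> <wait status>", expected "S T S 137"
# (137 = 128 + 9, the shell's encoding of death by SIGKILL)
stop_cont_kill() {
    sleep 300 &                       # disposable target process
    pid=$!
    wait_state "$pid" S || { kill -9 "$pid"; return 1; }
    trace=$(proc_state "$pid")
    kill -STOP "$pid"                 # SIGSTOP: frozen, but still exists
    wait_state "$pid" T || return 1
    trace="$trace $(proc_state "$pid")"
    kill -CONT "$pid"                 # SIGCONT: back to its sleep
    wait_state "$pid" S || return 1
    trace="$trace $(proc_state "$pid")"
    kill -KILL "$pid"                 # SIGKILL: gone, no cleanup handler runs
    status=0
    wait "$pid" 2>/dev/null || status=$?
    printf '%s %s\n' "$trace" "$status"
}

# term_vs_kill: the target ignores SIGTERM; prints "alive gone 137":
# still alive after SIGTERM, gone after SIGKILL, which cannot be ignored
term_vs_kill() {
    sh -c 'trap "" TERM; while :; do sleep 1; done' &
    pid=$!
    sleep 0.2                         # let the target install its trap
    kill -TERM "$pid"
    sleep 0.2
    after_term=alive
    kill -0 "$pid" 2>/dev/null || after_term=gone
    kill -KILL "$pid"
    status=0
    wait "$pid" 2>/dev/null || status=$?
    after_kill=alive
    kill -0 "$pid" 2>/dev/null || after_kill=gone
    printf '%s %s %s\n' "$after_term" "$after_kill" "$status"
}

stop_cont_kill
term_vs_kill
```

The wait status 137 is how the shell reports a child that died from signal 9 (128 plus the signal number); the same value shows up in cron or supervisor logs when something has been killed this way, which makes it a useful marker when reviewing what happened to a process.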
Write a shell script that automates chkrootkit monitoring: if a rootkit is found, send an e-mail to the root user, and save the results to /var/log/messages (via logger).
# vi mychkrootkit ← create the chkrootkit autorun script
#!/bin/bash
PATH=/usr/bin:/bin
TMPLOG=$(mktemp)
# Run chkrootkit
/usr/local/chkrootkit/chkrootkit > "$TMPLOG"
# Send the output to syslog, which writes it to /var/log/messages
cat "$TMPLOG" | logger -t chkrootkit
# A bindshell report on port 465 is expected when SMTPS listens there,
# so drop it unless lsof shows something actually named bindshell on 465
if [ -n "$(grep 465 "$TMPLOG")" ] && [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
    sed -i '/465/d' "$TMPLOG"
fi
# If a rootkit has been found, mail root
[ -n "$(grep INFECTED "$TMPLOG")" ] && \
    grep INFECTED "$TMPLOG" | mail -s "chkrootkit report in $(hostname)" root
rm -f "$TMPLOG"
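As an added example, not the post's own script, the helper below applies the same triage logic to saved report files instead of live scan output: it keeps the case-sensitive INFECTED match, implements the port-465 bindshell exception as an explicit flag (in the post's script that decision comes from lsof -i:465), and counts rkhunter "Warning" lines from an rkhunter.log-style file. Its exit status is 0 only when nothing remains to report, so it can be chained with mail in a cron job. The two sample reports it writes are constructed, not real scan results from any host, and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not the post's script: a triage helper that applies the same
# filtering ideas (chkrootkit INFECTED lines, the SMTPS/465 bindshell exception,
# rkhunter "Warning" lines) to saved report files so the logic can be exercised
# without running a scan. The two sample reports written below are constructed.

# chkrootkit_hits REPORT [ALLOW_465]
# Print the INFECTED lines of a chkrootkit report. chkrootkit prints positives
# as "INFECTED" and clean checks as "not infected", so the match is case-sensitive.
# When ALLOW_465 is "yes" (the caller has confirmed, e.g. with lsof -i:465, that
# only the mail daemon is bound there) the port-465 bindshell line is dropped.
chkrootkit_hits() {
    awk -v allow="$2" '/INFECTED/ { if (allow == "yes" && /465/) next; print }' "$1"
}

# count_chkrootkit_hits REPORT [ALLOW_465]: number of INFECTED lines left after filtering
count_chkrootkit_hits() {
    chkrootkit_hits "$1" "$2" | awk 'END { print NR }'
}

# count_rkhunter_warnings LOG: number of "Warning" lines in an rkhunter.log-style file
count_rkhunter_warnings() {
    awk '/Warning/ { n++ } END { print n + 0 }' "$1"
}

# triage REPORT LOG [ALLOW_465]: one-line summary on stdout; exit status 0 when
# nothing remains to report, 1 otherwise (so cron can mail only on failure)
triage() {
    c=$(count_chkrootkit_hits "$1" "$3")
    w=$(count_rkhunter_warnings "$2")
    printf 'chkrootkit INFECTED lines: %s, rkhunter warnings: %s\n' "$c" "$w"
    [ "$c" -eq 0 ] && [ "$w" -eq 0 ]
}

# --- constructed sample reports (not real scan output from any host) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/chkrootkit.txt" <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... not infected
Checking `sniffer'... not infected
EOF
cat > "$SAMPLE_DIR/rkhunter.log" <<'EOF'
[05:00:01] Info: Starting test name 'filesystem'
[05:00:02] Warning: Hidden directory found: /dev/.udev
[05:00:03] Info: Checking for hidden files and directories
EOF

# Without the 465 exception the bindshell line counts as a finding; with it
# granted only the rkhunter warning remains, and the exit status is still 1.
triage "$SAMPLE_DIR/chkrootkit.txt" "$SAMPLE_DIR/rkhunter.log" no || echo "alert: findings remain"
```

Keeping the exception explicit rather than buried in a sed on the whole log means the 465 line is only removed when someone has actually verified what is listening there; a generic `sed '/465/d'` would also erase any unrelated finding that happened to contain those digits.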
Some small tools:
iptraf - real-time LAN IP monitoring
htop - Linux process monitoring
vnstat / vnstat-php - network traffic monitoring
suricata - network security monitoring
iotop - a simple I/O monitor similar to top
Initialise a vnstat database for an interface:
vnstat -u -i eth0
RELATED LINKS
18 command-line tools for monitoring Linux performance: http://os.51cto.com/art/201402/429890.htm
10 examples of using the lsof command on Linux: http://www.tecmint.com/10-lsof-command-examples-in-linux/
Common methods for Linux security detection: http://m.2cto.com/os/201606/517821.html