1 SSH backdoor
Check command:
grep -E "user,pas|user:pas" /usr/bin/* /usr/local/sbin/* /usr/local/bin/* /bin/* /usr/sbin/* /root/bin/* -al
Check method: -a makes grep treat binaries as text and -l prints only the names of matching files. If any of the three strings marked in the original screenshot (red boxes) turns up in a system binary, record it; a hit basically confirms an SSH backdoor.
2 Nginx backdoor
Check command: grep "pwnginx=" `which nginx` -al
Check method: if the command prints the nginx binary, the backdoor can basically be confirmed; record it.
If nginx is not installed, `which nginx` expands to nothing, so grep has no file argument and waits on standard input; press Ctrl+C to exit.
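The two backdoor greps above, as an added example that is not from the original checklist: a small shell script that scans a directory tree for the marker strings with grep -a (treat binaries as text) and -l (list matching files only), and that checks whether nginx is present before grepping it so the command cannot hang on stdin. The sample tree, its file names and the marker bytes inside the files are constructed for the demonstration and are not real binaries.

```shell
#!/bin/sh
# Added example, not part of the original checklist. Scans a directory tree
# for the SSH and nginx backdoor marker strings and builds a constructed
# sample tree so it runs offline.

# scan_for_markers DIR... : print every regular file under DIR... containing
# one of the markers. -a treats binary files as text, -l prints only the
# file name, -r recurses, -E enables the | alternation.
scan_for_markers() {
    grep -alrE 'user,pas|user:pas|pwnginx=' "$@" 2>/dev/null
}

# scan_nginx_binary [PATH] : grep the nginx binary for the pwnginx marker.
# Without an argument it looks nginx up on PATH. If nginx is absent, the
# one-liner on the page runs grep with no file and blocks on stdin (hence
# the Ctrl+C advice); here we return 2 instead.
scan_nginx_binary() {
    bin=$1
    [ -n "$bin" ] || bin=$(command -v nginx 2>/dev/null) || :
    if [ -z "$bin" ]; then
        echo "nginx not found on PATH, skipping" >&2
        return 2
    fi
    grep -al 'pwnginx=' "$bin"
}

# make_sample_tree : constructed sample data (files that merely start like an
# ELF header, not real programs). Prints the temp directory it created.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/sbin"
    # clean file: ELF-looking header, no marker
    printf '\177ELF\001\002clean program\000no markers here\n' > "$dir/bin/ls"
    # "patched sshd": carries the credential-logging marker
    printf '\177ELF\001\002\000sshd patched\000user:pas\000sendto\n' > "$dir/sbin/sshd"
    # "trojaned nginx": carries the nginx marker
    printf '\177ELF\001\002pwnginx=1\000\n' > "$dir/sbin/nginx"
    echo "$dir"
}

# Example run: prints the two marked files, then the nginx hit again.
d=$(make_sample_tree)
scan_for_markers "$d"
scan_nginx_binary "$d/sbin/nginx"
rm -rf "$d"
```

On a live host call scan_for_markers with the same directories as the one-liner (/usr/bin /usr/local/sbin /usr/local/bin /bin /usr/sbin /root/bin); run it as root so unreadable files do not silently drop out of the result.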
3 Log search
Check commands:
more /var/log/messages* | grep Drawing
more /var/log/messages* | grep glistering
more /var/log/secure* | grep -e 'Failed password' -e 'Accepted password'
Check method: the first two commands search /var/log/messages for network interface changes (the two grep patterns are reproduced as they appear in the source); look for IP addresses that are not the host's own and record them.
The third command, more /var/log/secure* | grep -e 'Failed password' -e 'Accepted password', lists both successful and failed password logins. For every IP that appears, follow up in detail and record the time and the IP.
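The secure-log check above, as an added example that is not from the original checklist: shell functions that summarize Failed/Accepted password events per source IP, list the time and IP of every successful login (what the checklist says to record), and flag IPs whose failures were followed by a success. The sshd log lines, host name, user names and addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original checklist: summarize sshd password
# events from /var/log/secure-style lines per source IP. Run the functions
# on a real host with e.g.  cat /var/log/secure* | summarize_logins

# Constructed sample lines in the format sshd writes to /var/log/secure.
SAMPLE_SECURE='Mar  3 10:01:12 web1 sshd[2201]: Failed password for root from 203.0.113.45 port 51324 ssh2
Mar  3 10:01:15 web1 sshd[2201]: Failed password for root from 203.0.113.45 port 51326 ssh2
Mar  3 10:01:19 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.45 port 51330 ssh2
Mar  3 10:02:40 web1 sshd[2210]: Accepted password for root from 203.0.113.45 port 51402 ssh2
Mar  3 11:15:02 web1 sshd[2300]: Accepted password for deploy from 10.0.0.12 port 40122 ssh2
Mar  3 11:20:44 web1 sshd[2310]: Failed password for deploy from 10.0.0.12 port 40150 ssh2'

# summarize_logins : read log lines on stdin, print "IP failed accepted",
# one line per source IP. The IP is the word after "from", which works for
# both "for USER from IP" and "for invalid user USER from IP".
summarize_logins() {
    grep -e 'Failed password' -e 'Accepted password' |
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if ($0 ~ /Failed password/) failed[ip]++; else accepted[ip]++
        seen[ip] = 1
    }
    END { for (ip in seen) printf "%s %d %d\n", ip, failed[ip] + 0, accepted[ip] + 0 }' |
    sort
}

# accepted_logins : "date time user IP" for every successful password login,
# i.e. the time/IP pairs the checklist says to record.
accepted_logins() {
    awk '/Accepted password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        print $1, $2, $3, $9, ip
    }'
}

# suspicious_ips : IPs with at least three failures and at least one
# success, the pattern of a password-guessing attack that eventually got in.
suspicious_ips() {
    summarize_logins | awk '$2 >= 3 && $3 >= 1 { print $1 }'
}

# Example run against the constructed sample.
printf '%s\n' "$SAMPLE_SECURE" | summarize_logins
printf '%s\n' "$SAMPLE_SECURE" | accepted_logins
printf '%s\n' "$SAMPLE_SECURE" | suspicious_ips
```

Rotated logs are often compressed; use zcat for the .gz copies so the whole retention window is covered, and remember that key-based logins write "Accepted publickey", which this filter deliberately leaves out.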
4 Check for abnormal accounts
Check commands:
more /etc/passwd
more /etc/sudoers
Check method: in /etc/passwd look at the UID and GID (the third and fourth colon-separated fields); any account other than root, or one you created yourself, with a UID or GID of 0 is an abnormal user. Also check whether /etc/sudoers (and the files it includes from /etc/sudoers.d) grants privileges to users other than the ones you expect, such as:
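The account check above, as an added example that is not from the original checklist: awk filters that pull UID-0/GID-0 accounts and interactive-shell accounts out of /etc/passwd, and the non-root principals out of /etc/sudoers. The passwd and sudoers contents below are constructed samples; the account names in them are invented.

```shell
#!/bin/sh
# Added example, not from the original checklist: find abnormal accounts in
# /etc/passwd and extra grants in /etc/sudoers. On a real host run
#   uid0_accounts < /etc/passwd      sudoers_grants < /etc/sudoers

# Constructed sample of /etc/passwd: two extra UID/GID-0 accounts.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
toor:x:0:0::/root:/bin/bash
backup:x:1002:0::/var/backups:/bin/sh'

# Constructed sample of /etc/sudoers.
SAMPLE_SUDOERS='## Allow root to run any commands anywhere
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL

deploy  ALL=(ALL) NOPASSWD: ALL
#www-data ALL=(ALL) NOPASSWD: /bin/sh'

# uid0_accounts : accounts other than root whose UID (field 3) or GID
# (field 4) is 0. GID 0 counts too: it gives group-root access to files.
uid0_accounts() {
    awk -F: '$1 != "root" && ($3 == 0 || $4 == 0) { print $1 }'
}

# login_shell_accounts : accounts whose shell is not nologin/false; a new
# one you did not create deserves a look even with a normal UID.
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# sudoers_grants : principals (users and %groups) given rights in a sudoers
# file, skipping comments, blank lines, Defaults and root. Note that
# #include/#includedir lines also start with # and are skipped here, so run
# this over /etc/sudoers.d/* as well.
sudoers_grants() {
    awk '/^[ \t]*(#|$)/ { next }
         /^Defaults/ { next }
         $1 != "root" { print $1 }'
}

printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts          # toor, backup
printf '%s\n' "$SAMPLE_PASSWD" | login_shell_accounts   # root, deploy, toor, backup
printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_grants        # %wheel, deploy
```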
5 Login IP and time
Check command:
who /var/log/wtmp
Check method: look for logins at abnormal times or from abnormal IPs (the last command reads the same file and also shows logout times). If there is an anomaly, record the time and the IP.
6 Abnormal port check
Check command:
netstat -an | more
Check method: look for connections to the local IP that you do not recognize and for listening ports that do not belong to a known service (netstat -anp additionally shows the owning process). Record anything suspicious.
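The port check above, as an added example that is not from the original checklist: awk filters over netstat -an output that report listening sockets whose port is not on an allowlist and established connections to peers outside the private address ranges. The netstat lines, addresses and the allowlist are constructed for the demonstration; the "internal hosts only" assumption in external_connections is one you should adjust for your own network.

```shell
#!/bin/sh
# Added example, not from the original checklist: flag unexpected listeners
# and external peers in `netstat -an` output. On a real host:
#   netstat -an | unknown_listeners "22 80 443"      netstat -an | external_connections

# Constructed netstat -an output: a 4444 listener and an IRC-port peer.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.12:40122         ESTABLISHED
tcp        0      0 10.0.0.5:51877          198.51.100.7:6667       ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# unknown_listeners "PORT PORT ..." : TCP sockets in LISTEN, plus UDP sockets
# (which have no State column), whose local port is not in the allowlist.
# The port is whatever follows the last colon, so :::22 style IPv6 works.
unknown_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $6 == "LISTEN" || ($1 ~ /^udp/ && NF == 5) {
            n = split($4, f, ":"); port = f[n]
            if (!(port in ok)) print $4
        }'
}

# external_connections : ESTABLISHED connections whose peer is outside
# loopback and the RFC 1918 ranges. Assumption: this host should only talk
# to internal systems; adjust the pattern for hosts with legitimate
# internet-facing traffic.
external_connections() {
    awk '$6 == "ESTABLISHED" &&
         $5 !~ /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ {
             print $5
         }'
}

printf '%s\n' "$SAMPLE_NETSTAT" | unknown_listeners "22 80 443 3306"   # 0.0.0.0:4444, 0.0.0.0:68
printf '%s\n' "$SAMPLE_NETSTAT" | external_connections                 # 198.51.100.7:6667
```

A listener on an unexpected port is worth pairing with the process behind it (netstat -anp or ss -lntp) before recording it, since a reverse shell or bind shell usually shows up as an unfamiliar binary path.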
7 Network card check
Check command:
ifconfig
Check method: look for anything you did not configure yourself, such as extra network interfaces or addresses; record any anomaly.
8 Full-site scan with a webshell (trojan) scanning tool
For now the Windows version of the tool is recommended; the Linux version produces too many false positives and is not convenient to review.
The site directory can be copied off the server for scanning; files the scanner rates at level 4-5 can be treated as malicious.
9 Use search-engine queries to find the keywords or phrases under which illegal pages on the site have been indexed, then search the server for those keywords to locate the illegal page. Check the page's creation time and focus on the files produced during that same period.
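The keyword-and-timestamp procedure above, as an added example that is not from the original checklist: a function that greps a web root for the indexed keywords and one that lists every file modified within a chosen time window, using two temporary reference files with find -newer so it needs no GNU-only options. The web root, file names, keywords and timestamps are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original checklist: locate pages carrying spam
# keywords under a web root, then list every file modified in the same
# window as the hit. On a real server point it at the site directory.

# find_keyword_pages DIR 'kw1|kw2' : files under DIR containing any keyword,
# case-insensitive. -l lists names only; -I skips binary files.
find_keyword_pages() {
    grep -rliIE "$2" "$1" 2>/dev/null | sort
}

# files_between DIR START END : regular files under DIR modified between the
# two timestamps, given in touch -t format ([CC]YYMMDDhhmm). Two temporary
# reference files carry the bounds so plain POSIX find -newer works.
files_between() {
    lo=$(mktemp) && hi=$(mktemp) || return 1
    touch -t "$2" "$lo" && touch -t "$3" "$hi"
    find "$1" -type f -newer "$lo" ! -newer "$hi" | sort
    rm -f "$lo" "$hi"
}

# make_sample_site : constructed site. A spam page lands in uploads/ at
# 2024-03-03 10:12 and a config file is touched three minutes later.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/uploads" "$root/inc"
    printf '<?php echo "hello"; ?>\n' > "$root/index.php"
    printf '<?php $db = "localhost"; ?>\n' > "$root/inc/config.php"
    printf '<?php // helper ?>\n' > "$root/inc/lib.php"
    printf '<html><title>cheap casino bonus</title></html>\n' > "$root/uploads/x.php"
    touch -t 201901010000 "$root/index.php" "$root/inc/lib.php"
    touch -t 202403031012 "$root/uploads/x.php"
    touch -t 202403031015 "$root/inc/config.php"
    echo "$root"
}

# Example run: the spam page, then everything changed around its mtime.
site=$(make_sample_site)
find_keyword_pages "$site" 'casino|viagra|lottery'
files_between "$site" 202403031000 202403031030
rm -rf "$site"
```

Take the window bounds from the hit's own timestamp (ls -l or stat on the located page); an attacker who drops a webshell usually edits a second file (config, .htaccess, an include) within minutes, which is what the window is meant to surface.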
10 Check command history
Check command:
history
Check method: look for abnormal operations; if there are any, confirm and record them.
Linux Security check