Friends often run into the problem of a server being hacked. After collecting and organizing the related material, I present here how to find out whether a Linux server has been hacked; I hope you get a lot out of it. If you have all the correct patches installed, with a tested firewall and an advanced intrusion detection system activated at multiple levels, there is only one case in which you will be hacked: you were too lazy to do what needed to be done, for example, to install the latest patch for bind.
Being hacked is really embarrassing, and even worse, some script kiddies will also download some well-known "root kits" or popular spying tools that take up your CPU, memory, data, and bandwidth. Where do the bad guys start? It starts with the root kit.
A root kit is actually a software package that hackers use to give themselves root-level access to your machine. Once a hacker is able to access your machine as root, it's all over. The only thing you can do is back up your data as quickly as possible, wipe the hard drive, and then reinstall the operating system. In any case, once your machine has been taken over by someone, it is not easy to recover.
Can you trust your ps command?
The first trick for finding a root kit is to run the ps command. It's possible that everything looks normal to you. The illustration shows an example of ps command output. The real question is, "is everything really normal?" A common trick for hackers is to replace the ps command, and the replacement ps will not show the illegal programs that are running on your machine. To test this, you should check the size of your ps file, which is usually located at /bin/ps. It's about 60kB on our Linux machine. I recently encountered a ps program that had been replaced by a root kit, which was only about 12kB in size.
Another obvious scam is to link root's command history file to /dev/null. This history file tracks and records the commands a user enters after logging on to a Linux machine. Hackers redirect your history file to /dev/null so that you cannot see the commands they have entered.
You can view your history file by typing history at the shell prompt. If you find that the history command you just used does not appear in the list of previously used commands, you should take a look at your ~/.bash_history file. If the file is empty, execute ls -l ~/.bash_history. After executing that command you will see output similar to the following:
-rw------- 1 jd jd 13829 Oct 17:06 /home/jd/.bash_history
Alternatively, you may see output similar to the following:
lrwxrwxrwx 1 jd jd 9 Oct 19:40 /home/jd/.bash_history -> /dev/null
If you see the second one, the .bash_history file has been redirected to /dev/null. This is a deadly sign: now you have to disconnect your machine from the Internet, back up as much data as you can and start reinstalling the system.
Solving a hacked Linux server: look for unknown user accounts
When you're going to test your Linux machine, it's wise to check for unknown user accounts first. The next time you log on to your Linux server, type the following command:
grep :0: /etc/passwd
Just one line, I stress again: on a standard Linux installation, the grep command should return only one row, similar to the following:
root:x:0:0:root:/root:/bin/bash
If your system returned more than one row after you typed the grep command, that might be a problem. Only one user should have a UID of 0; if the grep command returns more than one row, more than one account has it. Seriously, these are some of the best basic methods for discovering hacker behavior. But the techniques themselves do not constitute enough security, and their depth and breadth are far from the intrusion detection systems mentioned at the beginning of the article.
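The three manual checks described above (the size of /bin/ps, the history file symlinked to /dev/null, and the UID 0 grep) can be scripted so that they run the same way every time. The following POSIX shell script is an added example, not code from the original article. The size thresholds of 50000 and 200000 bytes are assumptions chosen around the 60kB figure quoted above; replace them with the size of the ps binary your own distribution ships. The UID check matches the third passwd field with awk rather than using grep :0:, because grep also matches accounts whose group ID is 0 (the sync, shutdown and halt service accounts on Red Hat style systems), which would raise a false alarm.

```sh
#!/bin/sh
# Added example (not from the original article): scripted versions of the
# three manual checks, written as functions so each can be run against any
# file path, including constructed sample files.

# Size thresholds in bytes are ASSUMED for illustration; set them from the
# size of the ps binary your distribution actually ships.
PS_MIN_BYTES=${PS_MIN_BYTES:-50000}
PS_MAX_BYTES=${PS_MAX_BYTES:-200000}

# Check 1: a replaced ps is often far smaller than the real one.
# Usage: check_binary_size PATH MIN MAX   (returns 1 if outside the range)
check_binary_size() {
    bin=$1; min=$2; max=$3
    [ -f "$bin" ] || { echo "SUSPICIOUS: $bin is missing"; return 1; }
    size=$(wc -c < "$bin" | tr -d ' ')   # strip padding some wc builds add
    if [ "$size" -lt "$min" ] || [ "$size" -gt "$max" ]; then
        echo "SUSPICIOUS: $bin is $size bytes (expected $min-$max)"
        return 1
    fi
    echo "OK: $bin is $size bytes"
}

# Check 2: the history file must be a regular file, not a symlink
# (a link to /dev/null is the classic trick described in the article).
# Usage: check_history_link PATH   (returns 1 if it is a symlink)
check_history_link() {
    hist=$1
    if [ -L "$hist" ]; then
        echo "SUSPICIOUS: $hist is a symlink to $(readlink "$hist")"
        return 1
    fi
    echo "OK: $hist is not a symlink"
}

# Check 3: count accounts whose UID field (field 3) is numerically 0.
# Comparing the field itself is stricter than grep :0:, which also hits GID 0.
# Usage: count_uid0 PASSWD_FILE   (prints the count)
count_uid0() {
    awk -F: '$3 == 0 { n++ } END { print n + 0 }' "$1"
}

# Usage: check_uid0 PASSWD_FILE   (returns 1 unless exactly one UID 0 account)
check_uid0() {
    n=$(count_uid0 "$1")
    if [ "$n" -ne 1 ]; then
        echo "SUSPICIOUS: $n accounts with UID 0 in $1:"
        awk -F: '$3 == 0 { print "  " $1 }' "$1"
        return 1
    fi
    echo "OK: exactly one UID 0 account in $1"
}

# Run all three checks against the live system; return 1 if any is suspicious.
scan_host() {
    rc=0
    check_binary_size /bin/ps "$PS_MIN_BYTES" "$PS_MAX_BYTES" || rc=1
    check_history_link "${HOME:-/root}/.bash_history" || rc=1
    check_uid0 /etc/passwd || rc=1
    return "$rc"
}

# Only scan when explicitly asked, so the functions can be sourced and tested
# against sample files without touching the live system.
if [ "${1:-}" = "--scan" ]; then
    scan_host
fi
```

Run it as sh rootkit_checks.sh --scan; the individual functions also accept any passwd-format, history or binary path you hand them. Keep in mind that a root kit which replaces ps can replace ls, wc, readlink and awk just as easily, so the reliable form of these checks is to boot from trusted media or to verify the binaries against the package manager's recorded checksums (rpm -V or debsums) rather than trusting the live system's own tools.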