Article Title: How to check whether a Linux server is hacked with rootkit. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
The "script kid" guy is a type of bad hacker. Basically, many of them and most people have no tips. You can say that if you install all the correct patches, you have a tested firewall and if Advanced Intrusion Detection Systems are activated at multiple levels, you will be hacked only in some cases. That is, you are too lazy to do things, such as installing the latest BIND patch.
Being hacked is really embarrassing. More seriously, some script moles will download some well-known "root kits" or popular spying tools, which occupy your CPU memory data and bandwidth. where can I start? Starting with the root kit
A root kit is actually a Software package that hackers use to provide themselves with root-level access permissions to your machine. Once this hacker can access your machine as root, everything is done. it's just the fastest way to back up your data, clean up your hard disk, and reinstall the operating system. No matter how long your machine is taken over, it's not easy to restore it.
Can you trust your ps command?
The first trick to find out the root kit is to run the ps command. It may seem quite normal for you. The figure below shows an example of the ps command output. The real problem is, "Are you sure you are normal ?" A common trick for hackers is to replace the ps command, and the ps command will not show the illegal running on your machine. To test the command, check your ps file size. It is usually located in/bin/ ps in our Linux machine, it is about 60 kb. I recently encountered a problem where the root kit replaced ps. This is only about 12 kb.
Another obvious scam is to link the root command history file to the/dev/null command history file to track and record the user's usage of commands after logging on to the Linux server. your history file is redirected to/dev/null so that you cannot see that they have entered commands
You can access your history file by typing history at the shell prompt. If you find that you are using the history command and it does not appear in the previous command list, you should check it out. you ~ /. Bash_history file. If the file is empty, execute ls-l ~ /. Bash_history command after you execute the above command, you will see the output similar to the following:
-Rw --- 1 jd 13829 Oct 10/home/jd/. bash_history
Or you may see output similar to the following:
Lrwxrwxrwx 1 jd 9 Oct 10 :40/home/jd/. bash_history->/dev/null
If you see 2nd, it indicates this. the bash_history file has been redirected to/dev/null. This is a critical message. Now, immediately disconnect your machine from the Internet. Back up your data as much as possible and reinstall the system.
Search for unknown user accounts
When you want to perform a test on your Linux machine, it is wise to first check whether an unknown user account exists. Next time you log on to your Linux machine, run the following command:
Grep: x: 0:/etc/passwd
Only line I emphasize again in a standard Linux installation grep command should only return the line similar to the following:
Root: x: 0: 0: root:/bin/bash
If the system returns more than one line after the grep command is run, there may be a problem. Only one user UID should be 0. If the grep command returns more than one line, it means more users
Seriously, although the above are some good basic ideas and methods for discovering hacker behavior, these tips and techniques cannot constitute sufficient security and their depth and breadth are far inferior to the intrusion detection system mentioned in the article. diyuan