How to discover network "intruders" in users' computers"

It is critical to promptly discover hacker intrusions, find intruders, and take effective solutions.

How to discover intruders

It is probably the worst thing to know if the system is intruded. The following uses a UNIX system as an example to show you how to determine whether your network system has intruders Based on the Analysis of Network exceptions.

Abnormal access logs

Intruders often use scanning tools or manual scanning methods to detect the system before they intrude into and control the system to obtain more information. Such scanning behaviors are recorded by system service logs. For example, an IP address appears repeatedly in various service logs of the system and attempts to exploit the vulnerability. For example, an IP address establishes a null connection to multiple services of the same system for multiple times, this is probably because intruders are collecting version information about a service.

Note! In a UNIX operating system, if someone accesses unnecessary services or services with serious security risks, such as finger and rpc; alternatively, if a large number of consecutive failed logon records appear in Telnet, FTP, POP3, and other service logs, it is likely that intruders are trying to guess the system password. These are the precursor to attacks!

Increasing network traffic

If the access traffic of the server suddenly increases, it indicates that your system may have been controlled by intruders and intruded into to scan and attack other servers. It turns out that many intruders scan remote hosts, identify security vulnerabilities, and then launch attacks. These actions will cause a sudden increase in network traffic.

Illegal Access

If you find that a user attempts to access control and modify/etc/shadow, system logs, and system configuration files, it is very likely that the user has been controlled by intruders and is trying to gain higher permissions.

Normal Service Termination

For example, if the System Log Service suddenly stops unexpectedly or your IDS program suddenly stops, it implies that intruders are trying to stop these threatening services, to avoid "trace" on system logs ".

Suspicious processes or illegal services

Any suspicious process in the system should be checked carefully, for example, the http service started with root, or the Service originally closed in the system should be restarted. These suspicious processes and services may be attack processes, backdoor processes, or Sniffer processes initiated by intruders.

System files or users

Intruders usually change the configuration files in the system to avoid tracing, or load software such as backdoors and attack programs to facilitate next access. For example, for UNIX, intruders or syslog modification. conf file to remove the secure entries to avoid login backdoor audit, or modify hosts. deny, hosts. allow to remove tcpwrapper from filtering the IP addresses of intruders; or even add an entry in rc. d to enable the backdoor program when the system starts. Therefore, the illegal modification of system files or the addition of a user may mean that your system may be controlled by intruders.

Suspicious data

If the system finds a name such as space, dot plus space, ".. ^ M "(Click ctrl + M),"... "(DOT) and other suspicious directories, you need to pay attention, because intruders often use and hide files in such directories, such as some directories (especially in the/tmp directory) A temporary file generated by the scanner appears.