Article Title: How to block system attackers in Linux (from the Linux technology channel of China IT Lab)
In a networked environment the following is entirely possible: an attacker exploits a system vulnerability and breaks into your machine, yet when you run ps to list all processes nothing looks out of place, and your password file looks fine as well. What happened? After getting into your system, the attacker's first step is to replace specific system binaries, such as the netstat command, with trojaned copies. When you then run netstat -a, the attacker's connections are simply not displayed. Naturally, the attacker replaces every binary that could reveal their presence. This usually includes:
/bin/ps
/bin/netstat
/usr/bin/top
Because the files have been replaced rather than removed, simply listing them with ls shows nothing suspicious: the file is there, in the right place, with the right name. There are several ways to verify the integrity of system files. If you installed Red Hat, Caldera, TurboLinux or any other distribution that uses RPM, you can use RPM itself to verify the integrity of system files:
First, find out which package the file you want to check came from. rpm -qf reports the package that owns a given file:
# rpm -qf /bin/netstat
net-tools-1.51-3
Then verify the whole package. rpm -V compares every file the package installed against the attributes recorded in the RPM database (size, mode, MD5 digest, owner, group, modification time and so on). For a package whose files are unchanged there is no output at all:
# rpm -V net-tools
#
If the netstat binary is replaced (here, the version 5.2 netstat swapped for the version 6.0 one) and the same command is run again, it reports:
# rpm -V net-tools
.......T   /bin/netstat
The T in the last position means the file's modification time no longer matches what the package recorded, i.e. /bin/netstat has been modified. Running rpm -qf on the ps and top commands shows that they belong to the package procps, so that package is verified next. The following is the result from a hacked site:
# rpm -qf /bin/ps
procps-2.0.2-2
# rpm -V procps
SM5..UGT   /bin/ps
SM5..UGT   /usr/bin/top
Here the size (S), mode (M), MD5 digest (5), owner (U), group (G) and modification time (T) of both binaries all differ from what the package recorded. The attacker broke into the system and replaced our ps and top with versions of their own, so the administrator cannot see the processes the attacker is running. That hidden process may well be a sniffer listening to all user traffic entering and leaving the network and picking out password information.
Below is a small script that walks the entire RPM database on your system and checks every package for tampering. Note, however, that not every inconsistency the script reports means a file was damaged by an attacker. Your password file, for example, is bound to differ from the one installed with the system:
#!/bin/bash
#
# Run through the rpm database and report inconsistencies
#
for rpmlist in `rpm -qa`   # these quotes are back quotes
do
    echo "----- $rpmlist -----"; rpm -V $rpmlist
done > /tmp/rpmverify.out
When you run the script, its output is written to /tmp/rpmverify.out, which you can read with less. Text files such as /etc/passwd and /etc/inetd.conf will show up as modified. But how do you know whether they were modified by the administrator or by an intruder? The answer is to take fingerprints of these system files while you are sure the system is clean and has not been penetrated, and to compare the files against those fingerprints later, when you suspect the system has been intruded. A file's fingerprint is produced by running the md5sum command:
This data is the set of fingerprints for the files on my system. Fingerprints for the same files on other systems may differ, so use md5sum to compute the fingerprints of your own system files. Keep the fingerprint list off the machine (a floppy or a printout), because an attacker who can replace ps can just as easily edit a list stored on disk, and run md5sum and rpm from a trusted copy when checking, since those binaries may have been replaced too. The following are some files for which you should create fingerprint information:
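As an added example that is not part of the original article, the following bash script covers both checks described above: it decodes the attribute letters in an rpm -V line into words, and it builds an md5sum fingerprint baseline of critical binaries on a clean system and later reports which of them changed or disappeared. The CRITICAL_FILES list, the temporary stand-in "binaries" used in the demo, and the sample rpm -V lines are constructed for illustration; the decoder assumes the 8-column rpm -V format shown in the article (newer rpm versions add a ninth column, P, for capabilities).

```bash
#!/bin/bash
# Added example, not part of the original article.
# 1) decode_rpm_verify_line: turn the attribute letters rpm -V prints into words.
# 2) make_baseline / verify_baseline: md5sum fingerprints taken on a clean
#    system and re-checked after a suspected intrusion.
# The CRITICAL_FILES list and the demo's temporary files are assumptions.

# Binaries that intruders commonly replace; extend this for your own system.
CRITICAL_FILES="/bin/ps /bin/netstat /usr/bin/top /bin/ls /bin/login"

# decode_rpm_verify_line "SM5..UGT   /bin/ps"
#   prints "/bin/ps: size mode md5 user group mtime"
# rpm -V flag positions: S size, M mode, 5 MD5 digest, D device, L symlink,
# U user, G group, T mtime; '.' means that attribute is unchanged. An
# optional single letter before the path (c = config file, d = doc) is kept.
decode_rpm_verify_line() {
    set -- $1                  # word-split the line: flags [attr] path
    flags=$1; shift
    attr=""
    case "$1" in c|d|g|l|r) attr=" ($1)"; shift ;; esac
    path="$*"
    words=""
    while [ -n "$flags" ]; do
        ch=${flags%"${flags#?}"}   # first character (POSIX-safe)
        flags=${flags#?}
        case "$ch" in
            S) words="$words size" ;;    M) words="$words mode" ;;
            5) words="$words md5" ;;     D) words="$words device" ;;
            L) words="$words symlink" ;; U) words="$words user" ;;
            G) words="$words group" ;;   T) words="$words mtime" ;;
        esac
    done
    echo "$path$attr:$words"
}

# make_baseline BASELINE FILE...
#   records "md5  path" for every FILE that exists; prints how many were recorded.
make_baseline() {
    baseline=$1; shift
    : > "$baseline"
    for f in "$@"; do
        [ -f "$f" ] && md5sum "$f" >> "$baseline"
    done
    wc -l < "$baseline" | tr -d ' '
}

# baseline_system BASELINE -> fingerprint the CRITICAL_FILES list
baseline_system() {
    make_baseline "$1" $CRITICAL_FILES
}

# verify_baseline BASELINE
#   prints one line per file whose digest differs or which has disappeared;
#   exit status 0 only if everything still matches.
verify_baseline() {
    changed=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; changed=$((changed + 1)); continue
        fi
        now=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$now" != "$sum" ]; then
            echo "CHANGED  $path"; changed=$((changed + 1))
        fi
    done < "$1"
    [ "$changed" -eq 0 ]
}

# count_changed BASELINE -> number of changed or missing files
count_changed() {
    verify_baseline "$1" | wc -l | tr -d ' '
}

# demo_tamper_detection: constructed stand-in binaries in a temp dir; the
# "ps" copy is overwritten after the baseline is taken, as a rootkit would.
demo_tamper_detection() {
    tmp=$(mktemp -d)
    printf 'original ps\n' > "$tmp/ps"
    printf 'original netstat\n' > "$tmp/netstat"
    make_baseline "$tmp/baseline.md5" "$tmp/ps" "$tmp/netstat" > /dev/null
    printf 'trojaned ps\n' > "$tmp/ps"
    count_changed "$tmp/baseline.md5"        # prints 1
    rm -rf "$tmp"
}

# Stand-alone run: decode the article's hacked-site line, then run the demo.
decode_rpm_verify_line "SM5..UGT   /bin/ps"
echo "files changed in demo: $(demo_tamper_detection)"
```

In practice you would run baseline_system once on a freshly installed, not yet networked machine, copy the baseline file off the box, and later run verify_baseline against that copy using an md5sum binary from read-only install media; a changed entry for a binary such as /bin/ps is a far stronger signal than one for a config file that administrators edit routinely.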