Implant attack intrusion detection solution
1. What is an implant attack?
An implant attack is one in which the attacker uploads a Trojan to your system, modifies the original programs, or disguises a program as a legitimate one. It is hard for you to detect, and it stays resident in the system.
2. Why do hackers implant Trojans in your system?
In general, a Trojan attack is for the hacker's own benefit; it seldom damages your system and instead makes use of it.
For example, using your network to launch DDoS attacks, or downloading your data and selling it.
3. When does the Trojan get in?
Sometimes you join a new company and take over a pile of mess, commonly known as "wiping someone else's ass" (cleaning up their mess). Chinese-style resignations, Chinese-style layoffs, Chinese-style work handovers... all kinds of wonderful work is waiting for you.
Your first task is the work handover, and the most important item may be checking the system for backdoors. Usually the previous person does not actively cooperate in the handover, so it is up to you.
4. Where is the trojan?
During my years of work, I have encountered many types of Trojans, including Linux rootkits, PHP script Trojans, Java Trojans, and ASP Trojans. Typically, hackers implant database browsing tools, file and directory management tools, and compression/decompression tools.
5. Who will mount a trojan in your system?
98% are hacker intrusions, 1% are done by insiders, and 1% are opened purely for work convenience.
This article cannot help with Trojans already present in an existing system; it only covers monitoring for new implants.
6. How to monitor implant attacks
6.1. Program and data separation
Programs include scripts and binary files, which are usually read-only.
Data is what a program generates at run time, such as log files.
Separate programs from data, store them in different directories, and set different permissions on each. For more information, see the "Extended reading" article.
Here we focus on what to do once a running program is written to or modified, whether by an intruder or by a legitimate change. In short, we need to be able to quickly know which program files were modified. The prerequisite is that program and data are separated, so that the program directory can be monitored on its own.
6.2. Monitoring file changes
I use incron to monitor file changes.
# yum install -y incron
# systemctl enable incrond
# systemctl start incrond
Install the log push program
$ git clone https://github.com/netkiller/logging.git
$ cd logging
$ python3 setup.py sdist
$ python3 setup.py install
Configure trigger events
# incrontab -e
/etc IN_MODIFY /srv/bin/monitor.sh $@/$#
/www IN_MODIFY /srv/bin/monitor.sh $@/$#
# incrontab -l
/etc IN_MODIFY /srv/bin/monitor.sh $@/$#
/www IN_MODIFY /srv/bin/monitor.sh $@/$#
The /srv/bin/monitor.sh script
# cat /srv/bin/monitor.sh
#!/bin/bash
# incron passes the watched directory ($@) joined with the file name ($#) as one argument;
# quote it so paths containing spaces are forwarded intact.
echo "$@" | /usr/local/bin/rlog -d -H 172.16.0.10 -p 1220 --stdin
Whenever a file in /etc or /www is modified, incron runs /srv/bin/monitor.sh, which sends the path of the changed file to the remote host 172.16.0.10 through the /usr/local/bin/rlog program. Note that IN_MODIFY only fires on writes to existing files; to be told about files that are newly dropped into the directory, add IN_CREATE to the mask as well.
6.3. Install the log collection program
$ git clone https://github.com/netkiller/logging.git
$ cd logging
$ python3 setup.py sdist
$ python3 setup.py install
Configure the collection ports by editing the file logging/init.d/ucollection
done << EOF
1220 /backup/172.16.0.10/incron.log
1221 /backup/172.16.0.11/incron.log
1222 /backup/172.16.0.12/incron.log
EOF
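Once the modified paths land in incron.log on the collector, you still have to decide which changes are legitimate. The following is an added example, not part of the original article or of the netkiller/logging project: it builds a SHA-256 baseline of a program directory right after a clean deployment and triages the paths forwarded by monitor.sh against it. The directory tree and the event lines are constructed inside demo().

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:            # whole-file read is fine for script-sized programs
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(program_dir):
    """Hash every file under the read-only program directory, right after a clean deployment."""
    baseline = {}
    for root, _dirs, files in os.walk(program_dir):
        for name in files:
            path = os.path.join(root, name)
            baseline[path] = sha256_of(path)
    return baseline

def triage_events(event_lines, baseline):
    """Classify each 'dir/file' path forwarded by monitor.sh against the baseline."""
    verdicts = {}
    for line in event_lines:
        path = line.strip()
        if not os.path.exists(path):
            verdicts[path] = "deleted"
        elif path not in baseline:
            verdicts[path] = "new"        # never part of the deployment: inspect it
        elif sha256_of(path) != baseline[path]:
            verdicts[path] = "modified"   # content differs from the deployed version
        else:
            verdicts[path] = "unchanged"  # rewritten with identical bytes
    return verdicts

def demo():
    """Constructed sample: a tiny /www-like tree, then the events incron would report."""
    www = tempfile.mkdtemp(prefix="www-")
    files = {"index.php": b"<?php echo 'hi';", "lib.php": b"<?php // lib", "site.css": b"body{}"}
    for name, body in files.items():
        with open(os.path.join(www, name), "wb") as f:
            f.write(body)
    baseline = build_baseline(www)
    with open(os.path.join(www, "index.php"), "ab") as f:
        f.write(b"\n// appended after deployment")   # modified
    with open(os.path.join(www, "extra.php"), "wb") as f:
        f.write(b"<?php // not in the deployment")    # new
    with open(os.path.join(www, "site.css"), "wb") as f:
        f.write(files["site.css"])                   # same bytes: unchanged
    os.remove(os.path.join(www, "lib.php"))           # deleted
    events = [os.path.join(www, n) for n in ("index.php", "extra.php", "site.css", "lib.php")]
    return {os.path.basename(p): v for p, v in triage_events(events, baseline).items()}
```

In practice the baseline would be rebuilt after every legitimate deployment and the "new" and "modified" verdicts raised as alerts.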