A Linux administrator has to take security seriously; having a machine compromised is the last thing an administrator wants. How do you check whether a system you manage is secure, and whether it has already been hacked? Here are some simple methods.
The people commonly called "script kiddies" are a bad kind of hacker precisely because there are so many of them and most are so unskilled. It is fair to say that if you install all the relevant patches, have a tested firewall, and run an intrusion detection system at several levels, you will be hacked in only one situation: when you are too lazy to do what needs doing, such as installing the latest BIND patch.
Being hacked through carelessness is embarrassing. Worse, some script kiddies download well-known "root kits" or popular spying tools, and these eat your CPU, memory, data, and bandwidth. Where do these intruders start? They start with the root kit.
A root kit is a software package an intruder uses to give themselves root-level access to your machine. Once the intruder can access your machine as root, it is all over. The only thing you can do is back up your data as fast as you can, wipe the hard disk, and reinstall the operating system. However you go about it, recovering a machine once someone else has taken it over is not easy.
Can you trust your ps command?
The first trick for finding a root kit is to run the ps command. Everything may look normal to you; the figure below shows an example of ps output. The real question is: is everything really normal? A common trick is to replace the ps command with a version that does not show the intruder's processes running on your machine. To test for this, check the size of your ps binary, which is usually /bin/ps. On our Linux machine it is about 60 KB. I recently came across a ps that had been replaced by a root kit; it was about 12 KB.
Another obvious trick is to link the root account's command history file to /dev/null. The history file tracks and records the commands a user has typed after logging on to a Linux machine. Intruders redirect your history file to /dev/null so that you cannot see the commands they have entered.
You can view your history by typing history at the shell prompt. If you type history and it does not appear in the list of commands you have used, take a look at your ~/.bash_history file. If the file appears empty, run ls -l ~/.bash_history. You will see output like the following:
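Comparing the size of /bin/ps by eye, as described above, generalizes into a baseline check: record the size and SHA-256 of the binaries you care about while the system is known-good, keep that baseline off the machine, and compare against it later. The script below is an added example and not code from the original article; the file names, the baseline location and the sample "binaries" it creates in a temporary directory are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article: record size and SHA-256 of
# selected files into a baseline, then verify the live files against it.
# File names and baseline location below are assumptions for illustration.

# record_baseline <baseline_file> <file>...   writes "sha256 size path" per file.
record_baseline() {
    baseline=$1; shift
    : > "$baseline"
    for f in "$@"; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$sum" "$size" "$f" >> "$baseline"
    done
}

# verify_baseline <baseline_file>   prints OK/CHANGED/MISSING per file;
# returns 1 if anything changed or disappeared, 0 otherwise.
verify_baseline() {
    status=0
    while read -r sum size f; do
        if [ ! -f "$f" ]; then
            printf 'MISSING %s\n' "$f"; status=1; continue
        fi
        cur_sum=$(sha256sum "$f" | cut -d' ' -f1)
        cur_size=$(wc -c < "$f" | tr -d ' ')
        if [ "$cur_sum" != "$sum" ]; then
            printf 'CHANGED %s (size %s -> %s)\n' "$f" "$size" "$cur_size"; status=1
        else
            printf 'OK      %s\n' "$f"
        fi
    done < "$1"
    return $status
}

# Demo on constructed files in a temp dir (the real use is /bin/ps, /bin/ls, ...
# with the baseline stored on read-only media away from the host).
demo() {
    dir=$(mktemp -d)
    printf 'pretend this is the ps binary\n' > "$dir/ps"
    printf 'pretend this is the ls binary\n' > "$dir/ls"
    record_baseline "$dir/baseline" "$dir/ps" "$dir/ls"
    verify_baseline "$dir/baseline"                      # everything OK
    printf 'a much smaller replacement\n' > "$dir/ps"   # simulate a swapped ps
    verify_baseline "$dir/baseline" || echo "-> baseline mismatch: do not trust this host's tools"
    rm -rf "$dir"
}
demo
```

The baseline only helps if it was taken before the compromise and is compared using tools the intruder could not have replaced (a root kit that swaps ps can just as well swap sha256sum, so run the comparison from trusted, read-only media). On packaged systems the package manager keeps its own baseline: rpm -V procps-ng on RPM distributions and dpkg --verify procps on Debian derivatives report the same kind of mismatch for the installed ps.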
-rw------- 1 jd 13829 Oct 10 /home/jd/.bash_history
Alternatively, you may see output similar to the following:
lrwxrwxrwx 1 jd 9 Oct 10 :40 /home/jd/.bash_history -> /dev/null
If you see the second form, your .bash_history file has been redirected to /dev/null. This is a fatal sign. Disconnect your machine from the Internet immediately, back up as much of your data as you can, and reinstall the system.
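The ls -l check above covers one account at a time. The script below, an added example rather than code from the original article, walks every account with a real login shell in a passwd-format file and classifies each ~/.bash_history as a symlink (the /dev/null trick), missing, empty, or a normal file. It takes the passwd file path as an argument so it can run against the constructed sample it builds in a temporary directory; on a real host you would pass /etc/passwd. The account names and paths in the sample are constructed.

```shell
#!/bin/sh
# Added example, not code from the original article: find history files that
# have been redirected to /dev/null (or elsewhere) for every login account.

# classify_history <path>: print SYMLINK / MISSING / EMPTY / OK for one history
# file; exit status 1 only for SYMLINK.
classify_history() {
    hist=$1
    if [ -L "$hist" ]; then
        printf 'SYMLINK %s -> %s\n' "$hist" "$(readlink "$hist")"
        return 1
    elif [ ! -e "$hist" ]; then
        printf 'MISSING %s\n' "$hist"
    elif [ ! -s "$hist" ]; then
        printf 'EMPTY   %s\n' "$hist"
    else
        printf 'OK      %s (%s bytes)\n' "$hist" "$(wc -c < "$hist" | tr -d ' ')"
    fi
    return 0
}

# check_all_histories <passwd_file>: classify the history file of every account
# whose shell is not nologin/false; return 1 if any of them is a symlink.
# (A here-document is used instead of a pipe so $status survives the loop.)
check_all_histories() {
    status=0
    while read -r home; do
        [ -n "$home" ] || continue
        classify_history "$home/.bash_history" || status=1
    done <<EOF
$(awk -F: '$7 !~ /(nologin|false)$/ && $6 != "" { print $6 }' "$1")
EOF
    return $status
}

# make_sample <dir>: constructed fixture - a normal user, a user whose history
# is linked to /dev/null, a root entry whose home does not exist, and a
# service account that is skipped because of its nologin shell.
make_sample() {
    dir=$1
    mkdir -p "$dir/home/jd" "$dir/home/eve"
    printf 'ls -l\ncat /etc/passwd\n' > "$dir/home/jd/.bash_history"
    ln -s /dev/null "$dir/home/eve/.bash_history"
    {
        printf 'root:x:0:0:root:%s/root:/bin/bash\n' "$dir"
        printf 'jd:x:1000:1000:JD:%s/home/jd:/bin/bash\n' "$dir"
        printf 'eve:x:1001:1001:Eve:%s/home/eve:/bin/bash\n' "$dir"
        printf 'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n'
    } > "$dir/passwd"
}

demo() {
    base=$(mktemp -d)
    make_sample "$base"
    check_all_histories "$base/passwd" || echo "-> a history file is redirected; treat the host as compromised"
    rm -rf "$base"
}
demo
```

An EMPTY result is not proof of anything by itself (the user may simply never have logged in interactively), which is why the script only fails on SYMLINK; a MISSING result for an account that does log in regularly is worth a closer look for the same reason.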
Searching for unknown user accounts
When you set out to check a Linux machine, it is wise to look first for unknown user accounts. The next time you log on to your Linux server, run the following command:
grep :x:0: /etc/passwd
There should be only one line. To stress the point: on a standard Linux installation this grep command should return exactly one line, similar to the following:
root:x:0:0:root:/root:/bin/bash
If your system returns more than one line from this grep, you may have a problem: only one account should have UID 0. Every additional line the grep returns is another account with UID 0.
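The grep above looks for the literal string :x:0:, so it only finds UID-0 entries whose password field is exactly x; an entry whose password field is * or a hash slips past it. The script below, an added example and not code from the original article, parses the third field of a passwd-format file instead, lists every UID-0 account, reports UIDs shared by more than one account, and fails unless root is the sole UID-0 account. The passwd content it tests against is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article: audit UID-0 accounts by
# parsing passwd field 3 rather than grepping for the literal ":x:0:".
# The sample passwd content below is constructed for the demo.

# uid0_accounts <passwd_file>: print the login name of every account with UID 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# duplicate_uids <passwd_file>: print every UID used by more than one account.
duplicate_uids() {
    awk -F: '{ seen[$3]++ } END { for (u in seen) if (seen[u] > 1) print u }' "$1" | sort -n
}

# audit_uid0 <passwd_file>: succeed only if "root" is the sole UID-0 account.
audit_uid0() {
    extra=$(uid0_accounts "$1" | grep -v -x 'root' || true)
    if [ -n "$extra" ]; then
        printf 'UNEXPECTED UID-0 ACCOUNT(S): %s\n' "$(printf '%s' "$extra" | tr '\n' ' ')"
        return 1
    fi
    echo "OK: root is the only UID-0 account"
    return 0
}

# Constructed sample: a second root account ("toor") and an account whose
# password field is "*" rather than "x", which grep :x:0: would not match.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jd:x:1000:1000:JD:/home/jd:/bin/bash
toor:x:0:0:hidden root:/root:/bin/bash
svc:*:0:1000:locked password but UID 0:/var/lib/svc:/bin/sh
EOF
}

demo() {
    f=$(mktemp)
    sample_passwd > "$f"
    echo "UID-0 accounts:";   uid0_accounts "$f"
    echo "Duplicated UIDs:";  duplicate_uids "$f"
    audit_uid0 "$f" || echo "-> investigate before trusting this host"
    rm -f "$f"
}
demo
```

On a host that resolves accounts through NSS (LDAP, NIS, sssd), /etc/passwd only shows local accounts; feeding the output of getent passwd to the same functions covers the remote ones too.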
Frankly, the above are some good basic methods for spotting intruder activity. They do not, however, add up to adequate security; their depth and breadth are nowhere near those of the intrusion detection system mentioned earlier.
My advice: if you suspect your Linux machine has been hacked, call a Linux security expert and follow their advice. After all, securing Linux is not something you finish in one go.