Many hackers invade the operating system, will do two common operations unset history and replace the command file (or the corresponding link library file), for these two points to do a record shelllog and Check that the link library class files and command files have changed recently .
RootkithunterSymptom evaluation--judging abnormal point performance based on host abnormal state resource tension (turns into card slow)#安装$sudo wget https://jaist.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.4/rkhunter-1.4.4.tar.gz$sudo tar zxvf rkhunter-1.4.4.tar.gz$sudo cd rkhunter-1.4.4$sudo sh install.sh --install#使用$/usr/local/bin/rkhunter --propupd$/usr/local/bin/rkhunter -c --sk --rwo
free -m #以MB为单位查看内存使用情况free -l #查看内存使用细节ps aux|head -1;ps aux|grep -v PID|sort -rn -k +4|head #查看内存使用前十名vmstat -a #查看内存和CPU使用情况vmstat -s #查看内存和CPU使用详情vmstat -d #查看读写IO情况ps aux|head -1;ps aux|grep -v PID|sort -rn -k +3|head # 查看CPU使用前十名top #查看进程性能资源消耗
dmesg -T #按时间点查看内核日志dmesg -T | grep memory #查看和内存相关的日志记录dmesg -T | grep crash #查看和崩溃相关的日志记录dmesg -T | grep reboot #查看和重启相关的日志记录cat /var/log/dmesg #内核日志cat /var/log/syslog #系统日志cat /var/log/kernel.log #内核日志(Ubuntu下是kern.log)
Application Service Problem Diagnosisiptables -L #查看防火墙cat /etc/resolv.conf #查看域名解析ifconfig -a #查看网卡信息
Intrusion point intrusion Feature troubleshootingHTTP /var/log/httpd/access.log #或者是HTTP服务器配置文件中的日志路径FTP /var/log/vsftp.log #或者是同路径下的xferlogSquid /var/log/squid #或者是squid.access.logNFS /var/log/nfsIPTABLES /var/log/iptables/……Samba /var/log/sambaDNS /var/log/messageDHCP /var/log/message #或者/var/lib/dhcp/db/dhcpd.leasesMail /var/log/maillog
Can log in and explode to troubleshoot## 可疑网络通信及进程排查 ##netstat -antlop #查看异常连接和对应的进程、文件ps -ef #查看进程信息ps aux # 查看进程信息lsof #查看进程关联账户信息lsof -g pid
Exploit intrusion and post-infiltration featureslast #登录或重启日志lastb #登录失败日志 或者是/var/log/faillogwho /var/log/wtmp #登录日志 另外可以 last -f /var/run/utmpcat /var/log/lastlog #最后的登录日志cat /var/log/secure #安全日志cat /var/log/cron #计划任务日志cat ~/.bash_history | more #历史操作grep "Failed password for root" /var/log/auth.log | awk ‘{print $11}‘ | sort | uniq -nr | more #查看root账户登录爆破尝试grep "Accepted" /var/log/auth.log | awk ‘{print $11}‘ | sort |uniq -c | sort -nr | more #查看登录成功日志信息strings /usr/bin/.sshd | egrep ‘[1-9]{1,3}.[1-9]{1,3}.‘
Web intrusion Point Check
#webshell查找find /var/www/ -name "*.php" | xargs egrep ‘assert | phpspy | c99sh | milw0rm | eval | \( gunerpress | \(bas464_encode | spider _bc | shell_exec | passthru | \(\$\_\POST\[|eval\(str_rotl3 | .chr\c|\$\{\"\_P|eval\C\$\_R | file_put_contents\C\.\*\$\_ | base64_decode‘# 脚本文件打包find /var/www/html/ |grep -E ".asp$|.aspx$|.jsp$|.jspx$|.jspf$|.php$|.php3$|.php4$|.php5$|.inc$|.phtml$|.jar$|.war$|.pl$|.py$|.cer$|.asa$|.cdx$|.ashx$|.ascx$|.cfm$|.cgi$ "|xargs tar zcvf /tmp/shellscript.tar.gz# 文件查找的相关命令:sudo find / -mtime(atime/ctime) -x #按照创建、修改时间查找sudo find ./ -perm 4777 #按照权限查找文件find ./ -mtime -1 -type f #按照文件类型查找
Based on historical experience, Access.log can be analyzed using the Https://github.com/cisp/AccessLogAnylast tool (I develop and maintain);
Appendix I:Linux Emergency handling Operations manual
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
