Linux Intrusion Analysis (1): How do I find malicious processes and files?

Source: Internet
Author: User
Tags: cpu usage

1. Check CPU and memory usage

top
Press uppercase "P" to sort the list by CPU usage and see the high-consumption processes and their PIDs.

2. netstat: view the host's network connections

netstat -anp
netstat -antlp
netstat -anltp | more
netstat -tunpl
netstat -antlp | grep -v -e nginx -e "140.205" -e "192.168.0.3:80" -e "mem"

The last form filters out connections that are already known to be legitimate (here nginx and two known addresses) so that only the unexplained ones remain.

netstat -ltpe: the -e and -p options show both the process name and the user name.
Note: if you use -n together with -e, the user column shows the numeric user ID rather than the user name.

3. netstat: view the gateway

netstat -rn

4. Detect open ports from outside the host's perimeter

nmap -Pn 1.2.3.4 -p 1-65535
Narrow down the intrusion path based on which ports are open.

5. Redis on port 6379 with unauthorized access

(1) From another machine on the public network run "telnet <analysis host IP> 6379"; if the connection succeeds, the Redis port is reachable from the internet and unauthorized access should be suspected.
(2) Test unauthenticated Redis access locally:
[root@<host> ~]# redis-cli
127.0.0.1:6379> keys *
If keys * returns data without any authentication, the instance is open.
(3) ps -ef | grep 6379: check whether Redis was started as root. If it was and unauthorized access is suspected, restart it as a non-root user and set a password.
(4) SSH key injected through Redis
Check the /root/.ssh directory for authorized_keys and other SSH key files; if they exist and were not set up by the user, suspect Redis unauthorized access.

6. Find the process's file location from its PID

(1) ps -ef | grep 31685
ps aux | grep zabbix

(2) Using /proc/<pid>
ll /proc/<pid>: the line "exe -> /xxx/xxxx/xxxxx" points to the process's executable
ls -l /proc/<pid>/exe
file /proc/<pid>/exe

(3) lsof -p 123456

7. Find the file location from the program name

find / -name infod
find / -name " *"
find / -name ". *"
find / -name ".. *"

The last three search for names that begin with a space, with a dot and a space, or with two dots and a space: such directories look like "." and ".." in a casual ls listing and are a common place for attackers to hide files.
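The checks of sections 6 and 7 combined into one small script, as an added example that is not from the original article: it resolves a PID's binary through /proc/<pid>/exe and flags binaries that were deleted after start, binaries running from temp directories, and the space / dot-space names the find commands above hunt for. The function names (classify_exe_path, inspect_pid, scan_all_pids) are my own; it needs a Linux /proc.

```shell
#!/bin/sh
# Added example (not from the original article): map a PID to its binary via
# /proc/<pid>/exe and flag what an analyst looks at first: binaries deleted
# after start, binaries under temp dirs, and the space / dot-space names the
# find / -name " *" family in section 7 hunts for.

# classify_exe_path PATH: PATH is what "readlink /proc/<pid>/exe" returns.
classify_exe_path() {
    case "$1" in
        *" (deleted)") echo "DELETED_BINARY";;   # unlinked after exec; only /proc/<pid>/exe still reaches it
        */" "*|*/." "*|*/".. "*) echo "HIDDEN_NAME";;  # a component named " x", ". x" or ".. x"
        /tmp/*|/var/tmp/*|/dev/shm/*) echo "TEMP_DIR";;  # executable in a world-writable directory
        *) echo "OK";;
    esac
}

# inspect_pid PID: print pid, verdict, exe and cwd (tab-separated), i.e. what
# "ls -l /proc/<pid>/exe" shows plus the classification. Needs Linux /proc.
inspect_pid() {
    exe=$(readlink "/proc/$1/exe" 2>/dev/null) || {
        echo "$1: cannot read /proc/$1/exe (process gone, kernel thread, or not root)" >&2
        return 1
    }
    cwd=$(readlink "/proc/$1/cwd" 2>/dev/null || echo '?')
    verdict=$(classify_exe_path "$exe")
    printf '%s\t%s\t%s\tcwd=%s\n' "$1" "$verdict" "$exe" "$cwd"
    if [ "$verdict" = "DELETED_BINARY" ]; then
        # the unlinked file is still readable through /proc; preserve it before killing the process
        echo "  hint: cp /proc/$1/exe <evidence dir>/$1.bin before terminating pid $1" >&2
    fi
}

# scan_all_pids: inspect every process and print only the ones not marked OK.
scan_all_pids() {
    for d in /proc/[0-9]*; do
        inspect_pid "${d#/proc/}" 2>/dev/null | awk '$2 != "OK"' || true
    done
}

# Usage: sh this_script.sh --scan   (as root, so every /proc/<pid>/exe is readable)
if [ "${1:-}" = "--scan" ]; then scan_all_pids; fi
```

Run it as root so that /proc/<pid>/exe of every process is readable; unprivileged users only see their own.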
8. Find the program files associated with a user

(1) find / -user ubuntu | grep -v '/home/ubuntu'
(2) lsof -u ubuntu

9. Check the last modified time of a program

ll /path/program-name
ll is an alias for ls -l.
ls lists the files in the current directory; ls -l lists them with their details.

ll /usr/sbin/httpd
-rwxr-xr-x 1 root root 523568 Oct 2017 /usr/sbin/httpd

Note that the modification time can be reset with touch; stat also shows the change time (ctime), which cannot be set that way, so compare the two when a timestamp looks too clean.

10. Process tree: use pstree to view child processes

yum install psmisc
pstree -p
pstree -p -a

Installation on three different systems:

# On Mac OS: brew install pstree
# On Fedora/Red Hat/CentOS: yum install psmisc   (pstree is in the psmisc package)
# On Ubuntu/Debian (APT): apt-get install psmisc
11. Auto-start items

(1) View boot entries
chkconfig --list or cat /etc/rc.local

(2) Scheduled task scripts
crontab -l: view the current user's scheduled tasks
crontab -l -u oracle: view the scheduled tasks of the oracle user

Cron file directories: check whether /etc/crontab, /etc/cron.d, /etc/cron.daily, /etc/cron.hourly, /etc/cron.monthly and /etc/cron.weekly contain scripts or programs.

crontab -l explained:
*/30 * * * * /var/tmp/". "/c
{minute} {hour} {day-of-month} {month} {day-of-week} {full-path-to-shell-script}
  o minute: range 0 – 59
  o hour: range 0 – 23
  o day-of-month: range 0 – 31
  o month: range 1 – 12; 1 is January, 12 is December
  o day-of-week: range 0 – 7; Sunday can be 0 or 7
"*/30" means every 30 units, here every 30 minutes.
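An added example, not code from the original article, that audits crontab output the way step (2) reads it and flags entries like the */30 * * * * /var/tmp/". "/c line above. The function names and the sample crontab are constructed; the script also handles /etc/crontab and /etc/cron.d files, which carry an extra user field that the article does not mention.

```shell
#!/bin/sh
# Added example (not from the original article): audit crontab lines the way
# section 11 reads them. The article's own sample, */30 * * * * /var/tmp/". "/c,
# keeps its program in a temp dir under a directory literally named ". ".

# cron_command LINE [system]: print the command part of one crontab line. User
# crontabs have 5 schedule fields; /etc/crontab and /etc/cron.d/* add a 6th
# "user" field, so pass "system" for those. @reboot-style shortcuts use 1 word.
cron_command() {
    case "${2:-}" in system) n=6;; *) n=5;; esac
    case "$1" in @*) n=$((n - 4));; esac
    printf '%s\n' "$1" | sed -E "s/^[[:space:]]*([^[:space:]]+[[:space:]]+){$n}//"
}

# classify_cron_line LINE [system]: SKIP, "OK: <cmd>" or "SUSPICIOUS:<reason>: <cmd>"
classify_cron_line() {
    case "$1" in
        ''|'#'*|[A-Za-z_]*=*) echo "SKIP"; return 0;;   # blank, comment, or NAME=value line
    esac
    cmd=$(cron_command "$1" "${2:-}")
    plain=$(printf '%s' "$cmd" | tr -d "\"'")          # drop quotes so /". "/ reads as /. /
    case "$plain" in
        */" "*|*/." "*|*/".. "*)                         # the find / -name " *" family of names
            echo "SUSPICIOUS:hidden-name-component: $cmd";;
        /tmp/*|/var/tmp/*|/dev/shm/*|*" /tmp/"*|*" /var/tmp/"*|*" /dev/shm/"*)
            echo "SUSPICIOUS:temp-dir: $cmd";;
        *)  echo "OK: $cmd";;
    esac
}

# audit_crontab [system] < crontab-text: print flagged lines with line numbers.
audit_crontab() {
    i=0
    while IFS= read -r line; do
        i=$((i + 1))
        v=$(classify_cron_line "$line" "${1:-}")
        case "$v" in SUSPICIOUS*) printf '%d: %s\n' "$i" "$v";; esac
    done
}

# Constructed sample of "crontab -l" output (not real data).
SAMPLE_CRONTAB='SHELL=/bin/sh
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/30 * * * * /var/tmp/". "/c
15 * * * * /dev/shm/.upd.sh >/dev/null 2>&1
@reboot /tmp/.cache/run.sh'
# Usage: crontab -l | audit_crontab;  cat /etc/crontab /etc/cron.d/* | audit_crontab system
if [ "${1:-}" = "--demo" ]; then printf '%s\n' "$SAMPLE_CRONTAB" | audit_crontab; fi
```

Run it against every user's crontab (crontab -l -u <user>, or the files under /var/spool/cron), not just root's, since the article's own example comes from a per-user crontab.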
12. Malware identification websites: use ThreatBook (微步在线) or VirusTotal to identify suspicious files and IPs

https://x.threatbook.cn/
www.virustotal.com
http://r.virscan.org

13. Packet capture and traffic analysis

(1) Capture TCP packets
tcpdump -i eth0 -w tel.pcap
(2) Capture HTTP packets
tcpdump -XvvennSs 0 -i eth0 'tcp[20:2]=0x4745 or tcp[20:2]=0x4854'
0x4745 and 0x4854 are the ASCII bytes "GE" and "HT", i.e. the first two bytes of a "GET" request or an "HTTP/1.x" response at the start of the TCP payload; offset 20 assumes a TCP header without options.

14. Antivirus software ClamAV

(1) Repository: yum install epel-release

(2) Software: yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd -y

(3) Update the virus database: freshclam

    • Scan all users' home directories: clamscan -r -i /home
    • Scan all files on the machine and show the result for every file: clamscan -r /
    • Scan all files on the machine and show only the problematic files: clamscan -r --bell -i /

# --bell seems to be of no use, and scanning /sys/ produces 4000+ errors such as:
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset, got 0
WARNING: Can't open file /sys/bus/hid/drivers/topseed/bind: Permission denied

Note: use clamscan --exclude-dir=/sys/ -i -r /
Because of the special nature of /sys/, scanning it generates a large number of errors, so skip that directory.
-i shows only infected files, -r scans subdirectories recursively, and / is the root directory.

15. Use chkrootkit to check for intrusions

https://www.lvtao.net/server/chkrootkit.html
