Linux intrusion Analysis (iii) Clean up trojans and problem users

Source: Internet
Author: User
Tags: iptables

1. See which users have a /bin/bash login shell

cat /etc/passwd

2. Check whether common commands have been tampered with

(1) Find the path of the command's file (whereis and which)

whereis netstat
which netstat

Sample output:

which netstat
/bin/netstat
whereis netstat
netstat: /bin/netstat /usr/share/man/man8/netstat.8.gz

(2) Observe the properties of the command, mainly the modification time and size (stat and ll, where ll is the usual alias for ls -l)

stat /bin/netstat
ll -h /bin/ps
-rwxr-xr-x. 1 root root 81K Nov 15  2012 /bin/ps

If a command looks abnormal it may have been tampered with; the file can be uploaded to ThreatBook (微步在线) for identification. To rule out interference from tampered tools, copy the command set from another, known-clean system and use that instead.

stat shows a file's access, modification and change times.
After a file is viewed with more, less or cat, its access time changes to the time of that access, while its modification and change times stay the same.

stat /bin/netstat
  File: `/bin/netstat'
  Size: 123360 (Byte)   Blocks: 248        IO Block: 4096   regular file
Device: fc01h/64513d    Inode: 5219        Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2018-05-07 17:00:50.927556605 +0800
Modify: 2012-05-10 16:17:33.000000000 +0800
Change: 2015-11-17 18:47:03.594999914 +0800

Look at the size of the file: if it is unusually large, it may be abnormal.
Look at the last modification time (the Modify line in the listing): a modification time close to the time of the incident is likely to be abnormal.

3. Hidden file attributes (lsattr and chattr), using a file named attrtest as the example

(1) Show the hidden attributes of the file attrtest
lsattr attrtest

(2) Add or remove the i (immutable) attribute on the file attrtest

chattr +i attrtest
chattr -i attrtest
4. Check whether the history command's output is empty

ls -l ~/.bash_history

After running the command above you should see normal output similar to this:
-rw------- 1 jd jd 13829 Oct 10 17:06 /home/jd/.bash_history

If instead you see output like this:

lrwxrwxrwx 1 jd jd 9 Oct 19:40 /home/jd/.bash_history -> /dev/null

it means the .bash_history file has been redirected to /dev/null. This is a very bad sign.
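The checks from sections 1, 2 and 4 above, collected into a small set of shell helpers (an added example, not code from the original article). Every function takes explicit paths so it can be pointed at a copied /etc/passwd, a mounted disk image or the live system; the fixture it builds is constructed sample data.

```shell
#!/bin/sh
# Added triage helpers for sections 1, 2 and 4 (example code, not from the
# original article). Functions take explicit paths rather than assuming the
# live system, so they also work on a copied /etc/passwd or a mounted image.

# Section 1: accounts whose login shell is not nologin/false.
login_shell_users() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Section 2: print each given binary whose mtime is within the last N days.
# A hit is only a lead; compare the file with a known-good copy before trusting it.
recently_modified() {
    days=$1; shift
    find "$@" -maxdepth 0 -type f -mtime -"$days" 2>/dev/null
}

# Section 4: true (exit 0) when a history file is a symlink to /dev/null.
history_redirected() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "/dev/null" ]
}

# Constructed fixture (hypothetical data): a fake passwd file, a history file
# redirected to /dev/null, a freshly modified binary and an old, untouched one.
make_fixture() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        'jd:x:1000:1000::/home/jd:/bin/bash' \
        'www:x:33:33::/var/www:/bin/false' > "$d/passwd"
    ln -s /dev/null "$d/.bash_history"
    : > "$d/good_history"
    : > "$d/netstat"                               # mtime is now
    : > "$d/ps"; touch -t 200001010000 "$d/ps"     # mtime set to 2000-01-01
    echo "$d"
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_fixture)
    echo "interactive accounts:"; login_shell_users "$d/passwd"
    echo "binaries modified in the last day:"; recently_modified 1 "$d/netstat" "$d/ps"
    history_redirected "$d/.bash_history" && echo ".bash_history -> /dev/null"
fi
```

Run it with the argument demo to see the three checks against the fixture; on a real host replace the fixture paths with /etc/passwd, the binaries under /bin and each user's ~/.bash_history.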

How is history cleared?

How Linux records and empties history
1. Commands executed in the current session are held in a cache; when the session exits, the cached entries are written to ~/.bash_history.
2. If the session is killed directly, the commands in the cache are not written to ~/.bash_history.
3. How to properly empty the current user's history

~/.bash_history
history -c   # empty the commands in the current cache
exit         # close the shell connection to avoid writing them to ~/.bash_history
# (executing exit is what writes the cached commands to the ~/.bash_history file)

5. Environment variables and the IP of the current connection

env

6. Login banner (welcome message)

cat /etc/motd   # commonly altered by data-theft and ransomware actors

7. Reboot and shutdown records
8. Kick out a malicious user's connection, kill the malicious process, reset the user's password

(1) Kick out a suspicious user by TTY: pkill -kill -t tty1
(2) Kill a malicious process by PID: kill -9 31685
(3) Change a user's password

passwd user1   # change the password of user1
passwd         # change the password of the current user
9. rm: delete malicious files

Preserve a copy (or at least a hash) of the file for the investigation before removing it.

To delete a directory:

rm -rf /var/log/httpd/access   # removes the /var/log/httpd/access directory and all files and subdirectories under it

To delete a file:

rm -f /var/log/httpd/access.log   # forcibly removes the file /var/log/httpd/access.log
10. iptables: save, restart, stop, list rules, add rules

iptables usage notes
(1) Save the iptables configuration: service iptables save
(2) Stop, start, restart and check the status of the firewall

/etc/init.d/iptables stop
/etc/init.d/iptables start
/etc/init.d/iptables restart
/etc/init.d/iptables status
service iptables start
service iptables stop
service iptables restart
service iptables status

(3) After every modification to iptables, save the rules and restart the service
(4) View the iptables rules: cat /etc/sysconfig/iptables, or service iptables status

iptables -L          # list rules
iptables -L -n -v    # list rules with numeric addresses and packet counters

iptables rules: only allow IPs in the 192.168 range to access the port

iptables -A INPUT -p tcp --dport 54321 -j DROP
iptables -A INPUT -p tcp -s 192.168.0.0/16 --dport 54321 -j ACCEPT

or

iptables -I INPUT -p tcp --dport 11211 -j DROP
iptables -I INPUT -s 192.168.0.0/16 -p tcp --dport 11211 -j ACCEPT
service iptables save
service iptables restart

Note on ordering: iptables evaluates a chain top to bottom and stops at the first match. With -A the DROP is appended first and sits above the ACCEPT, so the ACCEPT never matches and the 192.168 hosts are blocked too. With -I each rule is inserted at the top of the chain, so the ACCEPT issued second ends up above the DROP, which is the intended order. Check the resulting order with iptables -L INPUT -n --line-numbers.

Delete an iptables rule:
iptables -D INPUT -p tcp --dport 11211 -j DROP

Restart the network interface (start, stop, restart eth0):
ifconfig eth0 up
ifconfig eth0 down
ifconfig eth0 down && ifconfig eth0 up
ifdown eth0

The service commands above require root; ordinary users can still run ifconfig in some circumstances.
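To make the rule-ordering point concrete, here is an added example (not part of the original article) that audits an INPUT chain in the text format printed by iptables -S INPUT and flags ACCEPT rules that are shadowed by an earlier DROP with no source filter on the same port; the two sample rule lists are constructed from the -A and -I variants above.

```shell
#!/bin/sh
# Added example, not from the original article: audit INPUT rules in the format
# printed by "iptables -S INPUT" and report ACCEPT rules that can never match
# because an earlier DROP with no source filter already catches the same port.
# iptables walks the chain top to bottom and stops at the first matching rule.

# Reads rules on stdin; prints one line per shadowed ACCEPT, nothing if clean.
shadowed_accepts() {
    awk '
        {
            port = ""; src = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-s")      src = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (port == "") next     # policy lines and rules without a port
            # A DROP without -s blocks every later rule on that port.
            if (target == "DROP" && src == "") {
                if (!(port in blocked)) blocked[port] = NR
            } else if (target == "ACCEPT" && (port in blocked)) {
                printf "line %d: ACCEPT for port %s is shadowed by DROP at line %d\n", NR, port, blocked[port]
            }
        }'
}

check_rules() {        # wrapper so a rule list held in a string can be audited
    printf '%s\n' "$1" | shadowed_accepts
}

# Constructed sample: the -A variant from the article appends DROP before ACCEPT.
BAD_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 54321 -j DROP
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 54321 -j ACCEPT'

# Constructed sample: the -I variant inserts at the top, so ACCEPT lands above DROP.
GOOD_RULES='-P INPUT ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 11211 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11211 -j DROP'

if [ "${1:-}" = "demo" ]; then
    echo "appended with -A:"; check_rules "$BAD_RULES"
    echo "inserted with -I:"; check_rules "$GOOD_RULES"
fi
```

On a live host, pipe the real chain in with iptables -S INPUT | shadowed_accepts (as root).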
