1. See which users have/bin/bash permissions
cat/etc/passwd
2. Check if common commands have been tampered with
(1) Find the path to the command file (Whereis and which)
whereis netstatwhich netstat
which netstat/bin/netstatwhereis netstatnetstat: /bin/netstat /usr/share/man/man8/netstat.8.gz
(2) Observe the properties of the command, mainly look at the modification time and size (stat and LL)
stat /bin/netstatll -h /bin/ps -rwxr-xr-x. 1 root root 81K Nov 15 2012 /bin/ps
If the command is found to be abnormal, may be tampered with, can be uploaded to the micro-step identification. To eliminate interference, it is recommended that you copy the command set from other normal systems.
Stat can view file access, modification, change time
The file's access time to the file after using the More\less\cat command changes to the last access time, and the file's modification time and change time have not changed.
stat /bin/netstatFile: `/bin/netstat‘Size: 123360 (Byte) Blocks: 248 IO Block: 4096 regular fileDevice: fc01h/64513d Inode: 5219 Links: 1Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2018-05-07 17:00:50.927556605 +0800Modify: 2012-05-10 16:17:33.000000000 +0800Change: 2015-11-17 18:47:03.594999914 +0800
Observe the size of the file, if it is particularly large it may be abnormal
Observe the last modification time of the third line listed, which is likely to be abnormal near the time of the incident
3. File Hidden Properties Attrtest
(1) Show file Attrtest hidden properties
lsattr attrtest
(2) Add or remove the I attribute to the file attrtest
chattr +i attrtestchattr -i attrtest
4. Check the history command output is empty
Ls-l ~/.bash_history
After you have executed the above command, you will see a normal output similar to the following:
-rw—— 1 jd jd 13829 Oct 10 17:06 /home/jd/.bash_history
If you see the following output:
LRWXRWXRWX 1 JD JD 9 OCT 19:40/home/jd/.bash_history-/dev/null
Indicates that the. bash_history file has been redirected to/dev/null. This is a deadly message.
How do I clear history?
Linux emptying history and recording principle
1, the current session execution of the command, placed in the cache, execution exit, the cache information is written to ~/.bash_history
2. When the session is killed directly, the history command in the cache is not written to ~/.bash_history
3. How to properly empty the current user's history
~/.bash_history
History-c #清空当前缓存中的命令
Exit #关闭shell连接 to avoid writing to ~/.bash_history
#执行exit, the command is logged to the ~/.bash_history file.
5. Environment variables and current connection IP
env
6. Welcome language
cat /etc/motd 切数据,勒索的多用
7. Restart the shutdown record
8. Kicking out a malicious user's connection, kill malicious process, reset user password
(1) Ask suspicious users according to TTY:pkill -kill -t tty1
(2) Kill malicious process according to PID:kill -9 31685
(3) Modify user password
修改user1的密码passwd user1修改当前用户的密码passwd
9.rm Delete malicious files
To delete a folder:
rm -rf /var/log/httpd/access将会删除/var/log/httpd/access目录以及其下所有文件、文件夹
To delete a file:
rm -f /var/log/httpd/access.log将会强制删除/var/log/httpd/access.log这个文件
10.Iptables Save, restart, close, list rules, add rules
Iptables Related usage Instructions
(1) Save iptables Configurationservice iptables save
(2) Shut down, turn on, restart the firewall
/etc/init.d/iptables stop/etc/init.d/iptables start/etc/init.d/iptables restart/etc/init.d/iptables status
service iptables startservice iptables stopservice iptables restartservice iptables status
(3) All modifications to iptables should be saved and reset
(4) View iptables forwarding rules:cat /etc/sysconfig/iptables或者service iptables status
iptables -L列出规则iptables -L -n -v" "Iptables规则:只允许192.168段的IP访问iptables -A INPUT -p tcp --dport 54321 -j DROPiptables -A INPUT -p tcp -s 192.168.0.0/16 --dport 54321 -j ACCEPT 或iptables -I INPUT -p tcp --dport 11211 -j DROPiptables -I INPUT -s 192.168.0.0/16 -p tcp --dport 11211 -j ACCEPTservice iptables saveservice iptables restart
Iptables删除规则iptables -D INPUT -p tcp --dport 11211 -j DROP
重启网卡 "启动、关闭、重启网卡eth0ifconfig eth0 upifconfig eth0 downifconfig eth0 down && ifconfig eth0 upifdown eth0
In some cases, service commands are received for root use, while ordinary users can still use ifconfig under certain circumstances.
Linux intrusion Analysis (iii) Clean up trojans and problem users