Linux intrusion check utility commands

Source: Internet
Author: User

1. Get the process ID of a running program named filename:
   # pidof filename

2. See which process is using a file or a TCP/UDP port:
   # fuser -n tcp port

3. See a file's modification time, size and other information:
   # stat filename

4. Check the loaded modules:
   # lsmod

5. Check which RPC services are open:
   # rpcinfo -p

6. Check whether the NIC is in promiscuous mode:
   # dmesg | grep eth0

7. Check whether a command has been changed (similar to md5sum):
   # rpm -Vf /bin/ls
   # rpm -Vf /bin/ps
   Normally there is no output; otherwise the output looks like:
   SM5....T /bin/su
   Note that the rpm database itself is not reliable if it has been modified. In that case you can only compare against an rpm database on the network or on CD-ROM, for example with rpm -Vvp.

   /usr/bin/chfn
   /usr/bin/chsh
   /bin/login
   /bin/ls
   /usr/bin/passwd
   /bin/ps
   /usr/bin/top
   /usr/sbin/in.rshd
   /bin/netstat
   /sbin/ifconfig
   /usr/sbin/syslogd
   /usr/sbin/inetd
   /usr/sbin/tcpd
   /usr/bin/killall
   /sbin/pidof
   /usr/bin/find

 

8. If you are checking a machine that has been confirmed to be attacked by hackers, we recommend that you:
   1. Back up the hard disk with dd.
   2. Mount an optical drive holding commonly used tools as statically compiled programs, such as ls, ps and netstat.
   3. Use nc to send the output of each step to a remote machine.

9. Use md5sum to save a global file of checksums:
   # find /sbin -type f | xargs md5sum > 1st
   To check:
   # md5sum -c 1st | grep OK

10. Avoid excessive write operations on the attacked machine:
   1. On another machine, 192.168.20.191, run:
      # nc -L -p 1234 > some_audit_output.log
      Note that the L is uppercase; it keeps nc listening permanently.
   2. On the attacked machine, run:
      # command | nc 192.168.20.191 1234
      or
      # script > /mnt/export
   3. After the check is complete, press Ctrl+D to save the record.

11. Find suspicious programs through their processes:
   1. Run netstat -anp and record all suspicious items, based on experience.
   2. Enter the process's directory under /proc:
      # cd /proc/3299
   3. Run ls -la. The exe entry generally shows the path of the executable file.
   4. Go into the fd directory to view the open file handles. At this point the executable can usually be found.
   5. Run ps -awx and check the suspicious process again.

12. If the hacker deleted the logs:
   1. Search for all logs that were not completely deleted, such as history and sniffer logs.
   2. The /proc/pid/fd directory shows that a file has been deleted:
      l-wx------ 1 root root 64 Aug 10 20:54 15 -> /var/log/httpd/error_log (deleted)
      l-wx------ 1 root root 64 Aug 10 20:54 18 -> /var/log/httpd/ssl_engine_log (deleted)
      l-wx------ 1 root root 64 Aug 10 20:54 19 -> /var/log/httpd/ssl_mutex.800 (deleted)
      l-wx------ 1 root root 64 Aug 10 20:54 20 -> /var/log/httpd/access_log (deleted)
      l-wx------ 1 root root 64 Aug 10 20:54 21 -> /var/log/httpd/access_log (deleted)
      l-wx------ 1 root root 64 Aug 10 20:54 22 -> /var/log/httpd/ssl_request_log (deleted)
      l-wx------ 1 root root 64 Aug 10 20:54 23 -> /var/log/httpd/ssl_mutex.800 (deleted)
      lrwx------ 1 root root 64 Aug 10 20:54 3 -> /var/run/httpd.mm.800.sem (deleted)
      lrwx------ 1 root root 64 Aug 10 20:54 4 -> /var/log/httpd/ssl_scache.sem (deleted)

 

   3. Use a statically compiled lsof | grep deleted to check which files have been deleted:
      COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
      gpm 1650 root 1u REG 8,2 5 149743 /var/run/gpm208raa (deleted)
   4. Obtain the inode number of the file, which is 149743.
   5. Use sleuthkit to recover it. df /var shows that the disk location is sda1:
      # icat /dev/sda1 149743
   6. Check the recovered files carefully. Traces can generally be found.

   A program compiled like this is difficult to analyze:
   # gcc -O4 evil.c -o evil
   # strip ./evil
   To analyze it:
   1. file: checks the file type, whether it is statically compiled, and whether it has been stripped.
   2. strings: displays the ASCII strings in the program; search for those strings on Google.
   3. strace: traces system calls (I do not know how to use this):
      # strace -p pid
   4. gdb (not used).

13. Some processes do not appear in the process list but leave traces in /proc, which makes it possible to find hidden processes. proc is a pseudo file system that provides a structured interface to /dev/kmem; it makes system diagnosis easier and lets you view the environment of every running executable.
   # ps -ef | awk '{print $2}' | sort -n | uniq > 1
   # ls /proc | sort -n | uniq > 2
   # diff 1 2

14. The emergency toolkit tct contains many tools, including icat and other data recovery tools. To collect evidence from the attacked machine, you can mount a hard disk or back up the data over the network:
   a. On the receiving machine (192.168.0.1 here), run:
      # nc -L -p 1234 > abc.img
   b. On the compromised machine, run:
      # dd if=/dev/hdb5 count=20000 bs=1024 | nc 192.168.0.1 1234 -w 3
   If the backup is too large, you can listen on multiple ports and run multiple dd copies, then merge the files:
      # cat 2 >> 1.img

15. ldd displays the dynamic libraries that an executable depends on, but it cannot display indirectly dependent libraries:
   [root@rh9bk root]# ldd /bin/ls
   libtermcap.so.2 => /lib/libtermcap.so.2 (0x40022000)
   libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
   /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

   strace is a debugging tool that shows all the system calls a program makes during execution:
   [root@rh9bk root]# strace -eopen /bin/ls >/dev/null
   open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
   open("/etc/ld.so.cache", O_RDONLY) = 3
   open("/lib/libtermcap.so.2", O_RDONLY) = 3
   open("/lib/tls/libc.so.6", O_RDONLY) = 3
   open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
   open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
   open("/etc/mtab", O_RDONLY) = 3
   open("/proc/meminfo", O_RDONLY) = 3

   # strace -o out telnet 192.168.100.100

 

The -o parameter writes the strace output to the file out; the file name can be chosen freely. When we open the out file, we find a lot of system call information. We are mainly concerned with the open system calls. open is used to open files: not only does a dynamic library have to be opened before it is called, open is also used to read configuration files. You can therefore use a simple sed script to print all the open lines in the out file:
   # sed -n -e '/^open/p' out
The output is as follows:
   open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
   open("/etc/ld.so.cache", O_RDONLY) = 3
   open("/lib/libutil.so.1", O_RDONLY) = 3
   open("/usr/lib/libncurses.so.5", O_RDONLY) = 3
   open("/lib/i686/libc.so.6", O_RDONLY) = 3
   open("/etc/resolv.conf", O_RDONLY) = 3
   open("/etc/nsswitch.conf", O_RDONLY) = 3
   open("/etc/ld.so.cache", O_RDONLY) = 3
   open("/lib/libnss_files.so.2", O_RDONLY) = 3
   open("/etc/services", O_RDONLY) = 3
   open("/etc/host.conf", O_RDONLY) = 3
   open("/etc/hosts", O_RDONLY) = 3
   open("/etc/ld.so.cache", O_RDONLY) = 3
   open("/lib/libnss_nisplus.so.2", O_RDONLY) = 3
   open("/lib/libnsl.so.1", O_RDONLY) = 3
   open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
   open("/etc/ld.so.cache", O_RDONLY) = 3
   open("/lib/libnss_dns.so.2", O_RDONLY) = 3
   open("/lib/libresolv.so.2", O_RDONLY) = 3
   open("/etc/services", O_RDONLY) = 3
   open("/root/.telnetrc", O_RDONLY) = -1 ENOENT (No such file or directory)
   open("/usr/share/terminfo/l/linux", O_RDONLY) = 4

 

The output shows several libraries that cannot be displayed by ldd.
   /lib/libnss_dns.so.2, /lib/libresolv.so.2, /lib/libnsl.so.1, /lib/libnss_nisplus.so.2, /lib/libnss_files.so.2
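The comparison described above, as an added example that is not part of the original article: shell functions that list the shared objects a traced program opened successfully but that a saved ldd listing does not contain. The function names are assumptions, and the ldd listing in the sample is constructed, since the article does not show ldd output for telnet.

```shell
#!/bin/sh
# Added example: shared objects opened at run time that ldd did not report.

# Paths of shared objects successfully opened in strace output file $1.
opened_libs() {
    sed -n -E 's/^(open|openat)\((AT_FDCWD, )?"([^"]+)".*\) = [0-9]+$/\3/p' "$1" |
        grep -E '\.so(\.[0-9]+)*$' | LC_ALL=C sort -u
}

# Resolved library paths in a saved ldd output file $1.
ldd_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }' "$1" | LC_ALL=C sort -u
}

# Usage: runtime_only_libs STRACE_OUT LDD_OUT
runtime_only_libs() {
    t=$(mktemp -d) || return 1
    opened_libs "$1" > "$t/opened"
    ldd_libs "$2" > "$t/ldd"
    LC_ALL=C comm -23 "$t/opened" "$t/ldd"
    rm -rf "$t"
}

# Constructed sample: some lines of the telnet trace shown above, and an
# ldd listing assumed for the same binary.
demo_libs() {
    d=$(mktemp -d) || return 1
    cat > "$d/out" <<'EOF'
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libutil.so.1", O_RDONLY) = 3
open("/lib/i686/libc.so.6", O_RDONLY) = 3
open("/lib/libnss_files.so.2", O_RDONLY) = 3
open("/lib/libnss_dns.so.2", O_RDONLY) = 3
open("/lib/libresolv.so.2", O_RDONLY) = 3
open("/etc/hosts", O_RDONLY) = 3
EOF
    cat > "$d/ldd" <<'EOF'
    libutil.so.1 => /lib/libutil.so.1 (0x40022000)
    libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
EOF
    runtime_only_libs "$d/out" "$d/ldd"
    rm -rf "$d"
}

demo_libs
```

Failed opens (the -1 ENOENT lines) and non-library files such as /etc/ld.so.cache are ignored, so what remains are the NSS and resolver libraries loaded at run time.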

 

   strace -o aa -ff -p PID generates multiple files whose names start with aa. To view information about the files the process opened:
   # grep open aa* | grep -v -e No -e null -e denied | grep WR

16. To send logs to a log host, perform the following steps:
   a. Edit /etc/syslog.conf (vi /etc/syslog.conf) and add:
      *.* @192.168.20.163
      This sends all logs to 192.168.20.163.
   b. Restart syslog:
      # service syslog restart
   c. Install kiwisyslogd on 192.168.20.163.
   d. Log in remotely and deliberately enter a wrong password. An alarm appears on the log host immediately. You can also observe the traffic with tcpdump port 514.

17. If you know that the hacker intruded on 0927:
   # touch -t 09270000 /tmp/a
   # find / \( -newer /tmp/a -o -cnewer /tmp/a \) -ls
   This lists the files changed or created from that day onward.

18. Whole-disk copy:
   # dd if=/dev/sda of=/dev/sdb bs=1024
   Partition copy (tested):
   # dd if=/dev/sda1 of=/abc bs=1024
   The image is saved in the root partition. To check it with mount (sda2 holds another Linux installation), enter:
   # mount /dev/sda2 /mnt
   The abc file is visible here. Then enter:
   # mount aa /tmp -o loop
   The contents of the image just created are visible here.

19. Find the files that contain a specified string (testing shows that this also works on binary files; it matches the content that strings would show):
   # find /tmp -type f -exec grep "no exist" {} \; -print
   # find /etc/rc.d -name '*crond' -exec file {} \;
   The second command finds all files under /etc/rc.d whose names end in crond and runs the file command to view their properties. Note: there is a space between -exec and file, a space between file and {}, and a space between {} and \;. The \; is a single unit.

20. kill -SIGSEGV followed by the process number generates a core file. You can use strings to view the information in it and use a C program to rebuild the executable from it. An article about this is saved under study/unix/. In my test no core file was produced; the reason is unknown.
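For the /proc/pid/fd check in item 12, an added example (not part of the original article): a function that walks every process's fd directory and reports descriptors whose link target is marked (deleted). The function name, the optional path-prefix filter and the PID 800 in the sample tree are assumptions; the sample tree is constructed from the listing shown in item 12.

```shell
#!/bin/sh
# Added example: list descriptors that still point at deleted files.

# deleted_fds [PROC_ROOT] [PATH_PREFIX]
# Prints "PID FD PATH" for each descriptor whose target ends in " (deleted)"
# and starts with PATH_PREFIX (default "/"). PROC_ROOT defaults to /proc and
# is a parameter only so the function can be tried on a constructed tree.
deleted_fds() {
    root=${1:-/proc}
    prefix=${2:-/}
    for fd in "$root"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue              # unreadable or empty fd dir
        target=$(readlink "$fd") || continue  # process may have exited
        case $target in
            "$prefix"*' (deleted)')
                pid=${fd#"$root"/}
                pid=${pid%%/*}
                printf '%s %s %s\n' "$pid" "${fd##*/}" "${target% (deleted)}"
                ;;
        esac
    done
}

# Constructed sample tree imitating /proc/800/fd from the listing above.
demo_deleted() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/800/fd"
    ln -s '/dev/null' "$d/800/fd/1"
    ln -s '/var/log/httpd/error_log (deleted)' "$d/800/fd/15"
    ln -s '/var/log/httpd/access_log (deleted)' "$d/800/fd/20"
    ln -s '/var/run/httpd.mm.800.sem (deleted)' "$d/800/fd/3"
    deleted_fds "$d" /var/log
    rm -rf "$d"
}

demo_deleted
```

Run it against the live /proc as root so that other users' descriptors are readable. While the owning process is still alive, the data behind a listed descriptor can be copied out with cat /proc/PID/fd/FD piped to the nc listener from item 10.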
