Linux Server Intrusion Detection basics

Source: Internet
Author: User

I have recently run into many cases of server compromise. To make future intrusion detection and forensics easier, I collected some material on Linux server intrusion forensics and summarize it here for later reference.
Typical signs that a server has been compromised include, but are not limited to: the server sending large volumes of packets (it has become a DDoS bot), server resources being exhausted (a mining program), abnormal port connections (a reverse shell and the like), and server logs being maliciously deleted. Since the goal is intrusion detection, the first thing to establish is whether the server really was compromised; problems caused by an administrator's own mistaken operations must be ruled out first. So the first task of intrusion detection is to ask the administrator what anomalies were observed on the server. This matters a lot for judging the type of intrusion later on.

Once the anomaly has been described and administrator error and other causes have been excluded, you can formally start intrusion detection and forensics on the server.

Audit command: last

This command shows successful logins, shutdowns, reboots and so on. It is essentially a formatted dump of /var/log/wtmp, so if that file has been deleted nothing is output; a missing, truncated or zero-length wtmp on a busy server is itself a sign that someone has cleaned up after themselves.

Related parameters:
last -10 (-n 10)      show the last 10 records
last -x reboot        show reboot records
last -x shutdown      show shutdown records
last -d               translate the remote IP address of each login back into a hostname
last -i               show the remote IP address in dotted notation instead
last --help           command help
last -f wtmp          read a given wtmp file (for example a copy taken from the server) with the last command; the file is binary and cannot be read directly

lastb

This command shows failed logins; it is essentially a formatted dump of /var/log/btmp. Failed logins are only recorded if that file exists, so on some systems it is empty or absent.

Related parameters:
lastb root            failed login records for the root user
lastb -10 (-n 10)     the last 10 failed login records
lastb --help          command help

lastlog

This command shows the most recent login of each user; it is essentially a formatted dump of /var/log/lastlog.

Related parameters:
lastlog               last login of every user
lastlog -u root       last login of the root user
lastlog --help        command help

who

This command shows the users currently logged in; it is essentially a formatted dump of /var/run/utmp. It is mainly used to see the logged-in user names and the IP addresses they came from. The w command is like who but more detailed: it also shows each session's login time, idle time and what it is currently running.

history

This shows the shell command history. For root it is essentially the content of /root/.bash_history (every user has their own ~/.bash_history); delete the file and the record is gone. Two caveats: bash only writes the file when the shell exits, so a still-open session may hold commands that are not on disk yet, and an attacker can switch recording off with unset HISTFILE or by linking the file to /dev/null, so an empty history on a busy box is itself suspicious.

Related parameters:
history               show all history
history 10            show the last 10 entries
history | grep wget   show entries that mention wget
help history          help for the history builtin

Show timestamps in history (only commands recorded after HISTTIMEFORMAT is set carry a real timestamp; older entries are shown with the time the history file was loaded):

export HISTTIMEFORMAT="%F %T `whoami` "
history

Check users

Different Linux users have different permissions, but every user is recorded in /etc/passwd, /etc/shadow and /etc/group.

less /etc/passwd                                # look for newly added users
grep ':0:' /etc/passwd                           # look for privileged (UID 0) users
ls -l /etc/passwd                                # last modification time of passwd (stat shows the change time as well)
awk -F: '$3==0 {print $1}' /etc/passwd           # list every UID 0 user, not only root
awk -F: 'length($2)==0 {print $1}' /etc/shadow   # list users with an empty password

Note: an empty password is set on Linux with: passwd -d username
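The one-liners above each answer a single question. The script below is an added example, not part of the original article: it runs the same checks in one pass over the three files (live or copied off the host), and adds two that are easy to forget, duplicate UIDs and membership of the sudo/wheel/admin groups. The UID 1000 boundary for "system" accounts and the list of harmless system shells are assumptions; adjust them to the distribution.

```shell
#!/bin/sh
# Added example (not from the original article): account audit over
# /etc/passwd, /etc/shadow and /etc/group, or over copies of them.
# Usage: sh audit_accounts.sh /etc/passwd /etc/shadow /etc/group   (as root)

audit_accounts() {
    passwd_file=$1
    shadow_file=$2
    group_file=$3

    # 1. Any account with UID 0 is root, whatever it is called.
    awk -F: '$3 == 0 && $1 != "root" { print "UID0-ALIAS " $1 }' "$passwd_file"

    # 2. Two accounts sharing one UID: a common way to hide a second root.
    awk -F: '{ n[$3]++; who[$3] = who[$3] " " $1 }
             END { for (u in n) if (n[u] > 1) print "DUP-UID " u ":" who[u] }' "$passwd_file"

    # 3. Empty password field in shadow: anyone can log in with no password
    #    (this is exactly what "passwd -d user" produces).
    awk -F: '$2 == "" { print "EMPTY-PASSWORD " $1 }' "$shadow_file"

    # 4. Low-UID system accounts normally have nologin/false; a real login
    #    shell on one of them needs explaining. UID < 1000 and the shell
    #    list are assumptions (see /etc/login.defs and /etc/shells).
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false|sync|halt|shutdown)$/ {
                 print "SYSTEM-ACCOUNT-WITH-SHELL " $1 " " $7 }' "$passwd_file"

    # 5. Members of the admin groups can become root through sudo.
    awk -F: '($1 == "sudo" || $1 == "wheel" || $1 == "admin") && $4 != "" {
                 print "ADMIN-GROUP " $1 ":" $4 }' "$group_file"
}

if [ "$#" -eq 3 ]; then
    audit_accounts "$1" "$2" "$3"
fi
```

The output is one finding per line and nothing for a clean set of files, so it can be diffed against a copy taken from a known-good machine of the same build.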

Check processes

A hacked server usually runs some malicious program: a miner, a DDoS tool and so on. If the program is running, looking at the process list turns up some information.

Normal processes
ps aux                                           # list processes
top                                              # live view of processes
lsof -p PID                                      # ports and files opened by a process
lsof -c name                                     # files associated with processes of that name
ps aux | grep python | awk '{print $2}' | xargs kill   # kill python-related processes (look at the list first; awk handles the column spacing that cut -d ' ' does not)
cat /etc/inetd.conf | grep -v "^#"               # remote services started by inetd; on newer systems also check /etc/xinetd.d/ and systemctl list-sockets

If nothing abnormal shows up in the process list, check whether a hidden process is running.

Hidden processes
ps -ef | awk '{print $2}' | sort -n | uniq > 1
ls /proc | grep -E '^[0-9]+$' | sort -n | uniq > 2
diff 1 2

Note: these three steps compare the PIDs that ps reports with the PID directories under /proc; a PID that is in /proc but not in ps has been hidden from ps (by a trojaned ps or an LD_PRELOAD rootkit). Expect one or two transient differences from the processes in the pipelines themselves, and bear in mind that a kernel rootkit can hide the /proc entry as well, which this comparison cannot detect.
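The diff above is the right idea but produces noise from its own pipeline processes, and it says nothing about what the processes that are visible are actually running. The script below is an added example, not from the original article: it samples ps and /proc twice and reports only PIDs hidden both times, and it walks /proc/<pid>/exe directly to find two patterns the page's process commands do not show, binaries that were deleted after being started (a miner or DDoS bot that unlinks itself) and binaries running from world-writable directories. The list of such directories is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): process checks that read
# /proc directly instead of trusting ps. A trojaned ps or an LD_PRELOAD
# rootkit can filter the process list but normally cannot remove the
# /proc/<pid> directories; a kernel rootkit can, and this will not see it.
# Usage: sh proc_check.sh check    (as root so every /proc/<pid>/exe is readable)

# PIDs present in /proc but missing from ps. Two samples are intersected so
# a process that merely started or exited between the listings is not flagged.
hidden_pids() {
    tmp=$(mktemp -d)
    i=1
    while [ "$i" -le 2 ]; do
        ps -eo pid= | tr -d ' ' | sort > "$tmp/ps.$i"
        ls /proc | grep -E '^[0-9]+$' | sort > "$tmp/proc.$i"
        comm -13 "$tmp/ps.$i" "$tmp/proc.$i" > "$tmp/hidden.$i"   # only in /proc
        i=$((i + 1))
        sleep 1
    done
    comm -12 "$tmp/hidden.1" "$tmp/hidden.2"                      # hidden in both samples
    rm -rf "$tmp"
}

# Processes whose on-disk executable is gone: "drop it, run it, unlink it"
# so that file scans and hash checks find nothing.
deleted_exe_pids() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # unreadable or kernel thread
        case $exe in
            *' (deleted)') echo "${p#/proc/} $exe" ;;
        esac
    done
}

# Processes running out of world-writable directories (paths are an assumption).
tmp_exe_pids() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case $exe in
            /tmp/*|/var/tmp/*|/dev/shm/*) echo "${p#/proc/} $exe" ;;
        esac
    done
}

if [ "${1:-}" = check ]; then
    echo "== PIDs in /proc but not in ps"; hidden_pids
    echo "== deleted executables";         deleted_exe_pids
    echo "== executables in tmp dirs";     tmp_exe_pids
fi
```

For any PID reported, /proc/<pid>/cmdline, /proc/<pid>/cwd and /proc/<pid>/maps are still readable even when the file on disk is gone, and cp /proc/<pid>/exe recovers the deleted binary for later analysis.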

Check files

The website on a compromised server has usually been changed. Compare file creation and modification times, integrity and paths to see whether files have been altered.

find / -uid 0 -print                             # root-owned files; far too noisy on its own, so narrow it, e.g. find / -uid 0 -perm -4000 -print for setuid-root binaries
find / -size +10000k -print                      # files larger than 10000k
find / -name "..." -print                        # files named "..." (a common hiding place for dropped tools)
find / -name core -exec ls -l {} \;              # find core files and list their details
md5sum -b filename                               # MD5 of a file (only useful against a known-good value; prefer sha256sum)
rpm -Vf /bin/ls                                  # verify the package that owns /bin/ls against the RPM database (rpm -qf only names the package); repeat for the other files in /bin, or use rpm -Va; on Debian/Ubuntu use debsums
whereis filename                                 # path of a file
ls -al filename                                  # modification time of a file; stat filename also shows the ctime, which touch -t does not reset
du -sh file                                      # file size
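md5sum and rpm -Vf only help for files whose good value is already known somewhere. The script below is an added example, not from the original article: it takes a sha256 baseline of a whole tree (the web root, /bin, /sbin, /usr/bin) so that a later run can list exactly which files were changed, added or removed. The baseline must be stored off the host, or the attacker can simply regenerate it. File names are assumed not to contain newlines.

```shell
#!/bin/sh
# Added example (not from the original article): hash baseline of a directory
# tree, and comparison against it.
# Usage: sh baseline.sh make  /var/www /root/www.sha256   (at deployment time)
#        sh baseline.sh check /var/www /root/www.sha256   (during the investigation)

# make_baseline DIR OUTFILE : one "hash  ./relative/path" line per file
make_baseline() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) > "$2"
}

# check_baseline DIR BASELINE : prints CHANGED / NEW / MISSING lines,
# nothing if the tree still matches the baseline.
check_baseline() {
    now=$(mktemp)
    make_baseline "$1" "$now"
    # sha256sum lines are "<64 hex>  <path>", so the path starts at column 67;
    # slicing there keeps paths that contain spaces intact.
    awk 'NR == FNR { old[substr($0, 67)] = $1; next }
         {
             path = substr($0, 67)
             if (!(path in old))        print "NEW " path
             else if (old[path] != $1)  print "CHANGED " path
             delete old[path]
         }
         END { for (p in old) print "MISSING " p }' "$2" "$now"
    rm -f "$now"
}

case "${1:-}" in
    make)  make_baseline "$2" "$3" ;;
    check) check_baseline "$2" "$3" ;;
esac
```

A CHANGED hit on a file whose mtime still shows the deployment date is worth a closer look: touch -t can reset the mtime but not the content hash.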

Check the network

The point of checking the network is to see whether the attacker has switched a network card into promiscuous mode to sniff traffic, and which ports and connections are open.

ip link | grep PROMISC                           # a normal NIC should not be in PROMISC mode; if it is, a sniffer may be running
lsof -i                                          # processes that hold network sockets
netstat -nap                                     # abnormal ports and the processes behind them (ss -tulnpa on newer systems)
arp -a                                           # is the ARP table normal (ip neigh)
ifconfig -a                                      # NIC settings (ip addr)

Check scheduled tasks

When we try to kill a malicious program we often find that it starts again by itself; then the scheduled tasks (cron) must be checked.

crontab -u root -l                               # root's scheduled tasks (repeat for every user in /etc/passwd, not only root)
cat /etc/crontab
ls -l /etc/cron.*                                # modification times of the cron files and directories
ls /var/spool/cron/                              # per-user crontabs (Debian/Ubuntu: /var/spool/cron/crontabs/)

On systemd hosts also list the timers, which do the same job outside cron: systemctl list-timers --all

Check for system backdoors

Tools such as Conmodo and Rkhunter can be used; of course the checks can also be done by hand.

vim $HOME/.ssh/authorized_keys                   # keys allowed to log in over ssh (check every user's home directory, not only the current one)
lsmod                                            # loaded kernel modules
chkconfig --list                                 # services started at boot (SysV)
systemctl list-units --type=service              # services started at boot (systemd)

Check the well-known Trojan/backdoor locations:

ls /etc/rc.d                                     # files in this directory are started after boot
ls /etc/rc3.d
find / -name ".rhosts" -print
find / -name ".forward" -print

Check for website backdoors

If a web application runs on the server, check whether the server was compromised through a web vulnerability. This can be done by analysing the middleware (web server) logs together with the system logs, but it takes a long time. Another way to decide whether the attacker came in through the web application is to check whether a backdoor (webshell) was left on the server.

Method 1
    • In the site directory, copy out every file whose name contains jsp, php, asp or aspx (note: contains, not ends with) and compress them.
    • Scan the packaged directory with the D Shield tool under Windows to look for webshells (backdoors).
Method 2

Use the Maskfindshell tool directly for webshell scanning (at the time of writing only JSP and PHP sites can be scanned, and the false-positive rate for PHP is high).
For detailed Maskfindshell usage, refer to: maskfindshell-document
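Both methods copy the site off the server and scan it elsewhere. The script below is an added example, not from the original article: a first-pass triage that runs on the server itself before anything is packaged, giving three views of the web root, script files modified within a window, files containing common webshell constructs, and script files sitting where only uploads or images should be. The signature list is an assumption and will also hit legitimate code (plugins that base64_decode their own assets), so every hit is a lead, not a verdict; the window in days is an argument.

```shell
#!/bin/sh
# Added example (not from the original article): webshell triage of a web root.
# Usage: sh webshell_triage.sh /var/www/html 14

SIG='eval\(|assert\(|base64_decode|gzinflate|str_rot13|system\(|passthru\(|shell_exec\(|Runtime\.getRuntime\(\)\.exec|ProcessBuilder'

webshell_candidates() {     # webshell_candidates WEBROOT [DAYS]
    webroot=$1
    days=${2:-30}

    # 1. Script files modified within the window: compare with the deployment date.
    find "$webroot" -type f \
        \( -iname '*.php*' -o -iname '*.phtml' -o -iname '*.jsp*' -o -iname '*.asp*' \) \
        -mtime -"$days" -printf 'RECENT %TY-%Tm-%Td %p\n'

    # 2. Files containing webshell-style constructs.
    grep -rlE "$SIG" \
        --include='*.php*' --include='*.phtml' --include='*.jsp*' --include='*.asp*' \
        "$webroot" | sed 's|^|SIGNATURE |'

    # 3. Script files where only uploads or images belong, or disguised as images.
    find "$webroot" -type f \
        \( -ipath '*/upload*/*' -o -iname '*.jpg.php' -o -iname '*.png.php' -o -iname '*.gif.php' \) \
        \( -iname '*.php*' -o -iname '*.jsp*' -o -iname '*.asp*' \) \
        -printf 'ODD-LOCATION %p\n'
}

if [ "$#" -ge 1 ]; then
    webshell_candidates "$1" "$2"
fi
```

A file that appears under all three headings is the one to open first; cross-check its path against the web server access log for the first request that hit it, which usually points at the upload or injection point that was used.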

Find the physical path of the site

Whichever webshell search method is used, the first thing to determine is the path the web server is installed in, because the webshell is placed under the web path.

    • Ask the administrator or the website developer
    • Use Searchwebpath; for usage refer to: Searchwebpath usage
Packaging files

When doing intrusion detection analysis, we need to copy some log files to a local machine for more detailed analysis. How do we package the server information and copy it locally?

Packaging web files

Package every file whose name contains jsp into my_txt_files.tar (file names containing spaces would break the command substitution; for those use find -print0 | tar --null -T - -cvf my_txt_files.tar):

tar cvf my_txt_files.tar $(find . -type f -name "*.jsp*")

Packaging log files
tar -cvf log.tar /var/log
Packaging additional information
last > last.log
netstat -an > netstat.log
...
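The three packaging steps above produce loose files with nothing that proves they were not altered after leaving the server. The script below is an added example, not from the original article: it captures the volatile command output first (logins, processes, sockets change while you work), tars the log directory, and writes a sha256 manifest that verify_evidence can check later on the analysis machine. The command list is a suggestion; add whatever the case needs. Note the manifest itself must be copied separately (or its own hash recorded) for the check to mean anything.

```shell
#!/bin/sh
# Added example (not from the original article): evidence collection with a
# sha256 manifest.
# Usage: sudo sh collect.sh collect /root/ev-$(date +%F) [/var/log]
#        sh collect.sh verify /root/ev-2024-01-01          (on the analysis machine)

collect_evidence() {        # collect_evidence OUTDIR [LOGDIR]
    out=$1
    logdir=${2:-/var/log}
    mkdir -p "$out/cmd"

    # Volatile state first; each command's output goes to cmd/<command>.txt.
    for cmd in 'last -Faix' 'lastb -Fai' 'lastlog' 'who -a' 'w' \
               'ps -eo pid,ppid,user,lstart,cmd' 'ss -tulnpa' \
               'ip -o link' 'ip neigh' 'lsmod' 'crontab -l' 'date'; do
        name=${cmd%% *}                              # first word names the file
        $cmd > "$out/cmd/$name.txt" 2>&1 || true     # keep going if a tool is missing
    done

    tar -cf "$out/logs.tar" -C "$(dirname "$logdir")" "$(basename "$logdir")" 2>/dev/null || true

    ( cd "$out" && find . -type f ! -name MANIFEST.sha256 -print0 |
        sort -z | xargs -0 sha256sum ) > "$out/MANIFEST.sha256"
}

# verify_evidence DIR : exit 0 only if every file still matches the manifest
verify_evidence() {
    ( cd "$1" && sha256sum -c --quiet MANIFEST.sha256 )
}

case "${1:-}" in
    collect) collect_evidence "$2" "$3" ;;
    verify)  verify_evidence "$2" ;;
esac
```

Write the evidence directory to a path the attacker's cleanup cron is unlikely to touch, then copy it off with one of the methods in the next section and run the verify step on the receiving side.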
Transfer files to the local machine

Several ways to transfer files from the server to the local computer.

lrzsz

If the SSH client is Xshell or similar, the lrzsz commands can be installed (they do not work with PuTTY). Bear in mind that installing a package on the compromised host changes its state (package database, file timestamps); scp or sftp from the analyst's machine needs nothing installed on the server.

apt-get install lrzsz

Use:
To upload a file to Linux, run rz; to download a file from Linux, run sz filename.

Turn on FTP or HTTP

I will not describe setting up FTP here, there are plenty of tutorials on the web; the main point here is turning on an HTTP service.
Python is installed by default on Linux servers, so an HTTP service can be started quickly with Python (python3 -m http.server 8000, or python -m SimpleHTTPServer 8000 on Python 2). It is unauthenticated and unencrypted, so bind it to the management interface or firewall it, and stop it as soon as the copy is done. For details refer to: Python-based webserver

USB stick mount

If we are not connected over SSH but are working directly at the console of the server, a USB drive can be used to transfer the files.

fdisk -l                   # find the USB drive's device path
mount /dev/sdb4 /mnt       # mount the USB drive (the device name is an example; take it from fdisk -l)
cd /mnt                    # enter the USB drive
umount /mnt                # unmount the USB drive (leave the directory first, or it is reported as busy)

This article summarizes some of the most basic Linux intrusion detection commands. How to use them depends on the actual situation and mostly on experience. Everything above belongs to the information-collection phase of intrusion detection; analysing the intrusion from the collected information needs other tools and knowledge.

Reference Link: http://www.jb51.net/hack/421908.html

