Linux System Emergency Response


0. Introduction
Incident response covers the work done when a system first shows a problem: troubleshooting the error, reconstructing the intrusion for forensics, tracing the intrusion back to its source, and the other emergency handling that follows.
Knowledge point 1, the common starting points for analysis
(1) File analysis
(2) Process analysis
(3) Network analysis
(4) Command analysis
(5) Log analysis
Generally speaking:
Command analysis partly overlaps with file analysis: a large part of it is checking the hashes of the command binaries themselves, so that a replaced (trojaned) command is not trusted to report on the state of the system.

I. File analysis
Knowledge point 1, sensitive directories
(1) /tmp: temporary files
(2) /usr/bin, /usr/sbin, /bin: the directories where the system commands live
(3) /etc/init.d: boot (service start) scripts
Knowledge point 2, sensitive files
(1) /etc/rc.local: commands run at boot
(2) /root/.bash_history: command execution history
(3) /etc/passwd, /etc/shadow: user account information
(4) /etc/cron*: scheduled task information
Knowledge point 3, common commands
(1) ls -alt [-a show hidden files whose names start with "."; -t sort by time; -l show the long listing]
(2) Take the first x lines (x a positive integer): head -n x
(3) View file details: stat
(4) find / -mtime x -name "*.php" (or -ctime in place of -mtime)
[-mtime matches on the content modification time, which does not change when only permissions change]
[-ctime matches on the inode change time, which also changes on a permission or ownership change]
[x is in days: 0 means the last 24h, 1 means 24h to 48h ago, and so on]
[-name is followed by a file name pattern (shell wildcards)]
(5) View files by permission: find ./*.py -perm 4777 [-perm is followed by the permission bits to match; 4777 is setuid plus rwx for everyone]
(6) To check whether a command file has been replaced, compare its md5sum directly against a known-good value.
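The hash check in (6) and the -ctime search in (4), written as a small script. This is an added example, not code from the original post: it assumes md5sum, find, comm and mktemp from coreutils/findutils, takes the directory as a parameter instead of hard-coding /bin, and the demo at the end works on a constructed temporary directory, never on the real command directories.

```shell
#!/bin/sh
# Added example (not from the original page): record md5sums of the command
# binaries in a directory as a baseline, then compare later to find replaced
# or newly dropped files, and list files whose inode changed recently (-ctime).
# Assumes md5sum, find, comm and mktemp (coreutils/findutils); paths here are
# parameters, and the demo uses a constructed temporary directory, not /bin.

# make_baseline DIR OUT: one "hash  path" line per regular file, sorted so
# that comm can compare it later (paths must not contain spaces here)
make_baseline() {
    find "$1" -type f -exec md5sum {} + | sort > "$2"
}

# verify_baseline DIR BASELINE: print the path of every file whose hash line
# is not in the baseline, i.e. modified (replaced) or new; silent when clean
verify_baseline() {
    find "$1" -type f -exec md5sum {} + | sort > "$2.now"
    comm -13 "$2" "$2.now" | awk '{print $2}'
    rm -f "$2.now"
}

# recently_changed DIR DAYS: files whose inode changed within DAYS days,
# which also catches chmod/chown that an -mtime search would miss
recently_changed() {
    find "$1" -type f -ctime -"$2"
}

# demo: build a fake bin directory, baseline it, then "replace" one binary
# and drop a new file; prints the two offending paths
demo() {
    d=$(mktemp -d)
    mkdir "$d/bin"
    printf 'original ls\n' > "$d/bin/ls"
    printf 'original ps\n' > "$d/bin/ps"
    make_baseline "$d/bin" "$d/baseline.md5"
    printf 'replaced ps\n' > "$d/bin/ps"      # simulated replaced binary
    printf 'dropped tool\n' > "$d/bin/extra"  # simulated new file
    verify_baseline "$d/bin" "$d/baseline.md5"
    rm -rf "$d"
}

demo
```

On a real host the baseline must come from a trusted source (a clean install image, the package manager's own verification such as rpm -Va, or a copy taken before the incident); a baseline built on an already compromised machine only proves that nothing changed since the compromise.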

II. Network and process analysis
Knowledge point 1, viewing processes
(1) ps aux
(2) Combine with grep, e.g. ps aux | grep xxx or ps aux | grep -v xxx [-v excludes the lines matching xxx]
Knowledge point 2, viewing the network
(1) netstat -antlp | more: basic information on listening ports and connections, with the owning program
(2) lsof -i :port: which program has the given port open
Knowledge point 3, viewing hidden processes
(1) ps -ef | awk '{print $2}' | sort -n | uniq > 1
ls /proc | sort -n | uniq > 2
diff 1 2
[$2 of ps -ef is the PID column; PIDs that appear in /proc but not in the ps output are suspect. /proc also contains non-numeric entries, which show up in the diff as well and can be ignored.]
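The same ps-versus-/proc comparison as functions, added here as an example that is not part of the original post. It assumes Linux procfs and a ps that supports -e -o pid= for the live check; the PID lists used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): the ps-versus-/proc comparison
# as functions. Assumes Linux procfs and ps -e -o pid= for the live check.
# PIDs present in /proc but missing from the ps output are candidates for a
# hidden process (e.g. ps replaced or hooked by a rootkit).

# numeric_sorted: keep only all-digit tokens (drops /proc/self, cpuinfo, ...),
# plain-sorted because comm needs lexical order, not sort -n
numeric_sorted() {
    awk '{print $1}' | grep -E '^[0-9]+$' | sort -u
}

# hidden_pids PS_FILE PROC_FILE: print the PIDs that are in PROC_FILE only
hidden_pids() {
    comm -13 "$1" "$2"
}

# live_check: snapshot /proc with a shell glob first (no extra process is
# spawned), then run ps, so that a short-lived helper such as ls does not
# appear as a false hit
live_check() {
    d=$(mktemp -d)
    for p in /proc/[0-9]*; do echo "${p#/proc/}"; done | numeric_sorted > "$d/proc"
    ps -e -o pid= | numeric_sorted > "$d/ps"
    hidden_pids "$d/ps" "$d/proc"
    rm -rf "$d"
}

# run the live check only where procfs and ps are available
if [ -d /proc/self ] && command -v ps > /dev/null 2>&1; then
    live_check
fi
```

A process that exits between the two snapshots shows up as a false positive, so rerun the check and only treat a PID that is reported consistently as hidden; /proc/PID/exe and /proc/PID/cmdline then tell you what it is.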

III. System information analysis
Knowledge point 1, history analysis: /root/.bash_history holds the commands executed by root
Knowledge point 2, sensitive file analysis (see the sensitive files above)
Knowledge point 3, boot start analysis: chkconfig
Knowledge point 4, user information analysis: cat /etc/passwd | grep -E "/bin/bash$" lists the users that can log in with a shell
Knowledge point 5, environment variable and system path analysis: echo $PATH
Knowledge point 6, SSH analysis: /etc/ssh and the .ssh directory of each user (e.g. /root/.ssh)

IV. Log analysis
Knowledge point 1, log files
(1) /var/log/wtmp: login records
(2) /var/run/utmp: currently logged-in users
(3) /var/log/lastlog: last login of each user
(4) /var/log/btmp: failed login attempts
Knowledge point 2, keywords
(1) Accepted
(2) Failed
(3) Password
(4) Invalid
Knowledge point 3, login log analysis
(1) lastlog: the most recent successful login of each user and related last-login information
(2) who: currently logged-in users
(3) w: similar to (2)
(4) users: similar to (2)
(5) lastb: similar to (1), but for failed logins
(6) finger
Knowledge point 4, two statements
(1) grep "Failed password for root" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr | more
(2) grep "Accepted" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr | more

V. Backdoor troubleshooting
Knowledge point 1, finding webshells
(1) Command:
find /var/www/ -name "*.php" | xargs egrep 'assert|phpspy|c99sh|milw0rm|eval|\(gzuncompress|\(base64_encode|spider_bc|shell_exec|passthru|\(\$_POST\[|eval\(str_rot13|\.chr\(|\$\{"_P|eval\(\$_R|file_put_contents\(\.\*\$_|base64_decode'
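The same scan wrapped as a function, added as an example that is not part of the original post. The pattern list is adapted from the one above rather than copied: eval is anchored as "eval(" so that words like "evaluate" do not match, and the superglobal check is widened to $_POST, $_GET and $_REQUEST. It assumes find and grep -E; the PHP files in the demo are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original page): a webshell grep wrapped as a
# function, with a pattern list adapted from the text (eval anchored as
# "eval(", superglobals widened to POST/GET/REQUEST). Assumes find and
# grep -E; the demo files are constructed in a temporary directory.

# extended-regex alternation; the literal $, ( and [ are escaped for grep -E
WEBSHELL_PATTERN='assert\(|phpspy|c99sh|milw0rm|eval\(|gzuncompress|base64_decode|shell_exec|passthru|system\(|\$_(POST|GET|REQUEST)\[|str_rot13|file_put_contents\(.*\$_'

# scan_webshells DIR: print file:line:text for every match. The /dev/null
# argument forces the file name prefix even when grep gets a single file,
# and "|| true" keeps the function's status 0 when nothing matches.
scan_webshells() {
    find "$1" -type f -name '*.php' -exec grep -En "$WEBSHELL_PATTERN" /dev/null {} + || true
}

# demo_scan: one benign page and two suspicious uploads, all constructed
demo_scan() {
    d=$(mktemp -d)
    mkdir "$d/uploads"
    cat > "$d/index.php" <<'EOF'
<?php echo "hello"; ?>
EOF
    cat > "$d/uploads/avatar.php" <<'EOF'
<?php eval($_POST['cmd']); ?>
EOF
    cat > "$d/uploads/helper.php" <<'EOF'
<?php $p = base64_decode($_REQUEST['p']); echo $p; ?>
EOF
    scan_webshells "$d"
    rm -rf "$d"
}

demo_scan
```

Every hit still has to be read by a person: base64_decode and file_put_contents are common in legitimate code, so the grep narrows the search to files worth opening, and the -mtime/-ctime checks from the file analysis section help order them by how recently they appeared.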

VI. A few tips for application logs
Knowledge point 1,
find . -name access_log | xargs grep a.b.c.d [search the access logs for an IP]
find . -name access_log | xargs grep trojan_name [search the access logs for the name of a dropped file]
cat access.log | cut -d " " -f 1 | sort | uniq -c | sort -k 1 -n -r | head -10 [-f 1 is the client IP; the original gives -f 4 for the URL, but in the common combined log format the request path is field 7]
cat access.log | sort -k 2 -n -r | head -10
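The two auth.log statements from the log analysis section and the access-log top-N counting from this section, as functions over constructed sample lines. This is an added example, not code from the original post. Instead of the fixed $11 column, the awk takes the token that follows "from", so "Failed password for invalid user X from IP" lines (where the IP shifts to $13) are counted as well; it assumes awk, sort, uniq, cut and head from coreutils, and real logs are fed in with < /var/log/auth.log or < access.log.

```shell
#!/bin/sh
# Added example (not from the original page): the auth.log statements and
# the access-log top-N counting as functions. The awk takes the token after
# "from" rather than the fixed $11 column, so "invalid user" lines (IP in
# $13) are counted too. Assumes awk, sort, uniq, cut and head (coreutils).
# The log lines below are constructed sample data.

AUTH_SAMPLE='Jan 10 12:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 4001 ssh2
Jan 10 12:00:02 host sshd[102]: Failed password for root from 203.0.113.5 port 4002 ssh2
Jan 10 12:00:03 host sshd[103]: Failed password for invalid user admin from 198.51.100.7 port 4003 ssh2
Jan 10 12:00:04 host sshd[104]: Accepted password for deploy from 192.0.2.10 port 4004 ssh2
Jan 10 12:00:05 host sshd[105]: Accepted publickey for root from 192.0.2.11 port 4005 ssh2'

ACCESS_SAMPLE='203.0.113.5 - - [10/Jan/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2024:12:00:02 +0000] "GET /uploads/avatar.php?cmd=id HTTP/1.1" 200 90
198.51.100.7 - - [10/Jan/2024:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 512'

# count_by_source KEYWORD < authlog: "count ip" per source, most frequent first
count_by_source() {
    grep "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -nr | awk '{print $1, $2}'
}

# top_field N FIELD < accesslog: the N most frequent values of a
# space-separated field (1 = client IP, 7 = request path in the combined
# log format)
top_field() {
    cut -d ' ' -f "$2" | sort | uniq -c | sort -nr | head -n "$1" | awk '{print $1, $2}'
}

printf '%s\n' "$AUTH_SAMPLE" | count_by_source 'Failed password'
printf '%s\n' "$AUTH_SAMPLE" | count_by_source 'Accepted'
printf '%s\n' "$ACCESS_SAMPLE" | top_field 10 1
printf '%s\n' "$ACCESS_SAMPLE" | top_field 10 7
```

Cross-checking the two outputs is the point of the exercise: an address with many failed passwords followed by an Accepted line for the same address, or an IP that both brute-forced SSH and requested a freshly uploaded .php file, is the lead to follow first.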
