Methods for detecting Unix intrusion

Source: Internet
Author: User

Without the help of other tools, how can we determine the current security state of a system and discover intrusions? The following describes some common manual checks, using Linux and Solaris as examples:

1. Check the system password file

First check the passwd file: ls -l /etc/passwd, and look at the modification date of the file.

Enter the command awk -F: '$3 == 0 {print $1}' /etc/passwd to see which privileged accounts the passwd file contains: every user with uid 0 will be printed. At the same time, check whether the system has any account with an empty password: awk -F: 'length($2) == 0 {print $1}' /etc/shadow
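The following script, added here as an example and not part of the original article, wraps both awk checks in functions and runs them against constructed passwd and shadow files (the account names and hashes in the sample are made up, and the "toor" account plays the intruder's extra uid-0 user):

```shell
#!/bin/sh
# Added example (not from the original article): audit a passwd file for
# uid-0 accounts and a shadow file for empty password fields.
# Paths default to /etc/passwd and /etc/shadow; pass other files to test.

uid0_accounts() {            # print every account whose uid field ($3) is 0
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

empty_password_accounts() {  # print accounts whose hash field ($2) is empty
    awk -F: 'length($2) == 0 { print $1 }' "${1:-/etc/shadow}"
}

# Constructed sample files so the script runs without touching the host's files
TMP=$(mktemp -d)
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backdoor:/tmp:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
EOF
cat > "$TMP/shadow" <<'EOF'
root:$6$salt$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
toor::19000:0:99999:7:::
alice:$6$salt$hash:19000:0:99999:7:::
EOF

echo "uid 0 accounts:";          uid0_accounts "$TMP/passwd"
echo "empty-password accounts:"; empty_password_accounts "$TMP/shadow"
rm -rf "$TMP"
```

Any account other than root with uid 0, and any account at all with an empty hash field, deserves an explanation; on Solaris the same two commands apply, since it also keeps hashes in /etc/shadow.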

2. Check the process to see if there are any strange processes.

Focus on the inetd process: ps -aef | grep inetd

inetd is the Internet super-server daemon of UNIX systems, and a legitimately started inetd normally has a low PID because it is started at boot. If you see output similar to inetd -s /tmp/.xxx, pay attention to what follows inetd -s. Normally the inetd service on Linux carries no -s parameter and is never started with a file other than its default configuration; on Solaris it runs as plain inetd -s, again without a specific file. If ps shows that inetd was started with a file you did not configure, someone has broken into your system and used inetd to start a simple backdoor with root privileges.

Enter ps -aef and examine the output, in particular for processes whose command starts with ./xxx. Once a suspicious process is found, locate the backdoor program the intruder left behind and run kill -9 pid to terminate it, then run ps -aef again to confirm that it is gone. If such a process is killed and comes back, the system has been planted with a script that restarts the program automatically, and you need to search carefully: find / -name program_name -print, then examine the directory in which the program is found. Note that on UNIX the ps binary itself is sometimes replaced to hide processes; detecting that is a file integrity question, which is discussed later. Next, find the directory on the server that the attacker has been using and track back step by step.
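A replaced ps only hides processes from ps; the kernel still exposes every process as a numeric directory under /proc. The following script, added here as an example and not part of the original article, compares the two views. The comparison function takes two PID lists so it can be exercised on constructed input; the live wrapper reads /proc and ps -e -o pid= on the running system:

```shell
#!/bin/sh
# Added example (not from the original article): report PIDs that exist in
# /proc but are missing from ps output, which is what a trojaned ps or a
# hidden-process backdoor produces.

hidden_pids() {   # $1 = PIDs reported by ps, $2 = PIDs seen in /proc (whitespace separated)
    ps_pids=$1
    proc_pids=$2
    { printf '%s\n' $ps_pids; echo '--'; printf '%s\n' $proc_pids; } |
      awk 'NF == 0       { next }
           $1 == "--"    { in_proc = 1; next }
           !in_proc      { seen[$1] = 1; next }
           !($1 in seen) { print $1 }'
}

live_check() {    # compare the running system's /proc against its ps
    proc_pids=$(ls /proc 2>/dev/null | grep '^[0-9][0-9]*$')
    ps_pids=$(ps -e -o pid= 2>/dev/null)
    # /proc and ps are read a few milliseconds apart, so a PID that was
    # created or exited in that window can show up here too: re-check any hit
    # (ls -l /proc/PID/exe, cat /proc/PID/cmdline) before acting on it.
    hidden_pids "$ps_pids" "$proc_pids"
}

# Constructed demonstration: ps "forgot" PID 4242
echo "demo, hidden PIDs:"
hidden_pids "1 2 3 4243" "1 2 3 4242 4243"

if [ -d /proc ] && command -v ps >/dev/null 2>&1; then
    echo "live, PIDs in /proc not reported by ps:"
    live_check
fi
```

An empty live result is the expected state. A PID that is consistently present in /proc but absent from ps is either hidden by a modified ps binary or by a kernel-level backdoor (section 8), and /proc/PID/exe and /proc/PID/cmdline tell you which program it is.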

3. Check the system daemon process

Check the /etc/inetd.conf file: cat /etc/inetd.conf | grep -v "^#". The output lists the remote services enabled on your machine. Intruders often replace one of the in.xxx server programs directly to create a backdoor, for example replacing in.telnetd with /bin/sh and then restarting the inetd service; after that, every user who telnets to the server obtains a root shell directly, without entering a user name or password.

4. Check the network connection and listening port

Enter netstat -an to list all connections and listening ports on the local machine, and check whether there are any connections or listeners you cannot account for.

Enter netstat -rn to check whether the local routes and gateway settings are correct.

Enter ifconfig -a to view the network interface settings (an interface flagged PROMISC is a sign that a sniffer is running).

5. Check System Logs

Run last | more to view the login history of every user on the local machine. Note that last reads the wtmp file, and that wtmp and the syslog daemon are both prime targets for intruders. Intruders usually stop syslogd, so check with ps whether the syslogd process is running and whether it was started normally at boot (its start time should match the boot time). Because syslogd runs as root, finding it stopped or tampered with indicates a serious intrusion.

On Linux, enter ls -al /var/log

On Solaris, enter ls -al /var/adm

Check whether the integrity and modification times of the wtmp and utmp files, as well as the messages file, are normal. These are precisely the files an intruder edits to erase the traces of an intrusion by hand.

6. Check the core file in the system.

Sending malformed requests to a server's service in order to break into the system is a conventional intrusion method; attacks against RPC services are the typical example. It does not succeed every time: a failed attempt usually crashes the service and leaves a core file in the directory the service was running from. Search the whole system for core files: find / -name core -exec ls -l {} \; and judge from the directory where each core was found, and from the core file itself, whether an attack has taken place.

7. Check System File integrity

There are several ways to check file integrity. The simplest is ls -l filename, comparing the size, permissions and modification time with known-good values; this is simple but practical, although if ls itself has been replaced it becomes unreliable. On Linux you can use rpm -V `rpm -qf filename` and check whether the result is normal to determine whether the file is intact. There are many other ways to use rpm to check file integrity that are not repeated here; man rpm describes the available options.

In UNIX systems,/bin/login is a file often replaced by a backdoor by intruders. Next, let's talk about the login BACKDOOR:

On UNIX, the login program verifies the passwords of telnet users. An attacker who obtains the login source code can modify it so that it checks for a backdoor password before the real one: entering the backdoor password bypasses the password set by the administrator and lets the intruder log straight in to any account, including root. Because the backdoor grants access before the normal login bookkeeping that writes utmp and wtmp takes place, the intruder obtains a shell without the session appearing in those files. Once administrators noticed this backdoor, they used the strings command to search the login binary for text, which in many cases exposed the backdoor password; intruders responded by encrypting or obfuscating the hidden password so that strings no longer reveals it. Therefore many administrators use MD5 checksums to detect such backdoors. The md5sum command is available on UNIX systems: enter md5sum filename to print the MD5 checksum of the file. The options are: md5sum -b reads the file in binary mode; md5sum -c checks files against a list of previously recorded checksums; md5sum -t reads the file in text mode.
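The following script, added here as an example and not part of the original article, shows the checksum workflow end to end: record a baseline with md5sum, and later re-verify with md5sum -c. The "binaries" are constructed text files in a temporary directory so the script runs anywhere; on a real host the arguments would be /bin/login, /bin/ps, /bin/ls, /bin/netstat and the inetd server programs.

```shell
#!/bin/sh
# Added example (not from the original article): record MD5 checksums of the
# binaries that backdoors replace, then re-verify them with md5sum -c.
# Keep the baseline off the host (read-only media or another machine): a
# baseline that an intruder can rewrite proves nothing.

make_baseline() {   # $1 = baseline file to write; remaining args = files to record
    out=$1; shift
    md5sum "$@" > "$out"
}

verify_baseline() { # $1 = baseline file; prints files that no longer match, returns 1 if any
    # md5sum -c prints "path: OK" or "path: FAILED" per recorded file
    # ("FAILED open or read" if the file has been removed).
    failed=$(md5sum -c "$1" 2>/dev/null | grep ': FAILED' | cut -d: -f1)
    [ -z "$failed" ] && return 0
    printf '%s\n' "$failed"
    return 1
}

# Constructed demonstration: two stand-in binaries, one later replaced
TMP=$(mktemp -d)
printf 'genuine login\n' > "$TMP/login"
printf 'genuine su\n'    > "$TMP/su"
make_baseline "$TMP/baseline.md5" "$TMP/login" "$TMP/su"

printf 'trojaned login\n' > "$TMP/login"      # simulate the backdoored login
if verify_baseline "$TMP/baseline.md5"; then
    echo "all files match the baseline"
else
    echo "the file(s) above no longer match the baseline"
fi
rm -rf "$TMP"
```

The check is only as good as the md5sum binary that runs it and the baseline it reads: an intruder who can replace login can replace md5sum too, so run the verification from a copy of md5sum kept with the baseline on trusted media.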

As mentioned above, inetd.conf is the configuration file of the inetd daemon, and its uncommented lines must be compared carefully. For example, if the telnet service is enabled, the file contains a line like: telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd

The program used is /usr/sbin/in.telnetd, so check the integrity of that file. Intruders often create a backdoor for themselves by replacing one of the server programs that inetd is configured to start.
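The following script, added here as an example and not part of the original article, automates the inetd.conf review from section 3 and this section: it lists the enabled services with their server programs and flags entries whose server is a shell or does not live in a system directory. The field layout (service, socket type, protocol, wait flag, user, server path, arguments) is the classic inetd.conf format; the sample configuration and the list of directories treated as trusted are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): audit the uncommented lines
# of an inetd.conf for backdoored service entries.

active_services() {     # print "service server-path" for each enabled entry
    grep -v '^[[:space:]]*#' "${1:-/etc/inetd.conf}" |
      awk 'NF >= 6 { print $1, $6 }'
}

suspicious_services() { # the subset of active entries that deserve a closer look
    active_services "$1" | awk '
        $2 == "internal"           { next }   # echo/discard/chargen are built into inetd
        $2 ~ /\/(sh|bash|csh|ksh)$/ { print $1, $2, "(server is a shell)"; next }
        # Assumed trusted directories; adjust to where your system keeps its in.* daemons
        $2 !~ /^\/(usr\/sbin|usr\/etc|usr\/lib|usr\/local\/sbin)\// {
            print $1, $2, "(unexpected path)"; next }
    '
}

# Constructed sample configuration: one replaced telnetd, one rshd started from /tmp
TMP=$(mktemp -d)
cat > "$TMP/inetd.conf" <<'EOF'
# Internet server configuration (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /bin/sh                 -i
#finger stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
echo    stream  tcp     nowait  root    internal
shell   stream  tcp     nowait  root    /tmp/.x/in.rshd         in.rshd
EOF

echo "enabled services:";   active_services "$TMP/inetd.conf"
echo "suspicious entries:"; suspicious_services "$TMP/inetd.conf"
rm -rf "$TMP"
```

An entry that passes this path check can still be backdoored, as the in.telnetd example above shows; the server path only tells you which file to put through the integrity check.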

On Linux, the /etc/crontab file is also often used by intruders. To check it, cat /etc/crontab and read carefully whether it has been used to run anything the intruder wants; the per-user crontabs under /var/spool/cron deserve the same reading.

Starting a backdoor as a process, without replacing files such as login, has one defect: the process dies when the system reboots, so the intruder has to arrange for the backdoor to be started at boot. Check the files under /etc/rc.d to see whether the system starts a backdoor at boot.

It is also worth mentioning that if a file such as .sh with the attributes "-rwsr-xr-x 1 root root xxx" turns up in some directory, any user who runs it obtains a root shell. This is a setuid file. Run find / -perm -4000 -print to search the whole system for such files, compare the list against the setuid programs a clean installation of your system ships (passwd, su and a few others legitimately need setuid root), and remove the ones that do not belong.
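The following script, added here as an example and not part of the original article, runs the setuid search under a directory and reports every hit that is not on an allowlist. The directory tree and allowlist in the demonstration are constructed; on a real host the search root is / and the allowlist is built from a clean installation of the same release.

```shell
#!/bin/sh
# Added example (not from the original article): find setuid files and report
# the ones not on an allowlist of expected setuid programs. Do not delete hits
# blindly: passwd, su and similar legitimately need setuid root.

find_setuid() {        # $1 = directory to search; prints every regular file with the setuid bit
    find "$1" -type f -perm -4000 -print 2>/dev/null
}

unexpected_setuid() {  # $1 = directory to search, $2 = allowlist file (one full path per line)
    find_setuid "$1" | grep -v -x -F -f "$2"
}

# Constructed demonstration tree: a legitimate passwd, a planted /tmp/.sh, a normal ls
TMP=$(mktemp -d)
mkdir -p "$TMP/usr/bin" "$TMP/tmp"
: > "$TMP/usr/bin/passwd"; : > "$TMP/usr/bin/ls"; : > "$TMP/tmp/.sh"
chmod 4755 "$TMP/usr/bin/passwd" "$TMP/tmp/.sh"   # setuid bit on both
chmod 0755 "$TMP/usr/bin/ls"
printf '%s\n' "$TMP/usr/bin/passwd" > "$TMP/allowlist"   # what a clean install is expected to have

echo "all setuid files:";        find_setuid "$TMP"
echo "setuid files not allowed:"; unexpected_setuid "$TMP" "$TMP/allowlist"
ls -l "$TMP/tmp/.sh"                                       # shows the -rwsr-xr-x attributes
rm -rf "$TMP"
```

Note the leading minus in -perm -4000: without it, find matches only files whose mode is exactly 4000, so a typical -rwsr-xr-x (4755) backdoor would be missed. For the real-host run, pipe the allowlist comparison output through ls -l and check each remaining file against the integrity baseline from section 7.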

8. Check for kernel-level Backdoors

If such a backdoor has been installed on your system, it is usually troublesome. First check the modules loaded into the kernel: use the lsmod command on Linux and the modinfo command on Solaris. Note that a default Linux installation usually has only a few modules loaded, typically the NIC driver, whereas Solaris has many, and there is no alternative to going through them one by one. After the kernel has been hardened, inserting and removing modules should be prohibited to protect the system; otherwise an intruder can still replace system calls. Blocking the create_module() and delete_module() system calls achieves this. The kernel should be hardened as early as possible, before an intruder has the chance to replace system calls. If a backdoor module has been loaded, it will not show in the module list /proc/modules; in that case search the /proc directory carefully and identify hidden or disguised processes from the files you find and from experience. Of course, the directory may not be hidden at all.

Manual intrusion detection is only a stopgap for system security, and it relies mostly on the skill and experience of the administrator. By itself it cannot form a real security system: it is better than nothing and can detect and track some intrusions, but against an intruder who is equally proficient in the system it is hard to find any trace. To build a real security system you must use an intrusion detection system. A good intrusion detection system, combined with the skill and experience of the system administrator, forms a real security system that can effectively identify and cut off intrusions and protect hosts and data.
