1. Accounts check
# less /etc/passwd
# grep :0: /etc/passwd
Look for newly added users, and for any user whose UID or GID is 0.
2. Log check
Note "entered promiscuous mode" messages.
Note error messages.
Note Remote Procedure Call (rpc) programs with a log entry that includes a large number (> 20) of strange characters (such as -^PM).
I have not yet understood the last item and have never encountered it. If any expert understands it, please comment; I would be very grateful :)
3. Processes check
# ps aux
Note processes running as UID 0.
# lsof -p <PID of the suspicious process>
View the ports and files opened by the process.
4. Files check
# find / -uid 0 -perm -4000 -print
# find / -size +10000k -print
# find / -name "..." -print
# find / -name ".." -print
# find / -name "." -print
# find / -name " " -print
Note SUID files owned by root, files larger than 10 MB, and files or directories named "...", "..", "." or a space.
5. Rpm check
# rpm -Va
Output format:
S - file size differs
M - mode differs (permissions)
5 - MD5 sum differs
D - device number mismatch
L - readLink path mismatch
U - user ownership differs
G - group ownership differs
T - modification time differs
Pay attention to /sbin, /bin, /usr/sbin and /usr/bin.
For third-party files, check their MD5 sums at installation time.
The output will contain many "5" (MD5 differs) or "missing" entries. If they are not under the directories listed above, do not pay too much attention to them.
6. Network Check
# ip link | grep PROMISC
A normal NIC should not be in promiscuous mode, except on a security server; otherwise an intruder may have installed a sniffer.
# lsof -i
# netstat -nap
Check for TCP/UDP ports that are not normally open. Heh, you need to keep an eye on these in normal times; it seems I have never done this very well :)
# arp -a
This is even more worrying. Do you really have to document all the MAC addresses beforehand?
7. Schedule check
Check the scheduled jobs of root and of any UID 0 user.
# crontab -u root -l
# cat /etc/crontab
# ls /etc/cron.*
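As an added example (not part of the original checklist), the account, rpm and NIC checks above turned into small reusable functions, run here against constructed sample inputs so the script works offline; on a real host you would point them at /etc/passwd and at saved "rpm -Va" and "ip link" output.

```shell
#!/bin/sh
# Added example: the account, rpm and NIC checks from the checklist,
# applied to constructed sample files (hypothetical data, not real findings).

# Accounts whose UID or GID is 0, other than root itself.
find_uid0_accounts() {            # $1 = passwd-format file
    awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 }' "$1"
}

# rpm -Va lines flagging size (S), mode (M) or MD5 (5) under the four
# system binary directories the checklist singles out; other paths are ignored.
filter_rpm_verify() {             # $1 = saved "rpm -Va" output
    awk '$1 ~ /[SM5]/ && $NF ~ /^\/(usr\/)?s?bin\// { print $NF }' "$1"
}

# Interfaces whose flag list contains PROMISC in "ip link" output.
list_promisc_ifaces() {           # $1 = saved "ip link" output
    awk '$3 ~ /PROMISC/ { sub(/:$/, "", $2); print $2 }' "$1"
}

# Constructed sample data.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
bob:x:1000:1000:Bob:/home/bob:/bin/sh
toor:x:0:0::/root:/bin/sh
svc:x:1001:0::/var/svc:/sbin/nologin
EOF
cat > "$SAMPLE_DIR/rpm_va.txt" <<'EOF'
S.5....T.    /usr/bin/ls
.M.......  c /etc/issue
missing      /usr/share/doc/foo/README
.......T.    /bin/ps
EOF
cat > "$SAMPLE_DIR/ip_link.txt" <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
EOF

echo "UID/GID 0 accounts besides root:"; find_uid0_accounts "$SAMPLE_DIR/passwd"
echo "Flagged system binaries:";          filter_rpm_verify "$SAMPLE_DIR/rpm_va.txt"
echo "Promiscuous interfaces:";           list_promisc_ifaces "$SAMPLE_DIR/ip_link.txt"
```

The sample data yields toor and svc (UID 0 and GID 0 respectively), /usr/bin/ls (size and MD5 changed) and eth0; the /etc/issue mode change and the missing documentation file are deliberately left out as noise.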