Check and Cleanup Methods
Check whether /var/log has been deleted # /usr/bin/stat /var/log
If it has been deleted, the system has been compromised.
View the contents of the /var/log folder # ls -al /var/log
If there are very few files, the system has been compromised.
Monitor for processes named fsyslog and osyslog # /usr/bin/watch -n 1 /bin/ps -AFZ f \| /bin/grep syslog
If a process named fsyslog or osyslog is present, the system has been compromised. Be careful not to confuse it with the legitimate system log daemon.
Check whether the header of /etc/init.d/sshd has been tampered with # /usr/bin/head /etc/init.d/sshd
Check whether the header of /etc/init.d/sendmail has been tampered with # /usr/bin/head /etc/init.d/sendmail
Check whether an external connection on port 82 exists # /bin/netstat -anp | /bin/grep ':82'
If it exists and you did not open it yourself, the system has been compromised.
Check whether there is a connection to 98.126.55.226 # /bin/netstat -anp | /bin/grep '98\.' --color
If it exists, the system has been compromised.
Check for the hidden files .fsyslog and .osyslog in the /etc folder, and for the hidden files .fsyslog and .osyslog in the /lib folder.
/usr/bin/find /etc -name '.*' -printf '%a %c %t %M %g:%u %p\n' | /bin/grep 2012 --color
/usr/bin/find /lib -name '.*' -printf '%a %c %t %M %g:%u %p\n' | /bin/grep 2012 --color
/usr/bin/find /etc -name '*syslog*' -printf '%a %c %t %M %g:%u %p\n' | /bin/grep 2012 --color
/usr/bin/find /lib -name '*syslog*' -printf '%a %c %t %M %g:%u %p\n' | /bin/grep 2012 --color
If a file named fsyslog or osyslog has been modified recently, the system has been compromised.
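The checks above, turned into shell functions so they can be scripted and rehearsed. This is an added example, not code from the original post. The stdin-based checks accept live ps/netstat output or the constructed sample lines defined at the bottom of the block; the directory-based checks take a root path so they can be run against a scratch tree. The indicator values (fsyslog/osyslog, port 82, 98.126.55.226) are the ones the post names; the "fewer than 3 entries" threshold for a sparse /var/log is an assumption chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): the manual checks above as
# shell functions. The stdin-based checks can be fed live `ps -AFZ f` /
# `netstat -anp` output or the constructed samples at the bottom; the
# directory-based checks take a root path so they can run against a test
# tree. Indicator values (fsyslog/osyslog, port 82, 98.126.55.226) are
# the ones the post names; the "fewer than 3 entries" threshold is an
# assumption chosen for illustration.

# Succeeds (exit 0) when a process named fsyslog or osyslog is listed on
# stdin. 'f' or 'o' must directly precede 'syslog', so the legitimate
# syslogd, rsyslogd and syslog-ng daemons do not match.
check_syslog_procs() {
    grep -Eq '(^|[[:space:]/])[fo]syslogd?([[:space:]]|$)'
}

# Succeeds when a socket with local or remote port 82 is listed on stdin.
check_port_82() {
    grep -Eq ':82[[:space:]]'
}

# Succeeds when the address 98.126.55.226 appears on stdin
# (-F: fixed string, so the dots are literal).
check_c2_address() {
    grep -Fq '98.126.55.226'
}

# Fails when <root>/var/log is missing or holds fewer than 3 entries.
check_var_log() {
    dir="${1%/}/var/log"
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir"
        return 1
    fi
    n=$(ls -A "$dir" | wc -l | tr -d ' ')
    if [ "$n" -lt 3 ]; then
        echo "SPARSE: $dir holds only $n entries"
        return 1
    fi
    return 0
}

# Prints every hidden or plain fsyslog/osyslog file under <root>/etc and
# <root>/lib, one path per line.
find_syslog_droppings() {
    root="${1%/}"
    find "$root/etc" "$root/lib" \
        \( -name '.fsyslog*' -o -name '.osyslog*' \
           -o -name 'fsyslog*' -o -name 'osyslog*' \) -print 2>/dev/null
}

# Runs every check against the live host. Run as root so netstat/ss can
# show the owning process (-p); falls back to ss if netstat is absent.
run_live_checks() {
    ps -AFZ f | check_syslog_procs && echo "ALERT: fsyslog/osyslog process running"
    sockets=$(netstat -anp 2>/dev/null || ss -tanp)
    printf '%s\n' "$sockets" | check_port_82 && echo "ALERT: socket on port 82"
    printf '%s\n' "$sockets" | check_c2_address && echo "ALERT: connection to 98.126.55.226"
    check_var_log / || echo "ALERT: /var/log looks tampered with"
    find_syslog_droppings / | while read -r f; do
        echo "ALERT: suspicious file:"
        ls -ld "$f"
    done
}

# Constructed sample data (not captured from a real host), in the column
# layout of `ps -AF` and `netstat -anp`, for exercising the checks offline.
SAMPLE_PS_CLEAN='root 612 1 0 Jan01 ? 00:00:01 /usr/sbin/rsyslogd -n
root 980 1 0 Jan01 ? 00:00:00 /usr/sbin/sshd -D'
SAMPLE_PS_INFECTED="$SAMPLE_PS_CLEAN
root 2048 1 0 Jan01 ? 00:00:09 fsyslog"
SAMPLE_NET_CLEAN='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 980/sshd'
SAMPLE_NET_INFECTED="$SAMPLE_NET_CLEAN
tcp 0 0 10.0.0.5:41122 98.126.55.226:82 ESTABLISHED 2048/fsyslog"
```

Source the file and call `run_live_checks` on the host under investigation, or pipe saved ps/netstat output into the individual checks when working from a captured triage bundle. The process pattern is anchored on both sides on purpose: the post warns against confusing the malicious name with the real log daemon, and a loose `grep syslog` would flag rsyslogd on every host.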
Recover System Logs
View the system log folder # ls -al /var/log
Create the system log folder # /bin/mkdir /var/log
Only needed if it was deleted.
View the system log service # /usr/bin/find /etc/init.d/ -name '*log*'
You need to identify the log service your server actually uses.
Stop the system log service # /sbin/service syslog stop
The log service on your server may have a different name.
Start the system log service # /sbin/service syslog start
The log service on your server may have a different name.
Create the failed-login log file # /bin/touch /var/log/btmp
Set the owner and group of the failed-login log file # /bin/chown root:utmp /var/log/btmp
Set the permissions of the failed-login log file # /bin/chmod 600 /var/log/btmp
Create the login log file # /bin/touch /var/log/wtmp
Set the owner and group of the login log file # /bin/chown root:utmp /var/log/wtmp
Set the permissions of the login log file # /bin/chmod 664 /var/log/wtmp
Restore SELinux settings
View the SELinux status # /usr/sbin/sestatus -v
Check the security context of the /var/log folder (dry run, -n) # /sbin/restorecon -rn -vv /var/log
Restore the security context of the /var/log folder # /sbin/restorecon -r -vv /var/log
Check the security context of the /etc folder (dry run, -n) # /sbin/restorecon -rn -vv /etc 2>/dev/null
Restore the security context of the /etc folder # /sbin/restorecon -r -vv /etc 2>/dev/null
Check the security context of the /lib folder (dry run, -n) # /sbin/restorecon -rn -vv /lib 2>/dev/null
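The log recovery and relabel steps above as two functions, one that recreates the files and one that verifies the result. This is an added example, not code from the original post. Both take a root directory so the procedure can be rehearsed in a scratch tree and then run on the live system with `/`. The file names, owners and modes (btmp root:utmp 0600, wtmp root:utmp 0664) are the ones the post gives; the guard that runs restorecon only on the live root and only when the tool is present is an assumption added here.

```shell
#!/bin/sh
# Added example (not from the original post): the log-recovery steps above
# as functions that take a root directory, so they can be rehearsed in a
# scratch tree before being run on the live system with root "/".
# File names, owners and modes (btmp root:utmp 0600, wtmp root:utmp 0664)
# are the ones the post gives. The SELinux relabel is attempted only on the
# live root and only where restorecon exists; that guard is an assumption
# added here.

# Recreate <root>/var/log and the login accounting files with the expected
# ownership and modes. chown needs root and a utmp group; if either is
# missing the function warns and continues.
restore_login_logs() {
    root="${1%/}"
    logdir="$root/var/log"
    [ -d "$logdir" ] || mkdir -p "$logdir"
    for spec in btmp:600 wtmp:664; do
        name=${spec%%:*}
        mode=${spec##*:}
        f="$logdir/$name"
        [ -e "$f" ] || touch "$f"
        chown root:utmp "$f" 2>/dev/null || echo "warning: could not chown $f to root:utmp"
        chmod "$mode" "$f"
    done
    # Relabel the live /var/log only; a scratch tree has nothing to relabel.
    if [ -z "$root" ] && command -v restorecon >/dev/null 2>&1; then
        restorecon -r -vv "$logdir"
    fi
}

# Check that btmp and wtmp exist with the expected permission bits, reading
# the mode string from `ls -ld` (portable, unlike stat's format flags).
# Returns 0 when both are correct, 1 otherwise, reporting each problem.
verify_login_logs() {
    root="${1%/}"
    status=0
    for spec in btmp:-rw------- wtmp:-rw-rw-r--; do
        name=${spec%%:*}
        want=${spec#*:}
        f="$root/var/log/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING: $f"
            status=1
            continue
        fi
        got=$(ls -ld "$f" | cut -c1-10)
        if [ "$got" != "$want" ]; then
            echo "WRONG MODE: $f is $got, want $want"
            status=1
        fi
    done
    return $status
}
```

Run `verify_login_logs /` first to see what is actually wrong, then `restore_login_logs /` as root with the log service stopped, as the post's sequence requires, and verify again before starting the service. The verification step matters because a btmp that ends up world-readable exposes failed-login attempts (which often contain mistyped passwords) to every local user.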
Author Hu jinghui