Each process has a PID, and each PID has a corresponding directory under /proc; this is how the Linux kernel (currently 2.6) implements it.
Ordinary backdoor programs cannot be seen with ps and other process-viewing tools, because after an intrusion these common tools, and even the system libraries, have usually been tampered with (large numbers of rootkits circulate on the Internet). If it is a kernel-level Trojan, this method does not work.
Because modifying the system kernel is relatively complex (if the kernel has been modified, or it is a kernel-level Trojan, it is much harder to find), traces of the Trojan can basically still be found in /proc.
Ideas:
A process ID that exists in /proc but is not visible in ps (i.e. hidden) must indicate a problem.
The script is as follows:
#!/bin/bash
# PIDs that ps reports (first column of ps -A; the "PID" header line is harmless)
str_pids="`ps -A | awk '{print $1}'`";
# every numeric directory under /proc is a PID the kernel knows about
for i in /proc/[[:digit:]]*;
do
  # -x matches the whole line, so PID 1 is not "found" just because PID 10 is listed
  if echo "$str_pids" | grep -qxs `basename "$i"`;
  then
    :
  else
    echo "Rootkit's PID: $(basename "$i")";
  fi
done
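As an added example (not code from the original post), here is the same /proc-versus-ps comparison written as shell functions, so the comparison logic can be exercised on constructed PID lists as well as run against the live system. The function names hidden_pids, proc_pids_live, ps_pids_live and check_live are my own, and it assumes a ps that accepts -o pid= (procps and POSIX ps do).

```bash
#!/bin/bash
# Added example: find PIDs that /proc exposes but ps does not report.
# Function names are made up for this example.

# hidden_pids PROC_PIDS PS_PIDS
#   Both arguments are whitespace-separated PID lists. Prints, one per line,
#   every PID in PROC_PIDS that is absent from PS_PIDS. grep -x matches the
#   whole line, so PID 1 is not treated as "visible" just because PID 10 is.
hidden_pids() {
    proc_list="$1"
    ps_list="$2"
    for pid in $proc_list; do
        if ! printf '%s\n' $ps_list | grep -qx "$pid"; then
            printf '%s\n' "$pid"
        fi
    done
}

# proc_pids_live: numeric directory names under /proc on this machine.
proc_pids_live() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
    done
}

# ps_pids_live: PIDs reported by ps (-o pid= prints only the PID column, no header).
ps_pids_live() {
    ps -A -o pid=
}

# check_live: compare the two views of the running system. ps is read first,
# as in the original script; a process that starts between the two snapshots
# therefore shows up as a false positive, so rerun the check before believing
# a single hit. A PID that is flagged on every run is the suspicious one.
check_live() {
    ps_now="$(ps_pids_live)"
    proc_now="$(proc_pids_live)"
    hidden_pids "$proc_now" "$ps_now"
}

# Constructed sample: PID 123 is present in /proc but missing from ps.
SAMPLE_PROC="1 10 123 4567"
SAMPLE_PS="1 10 4567"

if [ "${1:-}" = "--live" ]; then
    check_live
else
    hidden_pids "$SAMPLE_PROC" "$SAMPLE_PS"    # prints: 123
fi
```

Run it with --live to check the current machine; without arguments it runs on the constructed sample. Keeping the comparison in a function that takes both lists as arguments is what makes the exact-match behaviour testable without a rootkit present.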
Discussion:
Whether or not a (Linux) system has been compromised, how hard it is to tell depends largely on how thoroughly the intruder "cleaned up". For an intrusion where the attacker has done their homework, tracking it down is a delicate and painful job, usually done with a professional third-party tool (there are open-source ones, such as Tripwire and AIDE).
But professional tools are relatively troublesome to deploy and use, and not every administrator can use them skillfully.
In fact, the Linux system itself already provides a "checksum" mechanism for checking that the system has not been modified. For example, the RPM package management system provides the -V (verify) option.
It can verify all the packages on the system and output the files that have been modified since installation, together with related information. But the RPM system itself may also have been corrupted, for example by being modified.
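As an added example (not from the original post), here is a small filter for the output of RPM's verify option that keeps only the entries an intrusion check cares about: files whose size or digest changed (config files excluded, since administrators edit those legitimately) and files that have gone missing. The function name suspicious_rpm_lines and the sample output lines are my own construction; the line format it parses is the one rpm -V prints.

```bash
#!/bin/bash
# Added example: filter rpm -V output down to the entries that matter for an
# intrusion check. Function and variable names are made up for this example.
#
# rpm -V prints one line per file that differs from the package database:
#   9 flag characters (S size, M mode, 5 digest, D device, L link, U user,
#   G group, T mtime, P capabilities; "." = unchanged), an optional attribute
#   letter (c = config file, d = documentation, ...), then the path. A file
#   that has disappeared is printed as "missing <path>".

# suspicious_rpm_lines: reads rpm -V output on stdin and prints the path of
# every file whose size or digest changed (ignoring config files) plus every
# missing file. A changed mtime alone is not reported.
suspicious_rpm_lines() {
    awk '
        $1 == "missing" { print $NF; next }
        NF >= 2 {
            flags = $1
            path  = $NF
            attr  = (NF == 3) ? $2 : ""
            if (attr != "c" && (index(flags, "5") || index(flags, "S")))
                print path
        }
    '
}

# Constructed sample output, not taken from a real system: a changed ps
# binary and a vanished netstat are what a tampered system could look like;
# an edited sshd_config and a touched-but-unchanged libc are normal noise.
SAMPLE_RPM_V='S.5....T.    /bin/ps
.......T.    /usr/lib64/libc.so.6
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/bin/netstat'

# On a live system: rpm -Va | suspicious_rpm_lines
# Here the constructed sample is used so the script runs offline.
printf '%s\n' "$SAMPLE_RPM_V" | suspicious_rpm_lines
# prints: /bin/ps
#         /usr/bin/netstat
```

As the text above notes, this only means anything if the rpm binary and its database are themselves intact; an rpm that has been replaced along with ps will happily report nothing, so the result is a first screen, not a verdict.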