Checking user logon records
more /var/log/secure
who /var/log/wtmp
Check system daemons
Check the /etc/inetd.conf file: enter cat /etc/inetd.conf | grep -v "^#"; the output is the list of remote services your machine offers.
A common intruder trick is to create a backdoor by directly replacing one of the in.xxx programs, for example replacing in.telnetd with /bin/sh and then restarting the inetd service; after that, anyone who telnets to the server gets a root shell directly, without entering a username or password.
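As an added example (not from the original article), the check below lists the active inetd services and flags any whose server program is a copy of a shell, which is the backdoor just described. The inetd.conf, the daemon directory and the fake daemons are constructed so it runs offline; on a live system point it at /etc/inetd.conf and /usr/sbin, and note that resolving the tcpd wrapper to a daemon in that directory is an assumption.

```shell
#!/bin/sh
# Constructed stand-ins for /usr/sbin and /etc/inetd.conf (temporary files).
BIN=$(mktemp -d)
cp /bin/sh "$BIN/in.telnetd"                    # the replaced daemon: now a copy of a shell
printf 'placeholder daemon\n' > "$BIN/in.ftpd"  # a daemon that is not a shell
CONF=$(mktemp)
cat > "$CONF" <<EOF
# constructed sample inetd.conf
ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
#shell stream tcp nowait root /usr/sbin/tcpd in.rshd
EOF

# Active services: every line that is not a comment or blank (the page's grep -v "^#").
active_services() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# Print "<service> <program>" per active service. Field 6 is the server program;
# when it is the tcpd wrapper, the real daemon is field 7, looked up in $2
# (assumption: tcpd runs daemons from its own directory, normally /usr/sbin).
service_programs() {
    active_services "$1" | awk -v bindir="$2" '{
        prog = $6
        if (prog ~ /\/tcpd$/ && NF >= 7)
            prog = (index($7, "/") ? $7 : bindir "/" $7)
        print $1, prog
    }'
}

# Flag services whose program is byte-identical to a shell interpreter
# (a copied or symlinked /bin/sh); prints one service name per match.
flag_shell_services() {
    service_programs "$1" "$2" | while read -r svc prog; do
        for sh in /bin/sh /bin/bash /bin/dash /bin/ksh; do
            if [ -f "$sh" ] && cmp -s "$prog" "$sh" 2>/dev/null; then
                echo "$svc"
                break
            fi
        done
    done
}

flag_shell_services "$CONF" "$BIN"    # prints: telnet
```

On a packaged system, also verify the daemons against the package database (for example rpm -V on RPM-based distributions), since a replaced binary need not be an exact copy of a shell.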
Check network connections and listening ports
Enter netstat -an to list all connections and listening ports on this machine and look for any illegitimate connections.
Enter netstat -rn to check that the routing table and gateway settings are correct for this machine.
Enter ifconfig -a to view the network interface settings.
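An added example (not part of the original article) of turning the netstat -an step into a repeatable check: listening TCP ports are compared against a baseline recorded while the host was known-good, and established sessions are listed with their remote peer. The netstat output and the baseline are constructed here; on a live host feed the real output as shown in the comment.

```shell
#!/bin/sh
# Constructed sample of "netstat -an" output (Linux layout); on a live host use
# the real output instead:  unexpected_listeners "$(netstat -an)" "$EXPECTED_TCP"
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Baseline of TCP ports this host is supposed to listen on (assumption: ssh,
# local smtp, http). Record this while the host is known-good.
EXPECTED_TCP="22 25 80"

# Ports of all TCP sockets in LISTEN state, one per line (works for tcp and tcp6).
listening_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $NF == "LISTEN" { sub(/.*:/, "", $4); print $4 }'
}

# Listening ports that are not in the baseline list ($2, space-separated).
unexpected_listeners() {
    for port in $(listening_ports "$1"); do
        case " $2 " in
            *" $port "*) ;;            # in the baseline
            *) echo "$port" ;;         # new listener: find the owning process
        esac
    done
}

# Remote peers of established connections, for spotting unknown sessions.
established_peers() {
    printf '%s\n' "$1" | awk '$NF == "ESTABLISHED" { print $5 }'
}

unexpected_listeners "$NETSTAT_SAMPLE" "$EXPECTED_TCP"   # prints: 31337
```

A rootkit can replace netstat to hide sockets, so on a suspect host cross-check with ss -tlnp or lsof -i run from known-good binaries.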
Check system logs
The command last | more shows the history of all users who have logged on to this computer. But the last command relies on the syslog process, which has become an important target for intruders. Intruders usually stop syslog on the system, so look at the system's syslog process and determine whether syslog started normally the last time; because syslog runs as root, finding that syslog has been tampered with indicates a significant intrusion.
Enter ls -al /var/log under Linux
Enter ls -al /var/adm under Solaris
Check the integrity and modification times of wtmp, utmp and the messages file and make sure they look normal; truncating these files by hand is one way of erasing traces.
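An added example (not from the original article) of checking the log files and the syslog daemon as described above: a log file that is missing, empty, or has not been written for longer than expected points to logging having been stopped or traces having been wiped. The log directory and its files are constructed here so the check runs offline; the daemon names in syslog_running are assumptions covering the common syslog implementations.

```shell
#!/bin/sh
# Constructed stand-in for /var/log so the check runs offline (temporary dir).
LOGDIR=$(mktemp -d)
printf 'Jan  1 00:00:01 host sshd[1]: Accepted password for root\n' > "$LOGDIR/messages"
printf 'Jan  1 00:00:02 host sshd[1]: session opened for user root\n' > "$LOGDIR/secure"
: > "$LOGDIR/wtmp"                          # wtmp truncated to zero bytes (traces wiped)
touch -t 202001010000 "$LOGDIR/secure"      # secure not written for years (logging stopped)
# utmp is deliberately absent

# Report log files under $1 that are missing, empty, or not modified within $2 days.
# On a live system call it as: check_log_files /var/log 1
check_log_files() {
    for name in wtmp utmp messages secure; do
        f="$1/$name"
        if [ ! -e "$f" ]; then echo "$name: missing"; continue; fi
        if [ ! -s "$f" ]; then echo "$name: empty"; continue; fi
        if [ -n "$(find "$f" -mtime "+$2")" ]; then echo "$name: stale"; fi
    done
}

# Is a syslog daemon running? Names cover sysklogd, rsyslog, syslog-ng and journald.
syslog_running() {
    ps -e -o comm= | grep -Eq '^(syslogd|rsyslogd|syslog-ng|systemd-journal)$'
}

check_log_files "$LOGDIR" 1     # prints: wtmp: empty / utmp: missing / secure: stale
syslog_running || echo "no syslog daemon running: logging may have been stopped"
```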
What was done on the system?
Enter history under the root account
This shows the user's command history, by default the last 1000 commands.
1. Unplug the network cable
This is the safest way to break the connection; besides protecting yourself, it may also protect other hosts on the same network segment.
2. Analyze the login files and look for the likely way in
After an intrusion it is not enough to simply reinstall; you also need to analyze why and how the host was broken into. Finding the weak point can make your host more secure later and also improves your own Linux skills. If you cannot find out how they got in, the same thing can happen again next time. In general:
(1) Analyze the login files: by analyzing the main login files you can find the other side's IP address and the vulnerability they may have used. The files usually analyzed are /var/log/messages and /var/log/secure. You can also use the last command to find out who logged on most recently.
(2) Check the services the host has open: many Linux administrators do not know how many services are open on their host, and each service may have vulnerabilities, or may be an enhanced or experimental feature that should not be started at all. Identify the services on the system and check each one for vulnerabilities or configuration errors.
3. Back up important data
The important data here is not the data that came with Linux itself but things like /etc/passwd, /etc/shadow, the web page data and the user files under /home; the data in the /etc/*, /usr/ and /var directories does not need to be backed up.
4. Reinstall the system
It is important to choose the right packages and not to install everything.
5. Patch package vulnerabilities
After installation, update the system packages immediately, then set up the firewall, shut down unnecessary services, and only then plug the network cable back in.
6. Turn off or uninstall unneeded services
The fewer services that are started, the smaller the chance of an intrusion.
7. Restore the data and the service settings
Copy the backed-up data back onto the system and re-enable the services you provide.
8. Reconnect the host to the network
Finding intruders' webshell backdoors on a CentOS Linux server
Anyone whose server has had malware planted on it or has been hacked should know that a hacker's first goal after breaking into a web server is to upload a webshell; with a webshell the hacker can do much more. After a site is compromised many people are at a loss and do not know where to look, but it is actually not complicated. Here I will take a PHP environment as the example and give a few tips that I hope will help.
First the idea: if a webshell was uploaded to the server, we can certainly find traces of it, such as the PHP file timestamps. If we can find every PHP file changed after the last update of the site code, the following method works.
Assuming the last update was 10 days ago, we can look for PHP files created within the last 10 days:
find /var/webroot -name "*.php" -mtime -10
Command description:
/var/webroot is the site root directory
-name "*.php" finds all PHP files
-mtime -10 means modified within the last 10 days
If the time of the file change is uncertain, we can identify the files by searching for keywords. To do this accurately you need to be familiar with the keywords webshells commonly use. I list some common ones here; you can also collect some webshells from the net and summarize your own keywords. In parentheses are some of the keywords I have summarized (eval, shell_exec, passthru, popen, system). The lookup method is as follows:
find /var/webroot -name "*.php" | xargs grep "eval" | more
find /var/webroot -name "*.php" | xargs grep "shell_exec" | more
find /var/webroot -name "*.php" | xargs grep "passthru" | more
Of course, you can also write the results to a file and download it for analysis at leisure:
find /home -name "*.php" | xargs grep "fsockopen" > test.log
I won't list more here; if you have your own keyword summary, just substitute the keyword. Of course, not every file found is a webshell; you need to judge for yourself, and the method is simple: open the file directly in a browser, or compare it with some webshells you have collected. Once you have seen enough of them, you can basically tell at a glance whether a file is a webshell or not.
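The time-based and keyword-based searches above combined into one reusable sweep, as an added example that is not part of the original post. The web root, the two sample files and the keyword list are constructed here; the list extends the author's keywords with exec, assert and base64_decode, matches case-insensitively because PHP function names are, and only matches a keyword followed by "(" so that words like retrieval or system_name are not reported.

```shell
#!/bin/sh
# Constructed sample web root (temporary directory) so the sweep runs offline.
WEBROOT=$(mktemp -d)
mkdir -p "$WEBROOT/inc"
printf '<?php\n// benign: contains the word retrieval, not a call to eval\n$r = retrieval($x);\n' \
    > "$WEBROOT/index.php"
printf '<?php\n// constructed suspicious sample: a dangerous call, not a working shell\n$o = shell_exec($unset);\n' \
    > "$WEBROOT/inc/cache.php"
touch -t 202001010000 "$WEBROOT/index.php"   # the legitimate file predates the last site update

# Function names webshells commonly call: the page's list plus exec, assert and
# base64_decode. Matched case-insensitively and only when followed by "(", and
# only when not preceded by an identifier character, so system_name or retrieval
# do not match.
KEYWORDS='eval|shell_exec|passthru|popen|system|exec|assert|base64_decode'

# PHP files under $1 modified within the last $2 days (the page's -mtime step).
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2"
}

# Every suspicious call under $1 as file:line:text (the page's find | xargs grep step).
suspicious_calls() {
    find "$1" -type f -name '*.php' -print0 \
        | xargs -0 grep -HnEi "(^|[^[:alnum:]_])($KEYWORDS)[[:space:]]*\(" 2>/dev/null
}

# Deduplicated list of files flagged by suspicious_calls, for manual review.
suspicious_files() {
    suspicious_calls "$1" | cut -d: -f1 | sort -u
}

recent_php "$WEBROOT" 10          # prints the .../inc/cache.php path
suspicious_files "$WEBROOT"       # prints the same path; review each hit by hand
```

Every hit still needs the manual judgement the text describes; legitimate frameworks also call these functions, so compare each flagged file against the deployed source or a known-good copy.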