Discovering and tracing Linux intrusions: version 1 (if this version feels too vague, the next version will cover specific points)

Source: Internet
Author: User

Speaking of Linux intrusion discovery, Linux logs come to mind first. Logs really can reveal many problems, including whether a Linux host has been compromised and how. But what if logging was never turned on, or the logs were deleted? The usual methods only cover the usual events; the stubborn cases call for unconventional remedies (clever tricks).
It is like anti-virus software: a new virus always survives for a while before it is caught, and in the same way a new vulnerability is very useful for a period of time. Once the method is published, the secret is no longer a secret, and the method remains only a method, a theoretical study put down in writing. This article discusses, from the point of view of method and approach, how to discover a Linux intrusion after the fact, mainly through the unity and difference of each attribute.
A normal system that has not changed is still normal; change is therefore the foundation of discovering an intrusion. The changes in the system are discussed from the aspects below; where there are mistakes, please point them out.
In general, the following changes can be used to determine whether a Linux system has been compromised:

    • File changes
    • Suspicious processes
    • Traffic changes
    • Changes in business content

File changes. If a system is compromised and the attacker leaves a backdoor, files inevitably change. Some will say that recording file hashes lets you find the changed files. There are problems with that: not every system administrator records the hashes in advance, and after a system update some key system files legitimately change as well, which produces false positives. Relying on a hash, especially MD5, for file checking also carries its own risk: Professor Wang Xiaoyun showed in 2006 how to break MD5 by collision, which simply put means two different files can be made to have the same hash. A changed hash only tells you that the file's content changed, so what other attributes does a file have besides its hash? What if it is a directory? Clearly the hash alone is not enough here. We can list the various attributes and observe them from the following aspects.

    • Unity: whether the file is the same as on a normal system, and whether it forms a consistent whole with the surrounding files. After checking for unity there are two possibilities: 1. the system was compromised and the attacker made every attribute of the file look consistent, a case that always has a flaw somewhere; 2. the system is normal.
    • Difference: the file's attributes differ from those of the surrounding files, and the difference is where the problem lies.

Suspicious processes. If a system is compromised and the attacker adds a backdoor, the system's processes change. Rootkits are not discussed here; with a rootkit it is hard to say, because it can hide a lot of key information. On Linux we always look for abnormal processes with ps and then examine them, but which process is the abnormal one? How do you tell them apart? Textbooks may stop at "the abnormal process", as if judging the anomaly depended on experience. Abnormal processes can also be distinguished methodically:

    • First, from the file changes above: go through the selected files, including the suspicious ones, and remember the attributes of the abnormal file, loading that attribute information into your head so that you can respond quickly when you meet a similar situation. Processes and files have similar attributes, so comparing attributes finds the abnormal process.
    • Second, compare attributes between processes to find their unity and difference.
    • Third, use anti-virus software.

Traffic changes, again judged from unity and difference. Traffic is concretely reflected in the five-tuple of a network connection; analysing the unity and difference of the five-tuple's attributes finds the anomaly you are looking for. Here are two examples:

    • First, if the vast majority of connections come from domestic addresses, then a connection from abroad is very suspicious.
    • Second, whether the process that initiated the connection is on the exception list.
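The "unity and difference" comparison that the file, process and traffic sections all rely on can be written down as one general check: for each attribute, the majority value across a group of records is the unity, and any record that deviates from it is the difference. The block below is an added example, not code from the original article; it applies the same check to constructed file attributes and to constructed connection five-tuples (extended with the initiating process and the remote country), and adds the article's second traffic check against a hypothetical process allowlist.

```python
"""Added example, not from the original article: a 'unity and difference' check.
For each attribute, the majority value across a group of records is the unity;
a record whose value deviates from it is the difference the article points at.
Every record below is constructed sample data, not output from a real host."""
from collections import Counter

def majority(values):
    """Return the most common value and its share of the group."""
    value, n = Counter(values).most_common(1)[0]
    return value, n / len(values)

def find_differences(records, fields, min_share=0.75):
    """Return (record name, field, majority value, deviating value) for every
    attribute that deviates from a clear majority (share >= min_share)."""
    hits = []
    for field in fields:
        value, share = majority([r[field] for r in records])
        if share < min_share:   # no clear unity, so nothing to compare against
            continue
        hits += [(r["name"], field, value, r[field]) for r in records if r[field] != value]
    return hits

# Constructed stat-style attributes of files in one system directory.
FILES = [
    {"name": "ls",  "owner": "root", "mode": "-rwxr-xr-x", "ctime": "2023-02-01"},
    {"name": "cp",  "owner": "root", "mode": "-rwxr-xr-x", "ctime": "2023-02-01"},
    {"name": "ps",  "owner": "root", "mode": "-rwxr-xr-x", "ctime": "2024-11-17"},
    {"name": "cat", "owner": "root", "mode": "-rwxr-xr-x", "ctime": "2023-02-01"},
    {"name": "ss",  "owner": "root", "mode": "-rwxrwxrwx", "ctime": "2023-02-01"},
]

# Constructed five-tuples, each extended with the initiating process and the
# country of the remote address (the article's two connection examples).
CONNS = [
    {"name": "c1", "proc": "nginx", "src": "10.0.0.5:443", "dst": "203.0.113.7:51000", "country": "CN"},
    {"name": "c2", "proc": "nginx", "src": "10.0.0.5:443", "dst": "203.0.113.9:51310", "country": "CN"},
    {"name": "c3", "proc": "nginx", "src": "10.0.0.5:443", "dst": "203.0.113.12:4412", "country": "CN"},
    {"name": "c4", "proc": "nginx", "src": "10.0.0.5:443", "dst": "203.0.113.20:6060", "country": "CN"},
    {"name": "c5", "proc": "kworkerd", "src": "10.0.0.5:43210", "dst": "198.51.100.4:4444", "country": "US"},
]
KNOWN_PROCS = {"nginx", "sshd"}   # hypothetical allowlist of processes that may connect out

def suspicious_connections(conns, known=KNOWN_PROCS):
    """Combine the two checks: attribute difference plus 'process not on the list'."""
    flagged = {name for name, *_ in find_differences(conns, ["country", "proc"])}
    flagged |= {c["name"] for c in conns if c["proc"] not in known}
    return sorted(flagged)

if __name__ == "__main__":
    print(find_differences(FILES, ["owner", "mode", "ctime"]))   # ss (mode), ps (ctime)
    print(suspicious_connections(CONNS))                          # ['c5']
```

On a real host the same records would come from stat over a directory and from ss or netstat plus a GeoIP lookup; the comparison itself does not change.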

Business content changes, such as website tampering, planted malicious content, or illegal advertising.

End

