A rootkit is the most common type of Trojan backdoor on the Linux platform. It works mainly by replacing system files to break in and stay hidden, which makes it more dangerous and more covert than an ordinary Trojan backdoor; ordinary detection tools and inspection methods have difficulty finding it.
Rootkits are generally divided into file-level and kernel-level:
A file-level rootkit usually enters the system through a program vulnerability or a system vulnerability and hides itself by modifying the system's important files.
A kernel-level rootkit is a more advanced form of intrusion than a file-level rootkit: it gives the attacker full control of the underlying system. The attacker can modify the system kernel to intercept the commands a program submits to the kernel, redirect them to a program of the intruder's choosing, and run that program. For this reason, system images should be downloaded only from the official website or another highly trusted site.
Rootkit backdoor detection tool: rkhunter
The main function of rkhunter is detecting rootkits. It performs the following checks:
MD5 checks, to detect whether files have been changed
Detection of binaries and system tool files used by rootkits
Detection of Trojan horse program signatures
Detection of abnormal file attributes on common programs
System-related tests
Detection of hidden files
Detection of suspicious loadable kernel modules (LKM)
Detection of the listening ports the system has opened
rkhunter download: wget https://sourceforge.net/projects/rkhunter/files/latest/download --no-check-certificate
Installation:
tar xf rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2
./installer.sh --install
Use: rkhunter -c
Common options: --check run the checks
--skip-keypress: normally rkhunter stops after each check and waits for you to press Enter before continuing. With this option the run proceeds automatically and does not require you to press the Enter key.
--cronjob: run as a scheduled (cron) job
The following sections are monitored:
Checking system Commands ...
Checking for rootkits ...
Checking the network ...
Checking The Local host ...
Checking Application Versions ...
Finally, the monitoring process and its report are written to the /var/log/rkhunter.log file.
You can also set up a scheduled task so that the check runs automatically:
crontab -e
1 * * * * /usr/local/bin/rkhunter --check --cronjob
Actions after the server has been attacked:
Usually the first sign is a bandwidth anomaly. If a server with abnormally high traffic is disconnected from the network and the bandwidth returns to normal, that indicates the server was compromised.
1. Disconnect the compromised server from the network
If rkhunter is already installed, look at its log first, or run it and look at the results.
1. Find the source of the intrusion;
Check the system log /var/log/messages and the login log /var/log/secure
dmesg command:
The dmesg command examines and controls the kernel ring buffer. The kernel stores boot messages in the ring buffer; if you were too late to see them at boot, you can use dmesg to view them. Boot messages are also saved in the /var/log/dmesg file.
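One way to go through /var/log/secure as the step above describes, as an added example that is not part of the original post: the function below tallies sshd failures and successes per source address, so a source that logged in after a burst of failed attempts stands out. The sample log lines are constructed for the example (documentation address ranges, not real hosts).

```shell
#!/bin/sh
# Added example (not from the original post): summarise sshd authentication
# events from /var/log/secure (or a copy of it) per source address.
# usage: login_sources /var/log/secure   (reads stdin when no file is given)
login_sources() {
    awk '
        /sshd\[[0-9]+\]: Accepted / { for (i = 1; i <= NF; i++) if ($i == "from") ok[$(i+1)]++ }
        /sshd\[[0-9]+\]: Failed /   { for (i = 1; i <= NF; i++) if ($i == "from") bad[$(i+1)]++ }
        END {
            for (ip in ok)  seen[ip] = 1
            for (ip in bad) seen[ip] = 1
            for (ip in seen)
                printf "%s failed=%d accepted=%d\n", ip, bad[ip] + 0, ok[ip] + 0
        }' ${1:+"$1"} | sort
}

# Constructed sample lines in the sshd format found in /var/log/secure.
sample_secure_log() {
    cat <<'EOF'
Jan 10 03:12:40 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 40112 ssh2
Jan 10 03:12:43 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 40113 ssh2
Jan 10 03:12:47 web1 sshd[2215]: Accepted password for root from 203.0.113.5 port 40120 ssh2
Jan 10 08:01:02 web1 sshd[2300]: Accepted publickey for deploy from 192.0.2.10 port 51002 ssh2
Jan 10 09:00:00 web1 sshd[2310]: Failed password for invalid user admin from 198.51.100.7 port 3322 ssh2
EOF
}

# When run directly, summarise the sample; on a real host run
# login_sources /var/log/secure instead.
sample_secure_log | login_sources
```

In the sample, 203.0.113.5 shows two failures followed by an accepted root login, which is the pattern worth chasing first.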
1.1 View open ports: netstat -ltunp
1.2 View system load: the top command. The TIME+ column contains the cumulative CPU time the program has run.
1.3 View processes: ps -ef
System (kernel) processes are shown enclosed in []. An installed program shows the path it was started from. Pay particular attention to hidden files, whose names begin with "."; if a process path points into such a location, list the hidden files with ls -a.
1.4 View /proc
The /proc directory on a Linux system is a file system, the proc file system. Unlike other common file systems, /proc is a pseudo-file system (also known as a virtual file system) that holds a series of special files describing the currently running kernel. Users can use it to view information about the system hardware and the currently running processes, and can even change the running state of the kernel by changing some of these files.
To find the PID you need, use the command: # pidof <service name>
or use ps -ef to view the PID: # ps -ef | awk '{print $2,$8}' or # ps -ef | awk '{print $2 "\t" $8}'
# ll /proc/<pid>/exe
exe: a symbolic link to the executable file (full path) that started the current process; a copy of the current process can be started via /proc/n/exe
# ll /proc/<pid>/fd
fd: a directory containing one entry per file descriptor opened by the current process; each entry is a symbolic link to the actual file
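The exe link check from 1.4 and the hidden-"." path advice from 1.3, automated across every PID as an added example that is not part of the original post: the function reads /proc/<pid>/exe for each process and flags targets that are deleted, live under a temp directory, or sit inside a hidden directory. The proc root is a parameter (an assumption for this example) so the logic can be tried against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the original post): walk a /proc tree and flag
# processes whose executable link points somewhere a legitimate service
# rarely lives. First argument: proc root (default /proc).
suspicious_exes() {
    proc_root="${1:-/proc}"
    for d in "$proc_root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        # Kernel threads (shown in [] by ps) have no exe target; readlink
        # also fails on other users' processes unless run as root.
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        case "$exe" in
            *"(deleted)"*|/tmp/*|/var/tmp/*|/dev/shm/*|*/.*)
                # binary removed after start, temp dir, or hidden "." dir
                printf '%s %s\n' "$pid" "$exe" ;;
        esac
    done
    return 0
}

# When run directly, scan the live system (run as root for full coverage).
suspicious_exes "${1:-/proc}"
```

A flagged PID is where to start with ls -a on the directory and ll /proc/<pid>/fd, not proof of compromise by itself.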
1.5 View the history command log
more .bash_history
2. If the service cannot be stopped, first find the user account involved and lock that user.
3. Analyze the cause and the path of the intrusion
4. Back up user data (note: check first whether a hidden attack source is included in it)
5. Reinstall the system
6. Patch the vulnerability
7. Restore the data and reconnect to the network.
This article is from the "Shong Linux Tour" blog; please keep this source: http://12042068.blog.51cto.com/12032068/1897576
Necessary work after a Linux intrusion: rkhunter, a monitoring and analysis tool for rootkits