Determining whether a UNIX system has been compromised takes real skill, but some of the most effective methods are also very simple. The easiest approach is to go through the system log, the process table and the file system looking for "strange" messages, processes or files. Indicators worth looking for include:

Two running inetd processes (there should be only one); an ssh process running with root as its effective UID but a non-root real UID; a core file from an RPC service left under /; any new setuid or setgid program; a file whose size grows rapidly; df and du results that do not agree (a sign that something is hiding files or disk usage); monitoring tools such as perfmeter, top, BMC Patrol or an SNMP agent reporting figures that differ from what vmstat and ps show (a trojaned ps hides processes from one view but not the other); network traffic much higher than usual; regular files or directories under /dev, especially ones with plausible-looking names; accounts in /etc/passwd and /etc/shadow that look abnormal or have no password; and odd file names in /tmp, /var/tmp and any other world-writable directory, where "odd" includes names such as "..." (three dots). If you find such a name and it turns out to be a directory, it is a near certainty that the system has been compromised.

Also look at /.rhosts, /etc/hosts.equiv, /.ssh/known_hosts and every user's ~/.rhosts for inappropriate new entries, and keep a close eye on the hidden trust relationships: which file systems does the host mount or export over NFS? Which hosts have .rhosts, .shosts or hosts.equiv entries naming other hosts? Which hosts have a .netrc file? Which hosts share a network segment with it? Keep digging along these lines. Attackers rarely stop at one host: they jump from one to the next, hide their tracks and open as many back doors as they can. If you find anything suspicious, contact your local Computer Emergency Response Team to help check the other hosts on the network and restore the damaged site.
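As an added example that is not part of the original article, the shell script below turns the file-system, account, trust-file and process-table checks listed above into functions and runs them against a throwaway directory tree built to contain one instance of each indicator. The tree, the account and host names in it, the setuid baseline file and the ps sample are all constructed for the demonstration. On a live host you would call the same functions with / as the root (as root) and feed check_procs from `ps -eo pid,ruid,euid,comm` on Linux.

```shell
#!/bin/sh
# Added example (not from the original article): indicator checks for a UNIX
# host, run here against a constructed fixture tree so they can be tried offline.
# On a real host, call the check_* functions with "/" as the root, as root.

# Build a throwaway tree that plants one instance of each indicator. Every
# path, account and host name in it is made up for the demonstration.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/tmp/..." "$root/var/tmp/normal" "$root/dev" "$root/etc" \
             "$root/usr/bin" "$root/home/alice"
    mkfifo "$root/dev/fifo0"                      # non-regular entry, must not be flagged
    echo 'cfg' > "$root/dev/printer.conf"         # regular file hiding in /dev
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' 'alice:x:1000:1000::/home/alice:/bin/sh' \
        'svc:x:0:0::/:/bin/sh' > "$root/etc/passwd"                 # svc is a second UID-0 account
    printf '%s\n' 'root:$6$abc:19000:0:99999:7:::' 'alice::19000:0:99999:7:::' \
        'svc:$6$abc:19000:0:99999:7:::' > "$root/etc/shadow"         # alice has no password
    echo 'trusted.example.net' > "$root/etc/hosts.equiv"
    echo '+ +' > "$root/home/alice/.rhosts"                          # trusts every user on every host
    echo 'machine ftp.example.net login alice password hunter2' > "$root/home/alice/.netrc"
    : > "$root/usr/bin/passwd"; chmod 4755 "$root/usr/bin/passwd"    # setuid binary in the baseline
    : > "$root/usr/bin/.sh";    chmod 4755 "$root/usr/bin/.sh"       # setuid binary that is not
    echo 'usr/bin/passwd' > "$root/suid.baseline"  # recorded while the host was known-good
    echo "$root"
}

# 1. Names made of dots (or with a trailing space) in world-writable scratch
#    directories. A directory by such a name is the strongest signal in the text.
check_dot_names() {   # $1 = root
    for d in "$1/tmp" "$1/var/tmp"; do
        [ -d "$d" ] && find "$d" \( -name '...' -o -name '.. ' -o -name '. ' \) -print
    done | while IFS= read -r p; do
        if [ -d "$p" ]; then echo "DIR $p"; else echo "FILE $p"; fi
    done
    return 0
}

# 2. Regular files under /dev: real entries are device nodes, so plain files
#    stand out. On a live host exclude /dev/shm and /dev/mqueue before judging.
check_dev_files() { find "$1/dev" -type f; }

# 3. Accounts with an empty password field, and UID-0 accounts other than root.
check_accounts() {
    awk -F: '$2 == "" { print "empty-password:" $1 }' "$1/etc/shadow"
    awk -F: '$3 == 0 && $1 != "root" { print "uid0:" $1 }' "$1/etc/passwd"
}

# 4. Setuid/setgid files that are not in a baseline list ($2, paths relative
#    to root, one per line) taken while the host was known-good.
check_new_setuid() {
    now=$(mktemp) || return 1
    sort "$2" > "$now.base"
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sed "s#^$1/##" | sort > "$now"
    comm -23 "$now" "$now.base"     # present now, absent from the baseline
    rm -f "$now" "$now.base"
}

# 5. Trust relationships: wildcard "+" entries in rhosts-style files, and
#    .netrc files holding cleartext credentials for other hosts (the next pivot).
check_trust() {
    for f in "$1/etc/hosts.equiv" "$1/.rhosts" "$1/.shosts" \
             "$1"/home/*/.rhosts "$1"/home/*/.shosts; do
        [ -f "$f" ] && grep -l '^+' "$f"
    done
    find "$1" -name .netrc -type f
    return 0
}

# 6. Process-table checks on "PID RUID EUID COMM" lines, as produced on Linux by
#    `ps -eo pid,ruid,euid,comm`. Flags a second inetd and any process whose
#    effective UID is root while its real UID is not.
check_procs() {   # reads the ps output on stdin
    awk 'NR > 1 {
            if ($4 == "inetd") n++
            if ($3 == 0 && $2 != 0) print "euid0-ruid" $2 ":" $1 ":" $4
         }
         END { if (n > 1) print "duplicate-inetd:" n }'
}

# Constructed ps sample: two inetd processes and an ssh running as euid 0.
SAMPLE_PS='PID RUID EUID COMM
1 0 0 init
211 0 0 inetd
212 0 0 inetd
433 1000 0 ssh
901 1000 1000 sh'

# Walk every check over the fixture; on a real host replace "$R" with /.
R=$(make_fixture)
for c in check_dot_names check_dev_files check_accounts check_trust; do
    echo "== $c"; "$c" "$R"
done
echo "== check_new_setuid"; check_new_setuid "$R" "$R/suid.baseline"
echo "== check_procs";      printf '%s\n' "$SAMPLE_PS" | check_procs
rm -rf "$R"
```

The df/du gap and the traffic-volume comparison are deliberately left out: both only mean something against a baseline recorded when the host was known-good, and a trojaned ps or du will lie to a script just as readily as to an operator, so confirm findings from a clean boot medium before trusting them.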