Determining whether a Unix system has been compromised takes real skill, but there are some simple methods that catch a lot.
The simplest is to look through the system logs, the process table, and the file system for "strange" messages, processes, or files. For example:
Two running inetd processes (there should be only one);
An sshd running with an effective UID of root while its real UID is not root;
Core files left behind by RPC services (a crashed daemon often means someone tried to exploit it);
New setuid/setgid programs;
Files whose size is growing rapidly;
df and du giving results that do not agree;
Perfmeter, top, BMC Patrol, SNMP monitors (all monitoring programs) disagreeing with vmstat/ps, and network traffic much higher than usual;
Regular files and directory entries under /dev, especially ones with innocuous-looking names;
Abnormal or password-less accounts in /etc/passwd and /etc/shadow;
Strange file names in /tmp, /var/tmp and other directories with write permission for everyone. "Strange" here means names such as "..." (made up only of dots, or dots and spaces). If you find such a name and it turns out to be a directory, your system has very likely been compromised.
Also check /.rhosts, /etc/hosts.equiv, /.ssh/known_hosts and ~/.rhosts for new entries that do not belong there.
In addition, pay close attention to hidden trust relationships. For example, how does this host mount NFS file systems, and from which hosts? Which hosts have .rhosts, .shosts and hosts.equiv entries for other hosts? Which hosts have .netrc files? Which hosts share a CIDR block with this one? Keep following these links. Attackers usually do not stop at one host: they move from one host to the next, hiding their traces and opening as many backdoors as they can.
If you find anything suspicious, contact your local computer emergency response team; they can help check the other hosts on the network and recover the compromised site.