A Look at Linux File Security Through an Incident Response
The cause of the incident is simple: a web page was tampered with. The customer's request is just as simple: delete the tampered page.
One can imagine that if it could simply be deleted, there would be no emergency. The system is Linux, and the file permissions look like this:
The permission string ends with a "+", which brings up the first Linux file-security point: the file ACL. An ACL grants operation permissions on a file or directory to a specific user or group, on top of the ordinary permission bits that we set with chmod and view with ls -l.
Running getfacl on a tampered file shows an extra entry, user:root:---, meaning that root has no permissions on the file. A plain rm cannot delete it, for example:
The first idea is setfacl -m u:root:rwx to give root its permissions back so that root can delete the tampered files. But setfacl -m reports that you do not have permission to modify the ACL, and setfacl -b, which removes all ACL entries, fails with the same message. The current user is root, so why is there no permission? This is the second Linux file-security point: file attributes (the "hidden" attributes shown by lsattr).
[root@localhost 05]# lsattr 013989.shtml
----i-------- 013989.shtml
All the files carry the i (immutable) attribute, which forbids any modification of the file, and that is why setfacl could not restore the permissions. Running chattr -i to remove the attribute prints nothing, but a second lsattr shows that the i attribute is still there.
This is the third Linux file-security point: system command replacement. Since chattr had no effect, we suspected that the intruder had replaced the system command. A test: chattr +a on a page file sets the attribute normally, and chattr -a removes it again. A new 1.txt is created in /tmp, several attributes are set with chattr +ais and removed with chattr -ais, and only the i attribute cannot be cleared. The earlier suspicion is confirmed.
Restoring the system command is cumbersome, and doing it over QQ remote assistance through a bastion host is even more so. Unable to find an alternative, we thought of busybox, the command toolkit commonly used in Android testing, and busybox chattr -i finally solved the problem.
PS: if the server has Internet access,
yum install e2fsprogs
reinstalls the chattr command (it is part of e2fsprogs).
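As an added example that is not part of the original write-up, the POSIX-shell helpers below turn the three findings into defender-side checks: flag files carrying the immutable attribute in lsattr output, flag ACL entries that lock a named user out in getfacl output, and verify e2fsprogs against the RPM database. The lsattr/getfacl lines fed to them are constructed sample data, and the file names are placeholders.

```shell
#!/bin/sh
# Triage helpers for the three findings in the write-up: the immutable ("i")
# attribute, ACL entries that lock root out, and a possibly replaced chattr.
# The lsattr/getfacl output used below is constructed sample data, not
# captured from the incident; file names are placeholders.

# Print the name of every file whose lsattr attribute field contains the
# lowercase 'i' (immutable) flag. Reads lsattr-style lines from stdin and
# skips the "dir:" headers and blank lines that lsattr -R emits.
find_immutable() {
  while read -r attrs name; do
    [ -n "$name" ] || continue
    case "$attrs" in
      *i*) printf '%s\n' "$name" ;;
    esac
  done
}

# Print "file:entry" for every named-user ACL entry that grants nothing
# (user:<name>:---), the pattern that shut root out of the tampered pages.
# Reads getfacl output for one or more files from stdin.
find_deny_entries() {
  file=''
  while read -r line; do
    case "$line" in
      '# file: '*) file=${line#*: } ;;
      user:?*:---) printf '%s:%s\n' "$file" "$line" ;;
    esac
  done
}

# Live scan of a web root for immutable files. lsattr itself must be
# trusted; if the host's e2fsprogs is suspect, call busybox lsattr instead.
scan_web_root() {
  lsattr -R "$1" 2>/dev/null | find_immutable
}

# Verify e2fsprogs (chattr, lsattr) against the RPM database: a line for
# chattr whose flags include "5" means its checksum no longer matches the
# package, i.e. the "replaced system command" condition described above.
verify_e2fsprogs() {
  rpm -V e2fsprogs
}

# Demonstration on constructed data.
printf '%s\n' '----i--------e- 013989.shtml' '-------------e- index.html' | find_immutable
printf '%s\n' '# file: 013989.shtml' 'user::rw-' 'user:root:---' 'group::r--' 'other::r--' |
  find_deny_entries
```

For a real host, run scan_web_root on the document root and feed getfacl -R output of the same tree to find_deny_entries; both only read, so they are safe to run before any cleanup.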
[Via @ STD brothers]