First, checking whether the system has been intruded
1) Check the system logs
Check the system and authentication logs and count repeated login attempts from the same IP. The last command lists the login history, including reboots, so unexpected logins or restarts stand out; lastb lists failed logins. Both read /var/log/wtmp and /var/log/btmp, which an intruder with root can edit, so an empty or suspiciously short history is itself a finding.
# last
2) Check the system users
Look for accounts that should not exist:
# cat /etc/passwd
Check whether new users have been created, in particular any account with UID or GID 0:
# awk -F: '$3 == 0 || $4 == 0' /etc/passwd
Check the modification time of passwd to see whether users were added without your knowledge (the mtime shown by ls -l is trivially reset with touch, so compare it with the ctime shown by stat as well):
# ls -l /etc/passwd
Check whether a privileged (UID 0) user other than root exists:
# awk -F: '$3 == 0 {print $1}' /etc/passwd
Check whether any account has an empty password field:
# awk -F: 'length($2) == 0 {print $1}' /etc/shadow
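As an added example, not part of the original post, the two account checks above packaged as shell functions that take the file to inspect as an argument, so they can be run against /etc/passwd and /etc/shadow on the host or against copies collected from it. The passwd and shadow content below is constructed for the demonstration, and the account names toor and guest are made up:

```shell
#!/bin/sh
# Added example: audit a passwd/shadow pair for the two things the checklist
# cares about. Both functions take the file as an argument so they work on a
# live host (/etc/passwd, /etc/shadow) or on copies collected for analysis.

# Every account whose UID or GID is 0 but whose name is not "root".
# A second UID-0 account is the classic passwd-file backdoor.
extra_uid0_accounts() {
    awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 }' "$1"
}

# Every account whose password field is empty: it can log in with no
# password at all. Locked accounts ("!" or "*") are not empty and are skipped.
empty_password_accounts() {
    awk -F: 'length($2) == 0 { print $1 }' "$1"
}

# Constructed sample data (not from a real host): a normal root, a system
# account, a backdoor account "toor" with UID 0, and "guest" with no password.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0::/:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
EOF
cat > "$demo_dir/shadow" <<'EOF'
root:$6$saltsalt$hashhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
toor:$6$saltsalt$hashhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF

echo "UID/GID 0 accounts other than root:"
extra_uid0_accounts "$demo_dir/passwd"
echo "accounts with an empty password field:"
empty_password_accounts "$demo_dir/shadow"
# On the host itself:
#   extra_uid0_accounts /etc/passwd
#   empty_password_accounts /etc/shadow
```

The GID test in extra_uid0_accounts is deliberate: an account with a normal UID but GID 0 is less obvious than a second UID-0 user and still gets group-root access to anything writable by the root group.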
3) Check for abnormal processes
Pay attention to processes running as UID 0:
# ps -ef
View the ports and files opened by a process:
# lsof -p PID
Check for hidden processes by comparing the PIDs that ps reports with the numeric entries in /proc; a user-space rootkit that patches ps usually does not hide the /proc directories, so a PID present in file 2 but absent from file 1 is what to look for (a kernel rootkit can hide both, and short-lived processes cause transient differences, so rerun before acting on a single diff):
# ps -ef | awk 'NR > 1 {print $2}' | sort -n | uniq > 1
# ls /proc | grep -E '^[0-9]+$' | sort -n | uniq > 2
# diff 1 2
4) Check for abnormal system files
Setuid-root files (compare the list against the distribution's known setuid binaries):
# find / -uid 0 -perm -4000 -print
Unusually large files (over roughly 10 MB), which may be sniffer logs or packed tools:
# find / -size +10000k -print
Directories or files whose names are chosen to hide from a casual ls: "...", ".. " and ". " (with a trailing space), and a single space:
# find / -name "..." -print
# find / -name ".. " -print
# find / -name ". " -print
# find / -name " " -print
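The find checks from step 4 as functions, added here as an example that is not part of the original post. They are run against a constructed directory tree so the expected output is known in advance; the hidden-name search goes one step beyond the checklist by also matching any name that ends in a space, and the setuid search drops -uid 0 so that the demo works when run by an unprivileged user (see the comment for the form to use on a live host):

```shell
#!/bin/sh
# Added example: the step-4 find checks as functions, exercised against a
# constructed tree so the output is known.

# Names that a casual "ls" glosses over: "...", ".. " and ". " (trailing
# space), a single space, and, going beyond the checklist, any name that
# ends in a space.
find_hidden_names() {
    find "$1" \( -name "..." -o -name ".. " -o -name ". " -o -name " " -o -name "* " \) -print
}

# Files with the setuid bit. The checklist adds -uid 0; that is dropped here
# so the demo works for an unprivileged user (its files are owned by that
# user). On a live host use: find / -uid 0 -type f -perm -4000 -print
find_setuid_files() {
    find "$1" -type f -perm -4000 -print
}

# Constructed tree (not a real host): four hidden-name directories, one
# setuid file, and ordinary entries that must not be reported.
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/tmp/..." "$demo_root/tmp/.. " "$demo_root/var/tmp/. " \
         "$demo_root/dev/ " "$demo_root/usr/bin"
touch "$demo_root/usr/bin/ls"
touch "$demo_root/usr/bin/.x"
chmod 4755 "$demo_root/usr/bin/.x"

echo "hidden-name entries (trailing space shown as <space>):"
find_hidden_names "$demo_root" | sed 's/ $/<space>/'
echo "setuid files:"
find_setuid_files "$demo_root"
```

Running ls on the constructed tmp directory shows why these names work: ".. " is visually indistinguishable from the normal parent-directory entry, which is exactly why the search has to be done with find and an exact -name pattern rather than by eye.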
5) Check system file integrity
Confirm that critical binaries still belong to a package (a file in a system directory that no package owns is suspicious):
# rpm -qf /bin/ls
# rpm -qf /bin/login
Compute checksums and compare them with values recorded before the incident or with a known-good copy of the same package version. A hash computed on the suspect host with nothing to compare against proves nothing, and md5sum itself may have been replaced, so compare using tools from trusted media where possible (-b reads in binary mode, -t in text mode):
# md5sum -b filename
# md5sum -t filename
6) Check RPM package integrity
# rpm -Va    # pay particular attention to /sbin, /bin, /usr/sbin and /usr/bin
Output format: one line per file that fails verification, consisting of a string of attribute flags (a "." means that attribute passed, a "?" means it could not be checked), an optional file type such as c for a configuration file, and the path. Configuration files are expected to differ; a changed digest on a binary in the directories above is not. Note that rpm -Va trusts the RPM database on the host, which an attacker with root can also modify, so treat a clean result as necessary but not sufficient.
S – file size differs
M – mode differs (permissions and file type)
5 – MD5/digest differs
D – device major/minor number mismatch
L – readlink path mismatch
U – user ownership differs
G – group ownership differs
T – modification time differs
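As an added example, not from the original post, a small awk-based triage of rpm -Va output that applies the flag semantics listed above: a content change (5 or S) on a binary under /bin, /sbin, /usr/bin or /usr/sbin is critical, a content change elsewhere is a warning, a metadata-only change is informational, configuration files (type c) are skipped because they legitimately change, and missing files are reported. The function reads a saved copy of the output so it runs offline; the rpm -Va lines below are constructed, and the package and library names in them are made up:

```shell
#!/bin/sh
# Added example: triage saved "rpm -Va" output. Each rpm -Va line is a string
# of attribute flags ("." = passed, "?" = not checked), an optional file type
# (c config, d doc, g ghost, l license, r readme) and the path.

rpm_va_triage() {
    awk '
    # A packaged file that is gone entirely.
    $1 == "missing" { print "MISSING " $NF; next }
    $1 ~ /^[SM5DLUGTP.?]+$/ {
        flags = $1
        path  = $NF
        ftype = (NF == 3) ? $2 : ""
        # Configuration files are expected to differ from the package; skip.
        if (ftype == "c") next
        content_changed = (flags ~ /5/ || flags ~ /S/)
        core_bin = (path ~ /^\/(usr\/)?s?bin\//)
        if (content_changed && core_bin)  print "CRITICAL " path
        else if (content_changed)         print "WARN " path
        else                              print "INFO " path
    }' "$1"
}

# Constructed sample output (not from a real host).
demo_file=$(mktemp)
trap 'rm -f "$demo_file"' EXIT
cat > "$demo_file" <<'EOF'
S.5....T.    /usr/bin/ls
.......T.    /usr/bin/login
SM5....T.  c /etc/ssh/sshd_config
.M.......    /usr/lib/systemd/system/sshd.service
..5......    /usr/lib64/libexample.so.1
missing      /usr/share/doc/example/README
EOF

rpm_va_triage "$demo_file"
# On the host itself:
#   rpm -Va > /root/rpm-va.txt
#   rpm_va_triage /root/rpm-va.txt
```

The mtime-only line for /usr/bin/login is deliberately rated INFO: an attacker who replaces a binary and restores its timestamp still trips the 5 flag, while a timestamp change with a matching digest is usually a package re-install or a prelink run.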
7) Check the network
# ip link | grep PROMISC    (a NIC should not normally be in promiscuous mode; if it is, a sniffer may be running)
# lsof -i
# netstat -nap    (look for TCP/UDP ports that are not normally open; on newer systems use ss -tulnp)
# arp -a
8) Check scheduled tasks
# crontab -u root -l
# cat /etc/crontab
# ls /etc/cron.*    (this also lists /etc/cron.d, where per-package and dropped-in crontabs live)
9) Check for system backdoors
# cat /etc/crontab
# ls /var/spool/cron/    (per-user crontabs; on Debian-style systems they are under /var/spool/cron/crontabs/)
# cat /etc/rc.d/rc.local
# ls /etc/rc.d
# ls /etc/rc3.d
On systemd hosts also review the enabled units (systemctl list-unit-files --state=enabled) and /etc/systemd/system, and check that /etc/ld.so.preload is absent or empty, since a preloaded library is a common way to hide processes and files from every tool on the host.
10) Check system services
# chkconfig --list
# rpcinfo -p    (view registered RPC services)
11) Check for rootkits
# rkhunter -c
# chkrootkit -q
Both scanners run with the host's own ps, ls and netstat, so a rootkit that hooks those tools can blind them; for a host you seriously suspect, repeat the checks from a clean boot medium or with statically linked copies of the tools.
Second, how an intruded or infected Linux system shows itself
The most common signs of compromise fall into the following three areas:
1) Outbound bandwidth runs high. This is a characteristic sign of compromise.
A compromised server is used by someone else: it is typically turned into a bot ("broiler") to attack other hosts, and your data is pulled out of it. Outbound bandwidth therefore deserves special attention; if it runs unexpectedly high, something is wrong and the host needs to be checked promptly.
2) Unnecessary users appear on the system.
Infection or intrusion usually leaves behind unknown accounts or unexplained logins, so inspecting this area also reveals anomalies.
3) Unknown services start at boot, or unknown crond tasks exist.
Because malware needs to survive a reboot, it normally registers itself to start with the system, so check whether the services or files that start at boot are abnormal; these generally show up in /etc/rc.local and in the output of crontab -l.
Third, the troubleshooting process for determining whether a Linux system has been trojaned