0x00 Preface

When an intrusion, a system crash or another event affects the normal operation of the business, it must be handled as quickly as possible so that the enterprise's network information system returns to normal in the shortest possible time. The intrusion source is then traced, the incident is reconstructed, and solutions and preventive measures are given, so as to avoid or reduce economic losses for the enterprise.

Based on common attack events, and combining the event analysis and solution methods from emergency response work, this article summarizes some ideas for Linux server intrusion investigation.

0x01 Intrusion Investigation Ideas

1. Account security

Basic use:

1. User information file /etc/passwd

root:x:0:0:root:/root:/bin/bash
account:password:UID:GID:GECOS:home directory:shell
# user name:password:user ID:group ID:user details:home directory:shell after login
# Note: an account with no password can only log in locally; remote login is not allowed.

2. Shadow file /etc/shadow

root:$6$oGs1PqhL2p3ZetrE$X7o7bzoouHQVSEmSgsYN5UD4.kMHx6qgbTqwNVC5oOAouXvcjQSt.Ft7ql1WpkopY0UV9ajBwUt1DpYxTCVvI/:16809:0:99999:7:::
# user name:encrypted password:date of last password change:minimum interval between password changes:password validity period:warning days before the password expires:grace days after the password expires:account expiration time:reserved

who       # view the currently logged-in users (tty: local login, pts: remote login)
w         # view system information and what each user is doing at a given time
uptime    # view the uptime, the number of logged-in users and the load

Intrusion detection:

1. Query privileged users (UID 0):

[root@localhost ~]# awk -F: '$3==0{print $1}' /etc/passwd

2. Query accounts that can log in remotely (password hash starting with $1 or $6):

[root@localhost ~]# awk '/\$1|\$6/{print $1}' /etc/shadow

3. Apart from root, check whether other accounts have sudo permission. Unless management requires it, ordinary accounts should have their sudo permission removed:

[root@localhost ~]# more /etc/sudoers | grep -v "^#\|^$" | grep "ALL=(ALL)"

4. Disable or delete redundant and suspicious accounts:

usermod -L user      # disable the account: it can no longer log in, and the second field in /etc/shadow starts with !
userdel user         # delete the user
userdel -r user      # delete the user together with the user's home directory under /home
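The three checks above combined into one script, as an added example that is not part of the original article. It runs against constructed copies of /etc/passwd, /etc/shadow and /etc/sudoers (placeholder hashes, made-up account names) so that it works offline; point the three variables at the real files on a host.

```shell
#!/bin/sh
# Added example (not from the original article): the three account checks above,
# run against constructed copies of /etc/passwd, /etc/shadow and /etc/sudoers so
# it works offline. Point PASSWD, SHADOW and SUDOERS at the real files on a host.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSWD="$WORK/passwd"; SHADOW="$WORK/shadow"; SUDOERS="$WORK/sudoers"

# Constructed sample data (hashes are placeholders, not real): a second UID-0
# account, a normal user with sudo, a system account and a locked account.
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backdoor:x:0:0::/root:/bin/bash
good:x:1000:1000::/home/good:/bin/bash
svc:x:1001:1001::/home/svc:/bin/bash
EOF
cat > "$SHADOW" <<'EOF'
root:$6$saltsalt$PLACEHOLDERHASH:16809:0:99999:7:::
bin:*:16809:0:99999:7:::
backdoor:$1$saltsalt$PLACEHOLDERHASH:16809:0:99999:7:::
good:$6$saltsalt$PLACEHOLDERHASH:16809:0:99999:7:::
svc:!$6$saltsalt$PLACEHOLDERHASH:16809:0:99999:7:::
EOF
cat > "$SUDOERS" <<'EOF'
## constructed sudoers excerpt
root    ALL=(ALL)       ALL

good    ALL=(ALL)       NOPASSWD: ALL
EOF

# 1. Every UID-0 account; anything besides root deserves an explanation.
uid0_accounts()   { awk -F: '$3==0{print $1}' "$PASSWD"; }
# 2. Accounts whose hash field starts with $1 or $6, i.e. a usable password.
#    Locked or system accounts start with ! or * and are skipped.
remote_accounts() { awk -F: '$2 ~ /^\$1|^\$6/{print $1}' "$SHADOW"; }
# 3. Non-root entries granted ALL=(ALL) in sudoers (comments and blanks dropped).
sudo_accounts()   { grep -Ev '^#|^$' "$SUDOERS" | grep 'ALL=(ALL)' | awk '$1!="root"{print $1}'; }

echo "UID 0 accounts:          $(uid0_accounts | tr '\n' ' ')"
echo "remote-capable accounts: $(remote_accounts | tr '\n' ' ')"
echo "non-root sudoers:        $(sudo_accounts | tr '\n' ' ')"
```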

2. History commands

Basic use:

View the system commands executed by an account through its .bash_history file.

1. View the history of the root account:

history

2. Add the login IP address and execution time to the history entries:

1) Save 10,000 commands:

sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile

2) Append the following configuration to the end of /etc/profile:

######jiagu history xianshi#########
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]
then
USER_IP=`hostname`
fi
export HISTTIMEFORMAT="%F %T $USER_IP `whoami` "
shopt -s histappend
export PROMPT_COMMAND="history -a"
######### jiagu history xianshi ##########

3) Reload the configuration so that it takes effect:

source /etc/profile

Each history entry then carries the time, source IP and user, for example:

1  2018-07-10 19:45:39 192.168.204.1 root source /etc/profile

3. Clearing the history: history -c. This command does not clear the records saved in the file, however, so the records in the .bash_profile file have to be deleted manually.

Intrusion detection:

Go to the user's home directory and export the history:

cat .bash_history >> history.txt

3. Ports

Use the netstat network connection command to analyze suspicious ports, IP addresses and PIDs:

netstat -antlp | more

# view the file path of the process behind a PID ($pid is the PID in question)
ls -l /proc/$pid/exe
file /proc/$pid/exe

4. Processes

Analyze processes with the ps command:


ps aux | grep pid 

5. Boot options

Basic use:

Overview of the system run levels:

Run level   Meaning
0           Shutdown
1           Single-user mode, comparable to Windows safe mode, mainly used for system repair
2           Incomplete multi-user command-line mode, without the NFS service
3           Full multi-user command-line mode, the standard character interface
4           Reserved by the system
5           Graphical mode
6           Reboot

View the current run level:

runlevel

Default run level:

vi /etc/inittab
id:3:initdefault:    # the run level entered after the system starts

Boot configuration files:


/etc/rc.local
/etc/rc.d/rc[0~6].d

Example: when a script of our own should run at startup, we simply place the executable script in /etc/init.d and create a soft link to it in /etc/rc.d/rc*.d:


[root@localhost ~]# ln -s /etc/init.d/sshd /etc/rc.d/rc3.d/S100ssh

Here sshd is the script file of the specific service and S100ssh is the soft link. A link name starting with S means the service is started when that run level is loaded; a link name starting with K means the service is stopped when that run level is loaded.

Intrusion detection:

Startup files:

more /etc/rc.local
ls -l /etc/rc.d/rc[0~6].d
ls -l /etc/rc.d/rc3.d/
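An added example (not from the original article) that audits the S/K links in an rc*.d directory as described above: it resolves each link, labels it start or stop, and flags targets that are missing or that do not live in an init.d directory. The directory tree and link names are constructed; set ROOT=/ to audit a real host.

```shell
#!/bin/sh
# Added example (not from the original article): audit the rc*.d links described
# above. Each S/K link in a run-level directory is resolved, labelled start or
# stop, and flagged when its target is missing or does not live in an init.d
# directory. A constructed tree under mktemp stands in for /etc; set ROOT=/ to
# audit a real host.
set -eu
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT

# Constructed sample: a normal sshd start link, an httpd kill link, and a
# start link pointing at a hidden script in /tmp (persistence of the kind the
# intrusion check above looks for).
mkdir -p "$ROOT/etc/init.d" "$ROOT/etc/rc.d/rc3.d" "$ROOT/tmp"
printf '#!/bin/sh\n' > "$ROOT/etc/init.d/sshd"
printf '#!/bin/sh\n' > "$ROOT/etc/init.d/httpd"
printf '#!/bin/sh\n' > "$ROOT/tmp/.x.sh"
ln -s "$ROOT/etc/init.d/sshd"  "$ROOT/etc/rc.d/rc3.d/S55sshd"
ln -s "$ROOT/etc/init.d/httpd" "$ROOT/etc/rc.d/rc3.d/K15httpd"
ln -s "$ROOT/tmp/.x.sh"        "$ROOT/etc/rc.d/rc3.d/S99update"

# Print "<link> <start|stop> <target> <ok|SUSPICIOUS|MISSING>" per link.
audit_runlevel() {
  for link in "$ROOT"/etc/rc.d/rc"$1".d/[SK]*; do
    [ -L "$link" ] || continue
    name=$(basename "$link")
    target=$(readlink "$link")
    case "$name" in S*) action=start ;; *) action=stop ;; esac
    if [ ! -e "$link" ]; then verdict=MISSING        # dangling link
    else
      # heuristic: a legitimate target sits in an init.d directory
      case "$target" in *init.d/*) verdict=ok ;; *) verdict=SUSPICIOUS ;; esac
    fi
    printf '%s %s %s %s\n' "$name" "$action" "$target" "$verdict"
  done
}

# Only the entries that need a closer look.
suspicious_links() { audit_runlevel "$1" | awk '$4!="ok"{print $1}'; }

audit_runlevel 3
```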

6. Scheduled tasks

Basic use:

1. Create scheduled tasks with crontab

  • Basic commands

crontab -l    # list the cron entries of the current user

Tip: by default the crontab file is saved as /var/spool/cron/<username>, for example /var/spool/cron/root

crontab -r    # delete the user's cron tasks (caution: this deletes all of the user's scheduled tasks)

crontab -e    # edit the current crontab file with the editor

For example, append to a file every minute:

*/1 * * * * echo "hello world" >> /tmp/test.txt

2. Use anacron for asynchronous scheduled tasks

  • Use case

Run the /home/backup.sh script every day:

vi /etc/anacrontab
@daily 10 example.daily /bin/bash /home/backup.sh

If the machine is powered off at the time backup.sh is due to run, anacron runs it ten minutes after the machine starts instead of waiting another seven days.

Intrusion detection:

Check whether malicious scripts exist in the following locations:


/var/spool/cron/* 
/etc/crontab
/etc/cron.d/*
/etc/cron.daily/* 
/etc/cron.hourly/* 
/etc/cron.monthly/*
/etc/cron.weekly/
/etc/anacrontab
/var/spool/anacron/*

Tip:

more /etc/cron.daily/*    # view all files in the directory

7. Services

Service auto-start

Method one:

chkconfig [--level runlevel] [service name] [on|off]

chkconfig --level 2345 httpd on    # enable auto-start at run levels 2, 3, 4 and 5
chkconfig httpd on                 # the default levels are 2345

Method two:

Add the line /etc/init.d/httpd start to /etc/rc.d/rc.local

Method three:

Use the ntsysv command to manage the auto-start of both independent services and xinetd services.

Intrusion detection:

1, Query the installed services:

Services installed from RPM packages:

chkconfig --list       # view the startup status of all services installed from RPM packages
ps aux | grep crond    # view the current service

# view the startup items at run levels 3 and 5
chkconfig --list | grep "3:启用\|5:启用"    # Chinese locale
chkconfig --list | grep "3:on\|5:on"        # English locale

Services installed from source packages:

# check the installation location of the service, usually under /usr/local/
service httpd start     # check whether the service exists
/etc/rc.d/init.d/       # search here for the service script

8. System logs

The default directory for storing logs is /var/log/

Check the log configuration with:

more /etc/rsyslog.conf

Log file             Description
/var/log/cron        Records the logs of scheduled system tasks
/var/log/cups        Records the logs of printing
/var/log/dmesg       Records the kernel self-check information from system startup; the dmesg command shows the same information
/var/log/maillog     Records mail messages
/var/log/messages    Records important system information. This file contains most of the important information about the Linux system and is the first place to look when the system has a problem
/var/log/btmp        Binary file that cannot be viewed directly with vi; view it with the lastb command
/var/log/lastlog     Binary file; the lastlog command shows the last login time of every user on the system
/var/log/wtmp        Permanently records the login and logout of all users as well as system startup, reboot and shutdown events. Binary file that cannot be viewed with vi; view it with the last command
/var/log/utmp        Records the currently logged-in users and changes as users log in and out; it only holds the users logged in right now. Binary file that cannot be viewed with vi; query it with the w, who or users commands
/var/log/secure      Records authentication and authorization information. Anything involving an account or password is logged here: SSH logins, su switches, sudo authorizations, and even adding a user or changing a user's password

Log analysis techniques:

1. Locate how many IP addresses are brute-forcing the root account:

grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

Locate which IP addresses are brute-forcing:

grep "Failed password" /var/log/secure | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | uniq -c

Which user names are in the brute-force dictionary:

grep "Failed password" /var/log/secure | perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n"; }' | uniq -c | sort -nr

2. Which IP addresses logged in successfully:

grep "Accepted" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

Date, user name and IP address of successful logins:

grep "Accepted" /var/log/secure | awk '{print $1,$2,$3,$9,$11}'

3. Log entries for adding the user kali:

Jul 10 00:12:15 localhost useradd[2382]: new group: name=kali, GID=1001
Jul 10 00:12:15 localhost useradd[2382]: new user: name=kali, UID=1001, GID=1001, home=/home/kali, shell=/bin/bash
Jul 10 00:12:58 localhost passwd: pam_unix(passwd:chauthtok): password changed for kali
# grep "useradd" /var/log/secure

4. Log entries for deleting the user kali:

Jul 10 00:14:17 localhost userdel[2393]: removed group 'kali' owned by 'kali'
Jul 10 00:14:17 localhost userdel[2393]: removed shadow group 'kali' owned by 'kali'
# grep "userdel" /var/log/secure

5. su user switch:

Jul 10 00:38:13 localhost su: pam_unix(su-l:session): session opened for user good by root(uid=0)

sudo authorization:

sudo: good : TTY=pts/4 ; PWD=/home/good ; USER=root ; COMMAND=/sbin/shutdown -r now
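The log-analysis commands above wrapped into functions, as an added example that is not from the original article. It runs over a constructed excerpt of /var/log/secure (made-up hosts, PIDs and addresses) and also handles "invalid user" lines, where the article's awk field 11 is the word "from" rather than the address.

```shell
#!/bin/sh
# Added example (not from the original article): the /var/log/secure analysis
# above, run over a constructed excerpt so it works offline; set LOG to
# /var/log/secure on a real host. Hosts, PIDs and IPs are made up. It also
# handles "invalid user" lines, where the article's awk '{print $11}' would
# print the word "from" instead of the address.
set -eu
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Jul 10 00:01:01 localhost sshd[2001]: Failed password for root from 10.0.0.5 port 41234 ssh2
Jul 10 00:01:03 localhost sshd[2001]: Failed password for root from 10.0.0.5 port 41236 ssh2
Jul 10 00:01:05 localhost sshd[2002]: Failed password for invalid user admin from 10.0.0.5 port 41240 ssh2
Jul 10 00:01:09 localhost sshd[2003]: Failed password for root from 192.168.204.7 port 50100 ssh2
Jul 10 00:02:30 localhost sshd[2004]: Accepted password for root from 10.0.0.5 port 41300 ssh2
Jul 10 00:12:15 localhost useradd[2382]: new user: name=kali, UID=1001, GID=1001, home=/home/kali, shell=/bin/bash
Jul 10 00:38:13 localhost su: pam_unix(su-l:session): session opened for user good by root(uid=0)
EOF

# "<count> <ip>" per source address of failed logins, busiest first.
failed_ips() {
  grep "Failed password" "$LOG" | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -nr | sed 's/^ *//'
}
# "<count> <user>" per user name tried, including invalid users.
tried_users() {
  grep "Failed password" "$LOG" \
    | sed -n 's/.*for \(invalid user \)*\([^ ]*\) from .*/\2/p' \
    | sort | uniq -c | sort -nr | sed 's/^ *//'
}
# Date, user and source IP of each successful login (the article's awk fields).
accepted_logins() { grep "Accepted" "$LOG" | awk '{print $1,$2,$3,$9,$11}'; }
# Account lifecycle and privilege events worth reading line by line.
account_events()  { grep -E "useradd|userdel|su: |sudo" "$LOG"; }

echo "--- failed logins by IP ---";      failed_ips
echo "--- user names tried ---";         tried_users
echo "--- successful logins ---";        accepted_logins
echo "--- account/privilege events ---"; account_events
```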

0x03 Tools

1. Rootkit detection and removal

  • chkrootkit

    Website: www.chkrootkit.org

    Usage:

    wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
    tar zxvf chkrootkit.tar.gz
    cd chkrootkit-0.52
    make sense
    # if no error is reported, the build succeeded; run the check
    ./chkrootkit
  • rkhunter

    Website: rkhunter.sourceforge.net

    Usage:

    wget https://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.4/rkhunter-1.4.4.tar.gz
    tar zxvf rkhunter-1.4.4.tar.gz
    cd rkhunter-1.4.4
    ./installer.sh --install

2. Virus detection and removal

  • ClamAV

    Official ClamAV download address: www.clamav.net/download.ht…

    Installation method one:

    1. Install zlib:

    wget http://nchc.dl.sourceforge.net/project/libpng/zlib/1.2.7/zlib-1.2.7.tar.gz
    tar zxvf zlib-1.2.7.tar.gz
    cd zlib-1.2.7
    # gcc must be installed first
    ./configure --prefix=/usr/local/zlib/
    make && make install

    2. Add the clamav user and group:

    groupadd clamav
    useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav

    3. Install clamav:

    tar -zxvf clamav-0.97.6.tar.gz
    cd clamav-0.97.6
    ./configure --prefix=/opt/clamav --disable-clamav --with-zlib=/usr/local/zlib
    make
    make install

    4. Configure clamav:

    mkdir /opt/clamav/logs
    mkdir /opt/clamav/updata
    touch /opt/clamav/logs/freshclam.log
    touch /opt/clamav/logs/clamd.log
    cd /opt/clamav/logs
    chown clamav:clamav clamd.log
    chown clamav:clamav freshclam.log

    5. Update the virus database:

    /opt/clamav/bin/freshclam

    6. Scan:

    ./clamscan -h                  # view the help
    ./clamscan -r /home            # scan all users' home directories
    ./clamscan -r --bell -i /bin   # scan the bin directory and show only the files found to be infected

    Method two:

    clamscan -r /etc --max-dir-recursion=5 -l /root/etcclamav.log
    clamscan -r /bin --max-dir-recursion=5 -l /root/binclamav.log
    clamscan -r /usr --max-dir-recursion=5 -l /root/usrclamav.log
    clamscan -r --remove /usr/bin/bsd-port
    clamscan -r --remove /usr/bin/
    clamscan -r --remove /usr/local/zabbix/sbin
    # check the log for FOUND entries
    cat /root/usrclamav.log | grep FOUND

3. Webshell detection and removal

Linux version:

Hema webshell scanner: http://www.shellpub.com
Sangfor webshell backdoor detection: http://edr.sangfor.com.cn/backdoor_detection.html

4. RPM check

System integrity can be verified with rpm -Va, which checks all RPM packages and shows which commands have been replaced:


rpm -Va > rpm.log

If everything verifies, no output is produced; any inconsistency is displayed. The output format is an 8-character string, each character representing the result of comparing one attribute of the file against the RPM database. A dot (.) means that test passed.

The eight verification items are:

S    Whether the file size changed
M    Whether the file type or the file permissions (rwx) changed
5    Whether the MD5 checksum of the file changed
D    Whether the device major/minor number changed
L    Whether the file path changed
U    Whether the file owner changed
G    Whether the file owner group changed
T    Whether the modification time of the file changed
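An added example, not from the original article, that decodes the rpm -Va result string into the attribute names from the table above so that a line such as S.5....T. can be read at a glance. The two sample output lines are constructed, not real rpm output.

```shell
#!/bin/sh
# Added example (not from the original article): decode the result string that
# rpm -Va prints into the attribute names from the table above, so a line such
# as "S.5....T." can be read at a glance. The sample lines are constructed, not
# real rpm output; on a host, run: rpm -Va | decode_rpm_verify
set -eu

# One flag character -> meaning, following the article's table.
flag_name() {
  case "$1" in
    S) echo "size changed" ;;
    M) echo "mode (type or permissions) changed" ;;
    5) echo "MD5 digest changed" ;;
    D) echo "device major/minor number changed" ;;
    L) echo "symlink path changed" ;;
    U) echo "owner changed" ;;
    G) echo "group changed" ;;
    T) echo "modification time changed" ;;
    *) echo "unknown flag $1" ;;
  esac
}

# Expand a verify string into a comma-separated list; "." positions are passed tests.
decode_flags() {
  flags=$1; out=""
  while [ -n "$flags" ]; do
    c=${flags%"${flags#?}"}        # first character
    flags=${flags#?}               # drop it
    [ "$c" = "." ] && continue
    out="${out:+$out, }$(flag_name "$c")"
  done
  echo "$out"
}

# Read rpm -Va output on stdin ("<flags> [c] <path>", c marks a config file)
# and print "<path>: <decoded flags>"; config files are labelled as such.
decode_rpm_verify() {
  while read -r flags rest; do
    case "$rest" in
      "c "*) printf '%s (config): %s\n' "${rest#c }" "$(decode_flags "$flags")" ;;
      *)     printf '%s: %s\n' "$rest" "$(decode_flags "$flags")" ;;
    esac
  done
}

# Constructed sample: a replaced binary (the case the article worries about)
# and a locally edited configuration file.
printf '%s\n' 'S.5....T.    /bin/ls' 'S.5....T.  c /etc/ssh/sshd_config' | decode_rpm_verify
```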

If a command has been replaced, how to restore it:

File extraction and restoration example:

rpm -qf /bin/ls      # query which package the ls command belongs to
mv /bin/ls /tmp      # simulate the loss of the ls command
rpm2cpio /mnt/cdrom/Packages/coreutils-8.4-19.el6.i686.rpm | cpio -idv ./bin/ls    # extract ls from the RPM package into ./bin/ls under the current directory
cp /root/bin/ls /bin/    # copy the ls command back to /bin/ to repair the missing file

Finally

Welcome to follow my personal WeChat official account: Bypass--, with an original technical article every week.

 
