0x00 Preface

When a company is hacked, a system collapses, or some other event disrupts normal business operations, the incident must be handled immediately so that the enterprise's network and information systems return to normal operation in the shortest possible time. The response then goes further: locate the source of the intrusion, reconstruct how the intrusion unfolded, and provide solutions and preventive measures, so that the enterprise avoids or reduces its economic loss.

Based on common attack events, and drawing on the analysis and resolution of emergency response incidents encountered in practice, this article summarizes some approaches to investigating intrusions on Linux servers.

0x01 Intrusion Investigation Approach

1.1 Account Security

Basic use:

1. User information file /etc/passwd

root:x:0:0:root:/root:/bin/bash

account:password:UID:GID:GECOS:home directory:shell
user name:password:user ID:group ID:user description:home directory:shell after login

Note: an account without a password can only log in locally; remote login is not allowed.

2. Shadow file /etc/shadow

root:$6$oGs1PqhL2p3ZetrE$X7o7bzoouHQVSEmSgsYN5UD4.kMHx6qgbTqwNVC5oOAouXvcjQSt.Ft7ql1WpkopY0UV9ajBwUt1DpYxTCVvI/:16809:0:99999:7:::

user name:encrypted password:date of last password change:minimum interval between password changes:password validity period:warning days before the password expires:grace days after the password expires:account expiration time:reserved

who      show the currently logged-in users (tty means a local login, pts a remote login)
w        show system information and what users are doing at a given time
uptime   show how long the system has been up, how many users are logged in, and the load

Intrusion detection:

1. Query accounts with UID 0 (privileged accounts):

[root@localhost ~]# awk -F: '$3==0{print $1}' /etc/passwd

2. Query accounts that can log in remotely (accounts with a password hash):

[root@localhost ~]# awk '/\$1|\$6/{print $1}' /etc/shadow

3. Apart from root, check whether any other account has sudo permission; unless management requires it, ordinary accounts should have their sudo permission removed:

[root@localhost ~]# more /etc/sudoers | grep -v "^#\|^$" | grep "ALL=(ALL)"

4. Disable or delete redundant and suspicious accounts:

usermod -L user     disable the account; it can no longer log in, and the second field of its /etc/shadow entry starts with !
userdel user        delete the user
userdel -r user     delete the user together with the user's directory under /home
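The same checks as the awk one-liners above, as an added Python example that is not part of the original article. It parses constructed /etc/passwd and /etc/shadow contents (the root hash is the one quoted above; the other hashes are dummies) and goes a little beyond the page's `$1|$6` pattern by also treating $5 and $y hashes as usable and by recognising the leading `!` that usermod -L writes.

```python
import re

# Constructed sample /etc/passwd and /etc/shadow contents (not from a real host);
# the root hash is the one quoted on this page, the others are dummies.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/tmp:/bin/bash
svc:x:1001:1001::/var/svc:/sbin/nologin
"""
SHADOW = """\
root:$6$oGs1PqhL2p3ZetrE$X7o7bzoouHQVSEmSgsYN5UD4.kMHx6qgbTqwNVC5oOAouXvcjQSt.Ft7ql1WpkopY0UV9ajBwUt1DpYxTCVvI/:16809:0:99999:7:::
bin:*:16809:0:99999:7:::
alice:$1$saltsalt$dummyhash:16809:0:99999:7:::
toor:$6$saltsalt$dummyhash:16809:0:99999:7:::
svc:!$6$saltsalt$dummyhash:16809:0:99999:7:::
"""
# $1 md5, $5 sha256, $6 sha512, $y yescrypt: any of these is a usable hash
HASH_RE = re.compile(r"^\$(1|5|6|y)\$")

def uid0_accounts(passwd_text):
    """Names of every account whose UID field (the 3rd) is 0, i.e. root-equivalent."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2] == "0":
            names.append(fields[0])
    return names

def password_accounts(shadow_text):
    """Split shadow entries into (usable, locked): a real hash means the account
    can authenticate with a password (so remote login is possible); a leading
    '!' in front of a hash is what usermod -L writes; '*' and '!!' never match."""
    usable, locked = [], []
    for line in shadow_text.splitlines():
        name, pw = line.split(":")[:2]
        if pw.startswith("!") and HASH_RE.match(pw[1:]):
            locked.append(name)
        elif HASH_RE.match(pw):
            usable.append(name)
    return usable, locked

def suspicious_accounts(passwd_text, shadow_text):
    """Findings an investigator would act on: extra UID 0 accounts and any
    password-enabled account besides root (review each against the staff list)."""
    usable, _ = password_accounts(shadow_text)
    return {
        "extra_uid0": [n for n in uid0_accounts(passwd_text) if n != "root"],
        "password_enabled": [n for n in usable if n != "root"],
    }
```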

1.2 Historical Commands

Basic use:

The commands executed by an account can be viewed through its .bash_history file.

1. Run the history command to view the command history of the root account.

2. Strengthen the history configuration:

1) Save 10,000 commands:

sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile

2) Append the following configuration to the end of /etc/profile:

######jiagu history xianshi#########
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]
then
USER_IP=`hostname`
fi
export HISTTIMEFORMAT="%F %T $USER_IP `whoami` "
shopt -s histappend
export PROMPT_COMMAND="history -a"
######### jiagu history xianshi ##########

3) Run source /etc/profile so that the configuration takes effect. A history entry then looks like:

1 2018-07-10 19:45:39 192.168.204.1 root source /etc/profile

3. Clearing the command history: history -c. However, this command does not clear the records saved in the file, so the records in the .bash_profile file need to be deleted manually.

Intrusion detection:

Go to the user's home directory and run:

cat .bash_history >> history.txt

1.3 Checking Abnormal Ports

Use the netstat network connection command to analyze suspicious ports, IP addresses, and PIDs:

netstat -antlp | more

To view the file path of the process with a given PID, run ls -l /proc/$pid/exe or file /proc/$pid/exe ($pid is the PID number in question).

1.4 Checking Abnormal Processes

Analyze the process with the ps command:

ps aux | grep pid 

1.5 Checking startup Items

Basic use:

Schematic diagram of the system run levels (figure)

View the current run level:

runlevel

Default run level:

vi /etc/inittab

id:3:initdefault:   the run level entered after the system starts

Boot configuration files:

/etc/rc.local
/etc/rc.d/rc[0~6].d

Example: to start our own script on boot, simply place the executable script in /etc/init.d and create a soft link to it in /etc/rc.d/rc*.d:

[root@localhost ~]# ln -s /etc/init.d/sshd /etc/rc.d/rc3.d/S100ssh

Here, sshd is the script file for the specific service and S100ssh is the soft link. A link name starting with S means the service is started automatically when the run level is loaded; a script whose link name starts with K is stopped when that run level is loaded.

Intrusion detection:

Startup files:

more /etc/rc.local
/etc/rc.d/rc[0~6].d
ls -l /etc/rc.d/rc3.d/

1.6 Checking Scheduled Tasks

Basic use:

1. Create scheduled tasks using crontab

  • Basic commands

crontab -l   list the cron entries of the current user

Tip: the default crontab file is saved as /var/spool/cron/username, for example /var/spool/cron/root

crontab -r   delete the current user's crontab (caution: this deletes all of the user's scheduled tasks)

crontab -e   edit the current crontab file with the editor

For example: */1 * * * * echo "hello world" >> /tmp/test.txt writes to the file every minute

2. Use anacron to schedule tasks asynchronously

  • Use case

Run the /home/backup.sh script every day:

vi /etc/anacrontab

@daily 10 example.daily /bin/bash /home/backup.sh

If the machine is powered off at the time backup.sh is expected to run, anacron runs it ten minutes after the machine starts, instead of waiting another seven days.

Intrusion detection:

Check whether malicious scripts exist in the following directories:

/var/spool/cron/* 
/etc/crontab
/etc/cron.d/*
/etc/cron.daily/* 
/etc/cron.hourly/* 
/etc/cron.monthly/*
/etc/cron.weekly/
/etc/anacrontab
/var/spool/anacron/*

Tip:

more /etc/cron.daily/*   view all files in the directory

1.7 Checking Services

Service startup

The first modification method:

chkconfig [--level runlevel] [service name] [on|off]
chkconfig --level 2345 httpd on   enable automatic startup at run levels 2, 3, 4 and 5
chkconfig httpd on                (the default levels are 2345)

The second modification method:

Add /etc/init.d/httpd start to /etc/rc.d/rc.local

The third modification method:

Use the ntsysv command to manage automatic startup; it can manage both independent services and xinetd services.

Intrusion detection:

1. Query the installed services:

Services installed from RPM packages:

chkconfig --list      view the service startup status; shows every service installed from an RPM package
ps aux | grep crond   view the current crond service

View the system startup items at run levels 3 and 5:

Chinese locale:  chkconfig --list | grep "3:启用\|5:启用"
English locale:  chkconfig --list | grep "3:on\|5:on"

Services installed from source packages:

Check where the service is installed, usually under /usr/local/; run service httpd start, or search /etc/rc.d/init.d/, to check whether the service exists.

1.8 Checking Abnormal Files

1. Look at files in sensitive directories such as /tmp, and watch for hidden folders: a folder whose name is ".." has the hidden attribute.

2. How to find a webshell and a remote-control trojan created within the same time range?

Use the find command, for example find /opt -iname "*" -atime 1 -type f finds the files under /opt that were accessed one day ago.

3. For suspicious files, use stat to view their creation and modification times.

1.9 Checking System Logs

The default directory for storing logs is /var/log/

Run more /etc/rsyslog.conf to check the log configuration.

Log analysis techniques:

1. Locate how many IP addresses are brute-forcing the root account of the host:

grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

Locate which IP addresses are brute-forcing:

grep "Failed password" /var/log/secure | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | uniq -c

Which user names are in the brute-force dictionary?

grep "Failed password" /var/log/secure | perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}' | uniq -c | sort -nr

2. Which IP addresses logged in successfully:

grep "Accepted" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

Date, user name and IP of successful logins:

grep "Accepted" /var/log/secure | awk '{print $1,$2,$3,$9,$11}'

3. Adding a user kali produces the log:

Jul 10 00:12:15 localhost useradd[2382]: new group: name=kali, GID=1001
Jul 10 00:12:15 localhost useradd[2382]: new user: name=kali, UID=1001, GID=1001, home=/home/kali, shell=/bin/bash
Jul 10 00:12:58 localhost passwd: pam_unix(passwd:chauthtok): password changed for kali

#grep "useradd" /var/log/secure

4. Deleting the user kali:

Jul 10 00:14:17 localhost userdel[2393]: removed group 'kali' owned by 'kali'
Jul 10 00:14:17 localhost userdel[2393]: removed shadow group 'kali' owned by 'kali'

#grep "userdel" /var/log/secure

5. su switching user:

Jul 10 00:38:13 localhost su: pam_unix(su-l:session): session opened for user good by root(uid=0)

sudo authorization record:

sudo    good : TTY=pts/4 ; PWD=/home/good ; USER=root ; COMMAND=/sbin/shutdown -r now
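The grep/awk pipelines above, reimplemented as an added Python example that is not part of the original article, run over constructed /var/log/secure lines. It goes slightly beyond the page's one-liners: the regex handles the "Failed password for invalid user NAME from IP" form, where two extra fields shift the IP out of awk's $11, which is why the page's first pipeline is limited to "Failed password for root".

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines (not captured from a real host)
SECURE_LOG = """\
Jul 10 00:10:01 localhost sshd[2201]: Failed password for root from 192.168.204.1 port 51234 ssh2
Jul 10 00:10:02 localhost sshd[2201]: Failed password for root from 192.168.204.1 port 51235 ssh2
Jul 10 00:10:03 localhost sshd[2203]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2
Jul 10 00:10:04 localhost sshd[2204]: Failed password for root from 10.0.0.5 port 40002 ssh2
Jul 10 00:10:05 localhost sshd[2204]: Failed password for root from 10.0.0.5 port 40003 ssh2
Jul 10 00:11:20 localhost sshd[2210]: Accepted password for root from 192.168.204.1 port 51240 ssh2
Jul 10 00:12:15 localhost useradd[2382]: new user: name=kali, UID=1001, GID=1001, home=/home/kali, shell=/bin/bash
Jul 10 00:14:17 localhost userdel[2393]: removed group 'kali' owned by 'kali'
"""

TS = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "invalid user" adds two fields, which is why awk '{print $11}' only works
# for known users such as root; the optional group below handles both forms.
FAILED_RE = re.compile(TS + r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from " + IP)
ACCEPTED_RE = re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (\S+) from " + IP)
ACCOUNT_RE = re.compile(TS + r"(useradd|userdel)\[\d+\]: (.*)$")

def failed_logins(log):
    """(user, ip) for every failed password attempt."""
    return [(m.group(2), m.group(3)) for m in map(FAILED_RE.match, log.splitlines()) if m]

def failed_by_ip(log):
    """Attempts per source IP, most active first (the page's sort | uniq -c | sort -nr)."""
    return Counter(ip for _, ip in failed_logins(log)).most_common()

def tried_usernames(log):
    """User names in the attacker's dictionary, with attempt counts."""
    return Counter(user for user, _ in failed_logins(log)).most_common()

def accepted_logins(log):
    """(timestamp, user, ip) of successful logins; check each against the expected admins."""
    return [m.groups() for m in map(ACCEPTED_RE.match, log.splitlines()) if m]

def account_changes(log):
    """(timestamp, tool, detail) for useradd/userdel events."""
    return [m.groups() for m in map(ACCOUNT_RE.match, log.splitlines()) if m]
```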