Symptoms of a hacked Linux server, a hacker has logged into the machine: what do you do?

Symptoms of a compromised Linux server, and what to do?
A compromised server consumes very high resources, especially CPU: the attacker uses the machine to mine cryptocurrency, send spam, and burn bandwidth launching DoS attacks.
Performance: the server slows down. If a web application service is running, the website opens slowly.

ps aux    view process information statically
top       dynamically display the machine's load
load average x,x,x    the CPU's 1-, 5- and 15-minute average load

A hacker has logged into the machine, what do you do?
w     check who is logged on to the server right now
last  check who logged on to the server before
Review the command history to see what the bad guys did (history):
vim ~/.bash_history
ls -a (show hidden files)
If the history has been deleted, you are dealing with an expert; check the machine carefully.
Check which processes are consuming CPU (find the high ones): ps aux --sort
Check the network connections, and don't alert the intruder at this stage; then kick the bad guy off.
Immediately carry out security hardening, such as changing the SSH port and prohibiting root remote login. pkill -u, kill -9
Prohibiting root remote login: first add an ordinary user and give it privilege escalation.
ps aux --sort -%mem | head -6 | grep -v USER    view the 5 processes with the highest memory usage, without the header line
top               dynamic view
ps aux | less     static view
ps -ef | less

free -m    view memory usage

ps aux, ps -ef    view process information statically
top               dynamically display the machine's load status

load average x,x,x    1-, 5- and 15-minute average CPU load
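The three load average figures only mean something relative to the number of CPU cores: a load of 4 is idle on a 16-core box and saturated on a single core. The helper below is an added example, not part of the original notes; it divides the figures by the core count and flags the pattern a freshly started miner produces (1-minute load far above the 15-minute load). The sample load line and core count are constructed; on a real machine they come from /proc/loadavg and nproc.

```shell
#!/bin/sh
# Added example (not part of the original notes): interpret the 1/5/15 minute
# load averages relative to the number of CPU cores. A mining process that
# started recently shows up as a 1-minute load well above the 15-minute one.

# load_per_core "<1m> <5m> <15m>" <cores>
# Prints the three load values divided by the core count, two decimals each.
load_per_core() {
    echo "$1" | awk -v cores="$2" \
        '{ printf "%.2f %.2f %.2f\n", $1 / cores, $2 / cores, $3 / cores }'
}

# load_state "<1m> <5m> <15m>" <cores>
# Prints "ok" when the 1-minute per-core load is at most 1.0,
# "overloaded-rising" when it is above 1.0 and still climbing (1m > 15m),
# and "overloaded" when it is above 1.0 but the 15-minute load is higher.
load_state() {
    echo "$1" | awk -v cores="$2" '{
        one = $1 / cores; fifteen = $3 / cores
        if (one > 1.0 && one > fifteen) print "overloaded-rising"
        else if (one > 1.0)            print "overloaded"
        else                           print "ok"
    }'
}

# Constructed sample: what "top" might show on a 4-core box while a miner runs.
SAMPLE_LOADAVG="8.00 3.00 1.00"
SAMPLE_CORES=4

# Live use on a real machine (the first three fields of /proc/loadavg):
#   load_state "$(cut -d' ' -f1-3 /proc/loadavg)" "$(nproc)"
if [ "${1:-}" = "demo" ]; then
    load_per_core "$SAMPLE_LOADAVG" "$SAMPLE_CORES"   # 2.00 0.75 0.25
    load_state "$SAMPLE_LOADAVG" "$SAMPLE_CORES"      # overloaded-rising
fi
```

Run it as `sh load.sh demo` to see the sample verdict; the "rising" case is the one worth acting on immediately, because it means whatever is eating the CPU started within the last few minutes.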

free -m

sed -ri 's/^#baseurl/baseurl/g' /etc/yum.repos.d/CentOS-Base.repo

sed -ri 's/^mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-Base.repo
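Before running an in-place sed against the real repo file it is worth rehearsing it on a copy and checking the result, because a wrong pattern silently leaves yum with no usable mirror. The script below is an added example, not from the original notes: it applies the same two substitutions to a constructed fragment of CentOS-Base.repo and verifies that baseurl is now active and mirrorlist is not. The repo text is a constructed fragment, not the full CentOS file.

```shell
#!/bin/sh
# Added example (not part of the original notes): run the two sed edits from
# the notes against a constructed copy of CentOS-Base.repo first, check the
# result, and only then apply them to the real file.

# make_sample_repo <path>   writes a constructed fragment to <path>
make_sample_repo() {
    cat > "$1" <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
EOF
}

# switch_to_baseurl <repo-file>
# The same two substitutions as the notes: uncomment baseurl, comment out
# mirrorlist. The patterns are anchored with ^ so only the key at the start
# of a line changes, and -i.bak keeps an untouched copy for rollback.
switch_to_baseurl() {
    sed -i.bak -e 's/^#baseurl/baseurl/g' -e 's/^mirrorlist/#mirrorlist/g' "$1"
}

# repo_is_switched <repo-file>
# Succeeds only when baseurl is active and no mirrorlist line is still active.
repo_is_switched() {
    grep -q '^baseurl=' "$1" && ! grep -q '^mirrorlist=' "$1"
}

# Rehearse on a temp copy, then do the real file and install lsof:
#   tmp=$(mktemp); make_sample_repo "$tmp"; switch_to_baseurl "$tmp"
#   repo_is_switched "$tmp" && echo "edit looks right"
#   switch_to_baseurl /etc/yum.repos.d/CentOS-Base.repo
#   yum clean all && yum -y install lsof
```

The `.bak` file is the rollback: if `yum` stops resolving packages after the edit, `mv CentOS-Base.repo.bak CentOS-Base.repo` restores the original.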

yum -y install httpd       install the httpd service

systemctl restart httpd    start it

ps aux | grep httpd        view the httpd processes
ps aux | less              page through the process list
(space: next page, q: quit)
yum -y install lsof
lsof -i:22    view which command holds port 22
lsof -i:80    view the httpd command on port 80

kill -9 PID
pkill -u zhangsan
pkill httpd

ps aux --sort -%cpu | less    view the processes sorted by CPU usage, highest first

ps aux --sort -%cpu | head -6 | grep -v USER
view processes sorted by CPU, keep the first 6 lines, and filter out the header line with grep -v (inverted match)

yum -y install psmisc-22.20-16.el7.x86_64
killall httpd    kill all httpd processes
To view the history and who has logged in to the server:
~/.bash_history
w
last

Inspection
1 Is the application service normal? Look at the processes and ports: ps aux, lsof -i:22
2 The machine's CPU and memory usage: ps aux --sort, free -m
3 The machine's disk space usage: df -h

1 Give the commands to view the machine's processes and ports
ps aux | less
top
ps -ef
lsof -i:<port number>
2 Write down the Linux commands you know so far
pwd
ls
cat, head, tail, more
cd
ll, ll -d
chattr +/- a,i  file or directory name
lsattr
chown username filename
chgrp
chmod
useradd
groupadd
usermod
lsof -i:22
top
ps aux
userdel
groupdel
3 What should you do if a bad guy gets onto your machine?
w     check who is logged in on the server
last  check who has logged in to the server before
Review the command history to see what the bad guys have executed:
vim ~/.bash_history
ls -a (show hidden files)
If the history has been deleted, you are dealing with an expert; check the machine carefully.
Check which processes are consuming CPU (find the high ones): ps aux --sort
Check the network connections.
Don't alert the intruder at this stage; then kick the bad guys off.
Immediately carry out security hardening (such as changing the SSH port and prohibiting root remote login:
pkill -u
kill -9
prohibiting root remote login: add a normal user and give it privilege escalation)
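The hardening step named here and in the earlier checklist (change the SSH port, prohibit root remote login) is where people lock themselves out, so the order matters: create the ordinary user first, edit the config, check it, open the new port, and only then restart sshd while the current session stays open. The script below is an added example, not part of the original notes; it applies the two settings to a copy of sshd_config and reads the effective values back. The config fragment is constructed; the real file is /etc/ssh/sshd_config, and the user name and port in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original notes): change the SSH port and
# prohibit root login in a copy of sshd_config, then verify the effective
# values before the service is restarted.

# make_sample_sshd_config <path>   writes a constructed fragment to <path>
make_sample_sshd_config() {
    cat > "$1" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
UsePAM yes
EOF
}

# harden_sshd <config-file> <new-port>
# Deletes every existing Port / PermitRootLogin line, commented or not, then
# appends one explicit setting for each so there is exactly one source of
# truth. -i.bak keeps the original for rollback.
harden_sshd() {
    sed -E -i.bak -e '/^#?Port[[:space:]]/d' \
                  -e '/^#?PermitRootLogin[[:space:]]/d' "$1"
    printf 'Port %s\nPermitRootLogin no\n' "$2" >> "$1"
}

# sshd_setting <config-file> <key>
# Prints the value of the first active (uncommented) line for <key>; sshd
# itself honours the first occurrence of a keyword, so the helper does too.
sshd_setting() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Order of operations on a real CentOS host (opsadmin and 2222 are placeholders):
#   useradd opsadmin && passwd opsadmin && usermod -aG wheel opsadmin   # sudo via wheel
#   harden_sshd /etc/ssh/sshd_config 2222
#   sshd -t                                        # syntax check before restart
#   firewall-cmd --permanent --add-port=2222/tcp && firewall-cmd --reload
#   semanage port -a -t ssh_port_t -p tcp 2222     # SELinux, if enforcing
#   systemctl restart sshd                         # keep this session open, test a new login first
```

Deleting the old lines rather than editing them in place avoids the classic mistake of uncommenting `#PermitRootLogin prohibit-password` and leaving a second `PermitRootLogin yes` further down, which sshd would ignore or honour depending on order.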

4 Sort the machine's processes by memory usage, from largest to smallest
ps aux --sort -%mem | less
5 Kill a single process
kill -9 PID
6 What should you do if the lsof command is not installed and lsof is unavailable?
sed -ri 's/^#baseurl/baseurl/g' /etc/yum.repos.d/CentOS-Base.repo
sed -ri 's/^mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-Base.repo
install the lsof command:
yum -y install lsof
7 Your virtual machine cannot be connected to, what do you do?
Check the IP, check the processes, check the service status
8 What is the difference between inverted grep and ignoring case?
grep -v keyword    inverted match: print the lines that do not contain the keyword
grep -i "Mm"       ignore case: matches mm, MM, Mm and mM
9 Set the httpd service to start automatically at boot.
systemctl enable httpd
10 Learn about server models and basic configuration parameters (Dell) by looking them up on Jingdong (JD.com)
Dell R740 2U rack server (R730 upgrade version) | single Bronze 3204, 6 cores, 1.9G | 495W 1 | mainstream 16G memory | 1.2T 10K 2 | H330
11 Kick out the user zhangsan.
pkill -u zhangsan
12 View ports 22 and 8080 on this machine
lsof -i:22
lsof -i:8080
13 What is the configuration of the public cloud server? How is it paid for? What is the network bandwidth?
A: 1-core CPU, 4G memory, 1M bandwidth, CentOS 7.6.
Annual subscription and monthly subscription.
14 Which public clouds have you used?
Tencent Cloud, Alibaba Cloud, Baidu Cloud, Huawei Cloud
15 Find the 2 processes using the most CPU on the machine and write them to /tmp/load.txt; 10 minutes later, find the 2 processes using the most memory and append them to the same load.txt file.
ps aux --sort -%cpu | head -3 | grep -v USER > /tmp/load.txt
ps aux --sort -%mem | head -3 | grep -v USER >> /tmp/load.txt
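The `head -N | grep -v USER` idiom used for question 15 and for the "top 5 by CPU/memory" commands earlier has two traps: `head` counts the header line, so `head -2 | grep -v USER` leaves one process rather than two, and `grep -v USER` also throws away any process whose command line happens to contain the text USER. The helpers below are an added example, not part of the original notes: they drop the header by position instead of by content. The ps output they are tested against is a constructed sample with made-up process names.

```shell
#!/bin/sh
# Added example (not part of the original notes): take the top N rows from
# "ps aux --sort" output without the header off-by-one and without grepping
# on the header's text.

# Constructed sample of "ps aux --sort -%cpu" output (process names made up).
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
nobody    2143 97.3  1.2 812344 48812 ?        Ssl  03:12 412:33 ./unknown-miner
root      1088  3.1  0.4  23456 17212 ?        Ss   Mar01   1:02 /usr/sbin/httpd
root         1  0.0  0.1 125612  6220 ?        Ss   Mar01   0:09 /usr/lib/systemd/systemd'

# top_procs N   reads ps output on stdin, prints the first N data rows
# (header dropped by position with tail, not by content with grep)
top_procs() {
    head -n "$(( $1 + 1 ))" | tail -n +2
}

# top_procs_with_header N   same, but keeps the header so a report file
# stays readable when several snapshots are appended to it
top_procs_with_header() {
    head -n "$(( $1 + 1 ))"
}

# top_commands N   prints only the COMMAND column (11th field) of the top N rows
top_commands() {
    top_procs "$1" | awk '{ print $11 }'
}

# count_rows   counts lines on stdin, stripping the padding some wc builds add
count_rows() {
    wc -l | tr -d ' '
}

# Live use for question 15 (CPU snapshot now, memory snapshot 10 minutes later):
#   ps aux --sort -%cpu | top_procs_with_header 2 >  /tmp/load.txt
#   sleep 600
#   ps aux --sort -%mem | top_procs_with_header 2 >> /tmp/load.txt
if [ "${1:-}" = "demo" ]; then
    echo "notes' form (head -2 | grep -v USER) keeps this many processes:"
    printf '%s\n' "$SAMPLE_PS" | head -2 | grep -v USER | count_rows   # 1
    echo "top_procs 2 keeps this many:"
    printf '%s\n' "$SAMPLE_PS" | top_procs 2 | count_rows              # 2
    echo "busiest command:"
    printf '%s\n' "$SAMPLE_PS" | top_commands 1                        # ./unknown-miner
fi
```

Run `sh topn.sh demo` to see the difference on the sample. Capturing the COMMAND column of the top entry is also the fastest way to answer the incident question above (which process is burning the CPU) before deciding whether to `kill -9` it.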

Source: blog.csdn.net/qq_43812373/article/details/109263045