How to maintain a compromised server

Ways to deal with a hacked server
When a server is hacked, what should you do, and how do you maintain it afterwards? First, malicious network behaviour against a server falls into two categories. The first is malicious attack behaviour, such as denial-of-service attacks and network worms; these consume server resources, disrupt the server's normal operation, and can even paralyse the network the server sits on. The second is malicious intrusion, which leads to the leakage of sensitive information on the server and lets the intruder do whatever they want, including wantonly destroying the server. Securing a network server therefore means minimising the impact of both kinds of behaviour.

Based on the above, the countermeasures and checks we can perform as part of server maintenance are as follows.
1. The server has been compromised. The first thing to do is temporarily take the application system offline and change the system account passwords. Before changing them, check whether there is a Trojan on the server; otherwise the attacker may capture the new credentials, either by obtaining the password hashes (Get Hash: reading the hashed system passwords and cracking them to recover the plaintext) or by grabbing the plaintext directly.
2. Check the logs. A beginner-level attacker generally cannot clear every log, so look carefully at the IIS logs, the web application's own logging, the system logs and so on, to work out how your server was compromised.
3. Check whether there are extra accounts on the system. This can be done manually or with tools; I will only outline the idea here, and you need to carry it out yourself. For example, look under C:\Documents and Settings\: if someone creates a new account and logs in over 3389 (RDP), a folder named after that account is generated there, even for a hidden account whose name ends in $. The registry should also be checked carefully. If you are not sure how, use a tool; a quick search on Baidu will turn one up.
4. Check the ports opened by the system. Ignore the ports you recognise and investigate the unfamiliar ones, finding out which program is using each one before you act. Sometimes this turns up the ports used by Trojans or backdoors. Close every unnecessary port to avoid accidents.
5. Check the access permissions on each drive letter and key directory of the system. For example, an administrator once maintained a server for me where drive E: originally granted no permissions; he later changed it to Everyone and never checked it again. With a webshell on such a server an attacker gets very broad permissions, and with privilege-escalation tools even more so.
6. Check the web application carefully for script backdoors. The usual approach is to check file modification times (although these can be altered), review with tools, and review manually. The best method is to back up each system in advance; after an incident, package the current copy and compare it locally against the backup with Beyond Compare (other comparison tools also work). Make sure every attacker script is removed, and identify the most vulnerable web application. Once you know how the attacker got into your web application you can fix it accordingly. Pay particular attention to scripts that have been obfuscated or given unusual extensions.
The countermeasures above apply after the server has been attacked. To prevent your server from being hacked in the first place, it is best to deploy safe and reliable server security software as early protection. For example, the software I have been using, a security protection and operations management package, works quite well for keeping the server stable and blocking attacks. This is the best way to ensure server security.

1. Specific methods
1. Cut off the network
All attacks come over the network, so once you know the system is being attacked, the first step is to disconnect the server's network connection. This cuts off the source of the attack and also protects the other hosts on the same network as the server.
2. Find the attack source
Analyse the system log and login log files for suspicious entries. At the same time, check which ports the system has open, which processes are running, and which of those processes are suspicious. This needs to be traced step by step and judged on experience and the overall picture; the sections below describe the process in detail.
3. Analyse the cause and path of the intrusion
There are many possible reasons the system was compromised: a system vulnerability, an application vulnerability, and so on. You must establish which one it was, what was attacked, and where the attack came from, because only when the cause and method are known can the attack source be removed and the vulnerability repaired at the same time.
4. Back up user data
After the server is attacked, immediately back up the user data on it, and at the same time check whether the attack source is hiding inside that data. If it is, delete it completely, then copy the user data to a safe location.
5. Reinstall the system
Never assume you have completely removed the attack source; nobody understands the attack program better than the attacker. After a server is compromised, the safest and simplest approach is to reinstall the system, because most attack programs attach themselves to system files or the kernel, and only a reinstall removes them completely.
6. Repair the program or system vulnerability
Once a system or application vulnerability has been found, the first job is to patch the system or fix the program bug, because the application may only go back into production once the vulnerability is repaired.
7. Restore the data and reconnect the network
Copy the backed-up data onto the newly installed server, start the services, and finally open the server's network connection so it can serve users again.
2. How to check for and lock suspicious users
1. Log in to the system and look for suspicious users

Log in as root and run the "w" command to list every user currently logged in.
From this output you can check whether there are suspicious or unfamiliar logins, and inspect the processes those users are running to decide whether they are illegitimate.
2. Lock suspicious users
Once a suspicious user is found, lock it immediately. For example, if the "w" output above shows the nobody user logged in, that is suspicious (nobody has no login permission by default), so lock the user first:
[root@server ~]# passwd -l nobody
After nobody is locked the user may still be logged in, so the session must be kicked off. From the "w" output above you can find the PID of that user's login session:
[root@server ~]# ps -ef|grep @pts/3
531 6051 6049 0 19:23 ? 00:00:00 sshd: nobody@pts/3
[root@server ~]# kill -9 6051
This kicks the suspicious user nobody off the system, and if the user tries to log in again they will no longer be able to.
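The lock-and-kick procedure above, scripted as an added example (not from the original post). The ps sample is constructed; session_pids is tested against it, while lock_and_kick needs root and also expires the account, because passwd -l only disables the password and does not stop key-based SSH logins.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,ppid,user,args` output (not taken from a real host).
SAMPLE_PS='  PID  PPID USER     COMMAND
 6049     1 root     sshd: nobody [priv]
 6051  6049 nobody   sshd: nobody@pts/3
 6052  6051 nobody   -bash
 7001     1 root     sshd: admin [priv]
 7003  7001 admin    sshd: admin@pts/1'

# Read ps output on stdin and print the PID of every SSH session process owned by
# the named user (the "sshd: user@pts/N" process that owns the terminal). Killing it
# hangs up the pty, so the user's shell and its children go with it.
session_pids() {
    awk -v u="$1" '$3 == u && $4 == "sshd:" && index($5, u "@pts/") == 1 { print $1 }'
}

# Lock the account and kick its live sessions. Needs root, so the test does not call it.
# passwd -l only disables the password; setting the expiry date to day 0 makes sshd
# and PAM refuse the account for key-based logins as well.
lock_and_kick() {
    user="$1"
    passwd -l "$user"
    chage -E 0 "$user"
    ps -eo pid,ppid,user,args | session_pids "$user" | while read -r pid; do
        kill -9 "$pid"
    done
}
```

Also remove or rotate any ~/.ssh/authorized_keys the account has, since an expired account with a key on disk is one unexpire away from being usable again.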
3. View user login events with the last command
The last command shows the record of every user login to the system and can be used to find logins by unauthorised users. Its output comes from /var/log/wtmp. Intruders with a little experience delete /var/log/wtmp to hide their tracks, but the file often still reveals clues.
3. View the system log
Viewing the system log is the best way to find the source of an attack. The logs to check include /var/log/messages and /var/log/secure; these two files record the running state of software and the logins of remote users. You can also view the .bash_history file in each user's home directory, especially /root/.bash_history, which records every command the user has run.
4. Check and close suspicious system processes
There are many commands for checking suspicious processes, such as ps and top, but sometimes you only know the process name and not its path. In that case use the following commands.
First find the running process with the pidof command. For example, to find the PIDs of the sshd processes:
[root@server ~]# pidof sshd
13276 12942 4284
Then go into the /proc directory for the corresponding PID and look at the exe entry:
[root@server ~]# ls -al /proc/13276/exe
lrwxrwxrwx 1 root root 0 Oct 4 22:09 /proc/13276/exe -> /usr/sbin/sshd
This gives the full path of the executable behind the process. To see the file handles the process holds open, list the following directory:
[root@server ~]# ls -al /proc/13276/fd
In this way you can recover the complete execution information for almost any process, and there are many similar commands to help operations staff find suspicious processes. For example, you can find the PID bound to a port for a given protocol (tcp or udp), and then look up the related process:
[root@server ~]# fuser -n tcp 111
111/tcp: 1579
[root@server ~]# fuser -n tcp 25
25/tcp: 2037
[root@server ~]# ps -ef|grep 2037
root 2037 1 0 Sep23 ? 00:00:05 /usr/libexec/postfix/master
postfix 2046 2037 0 Sep23 ? 00:00:01 qmgr -l -t fifo -u
postfix 9612 2037 0 20:34 ? 00:00:00 pickup -l -t fifo -u
root 14927 12944 0 21:11 pts/1 00:00:00 grep 2037
In some cases the attacker's program is deeply hidden, as with a rootkit backdoor. Commands such as ps, top and netstat may themselves have been replaced, so using the system's own commands to look for suspicious processes is no longer trustworthy. You then need third-party tools to check for suspicious programs, such as chkrootkit and RKHunter introduced earlier; these tools readily detect binaries that have been replaced or tampered with.
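Walking /proc/PID/exe as described above can be automated into a first-pass check for binaries that were deleted or overwritten while still running, or that execute from a world-writable directory. This is an added example, not code from the original post; the /proc look-alike it builds is constructed so the check can be run anywhere.

```shell
#!/bin/sh
# Walk every <procroot>/<pid>/exe link and report processes whose binary is suspect:
# the file was deleted or replaced after the process started (the link target ends
# in "(deleted)"), or it runs out of a world-writable location. The proc root is a
# parameter so the function can be exercised against a constructed tree.
audit_proc_exes() {
    procroot="${1:-/proc}"
    for dir in "$procroot"/[0-9]*; do
        [ -L "$dir/exe" ] || continue                 # no exe entry: skip
        pid="${dir##*/}"
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue   # kernel threads have no target
        case "$exe" in
            *"(deleted)")                 echo "$pid deleted-binary $exe" ;;
            /tmp/*|/var/tmp/*|/dev/shm/*) echo "$pid writable-dir $exe" ;;
        esac
    done
    return 0
}

# Build a constructed /proc look-alike for demonstration; PIDs, paths and link
# targets are made up, not captured from a real host. Prints the root directory.
make_sample_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/1" "$root/2" "$root/3" "$root/4"
    ln -s /usr/sbin/sshd "$root/1/exe"               # normal daemon, not reported
    ln -s "/usr/bin/perl (deleted)" "$root/2/exe"   # binary replaced on disk while running
    ln -s /dev/shm/.cache/httpd "$root/3/exe"       # runs from a world-writable tmpfs
    # directory 4 has no exe link at all, like a kernel thread: skipped
    echo "$root"
}

# Real use on a live host: audit_proc_exes /proc
```

A hit on a deleted binary is also what a legitimate package upgrade leaves behind, so compare the flagged PID's start time against the package log before treating it as hostile.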
5. Check the integrity of the file system
Checking whether file attributes have changed is the simplest and most direct way to verify file system integrity. For example, you can compare the size of /bin/ls on the compromised server with its size on a normal system to see whether the file was replaced, but this is a crude method. The rpm tool on Linux can do the verification properly:
[root@server ~]# rpm -Va
....L...  c /etc/pam.d/system-auth
S.5.....  c /etc/security/limits.conf
S.5....T  c /etc/sysctl.conf
S.5....T    /etc/sgml/docbook-simple.cat
S.5....T  c /etc/login.defs
S.5.....  c /etc/openldap/ldap.conf
S.5....T  c /etc/sudoers
..5....T  c /usr/lib64/security/classpath.security
....L...  c /etc/pam.d/system-auth
S.5.....  c /etc/security/limits.conf
S.5.....  c /etc/ldap.conf
S.5....T  c /etc/ssh/sshd_config
The meaning of each flag in the output is as follows:
S means the file size has changed
M means the file mode (permissions or file type) has changed
5 means the MD5 checksum has changed
D means the device node's major/minor numbers have changed
L means the symbolic link target has changed
U means the owner of the file/directory/device node has changed
G means the group of the file/directory/device node has changed
T means the file's last modification time has changed.
If an "M" flag appears in the output, the corresponding file may have been tampered with or replaced; in that case you can uninstall and reinstall the rpm package to remove the affected file.
This command does have a limitation: it can only check files installed from rpm packages and can do nothing for files installed by other means. And if the rpm tool itself has been replaced, this method is useless; in that case copy an rpm binary from a known-good system to perform the check.
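Output like the listing above is easier to triage with a small filter. The example below is added here (not from the original post): it parses constructed rpm -Va lines and prints only files that are not marked as config (c) or doc (d) and whose checksum, size or mode changed, or that are missing, since those are the hits most likely to be a replaced binary rather than a legitimate local edit.

```shell
#!/bin/sh
# Constructed sample of `rpm -Va` output (not from a real host). Each line is an
# attribute string, an optional type marker (c = config, d = doc), and the path.
SAMPLE_RPM_VA='S.5....T  c /etc/login.defs
....L...  c /etc/pam.d/system-auth
S.5....T    /usr/bin/ps
.M......    /usr/bin/sudo
missing     /usr/sbin/lsof
..5....T  d /usr/share/doc/bash/README'

# Read rpm -Va output on stdin and print "path reason" for the entries to look at
# first: missing files, and non-config, non-doc files whose checksum (5), size (S)
# or mode (M) changed. Config files change legitimately, so they are skipped here.
rpm_va_priority() {
    awk '
        $1 == "missing" { print $NF " missing"; next }
        {
            attrs = $1; path = $NF
            type = (NF == 3) ? $2 : ""
            if (type == "c" || type == "d") next
            reason = ""
            if (attrs ~ /5/) reason = reason "checksum,"
            if (attrs ~ /S/) reason = reason "size,"
            if (attrs ~ /M/) reason = reason "mode,"
            if (reason != "") print path " " substr(reason, 1, length(reason) - 1)
        }'
}

# Real use on a live host: rpm -Va | rpm_va_priority
```

An attacker with root can also edit the rpm database, so confirm a hit by verifying against the original package file (rpm -Vp on a package fetched from trusted media) or against a known-good host.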

Contact QQ: 1690808983 (Guangzhou operations and maintenance friends)
