Hacked? It doesn't matter, I'll just unplug the network cable...

About the author: CSDN Top 100, Alibaba Cloud blog expert, Huawei Cloud sharing expert, and high-quality creator in the field of network security

Recently, some readers have been asking me: if I have been attacked by hackers, do I have to unplug the network cable? Is there any other way?

If conditions permit, the network cable should indeed be unplugged first to prevent lateral movement.

But in many cases that is simply not possible, for example on a cloud server, where there is no cable you can touch.

In fact, unplugging the cable is not the only way to deal with an attack. A hacker is also a human being: as long as he attacks, he will leave traces behind.

Next, we will work through seven directions of analysis, explain the reasoning behind each, reconstruct the attacker's path, and take countermeasures.

1. Account Analysis

The /etc/passwd file stores user information.
A shell of /bin/bash means the account can log in; /sbin/nologin means the account cannot log in.


The /etc/group file stores user group information.


1. Check suspicious accounts

Focus on users whose UID is greater than 1000 (newly created users get a UID greater than 1000, while all system users are below 500).
awk -F: '($2=="")' /etc/shadow    # find accounts with an empty password
awk -F: '($3==0)' /etc/passwd  or  grep "0:0" /etc/passwd    # find superuser accounts with UID 0; make sure root is the only one
grep "/bin/bash" /etc/passwd    # find accounts that can log in
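The three checks above, wrapped as functions so they can be run against copies of /etc/passwd and /etc/shadow. This is an added example, not code from the original post; the two sample files are constructed and contain a rogue second UID-0 account and a passwordless user.

```shell
# Added example (not from the original post): the three account checks,
# wrapped so they can be run against copies of /etc/passwd and /etc/shadow
# (here a constructed pair) and, with real paths, against a live host.

# Accounts with UID 0: anything other than root is a finding
uid0_accounts() { awk -F: '($3==0){print $1}' "$1"; }

# Accounts whose password hash field is empty (login without a password)
empty_password_accounts() { awk -F: '($2==""){print $1}' "$1"; }

# Accounts with UID >= 1000 (added after install) that have a login shell
new_login_accounts() {
  awk -F: '($3>=1000 && $7 ~ /\/bin\/(ba)?sh$/){print $1 " uid=" $3 " shell=" $7}' "$1"
}

# Constructed sample files: a rogue second UID-0 user "toor" and a
# passwordless user001 (hashes are placeholders, not real ones)
tmpdir=$(mktemp -d)
cat > "$tmpdir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
user001:x:1000:1000::/home/user001:/bin/bash
svc:x:1001:1001::/var/lib/svc:/sbin/nologin
toor:x:0:0::/tmp:/bin/bash
EOF
cat > "$tmpdir/shadow" <<'EOF'
root:$6$saltsalt$hashhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
user001::19000:0:99999:7:::
svc:!!:19000:0:99999:7:::
toor:$6$saltsalt$hashhash:19000:0:99999:7:::
EOF

echo "== UID 0 accounts (only root expected) ==";      uid0_accounts "$tmpdir/passwd"
echo "== accounts with empty password ==";            empty_password_accounts "$tmpdir/shadow"
echo "== login-capable accounts with UID >= 1000 =="; new_login_accounts "$tmpdir/passwd"
```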

2. Login status

who -b    # last boot time


w    # view logged-in users (login time, source IP, and the program each is running)


lastb    # view failed login attempts


lastlog    # view the last login of every user


last    # view recent logins (including system boots and shutdowns)


3. Historical commands

history    # view the command history (cleared with history -c)
/root/.bash_history    # saved command history of the root user
/home/user001/.bash_history    # saved command history of an ordinary user (user001 here)

history -c only clears the in-memory history; the entries in the .bash_history file remain until that file itself is deleted.

Focus on suspicious history entries such as wget (remote download), ssh (connecting into the intranet), and tar or zip (packaging data).

If the SSH service has been rebuilt with a backdoor (a built-in account that does not show up in the system), check the modification time of the binaries or run ssh -V to check the version.



2. Log Analysis

Linux system logs are stored by default under /var/log/:

  • /var/log/cron  scheduled task (cron) log.
  • /var/log/dmesg  kernel boot and hardware (POST) log (view with the dmesg command).
  • /var/log/maillog  mail log.
  • /var/log/messages  general system log (when something is wrong with the system, look here first).
  • /var/log/secure  authentication log: login attempts from services such as sshd, with the accounts used.

grep "Accepted" /var/log/secure    # filter the log for successful logins


grep "Failed" /var/log/secure    # filter the log for failed logins

/var/log/apache2/access.log    # Apache access log
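The two grep filters above, plus the correlation a responder actually wants from /var/log/secure: which source IPs failed repeatedly and then succeeded. This is an added example, not code from the original post; the log lines are constructed (the IP is the one used in the post's netstat example).

```shell
# Added example (not from the original post): parses sshd lines from a copy of
# /var/log/secure. Sample lines below are constructed; pass the real file
# on the host under review.

# Count failed password attempts per source IP, most active first
failed_by_ip() {
  awk '/sshd.*Failed password/ {
         for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++
       }
       END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# List successful logins as "user ip method"
accepted_logins() {
  awk '/sshd.*Accepted/ { print $9, $11, $7 }' "$1"
}

# IPs that logged in successfully after earlier failures (brute force that worked)
success_after_failures() {
  awk 'function src(  i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i+1) }
       /sshd.*Failed password/ { f[src()] = 1 }
       /sshd.*Accepted/ { ip = src(); if ((ip in f) && !(ip in seen)) { seen[ip] = 1; print ip } }' "$1"
}

# Constructed sample log (not from a real host)
logfile=$(mktemp)
cat > "$logfile" <<'EOF'
Apr 10 10:12:01 web01 sshd[1234]: Failed password for root from 192.168.31.28 port 51234 ssh2
Apr 10 10:12:03 web01 sshd[1236]: Failed password for invalid user admin from 192.168.31.28 port 51235 ssh2
Apr 10 10:12:05 web01 sshd[1238]: Failed password for root from 192.168.31.28 port 51236 ssh2
Apr 10 10:15:22 web01 sshd[1300]: Accepted password for user001 from 10.0.0.5 port 40022 ssh2
Apr 10 10:17:09 web01 sshd[1310]: Failed password for user001 from 10.0.0.5 port 40023 ssh2
Apr 10 10:20:40 web01 sshd[1350]: Accepted password for root from 192.168.31.28 port 51300 ssh2
EOF

echo "== failed attempts per IP ==";  failed_by_ip "$logfile"
echo "== successful logins ==";       accepted_logins "$logfile"
echo "== success after failures =="; success_after_failures "$logfile"
```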


3. Process Analysis

Pay special attention to processes that come back after being killed, and follow the startup-item steps below to work out how they restart.

1. Check the process

ps -ef    # view all processes


ps aux    # view all processes together with their CPU and memory usage


top    # look for processes with unusually high CPU usage (over 80%); these may be miners, or just business peak load


kill -9 PID    # end a process by PID

2. View the process execution file

lsof -p 1546    # list the files opened by the process with PID 1546; the third line is the executable of the process


ls -l /proc/1546/exe    # show the executable behind the process with PID 1546 (ll is the usual alias for ls -l)


lsof -i:22    # view the process bound to port 22
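The /proc/PID/exe check above, automated across all processes so that the two cases worth opening first stand out: a binary that has been deleted from disk while still running, and a process started from a temporary, world-writable directory. This is an added example, not code from the original post; it assumes Linux with /proc mounted, and processes owned by other users may not be readable without root.

```shell
# Added example (not from the original post): automates the /proc checks from
# section 3 across all processes. Linux only; assumes /proc is mounted.

# Print "PID exe cwd" for one process; readlink keeps the "(deleted)" suffix
proc_origin() {
  pid=$1
  exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe="?"
  cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null) || cwd="?"
  printf '%s %s %s\n' "$pid" "$exe" "$cwd"
}

# Returns 0 (true) when an executable path is worth a closer look:
# deleted from disk, or running out of a temporary directory
is_suspicious_path() {
  case "$1" in
    *"(deleted)"*|/tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Walk every readable PID and report the suspicious ones (the same idea as
# looking at ll /proc/PID/exe by hand, as in the post, but for all PIDs)
suspicious_processes() {
  for d in /proc/[0-9]*; do
    exe=$(readlink "$d/exe" 2>/dev/null) || continue   # kernel thread or no permission
    if is_suspicious_path "$exe"; then proc_origin "${d#/proc/}"; fi
  done
}

echo "== this shell ==";            proc_origin $$
echo "== suspicious processes =="; suspicious_processes
```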



4. Network connection

Check for suspicious network connections. Submit suspicious IPs, domain names and files to a threat intelligence platform for analysis.

1. View the network connection status

netstat -anopt    # show network connections; LISTEN means listening (waiting for connections), ESTABLISHED means an open connection


If the malicious IP is already known, filter for the connections talking to it: netstat -anopt | grep 192.168.31.28

If only the malicious domain name is known, add an entry to /etc/hosts that resolves that domain to some other IP of your choice, then filter for connections to that IP.


2. Threat intelligence analysis

Threat intelligence platforms report the reputation of domain names, IPs and files; anything showing traces of attack activity should be blocked immediately.

Qi Anxin Threat Intelligence: https://ti.qianxin.com/
Weibu Online: https://x.threatbook.com/
VirusTotal: https://www.virustotal.com/gui/home/upload
Anheng Threat Intelligence: https://ti.dbappsecurity.com.cn/
Sangfor Threat Intelligence: https://ti.sangfor.com.cn/analysis-platform
VenusEye Threat Intelligence: https://www.venuseye.com.cn/
360 Threat Intelligence: https://ti.360.net/#/homepage


5. Startup items

To avoid losing control of a compromised machine, many malicious programs add themselves to the startup items.

1. Boot file

Check for abnormal auto-start files, and check whether the content of existing ones has been tampered with or had malicious commands inserted.

1) /etc/rc.local

The last line is the command or script executed at boot.


/etc/rc.local is a soft link to /etc/rc.d/rc.local, so the two paths refer to the same file.



2) /etc/init.d/

This directory holds the startup scripts of the system services, which are executed after the system has finished booting.


/etc/init.d/ is a soft link to /etc/rc.d/init.d/, so the two paths refer to the same directory.


Ubuntu does not have the /etc/rc.d/init.d directory. To keep the same service layout on CentOS and Ubuntu, all service scripts are placed in the /etc/init.d directory.


3) /etc/rc*.d

Check the other startup directories for service startup scripts that have been tampered with.


2. Boot command

systemctl list-unit-files    # view the status of all services
systemctl list-unit-files | grep firewalld    # view the status of a specific service
systemctl stop firewalld.service    # stop a service
systemctl disable firewalld.service    # disable auto-start at boot

Check the startup status of each service: enabled means it starts automatically at boot; disabled means it does not.


Check whether a given service starts automatically at boot, and disable auto-start if it should not.


3. Environment variable configuration file

These files configure environment variables and start programs; they are executed when a user logs in or switches to another user.

  • /etc/bashrc
  • /etc/profile
  • ~/.bashrc
  • ~/.bash_profile

6. Scheduled tasks

crontab -l    # view the scheduled tasks of the current user
crontab -l -u root    # view the scheduled tasks of a specified user

/etc/crontab    # system-wide scheduled tasks
/etc/anacrontab    # asynchronous (anacron) scheduled tasks
/var/spool/cron/    # directory holding the crontab of each user


/etc/cron.d/    # directory of additional scheduled task files


/etc/cron.hourly/    # tasks executed every hour
/etc/cron.daily/    # tasks executed every day
/etc/cron.weekly/    # tasks executed every week
/etc/cron.monthly/    # tasks executed every month


7. Sensitive directory files

Webshells usually contain malicious functions, such as:

  • PHP: eval(), system(), assert()
  • JSP: getRuntime(), FileOutputStream()
  • ASP: eval(), execute(), ExecuteGlobal()

Look for suspicious files and check whether they contain such functions to determine whether they are webshells.

1. Recently modified files

find /root/ -ctime -2    # find files under /root/ created (status changed) within the last two days
find /root/ -mtime -2    # find files under /root/ modified within the last two days


stat text.txt    # show detailed file information, focusing on the access / modify / change times


ls -alt    # list files sorted by modification time
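The two checks from this section combined: the search for the listed functions narrowed to recently modified files, which is what separates a freshly dropped webshell from legitimate code that happens to call the same functions. This is an added example, not code from the original post; the web root and its files are constructed, with one old JSP that legitimately calls getRuntime() and one new PHP file in the upload directory.

```shell
# Added example (not from the original post): function search + recency
# from section 7. The web root below is constructed for the demonstration.
pattern='eval\(|system\(|assert\(|getRuntime\(|FileOutputStream\(|execute\(|ExecuteGlobal\('

# Every file under $1 that contains one of the functions (coarse first pass:
# legitimate code also calls these, so this is a list to review, not a verdict)
webshell_candidates() { grep -rliE "$pattern" "$1" | sort; }

# Files under $1 modified within the last $2 days (find -mtime, as in the post)
recent_files() { find "$1" -type f -mtime -"$2" | sort; }

# Recent files that also contain one of the functions: open these first
likely_webshells() { find "$1" -type f -mtime -"$2" -exec grep -liE "$pattern" {} + | sort; }

# Constructed web root: an old index page, an old legitimate JSP that calls
# getRuntime(), and a freshly dropped PHP file in the upload directory
www=$(mktemp -d)
mkdir -p "$www/admin" "$www/upload"
printf '<?php echo "hello"; ?>\n' > "$www/index.php"
printf '<%% Runtime.getRuntime().availableProcessors(); %%>\n' > "$www/admin/stats.jsp"
printf '<?php @eval($_POST["x"]); ?>\n' > "$www/upload/avatar.php"
touch -t 202001010000 "$www/index.php" "$www/admin/stats.jsp"   # make these look old

echo "== files containing listed functions =="; webshell_candidates "$www"
echo "== files modified in the last 2 days =="; recent_files "$www" 2
echo "== likely webshells ==";                  likely_webshells "$www" 2
```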

2. Sensitive directory

/tmp/    temporary directory; ordinary users can read and write files here, so it is often used in privilege escalation
/usr/bin/
/usr/sbin/
/etc/ssh/

Summary:

The emergency response approach can be roughly divided into three parts:

  1. Find the webshell.
  2. Identify the attacking IP.
  3. Retrace the attacker's operations and reconstruct the attack process.


Source: blog.csdn.net/wangyuxiang946/article/details/130183308