I. Signs of a possible Linux intrusion
1. Unexplained outbound bandwidth usage
2. An abnormal process or an unexpected listening port
3. CPU or memory alarms
4. The server cannot be reached or connected to normally
5. Unusual or abnormal account logins
6. The site has been implanted with a Trojan or webshell
II. Investigation approach
First gather the basic facts, to form a preliminary picture of how the attacker got in:
1. Does the server expose any business services externally?
2. What applications are deployed on the server?
3. How were the passwords of the deployed applications composed (strength, reuse)?
Preliminary investigation: use different methods and commands depending on the symptoms observed.
1. Check whether system commands have been tampered with. If they have, do not trust the system binaries: install busybox and use its built-in commands instead. Download: https://github.com/mirror/busybox
2. Check login records, command history and abnormal accounts
last                         view the login history
history                      view the commands executed by root on the production system
cat /home/<user>/.bash_history   open the .bash_history file in each account's home directory to review that ordinary user's command history
cat /etc/passwd              check for abnormal accounts
3. Look for abnormal processes, abnormal outbound connections and suspicious files; pay attention to file creation time
top                          find the PIDs using the most memory and CPU
ps aux                       find the command path and actual PID of the high memory/CPU consumers
netstat -anplt               look for suspicious remote IPs, ports and the owning PID
ls -l /proc/<pid>/exe        show the file path of the executable behind the PID
lsof -p <pid>                list the files opened by the program with that PID
ls -l /etc/init.d            view startup items
kill <pid>                   kill the process (pkill <name> kills by process name instead of PID)
pstree -p -a <pid>           view the process tree of a process, with PIDs and arguments
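The /proc/<pid>/exe check above can be automated for every live process. The script below is an added example, not part of the original notes; it flags executables that were deleted after launch or that run from scratch or hidden directories, and the directory list is an assumption to tune for your environment.

```shell
#!/bin/sh
# Walk /proc and flag processes whose executable was deleted after launch
# or lives in a world-writable staging or hidden directory.
# Added example, not from the original notes; the directory patterns below
# are an assumption and will produce some false positives (e.g. ~/.local/bin).

# Return 0 (suspicious) when an exe path matches a known bad pattern.
is_suspicious_exe() {
    case "$1" in
        *' (deleted)')                 return 0 ;;  # binary removed after start
        /tmp/*|/var/tmp/*|/dev/shm/*)  return 0 ;;  # run from scratch directories
        */.*)                          return 0 ;;  # hidden directory component
        *)                             return 1 ;;
    esac
}

# Print "PID<TAB>exe<TAB>cmdline" for every live process that trips the check.
scan_procs() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        # Kernel threads (and PIDs we may not inspect) have no readable exe link.
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        if is_suspicious_exe "$exe"; then
            cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)
            printf '%s\t%s\t%s\n' "$pid" "$exe" "$cmd"
        fi
    done
}

scan_procs
```

Review each hit with lsof -p and pstree -p -a before killing anything; a legitimate service that was upgraded in place also shows "(deleted)" until it is restarted.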
4. Scheduled tasks and passwordless login
crontab -l                   check for suspicious scheduled tasks
ls -la /root/.ssh            check whether the attacker uploaded an SSH key; review ~/.ssh/authorized_keys for every account
5. View recently modified files
find / -type f -atime -7     files accessed within the last 7 days; -atime 7 means exactly 7 days ago and -atime +7 more than 7 days ago (use -mtime or -ctime for modification or inode-change time)
6. Delete files
lsattr                       view Linux files that carry special attributes (the reason root finds it lacks permission to delete a file)
chattr -ai <file>            remove the append-only (a) and immutable (i) attributes so the file can be deleted
7. Log analysis
/var/log/messages            contains global system information
/var/log/auth.log            contains system authorization information, including user logins and the permission mechanisms used
/var/log/userlog             records information on users of all levels
/var/log/cron                records whether crontab jobs executed correctly
/var/log/xferlog (vsftpd.log)   records the Linux FTP log
/var/log/lastlog             records the users who logged in; view it with the lastlog command
/var/log/secure              records authentication events for most applications: the account used and whether the login succeeded
/var/log/wtmp                records successful logins, equivalent to the output of the last command
/var/log/faillog             records failed login attempts; attackers usually delete it
8. Tools
chkrootkit                   rootkit scanner, download: http://www.chkrootkit.org
rkhunter                     rootkit scanner, download: http://rkhunter.sourceforge.net/
clamav                       virus scanner, download: http://www.clamav.net/download.html
There is no good way to scan for webshells on the server itself; if the site is suspected, download it to a local directory and scan it with D Shield.