Emergency response / security tracing

Computer intrusion investigation

The following applies to Linux systems (Ubuntu, Debian, RedHat, CentOS, ArchLinux); part of the method also applies to Mac OSX.
## Unusual accounts and privileges

### Unusual accounts

List the users:

```sh
cat /etc/passwd
```

Filter by login shell:

```sh
cat /etc/passwd | awk -F: '{print $7}' | sort | uniq -c
```

This prints every login shell found in the file together with the number of accounts using it; go through the accounts that have a real shell one by one.

If the previous step turns up a suspicious user name (assume it is `hacker`), inspect that user in detail:

- user id and group membership: `id hacker`
- most recent login: `lastlog -u hacker`
- login history: `last hacker`
- failed login attempts: `lastb hacker`
- general information: `finger hacker`

Note: `finger` is not built into some distributions; install it with the system's package manager:

> Ubuntu / Debian: `apt-get install finger`
> CentOS / RedHat: `yum install finger`
> ArchLinux: `pacman -S finger`

The same applies to the other non-built-in commands mentioned below.

### Unusual permissions

Linux normally relies on `sudo` to let ordinary users run operations as root, so an account that already exists as an ordinary user cannot be dismissed either. `sudo` rights are managed in `/etc/sudoers` and `/etc/sudoers.d`; check these files regularly to make sure no ordinary user has been granted unexpected rights. For each ordinary user, `groups username` shows the groups they belong to; if a user is in the `root` or `sudo` group, or appears in `/etc/sudoers`, be alert.

## Unusual startup items

### Startup services

How services start under Linux depends on the service manager in use; three are common: Upstart, SystemV and systemd.

Upstart is event-based and replaces the old `/sbin/init` process for starting tasks and services.
Check its startup entries with:

- list all startup jobs: `initctl list`
- show the configuration of one job: `initctl show-config evil`

SystemV is the service manager behind the familiar `service xxx start/stop/status` commands. Check its startup entries with:

- list the startup scripts: `ls /etc/init.d/`
- list the per-runlevel symbolic links: `ls /etc/rc*.d/`

systemd is the modern service manager, and recent Linux releases have migrated to it. There are two ways to list all services started at boot:

- `systemctl list-unit-files --type=service`
- `ls /lib/systemd/system/*.service /etc/systemd/system/*.service`

Older Linux releases generally mix Upstart and SystemV; newer ones have mostly moved to systemd.

### Scheduled tasks

Besides startup services, persistence under Linux can also be obtained through scheduled tasks. Checking for abnormal scheduled tasks is straightforward: look at `/etc/crontab` and the scheduled-task files in the `/etc/cron.*` subdirectories.

### bash initialization files

Every Linux user knows that `$HOME/.bashrc` is read when a shell is initialized and applies to every shell, which means any script placed in it may run each time a new terminal is opened. Files of this kind include `.bashrc`, `.bash_profile`, `.bash_login`, `.profile` and so on. Which of them are run, and in what order, is decided by how the shell is invoked and whether it is interactive; for bash the flow is shown in the table below:

script name | interactive login | interactive non-login | script (non-interactive)
------------------ | --------- | ---------- | --------------
`/etc/profile` | A | |
`/etc/bash.bashrc` | | A |
`~/.bashrc` | | B |
`~/.bash_profile` | B1 | |
`~/.bash_login` | B2 | |
`~/.profile` | B3 | |
`$BASH_ENV` | | | A
`~/.bash_logout` | C | |

The execution order is `A -> B -> C`; B1, B2 and B3 mean that only the first of those scripts that exists is run. As a flowchart:

![startup sequence](http://www.solipsys.co.uk/images/BashStartupFiles1.png)

For the meaning of login / non-login and interactive / non-interactive shells, refer to other material online; it is not covered here. It is enough to know the order in which the shell initialization files are executed and to check those files for suspicious commands, which is where abnormal entries can be found.

### Application-level startup items

Finding every suspicious startup item is difficult: an experienced attacker can modify an existing startup script so that it pulls in additional commands, which lowers the chance of detection. Some Linux desktop environments also run their own startup items, for example my favourite, xfce, where `Settings -> Session Startup -> Application Autostart` can add applications that start with the session.

## Unusual records

### Abnormal command history

After getting a shell, a hacker will usually run a few commands, and we can see what was run with the `history` command or simply by looking at the `~/.bash_history` file. A careful hacker may clean up these traces when finished, but finding that the history has been cleared or tampered with is itself enough of a warning signal.
### Abnormal logs

Logs, and the system logs in particular, are our great helper. The following commands read the log files and print the related information:

- most recent login time and IP for each user: `lastlog`
- login records for each user: `last`
- login attempts, including failures, for each user: `lastb`
- currently logged-in users, their IP and the command they are running: `w`

Of course, a determined attacker will hide their traces from these commands, for example with the small tool hidemyass.

System logs are generally produced by the rsyslogd process, configured in `/etc/rsyslog.conf` and the `/etc/rsyslog.d/` directory. Common logs:

- `/var/log/messages`: general system log
- `/var/log/kern.log`: kernel log
- `/var/log/boot.log`: boot log
- `/var/log/auth.log`: authentication log; successful and failed ssh / sudo attempts are recorded here
- `/var/log/secure`: same as above
- `/var/log/cron.d`: cron scheduled task execution log

## Unusual processes

To find abnormal processes, use `top` to view the running programs and the resources they use, or `ps -ef` to list the processes currently on the system. If you find a process you do not recognize, inspect it in detail with the following commands:

- the complete command line the process was started with: `ps eho command -p $PID`
- the directory the process was started in: `readlink /proc/$PID/cwd`
- the complete environment at process start: `strings -f /proc/$PID/environ | cut -f2 -d ' '`
- all files opened by the process: `lsof -p $PID`
- network connections opened by the process: `netstat -pan | grep $PID`

Hidden processes: investigate loaded LKM modules.
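The log review above, as an added example that is not part of the original post: a small detection run over constructed auth.log-style lines (the host name, addresses and the failure threshold are assumptions), flagging successful ssh logins as root, sources with repeated failed passwords, and sudo used to start a shell.

```shell
#!/bin/sh
# Added example, not from the original post: run a simple detection over
# auth.log-style lines. The log lines below are constructed sample data in
# the usual OpenSSH/syslog format; for real use, feed /var/log/auth.log
# (or /var/log/secure) to the functions instead.

SAMPLE_AUTH_LOG='Mar  3 10:01:12 web01 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51122 ssh2
Mar  3 10:01:15 web01 sshd[2103]: Failed password for root from 198.51.100.7 port 51130 ssh2
Mar  3 10:01:19 web01 sshd[2105]: Failed password for root from 198.51.100.7 port 51141 ssh2
Mar  3 10:02:02 web01 sshd[2110]: Accepted password for alice from 192.0.2.10 port 40022 ssh2
Mar  3 10:03:40 web01 sshd[2131]: Failed password for alice from 203.0.113.9 port 39211 ssh2
Mar  3 10:04:01 web01 sshd[2140]: Accepted password for root from 198.51.100.7 port 51190 ssh2
Mar  3 10:05:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash'

# Count failed ssh password attempts per source IP (log lines on stdin);
# prints "count ip", highest count first.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++
         }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Flag events that should never pass unexamined (log lines on stdin):
#   ROOT_LOGIN ip     - a successful ssh login as root
#   SUDO_SHELL user   - sudo used to start an interactive shell
#   BRUTE ip count    - a source whose failed attempts reach the threshold
# The threshold is the first argument (default 3, an assumed value).
flag_events() {
    awk -v t="${1:-3}" '
        /sshd\[[0-9]+\]: Accepted .* for root from/ {
            for (i = 1; i <= NF; i++) if ($i == "from") print "ROOT_LOGIN " $(i+1)
        }
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++
        }
        /sudo:.*COMMAND=\/bin\/(ba)?sh$/ { print "SUDO_SHELL " $6 }
        END { for (ip in c) if (c[ip] >= t) print "BRUTE " ip " " c[ip] }'
}

# Wrappers over the constructed sample so the checks run without a live system.
sample_failed_by_ip() { printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_ip; }
sample_flags()        { printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_events "$@"; }
```

On a real host, `flag_events 5 < /var/log/auth.log` runs the same checks with a threshold of five attempts.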
## Unusual network traffic

- Linux desktop users: wireshark
- Linux servers: tcpdump
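The account and sudo checks from the first section, scripted as an added example (not code from the original post) so the same review can be repeated on every host: the passwd and sudoers contents are constructed sample data, and the UID 1000 boundary used to separate system accounts from ordinary users is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: audit passwd and sudoers text
# for entries that deserve a second look. The contents below are constructed
# sample data; for real use, pipe /etc/passwd and /etc/sudoers into the
# functions instead.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
hacker:x:0:1001::/home/hacker:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh'

SAMPLE_SUDOERS='Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
hacker  ALL=(ALL) NOPASSWD: ALL'

# The shell summary from the post (passwd lines on stdin): one line per
# login shell with the number of accounts using it, most common first.
shell_summary() {
    awk -F: '{ print $7 }' | sort | uniq -c | sort -rn
}

# Flag accounts worth investigating (passwd lines on stdin). Prints
# "TAG user shell" for each finding:
#   UID0      - an account other than root with UID 0 (a second superuser)
#   SYSSHELL  - a system account (UID below 1000, an assumed cut-off) that
#               still has a real login shell instead of nologin/false
audit_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "UID0 " $1 " " $7 }
        $3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print "SYSSHELL " $1 " " $7 }'
}

# List who is granted rights in sudoers-style text (stdin), skipping blank
# lines, comments and Defaults; marks grants that need no password.
sudoers_grants() {
    awk 'NF > 0 && $1 !~ /^#/ && $1 != "Defaults" {
             print $1 (($0 ~ /NOPASSWD/) ? " NOPASSWD" : "")
         }'
}

# Wrappers over the constructed samples so the checks run without touching
# the live system.
sample_shell_summary()  { printf '%s\n' "$SAMPLE_PASSWD" | shell_summary; }
sample_audit()          { printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd; }
sample_sudoers_grants() { printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_grants; }
```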


## Windows systems

- check McAfee's VirusScan Console
- check the McAfee HIP firewall
- check the Windows Firewall
- check the IIS settings and the access permissions of the site directory
- check the administrator accounts
- check the Windows logs
- check the IIS web site access logs
- check the FTP logs
- check the server processes
- back up data


Origin www.cnblogs.com/AtesetEnginner/p/11324961.html