[Make it clear, to say it! Emergency response procedures] Linux system

Contents:
(1) Overview
(2) Identify the symptoms
(3) Closing the loop
(4) Common Web vulnerabilities to patch


(1) Overview
(1.1) Handling emergency response events in a Linux environment is often harder than on Windows: Linux has no emergency response tool comparable to procexp, and there is no standard emergency response process. So we need to sort out a systematic process for handling emergencies in a Linux environment.
(1.2) The Linux emergency response process is divided into four stages: identify the symptoms -> remove the virus -> close the loop -> harden the system.
(1.3) Starting from the scenario where a user reports an abnormal host, first identify the suspicious symptoms of the virus. Then locate the specific virus process and virus file and remove them. Completing step 2 alone is not enough: a virus usually survives through autostart entries and daemon processes that repeatedly reinfect the host, so we must close the loop by checking every persistence mechanism to make sure the virus is no longer executed. After the virus's entry point on the host has been cleaned up, the system is finally hardened to prevent the virus from getting in again through the Web. These four stages constitute a complete emergency response process.


(2) Identify the symptoms
(2.1) The first stage requires us to go through the system's running state and the security alarm devices to find the abnormal host and identify the virus's suspicious behaviour. Enumerate processes with the top command, sorted by CPU usage in descending order; if a process with a suspicious name occupies more than 70% of the CPU, it is very likely a mining virus.
# top --- enumerate processes sorted by CPU usage in descending order
(2.2) Enumerate processes with the ps command to find out whether there are suspicious processes. Processes that carry a virus generally have suspicious command lines; when you find a command line containing a URL or other strange strings, pay attention, because it is very likely a virus downloader.
(2.3) Pay attention to whether the security gateway raises alarms
(2.3.1) The most direct way to recognize a threat is from the security gateway's alarms, but confirming that the host is infected with a virus is only the first step; next we have to locate the specific process that does the communicating.
(2.3.2) Monitor which process communicates with the target IP
# while true; do netstat -antp | grep 192.168.26.51; done
(2.3.3) Sometimes what the security gateway detects is not a malicious IP but a domain name. In that case the corresponding IP keeps changing and we cannot monitor it directly with the method above. We can add a rule to the /etc/hosts file that redirects the malicious domain to an arbitrary IP address, and then monitor that IP address to find the malicious process communicating with it.
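The sinkhole approach of (2.3.3) combined with the netstat loop of (2.3.2), written up as an added example that is not part of the original post; the sinkhole address 10.255.255.254, the placeholder domain bad.example and the sample netstat output are all constructed for the exercise:

```shell
#!/bin/sh
# Added example (not from the original post): sinkhole a malicious domain via
# /etc/hosts and find out which processes connect to the sinkhole address.
# SINKHOLE_IP is an assumption: any unused address on which nothing listens.
SINKHOLE_IP="10.255.255.254"

# Build the /etc/hosts line that redirects DOMAIN to the sinkhole address.
# Apply it (as root) with:  hosts_rule bad.example >> /etc/hosts
hosts_rule() {
    printf '%s %s\n' "$SINKHOLE_IP" "$1"
}

# From `netstat -antp` output on stdin, print "PID/Program" for every socket
# whose foreign address is the given IP on any port, one line per process.
# Column layout: Proto Recv-Q Send-Q Local Foreign State PID/Program
procs_talking_to() {
    awk -v ip="$1" '{ sub(/:[0-9*]+$/, "", $5); if ($5 == ip) print $7 }' |
        sort -u
}

# Poll loop like the one in the post, but with a timestamp on every hit so
# the evidence survives after the process has been killed.
watch_sinkhole() {   # usage: watch_sinkhole IP [interval-seconds]
    while true; do
        netstat -antp 2>/dev/null | procs_talking_to "$1" |
            while read -r proc; do
                printf '%s %s -> %s\n' "$(date '+%F %T')" "$proc" "$1"
            done
        sleep "${2:-2}"
    done
}

# Constructed sample of `netstat -antp` output for a stand-alone check.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      912/sshd
tcp        0      0 192.168.26.10:45210     10.255.255.254:80       ESTABLISHED 1861/curl
tcp        0      0 192.168.26.10:45216     10.255.255.254:443      SYN_SENT    2209/gvfs-udisks2-v
tcp        0      0 192.168.26.10:45300     203.0.113.5:443         ESTABLISHED 3031/firefox'
```

Run `watch_sinkhole "$SINKHOLE_IP"` on the live host after the hosts rule is in place; the PIDs it prints are the ones to inspect in (2.6) and (2.7).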
(2.4) Watch for suspicious commands in the history
Go through the host's command history to find out whether malicious commands were executed
(2.5) Remove the virus
Tracing back along the chain of process information helps us locate the virus process and the virus file so that they can be removed.
(2.6) End the virus process
Clear the suspicious process chain
# ps -elf | grep 1861 --- inspect the suspicious process
# kill -9 1861 --- kill the suspicious process
(2.7) Remove the virus files
# ls -al /proc/2209/exe --- query the path of the executable of process 2209
# rm -rf /usr/libexec/gvfs-udisks2-volume-monitor --- delete the actual file that the exe link points to


(3) Closing the loop
Compared with Windows, a virus has fewer ways to persist on Linux; the main ones are the following four.
(3.1) Check for suspicious scheduled tasks
Enumerate cron jobs: # crontab -l (Figure 8-1), and also check the anacron asynchronous scheduled tasks: # cat /etc/anacrontab (Figure 8-2)
(3.2) Check for suspicious services
(3.2.1) Enumerate all services on the host and check whether any malicious service exists
# service --status-all --- enumerate all services on the host
(3.2.2) Check whether system files have been hijacked: enumerate the files in the system binary directories, sorted by modification time, and look at those modified within the last 7 days (find's -mtime -7 selects files modified less than 7 days ago):
# find /usr/bin/ /usr/sbin/ /bin/ /usr/local/bin/ -type f -mtime -7 | xargs ls -lat | less
(3.2.3) Check whether a virus daemon process exists and monitor the daemon's behaviour:
# lsof -p 13570 --- list the files opened by the process with PID 13570
# strace -tt -T -e trace=all -p 658 --- trace the process with PID 658; -tt prefixes every output line with a timestamp at microsecond resolution, -T shows the time spent in each system call, and -e trace=all traces all system calls
(3.3) Scan for malicious drivers
(3.3.1) List the loaded kernel modules: # lsmod
(3.3.2) Install chkrootkit and run a scan; it is a tool for finding and detecting rootkit backdoors on Linux systems. (See the article 【一点一滴,成材之基!】Linux backdoor / Trojan horse detection tools.)
(3.3.3) Install rkhunter and run a scan; it is a dedicated tool for checking whether a system is infected with a rootkit, which runs a series of scripts to confirm whether the server has been compromised by a rootkit. (See the article 【一点一滴,成材之基!】Linux backdoor / Trojan horse detection tools.)
(3.3.4) The last step is the one people most easily forget. On the Linux platform 90% of viruses spread and infect over the network, so the reason your host got infected is in most cases insufficient Web security protection. One thing to check: change weak SSH passwords.
(3.3.5) Query the host login log:
# grep "Accepted" /var/log/secure* | awk '{print $1,$2,$3,$9,$11}'
(3.3.6) Locate the source IPs of brute-force attacks (for how the IP address pattern is written, see the article 【我的Linux,我做主!】通配符和正则表达式深层解析)
# grep "Failed password" /var/log/secure | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | sort | uniq -c | sort -nr
(3.3.7) Usernames attempted in the brute-force log:
# grep "Failed password" /var/log/secure | perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}' | sort | uniq -c | sort -nr
(3.3.8) SSH brute force is the most common propagation method of Linux viruses; a host with a weak password is easily brute-forced over SSH by other infected hosts and thus reinfected.
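The log checks of (3.3.5) to (3.3.8) combined into one small triage script, added here as an example (these are not the post's own commands). The log lines are constructed and use documentation IP ranges; locating "from" by keyword rather than by field position is an added generalization that also handles the "invalid user" lines, where the positional $9/$11 fields of the post's awk command shift:

```shell
#!/bin/sh
# Added example (not from the original post): triage of sshd entries in the
# format of /var/log/secure. Constructed sample log; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG='Mar  3 10:01:12 host sshd[2201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 10:01:14 host sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Mar  3 10:01:15 host sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 50131 ssh2
Mar  3 10:01:19 host sshd[2207]: Failed password for root from 203.0.113.7 port 50140 ssh2
Mar  3 10:02:01 host sshd[2210]: Failed password for root from 198.51.100.9 port 41000 ssh2
Mar  3 10:05:40 host sshd[2230]: Accepted password for root from 203.0.113.7 port 50188 ssh2
Mar  3 11:00:02 host sshd[2300]: Accepted publickey for ops from 198.51.100.20 port 39000 ssh2'

# Failed logins per source IP, most frequent first. "from" is found by
# keyword, so "for root from ..." and "for invalid user admin from ..."
# both yield the IP even though their field numbers differ.
failed_by_ip() {
    awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' |
        sort | uniq -c | sort -rn
}

# Failed logins per target user name (keeps the "invalid user" marker).
failed_by_user() {
    awk '/Failed password for/ { sub(/.*Failed password for /, ""); sub(/ from .*/, ""); print }' |
        sort | uniq -c | sort -rn
}

# Successful logins: date, time, auth method, user, source IP.
accepted_logins() {
    awk '/Accepted/ { for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1);
                      print $1, $2, $3, $7, $9, ip }'
}

# Source IPs with at least THRESHOLD failures that later logged in
# successfully: the strongest sign that the brute force worked and the
# host is compromised.  usage: brute_force_then_success THRESHOLD < log
brute_force_then_success() {
    awk -v t="$1" '
        { for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1) }
        /Failed password/ { fail[ip]++ }
        /Accepted/        { ok[ip] = 1 }
        END { for (ip in fail) if (fail[ip] >= t && ok[ip]) print ip }' | sort
}
```

On a real host feed the functions with `cat /var/log/secure* | failed_by_ip` and so on; any IP reported by brute_force_then_success should have its "Accepted" login time compared with the first appearance of the suspicious process from (2.1).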
(3.4) Add command auditing
Add the login IP address, execution time and similar information to the command history
(3.4.1) Modify the /etc/profile file so that the system keeps 10,000 commands by default:
# sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile
(3.4.2) Append the following configuration lines to the end of the /etc/profile file.
(3.4.3) Make the modified configuration take effect, then view the last 10 lines of the history command output; the time, login IP and other information is now recorded
# source /etc/profile


(4) Common Web vulnerabilities to patch
1. Struts2 series RCE vulnerabilities
2. ThinkPHP 5.x RCE vulnerability
3. Redis unauthorized access vulnerability
4. Confluence RCE vulnerability (CVE-2019-3396)
5. Drupal RCE vulnerability (CVE-2018-7600)
6. ThinkPHP RCE vulnerability (CVE-2019-9082)
The malicious software threatening the Linux platform is mainly mining botnets, worms and viruses. Because most Linux machines are servers exposed to the public network, and Web application vulnerabilities keep emerging, they are easy to attack on a large scale. Common viruses such as DDG, systemdMiner, BillGates, watchdogs and XorDDoS are found on many Linux hosts, so we have to develop the good habits of not using weak passwords and patching promptly.

------ This concludes the article, thanks for reading ------


Origin blog.51cto.com/13613726/2461826