What to do when your Linux server has been hacked: a comprehensive explanation

Some friends of mine have run into the problem of a hacked server, so after collecting and organizing the related material I have put together a guide to dealing with a hacked Linux server. I hope you get a lot out of it. If you have installed all the right patches, tested your firewalls, and activated an advanced intrusion detection system at several levels, then there is only one way you will get hacked: you were too lazy to do even the obvious things, such as installing the latest patch for BIND.


Being hacked is embarrassing enough; worse, some script kiddie will download one of the well-known "root kits" or popular spyware tools, which then eat up your CPU, memory, data and bandwidth. Where do these bad guys start? Let's begin with the root kit.

A root kit is a package that hackers use to give themselves root-level access to your machine. Once a hacker can access your machine as root, it is all over. The only way out is to back up your data as quickly as possible, wipe the hard drive, and reinstall the operating system. In any case, once your machine has been taken over by someone else, recovering it is not easy.

Can you trust your ps command?

The first trick for finding a root kit is to run the ps command. To you, everything may well look normal (the original article illustrates this with a sample of ps output, not reproduced here). The real question is: "is everything really normal?" One trick hackers use is to replace the ps command with a version that does not show the illegal programs running on your machine. To check for this, look at the size of your ps binary, which is usually located at /bin/ps. On our Linux machines it is about 60kB. I recently came across a root kit whose replacement ps was only about 12kB.

Another obvious trick is to link root's command history file to /dev/null. The command history file tracks and records the commands a user has run while logged in to the Linux machine. Hackers redirect your history file to /dev/null so that you cannot see the commands they have entered.

You can access your history file by typing history at the shell prompt. If you have been using the history command but it no longer lists the commands you used before, look at your ~/.bash_history file. If that file is empty, run ls -l ~/.bash_history. You will see output similar to the following:

    -rw------- 1 jd jd 13829 Oct 10 17:06 /home/jd/.bash_history

Or you might see output similar to this:

    lrwxrwxrwx 1 jd jd 9 Oct 10 19:40 /home/jd/.bash_history -> /dev/null

If you see the second form, your .bash_history file has been redirected to /dev/null. This is a fatal sign: immediately disconnect your machine from the Internet, back up as much of your data as you can, and begin reinstalling the system.

Fixing a hacked Linux server: look for unknown user accounts

When you set out to examine your Linux machine, checking for unknown user accounts first is undoubtedly wise. The next time you log on to your Linux server, type the following command:

    grep :x:0: /etc/passwd

Just one line. I stress again: on a standard Linux installation, the grep command should return only one line, similar to the following:

    root:x:0:0:root:/root:/bin/bash

If the system returns more than one line after you type the grep command, there may be a problem. Only one user should have UID 0; if grep returns more than one line, more than one user does. Admittedly, these are just some good basic techniques for discovering an intrusion. They do not by themselves constitute adequate security, and in depth and breadth they do not come close to the intrusion detection systems mentioned at the start of the article.
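The three checks above (the size of the ps binary, a history file redirected to /dev/null, and the number of UID 0 accounts) are easy to script so they can be run the same way every time. The following is an added example, not code from the original post. Each check is a function that takes the path to inspect, so it can be pointed at copies of files during triage. The 40000-byte lower bound for ps is an assumption chosen to sit between the roughly 60kB normal size and the 12kB replacement the article describes; the UID 0 check matches on the third field with awk instead of the article's grep pattern so it also catches entries whose password field is not "x".

```shell
#!/bin/sh
# Added example (not from the original post): the article's three quick
# host-triage checks as functions that can be pointed at arbitrary paths.

# 1. Size sanity check for a binary such as /bin/ps. The article reports a
#    stock ps of roughly 60 kB and a rootkit replacement of about 12 kB; the
#    default MIN_BYTES (40000) is an assumed lower bound, not a fact from
#    the page. Prints the size; returns 0 if the file is at least that big.
check_binary_size() {
    bin="$1"
    min_bytes="${2:-40000}"
    [ -f "$bin" ] || { echo "$bin: missing"; return 1; }
    size=$(wc -c < "$bin" | tr -d ' ')
    echo "$bin: $size bytes"
    [ "$size" -ge "$min_bytes" ]
}

# 2. Detect a history file that has been symlinked away. Returns 0 when the
#    path is a regular file or absent, 1 when it is a symlink (to /dev/null
#    or anywhere else; either deserves a look).
check_history_file() {
    hist="$1"
    if [ -L "$hist" ]; then
        target=$(readlink "$hist")
        case "$target" in
            /dev/null) echo "$hist -> /dev/null (history suppressed)" ;;
            *)         echo "$hist is a symlink to $target (inspect)" ;;
        esac
        return 1
    fi
    echo "$hist: regular file or absent"
    return 0
}

# 3. Count accounts with UID 0 in a passwd-format file. Matching on the third
#    field also catches entries whose password field is empty rather than 'x'.
count_uid0() {
    passwd="$1"
    awk -F: '$3 == 0 { print $1 }' "$passwd" | wc -l | tr -d ' '
}

# Run all three checks against the live system. Only executed when the
# script is invoked with --run, so sourcing the file just defines functions.
triage_host() {
    check_binary_size /bin/ps
    check_history_file "$HOME/.bash_history"
    n=$(count_uid0 /etc/passwd)
    echo "UID 0 accounts: $n"
    [ "$n" -eq 1 ] || echo "WARNING: expected exactly one UID 0 account"
}

if [ "${1:-}" = "--run" ]; then
    triage_host
fi
```

Run it as `sh triage.sh --run`. A size check is only a rough signal; a replaced ps can be padded to any size, so on a packaged system the stronger check is to verify the binary against the package manager's recorded checksums (for example `rpm -V` or `dpkg --verify`) from known-good media, since a root kit may also have replaced those tools.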

That is a little knowledge for you on what to do when a Linux server has been hacked.


Source: www.cnblogs.com/20560838q/p/12346010.html