Man is born free, and everywhere he is in chains. Those who think themselves the masters of others are in fact greater slaves than they.
Recently I have encountered many cases of server intrusion. To make future intrusion detection and troubleshooting easier, I looked up information on Linux server intrusion forensics and summarized it here for later reference.
Common signs that a server has been compromised include, but are not limited to: large volumes of packets sent from inside to outside (the server is being used as a DDoS bot), exhausted server resources (a mining program), abnormal port connections (a reverse shell, etc.), and maliciously deleted server logs. Since this is intrusion detection, the first thing to decide is whether the server has actually been compromised, and misoperation by the administrator must be ruled out. So the first task of intrusion detection is to ask the administrator what anomalies were observed on the server; this judgement is very important.
Once the anomaly has been described and administrator error and similar causes have been excluded, formal intrusion detection and forensic work on the server can begin.
April 21, 2017
View running processes by name.
Processes can also be located through the files they hold open or through their TCP/UDP sockets.
Shows a file's modification time, size and other attributes.
View the loaded kernel modules.
Check which RPC services are open.
Check whether the network card is in promiscuous mode.
This command shows successful logins, shutdowns, restarts and so on for our system. It essentially formats the /var/log/wtmp file, so if that file has been deleted nothing can be output.
- last -10 (-n): view the last 10 records
- last -x reboot: view the restart records
- last -x shutdown: view the shutdown records
- last -d: view logins with the remote host name resolved
- last --help: command help
- last -f wtmp: read a wtmp file with the last command (the file cannot be viewed directly)
This command shows failed logins. It essentially formats the /var/log/btmp file.
- lastb name (root): view the failed login records of the root user
- lastb -10 (-n): view the last 10 failed login records
- lastb --help: command help
This command shows each user's most recent login. It essentially formats the /var/log/lastlog file.
- lastlog: the last login record of every user
- lastlog -u username (root): the last login record of the root user
- lastlog --help: command help
This command shows who is currently logged into the system. It essentially formats the /var/log/utmp file and is mainly used to see the current user names and the IP addresses they logged in from; the w command does the same as who but in more detail.
Viewing the command history is really just viewing the contents of /root/.bash_history; if that file is deleted, the record is gone.
- history: view the whole history
- history -10: view the last 10 records
- history | grep "wget": view the records related to wget
- history --help: command help
To show timestamps in history:
Different Linux users have different privileges, but every user is recorded in the /etc/passwd, /etc/shadow and /etc/group files.
Note: Linux sets an empty password with: passwd -d username
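The three files above are where an intruder's persistence usually shows up, so the following script, added here as an example and not part of the original post, audits passwd and shadow content for a second UID 0 account, an empty password field (exactly what passwd -d produces) and a service account that has been given a real shell. The functions read from stdin so they work on copies taken off the server; the sample data is constructed.

```sh
#!/bin/sh
# Added example: audit /etc/passwd and /etc/shadow content for signs an
# intruder leaves in the user database. Each function reads the file
# content from stdin, so it runs on collected copies as well as live files.

# Print every account other than root that has UID 0.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print every account whose password field in shadow is empty.
# "*" or "!" means locked; an empty field means login without a password.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }'
}

# Print system accounts (UID 1..999) whose shell is a real shell rather
# than nologin/false, e.g. a web-server account turned into a login account.
system_accounts_with_shell() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 ": " $7 }'
}

# Constructed sample data (not real server content). "backup" has been
# given UID 0 and an empty password; www-data has been given /bin/bash.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
backup:x:0:0:backup:/tmp:/bin/bash
alice:x:1000:1000:alice:/home/alice:/bin/bash'

SAMPLE_SHADOW='root:$6$placeholderhash:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
www-data:!:17000:0:99999:7:::
backup::17000:0:99999:7:::
alice:$6$placeholderhash:17000:0:99999:7:::'

# Demo on the sample data. On a server run the same checks on the live
# files, e.g.  uid0_accounts < /etc/passwd  and
# empty_password_accounts < /etc/shadow  (the latter needs root).
echo "extra UID 0 accounts:";        printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
echo "empty passwords:";             printf '%s\n' "$SAMPLE_SHADOW" | empty_password_accounts
echo "system accounts with a shell:"; printf '%s\n' "$SAMPLE_PASSWD" | system_accounts_with_shell
```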
A compromised server usually runs some malicious program, such as a mining program or a DDoS program. If the program is running, it can be found by inspecting the processes.
If nothing abnormal is found among the visible processes, check whether hidden processes are running.
Note: the three steps above are for checking hidden processes.
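One way to check for hidden processes, added here as an example that is not from the original post, is to compare two independent views of the PID space: what ps reports against the numeric directories under /proc. A userland rootkit that hooks ps can hide a PID from one view while it still shows in the other. The comparison takes the two lists as arguments so it can be demonstrated on constructed data; collect_live_pids gathers the real lists on a server.

```sh
#!/bin/sh
# Added example: find PIDs visible in /proc but missing from ps output.

# Print PIDs present in the second list (e.g. /proc) but absent from the
# first (e.g. ps). Both arguments are whitespace-separated PID lists.
hidden_pids() {
    { printf 'ps %s\n' $1; printf 'proc %s\n' $2; } |
        awk '$1 == "ps"   { seen[$2] = 1; next }
             $1 == "proc" && !($2 in seen) { print $2 }'
}

# Gather the two live views on a real server: PIDs that ps reports and
# numeric directory names under /proc (kernel threads included).
# Processes that start or exit between the two snapshots (ps itself,
# ls, grep) can show up once; anything that appears on every re-run
# is worth inspecting with  cat /proc/<pid>/status  and
# ls -l /proc/<pid>/exe  (a "(deleted)" binary is a classic sign).
collect_live_pids() {
    ps_pids=$(ps -eo pid= | tr -s ' \n' ' ')
    proc_pids=$(ls /proc | grep -E '^[0-9]+$' | tr '\n' ' ')
    hidden_pids "$ps_pids" "$proc_pids"
}

# Constructed sample: /proc knows PID 4242 but ps does not list it.
SAMPLE_PS="1 2 345 678"
SAMPLE_PROC="1 2 345 678 4242"

echo "hidden PIDs in sample data:"
hidden_pids "$SAMPLE_PS" "$SAMPLE_PROC"
# On a server:  collect_live_pids   (run it several times and keep
# only the PIDs that persist across runs).
```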
On a hacked website, files are usually modified. Compare file creation times, integrity (checksums), file paths and so on to check whether files have been changed.
The purpose of checking the network is to see whether the hacker is sniffing traffic by changing the NIC mode.
When we try to kill a malicious program, we often find that it is restarted automatically after being killed, so the cron jobs must be checked.
Tools can be used, such as Conmodo, rkhunter, etc. Of course, the checks can also be run manually from the command line.
Check for well-known Trojan backdoor programs:
If a web application is running on the server, you need to check whether the server was compromised through a web vulnerability. The precise method is to correlate the middleware (web server) logs with the system logs, but that takes a long time. We can also decide whether the hacker entered through the web application by checking whether the intruder left a backdoor Trojan (webshell) on the server.
- In the website directory, copy and compress every file whose name contains jsp, php, asp or aspx (note: contains, not ends with).
- Scan the packaged directory with the [D Shield](http://www.d99net.net/) tool under Windows to check for webshells.
Or directly use the [MaskFindShell](https://github.com/tengzhangchao/MaskFindShell) tool to scan for webshells (it currently only scans jsp and php sites, and the false-positive rate for php is high).
For detailed usage of MaskFindShell, see: [MaskFindShell-Document](https://github.com/tengzhangchao/MaskFindShell/blob/master/README.md)
Whatever method is used to look for webshells, the first thing to determine is the web server's installation path, because webshells are placed under the web path.
- Ask the administrator or the website developer
- [SearchWebPath](https://github.com/tengzhangchao/SearchWebPath); for usage see: [SearchWebPath usage](http://thief.one/2017/03/10/SearchWebPath/)
When doing intrusion detection analysis we need to copy some log files to the local machine for further detailed analysis. How do we package the relevant server information and copy it locally?
Package the files whose names contain jsp; the packaged file is my_txt_files.tar:
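The collection step described in the webshell section and the packaging step above can be done in one pass. The script below, added here as an example and not the original post's command, finds every file under a web root whose name contains a web-script extension, writes a SHA-256 manifest of them first and then packs them into a tar archive, so the copy analysed locally can later be checked against what was on the server. It assumes find, tar with -T, sha256sum and mktemp are available; the web root it builds is a constructed sample.

```sh
#!/bin/sh
# Added example: collect web-script files from a web root into a tar
# archive plus a SHA-256 manifest (names matched by "contains", as in the
# post, so shell.jsp.bak and avatar.php.jpg are collected too).

# Usage: collect_web_scripts <web_root> <output_dir>
# Writes <output_dir>/web_scripts.list, .sha256 and .tar and prints the
# number of files collected.
collect_web_scripts() {
    web_root=$1
    out_dir=$2
    mkdir -p "$out_dir"
    list="$out_dir/web_scripts.list"
    # -iname so .PHP / .Jsp are not missed; '*.asp*' also covers .aspx.
    find "$web_root" -type f \
        \( -iname '*.jsp*' -o -iname '*.php*' -o -iname '*.asp*' \) \
        > "$list"
    if [ -s "$list" ]; then
        # Hash before packing: the manifest documents the files as found.
        while IFS= read -r f; do sha256sum "$f"; done < "$list" \
            > "$out_dir/web_scripts.sha256"
        # tar keeps paths and mtimes, which matter for the timeline.
        tar -cf "$out_dir/web_scripts.tar" -T "$list" 2>/dev/null
    else
        : > "$out_dir/web_scripts.sha256"
    fi
    wc -l < "$list" | tr -d ' '
}

# Build a constructed sample web root for demonstration; prints its path.
make_sample_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/app/admin" "$d/uploads"
    printf '<html>home</html>\n'      > "$d/index.html"
    printf '<?php echo "ok"; ?>\n'     > "$d/app/index.php"
    printf '<%%@ page %%>\n'           > "$d/app/admin/login.jsp"
    printf 'binary\n'                  > "$d/uploads/photo.jpg"
    printf 'x\n'                       > "$d/uploads/avatar.php.jpg"  # double extension
    printf '%s\n' "$d"
}

# Demo: on a real server replace SAMPLE_ROOT with the web path found
# earlier (e.g. /var/www/html) and DEMO_OUT with a directory off the web root.
SAMPLE_ROOT=$(make_sample_webroot)
DEMO_OUT=$(mktemp -d)
echo "files collected: $(collect_web_scripts "$SAMPLE_ROOT" "$DEMO_OUT")"
```

After transferring the tar and the manifest, extract the archive and run sha256sum -c on the manifest (adjusting the leading path) to confirm nothing changed in transit.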
There are several ways to transfer files from the server to your local computer.
If the SSH client is Xshell or similar, you can install the lrzsz package (this does not work with PuTTY).
Upload files to Linux with rz; download files from Linux with sz filename.
I will not cover opening FTP here, as there are many tutorials online; here I mainly talk about opening an HTTP service.
Linux servers generally have Python installed by default, so an HTTP service can be started quickly with Python. For details, see: [Python-based WebServer](http://thief.one/2016/09/14/%E5%9F%BA%E4%BA%8EPython%E7%9A%84WebServer/)
If we are not connected over SSH but are operating the server directly through a monitor, a USB drive can be used to transfer the files.
This article summarizes some of the most basic commands for Linux intrusion detection. Using these commands well depends on the actual situation and mainly on experience. What is described above is only the information-collection stage of intrusion detection; reconstructing the intrusion path from the collected information requires other tools and knowledge.
Reference link: http://www.jb51.net/hack/421908.html