
The easiest and quickest way to detect whether a Unix system has been compromised

Identifying whether a Unix system has been compromised can require a high level of skill, but there are also some very simple methods.

The simple way is to check the system log, the process table and the file system for any "strange" messages, processes or files. For example:

two running inetd processes (there should be only one);

".ssh" running with root's EUID instead of root's UID;

a core file from an RPC service under "/";

new setuid/setgid programs;

rapidly growing files;

the results of df and du do not agree;

perfmeter/top/BMCPatrol/SNMP monitors (monitoring programs) disagree with the output of vmstat/ps; network traffic much higher than usual;

regular files and directories under /dev (rather than device nodes), especially ones with innocuous-looking names;

accounts in /etc/passwd and /etc/shadow that look abnormal or have no password;

strange file names in /tmp, /var/tmp and other writable directories. "Strange" here means a name such as "..." (three dots); if you find such a name and it is actually a directory, your system almost certainly has a problem.

Also check /.rhosts, /etc/hosts.equiv, /.ssh/known_hosts and ~/.rhosts for any inappropriate new entries.

Also pay close attention to hidden trust relationships. For example, which hosts mount NFS exports from which? Which hosts have .rhosts, .shosts and hosts.equiv entries referring to other hosts? Which hosts have a .netrc file? Which hosts share a network segment? Keep following these relationships. Attackers usually do not stop at one host: they jump from host to host, hide their tracks, and open as many backdoors as they can.
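The checks listed above, as an added example that is not part of the original article: a small POSIX sh script with one function per check (the function names and the `--run` flag are assumptions). Each function takes a file, directory or ps listing as input, so the same checks can be run against a copy of the data taken from a suspect host.

```sh
#!/bin/sh
# Added example, not the article's own code. Function names are hypothetical;
# "sh detect.sh --run" (assumed filename) applies the checks to the live host.

# Number of running inetd processes, read from "ps -eo comm=" style output on
# stdin. More than one is the sign the article describes.
count_inetd() {
  awk '$NF == "inetd" || $NF ~ /\/inetd$/ { n++ } END { print n + 0 }'
}

# Accounts whose password field is empty in a passwd- or shadow-format file.
empty_password_accounts() {
  awk -F: '$2 == "" { print $1 }' "$1"
}

# Directories under $1 whose name is only dots (three or more) or a dot
# followed by whitespace: the "..." trick used to hide files in /tmp.
dotted_dirs() {
  find "$1" -type d 2>/dev/null |
    awk -F/ '$NF ~ /^\.\.\.+$/ || $NF ~ /^\.[ \t]+$/'
}

# setuid or setgid regular files under $1; diff the output against a baseline
# list taken while the host was known to be clean.
setuid_files() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Wildcard ("+") entries in an .rhosts or hosts.equiv file; such a line
# trusts any host or any user. Prints "line:content" for each hit.
wildcard_trust_entries() {
  [ -f "$1" ] && grep -n '^[[:space:]]*+' "$1"
}

run_host_checks() {
  echo "inetd processes: $(ps -eo comm= | count_inetd)"
  echo "empty-password accounts:"; empty_password_accounts /etc/passwd
  echo "dotted directories:"; dotted_dirs /tmp; dotted_dirs /var/tmp
  echo "setuid/setgid files under /usr:"; setuid_files /usr
  for f in /.rhosts /etc/hosts.equiv /root/.rhosts; do
    echo "wildcard trust entries in $f:"; wildcard_trust_entries "$f"
  done
}

[ "${1:-}" = "--run" ] && run_host_checks
```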

If you find anything suspicious, contact your local computer emergency response team to help check the other hosts on the network and restore the damaged systems.

This article is published by www.internetweblist.com and does not represent the position of www.internetweblist.com: http://www.internetweblist.com/Operating_system/31332.html
