The fastest way to detect whether a Unix system has been compromised

Establishing with confidence that a Unix system has been compromised takes considerable skill, but there are also some very simple checks that catch a great deal.

The simple approach is to look through the system logs, the process table and the file system for "strange" messages, processes or files. For example:

Two running inetd processes (there should be only one);

An ssh process running with root's effective UID (EUID) but not root's real UID;

Core files from RPC services lying in "/" (a crashed RPC daemon is often the residue of an exploit attempt);

New setuid/setgid programs;

Files whose size is growing rapidly;

df and du results that do not agree (df reporting far more used space than du can account for);

Figures from a monitor such as perfmeter, top, BMC Patrol or an SNMP agent that do not match what vmstat or ps report;

Network traffic far higher than usual;

Regular files or directories under /dev, especially ones with ordinary-looking names;

/etc/passwd and /etc/shadow: check whether any unusual account, or any account with no password, exists;

Oddly named files in /tmp, /var/tmp and other world-writable directories. "Odd" here means a name such as "..." (three dots). If you find such a name and it turns out to be a directory, the system is in all likelihood compromised.

Also check /.rhosts, /etc/hosts.equiv, /.ssh/known_hosts and every user's ~/.rhosts for inappropriate new entries.

In addition, pay close attention to hidden trust relationships. How are file systems mounted between hosts over NFS? Which hosts have .rhosts, .shosts or hosts.equiv entries for other hosts? Which hosts have a .netrc file? With which hosts does this one share a network segment? Keep following these links. Attackers rarely stop at a single host: they hop from one to the next, cover their tracks, and plant as many backdoors as they can.
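As an added example, not part of the original article, the POSIX sh script below mechanises several of the indicators listed above (the inetd count, empty-password accounts, setuid/setgid programs, regular files under /dev, "..." directories, the df/du gap) together with the trust-file review from the last two paragraphs. Each function takes explicit paths so it can be pointed either at the live system or at constructed sample data; the script name, function names and the 10% df/du tolerance are the editor's own choices, not anything the article specifies.

```shell
#!/bin/sh
# Added example, not from the original article: small POSIX sh helpers that
# mechanise several of the indicators above. Each function takes explicit
# paths, so it can be pointed at the live system or at constructed sample data.
# Function names, file names and thresholds here are assumptions of this example.

# Indicator: more than one inetd. $1 is a file of "ps -eo comm" output, or "-"
# for stdin; prints how many processes are named inetd (expected: 1 or 0).
count_inetd() {
    awk '$1 == "inetd" { n++ } END { print n + 0 }' "$1"
}

# Indicator: accounts with no password. $1 is a passwd- or shadow-format file;
# prints every account whose password field (field 2) is empty.
accounts_without_password() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Indicator: new setuid/setgid programs. $1 is the tree to walk; prints every
# regular file with the setuid or setgid bit. Save the output from a known-good
# system and diff later runs against it to see what is new.
list_setuid_setgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Indicator: regular files under /dev, which should hold device nodes only.
# $1 is the directory. Subdirectories such as pts and shm are normal on modern
# systems, so only regular files are reported; review the list by hand.
regular_files_under_dev() {
    find "$1" -type f 2>/dev/null | sort
}

# Indicator: directories named "..." (or starting with "...") inside a
# world-writable directory. $1 is the directory, e.g. /tmp.
dotdotdot_dirs() {
    find "$1" -mindepth 1 -type d -name '...*' 2>/dev/null | sort
}

# Indicator: df and du disagree. $1 = used KB from df, $2 = KB totalled by du,
# $3 = tolerated difference in percent. Returns 0 (true) when the gap exceeds
# the tolerance: a rootkit that hides files makes du undercount while df
# still sees the allocated blocks.
df_du_gap_exceeds() {
    gap=$(( $1 - $2 ))
    [ "$gap" -lt 0 ] && gap=$(( -gap ))
    [ $(( gap * 100 )) -gt $(( $1 * $3 )) ]
}

# Trust files: print the active entries of a hosts.equiv or .rhosts file.
# A bare "+" (trust every host, or every user on a host) is flagged explicitly.
trust_entries() {
    awk '/^[[:space:]]*(#|$)/ { next }
         $1 == "+" || $2 == "+" { print "WILDCARD: " $0; next }
         { print }' "$1"
}

# Run against the live system:  sh unix-triage.sh --live   (as root)
if [ "${1:-}" = "--live" ]; then
    echo "inetd processes: $(ps -eo comm | count_inetd -)"
    echo "accounts without a password:"; accounts_without_password /etc/shadow
    echo "setuid/setgid files:"; list_setuid_setgid /
    echo "regular files under /dev:"; regular_files_under_dev /dev
    echo "dot-named directories:"; dotdotdot_dirs /tmp; dotdotdot_dirs /var/tmp
    df_used=$(df -kP / | awk 'NR == 2 { print $3 }')
    du_used=$(du -skx / 2>/dev/null | awk '{ print $1 }')
    if df_du_gap_exceeds "$df_used" "$du_used" 10; then
        echo "df/du differ by more than 10%: df=$df_used KB, du=$du_used KB"
    fi
    for f in /etc/hosts.equiv /.rhosts /root/.rhosts; do
        if [ -f "$f" ]; then echo "$f:"; trust_entries "$f"; fi
    done
fi
```

Run it once on a known-good machine and keep the output; on a suspect machine, diff the new output against that baseline rather than reading it cold, since a list of every setuid binary means little without something to compare it to. Remember that a rootkit which replaces ps, find or du will lie to this script just as it lies to you, so treat a clean result from the compromised host's own tools as weak evidence.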

If you find anything suspicious, contact your local computer emergency response team for help checking the other hosts on the network and recovering the affected site.

