One
can draw the filename running processes
# pidof filename
2
can see the file or process tcp udp protocol
TCP port # fuser-n
3
can see the file modification time, size and other information
Stat filename #
4
to see loaded modules
# lsmod
5
to see rpc service open
# rpcinfo-P
6
to see whether the card promiscuous mode (promiscuous mod)
# dmesg | grep eth0
can draw the filename running processes
# pidof filename
2
can see the file or process tcp udp protocol
TCP port # fuser-n
3
can see the file modification time, size and other information
Stat filename #
4
to see loaded modules
# lsmod
5
to see rpc service open
# rpcinfo-P
6
to see whether the card promiscuous mode (promiscuous mod)
# dmesg | grep eth0
7
to see whether the command is changed, the same as the md5sum
# rpm-Vf / bin / ls
rpm-Vf / bin / PS normally no output, or output SM5 .... T / bin / su and the like prompted
if the rpm database is not modified reliable, and only through the network or if cdrom in the rpm database to compare
, such as: rpm-Vvp ftp://mirror.site/dir/RedHat/RPMS/fileutils-3.16-10.i386.rpm
the following commonly used commands need to check
/ usr / bin / chfn
usr / bin / chsh
/ bin / login
/ bin / ls
/ usr / bin / passwd
/ bin / PS
/ usr / bin / top
/ usr / sbin / in.rshd
/ bin / netstat
/ sbin / ifconfig
/ usr / sbin / syslogd
/ usr / sbin / inetd
/ usr / sbin / tcpd
/ usr / bin / killall
/ sbin / pidof
/ usr / bin / Find
to see whether the command is changed, the same as the md5sum
# rpm-Vf / bin / ls
rpm-Vf / bin / PS normally no output, or output SM5 .... T / bin / su and the like prompted
if the rpm database is not modified reliable, and only through the network or if cdrom in the rpm database to compare
, such as: rpm-Vvp ftp://mirror.site/dir/RedHat/RPMS/fileutils-3.16-10.i386.rpm
the following commonly used commands need to check
/ usr / bin / chfn
usr / bin / chsh
/ bin / login
/ bin / ls
/ usr / bin / passwd
/ bin / PS
/ usr / bin / top
/ usr / sbin / in.rshd
/ bin / netstat
/ sbin / ifconfig
/ usr / sbin / syslogd
/ usr / sbin / inetd
/ usr / sbin / tcpd
/ usr / bin / killall
/ sbin / pidof
/ usr / bin / Find
8
has confirmed that if the check is being hacked machine, the perfect proposal:
1.dd a backup hard drive
2.mount a drive, above the static-compiled program ls ps netstat and other common tools
3. nc to step out with to the remote machine
has confirmed that if the check is being hacked machine, the perfect proposal:
1.dd a backup hard drive
2.mount a drive, above the static-compiled program ls ps netstat and other common tools
3. nc to step out with to the remote machine
9
with the md5sum file to save a global
find / sbin-type f | xargs md5sum> 1st
check changed
md5sum-c 1st | grep OK
with the md5sum file to save a global
find / sbin-type f | xargs md5sum> 1st
check changed
md5sum-c 1st | grep OK
10
to avoid the attack machine has been too much writing, you can:
1. 192.168.20.191 on another machine running on the
nc-L-p 1234> some_audit_output.log Note that L is the capital, permanently listen
2 attack machine run
command | nc 192.168.20.191 1234
or
script> / mnt / export.log
after testing with the ctrl + d to save records
to avoid the attack machine has been too much writing, you can:
1. 192.168.20.191 on another machine running on the
nc-L-p 1234> some_audit_output.log Note that L is the capital, permanently listen
2 attack machine run
command | nc 192.168.20.191 1234
or
script> / mnt / export.log
after testing with the ctrl + d to save records
11
way through the process of looking for suspicious programs:
1.netstat-anp this step depends mainly on experience, to suspect all recorded
2 cd into the directory memory / proc/3299
3. ls-la, you can see the general execute exe file path,
4 re-entry to view the file handle fd directory, thus you can generally find the execution
5.ps-awx to observe the process again just suspicious
way through the process of looking for suspicious programs:
1.netstat-anp this step depends mainly on experience, to suspect all recorded
2 cd into the directory memory / proc/3299
3. ls-la, you can see the general execute exe file path,
4 re-entry to view the file handle fd directory, thus you can generally find the execution
5.ps-awx to observe the process again just suspicious
12
If the hacker to delete the log:
1 Find all the logs are not removed completely, such as history, sniffer logs
2./proc/pid/fd directory prompt files have been removed
l-wx - 1 root root 64 Aug 10 20:54 15 -> / var / log / httpd / error_log (deleted)
L-WX - 1 root root 64 Aug 10 20:54 18 -> / var / log / httpd / ssl_engine_log (deleted)
L-WX - 1 root root 64 Aug 10 20:54 19 -> / var/log/httpd/ssl_mutex.800 (deleted)
L-WX - 1 root root 64 Aug 10 20:54 20 -> / var / log / httpd / access_log (deleted)
L-WX - 1 root root 64 Aug 10 20:54 21 -> / var / log / httpd / access_log (deleted)
L-WX - 1 root root 64 Aug 10 20:54 22 -> / var / log / httpd / ssl_request_log (deleted)
L-WX - 1 root root 64 Aug 10 20:54 23 -> / var/log/httpd/ssl_mutex.800 (deleted)
lrwx - 1 root root 64 Aug 10 20: 54 3 -> / var/run/httpd.mm.800.sem (deleted)
lrwx - 1 root root 64 Aug 10 20:54 4 -> / var / log / httpd / ssl_scache.sem (deleted)
If the hacker to delete the log:
1 Find all the logs are not removed completely, such as history, sniffer logs
2./proc/pid/fd directory prompt files have been removed
l-wx - 1 root root 64 Aug 10 20:54 15 -> / var / log / httpd / error_log (deleted)
L-WX - 1 root root 64 Aug 10 20:54 18 -> / var / log / httpd / ssl_engine_log (deleted)
L-WX - 1 root root 64 Aug 10 20:54 19 -> / var/log/httpd/ssl_mutex.800 (deleted)
L-WX - 1 root root 64 Aug 10 20:54 20 -> / var / log / httpd / access_log (deleted)
L-WX - 1 root root 64 Aug 10 20:54 21 -> / var / log / httpd / access_log (deleted)
L-WX - 1 root root 64 Aug 10 20:54 22 -> / var / log / httpd / ssl_request_log (deleted)
L-WX - 1 root root 64 Aug 10 20:54 23 -> / var/log/httpd/ssl_mutex.800 (deleted)
lrwx - 1 root root 64 Aug 10 20: 54 3 -> / var/run/httpd.mm.800.sem (deleted)
lrwx - 1 root root 64 Aug 10 20:54 4 -> / var / log / httpd / ssl_scache.sem (deleted)
3 static compiled lsof | grep deleted see what was deleted
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
gpm 1650 root 1U REG 8,2 5 149743 / var/run/gpm208raa (deleted)
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
gpm 1650 root 1U REG 8,2 5 149743 / var/run/gpm208raa (deleted)
4. Get file inode number, here is the 149 743
5. sleuthkit tool used to restore,
df / var come to the hard disk location is sda1
ICAT / dev/sda1 149 743
6. to restore the file you look closely, you can find traces of a general
5. sleuthkit tool used to restore,
df / var come to the hard disk location is sda1
ICAT / dev/sda1 149 743
6. to restore the file you look closely, you can find traces of a general
This will make the program difficult to analyze compiled
GCC -04-evil.c-O Evil
strip. / Evil
GCC -04-evil.c-O Evil
strip. / Evil
1.file view the file type, whether static compilation, is strip off
2.strings display program asicc string by string and then google to find
3.strace is to track the system calls (this does not know how to use) strace -P PID
4.gdb (will not be good because more)
2.strings display program asicc string by string and then google to find
3.strace is to track the system calls (this does not know how to use) strace -P PID
4.gdb (will not be good because more)
13
process where some process is not shown, but in / proc are traces, comparable to find hidden processes
proc pseudo file system for / dev / kmem interface provides a structured, easy system diagnostics and look at each running executable environment
# PS-ef | awk '{Print $ 2}' | sort-n | uniq> 1
# ls / PORC | sort-n | uniq> 2
# diff 1 2
process where some process is not shown, but in / proc are traces, comparable to find hidden processes
proc pseudo file system for / dev / kmem interface provides a structured, easy system diagnostics and look at each running executable environment
# PS-ef | awk '{Print $ 2}' | sort-n | uniq> 1
# ls / PORC | sort-n | uniq> 2
# diff 1 2
14
emergency tool tct, there are many tools, including icat other data recovery
if the evidence in the attack machine, you can mount a hard disk, you can also backup to a network, the method:
A. machines in the network run nc-L-p 1234 > abc.img
B. chicken run dd if = / dev/hdb5 count 20000 bs = 1024 | nc 192.168.0.1 1234-w 3
if the backup is too large, you can listen on multiple ports, perform multiple dd to copy, and then file merge cat 2>> 1.img
emergency tool tct, there are many tools, including icat other data recovery
if the evidence in the attack machine, you can mount a hard disk, you can also backup to a network, the method:
A. machines in the network run nc-L-p 1234 > abc.img
B. chicken run dd if = / dev/hdb5 count 20000 bs = 1024 | nc 192.168.0.1 1234-w 3
if the backup is too large, you can listen on multiple ports, perform multiple dd to copy, and then file merge cat 2>> 1.img
15
ldd executable program can display depends on a dynamic library, but libraries can not be shown indirectly dependent on
[root @ rh9bk root] # ldd / bin / ls
libtermcap.so.2 => / lib/libtermcap.so.2 (0 × 40.022 million)
libc.so.6 => / lib/tls/libc.so.6 (0 × 42000000)
/ lib/ld-linux.so.2 => / lib/ld-linux.so.2 (0 × 40 million)
strace tool is a debugging tool that can show a program in the implementation process of all system calls,
[root @ rh9bk root] # strace-eOpen / bin / ls> / dev / null
Open ("/ etc / ld . so.preload ", O_RDONLY) = -1 ENOENT (No. such file or Directory)
Open ("/ etc / ld.so.cache", O_RDONLY) = 3
Open ("/ lib/libtermcap.so.2", O_RDONLY ) = 3
Open ("/ lib/tls/libc.so.6", O_RDONLY) = 3
Open ("/ usr / lib / locale / locale-Archive", O_RDONLY | O_LARGEFILE) = 3
Open (".", O_RDONLY | O_NONBLOCK | O_LARGEFILE | O_DIRECTORY) = 3
Open ("/ etc / mtab", O_RDONLY) = 3
Open ("/ proc / meminfo", O_RDONLY) = 3
ldd executable program can display depends on a dynamic library, but libraries can not be shown indirectly dependent on
[root @ rh9bk root] # ldd / bin / ls
libtermcap.so.2 => / lib/libtermcap.so.2 (0 × 40.022 million)
libc.so.6 => / lib/tls/libc.so.6 (0 × 42000000)
/ lib/ld-linux.so.2 => / lib/ld-linux.so.2 (0 × 40 million)
strace tool is a debugging tool that can show a program in the implementation process of all system calls,
[root @ rh9bk root] # strace-eOpen / bin / ls> / dev / null
Open ("/ etc / ld . so.preload ", O_RDONLY) = -1 ENOENT (No. such file or Directory)
Open ("/ etc / ld.so.cache", O_RDONLY) = 3
Open ("/ lib/libtermcap.so.2", O_RDONLY ) = 3
Open ("/ lib/tls/libc.so.6", O_RDONLY) = 3
Open ("/ usr / lib / locale / locale-Archive", O_RDONLY | O_LARGEFILE) = 3
Open (".", O_RDONLY | O_NONBLOCK | O_LARGEFILE | O_DIRECTORY) = 3
Open ("/ etc / mtab", O_RDONLY) = 3
Open ("/ proc / meminfo", O_RDONLY) = 3
strace-O out Telnet 192.168.100.100
O parameter is meant is the strace output information generated to the out file, the file name is free to develop.
We open out file system calls will find a lot of information, open our main concern is the system call information, open is used to open the file, not only with the first open call to open the dynamic library to read the configuration file uses the open, Therefore, the use sed to write a simple script file can be output out of all the open information
sed-n-e '/ ^ open / p' out
output is as follows:
Open ("/ etc / ld.so.preload", O_RDONLY) = -1 ENOENT (No. such file or Directory)
Open ("/ etc / ld.so.cache", O_RDONLY) = 3
Open ("/ lib/libutil.so.1", O_RDONLY) = 3
Open ("/ usr / lib/libncurses.so.5 ", O_RDONLY) = 3
Open ("/ lib/i686/libc.so.6", O_RDONLY) = 3
Open ("/ etc / resolv.conf", O_RDONLY) = 3
Open ( "/ etc / nsswitch.conf", O_RDONLY) = 3
Open ("/ etc / ld.so.cache", O_RDONLY) = 3
Open ("/ lib/libnss_files.so.2", O_RDONLY) = 3
Open (" / etc / Services ", O_RDONLY) = 3
Open ("/ etc / host.conf", O_RDONLY) = 3
Open ("/ etc / hosts", O_RDONLY) = 3
Open ("/ etc / ld.so.cache" , O_RDONLY) = 3
Open ("/ lib/libnss_nisplus.so.2", O_RDONLY) = 3
Open ("/ lib/libnsl.so.1", O_RDONLY) = 3
Open ("/ var / NIS / NIS_COLD_START", O_RDONLY) = -1 ENOENT (No. such file or Directory)
Open ("/ etc / ld.so.cache", O_RDONLY) = 3
Open ("/ lib/libnss_dns.so.2", O_RDONLY) = 3
Open (" / lib/libresolv.so.2 ", O_RDONLY) = 3
Open ("/ etc / Services", O_RDONLY) = 3
Open ("/ root / .telnetrc", O_RDONLY) = -1 ENOENT (No. such file or Directory)
open ("/ usr / share / terminfo / l / linux", O_RDONLY) = 4
can be found from the output of ldd does not show up a few libraries
/ lib/libnss_dns.so.2, /
lib/libresolv.so.2,
/ lib/libnsl.so.1,
/ lib/libnss_nisplus.so.2,
/ lib/libnss_files.so.2
O parameter is meant is the strace output information generated to the out file, the file name is free to develop.
We open out file system calls will find a lot of information, open our main concern is the system call information, open is used to open the file, not only with the first open call to open the dynamic library to read the configuration file uses the open, Therefore, the use sed to write a simple script file can be output out of all the open information
sed-n-e '/ ^ open / p' out
output is as follows:
Open ("/ etc / ld.so.preload", O_RDONLY) = -1 ENOENT (No. such file or Directory)
Open ("/ etc / ld.so.cache", O_RDONLY) = 3
Open ("/ lib/libutil.so.1", O_RDONLY) = 3
Open ("/ usr / lib/libncurses.so.5 ", O_RDONLY) = 3
Open ("/ lib/i686/libc.so.6", O_RDONLY) = 3
Open ("/ etc / resolv.conf", O_RDONLY) = 3
Open ( "/ etc / nsswitch.conf", O_RDONLY) = 3
Open ("/ etc / ld.so.cache", O_RDONLY) = 3
Open ("/ lib/libnss_files.so.2", O_RDONLY) = 3
Open (" / etc / Services ", O_RDONLY) = 3
Open ("/ etc / host.conf", O_RDONLY) = 3
Open ("/ etc / hosts", O_RDONLY) = 3
Open ("/ etc / ld.so.cache" , O_RDONLY) = 3
Open ("/ lib/libnss_nisplus.so.2", O_RDONLY) = 3
Open ("/ lib/libnsl.so.1", O_RDONLY) = 3
Open ("/ var / NIS / NIS_COLD_START", O_RDONLY) = -1 ENOENT (No. such file or Directory)
Open ("/ etc / ld.so.cache", O_RDONLY) = 3
Open ("/ lib/libnss_dns.so.2", O_RDONLY) = 3
Open (" / lib/libresolv.so.2 ", O_RDONLY) = 3
Open ("/ etc / Services", O_RDONLY) = 3
Open ("/ root / .telnetrc", O_RDONLY) = -1 ENOENT (No. such file or Directory)
open ("/ usr / share / terminfo / l / linux", O_RDONLY) = 4
can be found from the output of ldd does not show up a few libraries
/ lib/libnss_dns.so.2, /
lib/libresolv.so.2,
/ lib/libnsl.so.1,
/ lib/libnss_nisplus.so.2,
/ lib/libnss_files.so.2
strace-o aa-ff-p PID will have more than one file name starts with aa
grep open aa * | grep-v-e No-e null-e denied | grep WR call to open the file to view information.
16
should log to the log host steps:
a.vi / etc / syslog.conf *.* @ 192.168.20.163 192.168.20.163 all logs sent to
syslog restart b.service
C. In 192.168.20.163 installation kiwisyslogd
D. Remote landing, deliberately enter the wrong password, you can see immediately the alarm log host, you can also observe the tcpdump port 514
should log to the log host steps:
a.vi / etc / syslog.conf *.* @ 192.168.20.163 192.168.20.163 all logs sent to
syslog restart b.service
C. In 192.168.20.163 installation kiwisyslogd
D. Remote landing, deliberately enter the wrong password, you can see immediately the alarm log host, you can also observe the tcpdump port 514
17
If you know the hacker is 0927 invasion, is:
Touch-T 09.27 million / tmp / a
Find / \ (-newer / tmp / a-O-cnewer / tmp / a \)-L
so that files created the day to change and are listed out
If you know the hacker is 0927 invasion, is:
Touch-T 09.27 million / tmp / a
Find / \ (-newer / tmp / a-O-cnewer / tmp / a \)-L
so that files created the day to change and are listed out
18
full disk copy
dd if = / dev / sda of = / dev / sdb bs = 1024
partition copy tested
dd if = / dev/sda1 of = / abc bs = 1024 This is stored in the root partition with mount view is sda2
boot another linux
type: mount / dev/sda2 / mnt
where you can see just the abc file, enter: mount aa / tmp-o loop
image seen here is just the contents of the file
full disk copy
dd if = / dev / sda of = / dev / sdb bs = 1024
partition copy tested
dd if = / dev/sda1 of = / abc bs = 1024 This is stored in the root partition with mount view is sda2
boot another linux
type: mount / dev/sda2 / mnt
where you can see just the abc file, enter: mount aa / tmp-o loop
image seen here is just the contents of the file
19 find
find the file specified character (binary test that can also be found, is after the contents of the strings)
Find / tmp-type f-Exec grep "no exist" {} \;-Print
find the file specified character (binary test that can also be found, is after the contents of the strings)
Find / tmp-type f-Exec grep "no exist" {} \;-Print
find / etc / rc.d-name '* crond'-exec file {};
Find / etc / rc.d directory for all files ending with crond, and use the file command to view its properties, attention: exec and a space between the file, file, and is a space between {}, file and; between is a space; as a whole.
20
, No. kill-SIGSEGV process will produce a core file, the information can be seen with strings, with a c program can rebuild the executable program, study / unix / save a next article. Test did not produce core, for unspecified reasons.
, No. kill-SIGSEGV process will produce a core file, the information can be seen with strings, with a c program can rebuild the executable program, study / unix / save a next article. Test did not produce core, for unspecified reasons.