SoFunction
Updated on 2025-04-07

The fastest way to detect whether Unix is hacked


Updated: October 24, 2006 00:00:00 Author:

Identifying whether a Unix system has been hacked takes considerable skill, but there are also some very simple methods. The simple way is to check the system log, the process table and the file system for "strange" messages, processes or files. For example:

  • Two running inetd processes (there should be only one);
  • .ssh running with root's EUID rather than root's UID;
  • Core files of RPC services under "/";
  • New setuid/setgid programs;
  • Files that grow rapidly in size;
  • Results of df and du that do not agree;
  • Monitors such as perfmeter, top, BMC Patrol or SNMP (these are monitoring programs) that do not match the results of vmstat/ps, or network traffic much higher than usual;
  • Regular files and directory entries under /dev, especially ones that seem to have normal names;
  • Abnormal or password-free accounts in /etc/passwd and /etc/shadow;
  • Strange file names in /tmp, /var/tmp and other writable directories. "Strange" here means names similar to "..." (three dots). If you find such a name and it is actually a directory, your system most likely has a problem.

Also check /.rhosts, /etc/, /.ssh/known_hosts and ~/.rhosts for inappropriate new entries. In addition, pay close attention to hidden trust relationships. For example, how are hosts mounted on NFS? Which hosts have .hosts, .stops and entries about other hosts? Which hosts have a .netrc file? With whom does this host share a network segment? You should continue to investigate these.

Attackers usually do not compromise just one host; they jump from one host to another, hide their traces and open as many backdoors as possible. If you find anything suspicious, contact your local computer emergency response team for help checking other hosts on the network and restoring damaged sites.
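Several of the checks listed above, written as read-only shell helpers. This is an added example, not part of the original article; the function names, the `--live` switch and the baseline file of known setuid/setgid paths are assumptions of the example.

```shell
#!/bin/sh
# Added example: read-only triage helpers for a few items from the checklist.
# Function names and the --live switch are this example's own.

# Count processes with the given name in `ps -e -o comm=` output read from stdin.
count_procs() {
    awk -v name="$1" '{ n = $1; sub(/.*\//, "", n); if (n == name) c++ }
                      END { print c + 0 }'
}

# Accounts whose password field is empty in a passwd- or shadow-format file.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Regular files under a device directory (-xdev skips other mounts such as /dev/shm).
regular_files_in_dev() {
    find "$1" -xdev -type f 2>/dev/null | LC_ALL=C sort
}

# Directories named "..." (or starting with it) under the given writable dirs.
dot_named_dirs() {
    find "$@" -xdev -type d -name '...*' 2>/dev/null | LC_ALL=C sort
}

# setuid/setgid files under $1 that are absent from the sorted baseline list $2.
new_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        LC_ALL=C sort | LC_ALL=C comm -23 - "$2"
}

# Live run: sh triage.sh --live /path/to/setid.baseline   (run as root)
if [ "${1:-}" = "--live" ]; then
    n=$(ps -e -o comm= | count_procs inetd)
    [ "$n" -gt 1 ] && echo "inetd: $n processes running (expected 1)"
    for f in /etc/passwd /etc/shadow; do
        [ -r "$f" ] && empty_password_accounts "$f" | sed "s|^|empty password in $f: |"
    done
    regular_files_in_dev /dev | sed 's|^|regular file in /dev: |'
    dot_named_dirs /tmp /var/tmp | sed 's|^|suspicious directory: |'
    [ -r "${2:-}" ] && new_setid_files / "$2" | sed 's|^|new setuid/setgid: |'
    exit 0
fi
```

The baseline is a list of setuid/setgid paths recorded while the host was known to be clean and sorted with `LC_ALL=C sort`; keep it off the host being examined.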