1.1 System Check
1. Port Check
This is mainly used to check which ports are open on the server and which IP addresses are establishing connections.
View all TCP connections
    netstat -tnlpa
View UDP connections
    netstat -unlpa
lsof also shows port connections, and in addition lists half-open connections initiated from this host, such as the outgoing traffic of a DoS attack launched from a compromised machine.
    lsof -i:22 -PnR
List TCP or UDP information
    lsof -i tcp
    lsof -i udp
View the corresponding information for the PID process, such as which files are loaded
    lsof -p PID
2. Key File Check
DNS configuration file, as well as the static resolution of the host and IP.
    /etc/resolv.conf
HOSTS file, binding of domain names and IP.
    /etc/hosts
The following two files are mainly used for passwordless login. The command below generates a public/private key pair; once the private key is uploaded to the target, passwordless login is possible.
    ssh-keygen -t rsa -P ''
Public key file check
    /root/.ssh/*.pub
Private key file check
    /root/.ssh/id_rsa
3. Service Check
For CentOS 7 and Ubuntu, the following command lists which services are currently running
    systemctl | grep -E "\.service.*running"
Only display service names
    systemctl | grep -E "\.service.*running" | awk -F. '{ print $1 }'
For CentOS 6, the following commands check service status
    chkconfig --list | grep on
    service --status-all
4. Startup Item Check
Check scheduled tasks. When -u is omitted, the scheduled tasks of the current user (root, when the check is run as root) are shown.
    crontab -u user -l
View asynchronous scheduled tasks
    cat /etc/anacrontab
Scheduled task configuration files are saved in paths starting with /etc/cron*, categorized by day, week, and month.
    more /etc/cron*
Linux startup consists of two major steps: loading startup scripts from the /etc/rc(0-6).d directory according to the run level; then loading /etc/rc.local.
Files under /etc/rc(0-6).d are actually soft links to files under /etc/init.d/, with S indicating startup scripts and K indicating stop scripts.
    more /etc/rc.local
5. Process Check
View currently running processes, including executable file paths, PID/PPID
    ps -ef
    ps aux
Display real-time process status. Add -d 1 to change the refresh interval to 1 second (the default is 3 seconds).
    top
After the top command, press uppercase P to sort by CPU
After the top command, press uppercase M to sort by memory.
Press q to exit top.
Display all process information only once
    top -b -n 1
View the executable file path of a given process; /proc/[pid]/exe is a soft link to the real file
    ls -al /proc/[pid]/exe
6. User Investigation
View logged-in users
    w
Check whether any user has UID 0. This step mainly checks whether an attacker has cloned a superuser account to log in with.
    more /etc/passwd | egrep -v '^#|^(
If an attacker wants to log in with root privileges without knowing the root password, they can create a user and modify the UID and GID in the passwd file to both be 0.
Check for users with the same UID, which is also to prevent cloned users
    awk -F: '{a[$3]++}END{for(i in a)if(a[i]>1)print i}' /etc/passwd
View which users can log in. Look at whether the entries in /etc/passwd end with /bin/bash or /bin/sh, since that means the user can log in and execute commands in that shell.
    cat /etc/passwd | grep -E "/bin/(bash|sh)$" | awk -F: '{print $1}'
Check for empty passwords in /etc/shadow. The shadow file holds the password hashes; if the second column is empty, the account has no password.
    gawk -F: '($2=="") {print $1}' /etc/shadow
Investigate whether empty password login is allowed
    more /etc/ssh/sshd_config | grep PermitEmptyPassword | grep -v "#"
Investigate whether users other than root are in the root group, which is really a check for entries with GID 0
    more /etc/group | grep -v '^#' | gawk -F: '{if ($1!="root"&&$3==0) print $1}'
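As an added example (not part of the original checklist), the UID 0, duplicate-UID and login-shell checks above combined into shell functions and run against a constructed passwd file; the sample accounts and function names are assumptions.

```shell
# Added example, not from the original checklist: the UID-0, duplicate-UID and
# login-shell checks as functions. The passwd entries below are constructed; on a
# real host pass /etc/passwd instead of the sample file.

# Write a constructed passwd file and print its path.
make_sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:x:0:0:cloned superuser:/tmp:/bin/sh
alt:x:1000:1000:duplicate uid:/home/alt:/bin/sh
EOF
    echo "$f"
}

# Accounts with UID 0 other than root: a cloned superuser.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# UIDs shared by more than one account, lowest first.
duplicate_uids() {
    awk -F: '{ a[$3]++ } END { for (i in a) if (a[i] > 1) print i }' "$1" | sort -n
}

# Accounts whose login shell is bash or sh, i.e. they can run commands interactively.
login_shell_accounts() {
    awk -F: '$7 ~ /\/bin\/(ba)?sh$/ { print $1 }' "$1"
}

# Run all three checks against one file.
audit_passwd() {
    echo "UID 0 accounts besides root:"; uid0_accounts "$1"
    echo "Duplicate UIDs:";              duplicate_uids "$1"
    echo "Interactive login shells:";    login_shell_accounts "$1"
}

sample=$(make_sample_passwd)
audit_passwd "$sample"
rm -f "$sample"
```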
7. Command History Check
This is useful for both emergency response and penetration testing.
History of downloaded scripts: scripts fetched via wget/curl with the extensions sh/pl/py.
    more /root/.bash_history | grep -E "((wget|curl).*\.(sh|pl|py))" | grep -v grep
History of added accounts
    history | egrep "(useradd|groupadd)" | grep -v grep
History of deleted accounts
    history | egrep "(userdel|groupdel)" | grep -v grep
Suspicious historical commands: operations related to intrusion scanning. Such tools are unlikely to be installed on the target server itself, since attackers generally run them through proxies.
    history | grep -E "(whois|sqlmap|nmap|beef|nikto|john|ettercap|backdoor|proxy|msfconsole|msf)" | grep -v grep
History of files downloaded to the local PC. sz transfers files from the server to the local machine, which is very convenient.
    history | grep sz | grep -v grep | awk '{print $3}'
Database operation history commands
    more /root/.mysql_history
8. File Integrity Check
This mainly focuses on critical system files, as replacing critical files is a common method used by rootkits to hide, such as ifconfig/ls/cat/netstat.
Replacing netstat/lsof can filter out and not display virus processes and connections when used.
Replacing ls can hide virus files when viewing files.
Find the file locations and compute MD5 hashes to submit to threat intelligence platforms for checking
    whereis netstat
    md5sum /usr/bin/netstat
Enumerate files in system folders, check files modified within the last seven days
    find /usr/bin/ /usr/sbin/ /bin/ /usr/local/bin/ -type f -mtime -7
Use rkhunter for scanning; it checks system commands (binaries), including MD5 verification. Some alerts may appear when it is used, but these are generally fixed false positives, mostly related to MD5 check issues.
    wget -O rkhunter-1.4.6.tar.gz https://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz/download
    tar -zxvf rkhunter-1.4.6.tar.gz
    cd rkhunter-1.4.6
    ./installer.sh --install
    rkhunter -c
chkrootkit
    wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
    tar zxvf chkrootkit.tar.gz
    cd chkrootkit-0.52
    make sense
    ./chkrootkit    # run the check if compilation produced no errors
1.2 Log Analysis
Successful logins
    more /var/log/secure* | grep "Accepted password"
Failed logins
    more /var/log/secure* | grep "Failed password"
Local login status
    more /var/log/secure* | grep -E "sshd:session.*session opened"
New users
    more /var/log/secure* | grep "new user"
File transfers; this actually detects use of the sz and rz commands to transfer files
    more /var/log/message* | grep "ZMODEM:.*BPS"
In addition to the above, the following commands also check login logs. Their log files are stored in binary form and cannot be viewed directly.
    Command   Log File           Function
    last      /var/log/wtmp      All successful login/logout history
    lastb     /var/log/btmp      Failed login attempts
    lastlog   /var/log/lastlog   Last login record for all users
All user login logs
    last | grep pts | grep -vw :0
Scheduled task logs. These are stored by date, so there are several files to check; they record the historical execution of scheduled tasks.
    more /var/log/cron*
Scheduled script execution, mainly check py/sh/pl script execution
    more /var/log/cron* | grep -E "\.py|\.sh|\.pl"
Software installation status, can check if an attacker has installed new programs.
    more /var/log/yum* | grep Installed
Software uninstallation status
    more /var/log/yum* | grep Erased
Check for suspicious tool installations, looking for keywords such as nc/nmap
    more /var/log/yum* | awk -F: '{print $NF}' | awk -F '[-]' '{print $1}' | sort | uniq | grep -E "(^nc|sqlmap|nmap|beef|nikto|john|ettercap|backdoor|proxy|msfconsole|msf)"
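As an added example (not part of the original checklist), the "Failed password" and "Accepted password" greps above correlated per source IP so that a brute force that ended in a successful login stands out; the sshd lines and function names are constructed assumptions.

```shell
# Added example, not from the original checklist: correlate the "Failed password" and
# "Accepted password" lines grepped above to spot a brute force that ended in a
# successful login. The sshd lines are constructed; on a real host read /var/log/secure*.

# Write constructed sshd log lines and print the file path.
make_sample_secure() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  3 02:10:01 web1 sshd[2100]: Failed password for root from 203.0.113.9 port 40122 ssh2
Mar  3 02:10:03 web1 sshd[2100]: Failed password for root from 203.0.113.9 port 40123 ssh2
Mar  3 02:10:05 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 40124 ssh2
Mar  3 02:10:09 web1 sshd[2102]: Accepted password for root from 203.0.113.9 port 40130 ssh2
Mar  3 08:15:22 web1 sshd[2310]: Accepted publickey for alice from 198.51.100.4 port 51000 ssh2
Mar  3 09:00:00 web1 sshd[2400]: Failed password for alice from 198.51.100.4 port 51010 ssh2
EOF
    echo "$f"
}

# Failed password attempts per source IP as "ip:count", most frequent first.
# The IP is the word after "from", which handles both "for root from" and
# "for invalid user admin from".
failed_by_ip() {
    grep 'Failed password' "$1" \
        | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2 ":" $1 }'
}

# IPs with at least $2 failures that also have an "Accepted password" line.
bruteforce_success() {
    failed_by_ip "$1" | awk -F: -v t="$2" '$2 >= t { print $1 }' | while read -r ip; do
        grep 'Accepted password' "$1" | grep -qF " from $ip " && echo "$ip"
    done
}

log=$(make_sample_secure)
echo "Failed attempts per IP:";          failed_by_ip "$log"
echo "Brute force followed by success:"; bruteforce_success "$log" 3
rm -f "$log"
```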
1.3 Techniques
Monitor processes communicating with a target IP (replace [ip]).
    while true; do netstat -tnlpa | grep [ip]; sleep 1; done
Find files with a .php extension modified in the last seven days (-mtime -7 means less than seven days ago; +7 would mean more than seven days ago)
    find /var/www -mtime -7 -iname "*.php" | xargs ls -alt
Find files with a .php extension accessed in the last seven days. Note that even reading a file with cat updates this time.
    find /var/www -atime -7 -iname "*.php" | xargs ls -alt
Find files with a .php extension whose change time (ctime) is within the last seven days.
    find /var/www -ctime -7 -iname "*.php" | xargs ls -alt
1) When only reading or accessing a file, the access time changes, while the modify time and change time do not change.
2) When modifying file content, the modify time and change time will change, while the access time may not change.
3) When modifying file permission attributes, the change time changes, while the access time and modify time do not change.
File attributes, including the time attributes above, can be viewed with stat
    stat file
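As an added example (not part of the original checklist), rules 1) to 3) above demonstrated with stat: each probe creates a temporary file, runs one operation on it and reports which of the three timestamps changed. GNU stat on Linux is assumed, and the function names are my own.

```shell
# Added example, not from the original checklist: demonstrate rules 1) to 3) above by
# running one operation on a fresh temporary file and reporting which of the three
# timestamps stat shows as changed. GNU stat (Linux) is assumed.

# "atime mtime ctime" of a file as epoch seconds.
timestamps() {
    stat -c '%X %Y %Z' "$1"
}

# Compare two "atime mtime ctime" triples and name the fields that differ.
changed_fields() {
    echo "$1 $2" | awk '{
        n = 0
        if ($1 != $4) out[n++] = "atime"
        if ($2 != $5) out[n++] = "mtime"
        if ($3 != $6) out[n++] = "ctime"
        if (n == 0) { print "none"; next }
        for (i = 0; i < n; i++) printf "%s%s", (i ? "," : ""), out[i]
        print ""
    }'
}

# The operations to probe; each receives the file path.
op_read()  { cat "$1" > /dev/null; }
op_write() { echo data >> "$1"; }
op_chmod() { chmod 640 "$1"; }
op_none()  { :; }

# Create a file, wait past stat's one-second resolution, run the operation,
# and report which timestamps changed.
changes_after() {
    f=$(mktemp)
    before=$(timestamps "$f")
    sleep 1
    "$1" "$f"
    after=$(timestamps "$f")
    rm -f "$f"
    changed_fields "$before" "$after"
}

echo "read:  $(changes_after op_read)"    # atime, unless the mount uses noatime
echo "write: $(changes_after op_write)"   # mtime and ctime
echo "chmod: $(changes_after op_chmod)"   # ctime only
```

The read probe depends on the mount options: with relatime (the Linux default) a first read after creation does update atime, with noatime it never does, so an unchanged atime is not proof that nobody read the file.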