How to detect when Linux system is invaded?


If a Linux system is compromised, private data is likely to leak and the system itself is at risk. So how do you tell whether a system has been compromised? Regular inspection is necessary. This article explains how to check whether a Linux system has been compromised.

1. Check accounts

The code is as follows:

# less /etc/passwd   (read through the file and check whether a new user has been created)
# grep :0: /etc/passwd   (check for users whose UID and GID are 0)
# ls -l /etc/passwd   (check the file modification date)
# awk -F: '$3 == 0 {print $1}' /etc/passwd   (check for privileged users: every UID 0 account is root-equivalent, so anything besides root needs explaining)
# awk -F: 'length($2) == 0 {print $1}' /etc/shadow   (check for accounts with an empty password field, which can log in with no password at all)

2. Check the logs

The code is as follows:

# last   (history of all users who have logged in to this machine; compare the times and source hosts against what is normal for this system)

Note "entered promiscuous mode" messages: an interface put into promiscuous mode usually means a sniffer is running.

Note error messages.

Note Remote Procedure Call (rpc) programs with a log entry that includes a large number (> 20) of strange characters (-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM); runs of control characters in an rpc service's log are typical of buffer-overflow attempts against it.

3. Check processes

The code is as follows:

# ps aux   (note processes whose user is root, i.e. UID 0, and review any you cannot account for)
# lsof -p pid   (see the ports and files opened by the process)
# cat /etc/inetd.conf   (check for services an intruder has added; on systems using xinetd or systemd sockets instead of inetd, check /etc/xinetd.d/ and systemctl list-units --type=socket)

Note that all of these commands trust the system's own binaries. A rootkit that replaces ps, ls, lsof or awk will hide from them, so if you suspect a compromise, verify the binaries with the package manager or run the checks from known-good tools on rescue media.
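The three steps above wrapped into one script, as an added example that is not the article's own code. It runs the account and log checks against constructed sample files (the user names, hashes and log lines are made up for the demonstration; "backdoor" is the planted second UID 0 account with an empty password) so it can be tried offline; on a real host point PASSWD_FILE, SHADOW_FILE and LOG_FILE at /etc/passwd, /etc/shadow and /var/log/messages or your distribution's equivalent. The rpc check counts both raw non-printable bytes and the "^P"-style escapes syslog substitutes for them, which is an assumption about how the log was rendered.

```shell
#!/bin/sh
# Added example (not the article's code): the article's account, log and
# process checks as functions, run against constructed sample files.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
PASSWD_FILE="$SAMPLE_DIR/passwd"     # set to /etc/passwd on a real host
SHADOW_FILE="$SAMPLE_DIR/shadow"     # set to /etc/shadow on a real host
LOG_FILE="$SAMPLE_DIR/messages"      # set to /var/log/messages on a real host

# Constructed /etc/passwd: "backdoor" is a second UID 0 account.
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:x:0:0::/tmp:/bin/sh
EOF

# Constructed /etc/shadow: "backdoor" has an empty password field.
cat > "$SHADOW_FILE" <<'EOF'
root:$6$saltsalt$fakehash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$saltsalt$fakehash:19000:0:99999:7:::
backdoor::19000:0:99999:7:::
EOF

# Constructed syslog excerpt: a sniffer event and an rpc entry carrying
# 22 control characters (syslog renders a raw 0x10 byte as "^P").
JUNK=""; i=0
while [ "$i" -lt 22 ]; do JUNK="${JUNK}^PM-"; i=$((i + 1)); done
cat > "$LOG_FILE" <<EOF
Jan  1 10:00:01 host sshd[1234]: Accepted password for alice from 10.0.0.5 port 51234 ssh2
Jan  1 10:05:12 host kernel: device eth0 entered promiscuous mode
Jan  1 10:07:44 host rpc.statd[321]: gethostbyname error for ${JUNK}
Jan  1 10:09:03 host sshd[1300]: Accepted publickey for alice from 10.0.0.5 port 51300 ssh2
EOF

# Step 1: every UID 0 account is root-equivalent; anything besides "root" needs explaining.
uid0_accounts() {
    awk -F: '$3 == 0 {print $1}' "$PASSWD_FILE"
}

# Step 1: an empty second field in /etc/shadow means login with no password.
empty_password_accounts() {
    awk -F: 'length($2) == 0 {print $1}' "$SHADOW_FILE"
}

# Step 2: count "entered promiscuous mode" messages (a sniffer is the usual cause).
promiscuous_events() {
    awk '/entered promiscuous mode/ {c++} END {print c + 0}' "$LOG_FILE"
}

# Step 2: count rpc log entries with more than 20 control characters, either
# raw non-printable bytes or the ^P-style escapes syslog writes for them.
suspicious_rpc_entries() {
    awk 'tolower($0) ~ /rpc/ {
             n = gsub(/[^[:print:]]/, "&")
             n += gsub(/\^[@A-Z_]/, "&")
             if (n > 20) c++
         }
         END {print c + 0}' "$LOG_FILE"
}

# Step 3: processes running as root (what the article reads off "ps aux").
root_processes() {
    command -v ps >/dev/null 2>&1 || return 0
    ps -eo user,pid,comm | awk 'NR > 1 && $1 == "root"'
}

report() {
    echo "== UID 0 accounts ==";             uid0_accounts
    echo "== empty-password accounts ==";    empty_password_accounts
    echo "== passwd last modified ==";       ls -l "$PASSWD_FILE"
    echo "== promiscuous-mode events ==";    promiscuous_events
    echo "== suspicious rpc entries ==";     suspicious_rpc_entries
    echo "== processes running as root =="; root_processes
}

report
```

On the sample data the report lists root and backdoor as UID 0 accounts, backdoor as the only empty-password account, one promiscuous-mode event and one suspicious rpc entry; the process listing reflects whatever host the script runs on. The checks are deliberately kept as awk one-liners so they can be pasted into a rescue shell where nothing heavier is installed.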

Copyright © Windows knowledge All Rights Reserved