What should I do if the Linux server is attacked by a rootkit?


A rootkit is a type of malware that is often used together with other malicious programs such as Trojans, and Linux servers are a frequent target. What should you do after a Linux server has been compromised by a rootkit? This article walks through how to handle a Linux server after a rootkit attack.

As the IT industry has developed, security has become critical. The recent "PRISM" affair exposed many security problems and made information security an urgent concern. As an operations engineer you must understand some basic security operations guidelines, and to protect the business you are responsible for you must first look at the system from the attacker's perspective and fix any potential threats and vulnerabilities.

The following is a case study of how a server was handled after it was compromised by a rootkit. Rootkit attacks are among the most common attack methods against Linux systems.

1. Symptoms of the attack

The machine was a customer's portal server hosted in a telecom data centre. The customer received a notice from the telecom operator: the server was continuously sending packets and had exhausted its 100M bandwidth, so the operator had cut the server off from the network. The server ran CentOS 5.5 and exposed ports 80 and 22 to the Internet.

According to the customer, the website did not receive much traffic, so its normal bandwidth usage was low and could not possibly exhaust 100M of bandwidth. It was therefore very likely that the server was being used to generate attack traffic, so we logged in to the server for a detailed examination.

2. Preliminary analysis

With the help of the telecom staff, the server's network traffic was inspected at the switch, and it turned out that the host was actually scanning port 80 on external addresses. We then logged in to the system and ran "netstat -an" to check which ports the system had open. Strangely, no network connections related to port 80 were found. The "ps -ef" and "top" commands also showed no suspicious processes. At that point we began to suspect that a rootkit had been planted on the system.

To confirm whether the system had been infected with a rootkit, we compared the md5sum checksums of the ps, top and other commands on the web server against the same commands from a trusted installation of the same operating system version. Both commands had indeed been modified, so we concluded that the server had been compromised and a rootkit-level backdoor installed.

3. Analysing the system off the network

Because the server kept sending packets, the first step was to disconnect it from the network and then analyse the system logs to find the source of the attack. However, the system commands had been replaced, so any further operations performed with them on the system could not be trusted. There are two ways to avoid this. The first is to remove the server's hard disk and mount it on another, secure host for analysis. The second is to copy all of the commands from a trusted operating system of the same version into a directory on the compromised server, and then invoke each command by its full path in that directory. Here we used the second method.
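The checks described in sections 2 and 3 combined, as an added example that is not part of the original article: the live system's commands are compared by md5sum against copies taken from a trusted installation of the same OS version, and md5sum itself is taken from the trusted directory so that a replaced copy on the host is never used. The directory names are assumptions.

```sh
#!/bin/sh
# Added example: verify commands on a suspect host against trusted copies.
# Assumed layout: <trusted_dir> holds clean binaries copied from a trusted
# install of the same OS version (ideally including md5sum itself);
# <suspect_dir> is the directory on the compromised host being checked.

# Prefer the trusted md5sum; the host's own copy may have been replaced
# along with ps and top.  The fallback exists only for offline demonstration.
pick_md5sum() {
    if [ -x "$1/md5sum" ]; then
        printf '%s\n' "$1/md5sum"
    else
        printf '%s\n' "md5sum"
    fi
}

# hash_of <md5sum-binary> <file> -> prints the hex digest only.
# Uses only shell builtins for the split, so no extra host command is run.
hash_of() {
    set -- $("$1" "$2")
    printf '%s\n' "$1"
}

# check_command <trusted_dir> <suspect_dir> <name>
# Prints "OK <name>", "MODIFIED <name>" or "MISSING <name>";
# returns 0 when the two copies match and 1 otherwise.
check_command() {
    trusted="$1/$3"; suspect="$2/$3"
    md5=$(pick_md5sum "$1")
    if [ ! -f "$suspect" ]; then
        echo "MISSING $3"; return 1
    fi
    if [ "$(hash_of "$md5" "$trusted")" = "$(hash_of "$md5" "$suspect")" ]; then
        echo "OK $3"; return 0
    fi
    echo "MODIFIED $3"; return 1
}

# check_commands <trusted_dir> <suspect_dir> <name>...
# Checks every named command; the return value is the number of mismatches.
check_commands() {
    t="$1"; s="$2"; shift 2
    bad=0
    for name in "$@"; do
        check_command "$t" "$s" "$name" || bad=$((bad + 1))
    done
    return "$bad"
}

# On a real host (directory names assumed), starting with the commands the
# article names:  check_commands /root/trusted-bin /bin ps ls netstat
```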

We first checked the system's login log for suspicious login records by running the following command:

more /var/log/secure
