Some readers will have run into the problem of a server being hacked. After collecting and sorting through the relevant material, I have put together an approach to dealing with a hacked Linux server; I hope you get a lot out of it.
If you have all the right patches installed, have a tested firewall, and run intrusion detection systems at several levels, then there is only one case in which you will still be hacked: you were too lazy to do what needed to be done, for example installing the latest patch for BIND.
It is truly embarrassing to be hacked without knowing it. Worse, some scripts download well-known "rootkits" or popular spying tools, which eat up your CPU, memory, data and bandwidth. Where do these attackers start? It starts with the rootkit.
A rootkit is a package that attackers use to give themselves root-level access to your machine. Once an attacker can access your machine as root, it is all over. The only thing you can do is back up your data as quickly as possible, wipe the hard drive, and reinstall the operating system. In any case, once your machine has been taken over by someone, recovery is not an easy task.
Can you trust your ps command?
The first trick for finding a rootkit is to run the ps command. Everything you see may look normal. The illustration is an example of ps command output. The real question is, "Is everything really normal?" One trick attackers often use is to replace the ps command, and the replacement ps will not show the illegal programs running on your machine. To test this, check the size of your ps binary, which is usually located at /bin/ps. It is about 60kB on our Linux machine. I recently encountered a ps program that had been replaced by a rootkit; it was only about 12kB in size.
Another obvious trick is to link root's command history file to /dev/null. This command history file tracks and records the commands a user has used after logging in to a Linux machine. Attackers redirect your history file to /dev/null so that you cannot see the commands they have entered.
You can view your history by typing history at the shell prompt. If you run the history command and it does not list the commands you have used before, take a look at your ~/.bash_history file. If the file is empty, run ls -l ~/.bash_history. After you run that command you will see output similar to the following:
-rw------- 1 jd jd 13829 Oct 10 17:06 /home/jd/.bash_history
Or, you may see output similar to the following:
lrwxrwxrwx 1 jd jd 9 Oct 10 19:40 /home/jd/.bash_history -> /dev/null
If you see the second form, the .bash_history file has been redirected to /dev/null. This is a fatal sign: immediately disconnect your machine from the Internet, back up as much of your data as you can, and start reinstalling the system.
To deal with a hacked Linux server, you also need to find unknown user accounts:
When you are about to examine your Linux machine, it is wise to first check whether there are any unknown user accounts. The next time you log in to your Linux server, type the following command:
grep :x:0: /etc/passwd
There is only one line. I will emphasize it again: in a standard Linux installation, the grep command should return only one line, similar to the following:
root:x:0:0:root:/root:/bin/bash
If, after you type the grep command, your system returns more than one line, there may be a problem. There should be only one user whose UID is 0, and if the grep command returns more than one line, it means there is more than one such user. Seriously, these are good basic methods for discovering hacking behaviour, but these techniques alone do not constitute sufficient security; their depth and breadth fall far short of the intrusion detection systems mentioned at the start of the article.
That is the small knowledge point about dealing with a hacked Linux server.
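The following script is an added example, not code from the original article. It automates the three checks described above (the size of the ps binary, a history file linked to /dev/null, and accounts with UID 0) as POSIX sh functions that take the file to inspect as a parameter, so they can be run against copies taken from a suspect machine. The function names, the demo's passwd entries (including the invented "toor" account) and the use of readlink (coreutils/busybox, not strictly POSIX) are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: audit functions for the three
# rootkit indicators discussed above. Every check takes the file to inspect as
# a parameter so it can be pointed at copied files or a known-good reference.

# Check 1: count the accounts whose UID field (field 3 of passwd) is 0.
# A standard installation has exactly one: root. Matching on the field rather
# than on the string ":x:0:" also catches entries whose password field is not
# "x" (for example "*" or "!").
count_uid0_accounts() {
    awk -F: '$3 == 0 { n++ } END { print n + 0 }' "$1"
}

# Print the names of all UID 0 accounts, one per line.
list_uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Check 2: succeed (exit 0) when the given history file is a symbolic link
# whose target is /dev/null, the "lrwxrwxrwx ... -> /dev/null" case above.
history_is_nulled() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "/dev/null" ]
}

# Check 3: size in bytes of a binary such as /bin/ps, for comparison with a
# trusted copy (the article's machine had a ps of about 60kB).
file_size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Print a report for one host. Arguments default to the live system files;
# override them to audit files copied from a suspect machine.
audit_host() {
    passwd_file=${1:-/etc/passwd}
    history_file=${2:-$HOME/.bash_history}
    ps_binary=${3:-/bin/ps}

    n=$(count_uid0_accounts "$passwd_file")
    if [ "$n" -ne 1 ]; then
        echo "WARNING: $n UID 0 accounts in $passwd_file:"
        list_uid0_accounts "$passwd_file" | sed 's/^/  /'
    else
        echo "OK: one UID 0 account in $passwd_file"
    fi

    if history_is_nulled "$history_file"; then
        echo "WARNING: $history_file is linked to /dev/null"
    else
        echo "OK: $history_file is not linked to /dev/null"
    fi

    if [ -f "$ps_binary" ]; then
        echo "INFO: $ps_binary is $(file_size_bytes "$ps_binary") bytes; compare with a trusted copy"
    else
        echo "INFO: $ps_binary not found, skipping size check"
    fi
}

# Demonstration on constructed data (hypothetical accounts, not real users):
# a passwd file with a second UID 0 account and a history file linked to
# /dev/null. Nothing on the real system is touched.
demo_constructed() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'bin:x:1:1:bin:/bin:/sbin/nologin' \
        'jd:x:1000:1000:jd:/home/jd:/bin/bash' \
        'toor:x:0:0:backdoor:/root:/bin/sh' > "$dir/passwd"
    ln -s /dev/null "$dir/.bash_history"
    printf 'not really ps\n' > "$dir/ps"
    audit_host "$dir/passwd" "$dir/.bash_history" "$dir/ps"
    rm -rf "$dir"
}

demo_constructed
```

Two notes on using it. The UID check compares the numeric field, whereas the article's grep pattern ":x:0:" only matches entries whose password field is "x", so an added root-equivalent account with "*" or "!" in that field would slip past the grep but not the awk. And, as the article's own point about ps implies, an attacker with root may have replaced awk, ls or readlink as well; run these checks from a known-clean boot medium, and compare the ps size against what your package manager installed (for example rpm -V on RPM-based systems) rather than trusting any single number.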