netstat -an
Check which ports the system has open (listening sockets and active connections).
ps -ef
List the Linux processes that are running.
more /var/log/secure
Security information: system logins, authentication events and network connection records.
/var/log/wtmp
Records the login history; it is a binary file and must be read with last.
/etc/shadow
System password file; accounts whose password field begins with * or ! are locked and cannot log in with a password.
/var/log/messages
General system and error log.
who -u /var/log/wtmp
Show the logins recorded in wtmp, including each session's idle time.
/var/log/cron
cron (scheduled task) log.
crontab -l
Check the current user's scheduled tasks.
cat /etc/rc.local
Check whether any program or script is started automatically at boot.
id user
Show the user's information (UID, GID and group membership).
userdel user
Permanently delete the user account.
groupdel peter
Delete the group.
userdel -r peter
Delete the account and forcibly remove its home directory together with all files and subdirectories under it.
In the end the problem turned out to be the hostoadeL trojan.
Question: What is 'hostoadeL' command on ubuntu server? — running at 99%cpu
Answer: Check your /root/.ssh/authorized_keys, you have probably been hacked using a Redis exploit described in a recent post by Salvatore Sanfilippo (the creator of Redis) on his blog:
http://www.antirez.com/news/96
Measures:
Your Redis instance is most likely bound to the 0.0.0.0 IP. Do you really need that? 127.0.0.1 is usually enough for most cases. If you really need outside access, configure your firewall / security group properly.
Set up a password.
Disable SSH access to the root user (PermitRootLogin option).
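The three measures in the answer can be checked against copies of the config files. The script below is an added example, not part of the answer or of Redis; the config paths in the usage comment are placeholders and the inputs it expects are plain copies of redis.conf, sshd_config and authorized_keys.

```shell
#!/bin/sh
# Added example (not from the notes above): checks for the three "Measures"
# in the answer, written to run against copies of the config files so they
# can be reviewed offline. Paths in the usage comment are placeholders.

# Redis: flag a bind to all interfaces and a missing requirepass.
# Comments are stripped; Redis honours the last occurrence of a directive.
check_redis_conf() {
    bind=$(sed 's/#.*//' "$1" | awk '$1=="bind"{$1="";print}' | tail -n1)
    pass=$(sed 's/#.*//' "$1" | awk '$1=="requirepass"{print $2}' | tail -n1)
    if [ -z "$bind" ]; then
        echo "redis: no bind directive, listening on all interfaces"
    else
        for a in $bind; do
            case "$a" in
                0.0.0.0|'*'|::) echo "redis: bound to all interfaces ($a)" ;;
            esac
        done
    fi
    [ -n "$pass" ] || echo "redis: requirepass not set"
    return 0
}

# sshd: flag PermitRootLogin yes. sshd uses the first occurrence of a keyword.
check_sshd_config() {
    v=$(sed 's/#.*//' "$1" | awk 'tolower($1)=="permitrootlogin"{print tolower($2)}' | head -n1)
    [ "$v" != "yes" ] || echo "sshd: PermitRootLogin yes"
    return 0
}

# authorized_keys: print every key line not present in a known-good list ($2).
# Output shows key type and comment only, never the key material itself.
check_authorized_keys() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -vxFf "$2" |
    awk '{print "ssh: unexpected key: " $1, (NF >= 3 ? $NF : "(no comment)")}'
    return 0
}

# Usage (paths are placeholders):
#   check_redis_conf /etc/redis/redis.conf
#   check_sshd_config /etc/ssh/sshd_config
#   check_authorized_keys /root/.ssh/authorized_keys known_good_keys.txt
```

Each function prints one line per finding and nothing when the file passes, so the output can be diffed between hosts or fed into a ticket.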
http://blog.chinaunix.net/uid-26569496-id-3199434.html
Detailed description of the files under /var/log on a Linux system
http://www.cnblogs.com/JemBai/archive/2009/03/19/1416364.html
Detailed guide to configuring iptables on Linux