Linux系统是否被植入木马的排查流程梳理.doc
Linux系统是否被植入木马的排查流程梳理
为保障系统安全，需要定期对系统进行安全检查。本文档旨在检查系统中是否存在未知进程、木马和病毒。注意：若已怀疑主机被入侵，排查应尽量以只读方式进行（不要随意删文件、重启或清理日志，以免破坏时间线和证据）；此外 ps、ls、netstat、last 等命令本身可能已被 rootkit 替换，条件允许时应使用可信介质上的静态编译工具（如 busybox）或在离线镜像上分析，并与 rpm -Va（Debian 系为 debsums）的文件完整性校验结果交叉比对。
一、是否入侵检查
1)检查系统日志
检查系统的登录失败日志，按来源 IP 统计登录失败的重试次数（`last` 读取 /var/log/wtmp，显示成功登录、注销以及系统 reboot 记录；`lastb` 读取 /var/log/btmp，显示失败登录记录）。注意：wtmp/btmp 只是普通文件，攻击者可以直接清空或编辑，因此要与 /var/log/secure（Debian 系为 /var/log/auth.log）以及远程 syslog 服务器上的记录交叉比对；日志出现空档或时间跳变本身就是可疑信号。
[root@gsweb data]# last        # 读取 /var/log/wtmp：成功登录、注销、reboot 记录
[root@gsweb data]# lastb       # 读取 /var/log/btmp：失败登录记录
[root@gsweb data]# lastlog     # 每个账号的最后一次登录时间（从未登录的账号显示 Never logged in）
（原文档中 last/lastb 的输出截图在提取时已错乱，仅能辨认出：用户 root，终端 pts/1、pts/2、pts/3，以及登录日期与会话时长各列，故此处不再逐行还原。）
按来源 IP 统计失败登录次数（lastb 输出的第三列为来源主机），次数异常高的 IP 即为暴力破解来源：
[root@gsweb data]# lastb -i | awk 'NF>=3 {print $3}' | sort | uniq -c | sort -rn | head
同样统计成功登录的来源，重点关注陌生 IP 和非工作时间的登录：
[root@gsweb data]# last -i | grep -vE '^(reboot|wtmp)' | awk 'NF>=3 {print $3}' | sort | uniq -c | sort -rn | head
lastcomm 只有在启用了进程记账（psacct/acct 服务）时才有数据，若已启用可用于回溯入侵时段内执行过的命令。
2)检查系统用户
查看是否有异常的系统用户：cat /etc/passwd。逐行核对时重点关注以下几类，也可以用命令直接筛选：
- UID 为 0 但用户名不是 root 的账号（等价于 root 权限）：awk -F: '$3==0 {print $1}' /etc/passwd
- 本应是服务账号却被改成可登录 shell 的条目（正常服务账号的 shell 应为 /sbin/nologin 或 /bin/false）：awk -F: '$7 !~ /(nologin|false)$/ {print $1, $7}' /etc/passwd
- /etc/shadow 中密码字段为空（无需密码即可登录）的账号：awk -F: '$2=="" {print $1}' /etc/shadow
- 账号相关文件的修改时间：ls -l --time-style=full-iso /etc/passwd /etc/shadow /etc/group /etc/sudoers，并检查 /etc/sudoers.d/ 以及各用户 ~/.ssh/authorized_keys 是否有新增的提权或免密登录项。
[root^gsweb data]# cat /etc/passwdroot :x:0:0: root:/root :/bin> bin:x:l:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbi n:/sbin/nologin adn:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sb1n/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:l2:ma11:/var/spool/mai1:/sbin/nol uucp:x:10:14:uucp:/var/spool/uu< operator:x:11:0:oper ator:/root:x:12:100:games:
[root@gsweb data]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
（说明：原截图存在 OCR 错字和行截断，上面的条目已按 RHEL/CentOS 6 默认账号格式整理；root 的 shell、usbmuxd 与 vcsa 之间被截掉的条目以及 rpc 之后的内容在原文中不可见，实际核对时以被检查主机上的真实文件为准。）