
    Detailed steps for handling a compromised Linux server

    Category: Linux/apache problems    Date: 2019-10-10 14:27

    As open-source products become ever more widespread, it is essential for a Linux operations engineer to be able to tell clearly whether a misbehaving machine has been compromised. Drawing on my own work experience, I have put together several common signs of a compromised machine for reference.

    Background: the checks below were run on a CentOS 6.9 system; other Linux distributions are similar.

    1. An intruder may delete the machine's log files. Check whether the logs still exist and whether they have been emptied (a zero-size or suspiciously small log is a warning sign). Example commands:

    [root@hlmcen69n3 ~]# ll -h /var/log/*
    -rw-------. 1 root root 2.6K Jul 7 18:31 /var/log/anaconda.ifcfg.log
    -rw-------. 1 root root 23K Jul 7 18:31 /var/log/anaconda.log
    -rw-------. 1 root root 26K Jul 7 18:31 /var/log/anaconda.program.log
    -rw-------. 1 root root 63K Jul 7 18:31 /var/log/anaconda.storage.log
    [root@hlmcen69n3 ~]# du -sh /var/log/*
    8.0K /var/log/anaconda
    4.0K /var/log/anaconda.ifcfg.log
    24K /var/log/anaconda.log
    28K /var/log/anaconda.program.log
    64K /var/log/anaconda.storage.log

    2. An intruder may add new username and password entries. Check the /etc/passwd and /etc/shadow files, comparing their size and modification time with the backup copies (/etc/passwd- and /etc/shadow-). Example commands:

    [root@hlmcen69n3 ~]# ll /etc/pass*
    -rw-r--r--. 1 root root 1373 Sep 15 11:36 /etc/passwd
    -rw-r--r--. 1 root root 1373 Sep 15 11:36 /etc/passwd-
    [root@hlmcen69n3 ~]# ll /etc/sha*
    ----------. 1 root root 816 Sep 15 11:36 /etc/shadow
    ----------. 1 root root 718 Sep 15 11:36 /etc/shadow-
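    The two checks above (emptied logs in step 1, changed account files in step 2) turned into reusable shell functions. This is an added example, not code from the original article; it runs against constructed sample files in a temporary directory rather than the real /var/log and /etc, and the hostnames, account names and log lines in it are made up.

```shell
#!/bin/sh
# Added example (not from the original article): step 1 and step 2 as functions.

# Report files in DIR that have been emptied (size 0), the way a wiped log looks.
# Prints "EMPTY: path" per finding; returns 1 if anything was found, 0 otherwise.
check_logs() {
  found=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    [ -s "$f" ] || { echo "EMPTY: $f"; found=1; }
  done
  return $found
}

# Compare a live passwd file with its backup copy (passwd-), which the article's
# "ll /etc/pass*" lists side by side, and flag any non-root account with UID 0.
# Prints "ADDED: line" / "UID0: name" per finding; returns 1 if anything was found.
check_passwd() {
  live="$1"; backup="$2"; found=0
  added=$(grep -vxF -f "$backup" "$live" || true)   # lines only in the live file
  [ -z "$added" ] || { echo "ADDED: $added"; found=1; }
  uid0=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$live")
  [ -z "$uid0" ] || { echo "UID0: $uid0"; found=1; }
  return $found
}

# Constructed sample data (not real system files): one emptied log and one
# added account with UID 0. Prints the directory it created.
make_samples() {
  d=$(mktemp -d)
  mkdir "$d/log"
  printf 'Sep 15 11:36 sshd[1]: session opened\n' > "$d/log/secure"
  : > "$d/log/messages"                                # emptied log
  printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/passwd-"
  printf 'bin:x:1:1:bin:/bin:/sbin/nologin\n' >> "$d/passwd-"
  cp "$d/passwd-" "$d/passwd"
  printf 'sysadm:x:0:0::/tmp:/bin/bash\n' >> "$d/passwd" # added UID-0 account
  echo "$d"
}

dir=$(make_samples)
check_logs "$dir/log" || echo "log check: findings above"
check_passwd "$dir/passwd" "$dir/passwd-" || echo "passwd check: findings above"
rm -rf "$dir"
```

On a real host, call check_logs /var/log and check_passwd /etc/passwd /etc/passwd- instead of the sample directory; a non-zero return value from either function means something needs a closer look.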