Understanding the Backdoor Method: Identifying and Securing Systems from Intrusion

After breaching a system, intruders often leave a backdoor for later access, and creating a system account is a common way to do so. During an intrusion investigation, the user configuration file /etc/passwd and the password file /etc/shadow are therefore essential places to check.

Query Privileged Users (uid equals 0)
> awk -F: '$3==0{print $1}' /etc/passwd
Find Accounts That Allow Remote Login
> awk -F: '$2 ~ /^\$(1|5|6)\$/{print $1}' /etc/shadow #Accounts whose password field holds a hash; a field starting with * or ! is locked
  • $1: MD5 (hash 22 characters long)
  • $5: SHA-256 (hash 43 characters long)
  • $6: SHA-512 (hash 86 characters long)
Check sudo Privileges
> grep -v "^#\|^$" /etc/sudoers | grep "ALL=(ALL"
Delete or Lock Accounts

Suspicious accounts can be identified through the steps above.

> usermod -L rooot #Lock the account so it cannot log in; the second field in /etc/shadow then starts with !
> userdel rooot    #Delete the user account
> userdel -r rooot #Delete the rooot user together with its home directory under /home
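The account checks of this section collected into reusable shell functions, as an added example that is not part of the original page; it runs against constructed passwd, shadow and sudoers samples (the names rooot, alice and guest are made up) and on a live host would be pointed at the real files, reading /etc/shadow as root.

```sh
#!/bin/sh
# Added example (not from the original page): the account checks above as shell
# functions, run against constructed sample files so it works offline; on a live
# host pass /etc/passwd, /etc/shadow (readable only as root) and /etc/sudoers.
set -u
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed samples: "rooot" is a look-alike account with uid 0 and a
# yescrypt hash, "alice" is locked ("!" prefix), "guest" has an empty
# password field, which allows login without a password.
cat >"$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
rooot:x:0:0::/home/rooot:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
EOF
cat >"$SAMPLE_DIR/shadow" <<'EOF'
root:$6$saltsalt$HASHHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:!$6$saltsalt$HASHHASH:19000:0:99999:7:::
rooot:$y$j9T$saltsalt$HASHHASH:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF
cat >"$SAMPLE_DIR/sudoers" <<'EOF'
# constructed sudoers
root    ALL=(ALL:ALL) ALL
rooot   ALL=(ALL) NOPASSWD: ALL
%wheel  ALL=(ALL) ALL
EOF

# Each function prints matching account names on one line, space separated.
uid0_accounts() {            # uid 0 accounts other than root are a classic backdoor
    awk -F: '$3 == 0 {o = o (o ? " " : "") $1} END {print o}' "$1"
}
hash_accounts() {            # field 2 holds a usable hash: $1 md5, $5 sha256,
    awk -F: '$2 ~ /^\$(1|5|6|y)\$/ {o = o (o ? " " : "") $1} END {print o}' "$1"
}                            # $6 sha512, $y yescrypt; "*", "!" and "!hash" are locked
empty_password_accounts() {  # empty field 2: login without any password
    awk -F: '$2 == "" {o = o (o ? " " : "") $1} END {print o}' "$1"
}
sudo_all_entries() {         # non-root users/groups granted ALL=(ALL...
    awk '!/^#/ && /ALL=\(ALL/ && $1 != "root" {o = o (o ? " " : "") $1} END {print o}' "$1"
}
echo "uid 0:          $(uid0_accounts "$SAMPLE_DIR/passwd")"
echo "with hash:      $(hash_accounts "$SAMPLE_DIR/shadow")"
echo "empty password: $(empty_password_accounts "$SAMPLE_DIR/shadow")"
echo "sudo ALL:       $(sudo_all_entries "$SAMPLE_DIR/sudoers")"
```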
View Information on Users Currently Logged into the System
> who    #View users currently logged in (tty for local login, pts for remote login)
> w      #View system information to understand user behavior at a particular moment
> uptime #View how long the system has been up, how many users, and the load
Check Abnormal Ports

Use the netstat command to review listening ports and connections, paying attention to suspicious ports, remote IPs, and the owning PIDs.

> netstat -tunlp | less
Packet Capture and Analysis
> tcpdump -c 10 -q #Quiet (brief) output, capture 10 packets
Check for Suspicious Processes Using the ps Command
> ps -ef
Find the Processes Consuming the Most Resources
> top
Investigate Further upon Discovering Anomalies
> ps eho command -p $PID  #View the complete command line used to start the process
> readlink /proc/$PID/cwd #View the directory where the process was started
> ls -l /proc/$PID/exe    #View the file path corresponding to the PID
> strings -f /proc/$PID/environ | cut -d ' ' -f2- #View the complete environment variables the process was started with
> lsof -p $PID #List all files opened by the process

Check System Services

Linux service management differs by release: CentOS 7 uses systemd, while older releases (CentOS 6 and earlier) use chkconfig.

Check Services that Start on Boot
#For the systemd service manager, services enabled at boot can be listed as follows
> systemctl list-unit-files --type=service | grep "enabled"
#chkconfig controls services on CentOS 6 and earlier; list services that start in runlevels 3 and 5
> chkconfig --list | grep "3:on\|5:on"
Check Startup Scripts

Check the startup scripts for abnormal entries among the boot-time startup items.

> cat /etc/rc.local
Check Scheduled Tasks

Scheduled tasks can be used to maintain privileges and may be exploited by intruders as a persistence mechanism. Check for abnormal scheduled tasks, focusing on whether malicious scripts exist in the following locations.

/var/spool/cron/*
/etc/crontab
/etc/cron.d/*
/etc/cron.daily/*
/etc/cron.hourly/*
/etc/cron.monthly/*
/etc/cron.weekly/*
/etc/anacrontab
/var/spool/anacron/*