How to Troubleshoot Linux Cloud Server Intrusion

07-04-2023

Many people are not familiar with the knowledge points covered in this article on how to troubleshoot a Linux cloud server intrusion, so the editor has summarized the following content. The content is detailed, the steps are clear, and it has practical reference value. I hope you gain something from reading it; let's look at how to troubleshoot a Linux cloud server intrusion.


Check the current login user


Run w or who to see who is currently logged in. In this case only one user is logged in. Normally you should be the only one logged in; if there is more than one session, it is best to investigate.

Check the network connection

Run netstat -anp to check the current network connections. If netstat is not installed, install it with sudo apt install net-tools and check again.


Check whether common ports such as 22, 445, 3389 and 6379 have abnormal connections, and check whether the remote address of each established connection is an IP from a foreign country or a cloud vendor. You can look up the IP on Weibu (ThreatBook) or another threat-intelligence platform.

Check the process

Run ps -ef to check the processes for anything abnormal. If you encounter a process you do not recognize, look it up online. For a connection from netstat that you cannot judge, use its process id to view the corresponding process information with ps -ef | grep <pid>, locate the related files, and analyze whether the file has malicious behavior, or upload it to an online detection platform such as VirusTotal to check whether the file is harmful.

Check history commands

.bash_history records the commands you have entered; check whether it contains any commands that you did not enter.

Check account information

Check the account information in /etc/passwd.

Check scheduled tasks

Run crontab -l to list the scheduled tasks.

Check the login log

Run last or lastlog to view the users' recent login records.

Check the SSH login log to see whether there are a large number of login-failure entries.
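As an added example that is not part of the original article, the POSIX shell script below automates two of the checks above on whatever you pipe into it: accounts in /etc/passwd other than root that have UID 0, and failed SSH logins counted per source address from auth.log-style lines. The helper names and the sample input are constructed for this example; in practice you would feed it cat /etc/passwd or grep sshd /var/log/auth.log.

```shell
#!/bin/sh
# Added triage helpers (example code, not from the original article).
# Each function reads its input on stdin so it can be run against live output
# (cat /etc/passwd, grep sshd /var/log/auth.log) or the constructed samples below.

# Print accounts whose UID is 0 but whose name is not "root": a second UID-0
# account is a common backdoor and should not normally exist.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Count "Failed password" sshd lines per source IP and print "count ip",
# highest count first, so brute-force sources stand out.
ssh_failures_by_ip() {
    grep 'sshd\[' | grep 'Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample /etc/passwd lines (not real data).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
toor:x:0:0::/root:/bin/bash'

# Constructed sample auth.log lines (not real data; documentation IP ranges).
SAMPLE_AUTH='Jul  4 10:01:02 host sshd[1234]: Failed password for root from 203.0.113.5 port 51000 ssh2
Jul  4 10:01:04 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Jul  4 10:01:09 host sshd[1236]: Failed password for root from 198.51.100.7 port 40200 ssh2
Jul  4 10:02:00 host sshd[1237]: Accepted publickey for deploy from 192.0.2.10 port 33000 ssh2'

# Run with "demo" as the first argument to see both checks on the sample data.
if [ "${1:-}" = "demo" ]; then
    echo "== UID 0 accounts other than root =="
    printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts
    echo "== failed SSH logins by source IP =="
    printf '%s\n' "$SAMPLE_AUTH" | ssh_failures_by_ip
fi
```

On the sample data the first check reports toor and the second shows 203.0.113.5 with two failures ahead of 198.51.100.7 with one.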


Copyright: No reproduction without permission.
