
Emergency response under Linux (Basic knowledge record)

Check CPU Usage

The purpose of checking CPU usage is to find the process that is consuming an abnormal amount of CPU (on a compromised host this is typically a cryptominer).

top -c -o %CPU
htop -t

# View the top five processes by CPU usage (head -n 6 keeps the header line plus five processes)
ps -eo pid,ppid,%mem,%cpu,cmd --sort=-%cpu | head -n 6


Memory Usage

top -c -o %MEM
htop -t

# View the top five processes by memory usage (header line plus five processes)
ps -eo pid,ppid,%mem,%cpu,cmd --sort=-%mem | head -n 6

Network Usage

iftop # Requires installation and root privileges; does not show the process ID
nethogs # Requires installation and root privileges; shows the process ID
ss -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr # Number of connections per local IP (column 5 = Local Address:Port)
ss -ntu | awk '{print $6}' | cut -d ":" -f1 | sort | uniq -c | sort -nr # Number of connections per peer (destination) IP (column 6 = Peer Address:Port)
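The two `ss` one-liners above have two weak spots: they count the header line as an address, and `cut -d: -f1` truncates IPv6 and IPv4-mapped addresses such as `[::ffff:10.0.0.5]:443` at the first colon, so a peer talking over IPv6 disappears from the count. The following script is an added example, not code from the original post; the function names (`strip_port`, `count_addrs`, `top_peer`) are my own, and the `ss` output embedded in `SAMPLE_SS` is constructed for the offline demo.

```sh
#!/bin/sh
# Added example (not from the original post): count connections per peer or
# local IP from `ss -ntu` output, skipping the header and keeping IPv6 and
# IPv4-mapped addresses intact instead of cutting them at the first colon.

# strip_port ADDR:PORT -> ADDR; handles "10.0.0.5:22", "[::1]:22" and "*:22"
strip_port() {
    case "$1" in
        \[*\]:*) s=${1#\[}; printf '%s\n' "${s%%\]:*}" ;;
        *)       printf '%s\n' "${1%:*}" ;;
    esac
}

# count_addrs COLUMN [STATE]  < ss-output
# COLUMN 5 = Local Address:Port, 6 = Peer Address:Port (the `ss -ntu` layout).
# STATE filters on the ss state column (default ESTAB) so listening sockets
# and half-open SYN-SENT attempts are not mixed into the established count.
count_addrs() {
    col=$1
    state=${2:-ESTAB}
    awk -v c="$col" -v st="$state" 'NR > 1 && $2 == st { print $c }' |
    while IFS= read -r ap; do strip_port "$ap"; done |
    sort | uniq -c | sort -rn
}

# Live use:  ss -ntu | count_addrs 6            # established peers
#            ss -ntu | count_addrs 6 SYN-SENT   # outbound attempts that never completed

# Constructed sample in `ss -ntu` format (documentation-range addresses) for the offline demo.
SAMPLE_SS='Netid State    Recv-Q Send-Q Local Address:Port          Peer Address:Port
tcp   ESTAB    0      0      10.0.0.5:22                 192.0.2.10:51234
tcp   ESTAB    0      0      10.0.0.5:22                 192.0.2.10:51300
tcp   ESTAB    0      0      [::ffff:10.0.0.5]:443       [::ffff:198.51.100.7]:40000
tcp   ESTAB    0      0      10.0.0.5:49110              203.0.113.9:3333
tcp   SYN-SENT 0      1      10.0.0.5:49111              203.0.113.9:3333
tcp   LISTEN   0      128    *:22                        *:*
udp   ESTAB    0      0      10.0.0.5:68                 10.0.0.1:67'

# top_peer [STATE]: the most frequent peer IP in the sample, printed as "COUNT IP"
top_peer() {
    printf '%s\n' "$SAMPLE_SS" | count_addrs 6 "${1:-ESTAB}" | head -n 1 | awk '{ print $1, $2 }'
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | count_addrs 6
fi
```

Run it with `sh count_peers.sh demo` to see the per-peer table for the sample; against a live host replace the sample with `ss -ntu | count_addrs 6`. A peer that shows up under `SYN-SENT` but never under `ESTAB` is worth noting separately: a miner whose pool is already blocked keeps retrying, and those attempts do not appear in an established-only count.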


Outbound IP

# Search by remote IP or remote port (1.1.1.1 and 3389 are placeholders for the address or port under investigation)
netstat -pantu | grep 1.1.1.1
netstat -pantu | grep 3389
lsof -i:3389 # Requires root privileges to see other users' processes

# Search by local port
netstat -pantu | grep 3389
lsof -i:3389

Finding Malicious Samples

Work in both directions:

  • From a PID, find the path of the malicious file
  • From a malicious file, find the PID that is using it

Get the PID from a process name or a partial string

pidof "name"
ps aux | grep "name"
ps -ef | grep "name" | grep -v grep | awk '{print $2}'
pgrep -f "name"


Get detailed information about a process from its PID

lsof -p PID # Requires root privileges for processes owned by other users
pwdx PID # Requires root privileges for other users' processes; prints the working directory of the process, which is usually the directory the malicious file was launched from
systemctl status PID # Shows the unit (service) and cgroup the process belongs to, with its status
cat /proc/PID/maps # Memory mappings of the process, including every library and file it has mapped
ls -al /proc/PID/exe # Symlink to the executable actually running; ends in "(deleted)" if the file has been removed from disk
cat /proc/$$/mountinfo # Mounts visible to the current process; $$ is the PID of the current shell, so substitute PID to inspect another process

View threads

ps -T -p PID # PID is the process ID, SPID is the thread ID, CMD is the command line of the process/thread
ps -Lf -p PID # Show every thread (LWP) of the given process
pstree -agplU # Show the relationships between all processes in the system ✅

Get PID based on file

lsof | grep FILENAME
lsof FILENAME
fuser FILENAME # Command to find the process that uses a specific file or socket

Determine Program Running Time

ps -o pid,lstart,etime,cmd -p PID # lstart = start time, etime = elapsed running time

# Compare with the creation/modification time of the malicious file
stat FILENAME
ls -al FILENAME
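The PID-to-file and running-time steps above all read the same `/proc` data, and the one case where they fail is the one that matters most: a sample that unlinks its own binary after starting, so `find`, `pwdx` and `stat` have nothing to show while the process keeps running. `/proc/PID/exe` still resolves to the executable's bytes in that case, and `readlink` reports the old path with a ` (deleted)` suffix. The script below is an added example, not code from the original post; the function names (`proc_summary`, `exe_deleted`, `preserve_exe`) are my own and it assumes a Linux `/proc`.

```sh
#!/bin/sh
# Added example (not from the original post): turn a suspicious PID into a
# summary and preserved evidence using /proc directly, so a binary that was
# deleted from disk while running can still be captured and hashed.

# proc_summary PID: identity and timing facts to compare against the on-disk
# file (`stat FILENAME`) before deciding whether to terminate the process.
proc_summary() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "proc_summary: no such process $pid" >&2; return 1; }
    printf 'pid:     %s\n' "$pid"
    printf 'ppid:    %s\n' "$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status")"
    printf 'exe:     %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '(unreadable)')"
    printf 'cwd:     %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '(unreadable)')"
    printf 'cmdline: %s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
    if command -v ps >/dev/null 2>&1; then
        printf 'started: %s\n' "$(ps -o lstart= -p "$pid")"
        printf 'elapsed: %s\n' "$(ps -o etime= -p "$pid")"
    fi
}

# exe_deleted PID: succeeds when the running binary no longer exists on disk
exe_deleted() {
    case "$(readlink "/proc/$1/exe" 2>/dev/null)" in
        *' (deleted)') return 0 ;;
        *)             return 1 ;;
    esac
}

# preserve_exe PID OUTDIR: copy the executable image to OUTDIR (read-only),
# record the kernel's idea of its path, and hash it for the virus-scan step.
# Prints the path of the preserved copy.
preserve_exe() {
    pid=$1
    out=$2
    mkdir -p "$out" || return 1
    dest="$out/pid_${pid}.bin"
    cp "/proc/$pid/exe" "$dest" || return 1   # works even when the path is "(deleted)"
    chmod 0400 "$dest"
    readlink "/proc/$pid/exe" > "$out/pid_${pid}.exe_path"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$dest" > "$out/pid_${pid}.sha256"
    fi
    printf '%s\n' "$dest"
}

# Usage: sh evidence.sh summary PID
#        sh evidence.sh preserve PID /root/evidence
case "${1:-}" in
    summary)  proc_summary "$2" ;;
    preserve) preserve_exe "$2" "$3" ;;
esac
```

Preserve the copy before killing anything: once the process exits, a deleted binary is gone for good, and the hash in `pid_PID.sha256` is what you submit to the online scanner in the next section.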


Handling Abnormal Processes

  1. Download the sample from the server
  2. Analyze it with an online virus scanner
  3. Terminate the process:
     1. Check whether it has child processes
        ps ajfx
        systemctl status
     2. If there are no child processes
        kill -9 PID
     3. If there are child processes, signal the whole process group (the -PID form targets the process group whose ID equals PID, so it only works when PID is the group leader)
        kill -9 -PID

Delete Malicious Files

  1. Check whether a process is still holding the file open
lsof FILENAME
  2. If the file cannot be deleted because of the "a" (append-only) or "i" (immutable) attributes, clear them first
chattr -a FILENAME
chattr -i FILENAME
  3. If the file cannot be deleted because of a strange file name
  • Find the inode and delete by inode
ls -li FILENAME # View the inode (first column)

  • Delete the file (any one of the following; INODE is the number from ls -li)
find . -inum INODE -delete
find . -inum INODE -exec rm {} \;
find . -inum INODE -exec rm -i {} \; # Prompt for confirmation before deleting
find . -inum INODE -exec rm -f {} \; # Force delete
find . -inum INODE -print0 | xargs -0 rm -f
rm "$(find . -inum INODE)"
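Deleting by inode sidesteps names built to break shell quoting (a leading `-`, an embedded newline, look-alike Unicode), but the bare `find -inum -delete` still fails silently on an immutable file and says nothing when the same inode is reachable through a second hard link elsewhere. The script below is an added example, not code from the original post; the function names (`show_attrs`, `remove_by_inode`) are my own and it relies on GNU `find` (`-print0`, `-printf`, `-quit`) and `stat -c`, as found on ordinary Linux hosts.

```sh
#!/bin/sh
# Added example (not from the original post): remove a malicious regular file
# by inode, verifying the result and warning about hard links and attributes
# that the plain `find -inum -delete` one-liner ignores.

# show_attrs FILE: print the chattr flags if the filesystem supports them.
# An 'i' or 'a' in the output is why rm fails; clear with `chattr -ia FILE` as root.
show_attrs() {
    lsattr -d -- "$1" 2>/dev/null | awk '{ print $1 }' || true
}

# remove_by_inode DIR INODE: delete the regular file with inode INODE under DIR
# (same filesystem only, -xdev). Returns 1 if nothing matched or the file is
# still present afterwards. Warns when the inode has more names than were
# found under DIR, because the bytes stay reachable through the other link.
remove_by_inode() {
    dir=$1
    ino=$2
    # count matches by NUL separators so newlines in the name cannot skew it
    found=$(( $(find "$dir" -xdev -inum "$ino" -type f -print0 2>/dev/null | tr -dc '\000' | wc -c) ))
    if [ "$found" -eq 0 ]; then
        echo "remove_by_inode: no regular file with inode $ino under $dir" >&2
        return 1
    fi
    links=$(find "$dir" -xdev -inum "$ino" -type f -printf '%n\n' -quit 2>/dev/null)
    if [ "${links:-0}" -gt "$found" ]; then
        echo "remove_by_inode: inode $ino has $links links but only $found under $dir; content stays on disk" >&2
    fi
    find "$dir" -xdev -inum "$ino" -type f -delete 2>/dev/null || true
    # verify: the inode must no longer resolve to a name under DIR
    if find "$dir" -xdev -inum "$ino" -type f 2>/dev/null | grep -q .; then
        echo "remove_by_inode: inode $ino still present; check attributes with show_attrs" >&2
        return 1
    fi
    return 0
}

# Usage: sh rm_inode.sh /var/tmp INODE   (INODE from `ls -li` or `stat -c %i`)
if [ $# -eq 2 ]; then
    remove_by_inode "$1" "$2"
fi
```

Scope `DIR` as tightly as you can (the directory from `pwdx` or `/proc/PID/cwd`, not `/`): `-inum` only identifies a file within one filesystem, and walking the whole tree is slow on a busy host.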

These commands cover most emergency incidents; the details vary from one type of event to another. Two extensions follow.

Extension 1: TCP Connection States in netstat

| State | Type | Description |
| --- | --- | --- |
| LISTEN | TCP listening port | Listening state: the port is waiting for a connection from the other end. |
| SYN_SENT | TCP connection state | Connection request sent: the TCP connection has been initiated but not yet acknowledged. |
| SYN_RECV | TCP connection state | Connection request received and waiting for acknowledgment. Usually seen only on servers, indicating that a request has arrived from a client. |
| ESTABLISHED | TCP connection state | The TCP connection is established and data is being exchanged. |
| FIN_WAIT1 | TCP connection state | The local end has closed the connection and is waiting for the other end's close request. |
| FIN_WAIT2 | TCP connection state | The local end has closed the connection and is waiting for the other end's close request, or is receiving the final confirmation from the other end. |
| TIME_WAIT | TCP connection state | The connection has been closed and all data transmitted; the socket waits for a period of time to make sure every packet has been processed. |
| CLOSE_WAIT | TCP connection state | The connection has been closed by the other end, but the local application has not yet closed its side. |
| LAST_ACK | TCP connection state | A close request has been sent and the socket is waiting for the other end's close request. |
| CLOSING | TCP connection state | The TCP connection is in the process of closing. |

Extension 2: Checking an IP Address

Three steps: threat intelligence query, domain registration lookup, company search.

A threat intelligence platform such as Weibu (ThreatBook) can provide some information about the IP, and the same results page lets you search for related information.

If there is an associated domain, check its registration (in China).

If there is a registration record, search for the registered company.

Others

  • GitHub - T0xst/linux: Linux Security Check
  • Security/1earn/Security/BlueTeam/Emergency
  • Blue-Team/Emergency/Linux Emergency Response Manual
  • Linux Emergency Response Manual 1.7
