banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。

Emergency Response on Linux (Basic Knowledge Record)

View CPU usage#

The purpose of viewing CPU usage is to determine which process is consuming high CPU usage (for mining).

top -c -o %CPU
htop -t

# View the top five processes consuming CPU usage
ps -eo pid,ppid,%mem,%cpu,cmd --sort=-%cpu | head -n 5

image

Memory usage#

top -c -o %MEM
htop -t

# View the top five processes consuming memory
ps -eo pid,ppid,%mem,%cpu,cmd --sort=-%mem | head -n 5

Network usage#

iftop # Requires installation and root permission to run, does not display process ID
nethogs # Requires installation and root permission to run, displays process ID
ss -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr # View the number of local network card IP connections (source IP)
ss -ntu | awk '{print $6}' | cut -d ":" -f1 | sort | uniq -c | sort -nr # View the number of destination IP connections (destination IP)

image.png

External IP#

# Search by destination IP
netstat -pantu | grep 1.1.1.1
netstat -pantu | grep 3389
lsof -i:3389 # Requires root permission
# Search by local IP
netstat -pantu | grep 3389
lsof -i:3389

Finding malicious samples#

  • Get PID - Find the path of the malicious file
  • Found the malicious file - PID

Get PID based on process name or partial string

pidof "name"
ps -aux | grep "name"
ps -ef | grep "name" | grep -v grep | awk '{print $2}'
pgrep -f "name"

image

Get detailed information of the process based on PID

lsof -p PID # Requires root permission
pwdx PID # Requires root permission, get the directory where the PID process was started, which is the path where the malicious file was started
systemctl status PID # Get the status information of the process
cat /proc/PID/maps # Output the memory mapping information of the specified process
ls -al /proc/1505945/exe # Output the absolute path of the program executed by the specified process
cat /proc/$$/mountinfo # View the file system information mounted by the current process, where $$ represents the process ID (PID) of the current process.

View threads

ps H -T -p PID # PID is the process ID, spid is the thread ID, CMD represents the command line of the process/thread
ps -Lf PID # Display information of each thread in the specified process
pstree -agplU # Display all process relationships in the system ✅

Get PID based on file

lsof | grep FILENAME
lsof FILENAME
fuser FILENAME # Command used to find the process that uses a specific file or socket

Determine program running time#

ps -eo pid,lstart,etime,cmd | grep  PID

# Compare the creation time of the malicious file
stat FILENAME
ls -al FILENAME

image

Handling abnormal processes#

  1. Download samples from the server
  2. Online virus analysis
  3. Process killing
1. Check if there are child processes
ps ajfx
systemctl status

2. If there are no child processes
kill -9 PID

3. If there are child processes
kill -9 -PID

Delete malicious files#

  1. Check if the process is occupying the file
lsof FILENAME
  1. If the file cannot be deleted due to the a and i attributes
chattr -a
chattr -i
  1. If the file cannot be deleted due to strange file names
  • Delete the file using the inode number
ls -li FILENAME # View the inode

image

  • Delete the file
find ./* -inum INODE -delete
find ./ -inum INODE -exec rm {} \;
find ./* -inum INODE -exec rm -i {} \; # Prompt for confirmation before deleting
find ./* -inum INODE -exec rm -f {} \; # Force delete
find ./* -inum INODE | xargs rm -rf
rm `find ./* -inum INODE`

These are the commands needed for most emergency incidents. There may be some differences for different events:

Extension 1: TCP connection status in netstat#

Status           Type               Description                                                                                                           
LISTEN        TCP listening port Listening state. Indicates that the port is waiting for a connection from the other end for communication.                                                                 
SYN_SENT      TCP state           Connection request has been sent. Indicates that the TCP connection has been initiated but no acknowledgment has been received yet.                                                 
SYN_RECV      TCP state           Connection request is being received. Indicates that the TCP connection has been received and is waiting for acknowledgment. Usually only appears on the server side, indicating that a request has been received from the client.
ESTABLISHED   TCP state           Indicates that the TCP connection has been established and is in communication.                                                                                         
FIN_WAIT1     TCP state           Indicates that the TCP connection has been closed and is waiting for the other end to close the connection.                                                               
FIN_WAIT2     TCP state           Indicates that the TCP connection has been closed and is waiting for the other end to close the connection or is receiving final acknowledgment.                           
TIME_WAIT     TCP state           Indicates that the TCP connection has been closed and all data has been transmitted, waiting for a period of time to ensure that all packets have been processed.           
CLOSE_WAIT    TCP state           Indicates that the TCP connection has been closed but the local application has not closed the connection.                                                               
LAST_ACK      TCP state           Close request has been sent and waiting for the other end's close request.                                                                                                
CLOSING       TCP state           Indicates that the TCP connection is in the process of closing.                                                                                                         

Extension 2: Checking if IP is normal#

Three steps: Threat Intelligence Query-Domain Registration-Company Search

Weibei Threat Intelligence can provide some information

image.png

You can also query other information

image.png

If there is a domain name, you can check the registration (in China)

image.png

If there is a registration, you can check the company

image.png

Others#

GitHub - T0xst/linux: Linux security check
Security/1earn/Security/BlueTeam/Emergency
Blue-Team/Emergency/Linux Emergency Response Manual
Linux Emergency Response Manual 1.7

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.