How to troubleshoot Linux cloud server intrusion

Check the currently logged in user

Enter w or who, you can see that there is only one user currently logged in, normally you are the only one Log in, if it is not the best troubleshooting.

Check the network connection

netstat -anp command to check the current network connection. If there is no netstat, install it sudo apt install net-tools and check again

Check whether common ports such as 22, 445, 3389, 6379 are abnormally connected, and check whether the address of the connect connection is an IP from a foreign or cloud manufacturer. You can query the information of the IP on Weibu or other intelligence platforms

Check the process

ps -ef Check the process to see if there are any abnormalities. If you encounter a process you don’t understand, you can check it online. For connections that cannot be determined from netstat, you can also check the corresponding process information through the process ID. ps -ef|grep id, locate relevant files, analyze whether the files have malicious behavior, or upload them to online detection platforms such as virustotal to check whether the files are harmful.

Check the command history

.bash_history records the commands entered. You can check whether there are any commands that were not entered by yourself

Check the account Information

/etc/passwdView account information

Check scheduled tasks

crontab -l

Check the login log

Execute last or lastlog to view the user’s recent login log

Check the ssh login log to see if there are a large number of login failure messages

The above is the detailed content of How to troubleshoot Linux cloud server intrusion. For more information, please follow other related articles on the PHP Chinese website!