How to check whether a Linux server has been hacked?
A Linux server has been compromised. For those who are not familiar with administering Linux servers, the basic checks are summarised below.

First, check with iptraf (if it is not installed, run yum install iptraf). If you see a large number of UDP packets, there is most likely a back door.

1. Check the accounts
# less /etc/passwd
# grep :0: /etc/passwd (check whether a new user has been created and whether any user has UID and GID 0)
# ls -l /etc/passwd (check the file's modification date)
# awk -F: 'length($2)==0 {print $1}' /etc/shadow (check for accounts with an empty password)

2. Check the logs
# last (lists all users who have logged in to this machine normally)
Watch for "entered promiscuous mode" messages.
Watch for error messages.
Note remote procedure call (RPC) program log entries that contain a large number (> 20) of strange characters (-pm-pm-pm-pm-pm).

3. Check the processes
# ps -aux (note any process whose UID is 0)
# cat /etc/inetd.conf | grep -v "^#" (check the daemons)
Check for hidden processes by comparing the PIDs reported by ps with a second, independent PID listing (the pipeline below is reconstructed from the garbled copy on the page):
# ps -ef | awk '{print $2}' | sort -n | uniq > 1
# (the command that writes the second listing to file 2 is lost on the page)
# diff 1 2

4. Check the files
# find / -uid 0 -perm -4000 -print
# find / -size +10000k -print
# find / -name "..." -print
# find / -name ". " -print (the file name on the page is garbled; a dot followed by a space is the usual target of this check)
# find / -name " " -print
Pay attention to SUID files, suspicious files larger than 10 MB, and files whose names consist only of whitespace.
# find / -name core -print (check the core files on the system; the flags on the page are garbled)
Check system file integrity:
# rpm -qf /bin/ls
# rpm -qf /bin/login
# md5sum -b filename
# md5sum -t filename

5. Check package integrity (the command for this step is garbled on the page; the legend below is the one printed by rpm -V)
Output format:
S - file size differs
M - mode differs (permissions)
5 - MD5 sum differs
D - device number mismatch
L - readlink path mismatch
U - user ownership differs
G - group ownership differs
(the rest of the legend is cut off on the page)
Pay attention to /sbin, /bin, /usr/sbin and /usr/bin.

6. Check the network
# ip link | grep PROMISC (a normal network card should not be in PROMISC mode; if it is, there may be a sniffer)
# lsof -i
# netstat -nap (look for TCP/UDP ports that are not normally open)
# arp -a

7. Check the scheduled tasks
Pay attention to jobs scheduled by root or by any user with UID 0.
# crontab -u root -l
# cat /etc/crontab
# ls /etc/cron.*

8. Check for back doors
# cat /etc/crontab
# ls /var/spool/cron/
# cat /etc/rc.d/rc.local
# ls /etc/rc3.d
# find / -type f ... (the rest of this command is cut off on the page)

9. Check the kernel modules
# lsmod

10. Check the system services
(the commands for this step are missing from the page)

11. Check for rootkits
# rkhunter -c
# chkrootkit -q
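The account checks from step 1, as an added shell example that is not part of the original answer: the UID-0 and empty-password tests from the answer plus a duplicate-UID check, run as a function over copies of passwd and shadow so the same logic can be applied to files pulled off the suspect host. The passwd/shadow contents and the user names toor, backup and alice are constructed for the demo.

```shell
#!/bin/sh
# Added example: step 1 account audit as a reusable function.
# Runs on copies of /etc/passwd and /etc/shadow given as arguments.

# Write a constructed passwd/shadow pair into a temp dir and print the dir name.
make_sample_dir() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:toor:/home/toor:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$saltsalt$constructedhashvalue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup::19000:0:99999:7:::
toor:$6$saltsalt$constructedhashvalue:19000:0:99999:7:::
alice:$6$saltsalt$constructedhashvalue:19000:0:99999:7:::
EOF
    echo "$dir"
}

# Usage: audit_accounts <passwd copy> <shadow copy>
# Prints one finding per line:
#   UID0 <user>     account other than root whose UID (field 3) is 0
#   DUPUID <uid>    UID shared by more than one account
#   EMPTYPW <user>  account whose shadow hash (field 2) is empty: no password needed
audit_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print "UID0 " $1 }
             { count[$3]++ }
             END { for (u in count) if (count[u] > 1) print "DUPUID " u }' "$1"
    awk -F: 'length($2) == 0 { print "EMPTYPW " $1 }' "$2"
}

# Demo on the constructed files.
dir=$(make_sample_dir)
audit_accounts "$dir/passwd" "$dir/shadow"
rm -rf "$dir"
```

On a live host, copy /etc/passwd and /etc/shadow to an analysis machine and run the function there; also record the modification dates with ls -l as step 1 says, since a tampered passwd file is often the only trace of the added account.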
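The hidden-process comparison from step 3, as an added shell example that is not part of the original answer. A PID that the kernel lists under /proc but that ps does not report is the usual sign of a userland rootkit filtering ps output. The comparison itself is a function over two PID lists so it can be checked on constructed input; live_hidden_pids runs it on the real system and, because processes start and exit between the two snapshots, only reports PIDs flagged in two rounds. The function names and the sample PIDs are my own.

```shell
#!/bin/sh
# Added example: step 3 hidden-process check (ps versus /proc).

# PIDs as reported by ps, one per line, sorted numerically.
pids_from_ps() {
    ps -eo pid= | awk '{ print $1 }' | sort -n | uniq
}

# PIDs as seen by the kernel: the numeric directory names under /proc.
pids_from_proc() {
    ls /proc | grep '^[0-9][0-9]*$' | sort -n | uniq
}

# Usage: hidden_pids <file of ps PIDs> <file of /proc PIDs>
# Prints PIDs present in the /proc list but absent from the ps list.
hidden_pids() {
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next }
         !($1 in seen) { print $1 }' "$1" "$2"
}

# Usage: common_pids <file A> <file B>; prints PIDs present in both.
common_pids() {
    awk 'FILENAME == ARGV[1] { a[$1] = 1; next }
         ($1 in a) { print $1 }' "$1" "$2"
}

# Live check: two rounds a second apart, reporting only PIDs hidden in both,
# which filters out processes that merely exited between the two listings.
live_hidden_pids() {
    tmp=$(mktemp -d)
    for round in 1 2; do
        pids_from_proc > "$tmp/proc$round"
        pids_from_ps > "$tmp/ps$round"
        hidden_pids "$tmp/ps$round" "$tmp/proc$round" > "$tmp/hidden$round"
        sleep 1
    done
    common_pids "$tmp/hidden1" "$tmp/hidden2"
    rm -rf "$tmp"
}

# Demo on constructed PID lists: 4242 is known to the kernel but missing from ps.
tmp=$(mktemp -d)
printf '1\n2\n100\n2048\n' > "$tmp/ps"
printf '1\n2\n100\n2048\n4242\n' > "$tmp/proc"
hidden_pids "$tmp/ps" "$tmp/proc"
rm -rf "$tmp"

# Run against the real system only when asked: ./script.sh --live
if [ "${1:-}" = "--live" ]; then live_hidden_pids; fi
```

A kernel-level rootkit that also filters directory listings of /proc defeats this comparison, which is why step 11 (rkhunter, chkrootkit) is still needed; the ps-versus-/proc diff only catches tools that hook the userland utilities.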
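Triage of the rpm -V output described in step 5, as an added shell example that is not part of the original answer. rpm -Va over a whole system produces hundreds of lines, most of them config files and mtime-only changes; the function below keeps only entries under /sbin, /bin, /usr/sbin and /usr/bin whose MD5 sum (5), size (S) or mode (M) differs, plus packaged files that are missing, and skips files rpm marks as config (type letter c). The sample output file is constructed; the paths in it are illustrative.

```shell
#!/bin/sh
# Added example: step 5, narrowing rpm -V output to binaries that changed.

# Write a constructed rpm -Va output file into a temp dir and print the dir name.
# Real rpm -V lines look like: "<9 attribute chars or 'missing'> [<type letter>] <path>".
make_rpm_sample() {
    dir=$(mktemp -d)
    cat > "$dir/rpm-V.txt" <<'EOF'
.......T.    /usr/bin/passwd
S.5....T.    /bin/ls
.M.......    /usr/sbin/sshd
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/bin/lsattr
S.5....T.    /usr/share/doc/foo/README
S.5....T.  c /usr/sbin/constructed-config-script
EOF
    echo "$dir"
}

# Usage: triage_rpm_verify <file with rpm -Va output>
# Prints "<attrs> <path>" (or "MISSING <path>") for entries worth a closer look.
triage_rpm_verify() {
    awk '
    {
        attrs = $1; path = $NF
        # only the directories step 5 says to watch
        if (path !~ /^\/(sbin|bin|usr\/sbin|usr\/bin)\//) next
        # type letter "c" marks a config file; local edits there are expected
        if (NF == 3 && $2 == "c") next
        if (attrs == "missing") { print "MISSING " path; next }
        # 5 = MD5 sum, S = size, M = mode: content or permission change on a binary;
        # a lone T (mtime) is ignored, it is common after legitimate updates
        if (attrs ~ /5/ || attrs ~ /S/ || attrs ~ /M/) print attrs " " path
    }' "$1"
}

# Demo on the constructed output.
dir=$(make_rpm_sample)
triage_rpm_verify "$dir/rpm-V.txt"
rm -rf "$dir"
```

Save the output on the suspect host with rpm -Va > rpm-V.txt and feed that file to the function. The rpm database on a compromised host can itself have been altered, so a hit on /bin/ls or /usr/sbin/sshd should be confirmed against a known-good package (rpm -Vp with the original package file) or a clean installation, and a clean rpm -Va does not prove the binaries are untouched.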
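A review of the scheduled tasks and cron-based back doors from steps 7 and 8, as an added shell example that is not part of the original answer. It normalises the system crontab (which carries a user field) and the per-user spool files (where the file name is the user) into one "user, schedule, command" list, handling @reboot-style entries, and then flags jobs that run from world-writable scratch directories (/tmp, /var/tmp, /dev/shm) or whose program file is itself world-writable. The crontab contents, spool files and the agent program are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example: steps 7 and 8, listing and flagging cron jobs.

# Build a constructed crontab, spool dir and a world-writable program; print the dir.
make_cron_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/spool"
    printf '#!/bin/sh\n' > "$dir/agent"
    chmod 0666 "$dir/agent"   # world-writable program: anyone can replace what root runs
    cat > "$dir/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root /tmp/.x/update.sh
@reboot root $dir/agent --daemon
0 3 * * * backup /usr/bin/rsync -a /home /backup
EOF
    printf '30 2 * * * /usr/bin/find /var/log -mtime +30 -delete\n' > "$dir/spool/root"
    printf '* * * * * /dev/shm/.m\n' > "$dir/spool/www-data"
    echo "$dir"
}

# Usage: parse_crontab <file> [<user>]
# With a user the file is a per-user spool file (schedule + command); without one it
# is the system crontab, whose field after the schedule is the user.
# Output lines: <user> TAB <schedule> TAB <command>
parse_crontab() {
    awk -v user="$2" '
        /^[[:space:]]*(#|$)/ { next }                     # comments and blank lines
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }   # SHELL=, PATH=, MAILTO= ...
        {
            if ($1 ~ /^@/) { sched = $1; n = 1 }          # @reboot, @daily, ...
            else { sched = $1 " " $2 " " $3 " " $4 " " $5; n = 5 }
            if (user == "") { u = $(n + 1); n++ } else { u = user }
            cmd = ""
            for (i = n + 1; i <= NF; i++) cmd = cmd (i > n + 1 ? " " : "") $i
            print u "\t" sched "\t" cmd
        }' "$1"
}

# Usage: list_cron_jobs <system crontab> <spool dir>
list_cron_jobs() {
    if [ -f "$1" ]; then parse_crontab "$1"; fi
    if [ -d "$2" ]; then
        for f in "$2"/*; do
            [ -f "$f" ] && parse_crontab "$f" "$(basename "$f")"
        done
    fi
    return 0
}

# Usage: flag_cron_jobs <system crontab> <spool dir>
# Prints SCRATCHDIR or WORLDWRITABLE followed by the job for entries worth a look.
flag_cron_jobs() {
    tab=$(printf '\t')
    list_cron_jobs "$1" "$2" | while IFS="$tab" read -r user sched cmd; do
        case "$cmd" in
            /tmp/*|*" /tmp/"*|/var/tmp/*|*" /var/tmp/"*|/dev/shm/*|*" /dev/shm/"*)
                printf 'SCRATCHDIR\t%s\t%s\t%s\n' "$user" "$sched" "$cmd"
                continue ;;
        esac
        prog=${cmd%% *}   # first word of the command
        if [ -f "$prog" ] && [ -n "$(find "$prog" -prune -perm -0002 -print 2>/dev/null)" ]; then
            printf 'WORLDWRITABLE\t%s\t%s\t%s\n' "$user" "$sched" "$cmd"
        fi
    done
    return 0
}

# Demo on the constructed files.
dir=$(make_cron_sample)
flag_cron_jobs "$dir/crontab" "$dir/spool"
rm -rf "$dir"
```

On a real host call list_cron_jobs /etc/crontab /var/spool/cron (Debian-style systems keep the spool under /var/spool/cron/crontabs), and read the full list rather than only the flagged lines: the flags catch the obvious cases, while a job that points at a normal-looking path under /usr/local/bin still needs the rpm -V and md5sum checks from steps 4 and 5. The files under /etc/cron.* from step 7 are run-parts directories of scripts rather than crontab-format files, so list them with ls and review them by hand.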