Quickly checking whether a Windows or Linux system has been compromised

1、 Windows

1. Hidden or abnormal users

Taking Windows as the example: right-click Computer -> Manage -> Local Users and Groups. If a user or group name carries a $ sign, that user/group is hidden and the system has probably been compromised. (The original article shows a screenshot here.)

2. Abnormal processes

Use Task Manager to check for abnormal processes. For example, after a phpStudy installation is compromised, processes with names such as 12345.exe may appear, or temporary files from a temp directory may be running as administrator.

If phpStudy is installed, also check for processes whose names are just digits.

3. Abnormal scripts or executable files

Check common Windows system directories such as C:\Windows and C:\Windows\System32 for large numbers of abnormal scripts or executable files.

4. Abnormal processes consuming CPU

Pay attention to the process description and to the account a process runs under, in particular whether it is running with SYSTEM or administrator privileges.

Windows Security Advice

Change the default Remote Desktop port.

Do not use weak passwords.

Do not install software of unknown origin (such as "cracked" or repackaged "green" portable versions).

Install the necessary antivirus software.

Run MySQL and MSSQL under ordinary accounts; avoid running them as SYSTEM or administrator.

Disable remote database connections where possible.

Apply system patches promptly through the official update channel.

Summary

Check whether Windows users and groups are abnormal.

In Task Manager, check for processes with high resource usage and for abnormal processes.

Check common directories such as C:\Windows for abnormal scripts or executable files.

Check Event Viewer for logins by abnormal users or from abnormal IP addresses.

Windows processes with PID values 0-999 are system processes.

2、 Linux

1. Abnormal processes

Use the top command to check for processes with high CPU usage. (The original article shows a screenshot of such a process here.)

2. Windows-style directories or executable files appearing on the Linux system

If these were not uploaded by the user, the system or database has very likely been compromised.

3. Check scheduled tasks (crontab)

Use crontab -l to check whether any scheduled task is abnormal. For example, an entry such as 1 20 * * * /bin/rm -rf /home/wwwroot, which deletes the wwwroot directory on a schedule, is suspicious.

View scheduled tasks:

[root@xiaoz home]# crontab -l
*/20 * * * * /usr/sbin/ntpdate pool.ntp.org > /dev/null 2>&1
1 20 * * * /bin/rm -rf /home/wwwroot

4. Check the /etc/init.d/ directory

Check whether there are abnormal files in this directory, or unfamiliar files with execute (x) permission. Use ll -t to sort by modification time, then open recently added, unknown services and analyse their content.

5. Check /etc/rc.local

Use vi /etc/rc.local to check whether abnormal startup entries are loaded there; if any are present, verify whether they are legitimate.

6. Check /etc/passwd

Use vi /etc/passwd to check for abnormal accounts. The third field is the UID: if it is above 500, the account was created later (a regular user); if it is below 500, it is a system user.

Checks with common commands

history: view command history
crontab -l: view scheduled tasks
cat /etc/passwd: view created users
cat /etc/group: view groups
who: currently logged-in users
who /var/log/wtmp: recent logins
screen -ls: list all screen sessions
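The crontab and /etc/passwd checks above can be turned into small filters. The following is an added example, not code from the original article: two shell functions that read crontab or passwd text from stdin and print the entries worth a closer look. It goes slightly beyond the article by also flagging non-root UID 0 accounts and by making the UID threshold configurable (the article's 500; newer distributions start ordinary users at 1000). The sample data is constructed, modelled on the article's crontab listing.

```shell
#!/bin/sh
# Added example, not part of the original article: helpers that apply the crontab and
# /etc/passwd checks to text read from stdin, so they can run against the live system
# ("crontab -l | flag_cron", "flag_passwd < /etc/passwd") or against saved copies.

# Print crontab lines that schedule destructive or download-and-run commands
# (rm -rf, curl/wget piped into a shell, base64-decoded payloads).
flag_cron() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' \
        | grep -E 'rm[[:space:]]+-[a-zA-Z]*(rf|fr)|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)' \
        || true   # no match is not an error
}

# Print /etc/passwd accounts worth reviewing: any UID 0 account other than root
# (UID0:), and any account at or above the "created later" UID threshold that
# still has a login shell (USER:). The article's threshold is 500; newer
# distributions start ordinary users at 1000, so pass it as $1 when needed.
flag_passwd() {
    awk -F: -v t="${1:-500}" '
        $3 == 0 && $1 != "root"              { print "UID0:" $1; next }
        $3 >= t && $7 !~ /(nologin|false)$/  { print "USER:" $1 }
    '
}

# Constructed sample data (not from a real system), modelled on the article's listing.
SAMPLE_CRON='*/20 * * * * /usr/sbin/ntpdate pool.ntp.org > /dev/null 2>&1
1 20 * * * /bin/rm -rf /home/wwwroot
# 0 3 * * * /usr/local/bin/backup.sh'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mysql:x:27:27:MySQL:/var/lib/mysql:/sbin/nologin
www:x:501:501::/home/www:/bin/bash
backup:x:600:600::/home/backup:/sbin/nologin
toor:x:0:0::/:/bin/sh'

# Run both filters over the sample data when the script is executed directly.
printf '%s\n' "$SAMPLE_CRON"   | flag_cron
printf '%s\n' "$SAMPLE_PASSWD" | flag_passwd
```

Anything printed is a lead for manual review, not proof of compromise: the rm -rf entry above is suspicious because of what it targets, and a UID 0 account other than root should always be explained.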

Linux Security Advice

Do not run one-click installation scripts of unknown origin.

Avoid using root directly.

Use a more complex password, or log in with an SSH key.

Change the default SSH port.

Disable remote database connections.

Summary

Check the /etc/init.d/ directory for abnormal files or permissions.

crontab -l: check for abnormal scheduled tasks.

top: check for abnormal processes.

who /var/log/wtmp: check recent logins for abnormal IP addresses.

Linux processes with PID values 0-299 are system processes.

Experience:

1. Windows processes with PID values 0-999 are system processes; Linux processes with PID values 0-299 are system processes. If a process name looks like a system process but its PID is very high, the process may be forged and should be verified.

2. Become familiar with the common process names on Windows and Linux.
