The main way to detect malware: first run top and see whether any process is using a lot of CPU.
- 1. Look at /proc/<pid>/cwd to see which directory the process runs in, and check that directory for suspicious files. cwd (and exe, the binary itself) are symlinks, so cat does not work on them; use ls -l or readlink:
  ls -l /proc/<pid>/cwd /proc/<pid>/exe
  Before deleting anything: kill the process (deleting its binary does not stop a process that is already running) and keep a copy of the file for analysis.
  rm files <-- rm needs write permission on the parent directory, not on the file; chmod the directory if needed. If root still cannot remove the file, check its attributes with lsattr
  lsattr files <-- an "i" (immutable) or "a" (append-only) flag blocks deletion even for root; if present, remove it
  chattr -i -a files <-- remove the immutable and append-only flags, then rm again
  rm files
- 2. Mount the backup and compare files.
  mkdir /mnt/backfil/ <-- make a directory to mount at
  ls /dev/vd* <-- list the block devices (virtio disks) and find the backup device
  mount -o ro /dev/vdc1 /mnt/backfil <-- mount the backup device read-only so nothing on it can be changed
  cd / <-- go to the root directory
  rsync -avn /mnt/backfil/ ./ | less <-- list the files that differ. -n (dry run) is important: without it the backup overwrites the live system. Add -c to compare by checksum, since an attacker can reset a file's mtime to hide an edit, and --delete to also list files that exist on the live system but not in the backup (newly dropped files).
- 3. Go through the differences and look for suspicious files, e.g. files in /etc/ or service executables; copy the originals back from the backup.
- Example: /etc/ssh/ has been changed, rsync it back from the mount:
  cd /etc/ssh/
  rsync -av /mnt/backfil/etc/ssh/ ./
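The whole procedure above as shell functions, added here as an example (not part of the original page). It assumes Linux with /proc, rsync and e2fsprogs (lsattr/chattr) installed, and a backup already mounted read-only at the path you pass in (the page uses /mnt/backfil). Compared with the page's commands, the dry run adds -c (checksum) and --delete, both real rsync options, so that edits with a reset mtime and files that exist only on the live system also show up. Run with no arguments it builds a constructed backup/live pair in a temp directory and prints the dry-run comparison; run as `sh triage.sh <pid> <backup mount> <live root>` it does the real triage.

```shell
#!/bin/sh
# Added example (not from the original page): the triage steps as shell functions.
# Assumes Linux with /proc, rsync and e2fsprogs (lsattr/chattr), and a backup
# already mounted read-only at a path you pass in, e.g. /mnt/backfil.

# Step 1: where does a suspicious PID (picked from top) run, and which binary is it?
# /proc/<pid>/cwd and /proc/<pid>/exe are symlinks: readlink shows the target, cat does not.
proc_cwd() { readlink "/proc/$1/cwd"; }
proc_exe() { readlink "/proc/$1/exe"; }   # ends in " (deleted)" if the binary was unlinked while running

# Step 1b: remove a dropped file even if it was made immutable or append-only.
# Unlinking needs write permission on the parent directory, not on the file; what
# blocks root is chattr +i / +a, so clear those flags first (needs CAP_LINUX_IMMUTABLE).
# This destroys evidence: copy the file elsewhere and kill the process before calling it.
force_rm() {
    f=$1
    if command -v lsattr >/dev/null 2>&1 && attrs=$(lsattr -d "$f" 2>/dev/null); then
        case "${attrs%% *}" in          # first field is the flag string, e.g. ----i---------e-------
            *i*|*a*) chattr -i -a "$f" ;;
        esac
    fi
    rm -f -- "$f"
}

# Step 2: dry-run compare the backup against the live tree. -n makes no changes;
# -c compares content by checksum so a reset mtime cannot hide an edit; --delete
# also lists files present on the live system but not in the backup ("*deleting ..."),
# which is where newly dropped files appear; -i itemizes why each path differs.
compare_with_backup() {   # compare_with_backup /mnt/backfil /
    rsync -ainc --delete "${1%/}/" "${2%/}/"
}

# Step 3: put one directory back to its backup state once it is confirmed tampered.
# --delete also removes files the attacker added there (e.g. an extra key file).
restore_dir() {           # restore_dir /mnt/backfil / etc/ssh
    rsync -a --delete "${1%/}/$3/" "${2%/}/$3/"
}

triage() {                # triage <pid> <backup mount> <live root>
    echo "pid $1: cwd=$(proc_cwd "$1") exe=$(proc_exe "$1")"
    ls -la "$(proc_cwd "$1")"
    compare_with_backup "$2" "$3"
}

# Constructed demo data (not from a real incident): a backup tree and a live tree
# where sshd_config was edited and a hidden file was dropped under var/tmp.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/backup/etc/ssh" "$tmp/live/etc/ssh" "$tmp/live/var/tmp"
    printf 'PermitRootLogin no\n'  > "$tmp/backup/etc/ssh/sshd_config"
    printf 'PermitRootLogin yes\n' > "$tmp/live/etc/ssh/sshd_config"
    printf 'not a real payload\n'  > "$tmp/live/var/tmp/.x"
    echo "== dry-run differences (backup vs live) =="
    compare_with_backup "$tmp/backup" "$tmp/live"
    rm -rf "$tmp"
}

case "$#" in
    0) demo ;;                      # no arguments: run the constructed self-demo
    3) triage "$1" "$2" "$3" ;;     # sh triage.sh <pid> /mnt/backfil /
esac
```

In the demo output the edited config shows up as a `>f` item for etc/ssh/sshd_config and the dropped file as `*deleting var/tmp/.x`; without --delete the second line would not appear at all, which is the gap in a plain `rsync -avn` comparison.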
