Tuesday, July 12, 2011

inittab file and the init process

1. The init process
(1) init is the first user-level process started by the kernel. Once the kernel has booted (been loaded into memory, started running, and initialized all device drivers and data structures), it starts init, and every other user-level process or service is then started through init. init therefore always has PID 1 and is the ancestor of all other processes. init is configured through the /etc/inittab file.
(2) The kernel looks for init in the several places where it has been installed in the past; its correct location on Linux systems is /sbin/init. If the kernel cannot find init it tries to run /bin/sh, and if that fails too, the system fails to boot.
2. The /etc/inittab file in detail
Entry format (4 fields): label:runlevel:action:command (process)
label
The label is an arbitrary sequence of 1 to 4 characters that identifies the entry; it must be unique within the file. Some systems only support 2-character labels, so most people limit labels to 2 characters or fewer. The label can be any string, but in practice certain labels are conventional; Red Hat Linux uses the following:
id
defines the default init run level
si
the system initialization process
ln
where n is 1 to 6: the process that brings the system into run level n
ud
the update process
ca
the process run when Ctrl+Alt+Del is pressed
pf
the process run when the UPS signals a power failure
pr
the process run when the UPS signals that power was restored before the system actually shut down
x
the process that brings the system into the X terminal

runlevel
1) Specifies the run levels at which the entry's process is valid.
2) Each process started by the init command is assigned one or more run levels in which it can run.
3) Run levels are indicated by the digits 0-9.
a. If the system is in run level 1, only entries whose run level field contains 1 are started.
b. If the run level field is empty, the entry applies to all run levels.
4) When init is asked to change run level, all processes whose entries do not list the target run level receive a warning signal (SIGTERM); they are then given a 20-second grace period before being forcibly terminated with the kill signal (SIGKILL).
5) The run level field can list several run levels for one process, in any combination of 0-9. If no run level is specified, the process is assumed valid at all run levels.
6) Four other values may appear in the run level field even though they are not true run levels: a, b, c and h. Entries with these characters are run only when the telinit command requests them (with the current system run level). They differ from init's own run levels in that init can never enter run level a, b, c or h, and none of these requests changes the current run level. In addition, when init changes run level, processes started by an a, b or c request are not killed. Such processes are only killed when their action field in /etc/inittab is changed to off, their line is removed from /etc/inittab entirely, or init enters single-user mode.
Note: this field specifies the run levels. More than one run level may be given, and the field may also be left empty instead of naming specific values.

action
(purpose: tells init how to handle the process named in the process field)
1) respawn: if the process does not exist, start it and do not wait for it to terminate (continue scanning /etc/inittab). If it dies, restart it. If the process already exists, continue scanning /etc/inittab.
Example: "5:2345:respawn:/sbin/mingetty tty5"
Explanation: init opens a local terminal; when nobody logs in on that terminal for a long time, or no key is pressed for a long time, the terminal process exits. respawn tells init to run the terminal again; otherwise, after a while, you would find that the terminal is gone and Alt+F5 no longer switches to it.
2) wait: when init enters a run level matching the entry, start the process and wait for it to terminate. As long as init stays in that run level, every subsequent read of /etc/inittab causes init to ignore this entry.
3) once: when init enters a run level matching the entry, start the process and do not wait for it to terminate. When it dies, do not restart it. When the system enters a new run level and the process is still running from the previous run level change, do not restart it.
4) boot: the entry is run only during system boot, when init reads /etc/inittab at start-up, so its run level field is ignored. Start the process, do not wait for it to terminate, and do not restart it when it dies. For this to be meaningful, the run level must be the default, or it must match init's run level at boot. This action is useful for things that should be restarted after hardware initialization.
5) bootwait: run the entry once, the first time init goes from single-user to multi-user state at system boot. Start the process, wait for it to terminate, and do not restart it when it dies. If initdefault is 2, the process runs directly after boot.
6) powerfail: run the process associated with this entry only when init receives a power-fail signal (SIGPWR); init does not wait for the process to finish (not listed by default in Red Hat Linux).
7) powerwait: run the process associated with this entry only when init receives a power-fail signal (SIGPWR), to shut the system down (provided, of course, that there is a UPS, and software that monitors it and tells init the power has been cut); init waits for the process to terminate before continuing to process /etc/inittab (not listed by default in Red Hat Linux).
8) off
if the process associated with this entry is currently running, send it a warning signal (SIGTERM), then wait 20 seconds before terminating it with the kill signal (SIGKILL). If the process is not running, ignore the entry.
9) ondemand
functionally the same as respawn, but this action applies to the a, b or c values rather than to run levels.
10) initdefault
an entry with this action is scanned when init is first invoked. If one exists, init uses it to determine the initial run level to enter; entering that run level activates the corresponding processes, so this entry's process field has no meaning. Normally the run level field is used, and the highest run level given is taken as the initial state. If the run level field is empty, it is interpreted as 0123456789, so init enters run level 9. If init finds no initdefault entry in /etc/inittab, it asks the user for an initial run level on the console at boot.
11) sysinit
entries of this type are executed before init tries to access the console. They are only used to initialize devices for which init may later ask the run level. These entries are executed and waited for before init continues.
12) ctrlaltdel
when the user presses Ctrl+Alt+Del on the console keyboard, init is allowed to restart the system.
Note: if the system is in a public place, the administrator can configure a different behaviour for Ctrl+Alt+Del, such as ignoring it.
13) kbrequest
take an action when a specific keyboard combination is pressed; this is not yet well supported.


command
The specific command to execute. For example, in the file shown below, the /etc/init.d/rc command is run to start the processes that should run in run level 2, and it is responsible for terminating them when that run level is exited (except, of course, for programs that are still running in the new run level). When the run level changes and a running program is not listed for the new run level, init first sends it SIGTERM to terminate it, then SIGKILL.

inittab file as follows:
#
# inittab       This file describes how the INIT process should set up
#               the system in a certain run-level.
#
# Author:       Miquel van Smoorenburg, <miquels@drinkel.nl.mugnet.org>
#               Modified for RHS Linux by Marc Ewing and Donnie Barnes
#

# Default runlevel. The runlevels used by RHS are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
#   3 - Full multiuser mode
#   4 - unused
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
#
id:3:initdefault:

# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit

l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6

# Things to run in every runlevel.
ud::once:/sbin/update

# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now

# When our UPS tells us power has failed, assume we have a few minutes
# of power left.  Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"

# If power was restored before the shutdown kicked in, cancel it.
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"

# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6

# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon

Note: the comments in the file above have been edited to keep the formatting consistent.
[Understanding run levels]

runlevel
Represents the state of the system after the init process finishes. The run level is not fixed by the system's hardware; it is purely a software construct. init and inittab are the only things that make the run level affect the system state. In the example inittab above, the comments at the top mainly describe the run levels:
1) runlevel = 0: init shuts the system down and terminates all processes

2) runlevel = 1: single-user mode; only the system administrator enters this mode, to handle things like files that cannot be changed while users are logged on. The run level number 1 can also be replaced by S or s. Only minimal services run, so this run level is often used for system maintenance

3) runlevel = 2: multi-user mode without file sharing; this mode is rarely used

4) runlevel = 3: multi-user mode with file sharing; this is also the default mode of most servers

5) runlevel = 4: generally not used by the system; users can design their own system state and assign it to run level 4. Although rarely used, it can be used to meet particular login requirements

6) runlevel = 5: the system is initialized into a dedicated X Window terminal. For a powerful Linux system this is not a good choice, but if the user wants it, the program can be started at this run level

7) runlevel = 6: terminate all running processes and restart the system

process
This field contains the process init executes, in the same format as a command line: the field begins with the name of the process to run, followed by the arguments to pass to it at run time. For example, /sbin/shutdown -t3 -r now is the process executed when Ctrl+Alt+Del is pressed; the same command can also be typed on the command line to restart the system.
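The field rules above, turned into a small checker. This is an added example and not code from the original article; the sample inittab is constructed here, following the Red Hat layout quoted above.

```shell
#!/bin/sh
# Added example, not part of the original article: a small inittab checker
# built from the field rules described above. The sample file is constructed
# here; it follows the Red Hat layout quoted in the article.

SAMPLE_INITTAB='id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5
ud::once:/sbin/update
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
x:5:respawn:/etc/X11/prefdm -nodaemon'

# default_runlevel: print the run level from the initdefault entry read on
# stdin. An empty run level field means the highest, which init treats as 9.
default_runlevel() {
  awk -F: '$3 == "initdefault" { print ($2 == "" ? 9 : $2); exit }'
}

# entries_at LEVEL: print "label action process" for every entry init would
# consider when entering LEVEL: run level field empty (all levels) or
# containing LEVEL. Boot-time actions are skipped since their field is ignored.
entries_at() {
  awk -F: -v lvl="$1" '
    /^[ \t]*(#|$)/ { next }                               # comments, blank lines
    $3 ~ /^(sysinit|boot|bootwait|initdefault)$/ { next }
    $2 == "" || index($2, lvl) > 0 {
      proc = $4
      for (i = 5; i <= NF; i++) proc = proc ":" $i         # keep colons in the command
      print $1, $3, proc
    }'
}

# lint_inittab: report the mistakes the article warns about (labels longer
# than 4 characters, duplicate labels, initdefault pointing at halt/reboot,
# unknown actions, no initdefault at all). One finding per line on stdout;
# exit status 1 if anything was found.
lint_inittab() {
  awk -F: '
    /^[ \t]*(#|$)/ { next }
    { n++ }
    length($1) > 4 { print "line " NR ": label \"" $1 "\" longer than 4 characters"; bad = 1 }
    seen[$1]++ { print "line " NR ": duplicate label \"" $1 "\""; bad = 1 }
    $3 == "initdefault" { defaults++ }
    $3 == "initdefault" && $2 ~ /[06]/ {
      print "line " NR ": initdefault run level " $2 " would halt or reboot at boot"; bad = 1
    }
    $3 !~ /^(respawn|wait|once|boot|bootwait|powerfail|powerwait|powerokwait|off|ondemand|initdefault|sysinit|ctrlaltdel|kbrequest)$/ {
      print "line " NR ": unknown action \"" $3 "\""; bad = 1
    }
    END {
      if (n && !defaults) { print "no initdefault entry: init will ask for a run level at boot"; bad = 1 }
      exit bad
    }'
}
```

Run it against the real file with `lint_inittab < /etc/inittab` on a system that still uses SysV init.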

Apache mod_proxy reverse proxy

Setting up a reverse proxy for a domain (say www.selboo.com.cn) on a machine running Apache,
with mod_proxy. Having just learned about it,
I read the documentation
and wrote the following configuration:

<VirtualHost *:80>
    ServerName www.selboo.com.cn
    ProxyPass / http://www.selboo.com.cn/
    ProxyPassReverse / http://www.selboo.com.cn/
    CustomLog logs/access_abc_log combined

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>

Then the system httpd.conf has to be modified
to enable mod_proxy and mod_proxy_http.
Then there is one more step.
Because the real server for www.selboo.com.cn sits on the intranet this server is connected to (internal IP 192.168.1.100), and the ProxyPass target uses the same host name as the ServerName, the proxy must resolve that name to the internal address rather than to itself,
so vim /etc/hosts
and write
192.168.1.100 www.selboo.com.cn
Then restart Apache.
Keep ProxyRequests Off (the default): with <Proxy *> allowing everyone, turning it on would make this server an open forward proxy.

A summary of Linux keyboard shortcuts

Windows provides many keyboard shortcuts; does Linux have them too? Linux shortcuts differ between terminals, and many of them make a Linux user's work easier. A brief introduction follows:
In the console / virtual terminal
1. Ctrl-Alt-Delete: shut down the computer
2. Alt-Fn (F1, F2, F3, ...): switch to console n
3. Alt-Left or Alt-Right: switch to the previous / next virtual terminal
4. Scroll Lock: lock terminal input/output. When output scrolls past too quickly, this key freezes the screen; press Scroll Lock again to unlock.
There is another way to achieve the same thing: Ctrl-S locks the screen and Ctrl-Q unlocks it. If your console suddenly stops responding for no apparent reason, try this unlock shortcut; you may have pressed Ctrl-S by accident and frozen the screen.
5. Shift-Page Up or Shift-Page Down: scroll through the console buffer. This is also useful for reading boot messages. Switching consoles with Alt-Fn discards the buffer contents, after which scrolling no longer works.
6. Ctrl-L: redraw the screen.
7. Ctrl-C or Ctrl-\: kill the current task
8. Ctrl-D: acts as end-of-file (EOF). With the cursor on an empty command line it exits bash, which is faster than typing exit.
9. Ctrl-Z: suspend the process. Use bg to continue it in the background or fg to bring it back to the foreground.
bash and the command line
1. Ctrl-A: move the cursor to the beginning of the command line.
2. Ctrl-E: move the cursor to the end of the command line.
3. Ctrl-U: delete all characters before the cursor on the command line.
4. Ctrl-W: delete the word to the left of the cursor
5. Ctrl-Y: paste back what was deleted by Ctrl-U, Ctrl-K or Ctrl-W.
6. Ctrl-R: incremental search of the command history for the characters typed next.
7. Tab: command-line completion; completes the current command line. If completion scripts are enabled, command arguments and options can be completed as well.
8. Ctrl-K: delete the characters from the cursor to the end of the line.
Kernel shortcuts
The following shortcuts only work if they were enabled in the kernel,
and the magic key combination (SysRq) must be switched on:
Enable SysRq:
$ echo 1 | sudo tee /proc/sys/kernel/sysrq
Disable SysRq:
$ echo 0 | sudo tee /proc/sys/kernel/sysrq
(The write itself must run as root: with "sudo echo 1 > /proc/sys/kernel/sysrq" the redirection is done by the unprivileged shell and fails, so tee is used.) Note that once SysRq is enabled, anyone at the console keyboard can use these keys, including the reboot below.
1. Alt-SysRq-S: sync all mounted file systems; all cached data is written to disk immediately.
2. Alt-SysRq-U: remount all mounted file systems read-only.
3. Alt-SysRq-B: reboot immediately. Do not use it without syncing and remounting read-only first, or serious file system damage will result.
4. Alt-SysRq-S, then Alt-SysRq-U, then Alt-SysRq-B: sync all file systems, remount them read-only, and reboot immediately. This is the fastest way to restart Linux.
5. Alt-SysRq-H: print the list of the other magic SysRq functions.
That is about it for Linux keyboard shortcuts. Using them well improves our efficiency.

ulimit parameters explained

The ulimit command manages different types of system resources through a number of options. This section explains how these options are used.
The ulimit command format is: ulimit [options] [limit]
The meaning of each option, with a simple example, is given in the following table.

Table 1. ulimit option descriptions
Option  Meaning                                                                     Example
-H      Set a hard resource limit; once set it cannot be raised.                    ulimit -Hs 64; hard limit: thread stack size is 64 KB.
-S      Set a soft resource limit; it can be raised, but not above the hard limit.  ulimit -Sn 32; soft limit: 32 file descriptors.
-a      Show all current limits.                                                    ulimit -a; show all current limit information.
-c      Maximum core file size, in blocks.                                          ulimit -c unlimited; no limit on the size of generated core files.
-d      Maximum process data segment size, in KB.                                   ulimit -d unlimited; no limit on the process data segment size.
-f      Maximum size of files the process may create, in blocks.                    ulimit -f 2048; the largest file the process may create is 2048 blocks.
-l      Maximum locked memory size, in KB.                                          ulimit -l 32; limit locked memory to 32 KB.
-m      Maximum memory size, in KB.                                                 ulimit -m unlimited; no limit on memory.
-n      Maximum number of open file descriptors.                                    ulimit -n 128; at most 128 file descriptors.
-p      Pipe buffer size, in KB.                                                    ulimit -p 512; pipe buffer size is 512 KB.
-s      Thread stack size, in KB.                                                   ulimit -s 512; thread stack size is 512 KB.
-t      Maximum CPU time, in seconds.                                               ulimit -t unlimited; no limit on CPU time.
-u      Maximum number of user processes.                                           ulimit -u 64; the user may run at most 64 processes.
-v      Maximum amount of virtual memory for the process, in KB.                    ulimit -v 200000; at most 200000 KB of virtual memory.
An unprivileged user can only lower a hard limit; raising it again requires root.
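The soft/hard relationship in the table, exercised on the open-files limit. This is an added example and not code from the original article; it assumes a POSIX shell whose ulimit supports -S, -H and -n (bash and dash both do).

```shell
#!/bin/sh
# Added example (not from the original article): the soft/hard relationship in
# the table above, exercised on the open-files limit (-n), which an ordinary
# user may lower without privileges. Everything runs in a subshell so the
# caller's own limits are left untouched.

# ulimit_demo: prints "<soft> <hard>" after the steps below; returns 1 if
# any step behaves differently from what the table says.
ulimit_demo() (
  # The soft limit must be set first: the kernel rejects a hard limit that is
  # lower than the current soft limit (setrlimit fails with EINVAL).
  ulimit -S -n 150 || exit 1
  ulimit -H -n 200 || exit 1        # lowering the hard limit: allowed for any user
  ulimit -S -n 180 || exit 1        # raising the soft limit, still below hard: allowed
  if ulimit -S -n 300 2>/dev/null; then
    exit 1                          # soft above hard is rejected, even for root
  fi
  ulimit -H -n 190 || exit 1        # hard can still go down (only root could raise it)
  echo "$(ulimit -S -n) $(ulimit -H -n)"
)

# show_limits: the limits a new shell would start with, in the table's units.
show_limits() {
  printf 'core (blocks): soft %s hard %s\n' "$(ulimit -S -c)" "$(ulimit -H -c)"
  printf 'open files:    soft %s hard %s\n' "$(ulimit -S -n)" "$(ulimit -H -n)"
  printf 'stack (KB):    soft %s hard %s\n' "$(ulimit -S -s)" "$(ulimit -H -s)"
}
```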

Defending against SYN attacks on Linux

Web hosting providers may be attacked during operation; common attack methods include SYN floods, DDoS and so on. Changing IP addresses so that the attacked site can no longer be found may avoid the attack, but interrupts service for a long time. A more thorough solution is a hardware firewall, but hardware firewalls are expensive. The firewall provided by the Linux system itself can be used to defend instead.
A SYN attack abuses the TCP/IP three-way handshake: the attacker sends a large number of connection-establishing packets but never actually completes the connections, until the attacked server's connection queue fills up and normal users can no longer connect.
The Linux kernel provides several SYN-related settings; view them with the command: sysctl -a | grep syn
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
tcp_max_syn_backlog is the length of the SYN queue; tcp_syncookies is a switch that turns on the SYN cookie feature, which can defeat some SYN attacks; tcp_synack_retries and tcp_syn_retries define the number of SYN retries. Increasing the SYN queue length accommodates more connections waiting to be established, enabling SYN cookies fends off some SYN attacks, and reducing the retry counts has some effect as well.
To adjust these settings:
Increase the SYN queue length to 2048:
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
Enable SYN cookies:
sysctl -w net.ipv4.tcp_syncookies=1
Reduce the number of retries:
sysctl -w net.ipv4.tcp_synack_retries=3
sysctl -w net.ipv4.tcp_syn_retries=3
To keep this configuration across reboots, these commands can be added to the /etc/rc.d/rc.local file.
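A check that reads the "sysctl -a | grep syn" output above and reports which of the four settings still have the weak values. This is an added example, not from the article; the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): checks "sysctl -a | grep syn"
# output against the values recommended above. The sample below is constructed
# and shows the weak defaults quoted in the article.

SAMPLE_SYSCTL='net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5'

# check_syn_sysctl: reads "key = value" lines on stdin, prints one finding per
# weak or missing setting, and returns 1 if anything needs changing.
check_syn_sysctl() {
  awk -F' *= *' '
    function bad(msg) { print "WEAK: " msg; n++ }
    $1 == "net.ipv4.tcp_max_syn_backlog" {
      seen[$1] = 1; if ($2 + 0 < 2048) bad("SYN backlog " $2 " is below 2048")
    }
    $1 == "net.ipv4.tcp_syncookies" {
      seen[$1] = 1; if ($2 + 0 != 1) bad("SYN cookies are disabled")
    }
    $1 ~ /^net\.ipv4\.tcp_syn(ack)?_retries$/ {
      seen[$1] = 1; if ($2 + 0 > 3) bad($1 " = " $2 " allows too many retries (want <= 3)")
    }
    END {
      split("net.ipv4.tcp_max_syn_backlog net.ipv4.tcp_syncookies " \
            "net.ipv4.tcp_synack_retries net.ipv4.tcp_syn_retries", want, " ")
      for (i in want) if (!(want[i] in seen)) { print "MISSING: " want[i]; n++ }
      exit n > 0
    }'
}

# check_syn_live: the same check against the running kernel (needs sysctl).
check_syn_live() {
  sysctl -a 2>/dev/null | check_syn_sysctl
}
```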
 
Prevent SYN floods (Sync Flood)
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
It can also be written as
# iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
--limit 1/s limits the number of SYNs to 1 per second; change it as needed.
Prevent various port scans
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
Ping flood attacks (Ping of Death)
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
Note: these rules only ACCEPT packets within the rate; they limit nothing unless the packets above the rate are dropped, either by a following rule with the same match and -j DROP, or by a DROP policy on the chain.

Getting the MAC addresses of all machines on the same network segment

#!/bin/bash
# send one ARP request to every address; the replies fill the ARP cache
for ((i = 1; i < 254; i++))
do
        arping -I eth0 192.168.0.$i -c 1
done
arp -a > /tmp/mactable.txt
The following is the version after testing and revision:
#!/bin/bash
for i in $(seq 1 255)
do
        # one ping with a 1-second timeout; a host that answers is now in the ARP cache
        ping -c1 -W1 192.168.0.$i > /dev/null 2>&1
        if [ $? -eq 0 ]
        then
                arp -a | grep "(192.168.0.$i)" >> mac.txt
        fi
done

Generating random passwords on Linux

1. Install expect (mkpasswd ships with it)
yum install expect
2. On the command line
mkpasswd -l 32 -d 5 -C 5
The command above generates a 32-character password with at least 5 digits and 5 upper-case letters; a password this strong will take a long time to crack :)
3. Script to generate 30 passwords in a batch
vi pass.sh
#!/bin/bash
i=1
echo "######## Power by gaojinbo.com ##########" > /tmp/passwd.txt
while [ $i -le 30 ]; do
    /usr/bin/mkpasswd -l 32 -d 5 -C 5 >> /tmp/passwd.txt
    let i+=1
done
exit
The script above writes the passwords to the file /tmp/passwd.txt. Since /tmp is world-readable, give the file restrictive permissions (umask 077 before creating it, or chmod 600 afterwards) and delete it once the passwords have been handed out.
Done!
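The same "32 characters, at least 5 digits, at least 5 upper-case letters" policy as the mkpasswd call above, without the expect package. This is an added example and not the post's own script; it assumes GNU or busybox coreutils (tr, fold, shuf, head) and /dev/urandom.

```shell
#!/bin/sh
# Added example (not the original post's script): the policy of the mkpasswd
# call above, implemented with /dev/urandom, plus a checker that verifies a
# password against that policy and a batch writer with a private output file.

# rand_chars CLASS COUNT: COUNT random characters drawn from the tr class CLASS.
rand_chars() {
  LC_ALL=C tr -dc "$1" < /dev/urandom | head -c "$2"
}

# gen_password LEN DIGITS UPPER: generate the required digits and upper-case
# letters, fill the rest from the whole alphabet, then shuffle the characters
# so the required ones are not clustered at the start.
gen_password() {
  len=$1; digits=$2; upper=$3
  rest=$((len - digits - upper))
  [ "$rest" -ge 0 ] || return 1
  {
    rand_chars '0-9' "$digits"
    rand_chars 'A-Z' "$upper"
    rand_chars 'A-Za-z0-9' "$rest"
  } | fold -w 1 | shuf | tr -d '\n'
  echo
}

# check_password PW LEN DIGITS UPPER: return 0 if PW meets the policy.
check_password() {
  pw=$1
  [ "${#pw}" -eq "$2" ] || return 1
  [ "$(printf '%s' "$pw" | LC_ALL=C tr -dc '0-9' | wc -c | tr -d ' ')" -ge "$3" ] || return 1
  [ "$(printf '%s' "$pw" | LC_ALL=C tr -dc 'A-Z' | wc -c | tr -d ' ')" -ge "$4" ] || return 1
}

# gen_batch COUNT FILE: batch use as in pass.sh, but the file is created
# readable only by its owner, since /tmp is world-readable.
gen_batch() {
  count=$1; out=$2
  umask 077
  : > "$out"
  i=0
  while [ "$i" -lt "$count" ]; do
    gen_password 32 5 5 >> "$out"
    i=$((i + 1))
  done
}
```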

The roles of configure / make / make install

When installing software on Linux you use commands such as configure / make / make install; these are the typical build and installation steps of a program generated with GNU autoconf and automake.
./configure is used to detect the characteristics of your target platform; for instance it checks whether you have cc or gcc, and whether the required cc or gcc is present. It is a shell script.
make is used to compile; it reads instructions from the Makefile and compiles.
make install is used to install; it also reads instructions from the Makefile and installs to the specified location.
autoconf and automake are very useful for publishing a C program. If you write a program and want to use automake and autoconf, refer to the related articles on CNGNU.ORG.
1. configure: this step usually generates the Makefile in preparation for the next build step. Parameters can be added after configure to control the installation, for example:
code: ./configure --prefix=/usr
This means the software is installed under /usr: executables go into /usr/bin (instead of the default /usr/local/bin) and resource files into /usr/share (instead of the default /usr/local/share). Some software also lets you set the configuration file location with the --sysconfdir= parameter. Some software accepts parameters such as --with, --enable, --without and --disable to control compilation; ./configure --help shows detailed help.
2. make: this step compiles. Most source packages are compiled in this step (of course, some software written in Perl or Python calls perl or python to build). If errors appear during make, write down the error output (not only the last line); you can then submit a bug report to the developer (usually an address is given in INSTALL), or your system may lack some dependent library, which requires careful study of the error output yourself.
3. make install: this command installs (of course, some software needs make check or make test to run some tests first). This step usually requires root privileges, because it writes files into system directories.

Linux intrusion check utility commands (reposted)

1
pidof finds the PIDs of the running processes started from a file name
# pidof filename
2
fuser shows which processes use a file, or a TCP/UDP port
# fuser -n tcp PORT
3
stat shows a file's modification time, size and other information
# stat filename
4
list the loaded kernel modules
# lsmod
5
list the open RPC services
# rpcinfo -p
6
check whether the network card is in promiscuous mode
# dmesg | grep eth0
7
check whether a command binary has been changed; this is equivalent to comparing md5sums
# rpm -Vf /bin/ls
rpm -Vf /bin/ps normally prints nothing; otherwise it prints something like SM5....T /bin/su
If the rpm database has been modified it is no longer reliable; then compare only against an rpm database from the network or from a CD-ROM,
for example: rpm -Vvp ftp://mirror.site/dir/RedHat/RPMS/fileutils-3.16-10.i386.rpm
The following commonly used commands need to be checked:
/usr/bin/chfn
/usr/bin/chsh
/bin/login
/bin/ls
/usr/bin/passwd
/bin/ps
/usr/bin/top
/usr/sbin/in.rshd
/bin/netstat
/sbin/ifconfig
/usr/sbin/syslogd
/usr/sbin/inetd
/usr/sbin/tcpd
/usr/bin/killall
/sbin/pidof
/usr/bin/find
8
Once it is confirmed that the machine being checked has been hacked, the ideal procedure is:
1. dd a backup of the hard drive
2. mount a drive carrying statically compiled ls, ps, netstat and other common tools
3. use nc to send the output of each step to a remote machine
9
Save a global list of md5sums
find /sbin -type f | xargs md5sum > 1st
Check for changes
md5sum -c 1st | grep -v OK
10
To avoid writing too much on the attacked machine, you can:
1. On another machine, 192.168.20.191, run
nc -L -p 1234 > some_audit_output.log   (note that L is upper-case: listen permanently)
2. On the attacked machine run
command | nc 192.168.20.191 1234
or
script > /mnt/export.log
and press Ctrl+D after the checks to save the record
11
Finding suspicious programs by way of their processes:
1. netstat -anp; this step depends mainly on experience; record everything suspicious
2. cd into the process's directory under /proc, e.g. /proc/3299
3. ls -la; the exe link generally shows the path of the executable
4. then enter the fd directory to look at the file handles, from which the executable can generally be found
5. ps -awx to observe the suspicious processes again
12
If the hacker has deleted the logs:
1. Look for logs that were not removed completely, such as shell history and sniffer logs
2. The /proc/PID/fd directory shows files that have been removed:
l-wx------ 1 root root 64 Aug 10 20:54 15 -> /var/log/httpd/error_log (deleted)
l-wx------ 1 root root 64 Aug 10 20:54 18 -> /var/log/httpd/ssl_engine_log (deleted)
l-wx------ 1 root root 64 Aug 10 20:54 19 -> /var/log/httpd/ssl_mutex.800 (deleted)
l-wx------ 1 root root 64 Aug 10 20:54 20 -> /var/log/httpd/access_log (deleted)
l-wx------ 1 root root 64 Aug 10 20:54 21 -> /var/log/httpd/access_log (deleted)
l-wx------ 1 root root 64 Aug 10 20:54 22 -> /var/log/httpd/ssl_request_log (deleted)
l-wx------ 1 root root 64 Aug 10 20:54 23 -> /var/log/httpd/ssl_mutex.800 (deleted)
lrwx------ 1 root root 64 Aug 10 20:54 3 -> /var/run/httpd.mm.800.sem (deleted)
lrwx------ 1 root root 64 Aug 10 20:54 4 -> /var/log/httpd/ssl_scache.sem (deleted)
3. A statically compiled lsof | grep deleted shows what was deleted
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
gpm 1650 root 1u REG 8,2 5 149743 /var/run/gpm208raa (deleted)
4. Get the file's inode number, here 149743
5. Use the sleuthkit tools to recover it:
df /var gives the disk location, here sda1
icat /dev/sda1 149743
6. Look closely at the recovered file; traces can generally be found
The following makes a compiled program hard to analyze:
gcc -O4 evil.c -o evil
strip ./evil
1. file shows the file type, whether it is statically compiled, and whether it has been stripped
2. strings prints the program's ASCII strings, which can then be searched for on Google
3. strace traces system calls (I don't know how to use this well): strace -p PID
4. gdb (not good at it, because it involves much more)
13
Some processes are hidden from ps but leave traces in /proc; comparing the two finds hidden processes.
The proc pseudo-file system provides a structured interface to /dev/kmem, convenient for system diagnostics and for looking at the environment of every running executable
# ps -ef | awk '{print $2}' | sort -n | uniq > 1
# ls /proc | grep '^[0-9]' | sort -n | uniq > 2
# diff 1 2
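The two /proc checks from items 12 and 13 (descriptors pointing at deleted files, and PIDs present in /proc but absent from ps) as shell functions that work on text, so they can be tested on constructed input and also run on a live system. This is an added example and not part of the reposted article; the sample ls -l and PID lists are constructed.

```shell
#!/bin/sh
# Added example, not part of the reposted article: the two /proc checks above
# (hidden PIDs, and descriptors pointing at deleted files) as functions that
# work on text, so they can be run on constructed input and on a live system.

# hidden_pids PS_PIDS PROC_ENTRIES
# Both arguments are newline-separated lists: the PIDs ps reported and the
# names in /proc. Prints, sorted, every numeric /proc entry ps did not report.
# Values are converted with +0 so the padding ps puts in front of PIDs is ignored.
hidden_pids() {
  awk -v ps="$1" -v proc="$2" 'BEGIN {
    n = split(ps, a, "\n"); for (i = 1; i <= n; i++) seen[a[i] + 0] = 1
    n = split(proc, b, "\n")
    for (i = 1; i <= n; i++)
      if (b[i] ~ /^[0-9]+$/ && !((b[i] + 0) in seen)) print b[i]
  }' | sort -n
}

# hidden_pids_live: the same check against the running system (the page's
# "ps / ls /proc / diff" sequence). A process that exits between the two
# snapshots shows up once; a PID that appears on every run is the real finding.
hidden_pids_live() {
  hidden_pids "$(ps -e -o pid=)" "$(ls /proc)"
}

# deleted_targets: reads "ls -l /proc/PID/fd" lines on stdin and prints
# "FD PATH" for every descriptor whose file has been unlinked.
deleted_targets() {
  sed -n 's/.* \([0-9][0-9]*\) -> \(.*\) (deleted)$/\1 \2/p'
}

# deleted_open_files_live: walks every /proc/PID/fd with readlink and prints
# "PID FD PATH" for unlinked targets. A log removed while the daemon still
# holds it open can be copied back out through /proc/PID/fd/FD.
deleted_open_files_live() {
  for fd in /proc/[0-9]*/fd/*; do
    target=$(readlink "$fd" 2>/dev/null) || continue
    case $target in
      *' (deleted)')
        pid=${fd#/proc/}; pid=${pid%%/*}
        printf '%s %s %s\n' "$pid" "${fd##*/}" "${target% (deleted)}" ;;
    esac
  done
}
```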
14
The emergency toolkit tct contains many tools, including icat and other data recovery tools
If the evidence is on the attacked machine you can mount a hard disk, or back up over the network; the method:
A. On a machine on the network run nc -L -p 1234 > abc.img
B. On the compromised machine run dd if=/dev/hdb5 count=20000 bs=1024 | nc 192.168.0.1 1234 -w 3
If the backup is too large, you can listen on several ports and run several dd copies, then merge the files with cat 2 >> 1.img
15
ldd shows the dynamic libraries an executable depends on, but cannot show libraries it depends on indirectly
[root@rh9bk root]# ldd /bin/ls
libtermcap.so.2 => /lib/libtermcap.so.2 (0x40022000)
libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
strace is a debugging tool that shows all the system calls a program makes while it runs,
[root@rh9bk root]# strace -eopen /bin/ls > /dev/null
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libtermcap.so.2", O_RDONLY) = 3
open("/lib/tls/libc.so.6", O_RDONLY) = 3
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
open("/etc/mtab", O_RDONLY) = 3
open("/proc/meminfo", O_RDONLY) = 3
strace -o out telnet 192.168.100.100
The -o parameter sends strace's output to the file out; the file name can be chosen freely.
Opening the out file we find a lot of system call information; what we mainly care about are the open calls. open is used to open files: not only are the dynamic libraries loaded at start-up opened with it, the configuration files are read through open too. So a simple sed script prints all the open information in out:
sed -n -e '/^open/p' out
The output is as follows:
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libutil.so.1", O_RDONLY) = 3
open("/usr/lib/libncurses.so.5", O_RDONLY) = 3
open("/lib/i686/libc.so.6", O_RDONLY) = 3
open("/etc/resolv.conf", O_RDONLY) = 3
open("/etc/nsswitch.conf", O_RDONLY) = 3
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libnss_files.so.2", O_RDONLY) = 3
open("/etc/services", O_RDONLY) = 3
open("/etc/host.conf", O_RDONLY) = 3
open("/etc/hosts", O_RDONLY) = 3
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libnss_nisplus.so.2", O_RDONLY) = 3
open("/lib/libnsl.so.1", O_RDONLY) = 3
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libnss_dns.so.2", O_RDONLY) = 3
open("/lib/libresolv.so.2", O_RDONLY) = 3
open("/etc/services", O_RDONLY) = 3
open("/root/.telnetrc", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/terminfo/l/linux", O_RDONLY) = 4
From the output we can find several libraries that ldd did not show:
/lib/libnss_dns.so.2,
/lib/libresolv.so.2,
/lib/libnsl.so.1,
/lib/libnss_nisplus.so.2,
/lib/libnss_files.so.2
strace -o aa -ff -p PID produces several files whose names start with aa
grep open aa* | grep -v -e No -e null -e denied | grep WR shows the open calls that opened files for writing.
16
Steps to send logs to a log host:
a. vi /etc/syslog.conf and add *.* @192.168.20.163 to send all logs to 192.168.20.163
b. service syslog restart
c. Install kiwisyslogd on 192.168.20.163
d. Log in remotely and deliberately enter a wrong password; the alarm appears on the log host immediately. You can also watch the traffic with tcpdump port 514
17
If you know the hacker broke in on 09/27:
touch -t 09270000 /tmp/a
find / \( -newer /tmp/a -o -cnewer /tmp/a \) -ls
This lists the files created or changed since that day
18
Full disk copy
dd if=/dev/sda of=/dev/sdb bs=1024
Partition copy (tested)
dd if=/dev/sda1 of=/abc bs=1024   (the image is stored on the root partition, which mount shows to be sda2)
Boot another Linux
type: mount /dev/sda2 /mnt
There you can see the abc file just created; enter: mount abc /tmp -o loop
/tmp now shows the contents of the image file
19 find
Find files containing a given string (binaries can be searched too, as tested; the match is made on the strings in the contents)
find /tmp -type f -exec grep "no exist" {} \; -print
find /etc/rc.d -name '*crond' -exec file {} \;
Find all files under /etc/rc.d whose names end in crond and use the file command to show their properties. Note: there is a space between exec and file, between file and {}, and between {} and \; the \; is one unit.
20
kill -SIGSEGV PID makes the process produce a core file; its contents can be inspected with strings, and a C program can rebuild the executable from it; see the next article under /unix/save. In testing no core file was produced, for unknown reasons.