Friday, March 18, 2011
【 Weak current College 】 How to find intruders on your own computer
How to discover a hacker intrusion in time, locate the intruder and take effective measures. Sections 1 and 2 of this chapter mainly describe the anomalies a network shows when it is attacked and the measures to take; section 3 describes the principle and purpose of intrusion detection and related products; section 4 gives a number of recommendations on network security.
How to find the intruder
Not knowing that the system has been intruded is the worst thing. Here, the UNIX system is used as an example to show how to analyze network anomalies and, on that basis, identify intruders on your network system.
Abnormal access logs
While intruding into and controlling a system, intruders often use scanning tools or manual scanning to probe the system for more information. This scanning behaviour is recorded in the system's service logs. For example: if one IP appears repeatedly in the logs of the system's various services and tries many vulnerabilities, or if one IP repeatedly establishes null connections to several services on the same system, it is very likely that the intruder is gathering information about the versions of those services.
Also note, on UNIX systems, whether someone has accessed services the system does not need, or services that carry a serious security risk such as finger and rpc; or whether the logs of Telnet, FTP, POP3 and other services record a large number of consecutive failed logins, which most likely means the intruder is trying to guess system passwords. These are precursors of an attack!
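As an added example (not code from the original post), the following Python script turns the two signals above into a check: per source IP it counts failed logins and the number of distinct services touched in a set of constructed syslog-style lines. The log format, service names and thresholds are assumptions, not a standard.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not real log data): one host probes
# several services and fails logins repeatedly; another logs in normally.
SAMPLE_LOG = """\
Mar 18 10:01:02 host1 ftpd[2001]: FTP LOGIN FAILED FROM 10.0.0.9, alice
Mar 18 10:01:05 host1 ftpd[2002]: FTP LOGIN FAILED FROM 10.0.0.9, alice
Mar 18 10:01:09 host1 ftpd[2003]: FTP LOGIN FAILED FROM 10.0.0.9, root
Mar 18 10:01:15 host1 telnetd[2010]: connect from 10.0.0.9
Mar 18 10:01:20 host1 ipop3d[2011]: Login failed user=bob host=10.0.0.9
Mar 18 10:01:22 host1 ipop3d[2012]: Login failed user=bob host=10.0.0.9
Mar 18 10:01:30 host1 fingerd[2013]: connect from 10.0.0.9
Mar 18 10:02:00 host1 ftpd[2020]: FTP LOGIN FROM 10.0.0.5, carol
Mar 18 10:02:10 host1 ipop3d[2021]: Login user=carol host=10.0.0.5
"""

# "Mon DD HH:MM:SS host service[pid]: message" (assumed layout)
LINE_RE = re.compile(r"^\S+ \d+ \S+ \S+ (?P<svc>[a-z0-9]+)\[\d+\]: (?P<msg>.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FAIL_WORDS = ("failed", "failure", "invalid")
RISKY_SERVICES = {"fingerd", "rpcbind", "portmap"}  # assumed daemon names


def analyze(log_text, fail_threshold=3, service_threshold=3):
    """Return {ip: {"services": [...], "failures": n, "flags": [...]}}."""
    per_ip = defaultdict(lambda: {"services": set(), "failures": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ip_m = IP_RE.search(m["msg"])
        if not ip_m:
            continue  # no source address to attribute the event to
        rec = per_ip[ip_m.group(1)]
        rec["services"].add(m["svc"])
        if any(w in m["msg"].lower() for w in FAIL_WORDS):
            rec["failures"] += 1
    report = {}
    for ip, rec in per_ip.items():
        flags = []
        if rec["failures"] >= fail_threshold:
            flags.append("password-guessing")   # many consecutive failures
        if len(rec["services"]) >= service_threshold:
            flags.append("service-scan")        # one IP across many services
        if rec["services"] & RISKY_SERVICES:
            flags.append("risky-service")       # touched finger/rpc-type daemons
        report[ip] = {"services": sorted(rec["services"]),
                      "failures": rec["failures"], "flags": flags}
    return report


if __name__ == "__main__":
    for ip, rec in analyze(SAMPLE_LOG).items():
        print(ip, rec["failures"], rec["services"], rec["flags"])
```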
Increased network traffic
If you find that the server's traffic has suddenly increased greatly, this indicates that your system may already be under an intruder's control and is being used to scan and attack other servers. As it turns out, many intruders use intermediary hosts to scan remote hosts, identify security vulnerabilities and launch attacks. These actions cause a sudden increase in network traffic.
Illegal access
If you find that a user is attempting to access and modify /etc/shadow, the system logs or system configuration files, then that user is very likely already under an intruder's control and trying to obtain higher privileges.
Abnormal termination of services
For example, if the system logging service suddenly quits for no apparent reason, or your IDS program terminates abruptly, it suggests that an intruder is trying to shut down these threats so as not to leave a "mark" in the system logs.
Suspicious processes or illegal services appear
Any suspicious process on the system should be checked carefully, for example an HTTP service started as root, or a service the system had shut down being started again. Such suspicious processes and services are likely to be an intruder's attack process, backdoor process or sniffer process.
Modified system files or users
Intruders often change system configuration files to avoid being traced, or install backdoors, attack software and other programs to make their next entry easier. For example, on UNIX an intruder may modify syslog.conf to remove entries so that backdoor logins are not audited by secure logging, or modify hosts.deny and hosts.allow to lift the tcpwrapper filtering of the intruder's IP, or even add an entry under rc.d so that the backdoor starts together with the system. Illegal modification of system files, or the baffling addition of a user, are phenomena that mean your system may well be under an intruder's control.
Suspicious data
If you find directories on the system with suspicious names such as a space, a dot followed by a space, "..^M" (containing Ctrl+M), "..." and the like, you need to pay attention, because intruders often use such directories to hide their files; some directories (especially under /tmp) may also be temporary files generated by a scanner.