Difference between revisions of "Cyber Security: Detect and remove trojans in a Linux operating system"

Revision as of 13:30, 14 June 2023

Jika kerentanan terdeteksi di sistem operasi Linux Anda tetapi Anda tidak mengambil tindakan pencegahan, trojan dapat dimasukkan ke dalam sistem Anda. Anda harus menghapus trojan dari sistem Anda sesegera mungkin. Selain itu, Anda harus memperkuat keamanan sistem Anda dengan menggunakan beberapa metode. Misalnya, Anda dapat menginstal patch keamanan, mengontrol izin sistem, mengaudit operasi, dan menganalisis log.

Step 1: Gunakan Use Security Center untuk detect trojan

Masuk ke Security Center console untuk menangani peringatan dan menghapus trojan yang terdeteksi sesegera mungkin. Untuk informasi selengkapnya, lihat Melihat dan menangani peristiwa peringatan.

Perbaiki kerentanan sedini mungkin untuk memperkuat keamanan sistem Anda. Untuk informasi selengkapnya, lihat Melihat dan menangani kerentanan perangkat lunak Linux.

Step 2: Query detail attack

Run Command	Description
last		lastlog	cek waktu masuk terakhir dan akun masuk. Kemudian, lock akun yang tidak normal
grep -i Accepted /var/log/secure	Cek IP address user yang masuk dari remote
/var/spool/cron/		/etc/cron.hourly		/etc/crontab	cek cron job
find / -ctime 1	cek file terakhir yang di update, ini salah satu cara mencek trojan
sudo more /etc/passwd		sudo more /etc/shadow	cek ada user yang aneh atau tidak
sudo ls /tmp		sudo ls /vat/tmp		sudo ls /dev/shm	temporary directory dengan permission 1777 biasanya dipakai upload trojan
	Cek apakah ada exception di log services seperti Tomcat atau NGINX, yang port service-nya bisa di akses dari Internet.
service --status-all	grep running command to check whether exceptions exist in the services that are running.
grep :on	cek apakah ada exception di service yang start automatis.
Run the ls -lt /etc/init.d/	cek head command apakah ada abnormal startup scripts.

Step 3: Run commonly used commands to detect trojans

Caption text
Command	Desci[topm
ps or top	You can run these commands to query the running processes and system resources that are occupied by these processes. This way, you can identify abnormal processes.
pstree	You can run this command to visualize the relationship among processes in a treemap.
lsof	You can run this command to query the files opened by a process, the files or directories occupied by a process, the process that opens a specific port, and all the open ports in the system.
netstat	You can run this command to query all the ports monitored by the system, network connection status, and the IP addresses from which excessive connections are established.
iftop	You can run this command to monitor the network traffic forwarded over TCP connections in real time. This way, you can distinguish between and sort inbound and outbound traffic, and identify the IP addresses that have abnormal network traffic.
nethogs	You can run this command to monitor the network traffic generated by each process and sort the processes by traffic volume in descending order. This way, you can identify abnormal processes with unusual large traffic.
strace	You can run this command to trace system calls executed by a specific process. This way, you can analyze the running status of trojans.
strings	You can run this command to obtain the strings of printable characters in files. Then, you can use the strings to analyze trojans.

@@ Line 8: / Line 8: @@
 ==Step 2: Query detail attack==
-Jalankan command
+{|
+! Run Command !! Description
- last
+|-
-  lastlog
+| last     ||
+| lastlog  || cek waktu masuk terakhir dan akun masuk. Kemudian, lock akun yang tidak normal
-untuk menanyakan waktu masuk terakhir dan akun masuk. Kemudian, lock akun yang tidak normal.
+|-
+| grep -i Accepted /var/log/secure || Cek IP address user yang masuk dari remote
+|-
-Run the grep -i Accepted /var/log/secure command to query the IP addresses that are used to log on to your system from a remote location.
+| /var/spool/cron/  ||
+| /etc/cron.hourly  ||
-Run the following commands to query cron jobs:
+| /etc/crontab      || cek cron job
+|-
- /var/spool/cron/
+| find / -ctime 1 || cek file terakhir yang di update, ini salah satu cara mencek trojan
- /etc/cron.hourly
+|-
- /etc/crontab
+| sudo more /etc/passwd ||
+| sudo more /etc/shadow || cek ada user yang aneh atau tidak
-Run the find / -ctime 1 command to query the last update time of a file. This way, you can identify trojan files.
+|-
+| sudo ls /tmp      ||
-Check the /etc/passwd and /etc/shadow files for malicious users.
+| sudo ls /vat/tmp  ||
+| sudo ls /dev/shm  || temporary directory dengan permission 1777 biasanya dipakai upload trojan
-Check the /tmp, /vat/tmp, and /dev/shm temporary directories. The permission of these directories is 1777. Therefore, these directories can be used to upload trojan files.
+|-
+|  || Cek apakah ada exception di log services seperti Tomcat atau NGINX, yang port service-nya bisa di akses dari Internet.
-Check whether exceptions exist in the logs of services such as Tomcat and NGINX, whose service ports are accessible from the Internet.
+|-
+| service --status-all || grep running command to check whether exceptions exist in the services that are running.
-Run the service --status-all | grep running command to check whether exceptions exist in the services that are running.
+|-
+| chkconfig --list | grep :on || cek apakah ada exception di service yang start automatis.
-Run the chkconfig --list | grep :on command to check whether exceptions exist in the services that automatically start.
+|-
+| Run the ls -lt /etc/init.d/ || cek head command apakah ada abnormal startup scripts.
-Run the ls -lt /etc/init.d/ | head command to check whether abnormal startup scripts exist.
+|}
 ==Step 3: Run commonly used commands to detect trojans==

Difference between revisions of "Cyber Security: Detect and remove trojans in a Linux operating system"

Revision as of 13:30, 14 June 2023

Step 1: Gunakan Use Security Center untuk detect trojan

Step 2: Query detail attack

Step 3: Run commonly used commands to detect trojans

Navigation menu

Search