This topic describes the best practices to detect and remove trojans in a Linux operating system.

Background information

If vulnerabilities are detected in your Linux operating system but you do not take countermeasures, trojans may be inserted into your system. You must remove trojans from your system at the earliest opportunity. In addition, you must reinforce the security of your system by using multiple methods. For example, you can install security patches, control system permissions, audit operations, and analyze logs.

Step 1: Use Security Center to detect trojans

  1. Log on to the Security Center console to handle alerts and remove detected trojans at the earliest opportunity. For more information, see View and handle alert events.
  2. Fix vulnerabilities at the earliest opportunity to reinforce the security of your system. For more information, see View and handle Linux software vulnerabilities.

Step 2: Query attack details

  • Run the last and lastlog command to query the last logon time and the logon account. Then, lock abnormal accounts.
  • Run the grep -i Accepted /var/log/secure command to query the IP addresses that are used to log on to your system from a remote location.
  • Run the following commands to query cron jobs:
    /var/spool/cron/
    /etc/cron.hourly
    /etc/crontab
  • Run the find / -ctime 1 command to query the last update time of a file. This way, you can identify trojan files.
  • Check the /etc/passwd and /etc/shadow files for malicious users.
  • Check the /tmp, /vat/tmp, and /dev/shm temporary directories. The permission of these directories is 1777. Therefore, these directories can be used to upload trojan files.
  • Check whether exceptions exist in the logs of services such as Tomcat and NGINX, whose service ports are accessible from the Internet.
  • Run the service --status-all | grep running command to check whether exceptions exist in the services that are running.
  • Run the chkconfig --list | grep :on command to check whether exceptions exist in the services that automatically start.
  • Run the ls -lt /etc/init.d/ | head command to check whether abnormal startup scripts exist.

Step 3: Run commonly used commands to detect trojans

Command Description
ps or top You can run these commands to query the running processes and system resources that are occupied by these processes. This way, you can identify abnormal processes.
pstree You can run this command to visualize the relationship among processes in a treemap.
lsof You can run this command to query the files opened by a process, the files or directories occupied by a process, the process that opens a specific port, and all the open ports in the system.
netstat You can run this command to query all the ports monitored by the system, network connection status, and the IP addresses from which excessive connections are established.
iftop You can run this command to monitor the network traffic forwarded over TCP connections in real time. This way, you can distinguish between and sort inbound and outbound traffic, and identify the IP addresses that have abnormal network traffic.
nethogs You can run this command to monitor the network traffic generated by each process and sort the processes by traffic volume in descending order. This way, you can identify abnormal processes with unusual large traffic.
strace You can run this command to trace system calls executed by a specific process. This way, you can analyze the running status of trojans.
strings You can run this command to obtain the strings of printable characters in files. Then, you can use the strings to analyze trojans.