Get to know Linux viruses to protect your system

For people who use Windows, viruses are everywhere, and new varieties keep appearing. In recent years a Unix-like operating system has grown, entered our field of vision and found practical application: Linux. For users plagued by viruses, will Linux be a paradise without viruses?

First: beware of Linux viruses

In the early days of Linux, its excellent original design seemed to give it an innate immunity to viruses, and many people believed there would never be a virus for Linux. Linux is no exception, however. In the fall of 1996 an organization called VLAD in Australia wrote Staog in assembly language; it is said to be the first virus for the Linux system. It infects binary files and tries to gain root privileges in three different ways. Staog was designed to demonstrate and prove the potential danger of Linux being infected by a virus, and it does no damage to the infected system.

In 2001 a Linux worm called Ramen appeared. Ramen propagates automatically without any human intervention. Although it does no damage to the server, the scanning it performs while spreading consumes a great deal of network bandwidth. Ramen spreads by exploiting two security vulnerabilities, in rpc.statd and wu-ftp, present in some versions of Linux (Redhat 6.2 and 7.0). In the same year another Linux worm, Lion, caused real harm. Lion spread rapidly across the Internet and seriously damaged some users' systems. It sends passwords and configuration files by email to a certain mailbox on the Internet; after collecting these files, the attacker can re-enter the whole system through the hole used in the first break-in and do further damage, such as obtaining confidential information or installing backdoors.

When a Linux system is infected with this virus, the user very often has no choice but to reformat the hard disk, because there is no way to tell how the intruder has altered the system. Moreover, once infected with Lion, a Linux host automatically starts searching the Internet for other victims. Later reports showed that Lion caused serious damage to many Linux users. Other viruses on the Linux platform include OSF.8759, Slapper, Scalper, Unux.Svat and BoxPoison. Of course, most ordinary Linux users have never encountered any of them, because so far there have been very few Linux viruses and their impact has been small. However, as the number of Linux users grows and more and more Linux systems are connected to LANs and WANs, the likelihood of attack naturally increases. More and more Linux viruses can be expected, so preventing them is something every Linux user should start paying attention to now.

Second: know the weaknesses

Users who have spent some time with Linux may have heard of, or even encountered, some Linux viruses. These viruses differ in their principles and symptoms, so the prevention methods differ too. To guard against Linux viruses more effectively, we first classify the known ones. From the Linux viruses seen so far, the following types can be summarized:

1. Viruses that infect ELF files

These viruses mainly infect files in ELF format and can be written in assembly or C. Lindose is one virus that infects ELF files. When it finds an ELF file, it checks whether the machine type is Intel 80386. If so, it looks for a part of the file larger than 2784 bytes (0xAE0 in hexadecimal). If it finds one, the virus overwrites that part with its own code, adds the code of the corresponding part of the host file, and points the entry point of the host file to the virus code section.

Prevention: because Linux has a good permission control mechanism, such viruses need sufficient permissions in order to spread. To guard against them, pay attention to the management of file permissions on the Linux system; in particular, do not use the root account for daily work, and never run executables of unknown origin as root, so that a file carrying a virus is not inadvertently given the chance to spread to the whole system.

2. Script viruses

A script virus is a virus written in a scripting language such as the shell. Such viruses are relatively easy to write and require little expertise, yet they can easily damage the system: deleting files, disrupting normal operation, even downloading and installing Trojans. They are not very good at spreading, however, and usually only cause damage on the machine itself.

Prevention: to guard against such viruses, be careful not to run scripts of unknown origin, and strictly control the use of root privileges.

3. Worms

Worms under Linux are similar to worms under Windows: they run independently and spread themselves to other computers. Worms on the Linux platform usually exploit vulnerabilities in the Linux system and its services in order to spread. For example, the Ramen virus spread through the rpc.statd and wu-ftp vulnerabilities in some versions of Linux (Redhat 6.2 and 7.0).

Prevention: the way to guard against such viruses is to cut off the source of the worm's attack. Every Linux worm outbreak so far has exploited security vulnerabilities that had already been publicly disclosed, so a system that takes the corresponding security measures in time is not affected by them. Unfortunately, many Linux administrators do not keep up with the latest information about their systems and services, which leaves viruses an opening.
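Going back to the ELF infection pattern described under type 1 above, here is an added Python triage script (written for this article, not code from the original page or from any anti-virus product) that parses a 32-bit ELF header and its program headers and reports the conditions a Lindose-style infector relies on: the Intel 80386 machine type, a gap of at least 2784 bytes between loadable segments, and an entry point that no longer lies inside the file-backed part of an executable segment. The build_elf32 helper and the two sample images are constructed test data, and the 2784-byte threshold is taken from the article's description of Lindose.

```python
import struct

EM_386 = 3                # e_machine value for Intel 80386, the type Lindose checks for
PT_LOAD = 1
PF_X = 1
PADDING_THRESHOLD = 2784  # 0xAE0: the minimum slack the article says Lindose looks for

def parse_elf32(data):
    """Parse a little-endian ELF32 header and its program headers (headers only)."""
    if data[:4] != b"\x7fELF" or data[4] != 1:
        raise ValueError("not a 32-bit ELF image")
    f = struct.unpack_from("<16sHHIIIIIHHHHHH", data, 0)
    e_machine, e_entry, e_phoff, e_phentsize, e_phnum = f[2], f[4], f[5], f[9], f[10]
    phdrs = []
    for i in range(e_phnum):
        p = struct.unpack_from("<IIIIIIII", data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p[0], "offset": p[1], "vaddr": p[2],
                      "filesz": p[4], "flags": p[6]})
    return e_machine, e_entry, phdrs

def analyze(data):
    """Triage findings: target architecture, entry-point placement, inter-segment slack."""
    e_machine, e_entry, phdrs = parse_elf32(data)
    loads = sorted((p for p in phdrs if p["type"] == PT_LOAD), key=lambda p: p["offset"])
    # A healthy entry point lies inside the file-backed part of an executable segment.
    entry_seg = next((p for p in loads
                      if p["vaddr"] <= e_entry < p["vaddr"] + p["filesz"]), None)
    # Slack between consecutive segments is where an infector could hide a body.
    gaps = [b["offset"] - (a["offset"] + a["filesz"]) for a, b in zip(loads, loads[1:])]
    return {
        "i386": e_machine == EM_386,
        "entry_in_exec_segment": entry_seg is not None and bool(entry_seg["flags"] & PF_X),
        "large_gaps": [g for g in gaps if g >= PADDING_THRESHOLD],
    }

def build_elf32(entry, segments):
    """Constructed test data: a minimal ELF32 image with the given PT_LOAD segments."""
    header = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01" + b"\x00" * 9,
                         2, EM_386, 1, entry, 52, 0, 0, 52, 32, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIIIIIII", PT_LOAD, off, va, va, sz, sz, flags, 0x1000)
                     for off, va, sz, flags in segments)
    end = max(off + sz for off, va, sz, flags in segments)
    return (header + phdrs).ljust(end, b"\x00")

SEGMENTS = [(0x0000, 0x08048000, 0x200, 5),   # text: read + execute
            (0x1000, 0x08049000, 0x100, 6)]   # data: read + write, 0xE00 bytes of slack before it
CLEAN = build_elf32(0x08048080, SEGMENTS)      # entry inside the text segment
INFECTED = build_elf32(0x08048300, SEGMENTS)   # entry redirected into the slack after text
```

Calling analyze(CLEAN) and analyze(INFECTED) shows the difference; this is a first-pass heuristic, and an infector that also enlarges the segment it writes into would need a deeper comparison against a known-good copy of the binary.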
Users should take good care of the security of their own machines and especially follow Linux security vulnerability information. As soon as a new Linux security vulnerability appears, the necessary security measures must be taken in time. In addition, firewall rules can be used to limit the spread of worms.

4. Backdoor programs

A backdoor program can also be regarded as a virus in the broad sense, and backdoors are very active on the Linux platform. Linux backdoors are implemented through system service loading, shared library injection, rootkit toolkits and even loadable kernel modules (LKM). Many of the backdoor and intrusion techniques on the Linux platform are very well hidden and hard to remove.

Prevention: some software can help guard against such viruses by helping the user find the various backdoor programs on the system.

5. Other viruses on the Linux platform

Besides the viruses aimed at Linux itself, note that many Windows viruses can exist on a Linux file system. Such Windows viruses cannot attack under Linux, of course, but they have the opportunity to be passed on to Windows systems. For example, a Linux Samba server may act as the file server for a whole network. When a user uploads a file containing a Windows virus to the Samba server, the server becomes a virus carrier: although it is not itself infected by the Windows virus, other people who access the Samba service may be.

Prevention: for overall security, you need to be able to find and kill Windows viruses on the Linux system, which requires specialized anti-virus software.

