Performing file integrity checks is a critical step in server intrusion tracing and forensics to detect unauthorized modifications, malware, or tampering. Here's how to do it:
First, establish a baseline of file hashes (e.g., MD5, SHA-1, SHA-256; prefer SHA-256, since MD5 and SHA-1 are collision-prone) for critical system files, configurations, and binaries. This serves as a reference for comparison later, so it must be taken from a known-good state and stored off the host or on read-only media; a baseline left on the server can itself be altered by an intruder.
Example:
Use tools like sha256sum (Linux) or certutil -hashfile <file> SHA256 (Windows) to generate hashes:
sha256sum /etc/passwd /etc/shadow /bin/ls > baseline_hashes.txt
After a suspected intrusion, recalculate hashes and compare them with the baseline to identify changes.
Example:
sha256sum /etc/passwd /etc/shadow /bin/ls > current_hashes.txt
diff baseline_hashes.txt current_hashes.txt
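A small baseline-and-compare tool in Python that takes the two sha256sum steps above a little further: it records permission bits alongside each hash (so a loosened mode on a file whose content is unchanged is still reported) and sorts findings into modified, permission-changed, missing and newly added files. This is an added example, not code from the original text or from any Tencent Cloud product; the directory tree and the tampering in demo() are constructed inline, and POSIX permission semantics are assumed.

```python
import stat
import hashlib
import tempfile
from pathlib import Path


def build_baseline(root: Path) -> dict:
    """Record sha256, size and permission bits of every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report content changes, permission-only changes, missing and new files."""
    report = {"modified": [], "mode_changed": [], "missing": [], "added": []}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            report["missing"].append(name)
        elif new["sha256"] != old["sha256"]:
            report["modified"].append(name)
        elif new["mode"] != old["mode"]:  # same bytes, different permissions
            report["mode_changed"].append(name)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original binary")
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "shadow").write_text("root:*:19000::::::\n")
        (root / "shadow").chmod(0o640)
        (root / "cron.allow").write_text("root\n")
        baseline = build_baseline(root)  # trusted snapshot taken before the incident
        (root / "bin" / "ls").write_bytes(b"trojaned binary")  # binary replaced
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\nbd:x:0:0::/:/bin/sh\n")
        (root / "shadow").chmod(0o644)  # permissions loosened, content unchanged
        (root / "cron.allow").unlink()  # control file removed
        (root / "bin" / "dropper").write_bytes(b"payload")  # new file appeared
        return compare(baseline, build_baseline(root))
```

Running demo() returns the four categories populated from the constructed tree; in practice, point build_baseline at the real paths you hash in the commands above and persist the baseline off-host.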
Use file integrity monitoring (FIM) tools to track changes in real-time or periodically.
Example Tools:
For cloud servers, Tencent Cloud provides Host Security (CWP), which includes file integrity monitoring to detect unauthorized changes. It alerts on suspicious modifications and integrates with log analysis for forensic investigations.
Example:
Enable CWP in Tencent Cloud Console → Configure file integrity monitoring → Review alerts for altered system files.
Combine file integrity findings with system logs (e.g., /var/log/auth.log, Windows Event Logs) to trace attacker activity.
Example:
If /usr/bin/ssh is modified, check /var/log/auth.log for brute-force attempts or unauthorized logins around the time of the change. Treat the file's own timestamps as a lead rather than proof, since an attacker who can replace a binary can also reset its modification time.
By following these steps, you can effectively identify tampered files and investigate potential intrusions.