Interview and hands-on exam question: monitor the web site directory (/var/html/www) for malicious tampering of any file (i.e. the contents of a file have been changed). A scheduled task runs every 3 minutes and, if any file has changed, prints (e-mails) the names of the changed files.
1.1 Problem Analysis
1) The first thing to note is that building up a way of thinking is more important than building up a stock of actual code.
2) What counts as malicious tampering? Any change that was not authorized is tampering.
3) A change to the contents of a file shows the following characteristics:
The size may change.
The modification time will change.
The contents of the file will change; this is checked with an md5sum fingerprint.
Files may be added or deleted; this is detected by comparing the number (and names) of files before and after each check.
1.2 Reference Solution
The solution mainly uses md5sum.
The first step: right after the enterprise releases the web site code, build the initial fingerprint library and file library for all site data. This step is very important: without a baseline fingerprint library there is nothing to compare against, and intrusion detection is not possible.
Take /var/html/www as the example site directory.
1) Set up test data:
[root@oldboy scripts]# mkdir /var/html/www -p #<== Create the site directory.
[root@oldboy scripts]# cp -a /etc/a* /var/html/www #<== Copy a small amount of test data.
[root@oldboy scripts]# cp -a /etc/b* /var/html/www #<== Copy a small amount of test data.
[root@oldboy scripts]# ls /var/html/www #<== Check.
abrt acpi adjtime aliases aliases.db alsa alternatives anacrontab asound.conf at.deny audisp audit bash_completion.d bashrc blkid
2) Create the initial file fingerprint library:
[root@oldboy scripts]# find /var/html/www -type f | xargs md5sum > /opt/zhiwen.db.ori #<== Create the file content fingerprint library.
[root@oldboy scripts]# tail /opt/zhiwen.db.ori
68b329da9893e34099c7d8ad5cb9c940  /var/html/www/at.deny
e5d91bca71662d7c09bc7fc731ad3222  /var/html/www/adjtime
8241db83d5edf01c71734e41e383e205  /var/html/www/anacrontab
c23a47aca3ec55122b8871c5a61494b5  /var/html/www/abrt/abrt-action-save-package-data.conf
9cd848af905b767fa410070b265a70c7  /var/html/www/abrt/gpg_keys
b6bcc3a178b9442d30d88444a9311769  /var/html/www/abrt/abrt.conf
441645d0e419c1f593694ca014817ee1  /var/html/www/abrt/plugins/ccpp.conf
1ecf30990ac5948a8e3bd7b8c1cd944f  /var/html/www/abrt/plugins/python.conf
1e4aded98bb1ff08094c8dfb09d33192  /var/html/www/abrt/plugins/oops.conf
b2a676d524cb2d46eccc00baadfbfe29  /var/html/www/aliases.db
3) Create the initial file library:
[root@oldboy scripts]# find /var/html/www -type f > /opt/wenjian.db.ori #<== Create the library of file count and file names.
[root@oldboy scripts]# tail /opt/wenjian.db.ori
/var/html/www/at.deny
/var/html/www/adjtime
/var/html/www/anacrontab
/var/html/www/abrt/abrt-action-save-package-data.conf
/var/html/www/abrt/gpg_keys
/var/html/www/abrt/abrt.conf
/var/html/www/abrt/plugins/ccpp.conf
/var/html/www/abrt/plugins/python.conf
/var/html/www/abrt/plugins/oops.conf
/var/html/www/aliases.db
The second step: detect changes in file contents and in the number of files.
1) Detecting file content changes:
[root@oldboy scripts]# echo oldboy >> /var/html/www/audisp/plugins.d/af_unix.conf #<== Tamper with a file.
[root@oldboy scripts]# export LANG=en #<== Adjust the character set so md5sum prints English messages (the page shows only "export"; the LANG value is assumed).
[root@oldboy scripts]# md5sum -c --quiet /opt/zhiwen.db.ori #<== Check whether the contents of any file changed.
/var/html/www/audisp/plugins.d/af_unix.conf: FAILED #<== Changed files are printed.
md5sum: WARNING: 1 of computed checksums did NOT match #<== Summary line.
2) Detecting changes in the number of files:
[root@oldboy scripts]# echo oldgirl.txt > /var/html/www/test.txt #<== Simulate adding a new file.
[root@oldboy scripts]# md5sum -c --quiet /opt/zhiwen.db.ori #<== The fingerprint library cannot detect new files, since they have no baseline entry.
/var/html/www/audisp/plugins.d/af_unix.conf: FAILED
md5sum: WARNING: 1 of computed checksums did NOT match
[root@oldboy scripts]# find /var/html/www -type f > /opt/wenjian.db_curr.ori #<== Get the current number and names of all files at check time.
[root@oldboy scripts]# diff /opt/wenjian.db* #<== Compare the two lists with the diff command.
20d19
< /var/html/www/test.txt #<== test.txt is the new file, and it is detected.
The third step: write the fingerprint checking script.
First, run the following two commands manually:
[root@oldboy scripts]# find /var/html/www -type f | xargs md5sum > /opt/zhiwen.db.ori
[root@oldboy scripts]# find /var/html/www -type f > /opt/wenjian.db.ori
The script takes the results of these two commands as the known-good baseline, as follows:
[root@oldboy scripts]# cat 30-14.sh
#!/bin/bash
RETVAL=0 #<== Initialize the state.
export LANG=en #<== Adjust the character set (the page shows only "export"; the LANG value is assumed).
CHECK_DIR=/var/html/www #<== Define the site directory to monitor.
[ -e $CHECK_DIR ] || exit 1 #<== Exit the script if the directory does not exist.
ZhiWenDbOri="/opt/zhiwen.db.ori" #<== Define the path of the original fingerprint library.
FileCountDbOri="/opt/wenjian.db.ori" #<== Define the path of the original file library.
ErrLog="/opt/err.log" #<== Define the log that holds the check results.
[ -e $ZhiWenDbOri ] || exit 2 #<== Exit the script if the original fingerprint library does not exist.
[ -e $FileCountDbOri ] || exit 3 #<== Exit the script if the original file library does not exist.
# judge file content
echo "[root@oldboy scripts]# md5sum -c --quiet $ZhiWenDbOri" > $ErrLog #<== Record the check command.
md5sum -c --quiet $ZhiWenDbOri &>> $ErrLog #<== Actually run the content check (against the fingerprint library, not the file library).
RETVAL=$? #<== Collect the return value.
# compare file count
find $CHECK_DIR -type f > /opt/wenjian.db_curr.ori #<== Get the current number and names of all files.
echo "[root@oldboy scripts]# diff /opt/wenjian.db*" &>> $ErrLog #<== Record the check command.
diff /opt/wenjian.db* &>> $ErrLog #<== Actually run the check for file count and file name changes.
if [ $RETVAL -ne 0 -o `diff /opt/wenjian.db*|wc -l` -ne 0 ]
#<== Enter the alarm branch if the md5sum return value is not 0, or if the diff output is not empty.
then
    mail -s "`uname -n` $(date +%F) err" admin@example.com < $ErrLog #<== Recipient address is a placeholder; the page's address was obfuscated.
else
    echo "sites dir is ok" | mail -s "`uname -n` $(date +%F) is ok" admin@example.com
fi
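The same two checks (content via md5sum -c, count and names via a list comparison), written as reusable functions with a self-test. This is an added example, not the script from the original post: it assumes GNU coreutils (md5sum, sort, comm) and takes the site directory, the baseline directory and the report path as parameters instead of hard-coding /var/html/www and /opt. Unlike the page's `diff /opt/wenjian.db*`, which depends on glob ordering to tell added from removed files, it uses `comm` on sorted lists so added and removed files are reported separately, and it also covers the deleted-file case that md5sum -c reports as "FAILED open or read".

```shell
#!/bin/bash
# Added example (not the original post's 30-14.sh). Assumes GNU coreutils.

# make_baseline SITE_DIR BASE_DIR
# Writes BASE_DIR/wenjian.db.ori (sorted file list) and BASE_DIR/zhiwen.db.ori
# (md5 fingerprints), the same two baseline files the page builds by hand.
make_baseline() {
    local site_dir="$1" base_dir="$2" f
    [ -d "$site_dir" ] || return 1
    mkdir -p "$base_dir" || return 1
    # LC_ALL=C gives a stable sort order regardless of the cron job's locale
    LC_ALL=C find "$site_dir" -type f | LC_ALL=C sort > "$base_dir/wenjian.db.ori"
    # read line by line so file names containing spaces are hashed correctly
    while IFS= read -r f; do
        md5sum "$f"
    done < "$base_dir/wenjian.db.ori" > "$base_dir/zhiwen.db.ori"
}

# check_site SITE_DIR BASE_DIR REPORT
# Returns 0 when nothing changed, 1 when any content, added or removed file
# was found. Details are written to REPORT (the page's /opt/err.log role).
check_site() {
    local site_dir="$1" base_dir="$2" report="$3" retval=0
    [ -d "$site_dir" ] || return 2
    [ -e "$base_dir/zhiwen.db.ori" ] || return 3
    [ -e "$base_dir/wenjian.db.ori" ] || return 4
    : > "$report"
    # 1) content check: prints "<path>: FAILED" for modified files and
    #    "<path>: FAILED open or read" for files that were deleted
    echo "== md5sum -c --quiet $base_dir/zhiwen.db.ori" >> "$report"
    LC_ALL=C md5sum -c --quiet "$base_dir/zhiwen.db.ori" >> "$report" 2>&1 || retval=1
    # 2) count/name check: new files have no fingerprint entry, so compare
    #    the sorted current list with the baseline list instead
    LC_ALL=C find "$site_dir" -type f | LC_ALL=C sort > "$base_dir/wenjian.db_curr.ori"
    echo "== added files" >> "$report"
    LC_ALL=C comm -13 "$base_dir/wenjian.db.ori" "$base_dir/wenjian.db_curr.ori" >> "$report"
    echo "== removed files" >> "$report"
    LC_ALL=C comm -23 "$base_dir/wenjian.db.ori" "$base_dir/wenjian.db_curr.ori" >> "$report"
    if [ "$(LC_ALL=C comm -3 "$base_dir/wenjian.db.ori" "$base_dir/wenjian.db_curr.ori" | wc -l | tr -d ' ')" -ne 0 ]; then
        retval=1
    fi
    return $retval
}

# demo: builds a constructed site tree in a temporary directory, tampers with
# it the way the page does (append, add, delete) and returns 0 only if the
# clean tree passed and the tampered tree was flagged. Prints the report.
demo() {
    local tmp
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/www/conf"
    echo "<h1>hello</h1>" > "$tmp/www/index.html"      # constructed sample data
    echo "debug=0" > "$tmp/www/conf/app.conf"           # constructed sample data
    make_baseline "$tmp/www" "$tmp/opt" || return 1
    check_site "$tmp/www" "$tmp/opt" "$tmp/err.log" || return 1   # clean tree must pass
    echo oldboy >> "$tmp/www/index.html"                # simulate content tampering
    echo oldgirl.txt > "$tmp/www/test.txt"              # simulate an added file
    rm -f "$tmp/www/conf/app.conf"                      # simulate a deleted file
    if check_site "$tmp/www" "$tmp/opt" "$tmp/err.log"; then return 1; fi  # must be flagged
    cat "$tmp/err.log"
    rm -rf "$tmp"
    return 0
}

# Run "sh thisfile.sh demo" to see the report for the constructed tree.
if [ "${1:-}" = demo ]; then demo; fi
```

In a cron job the report file would be mailed exactly as the page's script does; the exit status of check_site tells the caller which branch to take, and the "== added files" / "== removed files" sections make the cause of the alarm readable without reconstructing diff's `<` and `>` markers.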
Mail sending configuration:
[root@oldboy scripts]# cat /etc/mail.rc
# for Linux and BSD, this should be set. #<== The mail settings are appended at the end of the configuration file.
set bsdcompat
set from=YOUR_ACCOUNT@163.com smtp=smtp.163.com #<== The from address is a placeholder; the page's address was obfuscated.
set smtp-auth-user=15537920814 smtp-auth-password=l123456 smtp-auth=login
Then run the check as a scheduled task; the crontab entry is as follows:
[root@oldboy scripts]# crontab -l | tail -2
# ids monitor site dir and file change by oldboy at 20170511
*/3 * * * * /bin/sh /server/scripts/30-10.sh >/dev/null 2>&1
Now think about which files in an enterprise need fingerprint verification.
System commands, user files, configuration files, startup files and other important files should all be monitored. In addition, in real work every user operation should be logged and audited, so that everything everyone does leaves a trace. This acts as deterrence and supervision, and reduces the risk of being wrongly "blamed".
This article is from the "Serve the" blog; please keep this source: http://junhun.blog.51cto.com/12852949/1924731
Enterprise Shell interview question 14: developing an intrusion detection and alarm script (case study)