Recently one of our servers was attacked, and the attacker replaced system command binaries such as ps, ss, netstat and lsof. I will not go into how that was investigated here. The purpose of this article is a script that examines the system's user accounts: which system users have a home directory, which do not, and which users can actually log on to the system.
Our environment is a bit chaotic: on some servers the web user can log on to the system, on others it cannot, and nothing is standardized, so I wrote a script to do the check. The code follows; it mainly uses the pwd and spwd modules.
# encoding: utf8
# written by lavenliu at 20170211
from __future__ import print_function
import pwd
import spwd

sys_users = {}       # username -> login shell from /etc/passwd
usr_no_passwd = []   # accounts whose shadow password field is locked
usr_has_passd = []   # accounts that carry a usable password hash

for entry in pwd.getpwall():
    sys_users[entry.pw_name] = entry.pw_shell

for username in sys_users.keys():
    # reading /etc/shadow through spwd requires root
    pass_entry = spwd.getspnam(username)
    # '!', '!!', '*' or a '!'-prefixed hash all mean the password is locked
    if pass_entry.sp_pwd.startswith('!') or pass_entry.sp_pwd == '*':
        usr_no_passwd.append(pass_entry.sp_nam)
    else:
        usr_has_passd.append(pass_entry.sp_nam)

# note: the value listed here is the account's login shell
print("These users have home directory:")
for user, shell in sys_users.items():
    if shell == '/sbin/nologin':
        continue
    print("%15s: %s" % (user, shell))

print()
print("These users can login system:")
for user in usr_has_passd:
    print(user)
The result of the execution is:
# python chkuser.py
These users have home directory:
           sync: /bin/sync
       shutdown: /sbin/shutdown
           halt: /sbin/halt
           root: /bin/bash

These users can login system:
root
From the execution results, only the root user can log in to the system at this time.
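The same audit can be done on the text of /etc/passwd and /etc/shadow instead of through spwd, which lets it run without root against a copied file. The following is an added example, not code from the original post; its sample data is constructed, and NOLOGIN_SHELLS is a hypothetical starting list. It goes further than the script above by treating '!!', '!'-prefixed hashes and an empty password field separately.

```python
# Added example, not from the original post: classify accounts from the text of
# /etc/passwd and /etc/shadow, so it runs without root. Sample data is constructed.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
apache:x:48:48:Apache:/var/www:/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
backup:x:1002:1002::/home/backup:/bin/sh
"""
SHADOW = """\
root:$6$saltsalt$hashOfRootPassword:17000:0:99999:7:::
sync:*:17000:0:99999:7:::
apache:!!:17000:0:99999:7:::
deploy:!$6$saltsalt$hashLockedWithBang:17000:0:99999:7:::
backup::17000:0:99999:7:::
"""
# Shells that never give an interactive session (a starting list, extend as needed).
NOLOGIN_SHELLS = {'/sbin/nologin', '/usr/sbin/nologin', '/bin/false',
                  '/bin/sync', '/sbin/halt', '/sbin/shutdown'}


def password_state(field):
    """Classify the second field of a shadow entry."""
    if field == '':
        return 'empty'      # no password required at all: the riskiest case
    if field.startswith('!') or field == '*':
        return 'locked'     # '!', '!!', '*' or a '!'-prefixed hash
    return 'set'


def audit_accounts(passwd_text, shadow_text):
    """Return {name: {uid, home, shell, password, can_login}} for every account."""
    shadow = dict(line.split(':')[:2]
                  for line in shadow_text.splitlines() if line.strip())
    report = {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        f = line.split(':')
        name, uid, home, shell = f[0], int(f[2]), f[5], f[6]
        state = password_state(shadow.get(name, '!'))  # no shadow entry: treat as locked
        report[name] = {'uid': uid, 'home': home, 'shell': shell, 'password': state,
                        'can_login': shell not in NOLOGIN_SHELLS and state != 'locked'}
    return report


def login_capable(report):
    """Accounts that can open a shell, with a password or with none at all."""
    return sorted(n for n, a in report.items() if a['can_login'])
```

On the sample data, login_capable() returns root and backup; backup shows up because its shadow field is empty, which the spwd script above would have counted as a normal password.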
This article is from the "solid-state Drive" blog; please keep this source when reposting: http://lavenliu.blog.51cto.com/5060944/1901043
Python Check system suspicious user