Web Server Management: Essential Linux Commands

Source: Internet
Author: User
Tags: egrep

1. Check whether a webshell trojan has been placed in the site root directory (looking for one-line PHP trojan scripts that call eval() or system())
# find /storage/www/ -name "*.php" | xargs grep -in --color "eval("
# grep -i --include='*.php' -R 'system\s*(' /storage/www/
2. Count how often each IP appears in the access log (hotlinking, attacks, bots)
# cat access.log | awk '{print $1}' | sort | uniq -c | sort -rn
3. Look at what the most frequent IP actually requested (replace IP with the address found in step 2; adjust the field number to your log format)
# grep -e IP access.log > filename
# cat filename | awk '{print $8}' | sort | uniq -c | sort -rn
4. Most visited files or pages, top 20
# cat access.log | awk '{print $11}' | sort | uniq -c | sort -nr | head -20
5. List the largest EXE files transferred (commonly used when analyzing a download site)
# cat access.log | awk '($7~/\.exe/){print $10 " " $1 " " $4 " " $7}' | sort -nr | head -20
6. List EXE files larger than 200000 bytes (about 200 KB) and how many times each was served
# cat access.log | awk '($10 > 200000 && $7~/\.exe/){print $7}' | sort -n | uniq -c | sort -nr | head -100
7. If the last column of the log records the page transfer time, list the pages that took longest to deliver to the client
# cat access.log | awk '($7~/\.php/){print $NF " " $1 " " $4 " " $7}' | sort -nr | head -100
8. List the most time-consuming pages (more than 60 seconds) and how often each occurs
# cat access.log | awk '($NF > 60 && $7~/\.php/){print $7}' | sort -n | uniq -c | sort -nr | head -100
9. List files whose transfer took longer than 30 seconds
# cat access.log | awk '($NF > 30){print $7}' | sort -n | uniq -c | sort -nr | head -20
10. Total website traffic in GB
# cat access.log | awk '{sum+=$10} END {print sum/1024/1024/1024}'
11. List the 404 requests
# awk '($9 ~/404/)' access.log | awk '{print $9,$7}' | sort
12. HTTP status code statistics
# cat access.log | awk '{counts[$(9)]+=1}; END {for(code in counts) print code, counts[code]}'
# cat access.log | awk '{print $9} ' | sort | uniq -c | sort -rn
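The same statistics as items 2 to 12, as an added Python example that is not part of the original page: a regex parser for the Apache combined format (with an optional trailing response-time field, as items 7 to 9 assume) replaces the positional awk fields, so a request line containing spaces cannot shift them. The sample log lines are constructed for this example.

```python
import re
from collections import Counter

# Apache combined format, optionally followed by a response-time field ($NF in items 7 to 9).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)"'
    r' (?P<status>\d{3}) (?P<bytes>\d+|-)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?(?: (?P<rt>\d+))?$')

# Constructed sample lines for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 2
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/login.php HTTP/1.1" 404 230 "-" "Mozilla/5.0" 1
198.51.100.2 - - [10/Oct/2023:13:55:38 +0000] "GET /setup.exe HTTP/1.1" 200 2097152 "-" "curl/8.0" 75
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /old/backup.zip HTTP/1.1" 404 230 "-" "Mozilla/5.0" 1
192.0.2.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Googlebot/2.1" 61
"""

def parse(log_text):
    """One dict per line; lines that do not match are skipped rather than mis-fielded."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])   # "-" means no body sent
            d["rt"] = None if d["rt"] is None else int(d["rt"])
            rows.append(d)
    return rows

def requests_per_ip(rows):            # item 2: awk '{print $1}' | sort | uniq -c | sort -rn
    return Counter(r["ip"] for r in rows).most_common()

def status_histogram(rows):           # item 12: counts[$9]
    return dict(Counter(r["status"] for r in rows))

def not_found(rows):                  # item 11: ($9 ~ /404/) {print $9,$7}
    return sorted((r["status"], r["path"]) for r in rows if r["status"] == "404")

def total_gib(rows):                  # item 10: sum($10) / 1024^3
    return sum(r["bytes"] for r in rows) / 1024 ** 3

def slow_pages(rows, threshold, suffix=""):   # items 8 and 9: $NF > threshold [&& $7 ~ /\.php/]
    return Counter(r["path"] for r in rows
                   if r["rt"] is not None and r["rt"] > threshold and suffix in r["path"]).most_common()

def large_files(rows, min_bytes, suffix=".exe"):   # item 6: $10 > N && $7 ~ /\.exe/
    return Counter(r["path"] for r in rows if r["bytes"] > min_bytes and suffix in r["path"]).most_common()
```

Call `parse(open("access.log").read())` instead of `parse(SAMPLE_LOG)` to run the same functions over a real log.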
13. Find injected malicious ("hanging horse") content for batch cleanup
# find /webbase/ -type f -exec grep 'www.800816.com.cn' -l {} \;
# sed -i "s/body{.*www.800816.com.cn.*}//g" $(grep www.800816.com.cn -rl ./)
14. Batch convert file encoding from GBK to UTF-8
# find default -type d -exec mkdir -p utf/{} \;
# find default -type f -exec iconv -f gbk -t utf-8 {} -o utf/{} \;
15. How to make find skip several directories or files while searching
# find /usr/sam \( -path /usr/sam/dir1 -o -path /usr/sam/file1 \) -prune -o -name "*.txt" -print
16. View the number of concurrent TCP requests and their connection states:
# netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn
# netstat -n | awk '/^tcp/ {++state[$NF]}; END {for(key in state) print key,"\t",state[key]}'
# netstat -n | awk '/^tcp/ {++arr[$NF]}; END {for(k in arr) print k,"\t",arr[k]}'
# netstat -n | awk '/^tcp/ {print $NF}' | sort | uniq -c | sort -rn
# netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
17. Find the 20 IPs with the most requests (often used to find the source of an attack)
# netstat -anlp | grep 80 | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n20
# netstat -ant | awk '/:80/{split($5,ip,":");++A[ip[1]]}END{for(i in A) print A[i],i}' | sort -rn | head -n10
18. See how many php-cgi processes are active
# netstat -anp | grep php-cgi | grep ^tcp | wc -l
19. Find the peers with the most TIME_WAIT connections
# netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -n20
20. Find the peers with the most SYN connections
# netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more
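An added Python example, not from the original page, that does what items 16 to 20 do with netstat and awk: it counts connection states and ranks remote peers per local port, splitting each endpoint on its last colon so IPv6 entries (which `awk -F:` truncates) are handled, and comparing the port exactly rather than with `grep 80`. The netstat output is constructed for this example.

```python
from collections import Counter

# Constructed sample of `netstat -ant` output for this example (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.2:44000      TIME_WAIT
tcp        0      0 10.0.0.5:8080           198.51.100.9:44001      ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::7:40000     ESTABLISHED
"""

def split_endpoint(endpoint):
    """'addr:port' -> (addr, port), splitting on the LAST colon so that an IPv6
    endpoint such as 2001:db8::5:80 keeps its whole address (awk -F: would not)."""
    addr, port = endpoint.rsplit(":", 1)
    return addr, port

def parse_netstat(text):
    """One dict per tcp/tcp6 line; header lines are skipped, like awk '/^tcp/'."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp"):
            conns.append({"local": split_endpoint(f[3]),
                          "remote": split_endpoint(f[4]),
                          "state": f[5]})
    return conns

def state_counts(conns):
    """Item 16: number of connections per state (++S[$NF])."""
    return dict(Counter(c["state"] for c in conns))

def top_remote_ips(conns, local_port="80", states=None, n=20):
    """Items 17, 19, 20: remote addresses ranked by connections to one local port,
    optionally restricted to given states (e.g. {"SYN_RECV"} or {"TIME_WAIT"}).
    The port is compared exactly, so :8080 is not picked up the way `grep 80` would;
    listening sockets have no peer and are left out."""
    sel = (c for c in conns
           if c["local"][1] == local_port and c["state"] != "LISTEN"
           and (states is None or c["state"] in states))
    return Counter(c["remote"][0] for c in sel).most_common(n)
```

On a live host, feed it `subprocess.run(["netstat", "-ant"], capture_output=True, text=True).stdout` in place of `SAMPLE_NETSTAT`.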
21. List the process listening on a given port
# netstat -ntlp | grep 80 | awk '{print $7}' | cut -d/ -f1
22. Capture packets for analysis when port 80 is under attack
# tcpdump -c 10000 -i eth0 -n dst port 80 > /root/pkts
23. Sniff port 80 with tcpdump to see which source address is the most active
# tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -20
24. See which spiders are crawling content
# /usr/sbin/tcpdump -i eth0 -l -s 0 -w - dst port 80 | strings | grep -i user-agent | grep -i -E 'bot|crawler|slurp|spider'
25. Traffic statistics per domain (Squid)
# zcat squid_access.log.tar.gz | awk '{print $10,$7}' | awk 'BEGIN{FS="[ /]"}{trfc[$4]+=$1}END{for(domain in trfc){printf "%s\t%d\n",domain,trfc[domain]}}'
26. View the SQL statements executed against the database (MySQL, port 3306)
# /usr/sbin/tcpdump -i eth0 -s 0 -l -w - dst port 3306 | strings | egrep -i 'SELECT|UPDATE|DELETE|INSERT|SET|COMMIT|ROLLBACK|CREATE|DROP|ALTER|CALL'
27. Replace "no" with "yes" on the line matching root (on sshd_config this turns root SSH login on; the reverse substitution is the hardening direction)
# sed -i '/root/s/no/yes/' /etc/ssh/sshd_config
28. Remove the first column
# awk '{for(i=2;i<=NF;i++) if(i!=NF){printf $i" "}else{print $i}}' list
29. Sort processes by memory, largest first
# ps -e -o "%C : %p : %z : %a" | sort -k5 -nr
30. Sort processes by CPU utilization, largest first
# ps -e -o "%C : %p : %z : %a" | sort -nr
31. How to find out which CPU a process is running on
# ps -eo pid,args,psr
32. Clear zombie processes (prints the PID column for every process in state Z; zombies themselves ignore signals, so it is their parent that must exit or reap them)
# ps -eal | awk '{ if ($2 == "Z") {print $4}}' | xargs kill -9
33. View the hardware manufacturer / product name
# dmidecode -s system-product-name
34. Find the process that consumes the most disk I/O (dstat, installed from the linked package)
# wget -c http://linux.web.psi.ch/dist/scientific/5/gfa/all/dstat-0.6.7-1.rf.noarch.rpm
# dstat -M topio -d -M topbio
35. Check whether I/O utilization (%util) exceeds 100%
# iostat -x 1 2
36. Disk space: check for partitions whose usage (Use%) is too high (for example, above 90%). If a partition is nearly full, change to its mount point and use the second command to find the files or directories that take the most space:
# df -h
# du -cks * | sort -rn | head -n 10
37. CPU load: check whether any of the first three values exceeds 4 times the number of logical CPUs
# cat /proc/loadavg
38. Number of CPUs
# cat /proc/cpuinfo | grep -c processor
39. Check whether network traffic (rxbyt/s, txbyt/s) is too high
# sar -n DEV
40. Show network traffic every second
# watch -n 1 "/sbin/ifconfig eth0 | grep bytes"
41. Bulk overwrite the files in a directory without being asked to confirm (the leading backslash bypasses any cp -i alias)
# \cp -rf /svn/wwwroot /wwwroot
42. Debug a running process by tracing its system calls
# strace -p PID
43. Attach the debugger to the specified process PID
# gdb -p PID
44. See how many file handles each process currently has open
# lsof -n | awk '{print $2}' | sort | uniq -c | sort -nr | more

45. Apache access log: top 10 IP addresses by request count, and request count per URL
# cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -10
# cat access.log | awk '{counts[$(11)]+=1}; END {for(url in counts) print counts[url], url}'

For a more efficient Perl version of the per-domain Squid traffic statistics (item 25), download: http://docs.linuxtone.org/soft/tools/tr.pl

PS: Commands referenced from the Red and Black Alliance author "ERDP Technology Architecture".

