1. Check whether a webshell (PHP Trojan) has been dropped under the site root: search the PHP files for the statements a shell needs, such as eval( and system(.
# find /storage/www/ -name "*.php" | xargs grep -in --color "eval("
# grep -i --include='*.php' -r 'system[[:space:]]*(' /storage/www/
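An added example (not from the original page) that turns the find/grep idea of item 1 into a small webshell sweep. It builds a throwaway document root with constructed PHP files (one benign file, two shells), then greps them for the execution primitives, decoding helpers and variable-function pattern a PHP shell typically relies on, and lists recently modified PHP files. The paths, file names and sample content are assumptions for the demo.

```shell
#!/bin/sh
# Webshell sweep over a PHP document root (demo fixture, constructed files).

# Beyond eval(, also look for other execution primitives, the decoding helpers
# used to hide them, and the "$_GET['f']($_GET['a'])" variable-function pattern.
WEBSHELL_RE='eval *\(|assert *\(|system *\(|shell_exec *\(|passthru *\(|popen *\(|proc_open *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\(|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\] *\('

# scan_webshells DIR: print file:line:text for every hit in *.php under DIR.
# -print0/-0 survive spaces in names; /dev/null forces the file-name prefix
# even when only one file is scanned and keeps grep quiet when there are none.
scan_webshells() {
    find "$1" -type f -name '*.php' -print0 \
        | xargs -0 grep -nE "$WEBSHELL_RE" /dev/null || true
}

# suspicious_files DIR: distinct files that hit, sorted.
suspicious_files() {
    scan_webshells "$1" | cut -d: -f1 | sort -u
}

# recent_php DIR DAYS: PHP files modified within DAYS days; a dropped shell is
# usually far newer than the rest of the site.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# make_sample_docroot: constructed fixture (one benign file, two shells).
make_sample_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/inc" "$root/uploads"
    cat > "$root/inc/config.php" <<'EOF'
<?php
$db_host = "localhost"; // benign: no execution primitives here
function sanitize($s) { return htmlspecialchars($s); }
EOF
    cat > "$root/uploads/image.php" <<'EOF'
<?php @eval($_POST['cmd']); ?>
EOF
    cat > "$root/inc/cache.php" <<'EOF'
<?php
$f = base64_decode("c3lzdGVt"); // decodes to "system"
$f($_GET["c"]);
EOF
    echo "$root"
}

# Stand-alone demo.
DOCROOT=$(make_sample_docroot)
scan_webshells "$DOCROOT"
rm -rf "$DOCROOT"
```

Point scan_webshells at the real document root (for the page's layout, /storage/www/) and review each hit by hand: frameworks legitimately call base64_decode and even eval, so the regex finds candidates, not verdicts. Cross-checking the hits against recent_php output narrows the list quickly.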
2. Count how often each client IP appears in the access log, to spot hotlinking, attacks and robots (the field numbers in the log items below assume the Apache/nginx combined log format: $1 is the client IP, $7 the request path, $9 the status code, $10 the bytes sent)
# awk '{print $1}' access.log | sort | uniq -c | sort -rn
3. Look at what the most frequent IP actually requested (replace IP with the address found above; -F makes the dots literal)
# grep -F 'IP' access.log > filename
# awk '{print $7}' filename | sort | uniq -c | sort -rn
4. The 20 most requested files or pages
# awk '{print $7}' access.log | sort | uniq -c | sort -nr | head -20
5. The largest .exe downloads by bytes sent (useful on download sites)
# awk '($7 ~ /\.exe/) {print $10 " " $1 " " $4 " " $7}' access.log | sort -nr | head -20
6. .exe files larger than 200000 bytes (about 200 KB) and how many times each was served
# awk '($10 > 200000 && $7 ~ /\.exe/) {print $7}' access.log | sort -n | uniq -c | sort -nr | head -100
7. If the last field of the log is the request time (for example Apache's %T, in seconds), list the slowest PHP pages together with the client that requested them
# awk '($7 ~ /\.php/) {print $NF " " $1 " " $4 " " $7}' access.log | sort -nr | head -100
8. The PHP pages that took more than 60 seconds, and how often each occurred
# awk '($NF > 60 && $7 ~ /\.php/) {print $7}' access.log | sort -n | uniq -c | sort -nr | head -100
9. Objects whose transfer took more than 30 seconds
# awk '($NF > 30) {print $7}' access.log | sort -n | uniq -c | sort -nr | head -20
10. Total bytes served, in GB
# awk '{sum += $10} END {print sum/1024/1024/1024}' access.log
11. List the requests that returned 404 (a quick view of scanners probing for files that do not exist)
# awk '($9 == 404) {print $9, $7}' access.log | sort | uniq -c | sort -rn
12. Count requests per HTTP status code (two equivalent forms)
# awk '{counts[$9] += 1} END {for (code in counts) print code, counts[code]}' access.log
# awk '{print $9}' access.log | sort | uniq -c | sort -rn
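An added example (not from the original page) that wraps the access-log one-liners of items 2 to 12 as functions and runs them over a constructed log so the results can be checked offline. Field numbers assume the combined log format with the request time in seconds (Apache %T) appended as the last field: $1 client IP, $7 request path, $9 status, $10 response bytes, $NF request time. The addresses, paths and byte counts in the sample are made up.

```shell
#!/bin/sh
# Access-log analysis helpers run over a constructed sample log.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin.php HTTP/1.1" 404 512 "-" "Mozilla/5.0" 0
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0" 0
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /upload.php HTTP/1.1" 200 256 "-" "python-requests/2.31" 75
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 1
198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /files/setup.exe HTTP/1.1" 200 3145728 "-" "Mozilla/5.0" 12
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /index.php HTTP/1.1" 304 0 "-" "Googlebot/2.1" 0
EOF

# top_ips LOG [N]: requests per client, busiest first (item 2).
top_ips() { awk '{print $1}' "$1" | sort | uniq -c | sort -rn | head -n "${2:-20}"; }

# ip_requests LOG IP: what one client asked for, most frequent path first (item 3).
ip_requests() { awk -v ip="$2" '$1 == ip {print $7}' "$1" | sort | uniq -c | sort -rn; }

# top_paths LOG [N]: most requested paths (item 4).
top_paths() { awk '{print $7}' "$1" | sort | uniq -c | sort -rn | head -n "${2:-20}"; }

# largest_exe LOG: .exe downloads by bytes served, largest first (item 5).
largest_exe() { awk '$7 ~ /\.exe$/ {print $10, $1, $4, $7}' "$1" | sort -rn; }

# slow_requests LOG SECONDS: requests whose time exceeds SECONDS (items 7 to 9).
slow_requests() { awk -v t="$2" '$NF > t {print $NF, $1, $7}' "$1" | sort -rn; }

# total_gb LOG: bytes served, in GB (item 10).
total_gb() { awk '{sum += $10} END {printf "%.4f\n", sum / 1024 / 1024 / 1024}' "$1"; }

# not_found LOG: paths that produced 404s, i.e. what scanners probed for (item 11).
not_found() { awk '$9 == 404 {print $7}' "$1" | sort | uniq -c | sort -rn; }

# status_counts LOG: requests per HTTP status (item 12).
status_counts() { awk '{c[$9]++} END {for (s in c) print s, c[s]}' "$1" | sort; }

# Stand-alone demo.
echo "== top clients";     top_ips "$SAMPLE_LOG" 5
echo "== status codes";    status_counts "$SAMPLE_LOG"
echo "== 404 probes";      not_found "$SAMPLE_LOG"
echo "== slower than 60s"; slow_requests "$SAMPLE_LOG" 60
echo "== total GB";        total_gb "$SAMPLE_LOG"
```

In the sample, one client accounts for most of the requests, both 404s and the only slow request (a 75-second POST to an upload script from a scripting user agent), which is exactly the kind of combination these one-liners are meant to surface. Replace $SAMPLE_LOG with the real access.log to use the functions on live data.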
13. Search for injected Trojan content (here the string www.800816.com.cn, used in an injected hidden element) for batch cleanup. Review the file list from the first command and take a backup before running the sed, which edits the files in place
# find /webbase/ -type f -exec grep -l 'www.800816.com.cn' {} \;
# sed -i "s/body *{.*www\.800816\.com\.cn.*}//g" $(grep -rl www.800816.com.cn ./)
14. Batch-convert file encoding from GBK to UTF-8 (the converted tree is written under utf/)
# find default -type d -exec mkdir -p utf/{} \;
# find default -type f -exec iconv -f GBK -t UTF-8 {} -o utf/{} \;
15. Skip particular directories or files when searching with find (-prune)
# find /usr/sam \( -path /usr/sam/dir1 -o -path /usr/sam/file1 \) -prune -o -name "*.txt" -print
16. Count TCP connections by state (the following forms are equivalent; a sudden pile of SYN_RECV or TIME_WAIT is usually the first sign of a flood)
# netstat -n | awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}'
# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn
# netstat -n | awk '/^tcp/ {++state[$NF]}; END {for (key in state) print key, "\t", state[key]}'
# netstat -n | awk '/^tcp/ {++arr[$NF]}; END {for (k in arr) print k, "\t", arr[k]}'
# netstat -n | awk '/^tcp/ {print $NF}' | sort | uniq -c | sort -rn
# netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
17. The top 20 IP addresses connected to port 80 (usually used to find attack sources; splitting on ":" to drop the port only works for IPv4 peers)
# netstat -anlp | grep :80 | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n 20
# netstat -ant | awk '/:80/ {split($5, ip, ":"); ++A[ip[1]]} END {for (i in A) print A[i], i}' | sort -rn | head -n 10
18. Number of TCP connections held by php-cgi processes
# netstat -anp | grep php-cgi | grep ^tcp | wc -l
19. Peers with the most connections in TIME_WAIT
# netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -n 20
20. Peers with the most half-open (SYN_RECV) connections, the sources to look at during a SYN flood
# netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more
21. Which process is listening on a port (here 80)
# netstat -ntlp | grep :80 | awk '{print $7}' | cut -d/ -f1
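An added example (not from the original page) with the connection-state and top-talker counting of items 16 to 20 written as functions that read netstat output on stdin, so they can be exercised over a constructed sample. Feed them `netstat -ant` for live data (`ss -ant` has a different column order). The sample uses documentation address ranges, not real hosts, and includes an IPv6 peer to show why the port has to be stripped at the last colon rather than the first.

```shell
#!/bin/sh
# Connection-state and top-peer counting over netstat -ant output.

# sample_netstat: constructed `netstat -ant` output (fixture).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.2:40000      TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.2:40001      TIME_WAIT
tcp        0      0 10.0.0.5:22             192.0.2.9:52000         ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 2001:db8::5:80          2001:db8::1:33000       ESTABLISHED
EOF
}

# conn_states: connections per TCP state, most common first (item 16).
conn_states() {
    awk '/^tcp/ {++s[$NF]} END {for (k in s) print s[k], k}' | sort -rn
}

# top_peers PORT [STATE]: remote IPs with the most connections to local PORT,
# optionally restricted to one state (items 17, 19, 20). The port is removed
# with a regex anchored on the last ":" so IPv6 peers are counted correctly,
# and listening sockets are skipped because their "peer" is *.
top_peers() {
    awk -v port="$1" -v st="$2" '
        /^tcp/ && $4 ~ (":" port "$") && $NF != "LISTEN" && (st == "" || $NF == st) {
            sub(/:[0-9*]+$/, "", $5)
            ++a[$5]
        }
        END {for (ip in a) print a[ip], ip}' | sort -rn
}

# syn_recv_total: half-open connections on any port; a large number here with
# few ESTABLISHED is the signature of a SYN flood (item 20).
syn_recv_total() {
    awk '/^tcp/ && $NF == "SYN_RECV" {n++} END {print n + 0}'
}

# Stand-alone demo.
echo "== states";          sample_netstat | conn_states
echo "== peers on :80";    sample_netstat | top_peers 80
echo "== SYN_RECV peers";  sample_netstat | top_peers 80 SYN_RECV
echo "== SYN_RECV total";  sample_netstat | syn_recv_total
```

For live use replace sample_netstat with `netstat -ant`, e.g. `netstat -ant | top_peers 80 SYN_RECV`. Compare the SYN_RECV count against the size of the listen backlog (net.ipv4.tcp_max_syn_backlog) before concluding that a flood is in progress.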
22. Capture packets for later analysis when port 80 is under attack (use -w file.pcap instead of the redirect if the capture is to be opened in Wireshark)
# tcpdump -c 10000 -i eth0 -n dst port 80 > /root/pkts
23. Sniff port 80 with tcpdump and see which source address is sending the most
# tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -20
24. See which crawlers are fetching content (plain HTTP only; for a TLS site use the web server's own log)
# /usr/sbin/tcpdump -i eth0 -l -s 0 -w - dst port 80 | strings | grep -i user-agent | grep -iE 'bot|crawler|slurp|spider'
25. Sum traffic per domain from a compressed proxy log (assumes $10 is the byte count and $7 the URL; for a real .tar.gz use tar -xzOf instead of zcat)
# zcat squid_access.log.gz | awk '{print $10, $7}' | awk 'BEGIN {FS="[ /]"} {trfc[$4] += $1} END {for (domain in trfc) printf "%s\t%d\n", domain, trfc[domain]}'
26. Watch the SQL statements sent to the database over the network (only works for unencrypted connections that actually cross eth0, not the local socket or TLS sessions)
# /usr/sbin/tcpdump -i eth0 -s 0 -l -w - dst port 3306 | strings | egrep -i 'SELECT|UPDATE|DELETE|INSERT|SET|COMMIT|ROLLBACK|CREATE|DROP|ALTER|CALL'
27. Replace "no" with "yes" on the line matching Root in sshd_config, i.e. enable PermitRootLogin. This is the opposite of hardening, and the pattern fires on any line that merely contains "Root"; to disable root login use the same form with /PermitRootLogin/s/yes/no/ and test the file with sshd -t before restarting
# sed -i '/Root/s/no/yes/' /etc/ssh/sshd_config
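An added example (not from the original page) showing a safer way to change an sshd directive than `sed -i '/Root/s/no/yes/'`, which matches any line containing "Root" and rewrites the first "no" on it. The set_sshd_option function below is an assumed helper: it matches the directive by name, replaces an active or commented-out copy in place (sshd honours the first occurrence, so position matters), leaves Match blocks untouched, inserts the directive before the first Match block if it is missing, and is idempotent. The sshd_config used here is a constructed fixture.

```shell
#!/bin/sh
# Idempotent sshd_config editing with awk instead of a loose sed pattern.

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    file=$1
    tmp=$(mktemp)
    awk -v k="$2" -v v="$3" '
        function emit() { if (!done) { print k " " v; done = 1 } }
        {
            commented = ($0 ~ /^[[:space:]]*#/)
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # strip indent and "#"
            split(line, f, /[[:space:]=]+/)                # "Key value" or "Key=value"
            word = tolower(f[1])
            # Global section ends at the first real Match line: insert before it.
            if (!in_match && word == "match" && !commented) { emit(); in_match = 1 }
            # Replace the first global occurrence (active or commented), drop later ones.
            if (!in_match && word == tolower(k)) { emit(); next }
            print
        }
        END { emit() }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY: effective global value (first active occurrence
# before any Match block), or nothing if unset.
get_sshd_option() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# make_sample_sshd_config: constructed fixture with the stock commented-out
# default, an insecure active setting and a Match block that must survive.
make_sample_sshd_config() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# Constructed sample sshd_config for the demo
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
EOF
    echo "$cfg"
}

# Stand-alone demo: harden the sample and show the result.
CFG=$(make_sample_sshd_config)
set_sshd_option "$CFG" PermitRootLogin no
set_sshd_option "$CFG" PasswordAuthentication no
cat "$CFG"
rm -f "$CFG"
```

On a real host run it against /etc/ssh/sshd_config, validate with `sshd -t -f /etc/ssh/sshd_config`, and keep an existing session open while restarting sshd so a mistake does not lock you out.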
28. Remove the first column of a file
# awk '{for (i = 2; i <= NF; i++) if (i != NF) {printf "%s ", $i} else {print $i}}' list
29. Sort processes by memory size, largest first (%z is the virtual size, field 5 once the colons are counted)
# ps -e -o "%C : %p : %z : %a" | sort -k5 -nr
30. Sort processes by CPU usage, highest first
# ps -e -o "%C : %p : %z : %a" | sort -nr
31. Find out which CPU a process is running on (the psr column)
# ps -eo pid,args,psr
32. Clean up zombie processes. A zombie has already exited and ignores signals, so kill -9 on its PID ($4 in ps -eal) does nothing; what it needs is for its parent (PPID, $5) to reap it. List the zombies with the first command, then signal the parents with the second, and kill the parent itself if it still does not reap
# ps -eal | awk '$2 == "Z" {print $4}'
# ps -eal | awk '$2 == "Z" {print $5}' | sort -u | xargs -r kill -s SIGCHLD
33. Show the hardware vendor and model
# dmidecode -s system-product-name
34. Find the process generating the most disk I/O (dstat; the package below is for Scientific Linux 5, use your distribution's own package otherwise)
# wget -c http://linux.web.psi.ch/dist/scientific/5/gfa/all/dstat-0.6.7-1.rf.noarch.rpm
# dstat -M topio -d -M topbio
35. Check whether disk utilisation (%util) is saturated, i.e. close to 100%
# iostat -x 1 2
36. Disk space: check for partitions with high usage (Use%, for example over 90%). If a partition is nearly full, change into its mount point and find the largest files or directories with:
# df -h
# du -cks * | sort -rn | head -n 10
37. Check whether the three load averages exceed about 4 times the number of logical CPUs
# cat /proc/loadavg
38. Number of logical CPUs
# grep -c processor /proc/cpuinfo
39. Check whether network traffic (rxbyt/s, txbyt/s; newer sysstat prints rxkB/s and txkB/s) is unusually high
# sar -n DEV
40. Show the interface byte counters every second
# watch -n 1 "/sbin/ifconfig eth0 | grep bytes"
41. Overwrite the files in a directory in bulk without being asked to confirm each one (the leading backslash bypasses the usual cp -i alias; the destination path is a placeholder)
# \cp -rf /svn/wwwroot/. /path/to/docroot/
42. Trace the system calls of a running process
# strace -p pid
43. Attach a debugger to a running process
# gdb -p pid
44. Count open file descriptors per process (lsof prints one line per open file; $2 is the PID)
# lsof -n | awk '{print $2}' | sort | uniq -c | sort -nr | more
Author "For The Dream"