Linux Command skills

Source: Internet
Author: User

1. Check whether a webshell (PHP Trojan script) has been dropped in the site's document root, keying on the statements such scripts rely on (eval, system).
# find /storage/www/ -name "*.php" | xargs grep -in --color "eval("
# grep -i --include='*.php' -r 'system\s*\(' /storage/www/
2. Count how many times each IP address appears in the access log (useful for spotting hotlinking, attacks and robots).
# cat access.log | awk '{print $1}' | sort | uniq -c | sort -rn
3. Look at what the most active IP address actually requested (replace IP with the address found in step 2).
# grep -e IP access.log > filename
# cat filename | awk '{print $8}' | sort | uniq -c | sort -rn
4. Get the 20 most requested files or pages (in the combined log format field 11 is the referrer; field 7 is the requested path).
# cat access.log | awk '{print $11}' | sort | uniq -c | sort -nr | head -20
5. List the .exe files transferred most often (commonly used when analysing download sites).
# cat access.log | awk '($7 ~ /\.exe/) {print $10 " " $1 " " $4 " " $7}' | sort -nr | head -20
6. List the .exe files whose response size exceeded 200000 bytes (roughly 200 KB) and how often each occurred.
# cat access.log | awk '($10 > 200000 && $7 ~ /\.exe/) {print $7}' | sort -n | uniq -c | sort -nr | head -100
7. If the last column of the log records the page transfer time, list the pages that took longest to deliver to the client.
# cat access.log | awk '($7 ~ /\.php/) {print $NF " " $1 " " $4 " " $7}' | sort -nr | head -100
8. List the slowest pages (more than 60 seconds) and how often each occurred.
# cat access.log | awk '($NF > 60 && $7 ~ /\.php/) {print $7}' | sort -n | uniq -c | sort -nr | head -100
9. List objects whose transfer time exceeded 30 seconds.
# cat access.log | awk '($NF > 30) {print $7}' | sort -n | uniq -c | sort -nr | head -20
10. Total site traffic in GB.
# cat access.log | awk '{sum += $10} END {print sum/1024/1024/1024}'
11. Count 404 responses.
# awk '($9 ~ /404/)' access.log | awk '{print $9, $7}' | sort
12. Collect HTTP status code statistics.
# cat access.log | awk '{counts[$(9)] += 1}; END {for (code in counts) print code, counts[code]}'
# cat access.log | awk '{print $9}' | sort | uniq -c | sort -rn
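The access-log one-liners in items 2, 6, 10, 11 and 12 wrapped as shell functions and run against a constructed Apache combined-format log, as an added example that is not part of the original page. It assumes the usual field layout ($1 client IP, $7 request path, $9 status, $10 response bytes); every log line in the heredoc is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): log-analysis one-liners as functions.
# Assumed combined-format fields: $1 client IP, $7 request path, $9 status, $10 bytes.
# The log lines below are constructed sample data.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /admin.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /setup.exe HTTP/1.1" 200 350000 "-" "Mozilla/5.0"
192.168.1.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/8.0"
192.168.1.7 - - [01/Jan/2024:10:00:05 +0000] "GET /old.php HTTP/1.1" 404 210 "-" "curl/8.0"
172.16.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /setup.exe HTTP/1.1" 200 120000 "-" "Wget/1.21"
EOF

# Item 2: requests per client IP, busiest first.
top_ips() {
    awk '{print $1}' "$1" | sort | uniq -c | sort -rn
}

# Item 12: HTTP status code distribution.
status_counts() {
    awk '{c[$9]++} END {for (s in c) print s, c[s]}' "$1" | sort
}

# Item 11: 404 responses together with the path that produced them.
not_found() {
    awk '$9 == 404 {print $9, $7}' "$1" | sort | uniq -c | sort -rn
}

# Item 6: .exe downloads larger than $2 bytes, with occurrence counts.
big_exe() {
    awk -v min="$2" '$10 > min && $7 ~ /\.exe$/ {print $7}' "$1" | sort | uniq -c | sort -rn
}

# Item 10: total bytes served (divide by 1024^3 for GB).
total_bytes() {
    awk '{sum += $10} END {print sum + 0}' "$1"
}

echo "== top IPs =="; top_ips "$SAMPLE_LOG" | head -20
echo "== status codes =="; status_counts "$SAMPLE_LOG"
echo "== 404s =="; not_found "$SAMPLE_LOG"
echo "== .exe over 200000 bytes =="; big_exe "$SAMPLE_LOG" 200000
echo "== total bytes =="; total_bytes "$SAMPLE_LOG"
```

Point each function at a real log instead of the temp file to use it in place; on a busy site the same IP at the top of `top_ips` with a high `not_found` share is the scanner pattern the list is written to catch.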
13. Search for injected Trojan content so it can be cleaned up in bulk.
# find /webbase/ -type f -exec grep 'www.800816.com.cn' -l {} \;
# sed -i "s/body{.*www.800816.com.cn.*}//g" $(grep www.800816.com.cn -rl ./)
14. Convert file encoding from GBK to UTF-8 in bulk.
# find default -type d -exec mkdir -p utf/{} \;
# find default -type f -exec iconv -f GBK -t UTF-8 {} -o utf/{} \;
15. Exclude several directories or files when searching with find.
# find /usr/sam \( -path /usr/sam/dir1 -o -path /usr/sam/file1 \) -prune -o -name "*.txt" -print
16. View the number of concurrent TCP connections and their states:
# netstat -n | awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}'
# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn
# netstat -n | awk '/^tcp/ {++state[$NF]}; END {for (key in state) print key, "\t", state[key]}'
# netstat -n | awk '/^tcp/ {++arr[$NF]}; END {for (k in arr) print k, "\t", arr[k]}'
# netstat -n | awk '/^tcp/ {print $NF}' | sort | uniq -c | sort -rn
# netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
17. Find the 20 IP addresses with the most connections (usually used to locate attack sources).
# netstat -anlp | grep 80 | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n20
# netstat -ant | awk '/:80/ {split($5, ip, ":"); ++A[ip[1]]} END {for (i in A) print A[i], i}' | sort -rn | head -n10
18. View the number of active php-cgi processes.
# netstat -anp | grep php-cgi | grep ^tcp | wc -l
19. Find the addresses with the most TIME_WAIT connections.
# netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -n20
20. Find the addresses with the most SYN connections.
# netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more
21. List the process owning each listening port.
# netstat -ntlp | grep 80 | awk '{print $7}' | cut -d/ -f1
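The state tally from item 16 and the top-remote-IP tally from items 17 and 20, as an added example that is not part of the original page, run against a constructed netstat -ant listing. It assumes the standard column layout ($4 local address, $5 foreign address, $NF state) and strips the port with a greedy match, which keeps IPv6 foreign addresses intact where `awk -F:` would cut them at the first colon; the addresses are from documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original page): netstat tallies as functions.
# Assumed columns: $4 local address, $5 foreign address, $NF state.
# The listing below is constructed sample data using documentation addresses.

NETSTAT_SAMPLE=$(mktemp)
trap 'rm -f "$NETSTAT_SAMPLE"' EXIT
cat > "$NETSTAT_SAMPLE" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:80             203.0.113.4:51522       ESTABLISHED
tcp        0      0 10.0.0.1:80             203.0.113.4:51523       TIME_WAIT
tcp        0      0 10.0.0.1:80             198.51.100.9:40001      SYN_RECV
tcp        0      0 10.0.0.1:80             198.51.100.9:40002      SYN_RECV
tcp        0      0 10.0.0.1:80             198.51.100.9:40003      SYN_RECV
tcp6       0      0 :::80                   2001:db8::1234:42000    ESTABLISHED
EOF

# Item 16: number of connections in each TCP state.
state_counts() {
    awk '/^tcp/ {++s[$NF]} END {for (k in s) print k, s[k]}' "$1" | sort
}

# Item 17: foreign IPs with the most connections to local port 80.
# sub() removes only the trailing ":port", so IPv6 addresses keep their colons.
top_remote_ips() {
    awk '/^tcp/ && $4 ~ /:80$/ {
            ip = $5
            sub(/:[^:]*$/, "", ip)
            ++a[ip]
        }
        END {for (k in a) print a[k], k}' "$1" | sort -rn
}

# Item 20: half-open (SYN_RECV) connections per source, a quick SYN-flood indicator.
syn_sources() {
    awk '/^tcp/ && $NF == "SYN_RECV" {ip = $5; sub(/:[^:]*$/, "", ip); ++a[ip]}
         END {for (k in a) print a[k], k}' "$1" | sort -rn
}

echo "== states =="; state_counts "$NETSTAT_SAMPLE"
echo "== top remote IPs on :80 =="; top_remote_ips "$NETSTAT_SAMPLE" | head -n20
echo "== SYN_RECV sources =="; syn_sources "$NETSTAT_SAMPLE"
```

Feed the functions `netstat -ant` output saved to a file (or a process substitution) to use them live; a single source dominating `syn_sources` while `state_counts` shows SYN_RECV climbing is the pattern items 17 and 20 are meant to surface.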
22. Capture packets for later analysis when port 80 is under attack.
# tcpdump -c 10000 -i eth0 -n dst port 80 > /root/pkts
23. Sniff traffic to port 80 with tcpdump to see which source sends the most.
# tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -20
24. Check which crawlers are fetching the content.
# /usr/sbin/tcpdump -i eth0 -l -s 0 -w - dst port 80 | strings | grep -i user-agent | grep -i -E 'bot|crawler|slurp|spider'
25. Aggregate traffic by domain.
# zcat squid_access.log.tar.gz | awk '{print $10, $7}' | awk 'BEGIN {FS = "[ /]"} {trfc[$4] += $1} END {for (domain in trfc) {printf "%s\t%d\n", domain, trfc[domain]}}'
26. View the SQL statements the database is executing.
# /usr/sbin/tcpdump -i eth0 -s 0 -l -w - dst port 3306 | strings | egrep -i 'SELECT|UPDATE|DELETE|INSERT|SET|COMMIT|ROLLBACK|CREATE|DROP|ALTER|CALL'
27. In lines matching "Root", replace "no" with "yes" (in sshd_config this enables root login over SSH).
# sed -i '/Root/s/no/yes/' /etc/ssh/sshd_config
28. Remove the first column.
# awk '{for (i = 2; i <= NF; i++) if (i != NF) {printf $i " "} else {print $i}}' list
29. Sort processes by memory size, largest first.
# ps -e -o "%C : %p : %z : %a" | sort -k5 -nr
30. Sort processes by CPU utilisation, largest first.
# ps -e -o "%C : %p : %z : %a" | sort -nr
31. Find out which CPU a process is running on (the psr column).
# ps -eo pid,args,psr
32. Clean up zombie processes (column 4 of ps -eal is the parent PID; the zombie is reaped when its parent is killed).
# ps -eal | awk '{if ($2 == "Z") {print $4}}' | xargs -r kill -9
33. View the hardware vendor's product name.
# dmidecode -s system-product-name
34. Find the process generating the most disk I/O.
# wget -c http://linux.web.psi.ch/dist/scientific/5/gfa/all/dstat-0.6.7-1.rf.noarch.rpm
# dstat -M topio -d -M topbio
35. Check whether I/O utilisation (%util) is reaching 100%.
# iostat -x 1 2
36. Disk space: check whether any partition's usage (Use%) is high (for example, above 90%). If a partition is close to full, change to its mount point and run the following to find the files or directories taking the most space:
# df -h
# du -cks * | sort -rn | head -n 10
37. Check whether the first three load-average values exceed 4 times the number of logical CPUs.
# cat /proc/loadavg
38. Number of CPUs.
# cat /proc/cpuinfo | grep -c processor
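The threshold checks described in items 36, 37 and 38 (partition usage above 90%, load average above 4 times the logical CPU count) as shell functions, an added example that is not part of the original page. The functions read text in the format of `df -h` and `/proc/loadavg`, so they run here against constructed samples and can equally be fed the live commands; `nproc` is used only as a fallback where /proc/cpuinfo is absent.

```shell
#!/bin/sh
# Added example (not from the original page): disk-usage and load-average
# threshold checks. DF_SAMPLE and LOADAVG_SAMPLE are constructed sample data.

DF_SAMPLE='Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1        50G   47G  3.0G  95% /
/dev/sdb1       200G   80G  120G  40% /data
tmpfs           2.0G     0  2.0G   0% /dev/shm'

LOADAVG_SAMPLE='9.52 8.10 6.73 3/412 28471'

# Item 36: mount points whose Use% is at or above the threshold (default 90).
full_partitions() {
    printf '%s\n' "$1" | awk -v t="${2:-90}" 'NR > 1 {u = $5; sub(/%/, "", u); if (u + 0 >= t) print $6}'
}

# Item 37: "HIGH" if any of the 1/5/15-minute load values exceeds 4 x the CPU count, else "OK".
load_check() {
    printf '%s\n' "$1" | awk -v n="$2" '{lim = 4 * n; if ($1 > lim || $2 > lim || $3 > lim) print "HIGH"; else print "OK"}'
}

# Item 38: logical CPU count from /proc/cpuinfo, nproc as a fallback.
cpu_count() {
    if [ -r /proc/cpuinfo ]; then grep -c '^processor' /proc/cpuinfo; else nproc; fi
}

echo "== sample partitions at/above 90% =="; full_partitions "$DF_SAMPLE" 90
echo "== sample load vs 2 CPUs =="; load_check "$LOADAVG_SAMPLE" 2
echo "== live partitions at/above 90% on this host ($(cpu_count) CPUs) =="; full_partitions "$(df -h)" 90
```

Once a mount point is reported, the `du -cks * | sort -rn | head -n 10` from item 36 run inside it shows what is consuming the space.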
39. Check whether network traffic (rxbyt/s, txbyt/s) is too high.
# sar -n DEV
40. Show network traffic every second.
# watch -n 1 "/sbin/ifconfig eth0 | grep bytes"
41. Overwrite the files in a directory in bulk without being prompted for each one (the leading backslash bypasses the cp -i alias).
# \cp -rf /svn/* /wwwroot
42. Debug a running process (trace its system calls).
# strace -p pid
43. Attach a debugger to a process by PID.
# gdb -p pid
44. View the number of file handles opened by each process.
# lsof -n | awk '{print $2}' | sort | uniq -c | sort -nr | more

Author "For The Dream"
