Basic preparation: command tamper-proofing and command logging
After compromising an operating system, attackers commonly do two things: unset the shell history and replace command binaries (or the shared libraries they depend on). Two countermeasures address these points: keep a shell command log (shelllog), and check whether shared libraries and command files have been modified recently.
Rootkit Hunter (rkhunter)
```
# Install
$ sudo wget https://jaist.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.4/rkhunter-1.4.4.tar.gz
$ sudo tar zxvf rkhunter-1.4.4.tar.gz
$ cd rkhunter-1.4.4            # cd is a shell builtin, so it must not be run through sudo
$ sudo sh install.sh --install

# Usage
$ sudo /usr/local/bin/rkhunter --propupd     # build/update the file-properties baseline (run on a known-clean host)
$ sudo /usr/local/bin/rkhunter -c --sk --rwo # check the system, skip key presses, report warnings only
```
Symptom evaluation: locating the anomaly from the host's abnormal state
Resource exhaustion (the host becomes sluggish or unresponsive)
```
free -m        # memory usage in MB
free -l        # memory usage details (low/high memory statistics)
ps aux | head -1; ps aux | grep -v PID | sort -rn -k 4 | head   # top ten processes by memory usage (%MEM is column 4)
vmstat -a      # memory and CPU usage (active/inactive memory)
vmstat -s      # detailed memory and CPU statistics
vmstat -d      # disk read/write I/O statistics
ps aux | head -1; ps aux | grep -v PID | sort -rn -k 3 | head   # top ten processes by CPU usage (%CPU is column 3)
top            # live per-process resource consumption
```
Host downtime (the host goes down, hangs, or reboots)
```
dmesg -T                  # kernel ring buffer with human-readable timestamps
dmesg -T | grep memory    # memory-related kernel messages (e.g. OOM killer)
dmesg -T | grep crash     # crash-related kernel messages
dmesg -T | grep reboot    # reboot-related kernel messages
cat /var/log/dmesg        # kernel log saved at boot
cat /var/log/syslog       # system log
cat /var/log/kernel.log   # kernel log (kern.log on Ubuntu)
```
Network disconnection troubleshooting (the host loses connectivity or connects intermittently)
```
iptables -L             # list firewall rules
cat /etc/resolv.conf    # DNS resolver configuration
ifconfig -a             # all network interfaces, including those that are down
```
Application Service Problem Diagnosis
```
HTTP      /var/log/httpd/access.log   # or the log path set in the HTTP server's configuration file
FTP       /var/log/vsftp.log          # or xferlog in the same directory
Squid     /var/log/squid              # or squid.access.log
NFS       /var/log/nfs
IPTABLES  /var/log/iptables/…
Samba     /var/log/samba
DNS       /var/log/message
DHCP      /var/log/message            # or /var/lib/dhcp/db/dhcpd.leases
Mail      /var/log/maillog
```
Intrusion point: checking for intrusion indicators
```
## Suspicious network communication and process check ##
netstat -antlop   # all TCP connections with timers and owning process; look for abnormal connections and the processes/files behind them
ps -ef            # process list (full format)
ps aux            # process list (BSD format, with CPU/memory usage)
lsof              # open files, with the process and account that hold them
lsof -g pid       # open files of a process group (-g selects by PGID; use -p PID for a single process)
```
Login and brute-force troubleshooting
```
last                           # login and reboot records
lastb                          # failed login records (alternatively /var/log/faillog)
who /var/log/wtmp              # login records; also: last -f /var/run/utmp
cat /var/log/lastlog           # most recent login per user (binary file; the lastlog command prints it readably)
cat /var/log/secure            # security log
cat /var/log/cron              # scheduled task (cron) log
cat ~/.bash_history | more     # shell command history
# brute-force attempts against root, counted by source IP
grep "Failed password for root" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr | more
# successful logins, counted by source IP
grep "Accepted" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr | more
# hard-coded IP fragments inside a suspicious hidden sshd binary
strings /usr/bin/.sshd | egrep '[0-9]{1,3}\.[0-9]{1,3}\.'
```
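The grep/awk pipelines above pick the source IP from field 11, which breaks on lines such as "Failed password for invalid user admin from ..." where the fields shift. The following added example (not part of the original manual) parses sshd lines from /var/log/auth.log with a regular expression instead, counts failures and successes per source IP, and flags IPs that logged in successfully after repeated failures; the log lines and the 198.51.100.x / 203.0.113.x addresses are constructed samples.

```python
import re
from collections import defaultdict

# sshd lines from /var/log/auth.log (or /var/log/secure). Unlike awk '{print $11}',
# the pattern still finds the source IP when the line contains "invalid user",
# which shifts the whitespace-separated fields by two.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

def parse_auth_log(lines):
    """Yield (result, user, ip) for each sshd login line; skip other lines."""
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")

def summarize(lines, fail_threshold=3):
    """Count failed/accepted logins per source IP and flag IPs that logged in
    successfully after at least fail_threshold failures (brute-force pattern)."""
    failed = defaultdict(int)
    accepted = defaultdict(set)
    suspicious = set()
    for result, user, ip in parse_auth_log(lines):
        if result == "Failed":
            failed[ip] += 1
        else:
            accepted[ip].add(user)
            if failed.get(ip, 0) >= fail_threshold:
                suspicious.add(ip)
    return dict(failed), {ip: sorted(u) for ip, u in accepted.items()}, suspicious

# Constructed sample log (not from a real host); addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar  3 10:01:05 web1 sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Mar  3 10:01:09 web1 sshd[2105]: Failed password for root from 198.51.100.7 port 51251 ssh2
Mar  3 10:01:12 web1 sshd[2107]: Accepted password for root from 198.51.100.7 port 51260 ssh2
Mar  3 10:05:00 web1 sshd[2120]: Accepted publickey for deploy from 203.0.113.5 port 40000 ssh2
Mar  3 10:05:30 web1 CRON[2130]: pam_unix(cron:session): session opened for user root by (uid=0)
""".splitlines()

if __name__ == "__main__":
    failed, accepted, suspicious = summarize(SAMPLE_LOG)
    print("failed:", failed, "accepted:", accepted, "suspicious:", sorted(suspicious))
```

Run it against a real file with `summarize(open("/var/log/auth.log"))`; the "invalid user" line in the sample is exactly the case the awk field-11 pipeline misattributes.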
Exploitation and post-exploitation indicators
Web intrusion point check
```
# Webshell search: grep PHP files for functions and strings commonly used by webshells
find /var/www/ -name "*.php" | xargs egrep 'assert|phpspy|c99sh|milw0rm|eval|\(gzuncompress|\(base64_encode|spider_bc|shell_exec|passthru|\(\$_POST\[|eval\(str_rot13|\.chr\(|\$\{"_P|eval\(\$_R|file_put_contents\(.*\$_|base64_decode'

# Archive all script files for offline analysis
find /var/www/html/ | grep -E "\.asp$|\.aspx$|\.jsp$|\.jspx$|\.jspf$|\.php$|\.php3$|\.php4$|\.php5$|\.inc$|\.phtml$|\.jar$|\.war$|\.pl$|\.py$|\.cer$|\.asa$|\.cdx$|\.ashx$|\.ascx$|\.cfm$|\.cgi$" | xargs tar zcvf /tmp/shellscript.tar.gz

# Related file-search commands
sudo find / -mtime -N        # files modified within the last N days (N is a placeholder; -atime/-ctime select by access/status-change time)
sudo find ./ -perm 4777      # find by permission bits (here: setuid and world-writable)
find ./ -mtime -1 -type f    # regular files modified within the last day (filter by file type)
```
Based on past experience, access.log can be analyzed with the https://github.com/cisp/AccessLogAnylast tool (which I develop and maintain).
Appendix I:
- Some backdoor files can only be deleted after their permissions have first been changed to 000.
- The Rootkit Hunter detailed-usage section is referenced from: https://yq.aliyun.com/ziliao/75349
Linux Emergency Handling Operations Manual