Linux under the Emergency tool

Source: Internet
Author: User

The emergency tools under Linux

Under Linux, emergency response boils down to five views: performance (downtime, high CPU, high memory, high IO, heavy network traffic), connections, processes, logs and files (in Linux everything is a file), and then combining them. So I wrote two small tools for the common emergency operations. They currently support CentOS and Red Hat; since they are Python-based they are essentially cross-platform, and the vast majority of features work on other Linux distributions and even Windows.

Installation of tools
    # requires root privileges
    git clone https://github.com/cisp/LinuxEmergency.git
    cd LinuxEmergency
    sh ./install.sh
Use the tool to view operating system information:
    [[email protected] emergency]# python emergency.py -o
    内核版本 : Linux-3.10.0-514.26.2.el7.v7.4.qihoo.x86_64-x86_64-with-centos-7.2.1511-Core
    CORE数量 : 16
    CPU数量 : 16
    CPU使用率 : scputimes(user=1.0, nice=0.0, system=0.0, idle=15.0, iowait=0.0, irq=0.0, softirq=0.0, steal=0.0, guest=0.0, guest_nice=0.0)
    内存总量  : 33736994816
    内存使用率 : 5.1
    [[email protected] emergency]#
To view kernel module information:
    [[email protected] emergency]# python emergency.py -k
    内核模块 : nfnetlink_queue  来源  :
    内核模块 : nfnetlink_log  来源  :
    内核模块 : nfnetlink  来源  :  nfnetlink_log,nfnetlink_queue
    内核模块 : bluetooth  来源  :
To list the source IP addresses of all logins and whether each login succeeded (成功) or failed (失败):
    [[email protected] emergency]# python emergency.py -l
    192.168.100.35  失败
    192.168.100.31  失败
    127.0.0.1  失败
    192.168.100.20  成功
View login success and failure logs:
    # successful logins: -s
    [[email protected] emergency]# python emergency.py -s | more
    账户 : emergency    时间 : 2017-08-09-11:20  来源 : (192.168.100.24)
    账户 : emergency    时间 : 2017-08-09-14:34  来源 : (192.168.100.24)
    账户 : root    时间 : 2017-09-28-12:38  来源 : (192.168.100.65)
    账户 : root    时间 : 2017-09-28-12:46  来源 : (192.168.100.65)
    账户 : root    时间 : 2017-09-28-13:13  来源 : (192.168.100.65)
    # failed logins: -f
    [[email protected] emergency]# python emergency.py -f | more
    账户 : emergency    时间 : 192.168.100.34  来源 : Jul-6-21:27---21:27
    账户 : emergency    时间 : 192.168.100.34  来源 : Jul-6-21:25---21:25
    账户 : admin    时间 : 127.0.0.1  来源 : Jul-5-15:32---15:32
    # to restrict the output to one IP, add the -i parameter, e.g. -i 192.168.100.34
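The login views above (-l, -s, -f) are built from the system's authentication log. The following is an added example, not code from the tool or the original page: it parses constructed /var/log/secure sshd lines, summarises accepted and failed logins per source IP, and flags sources that deserve a closer look. The log lines, host name and the failure threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/secure sshd lines (CentOS/RHEL format), not a real capture.
SAMPLE_SECURE_LOG = """\
Jul  6 21:25:10 host sshd[2101]: Failed password for emergency from 192.168.100.34 port 51022 ssh2
Jul  6 21:27:43 host sshd[2108]: Failed password for invalid user admin from 127.0.0.1 port 40110 ssh2
Aug  9 11:20:05 host sshd[2301]: Accepted password for emergency from 192.168.100.24 port 50212 ssh2
Sep 28 12:38:51 host sshd[3120]: Accepted publickey for root from 192.168.100.65 port 55100 ssh2
Sep 28 12:40:02 host sshd[3130]: Failed password for root from 192.168.100.65 port 55102 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s\w+\sfor\s(?:invalid user\s)?(?P<user>\S+)"
    r"\sfrom\s(?P<ip>[\d.]+)\sport\s\d+"
)

def parse_logins(text):
    """Return a list of (timestamp, result, user, ip) tuples, one per sshd login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["ts"], m["result"], m["user"], m["ip"]))
    return events

def summarize_by_ip(events):
    """Per source IP: accepted/failed counts and the set of account names tried (the -l view)."""
    summary = defaultdict(lambda: {"accepted": 0, "failed": 0, "users": set()})
    for _ts, result, user, ip in events:
        summary[ip]["accepted" if result == "Accepted" else "failed"] += 1
        summary[ip]["users"].add(user)
    return dict(summary)

def review_candidates(summary, max_failures=3):
    """IPs worth a closer look: many failures, or failures mixed with a success from the same source."""
    hits = [ip for ip, s in summary.items()
            if s["failed"] >= max_failures or (s["failed"] and s["accepted"])]
    return sorted(hits)

if __name__ == "__main__":
    by_ip = summarize_by_ip(parse_logins(SAMPLE_SECURE_LOG))
    for ip, s in sorted(by_ip.items()):
        print(f"{ip:16} accepted={s['accepted']} failed={s['failed']} users={sorted(s['users'])}")
    print("review:", review_candidates(by_ip))
```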
View the process list, and detailed information about one process:
    # process list
    [[email protected] emergency]# python emergency.py -a
    ****************************************
    Process ID: 2
    Process name: kthreadd
    Process user: root
    Start time: 2018-06-16 07:40:48
    CPU %: 0%
    Memory %: 0%
    Network connections:
    ****************************************
    Process ID: 3
    Process name: ksoftirqd/0
    Process user: root
    Start time: 2018-06-16 07:40:48
    CPU %: 0%
    Memory %: 0.0%
    Network connections:
    ****************************************
    ...
    # detailed information
    [[email protected] emergency]# python emergency.py -p 28344
    ****************************************
    Process ID: 28344
    Process name: screen
    Process user: emergency
    Start time: 2018-06-22 13:25:30
    Working directory: /home/emergency
    Process command: screen
    Parent process: 1
    Child processes: [28345]
    CPU %: 0%
    Memory %: 0.0046135703802%
    Network connections:
    Process environment:
      Terminal session: /bin/bash
      Security session:
      Login account: emergency
      Working account: emergency
      PATH: /usr/lib64/ccache:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/emergency/tools:/usr/local/bin:/usr/local/sbin:/usr/local/python3/bin:/home/emergency/.local/bin:/home/emergency/bin
      User directory: /home/emergency
    ****************************************
Added a basic VirusTotal query function:
    # check a sample
    [[email protected] emergency]# python virustotal.py -f ./LICENSE
    ******************************************
    检测时间: 2018-07-09 07:31:04
    报毒数量: 0
    报毒引擎: []
    引擎总数: 59
    ******************************************
    # check a URL
    [[email protected] emergency]# python virustotal.py -u http://1.1.1.2/bmi/docs.autodesk.com
    ******************************************
    检测时间: 2018-07-09 16:33:29
    关联样本: 0
    关联连接: 0
    关联域名: 0
    ******************************************
    # check a domain
    [[email protected] emergency]# python virustotal.py -d baidu.com
    ******************************************
    检测时间: 2018-07-09 16:33:35
    关联样本: 202
    关联连接: 100
    关联域名: 8
    ******************************************
    # check an IP
    [[email protected] emergency]# python virustotal.py -a 114.114.114.114
    ******************************************
    检测时间: 2018-07-09 16:34:05
    关联样本: 135
    关联连接: 93
    关联域名: 592
    ******************************************
Added the ability to view whois information:
    [[email protected] emergency]# python mywhois.py -d baidu.com
    Domain Name: baidu.com
    Registry Domain ID: 11181110_DOMAIN_COM-VRSN
    Registrar WHOIS Server: whois.markmonitor.com
    Registrar URL: http://www.markmonitor.com
    Updated Date: 2017-07-27T19:36:28-0700
    Creation Date: 1999-10-11T04:05:17-0700
    Registrar Registration Expiration Date: 2026-10-11T00:00:00-0700
    Registrar: MarkMonitor, Inc.
    Registrar IANA ID: 292
    Registrar Abuse Contact Email: abusecomplain[email protected]
    Registrar Abuse Contact Phone: +1.2083895740
    Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
    Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
    Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
    Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
    Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
    Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
    Registrant Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
    Registrant State/Province: beijing
    Registrant Country: CN
    Admin Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
    Admin State/Province: beijing
    Admin Country: CN
    Tech Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
    Tech State/Province: beijing
    Tech Country: CN
    Name Server: ns4.baidu.com
    Name Server: ns3.baidu.com
    Name Server: dns.baidu.com
    Name Server: ns2.baidu.com
    Name Server: ns7.baidu.com
    DNSSEC: unsigned
    URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
    >>> Last update of WHOIS database: 2018-07-09T02:21:59-0700 <<<

    If certain contact information is not shown for a registrant, administrative, or technical contact, and you wish to send a message to these contacts, please send your message to [email protected] and specify the domain name in the subject line. We will forward that message to the underlying contact.

    If you have a legitimate interest in viewing the non-public WHOIS details, send your request and the reasons for your request to [email protected] and specify the domain name in the subject line. We will review this request and may ask for supporting documentation and explanation.

    The data in MarkMonitor.com's WHOIS database is provided by MarkMonitor.com for information purposes, and to assist persons in obtaining information for or related to a domain name registration record. MarkMonitor.com does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail (spam); or (2) enable high volume, automated, electronic processes that apply to MarkMonitor.com (or its systems). MarkMonitor.com reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.

    MarkMonitor is the Global Leader in Online Brand Protection.
    MarkMonitor Domain Management(TM)
    MarkMonitor Brand Protection(TM)
    MarkMonitor AntiPiracy(TM)
    MarkMonitor AntiFraud(TM)
    Professional and Managed Services
    Visit MarkMonitor at http://www.markmonitor.com
    Contact us at +1.8007459229
    In Europe, at +44.02032062220
    For more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en
    --
The web attack log detection program can be downloaded with:
git clone https://github.com/cisp/AccessLogAnylast.git
Usage (the options the program accepts, as defined with optparse in its source):
    from optparse import OptionParser

    parser = OptionParser()
    # "--floder" is the spelling the program uses for the log directory option
    parser.add_option("-F", "--floder", dest="filepath", help="Access log file path")
    parser.add_option("-T", "--time", dest="accesstime", help="set search Time")
    parser.add_option("-D", "--date", dest="accessdate", help="set search Date")
    parser.add_option("-C", "--count", action="store_true", dest="count", help="show count Information")
    parser.add_option("-P", "--payload", dest="payload", help="set search payload")
    parser.add_option("-A", "--address", dest="ipaddress", help="set search IPAddress")
    parser.add_option("-V", "--version", action="store_true", dest="version", help="show Document")
    parser.add_option("-I", "--detail", action="store_true", dest="detail", help="Show Detail")
    parser.add_option("-S", "--shell", action="store_true", dest="webshell", help="show suspicious Webshell")
    parser.add_option("-G", "--ipflag", dest="ipposition", help="IP position in logfile")
    parser.add_option("-N", "--name", dest="filename", help="FileName flag")
    (options, args) = parser.parse_args()
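As an added example that is not part of AccessLogAnylast or the original page, the following Python implements the core of the options above (-P payload search, -D date filter, -C counts per IP, -S suspicious-webshell heuristic) over combined-format access log lines. The log lines, IPs, paths and the "script under an upload directory" heuristic are assumptions constructed for the illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed lines in Apache/Nginx combined log format; the client IP is the first field.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [22/Jun/2018:13:25:30 +0800] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [22/Jun/2018:13:26:01 +0800] "GET /index.php?id=1%27%20union%20select%201,2,3-- HTTP/1.1" 200 3120 "-" "sqlmap/1.2"
10.0.0.9 - - [22/Jun/2018:13:26:05 +0800] "GET /upload/x.php?a=1 HTTP/1.1" 200 88 "-" "python-requests/2.18"
10.0.0.7 - - [22/Jun/2018:13:27:40 +0800] "GET /static/logo.png HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Jun/2018:09:01:12 +0800] "POST /upload/x.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<date>[^:]+):(?P<time>[^ ]+) [^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_access(text):
    """Parse combined-format lines into dicts; the request path is URL-decoded so encoded payloads match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["path"] = unquote(e["path"])
            e["status"] = int(e["status"])
            entries.append(e)
    return entries

def find_payload(entries, pattern, date=None):
    """Entries whose decoded request matches pattern (like -P), optionally limited to one date (like -D)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [e for e in entries if rx.search(e["path"]) and (date is None or e["date"] == date)]

def count_by_ip(entries):
    """Request count per client IP (the -C view)."""
    return Counter(e["ip"] for e in entries)

def suspicious_webshell(entries):
    """Heuristic for -S (assumed here): server-side scripts served from an upload directory with
    status 200 are rarely legitimate. Returns sorted (ip, script path) pairs without query strings."""
    hits = set()
    for e in entries:
        script = e["path"].split("?", 1)[0]
        if re.search(r"/upload/.*\.php$", script, re.IGNORECASE) and e["status"] == 200:
            hits.add((e["ip"], script))
    return sorted(hits)

if __name__ == "__main__":
    entries = parse_access(SAMPLE_ACCESS_LOG)
    print("by ip:", count_by_ip(entries).most_common())
    print("sqli:", [(e["ip"], e["path"]) for e in find_payload(entries, r"union\s+select")])
    print("webshell:", suspicious_webshell(entries))
```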

