Subcommands
netstat (no subcommand): Display a list of open sockets. Can be replaced by ss.
netstat -r, --route: Display the kernel routing tables. Can be replaced by ip route.
netstat -i, --interface: Display a table of all network interfaces, or the specified iface. Can be replaced by ip -s link.
netstat -s, --statistics: Display summary statistics for each protocol.
netstat -g, --groups: Display multicast group membership information for IPv4 and IPv6. Can be replaced by ip maddr.
Common options
-a, --all: Show both listening and non-listening (for TCP this means established connections) sockets. (default)
-l, --listening: Show only listening sockets.
-n, --numeric: Show numerical addresses instead of trying to determine symbolic host, port or user names.
-p, --program: Show the PID and name of the program to which each socket belongs.
-t, --tcp: Display only TCP sockets.
-u, --udp: Display only UDP sockets.
-x, --unix: Display only Unix domain sockets.
-d, --dccp: Display only DCCP sockets.
-w, --raw: Display only RAW sockets.
-c, --continuous: This will cause netstat to print the selected information every second continuously. (similar to top)
netstat -np(-anp)
netstat -tnp(-tanp)
netstat -unp(-uanp)
netstat -xnp(-xanp)
netstat -tlnp
netstat -ulnp
netstat -xlnp
Case study
Finding the attacking process
Background
One evening, one of our servers had all of its external-facing ports shut down and we received a notice from Tencent Cloud, roughly saying that our server was attacking other servers with destination port 22, which posed a policy risk. We therefore suspected that a program had been installed on this server and was being used to scan port 22 on external hosts; in other words, the server had been turned into a zombie host used to attempt SSH logins to other machines.
Finding the attacking process with netstat
# netstat -tnp | less
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 1 10.144.66.170:49774 188.210.132.143:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:57731 188.210.134.14:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:45174 188.210.133.89:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:33414 188.210.134.28:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:59292 188.210.132.139:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:50860 188.210.134.173:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:52392 188.210.132.54:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:33383 188.210.134.181:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:37178 188.210.131.223:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:55516 188.210.132.72:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:37525 188.210.131.183:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:59589 188.210.134.8:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:47897 188.210.133.113:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:35016 188.210.134.120:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:38616 188.210.133.248:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:58764 188.210.134.230:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:40900 188.210.131.192:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:42574 188.210.133.86:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:48334 188.210.133.61:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:37154 188.210.132.197:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:34191 188.210.133.170:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:55259 188.210.134.31:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:47823 188.210.132.120:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:32882 188.210.132.126:22 SYN_SENT 1420/bash
tcp 0 0 10.144.66.170:46992 188.210.99.90:22 TIME_WAIT -
tcp 0 1 10.144.66.170:39483 188.210.134.53:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:51860 188.210.135.8:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:50526 188.210.134.237:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:43818 188.210.133.56:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:48283 188.210.133.72:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:54310 188.210.132.102:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:57509 188.210.134.253:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:56765 188.210.134.176:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:59683 188.210.135.22:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:37218 188.210.131.247:22 SYN_SENT 1420/bash
tcp 0 1 10.144.66.170:37635 188.210.134.76:22 SYN_SENT 1420/bash
The system holds a large number of connections in the SYN_SENT state, all with destination port 22, which confirms our suspicion; the offending process has PID 1420.
The root cause turned out to be that a new employee had recently created a user named test with a weak password, and an attacker logged in by guessing (enumerating) that password.
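The manual triage above (scan the netstat -tnp listing for a pile of SYN_SENT rows to one port owned by one PID) can be automated. The following is an added example written for this page, not code from the original notes: a POSIX sh function that reads netstat -tnp output on stdin and reports every PID/program holding at least a threshold number of half-open connections to the same remote port. The sample listing and the threshold value are constructed for the demonstration.

```shell
#!/bin/sh
# Read `netstat -tnp` output on stdin and print "<pid/program> <remote port> <count>"
# for every process that has at least THRESHOLD sockets in SYN_SENT state towards
# the same remote port. Assumes the stock net-tools column layout:
#   Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
flag_syn_sent_scanners() {
    threshold="${1:-20}"
    awk -v min="$threshold" '
        # Ignore the two header lines and any non-TCP rows.
        $1 != "tcp" && $1 != "tcp6" { next }
        $6 == "SYN_SENT" {
            # Foreign address is host:port; take the last colon-separated field
            # so an IPv6 address with embedded colons still yields the port.
            n = split($5, parts, ":")
            key = $7 " " parts[n]
            count[key]++
        }
        END {
            for (k in count)
                if (count[k] >= min) print k, count[k]
        }' | sort
}

# Constructed sample modelled on the listing in the case study (not the real capture).
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 1 10.0.0.5:49774 192.0.2.10:22 SYN_SENT 1420/bash
tcp 0 1 10.0.0.5:57731 192.0.2.11:22 SYN_SENT 1420/bash
tcp 0 1 10.0.0.5:45174 192.0.2.12:22 SYN_SENT 1420/bash
tcp 0 1 10.0.0.5:33414 192.0.2.13:22 SYN_SENT 1420/bash
tcp 0 0 10.0.0.5:46992 192.0.2.20:22 TIME_WAIT -
tcp 0 0 10.0.0.5:51234 198.51.100.7:443 ESTABLISHED 2210/curl
tcp 0 1 10.0.0.5:51235 198.51.100.8:443 SYN_SENT 2210/curl'

# Offline demonstration: with threshold 3 only the bash process is reported.
printf '%s\n' "$SAMPLE" | flag_syn_sent_scanners 3

# Live use on a suspect host (run as root so the PID/Program column is populated):
#   netstat -tnp | flag_syn_sent_scanners 20
```

netstat -p only shows the PID/program name for sockets owned by the invoking user unless run as root, so run the triage as root; the TIME_WAIT row shows `-` because no process owns that socket any more, which is why the function only counts SYN_SENT rows.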