一、筛选异常进程
netstat -anp4|grep SYN
ps -p 7443 -o lstart //查找进程的启动时间
systemctl status 7107
拷贝proc下的exe进程文件
cp /proc/20800/exe /tmp/recovered_20800
cat /proc/$PID/exe > /tmp/t.bin
二、查找进程的源路径
**#ls -l /proc/7443/exe**
# cat /proc/7443/exe | more
**# file /proc/7443/exe**
readlink /proc/18058/exe 找到它所指向的实际文件。
三、跟踪进程的调用行为
ltrace -p 18058 ltrace 可以跟踪进程的库函数调用。
strace -p 18058 strace 可以跟踪进程的系统调用。
strace -f -p 18058
[root@VM-0-8-centos ~]# strace -p 18058``Process 18058 attached``epoll_pwait(3, {}, 1024, 792, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_ctl(3, EPOLL_CTL_DEL, 13, {0, {u32=0, u64=0}}) = 0``close(13) = 0``epoll_pwait(3, {}, 1024, 0, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``futex(0x7fd5040faa24, FUTEX_WAKE_PRIVATE, 1) = 1``futex(0x7fd505e743a4, FUTEX_WAKE_PRIVATE, 1) = 1``epoll_pwait(3, {{EPOLLIN, {u32=8, u64=8}}}, 1024, 1000, NULL) = 1``read(8, "\1\0\0\0\0\0\0\0", 1024) = 8``socket(PF_INET, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 13``setsockopt(13, SOL_TCP, TCP_NODELAY, [1], 4) = 0``setsockopt(13, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0``setsockopt(13, SOL_TCP, TCP_KEEPIDLE, [60], 4) = 0``setsockopt(13, SOL_TCP, TCP_KEEPINTVL, [1], 4) = 0``setsockopt(13, SOL_TCP, TCP_KEEPCNT, [10], 4) = 0``connect(13, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("89.223.120.251")}, 16) = -1 EINPROGRESS (Operation now in progress)``epoll_ctl(3, EPOLL_CTL_ADD, 13, {EPOLLOUT, {u32=13, u64=13}}) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_ctl(3, EPOLL_CTL_DEL, 14, {0, {u32=0, u64=0}}) = 0``close(14) = 0``epoll_pwait(3, {}, 1024, 0, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``socket(PF_INET, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 14``setsockopt(14, SOL_TCP, TCP_NODELAY, [1], 4) = 0``setsockopt(14, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0``setsockopt(14, SOL_TCP, TCP_KEEPIDLE, [60], 4) = 0``setsockopt(14, SOL_TCP, TCP_KEEPINTVL, [1], 4) = 0``setsockopt(14, SOL_TCP, TCP_KEEPCNT, [10], 4) = 0``connect(14, {sa_family=AF_INET, sin_port=htons(9090), sin_addr=inet_addr("77.232.138.109")}, 16) = -1 EINPROGRESS (Operation now in progress)``epoll_ctl(3, EPOLL_CTL_ADD, 14, {EPOLLOUT, {u32=14, u64=14}}) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_ctl(3, EPOLL_CTL_DEL, 11, {0, {u32=0, u64=0}}) = 0``close(11) = 0``epoll_ctl(3, EPOLL_CTL_DEL, 12, {0, {u32=0, u64=0}}) = 0``close(12) = 0``epoll_pwait(3, {}, 1024, 0, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``socket(PF_INET, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 11``setsockopt(11, SOL_TCP, TCP_NODELAY, [1], 4) = 0``setsockopt(11, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0``setsockopt(11, SOL_TCP, TCP_KEEPIDLE, [60], 4) = 0``setsockopt(11, SOL_TCP, TCP_KEEPINTVL, [1], 4) = 0``setsockopt(11, SOL_TCP, TCP_KEEPCNT, [10], 4) = 0``connect(11, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("5.39.79.206")}, 16) = -1 EINPROGRESS (Operation now in progress)``socket(PF_INET, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 12``setsockopt(12, SOL_TCP, TCP_NODELAY, [1], 4) = 0``setsockopt(12, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0``setsockopt(12, SOL_TCP, TCP_KEEPIDLE, [60], 4) = 0``setsockopt(12, SOL_TCP, TCP_KEEPINTVL, [1], 4) = 0``setsockopt(12, SOL_TCP, TCP_KEEPCNT, [10], 4) = 0``connect(12, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("185.178.44.144")}, 16) = -1 EINPROGRESS (Operation now in progress)``epoll_ctl(3, EPOLL_CTL_ADD, 11, {EPOLLOUT, {u32=11, u64=11}}) = 0``epoll_ctl(3, EPOLL_CTL_ADD, 12, {EPOLLOUT, {u32=12, u64=12}}) = 0``epoll_pwait(3, {}, 1024, 1000, NULL) = 0``epoll_pwait(3, ^CProcess 18058 detached` `<detached ...>``
四、内核转储分析异常进程
gcore 18058
使用 gcore 和 gdb 来创建进程的内核转储并进一步分析异常进程
gdb 可执行文件路径 core.PID
[root@VM-0-8-centos ~]# gcore 18058``/.9dd770b8258ac0f19b66 (deleted): No such file or directory.``warning: Memory read failed for corefile section, 8192 bytes at 0x38f8000.``warning: Memory read failed for corefile section, 1048576 bytes at 0x38fa000.``warning: Memory read failed for corefile section, 8192 bytes at 0x40fb000.``warning: Memory read failed for corefile section, 1048576 bytes at 0x40fd000.``warning: Memory read failed for corefile section, 8192 bytes at 0x48fe000.``warning: Memory read failed for corefile section, 1048576 bytes at 0x4900000.``warning: Memory read failed for corefile section, 8192 bytes at 0x5101000.``warning: Memory read failed for corefile section, 1048576 bytes at 0x5103000.``warning: Memory read failed for corefile section, 8192 bytes at 0x5907000.``warning: Memory read failed for corefile section, 151552 bytes at 0x5909000.``warning: Memory read failed for corefile section, 8192 bytes at 0x592e000.``warning: Memory read failed for corefile section, 122880 bytes at 0x5931000.``warning: Memory read failed for corefile section, 131072 bytes at 0x594f000.``warning: Memory read failed for corefile section, 16384 bytes at 0x596f000.``warning: Memory read failed for corefile section, 4096 bytes at 0x5973000.``warning: Memory read failed for corefile section, 4096 bytes at 0x5974000.``warning: Memory read failed for corefile section, 1048576 bytes at 0x5975000.``warning: Memory read failed for corefile section, 1048576 bytes at 0x5c60000.``warning: Memory read failed for corefile section, 630784 bytes at 0x5e60000.``warning: Memory read failed for corefile section, 4096 bytes at 0x6b2e000.``
五、auditd收集可疑进程的系统调用
cat > /etc/audit/rules.d/audit-malware.rules <<EOF
-a exit,always -F pid=18058 -F auid>=1000 -F auid!=-1 -k sus_proc
EOF
黑客&网络安全如何学习
今天只要你给我的文章点赞,我私藏的网安学习资料一样免费共享给你们,来看看有哪些东西。
1.学习路线图
攻击和防守要学的东西也不少,具体要学的东西我都写在了上面的路线图,如果你能学完它们,你去就业和接私活完全没有问题。
2.视频教程
网上虽然也有很多的学习资源,但基本上都残缺不全的,这是我自己录的网安视频教程,上面路线图的每一个知识点,我都有配套的视频讲解。
内容涵盖了网络安全法学习、网络安全运营等保测评、渗透测试基础、漏洞详解、计算机基础知识等,都是网络安全入门必知必会的学习内容。
(都打包成一块的了,不能一一展开,总共300多集)
因篇幅有限,仅展示部分资料,需要点击下方链接即可前往获取
CSDN大礼包:《黑客&网络安全入门&进阶学习资源包》免费分享
3.技术文档和电子书
技术文档也是我自己整理的,包括我参加大型网安行动、CTF和挖SRC漏洞的经验和技术要点,电子书也有200多本,由于内容的敏感性,我就不一一展示了。
因篇幅有限,仅展示部分资料,需要点击下方链接即可前往获取
CSDN大礼包:《黑客&网络安全入门&进阶学习资源包》免费分享
4.工具包、面试题和源码
“工欲善其事必先利其器”我为大家总结出了最受欢迎的几十款款黑客工具。涉及范围主要集中在 信息收集、Android黑客工具、自动化工具、网络钓鱼等,感兴趣的同学不容错过。
还有我视频里讲的案例源码和对应的工具包,需要的话也可以拿走。
因篇幅有限,仅展示部分资料,需要点击下方链接即可前往获取
CSDN大礼包:《黑客&网络安全入门&进阶学习资源包》免费分享
最后就是我这几年整理的网安方面的面试题,如果你是要找网安方面的工作,它们绝对能帮你大忙。
这些题目都是大家在面试深信服、奇安信、腾讯或者其它大厂面试时经常遇到的,如果大家有好的题目或者好的见解欢迎分享。
参考解析:深信服官网、奇安信官网、Freebuf、csdn等
内容特点:条理清晰,含图像化表示更加易懂。
内容概要:包括 内网、操作系统、协议、渗透测试、安服、漏洞、注入、XSS、CSRF、SSRF、文件上传、文件下载、文件包含、XXE、逻辑漏洞、工具、SQLmap、NMAP、BP、MSF…
因篇幅有限,仅展示部分资料,需要点击下方链接即可前往获取
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
