A Baidu Cloud link is given; download the attachment.
What you get is a disk image named ssh1.img.
Open it with AccessData FTK as before:
File -> Add Evidence Item..., choose Image File,
browse to the image path and click Finish.
We are looking for the IP address that logged in over SSH. On this system the syslog daemon writes everything, including the auth facility, to /var/log/messages,
so that is the file to inspect:
Nov 1 12:39:10 localhost auth.info sshd[3898]: Server listening on 0.0.0.0 port 22.
Nov 1 12:39:10 localhost auth.info sshd[3898]: Server listening on :: port 22.
Nov 1 12:39:10 localhost daemon.info init: starting pid 3904, tty '/dev/tty1': '/sbin/getty 38400 tty1'
Nov 1 12:39:10 localhost daemon.info init: starting pid 3905, tty '/dev/tty2': '/sbin/getty 38400 tty2'
Nov 1 12:39:10 localhost daemon.info init: starting pid 3908, tty '/dev/tty3': '/sbin/getty 38400 tty3'
Nov 1 12:39:10 localhost daemon.info init: starting pid 3911, tty '/dev/tty4': '/sbin/getty 38400 tty4'
Nov 1 12:39:10 localhost daemon.info init: starting pid 3914, tty '/dev/tty5': '/sbin/getty 38400 tty5'
Nov 1 12:39:10 localhost daemon.info init: starting pid 3917, tty '/dev/tty6': '/sbin/getty 38400 tty6'
Nov 1 12:39:15 localhost daemon.info chronyd[3841]: Selected source 203.107.6.88
Nov 1 12:39:15 localhost daemon.warn chronyd[3841]: System clock wrong by 1.947665 seconds, adjustment started
Nov 1 12:40:30 localhost daemon.info chronyd[3841]: Source 85.199.214.100 replaced with 193.228.143.13
Nov 1 12:40:31 localhost auth.info login[3921]: root login on 'tty1'
Nov 1 12:40:59 localhost auth.info sshd[3923]: Accepted password for root from 172.16.110.15 port 45466 ssh2
The last password authentication accepted by sshd came from 172.16.110.15, so that is the answer.
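Reading the file by eye works for a short excerpt, but a real /var/log/messages is long and the sshd lines are interleaved with everything else. The following is an added example, not part of the original writeup, that parses the BusyBox-style syslog format shown above (note the single space in "Nov 1": the day is not zero-padded) and pulls out every sshd authentication result, not just the accepted one, so the same code also answers "which addresses were trying and failing". The sample log embeds the relevant lines from the writeup plus one constructed "Failed password" line (not from the image) to show the failure path; on a Debian-style rsyslog host the same sshd lines would be found in /var/log/auth.log or /var/log/secure instead of messages.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Sample input: three lines taken from the writeup's /var/log/messages excerpt
# plus one CONSTRUCTED failed-login line (10.0.0.9) that is not in the image.
SAMPLE_LOG = """\
Nov 1 12:39:10 localhost auth.info sshd[3898]: Server listening on 0.0.0.0 port 22.
Nov 1 12:40:31 localhost auth.info login[3921]: root login on 'tty1'
Nov 1 12:40:45 localhost auth.info sshd[3922]: Failed password for invalid user admin from 10.0.0.9 port 51000 ssh2
Nov 1 12:40:59 localhost auth.info sshd[3923]: Accepted password for root from 172.16.110.15 port 45466 ssh2
"""

# One regex for both outcomes sshd reports on password/publickey authentication:
#   "<ts> <host> <facility> sshd[<pid>]: Accepted|Failed <method> for [invalid user] <user> from <ip> port <port> ssh2"
SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<facility>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+) port (?P<port>\d+) (?P<proto>ssh\d)$"
)


def parse_ssh_auth_events(log_text: str) -> List[Dict[str, str]]:
    """Return every sshd Accepted/Failed authentication line as a dict of fields.

    Lines that are not sshd auth results (listening notices, getty, chronyd,
    console logins) are skipped. Order of the log file is preserved.
    """
    events: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        match = SSHD_AUTH_RE.match(raw.strip())
        if match:
            events.append(match.groupdict())
    return events


def last_accepted_login(log_text: str) -> Optional[Dict[str, str]]:
    """The most recent successful SSH login, or None if there was none."""
    accepted = [e for e in parse_ssh_auth_events(log_text) if e["result"] == "Accepted"]
    return accepted[-1] if accepted else None


def attempts_by_ip(log_text: str) -> Dict[str, Dict[str, int]]:
    """Count accepted and failed sshd authentications per source address.

    Useful when triaging an image: an address with many failures followed by
    one acceptance is the first thing to look at.
    """
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"accepted": 0, "failed": 0})
    for event in parse_ssh_auth_events(log_text):
        key = "accepted" if event["result"] == "Accepted" else "failed"
        counts[event["ip"]][key] += 1
    return dict(counts)


if __name__ == "__main__":
    login = last_accepted_login(SAMPLE_LOG)
    if login is None:
        print("no successful SSH login in log")
    else:
        print(f"last SSH login: {login['user']} from {login['ip']} at {login['ts']}")
    for ip, c in attempts_by_ip(SAMPLE_LOG).items():
        print(f"{ip}: {c['accepted']} accepted, {c['failed']} failed")
```

To run it against the real file, read /var/log/messages out of the image (FTK's Export Files, or mounting the image read-only) and pass its contents to `last_accepted_login`; the regex ignores the unrelated init, getty and chronyd lines shown above.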