Linux入侵排查思路
(1)账号安全
1、用户信息文件:/etc/passwd
root:x:0:0:root:/root:/bin/bash
用户名:密码:用户ID:组ID:用户说明:家目录:登录之后使用的 shell
注意:没有设置密码的账号只允许本机登录,不允许远程登录
2、影子文件:/etc/shadow
root:$6$dIEKcGV4PJpr6kGu$jSpNY9SGXkkE3XakM4neFh24UT6G3mB0OCWV3ciTgmtntVEKFZ3Zc5BU69cLXqSBllz/JxA2YRC77xCG9A5YP/:17966:0:99999:7:::
用户名:加密密码:密码最后一次修改日期:两次密码修改之间的时间间隔:密码有效期:密码到期前的警告天数:密码过期之后的宽限天数:账号失效时间:保留
3、who:查看当前登录用户(tty本地登录,pts远程登录)
w:查看系统信息以及当前各登录用户正在执行的操作;
uptime:查看系统已运行多久、当前登录用户数和负载;
[root@redhat 桌面]# who
root tty1 2019-04-15 01:38 (:0)
root pts/0 2019-05-20 13:05 (:0.0)
root pts/3 2019-05-20 14:16 (:0.0)
root pts/10 2019-07-30 14:18 (:0.0)
[root@redhat 桌面]# w
14:22:54 up 6:43, 4 users, load average: 0.00, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 :0 15Apr19 106days 1:06 1:06 /usr/bin/Xorg :
root pts/0 :0.0 20May19 71days 0.14s 0.08s bash
root pts/3 :0.0 20May19 71days 0.39s 0.39s /bin/bash
root pts/10 :0.0 14:18 0.00s 0.42s 0.20s w
[root@redhat 桌面]# uptime
14:22:59 up 6:43, 4 users, load average: 0.00, 0.01, 0.00
4、入侵排查
1、查询特权用户(uid 为 0 的账号)
[root@redhat 桌面]# awk -F: '$3==0{print $1}' /etc/passwd
root
yaoyao
2、查询可以远程登录的账号信息(即 /etc/shadow 中已设置密码哈希、哈希以 $1 或 $6 开头的账号)
[root@redhat 桌面]# awk '/\$1|\$6/{print $1}' /etc/shadow
root:$6$dIEKcGV4PJpr6kGu$jSpNY9SGXkkE3XakM4neFh24UT6G3mB0OCWV3ciTgmtntVEKFZ3Zc5BU69cLXqSBllz/JxA2YRC77xCG9A5YP/:17966:0:99999:7:::
yaoyao2:$6$EUXxnIJY$28gZzQb8LU2FXHAy26qiJsIItl0N3Vuh0smJiGvBB8fDcWj2sAYugGNpvHziwfqXIo8UojVhr4SPEKD7ZWO.s0:17973:0:99999:7:::
tangyan:$6$e.JWZKLS$v8uDzLjYgET0cF8Y2zfdcz6f85k1aP8NY0sYPoYDRx5gaxJ1ELQGjeXKFmgIF9nK9ovRJHi/rSqUnplubMKFp/:17986:0:99999:7:::
xiaoqi:$6$f8XiLhMA$4dTZ4vGJjwKK.Zxc/UI2Ch3UnWB0Y9zdYpN2ZUtbtMdFkRVivoBm09KMX9XM