Incident Response: Linux
Incident response refers to the measures and actions taken after a major or sudden event. The incidents it deals with are not limited to failures of hardware, products, networks or configuration; they also include security incidents of all kinds, such as hacker intrusions, trojans and viruses, ransomware and web attacks.
Handling approach
When a problem is found it must be dealt with, following this principle: only act when you are 100% sure a file is malicious; report it, record it, then shut it down; when something is ambiguous, confirm with the person responsible; what you do next depends on the outcome of that communication.
Environment:
- Ubuntu 20.04.4 LTS
- XShell
**Note:** Linux distributions and versions differ; check the details against your own system.
Boot startup items
These run at boot. Production servers are rarely rebooted, but to avoid losing control of a compromised machine some trojans add a boot startup entry as a way to come back to life.
/etc/rc.local
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Ensure that the script will "exit 0" on success or any other
# value on error.
#
# To enable or disable this script, just change the execution
# bits.
#
# By default, this script does nothing.
touch /root/1.txt
/etc/rc.d/rc.local
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.
touch /var/lock/subsys/local
touch /tmp/1.txt
/etc/rc.d/init.d/
This directory holds executable scripts or binaries.
/etc/rc*.d/
rc0.d/ rc1.d/ rc2.d/ rc3.d/ rc4.d/ rc5.d/ rc6.d/ rcS.d/
systemctl list-unit-files
...
ssh.service enabled enabled
ssh@.service static enabled
sshd.service enabled enabled
sudo.service masked enabled
syslog.service enabled enabled
system-update-cleanup.service static enabled
systemd-ask-password-console.service static enabled
systemd-ask-password-plymouth.service static enabled
systemd-ask-password-wall.service static enabled
systemd-backlight@.service static enabled
...
If a malicious service is found, stop it with the commands below (using ufw.service as the example):
sudo systemctl stop ufw.service # stop the service
sudo systemctl disable ufw.service # remove it from boot startup
If you stopped the wrong one, quietly start it again to avoid embarrassment:
sudo systemctl start ufw.service # start the service
sudo systemctl enable ufw.service # add it back to boot startup
Environment variable configuration files
环境变量配置文件
/etc/profile
/etc/bashrc
/etc/bash.bashrc
~/.bashrc
~/.profile
~/.bash_profile
These files set system environment variables or start programs, and they are triggered every time someone logs in to Linux or switches user.
Figure 1: Order in which the environment files are triggered at Linux login
Switching users also triggers the environment files:
vulab@sechelper:~$ sudo su
~/.bash_logout
Triggered when logging out of an account.
vulab@sechelper:~$ exit
logout
~/.bash_logout
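As an added example (not from the original article), the script below triages the boot-time locations from the previous section (rc.local, init.d, rc*.d, systemd unit files) together with the login and logout hook files listed here, reporting entries with a recent modification time and the commands an rc.local would actually run. The path list, the 7-day window and the ROOT parameter (so it can also be pointed at a mounted disk image) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article. Triage of the boot-time and
# login-time persistence locations discussed above. ROOT defaults to "/" and
# may point at a mounted disk image or a constructed test tree.

# Print what a startup script would actually execute: every line that is not
# blank or a comment. In the rc.local samples above that is only the trailing
# "touch ..." line hidden under the stock comment header.
active_lines() {
  [ -f "$1" ] || return 0
  grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || :
}

# List startup and login-hook files under ROOT modified in the last DAYS days.
# On a production server that is "never touched", a fresh mtime on rc.local,
# an init.d script, a unit file or a profile file is a strong lead to review.
# The path list is an assumption covering the locations named in the article.
recent_startup_files() {
  local root="${1:-/}" days="${2:-7}" p
  for p in etc/rc.local etc/rc.d/rc.local etc/rc.d/init.d etc/init.d \
           etc/rc0.d etc/rc1.d etc/rc2.d etc/rc3.d etc/rc4.d etc/rc5.d \
           etc/rc6.d etc/rcS.d etc/systemd/system etc/profile etc/profile.d \
           etc/bashrc etc/bash.bashrc root/.bashrc root/.profile \
           root/.bash_profile root/.bash_logout; do
    [ -e "$root/$p" ] || continue
    # -mtime -N: modified less than N*24h ago; -L follows the rc*.d symlinks
    find -L "$root/$p" -type f -mtime "-$days" 2>/dev/null
  done | sort -u
}

# Human-readable report: recent files first, then the live commands of any
# rc.local found (the usual place for a "come back to life" hook).
report() {
  local root="${1:-/}" days="${2:-7}" f
  echo "== startup/login files modified in the last $days days (ROOT=$root) =="
  recent_startup_files "$root" "$days"
  for f in "$root/etc/rc.local" "$root/etc/rc.d/rc.local"; do
    [ -f "$f" ] || continue
    echo "== active commands in $f =="
    active_lines "$f"
  done
}

# Usage: sh triage.sh [ROOT] [DAYS]. With no arguments only the functions are
# defined, so the file can also be sourced into an interactive shell.
if [ $# -gt 0 ]; then report "$@"; fi
```

Run it as root on the live host (`sh triage.sh / 7`), or against a mounted image with its mount point as ROOT, and compare the listed files with the package manager's records before deciding anything is malicious.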
Anomalies in system resources
A process is a task Linux is currently handling; when a piece of software runs, a process is created for it.
vulab@sechelper:~$ sudo ps -efcaux # list all processes
...
www-data 97735 0.0 1.8 309560 65456 ? S Aug20 0:13 \_ php-fpm7.4
syslog 785 0.0 0.1 224492 5528 ? Ssl Aug17 0:03 rsyslogd
ntp 796 0.0 0.1 74632 4240 ? Ssl Aug17 0:13 ntpd
root 802 0.0 0.2 17176 8044 ? Ss Aug17 0:03 systemd-logind
root 816 0.0 0.2 12172 7436 ? Ss Aug17 0:04 sshd
root 126262 0.0 0.2 13920 8852 ? Ss 15:47 0:00 \_ sshd
ubuntu 126363 0.0 0.1 14052 6260 ? S 15:47 0:00 \_ sshd
ubuntu 126