应急排查
建议先清除计划任务、启动项、守护进程,再清除恶意进程,以防止恶意进程卷土重来、清理不彻底。
应急排查收集常见信息脚本
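#!/bin/bash
# Linux incident-response on-host information collection.
# Cleanup order: remove cron jobs, startup items and daemons first, then the
# malicious process itself, so it cannot be respawned.
#
# Run as root: /etc/shadow, /var/log/secure and other users' ~/.ssh are not
# readable otherwise and the corresponding sections come back empty.
#
# Trust caveat: every check below runs the host's own ps/ls/netstat/find.
# On a host with a user-land (ld.so.preload) or kernel rootkit those binaries
# may lie, so treat the output as a lead rather than proof; the busybox notes
# below exist so a separately built static toolset can be used instead.
# The script is deliberately NOT run under `set -e`: a missing log file or an
# absent tool in one section must not abort the rest of the collection.
#
# busybox install (manual steps, kept for reference). The download is plain
# http and nothing here verifies a checksum or signature -- compare the tarball
# against the project's published hash before building it for IR use.
#yum -y install wget make gcc perl glibc-static ncurses-devel libgcrypt-devel
#wget http://busybox.net/downloads/busybox-1.33.0.tar.bz2
#tar -jxvf busybox-1.33.0.tar.bz2
#cd busybox-1.33.0 && make && make install
printf '\e[31;43m 应急排查信息收集\e[0m\n'
printf '\e[31;43m 应急建议先清除计划任务、启动项、守护进程,再清除恶意进程。\e[0m\n'
uptime
#账号安全
printf '\e[31;43m 账号安全\e[0m\n'
# current logins (pts|tty); to evict a session: pkill -9 -t pts/0
printf '\e[34;47m w命令 \e[0m\n'
w
# every account whose UID is 0 -- any name other than root here is suspect
printf '\e[34;47m 特权用户 \e[0m\n'
awk -F: '$3==0{print $1}' /etc/passwd
# /etc/sudoers plus the /etc/sudoers.d drop-ins the original check skipped;
# group entries such as %wheel are matched as well
printf '\e[34;47m sudo的权限的用户 \e[0m\n'
grep -HEv '^#|^$' /etc/sudoers /etc/sudoers.d/* 2>/dev/null | grep 'ALL=(ALL)'
# authorized_keys of every account with a home directory, not only the caller's
printf '\e[34;47m 免密登陆公钥 \e[0m\n'
while IFS=: read -r user _ _ _ _ home _; do
  keys="$home/.ssh/authorized_keys"
  [ -s "$keys" ] || continue
  printf -- '--- %s (%s)\n' "$user" "$keys"
  cat -- "$keys"
done < /etc/passwd
# accounts holding a real password hash ($1$/$5$/$6$/$y$ ...); locked entries
# (!, !!, *) are skipped, which the original /\$1|\$6/ match did not do
printf '\e[34;47m 可以远程登陆的用户 \e[0m\n'
awk -F: '$2 ~ /^\$/{print $1}' /etc/shadow
# sshd logs: /var/log/secure (RHEL family) or /var/log/auth.log (Debian family)
auth_logs=(/var/log/secure /var/log/auth.log)
# successful logins: three date fields, user, source address
printf '\e[34;47m 成功登陆用户和时间 \e[0m\n'
grep -h 'Accepted ' "${auth_logs[@]}" 2>/dev/null | awk '{print $1,$2,$3,$9,$11}'
# dotted-quad IPv4 extractor shared by the failed/accepted login counts
ip_re='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
# brute-force sources, most active first
printf '\e[34;47m 存在爆破的IP \e[0m\n'
grep -h 'Failed password' "${auth_logs[@]}" 2>/dev/null | grep -Eo "$ip_re" | sort | uniq -c | sort -rn
# usernames tried by the brute force ("invalid user xxx" lines included);
# counted after sorting so uniq -c sees adjacent duplicates
printf '\e[34;47m 爆破的字典 \e[0m\n'
grep -h 'Failed password' "${auth_logs[@]}" 2>/dev/null \
  | sed -n 's/.*Failed password for\(.*\) from.*/\1/p' | sort | uniq -c | sort -rn
#查看网络链接
printf '\e[31;43m 网络情况IP \e[0m\n'
printf '\e[34;47m 查看网络链接 \e[0m\n'
# netstat is absent on many recent distributions; ss gives the equivalent listing
if command -v netstat >/dev/null 2>&1; then
  netstat -antlp
else
  ss -antp
fi
printf '\e[34;47m 主机防火墙配置 \e[0m\n'
iptables -nL 2>/dev/null
nft list ruleset 2>/dev/null
#查看用户空间的进程
printf '\e[31;43m 进程 \e[0m\n'
printf '\e[34;47m ps 命令 \e[0m\n'
# user-space processes; "[name]" entries are normally kernel threads and are dropped
ps aux | grep -v '\['
# a process that *looks* like a kernel thread but is not PID 2 (kthreadd) or one of
# its children is a classic disguise and the filter above would hide it, so list those
printf '\e[34;47m 伪装成内核线程的进程 \e[0m\n'
ps -eo pid=,ppid=,user=,cmd= | awk '$4 ~ /^\[/ && $2 != 2 && $1 != 2'
#查看开机启动
printf '\e[31;43m 启动项 \e[0m\n'
printf '\e[34;47m 查看启动项文件\e[0m\n'
runlevel
ls -l /etc/rc.d/rc3.d/ 2>/dev/null
chkconfig --list 2>/dev/null
# systemd hosts: enabled units and rc.local are the modern equivalents of the above
systemctl list-unit-files --state=enabled 2>/dev/null
ls -l /etc/rc.local /etc/rc.d/rc.local 2>/dev/null
printf '\e[34;47m 定时任务 \e[0m\n'
# 查看定时任务 -- only the caller's crontab; the per-user spool is listed below
crontab -l
#其他启动任务
printf '\e[34;47m 其他启动任务文件 \e[0m\n'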
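crontfile=("/var/spool/cron/" "/etc/crontab" "/etc/cron.d/" "/etc/cron.daily/" "/etc/cron.hourly/" "/etc/cron.monthly/" "/etc/cron.weekly/" "/etc/anacrontab" "/var/spool/anacron/")
# -la rather than bare ls: a dot-file dropped into /etc/cron.d or the spool is a
# known persistence trick and plain ls would not show it. The array is quoted so a
# path containing whitespace is not split.
for f in "${crontfile[@]}"; do
  printf '=======定时启动文件目录:%s\n' "$f"
  ls -la -- "$f" 2>/dev/null
done
# systemd timers are the other scheduler on modern hosts
systemctl list-timers --all 2>/dev/null
printf '\e[34;47m 最进修改的文件 \e[0m\n'
# 查看/etc/下最近两天的修改的文件 -- ctime rather than mtime on purpose: touch(1)
# can forge mtime but not ctime
find /etc -ctime -2 -ls 2>/dev/null
#lsof -c $file 查看是否存在有可疑文件的相关进程信息
printf '\e[31;43m 加载恶意链接库 \e[0m\n'
printf '\e[34;47m 是否存在预加载 \e[0m\n'
# 查看是否有预加载的so库文件 -- the file normally does not exist at all; any
# content is a finding
cat /etc/ld.so.preload 2>/dev/null
printf 'LD_PRELOAD=%s\n' "${LD_PRELOAD-}"
#发现可以进程后查看:
#1)ls -l /proc/$PID/exe
#2)
#校验rpm文件是否有变化
printf '\e[31;43m RPM file \e[0m\n'
printf '\e[34;47m 检查RPM file是否被改 \e[0m\n'
# rpm -Va compares installed files with the rpm database; an attacker with root can
# rewrite that database too, so a clean result is not a guarantee. debsums is the
# Debian-family equivalent.
if command -v rpm >/dev/null 2>&1; then
  rpm -Va
elif command -v debsums >/dev/null 2>&1; then
  debsums -c
fi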
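printf '\e[34;47m 5.4查看history记录 \e[0m\n'
# Shell history for root and every /home user. The noise filter is anchored to the
# first word of the line: the original unanchored `grep -vE 'ls|cat|cd|...|ps|...'`
# dropped every line merely *containing* those letters, e.g. any `curl https://...`
# (the "ps" in https) or anything mentioning "cdrom". An empty or missing history
# file is itself worth noting -- clearing it is a common anti-forensic step.
noise_re='^[[:space:]]*(ls|cat|cd|ll|ifconfig|rpm|exit|ps|top|find|ping|grep)([[:space:]]|$)'
grep -Ev "$noise_re" ~/.bash_history 2>/dev/null
for file in /home/*; do
  if [ -d "$file" ]; then
    printf '##########%s##########\n' "$file"
    grep -Ev "$noise_re" -- "$file/.bash_history" 2>/dev/null
  fi
done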
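####攻击指纹####
printf '\e[31;43m 6)攻击指纹 \e[0m\n'
# sshd logs: /var/log/secure (RHEL family) or /var/log/auth.log (Debian family)
auth_logs=(/var/log/secure /var/log/auth.log)
# dotted-quad IPv4; the dots are escaped -- the original 6.1/6.3 patterns had lost
# their backslashes and so matched any character between the octets
ip_re='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
#SSH爆破的IP
printf '\e[34;47m 6.1存在爆破的Top 20 IP \e[0m\n'
# head -n 20 to match the heading (the original printed 10)
grep -h 'Failed password' "${auth_logs[@]}" 2>/dev/null | grep -Eo "$ip_re" | sort | uniq -c | sort -rn | head -n 20
#SSH爆破字典
printf '\e[34;47m 6.2爆破的字典Top 20 \e[0m\n'
grep -h 'Failed password' "${auth_logs[@]}" 2>/dev/null \
  | sed -n 's/.*Failed password for\(.*\) from.*/\1/p' | sort | uniq -c | sort -rn | head -n 20
#登陆成功的IP
printf '\e[34;47m 6.3登陆成功的IP \e[0m\n'
grep -h 'Accepted' "${auth_logs[@]}" 2>/dev/null | grep -Eo "$ip_re" | sort | uniq -c | sort -rn | head -n 10
# 查看是否有预加载的so库文件 (this line was bare text in the original and was
# executed as a command)
printf '\e[34;47m 6.4恶意加载 \e[0m\n'
cat /etc/ld.so.preload 2>/dev/null
printf 'LD_ELF_PRELOAD=%s\n' "${LD_ELF_PRELOAD-}"
printf 'LD_PRELOAD=%s\n' "${LD_PRELOAD-}"
printf 'LD_LIBRARY_PATH=%s\n' "${LD_LIBRARY_PATH-}"
#查看系统命令文件是否被改
printf '\e[34;47m 6.5查看文件是否被替换或者修改 \e[0m\n'
# the tools this script itself relies on: `file` catches a binary swapped for a
# shell script, `stat` exposes the timestamps; cross-check with rpm -Va above
for tool in ps ls netstat ss lsof find; do
  bin=$(command -v "$tool" 2>/dev/null) || continue
  file -- "$bin"
  stat -- "$bin"
done
stat /etc/passwd /etc/shadow
printf '\e[34;47m 6.6进程存在但文件被删除 \e[0m\n'
# running programs whose file was unlinked (lsof +L1); /proc/*/exe as a fallback
if command -v lsof >/dev/null 2>&1; then
  lsof +L1
else
  ls -l /proc/[0-9]*/exe 2>/dev/null | grep '(deleted)'
fi
printf '\e[34;47m 6.7是否存在空密码登陆 \e[0m\n'
# the sshd options that matter most in a triage, uncommented lines only
awk '$1 ~ /^(PermitEmptyPasswords|PermitRootLogin|PasswordAuthentication)$/{print $1, $2}' /etc/ssh/sshd_config 2>/dev/null
# cron locations; /etc/cron* covers cron.d and the hourly/daily/weekly/monthly dirs
cron_files=(/etc/crontab /var/spool/cron /etc/cron*)
printf '\e[34;47m 6.8定时任务反链接链接 \e[0m\n'
# bash's /dev/tcp and /dev/udp pseudo-devices inside a cron entry; lines whose first
# non-blank character is a comment marker are dropped
grep -rHE '/dev/(tcp|udp)/' "${cron_files[@]}" 2>/dev/null | grep -Ev '^[^:]*:[[:space:]]*[#;]'
printf '\e[34;47m 6.9定时任务wget|curl\e[0m\n'
grep -rHE 'wget|curl' "${cron_files[@]}" 2>/dev/null | grep -Ev '^[^:]*:[[:space:]]*[#;]' | grep sh
printf '\e[34;47m 6.10检查PROMPT_COMMAND环境变量\e[0m\n'
# PROMPT_COMMAND 变量会在你执行命令前执行一遍 -- a hook here runs before every prompt,
# so profile.d drop-ins are searched as well
grep -H 'PROMPT_COMMAND' /etc/profile /etc/profile.d/*.sh /etc/bashrc /root/.bashrc /root/.bash_profile 2>/dev/null
printf 'PROMPT_COMMAND=%s\n' "${PROMPT_COMMAND-}"
printf '\e[34;47m 6.11检查超过20M的常见文件\e[0m\n'
# large archives/dumps/logs are typical staging for data theft. -prune skips the
# pseudo filesystems instead of walking and filtering them, NUL-delimited names
# survive spaces, and the extension list is an ERE (the original used `|` in a BRE,
# where it is a literal character, so that grep never matched anything).
find / \( -path /proc -o -path /sys -o -path /run -o -path /boot \) -prune -o \
  -type f -size +20M -print0 2>/dev/null \
  | xargs -0 ls -alh 2>/dev/null \
  | grep -E '\.(gif|jpeg|jpg|png|zip|tar\.gz|tgz|7z|log|xz|rar|bak|old|sql|1|txt|tar|db)$|/[[:alnum:]_]+$'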
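###隐藏进程排查
# numbered 6.12 so it no longer collides with the 6.6 heading above
printf '\e[34;47m 6.12 隐藏进程 \e[0m\n'
# PIDs that /proc lists but ps does not, or vice versa. The header-less `pid=`
# format avoids the "PID" token the original fed into diff, awk strips the
# padding so the lines compare equal, and /proc entries are limited to all-digit
# names (the original '1*[0-9]' matched any name containing a digit). Process
# substitution replaces the two predictable ps.log/proc.log files in the cwd.
# Expect some noise from processes that start or exit between the two snapshots
# (ps itself among them); a kernel rootkit hooking /proc hides from both sides.
diff <(ps -eo pid= | awk '{print $1}' | sort -n | uniq) <(ls /proc | grep -E '^[0-9]+$' | sort -n)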
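####是否存在log4j2.x漏洞,版本小于2.15的 cve-2021-44228
# numbered 6.13 so it no longer collides with the 6.7 heading above
printf '\e[34;47m 6.13 是否存在log4j漏洞 \e[0m\n'
# Reconstructed from the garbled original. Two views: jars a running process holds
# open (symlink targets under /proc/<pid>/fd) and jars merely present on disk. Both
# are filename matches only -- fixed releases are also named log4j-core-*.jar, and a
# copy bundled inside a WAR/EAR/fat jar is invisible to both -- so read the version
# from the jar name or its MANIFEST before drawing a conclusion.
result1=$(ls -la /proc/[0-9]*/fd/ 2>/dev/null | grep -E 'log4j-core')
result2=$(find / \( -path /proc -o -path /sys \) -prune -o -name 'log4j-core*.jar' -print 2>/dev/null)
printf '有进程调用:\n%s\n' "$result1"
printf '存在文件没有调用:\n%s\n' "$result2"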
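####是否存在spring mvc +小于jdk1.9漏洞cve-2022-22965
# numbered 6.14 so it no longer collides with the 6.8 heading above
printf '\e[34;47m 6.14 是否存在spring cve-2022-22965漏洞 \e[0m\n'
# Heuristic prerequisite check, reconstructed from the garbled original: for every
# java process, look at the paths it holds open (/proc/<pid>/fd) for a JDK that is
# not 1.5-1.8 and for spring jars. Both tests are name based -- a JDK installed under
# a path without "jdk" in it (e.g. java-11-openjdk) is a false negative -- and a hit
# only means the preconditions are present, not that the deployment is exploitable.
result="sec"
for pid in $(pgrep -f java); do
  [[ $pid =~ ^[0-9]+$ ]] || continue
  fds=$(ls -la "/proc/$pid/fd/" 2>/dev/null | awk '{print $NF}')
  jdk=$(printf '%s\n' "$fds" | grep 'jdk' | grep -vE '1\.5|1\.6|1\.7|1\.8' | head -n 1)
  [ -n "$jdk" ] || continue
  # the original grep pattern after 'sp' was lost in extraction; 'spring' is a broad
  # stand-in -- narrow it to the exact artifact names once the intended list is known
  spring=$(printf '%s\n' "$fds" | grep -E 'spring' | head -n 1)
  [ -n "$spring" ] || continue
  path="spring=${spring}_jdk=${jdk}"
  result="${result}_${path}"
  printf 'result_%s\n' "$result"
  # version of the JVM this process actually runs, not whichever java is first in PATH
  "/proc/$pid/exe" -version 2>&1
done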
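####是否存在struts2漏洞 CVE-2021-31805 影响版本2.0.0 to 2.5.29
# numbered 6.15 so it no longer collides with the 6.9 heading above
printf '\e[34;47m 6.15 是否存在struts2漏洞 CVE-2021-31805 影响版本2.0.0 to 2.5.29 \e[0m\n'
# Name match only: the version in the jar name decides, and copies inside a WAR/EAR
# are not seen by find. The pattern is quoted so the shell does not expand it
# against the current directory first.
find / \( -path /proc -o -path /sys \) -prune -o -name 'struts2-core*' -print 2>/dev/null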
执行结果eg: