linux主机应急排查

一、菜单打印

read -p "Press any key to continue." var

echo -e "\033[34m[-]主机信息：\033[0m"
# 当前用户
echo -e "USER:\t\t" $(whoami) 2>/dev/null
# 版本信息
echo -e "OS Version:\t"`cat /etc/redhat-release`
# 主机名
echo -e "Hostname: \t" $(hostname -s)
# uptime
echo -e "uptime: \t" $(uptime | awk -F ',' '{print $1}')
printf "\n"

二、CPU占用率

echo -e "\033[34m[-]CPU使用率：\033[0m"
grep "cpu[0-9]" /proc/stat|awk '{total=$2+$3+$4+$5+$6+$7+$8;free=$5;print $1,"Free",free/total*100"%","Used " (total-free)/total*100"%"}'
printf "\n"

三、CPU占用TOP 10

cpu=$(ps aux | grep -v ^'USER' | sort -rn -k3 | head -10) 2>/dev/null
echo -e "\033[34m[-]CPU TOP 10：\033[0m\n${cpu}\n"

四、内存占用

echo -e "\033[34m[-]内存占用：\033[0m"
free -m
printf "\n"

五、内存占用TOP 10

cpu=$(ps aux | grep -v ^'USER' | sort -rn -k3 | head -10) 2>/dev/null
#echo -e "\e[00;31m[*]内存占用 TOP10:  \e[00m\n${cpu}\n"
echo -e "\033[34m[-]内存占用 TOP 10：\033[0m\n${cpu}\n"

六、查看passwd下的用户，是否存在可疑用户

echo -e "\033[34m[-]/etc/passwd:\033[0m" #blue
grep -nvi "nologin" /etc/passwd

七、显示可远程登录的用户

echo -e "\033[34m[-]可远程登录用户：\033[0m"
awk -F: '/\$1|\$6/{print $1}' /etc/shadow

八、查看有无特权用户，并将其删除

echo -e "\033[34m[-]特权用户：\033[0m"
awk -F: '$3==0{print $1}' /etc/passwd

九、 删除可疑特权用户，将/home下的用户一块删掉

while :
do
        read -p "请输入要删除的用户名: " user
        if [ $user == "root" ]; then
                break
        else
                del=`userdel -r $user`
                echo "Del $user succefssful!!"
        fi
done

十，显示处于连接状态的端口号和响应的进程

port=`netstat -antlp` # port=`netstat -antlp | grep -ni "ESTABLISHED"`
echo -e "\033[34m[-]连接端口状态:：\033[0m"
echo -e "$port"

十一、for循环用于获取各个pid对应的进程

for a in {1..10}
do
        read -p "please input PID $a [if PID==0, break!]: "  PID
        if [ $PID -eq 0 ];
        then
                break
        else
                exe=`ls -l /proc/$PID/exe`
                ps=`ps aux | grep $PID|grep -v grep`
                echo -e "$PID\033[34m 对应进程文件路径 ->  $exe\033[0m" #blue
                echo -e "$PID\033[34m 对应进程为 ->  $ps\033[0m" #blue
        fi
        read -p "是否要杀掉此进程?[1/0]" result
        if [ $result -eq 1 ]; then
                `kill $PID`
                echo "$PID 删除成功！"
        else
                echo "$PID 删除失败！"
        fi
done
printf "\n"

十二、查看历史命令，并显示异常操作

shell=`cat ~/.bash_history | grep -e "chmod" -e "rm" -e "wget" -e "ssh" -e "tar" -e "zip" -e "scp"`
echo -e "\033[34m[-]历史命令:：\033[0m"
echo -e "$shell"
printf "\n"

十三、增强型历史命令记录

echo -e "\033[34m[-]是否添加增强型历史命令记录？[1/0]\033[0m"
read r
if [ $r -eq 0 ]; then
        echo "未添加增强型命令记录！"
else

        cat>>/tmp/666.txt<<EOF
USER_IP=\`who -u am i 2>/dev/null | awk -F"[()]"  '{print $2}'\`
if [ "\$USER_IP" = "" ]
then
USER_IP=\`hostname\`
fi
export HISTTIMEFORMAT="%F %T $USER_IP \`whoami\` "
shopt -s histappend
export PROMPT_COMMAND="history -a"
EOF
echo "/etc/profile写入成功！"
printf "\n"

source /etc/profile
echo "/etc/profile已生效！"
printf "\n"
fi

十四、用户自定义启动项

echo -e "\033[34m[-]用户自定义启动项：\033[0m"
chkconfig=`systemctl list-unit-files|grep -E "enabled"|awk '{print $1}'`
if [ -n "$chkconfig" ];then
	(echo "[*]用户自定义启动项:" && echo "$chkconfig")
else
	echo "[!]未发现用户自定义启动项"
fi
printf "\n"

十五、可能存在的危险启动项

echo -e "\033[34m[-]危险启动项：\033[0m"
dangerstarup=$(systemctl list-unit-files|egrep -E "enabled"|awk -F"." '/sh|per|py/{print $1}')
if [ -n "$dangerstarup" ];then
	echo "[!]发现危险启动项:" && echo "$dangerstarup"
else
	echo "[*]未发现危险启动项"
fi
printf "\n"

十六、系统定时任务

echo -e "\033[34m[-]系统定时任务：\033[0m"
syscrontab=$(crontab -l|grep -v "^#")
if [ -n "$syscrontab" ];then
	echo "[!]发现存在系统定时任务:" && more /etc/crontab 
else
	echo "[*]未发现系统定时任务"
fi
printf "\n"

十七、可疑定时任务

echo -e "\033[34m[-]可疑定时任务：\033[0m"
dangersyscron=$(egrep "((chmod|useradd|groupadd|chattr)|((wget|curl)*\.(sh|pl|py)$))"  /etc/cron*/* /var/spool/cron/*)
if [ $? -eq 0 ];then
	(echo "[!]发现可疑定时任务：" && echo "$dangersyscron")
else
	echo "[*]未发现可疑系统定时任务"
fi
printf "\n"

十八、查看日志配置

echo -e "\033[34m[-]日志配置：\033[0m"
logconf=$(more /etc/rsyslog.conf | egrep -v "#|^$")
if [ -n "$logconf" ];then
	(echo "[*]日志配置如下:" && echo "$logconf")
else
	echo "[!]未发现日志配置文件"
fi
printf "\n"

十九、检查日志是否被清除

echo -e "\033[34m[-]查看日志是否被清除：\033[0m"
logs=$(ls -l /var/log/)
if [ -n "$logs" ];then
	echo "[*]日志文件存在"
else
	echo "[!]日志文件不存在,可能被清除！"
fi
printf "\n"

二十、secure日志分析

echo -e "\033[34m[-]secure日志分析-登录成功情况：\033[0m"
loginsuccess=$(more /var/log/secure* | grep "Accepted password" | awk '{print $1,$2,$3,$9,$11}')
if [ -n "$loginsuccess" ];then
	(echo "[*]日志中分析到以下用户成功登录:" && echo "$loginsuccess") 
	(echo "[*]登录成功的IP及次数如下：" && grep "Accepted " /var/log/secure* | awk '{print $11}' | sort -nr | uniq -c ) 
	(echo "[*]登录成功的用户及次数如下:" && grep "Accepted" /var/log/secure* | awk '{print $9}' | sort -nr | uniq -c ) 
else
	echo "[*]日志中未发现成功登录的情况"
fi
printf "\n"

echo -e "\033[34m[-]secure日志分析-登录失败情况：\033[0m"
loginfailed=$(more /var/log/secure* | grep "Failed password" | awk '{print $1,$2,$3,$9,$11}')
if [ -n "$loginfailed" ];then
	(echo "[!]日志中发现以下登录失败的情况:" && echo "$loginfailed") |  tee -a $danger_file 
	(echo "[!]登录失败的IP及次数如下:" && grep "Failed password" /var/log/secure* | awk '{print $11}' | sort -nr | uniq -c) 
	(echo "[!]登录失败的用户及次数如下:" && grep "Failed password" /var/log/secure* | awk '{print $9}' | sort -nr | uniq -c) 
else
	echo "[*]日志中未发现登录失败的情况"
fi
printf "\n"

echo -e "\033[34m[-]secure日志分析-本机登录情况：\033[0m"
systemlogin=$(more /var/log/secure* | grep -E "sshd:session.*session opened" | awk '{print $1,$2,$3,$11}')
if [ -n "$systemlogin" ];then
	(echo "[*]本机登录情况:" && echo "$systemlogin")
	(echo "[*]本机登录账号及次数如下:" && more /var/log/secure* | grep -E "sshd:session.*session opened" | awk '{print $11}' | sort -nr | uniq -c)
else
	echo "[!]未发现在本机登录退出情况！"
fi
printf "\n"

echo -e "\033[34m[-]secure日志分析-新增用户情况：\033[0m"
newusers=$(more /var/log/secure* | grep "new user"  | awk -F '[=,]' '{print $1,$2}' | awk '{print $1,$2,$3,$9}')
if [ -n "$newusers" ];then
	(echo "[!]日志中发现新增用户:" && echo "$newusers")
	(echo "[*]新增用户账号及次数如下:" && more /var/log/secure* | grep "new user" | awk '{print $8}' | awk -F '[=,]' '{print $2}' | sort | uniq -c)
else
	echo "[*]日志中未发现新增加用户"
fi
printf "\n"

二十一、message日志分析

echo -e "\033[34m[-]message日志分析-文件传输情况：\033[0m"
zmodem=$(more /var/log/message* | grep "ZMODEM:.*BPS")
if [ -n "$zmodem" ];then
	(echo "[!]传输文件情况:" && echo "$zmodem")
else
	echo "[*]日志中未发现传输文件"
fi
printf "\n"

echo -e "\033[34m[-]cron日志分析-定时下载：\033[0m"
cron_download=$(more /var/log/cron* | grep "wget|curl")
if [ -n "$cron_download" ];then
	(echo "[!]定时下载情况:" && echo "$cron_download")
else
	echo "[*]未发现定时下载情况"
fi
printf "\n"

echo -e "\033[34m[-]cron日志分析-定时执行脚本：\033[0m"
cron_shell=$(more /var/log/cron* | grep -E "\.py$|\.sh$|\.pl$") 
if [ -n "$cron_shell" ];then
	(echo "[!]发现定时执行脚本:" && echo "$cron_download")
else
	echo "[*]未发现定时下载脚本"
fi
printf "\n"

二十二、btmp日志分析

echo -e "\033[34m[-]btmp日志分析-错误登录日志分析：\033[0m"
lastb=$(lastb)
if [ -n "$lastb" ];then
	(echo "[！]错误登录日志如下:" && echo "$lastb")
else
	echo "[*]未发现错误登录日志"
fi
printf "\n"

# lastlog日志分析
echo -e "\033[34m[-]lastlog日志分析-最后一次登录：\033[0m"
lastlog=$(lastlog)
if [ -n "$lastlog" ];then
	(echo "[！]所有用户最后一次登录日志如下:" && echo "$lastlog")
else
	echo "[*]未发现所有用户最后一次登录日志"
fi
printf "\n"

二十三、 wtmp日志分析

echo -e "\033[34m[-]wtmp日志分析-用户登录分析：\033[0m"
lasts=$(last | grep pts | grep -vw :0)
if [ -n "$lasts" ];then
	(echo "[！]历史上登录到本机的用户如下:" && echo "$lasts")
else
	echo "[*]未发现历史上登录到本机的用户信息"
fi
printf "\n"

二十四、文件排查

echo -e "\033[34m[-]文件排查：\033[0m"
#敏感文件
echo -e "\033[34m[-]敏感文件列表：\033[0m"
find / ! -path "/lib/modules*" ! -path "/usr/src*" ! -path "/snap*" ! -path "/usr/include/*" -regextype posix-extended -regex '.*sqlmap|.*msfconsole|.*\bncat|.*\bnmap|.*nikto|.*ettercap|.*backdoor|.*tunnel\.(php|jsp|asp|py)|.*\bnc|.*socks.(php|jsp|asp|py)|.*proxy.(php|jsp|asp|py)|.*brook.*|.*frps|.*frpc'
printf "\n"
echo -e "\033[34m[-]新增特权文件列表：\033[0m"
echo -e "
[1]: php
[2]: jsp
[3]: asp
"
echo "请根据编号选择语言[if input == 0; break]:"
read language
if [ $language -eq 1 ]; then
	php=`find / -mtime 0 -name "*.php"`
	php1=`find / -name *.php -perm 777`
	echo -e "$php"
	echo -e "777 = $php1"
elif [ $language -eq 2 ]; then
	jsp=`find / -mtime 0 -name "*.jsp"`
	jsp1=`find / -name *.jsp -perm 777`
	echo -e "$jsp"
	echo -e "777 = $jsp1"
elif [ $language -eq 3 ]; then
	asp=`find / -mtime 0 -name "*.asp"`
	asp1=`find / -name *.asp -perm 777`
	echo -e "$asp"
	echo -e "777 = $asp1"
else
	echo "未匹配语言！"
fi
printf "\n"

二十五、查看指定目录下文件的时间排序[从新到旧]

echo -e "\033[34m[-]查看指定目录下文件的时间排序[从新到旧]：\033[0m"
#ls -alt | head -n 10
for x in {1..10}
do
	echo -e "\033[34m[-]请输入目录名称[if input == 0; break]：\033[0m"
	read directory 
	# if [ `echo $directory | awk -v tem=0 '{print($1>tem)? "1":"0"}'` == "0" ];then
	if [ $directory == "0" ]; then
		break
	else
		directory1=`ls $directory -alt | head -n 30`
		echo -e "$directory1"
	fi
done
printf "\n"

二十六、查看异常文件的创建修改等的时间

echo -e "\033[34m[-]查看异常文件的创建修改等的时间：\033[0m"
for y in {1..10}
do
	echo -e "\033[34m[-]请输入文件的绝对路径[if input == 0; break]：\033[0m"
	read file
	if [ $file == "0" ]; then
		break
	else
		files=`stat $file`
		echo -e "$files"
	fi
done

echo -e "\033[34m[+]检查结束！\033[0m"