更多了解(https://blog.sechelper.com/2022/08/26/emergency-response/README/#more)
应急响应指遇到重大或突发事件后所采取的措施和行动。应急响应所处置的突发事件不仅仅包括硬件、产品、网络、配置等方面的故障,也包括各类安全事件,如:黑客攻击、木马病毒、勒索病毒、Web攻击等。
处置手段
发现问题要处置,遵循原则:百分百确认是非法文件,报备记录关停,摸棱两可找负责人确认,处置看沟通结果
环境信息:
Ubuntu 20.04.4 LTS
XShell
*注意:linux版本之间有差异,具体以自己的系统版本为准
开机启动项
伴随开机启动,一般生产服务器很少重启,但是为防止被控机器失联部分木马会添加开机启动项作为复活手段。
/etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Ensure that the script will "exit 0" on success or any other
# value on error.
#
# To enable or disable this script, just change the execution
# bits.
#
# By default, this script does nothing.
touch /root/1.txt
/etc/rc.d/rc.local
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.
touch /var/lock/subsys/local
touch /tmp/1.txt
/etc/rc.d/init.d/
这个目录下面放了可执行脚本或文件
/etc/rc*.d/
rc0.d/ rc1.d/ rc2.d/ rc3.d/ rc4.d/ rc5.d/ rc6.d/ rcS.d/
systemctl list-unit-files
...
ssh.service enabled enabled
ssh@.service static enabled
sshd.service enabled enabled
sudo.service masked enabled
syslog.service enabled enabled
system-update-cleanup.service static enabled
systemd-ask-password-console.service static enabled
systemd-ask-password-plymouth.service static enabled
systemd-ask-password-wall.service static enabled
systemd-backlight@.service static enabled
...
发现恶意服务,使用下面命令关停(以关闭ufw.service服务作为实例):
sudo systemctl stop ufw.service # 停止服务
sudo systemctl disable ufw.service # 删除开启启动
关错了,避免尴尬偷偷启动服务
sudo systemctl start ufw.service # 启动服务
sudo systemctl enable ufw.service # 添加开启启动
环境变量配置文件
/etc/profile
/etc/bashrc
/etc/bash.bashrc
~/.bashrc
~/.profile
~/.bash_profile
这些文件用于设置系环境变量或启动程序,每次Linux登入或切换用户都会触发这些文件。
Linux登入环境环境变量触发顺序
切换用户时也会触发环境变量文件
vulab@sechelper:~$ sudo su
~/.bash_logout
登出账户时触发。
vulab@sechelper:~$ exit
logout
~/.bash_logout
各项资源异常进程是Linux当前正在处理的任务,当运行某个软件时将为其创建一个进程。
vulab@sechelper:~$ sudo ps -efcaux # 查看所有进程
...
www-data 97735 0.0 1.8 309560 65456 ? S Aug20 0:13 \_ php-fpm7.4
syslog 785 0.0 0.1 224492 5528 ? Ssl Aug17 0:03 rsyslogd
ntp 796 0.0 0.1 74632 4240 ? Ssl Aug17 0:13 ntpd
root 802 0.0 0.2 17176 8044 ? Ss Aug17 0:03 systemd-logind
root 816 0.0 0.2 12172 7436 ? Ss Aug17 0:04 sshd
root 126262 0.0 0.2 13920 8852 ? Ss 15:47 0:00 \_ sshd
ubuntu 126363 0.0 0.1 14052 6260 ? S 15:47 0:00 \_ sshd
ubuntu 126364 0.0 0.1 8276 5216 pts/0 Ss 15:47 0:00 \_ bash
root 130670 0.0 0.1 9404 4752 pts/0 S 18:59 0:00 \_ sudo
root 130671 0.0 0.1 8260 4252 pts/0 S 18:59 0:00 \_ su
root 130672 0.0 0.1 7236 4056 pts/0 S 18:59 0:00 \_ bash
...
查找进程文件位置
vulab@sechelper:~$ sudo lsof -p 948 # 查看pid为948的进程详细信息
COMMAND PID USER FD TYPE DEVICE S