作者:点提土八撇又254 | 来源:互联网 | 2023-09-25 20:14
根据大佬的Linux入侵排查文章,链接如下:
https://bypass007.github.io/Emergency-Response-Notes/Summary/%E7%AC%AC2%E7%AF%87%EF%BC%9ALinux%E5%85%A5%E4%BE%B5%E6%8E%92%E6%9F%A5.html
编写的简易python脚本(Python 2 语法;脚本会读取 /etc/shadow、/etc/sudoers、/var/log/secure 等文件,需要以 root 权限运行):
# coding=utf-8
import os
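info = '''usermod -L user 禁用帐号,帐号无法登录,/etc/shadow第二栏为!开头
userdel user 删除user用户
userdel -r user 将删除user用户,并且将/home目录下的user目录一并删除'''
# Accounts with UID 0. Anything besides "root" here is a classic backdoor
# (a second UID-0 user is indistinguishable from root to the kernel).
min1 = "awk -F: '$3==0{print $1}' /etc/passwd"
# Accounts whose shadow field holds a usable password hash, i.e. accounts that
# can authenticate with a password. Raw string: the backslashes must reach awk
# unchanged. Matches $1$ (MD5), $2*$ (bcrypt), $5$ (SHA-256), $6$ (SHA-512),
# $7$ (scrypt) and $y$/$gy$ (yescrypt); matching only $1/$6 misses accounts on
# distributions that default to SHA-256 or yescrypt. Hashes prefixed with "!"
# (locked, cf. usermod -L above) are deliberately excluded. Key-based SSH
# logins (authorized_keys) are not covered by this check.
min2 = r"awk -F: '$2 ~ /^\$(1|2[abxy]?|5|6|7|y|gy)\$/{print $1}' /etc/shadow"
# sudo grants: non-comment, non-empty lines giving ALL=(ALL) or ALL=(ALL:ALL),
# for users as well as %groups, in the main file and in /etc/sudoers.d/.
# Both locations are mode 0440, so this needs root. Raw string keeps the
# grep escapes intact.
min3 = r'cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | grep -v "^#\|^$" | grep -E "ALL ?= ?\(ALL(:ALL)?\)"'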
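def getinfo(min):
    """Run *min* through the shell and return everything it wrote to stdout.

    The string is executed by ``os.popen`` (``/bin/sh -c``), so only fixed,
    trusted command strings belong here. Never interpolate data read from the
    host under examination (process names, file names, log lines) into
    ``min``: on a compromised box a hostile artifact would then control the
    shell. stderr is not captured. The parameter name shadows the builtin
    ``min`` but is kept for compatibility with existing callers.
    """
    # The context manager closes the pipe so the child is reaped instead of
    # being left to garbage collection.
    with os.popen(min) as pipe:
        return pipe.read()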
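# Single-argument print(...) prints identically under Python 2 and 3.
print("处置手段:")
print(info)
print("============================================================")
print("入侵排查 第一步账号安全 ing------")
# Two columns: label, then the command output with its trailing newline cut.
display_format = '%-30s %-20s'
print(display_format % ("特权用户:", getinfo(min1).rstrip("\n")))
print(display_format % ("可远程登录:", getinfo(min2).rstrip("\n")))
print(display_format % ("sudo权限用户:", getinfo(min3).rstrip("\n")))
print("============================================================")
print("入侵排查 第二步历史命令 ing------")
# Step 2 is manual. Note that an intruder may have truncated .bash_history or
# pointed it at /dev/null; an empty or symlinked history file is itself a
# finding worth recording.
print("root的历史命令: history")
print('''进入用户目录下
cat .bash_history >> history.txt''')
print("============================================================")
print("入侵排查 第三步检查异常端口 ing------")
# All TCP sockets (listening and established) with owning PID/program.
# Needs root to see other users' PIDs (netstat prints "-" otherwise) and
# net-tools installed. The step-3 loop parses this exact netstat layout, so
# do not substitute ss here. "| more" was dropped: in a pipe it is a plain cat.
min4 = "netstat -antlp"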
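def getdir(min):
    """Run *min* through the shell and return its stdout as a list of lines.

    Same contract and caveats as getinfo(): the string goes to ``/bin/sh -c``,
    so pass only fixed, trusted command strings. Each line keeps its trailing
    newline. Returns [] when the command printed nothing (e.g. the tool is not
    installed). stderr is not captured.
    """
    # Close the pipe explicitly so the child process is reaped.
    with os.popen(min) as pipe:
        return pipe.readlines()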
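pidinfo = getdir(min4)
# pidinfo[0] is netstat's "Active Internet connections" banner, pidinfo[1] the
# column header; every later line is one socket. An empty list means netstat
# is missing or failed, which used to raise IndexError here.
listening_pids = []
if len(pidinfo) > 1:
    print("%s dir" % pidinfo[1].rstrip("\n"))
    for sock in pidinfo[2:]:
        sock = sock.rstrip("\n")
        # The last column is "PID/Program name"; the PID is the token before "/".
        pid = sock.split("/")[0].split(" ")[-1]
        # netstat prints "-" when the owner is unknown (not root, or a kernel
        # socket). Only a pure integer may be used to build the path below,
        # because getinfo() hands the string to the shell.
        if not pid.isdigit():
            print(sock)
            continue
        listening_pids.append(pid)
        # /proc/<pid>/exe points at the real binary; a "(deleted)" suffix means
        # the file was removed after start, a common sign of a dropped implant.
        print("%s %s" % (sock, getinfo("ls -l /proc/%s/exe" % pid).rstrip("\n")))
else:
    print("netstat produced no output (not installed or not permitted)")
print("============================================================")
print("入侵排查 第四步检查异常进程 ing------")
# Show the processes owning the sockets found above. A literal
# "ps aux | grep pid" only matches the grep process itself, so the PIDs are
# substituted here; they were validated as digits above, so joining them into
# the command line is shell-safe. Without any PIDs fall back to a full listing.
if listening_pids:
    unique_pids = sorted(set(listening_pids), key=int)
    min5 = "ps -o pid,ppid,user,lstart,etime,cmd -p %s" % ",".join(unique_pids)
else:
    min5 = "ps aux"
print(getinfo(min5).rstrip("\n"))
print("============================================================")
print("入侵排查 第五步检查开机启动项 ing------")
# Boot-time hooks: rc.local, the SysV rc[0-6].d link farms (RHEL and Debian
# layouts) and enabled systemd services. The commands are separated by ";"
# and the glob is [0-6]: "rc[0~6].d" followed by "ls -l" on one line made
# more(1) treat "ls" and "-l" as file names.
min6 = ("cat /etc/rc.local 2>/dev/null; "
        "ls -l /etc/rc.d/rc[0-6].d/ /etc/rc[0-6].d/ 2>/dev/null; "
        "systemctl list-unit-files --type=service --state=enabled 2>/dev/null")
print(getinfo(min6).rstrip("\n"))
print("============================================================")
print("入侵排查 第六步检查定时任务 ing------")
# Cron is reviewed by hand. /var/spool/cron/crontabs/ is the Debian location
# of per-user crontabs; cron.weekly needs the "*" like the other directories.
print('''请使用以下命令:
more /var/spool/cron/*
more /var/spool/cron/crontabs/*
more /etc/crontab
more /etc/cron.d/*
more /etc/cron.daily/*
more /etc/cron.hourly/*
more /etc/cron.monthly/*
more /etc/cron.weekly/*
more /etc/anacrontab
more /var/spool/anacron/*''')
print("============================================================")
print("入侵排查 第七步检查服务 ing------")
# The quoted bracket pattern keeps the grep process itself out of the result
# (its command line contains "[c]rond", which the pattern does not match) and
# stops the shell from glob-expanding it.
min7 = "ps aux | grep '[c]rond'"
# chkconfig only knows SysV services; systemd hosts need systemctl as well.
min8 = ("chkconfig --list 2>/dev/null; "
        "systemctl list-unit-files --type=service --state=enabled 2>/dev/null")
print(display_format % ("查看当前服务:", getinfo(min7).rstrip("\n")))
print(display_format % ("服务自启动状态:", getinfo(min8).rstrip("\n")))
print("============================================================")
print("入侵排查 检查异常文件 and 检查系统日志 Please do manual work")
print("Thanks !")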
上面脚本的结果如下:
部分检查日志的脚本:
# coding=utf-8
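import os


def getinfo(min):
    """Run *min* through the shell and return everything it wrote to stdout.

    The string is executed by ``os.popen`` (``/bin/sh -c``), so only fixed,
    trusted command strings belong here; never build ``min`` from data read
    off the host being examined (log lines, file names, process names), or a
    hostile artifact on a compromised box controls the shell. stderr is not
    captured. The parameter name shadows the builtin ``min`` but is kept for
    compatibility with existing callers.
    """
    # Close the pipe explicitly so the child process is reaped.
    with os.popen(min) as pipe:
        return pipe.read()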
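# All five pipelines read sshd entries from /var/log/secure (RHEL/CentOS with
# rsyslog). Debian/Ubuntu write the same lines to /var/log/auth.log and
# journald-only hosts need "journalctl -u sshd"; rotated files (secure-*) are
# not included. Reading the log needs root. Raw strings keep the awk/grep/perl
# backslashes intact; the HTML-escaped quotes of the scraped copy are restored.
# "| more" was dropped: in a pipe it is a plain cat.

# Failed root logins grouped by source IP. Field 11 is the IP in
# "<date> <host> sshd[pid]: Failed password for root from <ip> port <n> ssh2".
min1 = r"""grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr"""
# Every source IP of any failed password attempt, with counts. uniq -c only
# merges adjacent duplicates, so the IPs must be sorted first or the counts
# are wrong whenever an attacker's attempts are interleaved with another's.
min2 = r"""grep "Failed password" /var/log/secure|grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"|sort|uniq -c|sort -nr"""
# User names tried during the brute force (" root", " invalid user admin", ...),
# again sorted before counting.
min3 = r"""grep "Failed password" /var/log/secure|perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}'|sort|uniq -c|sort -nr"""
# Successful logins grouped by source IP ($11), and as date/user/IP rows ($9 is
# the user for both "Accepted password" and "Accepted publickey" lines).
min4 = r"""grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr"""
min5 = r"""grep "Accepted " /var/log/secure | awk '{print $1,$2,$3,$9,$11}'"""
# Two columns: label, then the command output.
display_format = '%-30s %-20s'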
# Each check is a (label, pipeline) pair printed as two columns; the trailing
# newline of the command output is cut off. Single-argument print(...) prints
# identically under Python 2 and 3.
checks = (
    ("多少IP在爆破主机的root帐号:", min1),
    ("定位有哪些IP在爆破:", min2),
    ("爆破用户名字典是:", min3),
    ("登录成功的IP有:", min4),
    ("登录成功的日期、用户名、IP:", min5),
)
for label, pipeline in checks:
    print(display_format % (label, getinfo(pipeline)[:-1]))
结果如下: