Common commands for Linux incident response
-
Screen for brute-force attempts: grep -c "Failed password" /var/log/secure (the file is /var/log/auth.log on Debian/Ubuntu; a count in the hundreds or thousands in a short window is a password-guessing campaign)
-
Locate the attacking IPs: grep "Failed password" /var/log/secure | grep -Eo "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | sort | uniq -c | sort -nr (the dots must be escaped, otherwise they match any character; uniq -c only merges adjacent duplicates, so sort first)
-
Screen for IPs that have logged in successfully: grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more ($11 is the field after "from" in the default syslog layout; verify the column on your system, since a different rsyslog template or journald export shifts it)
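The three log checks above, as an added example that is not part of the original cheat-sheet: instead of a fixed column it takes the IP as the field after "from", counts failures and successes per IP, and joins the two to surface a brute-force attempt that ended in a successful login. The log lines are constructed samples, and the field layout is the one assumed in the comments; point the functions at the real /var/log/secure or /var/log/auth.log on a host.

```shell
#!/usr/bin/env bash
# Added example, not part of the original cheat-sheet: summarise sshd authentication
# events in a /var/log/secure (or /var/log/auth.log) style file, per source IP.
# Assumptions: sshd lines read "Failed password for [invalid user] <u> from <ip> ..."
# or "Accepted <method> for <u> from <ip> ..."; the IP is taken as the field after
# "from", which survives column shifts that break a fixed awk '{print $11}'.

# Constructed sample log lines for an offline run (not real data).
make_sample_log() {
    cat > "$1" <<'EOF'
Jan  5 03:12:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jan  5 03:12:03 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 50123 ssh2
Jan  5 03:12:05 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Jan  5 03:12:09 web01 sshd[2207]: Failed password for oracle from 198.51.100.23 port 41022 ssh2
Jan  5 03:14:40 web01 sshd[2211]: Accepted password for root from 203.0.113.7 port 50130 ssh2
Jan 15 09:01:13 web01 sshd[3105]: Accepted publickey for deploy from 192.0.2.10 port 60011 ssh2: RSA SHA256:abc
Jan 15 09:05:00 web01 sshd[3110]: Failed password for root from 198.51.100.23 port 41023 ssh2
EOF
}

# Print the field that follows the word "from" on every line matching the regex in $2.
ip_after_from() {
    awk -v pat="$2" '$0 ~ pat { for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' "$1"
}

# Failed password attempts per IP, most frequent first: "<count> <ip>".
failed_by_ip() {
    ip_after_from "$1" 'sshd.*Failed password' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Successful logins per IP and user: "<count> <ip> <user>".
accepted_by_ip() {
    awk '/sshd.*Accepted / {
            for (i = 1; i < NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            print ip, user
        }' "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# IPs with at least THRESHOLD (default 3) failures that also have an "Accepted":
# the brute force that worked, which is the login to investigate first.
brute_force_then_success() {
    awk -v t="${2:-3}" '
        /sshd.*Failed password/ { for (i = 1; i < NF; i++) if ($i == "from") failed[$(i + 1)]++ }
        /sshd.*Accepted /       { for (i = 1; i < NF; i++) if ($i == "from") ok[$(i + 1)] = 1 }
        END { for (ip in failed) if (failed[ip] >= t && (ip in ok)) print ip }
    ' "$1" | sort
}

# Usage: ./ssh_auth_summary.sh /var/log/secure
if [ "$#" -gt 0 ]; then
    echo "== failed password attempts per IP ==";  failed_by_ip "$1"
    echo "== accepted logins per IP and user ==";  accepted_by_ip "$1"
    echo "== >=3 failures followed by success =="; brute_force_then_success "$1" 3
fi
```

On the sample data 203.0.113.7 fails three times and then gets an Accepted, so it is the only IP that brute_force_then_success reports; 198.51.100.23 only fails and 192.0.2.10 only succeeds. The same functions run unchanged on a live log because the "from" lookup does not depend on the syslog timestamp or hostname widths.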
-
Check for privileged users (UID 0; any account other than root is suspicious): awk -F: '$3==0{print $1}' /etc/passwd
-
Check which accounts have a password set and can therefore log in with one: awk -F: '$2 ~ /^\$/ {print $1}' /etc/shadow (requires root; a second field beginning with $ is a hash such as $1$, $5$, $6$ or $y$, while !, * or !! mark a locked account or one with no password)
-
Check whether other accounts have sudo rights: grep -Ev '^[[:space:]]*(#|$)' /etc/sudoers /etc/sudoers.d/* | grep 'ALL=(ALL' (use -E, since | is a literal character in basic grep; /etc/sudoers.d is where extra grants are usually dropped)
-
Check command history: history (current shell only); also read each user's file directly: cat /root/.bash_history /home/*/.bash_history. An emptied history, or .bash_history symlinked to /dev/null, is itself a sign of tampering.
-
Analyse suspicious ports, IPs and PIDs: netstat -antlp | more (or ss -antlp on systems without net-tools)
-
Locate a suspicious process: ps aux | grep <pid>, or ps -p <pid> -o pid,ppid,user,lstart,cmd to see its parent and start time as well
-
Locate the executable behind a PID: ls -l /proc/$PID/exe or file /proc/$PID/exe ($PID is the process ID). A link target ending in "(deleted)" means the binary was removed from disk after it was started; copy it out with cp /proc/$PID/exe to an evidence directory before the process exits, and read /proc/$PID/cwd and /proc/$PID/cmdline at the same time.
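The /proc inspection above, as an added example that is not part of the original cheat-sheet: it applies the same readlink on /proc/<pid>/exe to every process and reports the two findings that matter most in a compromise, a deleted executable and one running from /tmp, /var/tmp or /dev/shm. The /proc path is a parameter so the functions can be exercised against a constructed tree; on a live host leave it at the default.

```shell
#!/usr/bin/env bash
# Added example, not part of the original cheat-sheet: inspect every PID through /proc
# and flag executables that have been deleted (the kernel appends " (deleted)" to the
# link target) or that run from a world-writable scratch directory.
# PROC defaults to /proc; it is a parameter so the code can be tested on a fake tree.

# Resolve one PID. Prints "<pid> <state> <target> <cmdline>" with state ok, deleted or tmpdir.
# Returns 1 when the exe link cannot be read (kernel threads, or a process of another user
# when not running as root).
inspect_pid() {
    local pid=$1 proc=${2:-/proc} target state cmd=""
    target=$(readlink "$proc/$pid/exe" 2>/dev/null) || return 1
    # /proc/<pid>/cmdline is NUL-separated; turn the separators into spaces.
    if [ -r "$proc/$pid/cmdline" ]; then
        cmd=$(tr '\0' ' ' < "$proc/$pid/cmdline")
    fi
    case $target in
        *' (deleted)')                state=deleted ;;
        /tmp/*|/var/tmp/*|/dev/shm/*) state=tmpdir ;;
        *)                            state=ok ;;
    esac
    printf '%s %s %s %s\n' "$pid" "$state" "$target" "${cmd% }"
}

# Walk every numeric directory under PROC and print only the processes that are not "ok".
suspicious_processes() {
    local proc=${1:-/proc} d pid
    for d in "$proc"/[0-9]*; do
        pid=${d##*/}
        inspect_pid "$pid" "$proc" | awk '$2 != "ok"'
    done
}

# Usage: sudo ./proc_sweep.sh            (reads the live /proc)
if [ "$#" -gt 0 ] || [ -d /proc/1 ]; then
    [ "$#" -gt 0 ] && proc_root=$1 || proc_root=/proc
    suspicious_processes "$proc_root"
fi
```

Run it as root so that every /proc/<pid>/exe is readable; unreadable entries are silently skipped, which on an unprivileged run hides exactly the processes an attacker's root-level implant would own.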
-
Check startup items: cat /etc/rc.local; ls -l /etc/rc.d/rc[0-6].d/ (for example ls -l /etc/rc.d/rc3.d/). On systemd hosts also review /etc/systemd/system/ and systemctl list-unit-files --state=enabled.
-
Check scheduled tasks (read every file below, not just the current user's crontab -l):
/var/spool/cron/*
/etc/crontab
/etc/cron.d/*
/etc/cron.daily/*
/etc/cron.hourly/*
/etc/cron.monthly/*
/etc/cron.weekly/*
/etc/anacrontab
/var/spool/anacron/*
/var/spool/cron/crontabs/* (user crontabs on Debian/Ubuntu)
systemctl list-timers --all (systemd timers, which replace cron on many hosts)
-
Check for anomalous files: find /opt -type f -mtime -1 (files modified in the last 24 hours; -iname "*" matches everything and adds nothing, and -atime 1 would match only files accessed between 24 and 48 hours ago). Because mtime is trivially forged with touch, also run find /opt -type f -ctime -1: the inode change time cannot be set directly from user space.
-
Check services enabled at boot: chkconfig --list (SysV init); systemctl list-unit-files --type=service --state=enabled (systemd)