Common commands and methods for checking whether a Linux server has been compromised
<p><strong>1. Use the last command to review who has logged in to the server.</strong> Every entry should map to a known person and a known source address; note the root login through the web console (Cockpit, the 9090/tcp listener seen in steps 5 and 12) and the pts/2 sessions from 192.168.1.102 below. last reads /var/log/wtmp, which an attacker with root can truncate or edit, so treat a clean or suspiciously short list as unconfirmed and cross-check it against the SSH logs in step 9 (lastb shows failed logins from /var/log/btmp).</p><div class="cnblogs_Highlighter">
<pre class="brush:bash;gutter:true;"># last
rusking  pts/2        192.168.1.102    Sun Aug 23 18:38   still logged in
rusking  pts/2        192.168.1.102    Sun Aug 23 18:08 - 18:14  (00:05)
rusking  pts/2        192.168.1.102    Sun Aug 23 18:05 - 18:07  (00:01)
rusking  pts/2        192.168.1.102    Sun Aug 23 17:38 - 17:58  (00:19)
rusking  pts/2        192.168.1.102    Sun Aug 23 16:41 - 17:38  (00:56)
rusking  pts/1        192.168.1.82     Sun Aug 23 16:33   still logged in
root     web console                   Sun Aug 23 15:03 - 15:18  (00:15)
rusking  pts/0        192.168.1.82     Sun Aug 23 14:49   still logged in
root     tty1                          Sun Aug 23 14:49   still logged in
reboot   system boot  4.18.0-193.14.2. Sun Aug 23 14:48   still running
rusking  pts/0        192.168.1.82     Sat Aug 15 09:07 - 18:30  (2+09:22)
rusking  tty1                          Sat Aug 15 09:07 - crash  (8+05:40)
reboot   system boot  4.18.0-193.14.2. Sat Aug 15 09:06   still running</pre>
</div>
<p><strong>2. Use the who command to see who is currently logged in.</strong> who -a also shows the login time, idle time, PID of the session leader and the source address; w adds what each session is running right now.</p>
<div class="cnblogs_Highlighter">
<pre class="brush:bash;gutter:true;"># who -a
           system boot  2020-08-23 14:48
root     + tty1         2020-08-23 14:49  03:59          2059
rusking  + pts/0        2020-08-23 14:49  00:51          3193 (192.168.1.82)
           web console  2020-08-23 15:18                 9190 id=919  term=0 exit=0
rusking  + pts/1        2020-08-23 16:33   .             3193 (192.168.1.82)
rusking  + pts/2        2020-08-23 18:38  00:10         96080 (192.168.1.102)
#
</pre>
</div>
<p><strong>3. Check the command history.</strong><br># tail -n 200 ~/.bash_history | more   # the current account's commands; -n 200 shows the most recent 200 entries.<br>bash writes the history file only when the shell exits, and the user can clear or disable it (history -c, unset HISTFILE, HISTSIZE=0, or linking ~/.bash_history to /dev/null), so an empty or oddly short history is a finding in itself, not a clean result. Timestamps are recorded only if HISTTIMEFORMAT was set; without it, the order of entries is all you get.</p>
<p># tail -n 200 /home/rusking/.bash_history | more   # the command history of user rusking; replace rusking with any other user name. Check /root/.bash_history as well, and every home directory listed in /etc/passwd, not only the accounts you expect to be active.</p>
<p><strong>4. List files modified in the last 2 days</strong><br># find /etc /var -mtime -2<br>-mtime can be forged with touch, so also run find /etc /var -ctime -2: the inode change time moves on every write, chmod, chown or rename and cannot be set with touch. A file with a recent ctime but an old mtime has been backdated. On CentOS/RHEL, rpm -Va lists package-owned files whose size, checksum or permissions no longer match the RPM database, which catches replaced binaries regardless of what their timestamps say.</p>
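<p>The following is an added example, not code from the original post. It shows why find -mtime alone can be fooled and how -ctime catches a backdated file. demo_timestomp builds a constructed throwaway directory under mktemp; on a live host call the functions with real paths, for example backdated_files 2 /etc /var. The file names recent.conf and backdoor.cron are invented for the demo.</p>

```bash
# Added example (not code from the original post). Shows why "find -mtime" alone
# can be fooled and how ctime catches a backdated file. demo_timestomp builds a
# constructed throwaway directory under mktemp; on a live host call the functions
# with real paths, e.g.  backdated_files 2 /etc /var

# Files under the given directories whose mtime is within the last N days.
recent_mtime() {
    days="$1"; shift
    find "$@" -type f -mtime "-$days" 2>/dev/null | LC_ALL=C sort
    return 0
}

# Files whose inode change time (ctime) is within the last N days. ctime moves on
# every write, chmod, chown or rename and, unlike mtime, cannot be set with touch.
recent_ctime() {
    days="$1"; shift
    find "$@" -type f -ctime "-$days" 2>/dev/null | LC_ALL=C sort
    return 0
}

# Timestomping indicator: ctime within N days but mtime older than N days.
# A genuinely old file has an old ctime as well, so this combination means the
# file was created or modified recently and its mtime was then set back.
backdated_files() {
    days="$1"; shift
    find "$@" -type f -mtime "+$days" -ctime "-$days" 2>/dev/null | LC_ALL=C sort
    return 0
}

# Constructed demo (not real system files): one freshly written file and one
# dropped file whose mtime is forged back to 2020-01-01. Prints the basenames
# that backdated_files reports, then removes the directory.
demo_timestomp() {
    d=$(mktemp -d)
    printf 'legit change\n' > "$d/recent.conf"
    printf '* * * * * root /tmp/.x\n' > "$d/backdoor.cron"
    touch -t 202001010000 "$d/backdoor.cron"     # forge mtime; ctime still says "now"
    backdated_files 2 "$d" | sed "s|^$d/||"
    rm -rf "$d"
}

demo_timestomp    # prints: backdoor.cron  (recent_mtime 2 alone would have missed it)
```

<p>The same trick does not work the other way round: an attacker cannot push ctime back without root access to the raw device or the system clock, which is why a ctime sweep is the cheaper first pass and rpm -Va the confirmation.</p>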
<p><strong>5. Use netstat to list listening ports and connections.</strong><br># netstat -aplunt is the usual invocation; pay attention to the LISTEN and ESTABLISHED rows and to the PID/Program name column: every listener should belong to a service you can account for. net-tools is not installed by default on newer systems; ss -tunap shows the same information.</p>
<div class="cnblogs_Highlighter">
<pre class="brush:bash;gutter:true;"># netstat -aplunt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9090 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 1972/systemd-resolv
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 2400/dnsmasq
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1415/cupsd
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN 1414/sshd
tcp 0 248 192.168.1.101:8888 192.168.1.82:54949 ESTABLISHED 3193/sshd: rusking
tcp 0 0 192.168.1.101:8888 192.168.1.102:53426 ESTABLISHED 96080/sshd: rusking
udp 0 0 0.0.0.0:45742 0.0.0.0:* 1029/avahi-daemon:
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1029/avahi-daemon:
udp 0 0 0.0.0.0:5355 0.0.0.0:* 1972/systemd-resolv
udp 0 0 192.168.122.1:53 0.0.0.0:* 2400/dnsmasq
udp 0 0 127.0.0.53:53 0.0.0.0:* 1972/systemd-resolv
udp 0 0 0.0.0.0:67 0.0.0.0:* 2400/dnsmasq
udp 0 0 0.0.0.0:111 0.0.0.0:* 1/systemd
</pre>
</div>
<p><strong>6. Use lsof to list open files and sockets.</strong> lsof -i resolves port numbers to /etc/services names (8888 appears as ddi-tcp-1 below, 9090 as websm, 5355 as hostmon); add -nP to keep raw addresses and ports. lsof -p pid shows everything one process has open, including the executable it was started from (the txt line), which is how you spot a daemon running from /tmp or from a file that has since been deleted.</p>
<p><strong># lsof -i</strong></p>
<p><strong># lsof -p pid</strong></p>
<div class="cnblogs_Highlighter">
<pre class="brush:bash;gutter:true;"># lsof -i
COMMAND     PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd       1            root   42u  IPv4  18941      0t0  TCP *:sunrpc (LISTEN)
systemd       1            root   43u  IPv4  18942      0t0  UDP *:sunrpc
systemd       1            root   51u  IPv4  22690      0t0  TCP *:websm (LISTEN)
rpcbind     960             rpc    4u  IPv4  18941      0t0  TCP *:sunrpc (LISTEN)
rpcbind     960             rpc    5u  IPv4  18942      0t0  UDP *:sunrpc
avahi-dae  1029           avahi   15u  IPv4  25088      0t0  UDP *:mdns
avahi-dae  1029           avahi   16u  IPv4  25099      0t0  UDP *:45742
sshd       1414            root    5u  IPv4  27123      0t0  TCP *:ddi-tcp-1 (LISTEN)
cupsd      1415            root   10u  IPv4  27305      0t0  TCP localhost:ipp (LISTEN)
systemd-r  1972 systemd-resolve   12u  IPv4  29589      0t0  UDP *:hostmon
systemd-r  1972 systemd-resolve   13u  IPv4  29590      0t0  TCP *:hostmon (LISTEN)
systemd-r  1972 systemd-resolve   16u  IPv4  29593      0t0  UDP 127.0.0.53:domain
dnsmasq    2400         dnsmasq    3u  IPv4  32237      0t0  UDP *:bootps
dnsmasq    2400         dnsmasq    5u  IPv4  32240      0t0  UDP centos8.test.com:domain
dnsmasq    2400         dnsmasq    6u  IPv4  32241      0t0  TCP centos8.test.com:domain (LISTEN)
sshd       3193            root    5u  IPv4  34113      0t0  TCP centos8.test.com:ddi-tcp-1->UltraPower:54949 (ESTABLISHED)
sshd       3210         rusking    5u  IPv4  34113      0t0  TCP centos8.test.com:ddi-tcp-1->UltraPower:54949 (ESTABLISHED)
sshd      96080            root    5u  IPv4 252937      0t0  TCP centos8.test.com:ddi-tcp-1->192.168.1.102:53426 (ESTABLISHED)
sshd      96083         rusking    5u  IPv4 252937      0t0  TCP centos8.test.com:ddi-tcp-1->192.168.1.102:53426 (ESTABLISHED)
# lsof -p 96083
COMMAND   PID    USER  FD   TYPE DEVICE SIZE/OFF     NODE NAME
sshd    96083 rusking cwd    DIR  253,0      265      128 /
sshd    96083 rusking rtd    DIR  253,0      265      128 /
sshd    96083 rusking txt    REG  253,0  1228192  3786429 /usr/sbin/sshd
sshd    96083 rusking mem    REG  253,0   906648   640148 /usr/lib64/libnss_systemd.so.2
sshd    96083 rusking mem    REG  253,0 10406312 34621674 /var/lib/sss/mc/initgroups
......
</pre>
</div>
<p><strong>7. Use ps to list the running processes.</strong></p>
<p><strong># ps aux</strong> (procps accepts ps -aux, as typed below, only by guessing what the dash was meant to be; ps aux is the BSD form this output format belongs to). ps -ef adds the parent PID, which matters when a shell turns out to have been spawned by a web server or another network service rather than by sshd. Below, each SSH session shows the expected pair: a root-owned sshd process and a per-user sshd child that owns the pty.</p>
<div class="cnblogs_Highlighter">
<pre class="brush:bash;gutter:true;"># ps -aux | grep rusking
root       3193  0.0  0.3 161180 10768 ?        Ss   14:49   0:00 sshd: rusking
rusking    3197  0.0  0.3  93812  9400 ?        Ss   14:49   0:00 /usr/lib/systemd/systemd --user
rusking    3199  0.0  0.1 251456  3760 ?        S    14:49   0:00 (sd-pam)
rusking    3208  0.0  0.3 300224  9324 ?        Ssl  14:49   0:00 /usr/bin/pulseaudio --daemonize=no
rusking    3210  0.0  0.2 161180  6084 ?        S    14:49   0:01 sshd: rusking@pts/0,pts/1
rusking    3211  0.0  0.1  24696  5432 pts/0    Ss   14:49   0:00 -bash
rusking    3266  0.0  0.1  74292  4480 ?        Ss   14:49   0:00 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
rusking   46209  0.0  0.1  24696  5220 pts/1    Ss   16:33   0:00 -bash
root      96080  0.0  0.3 161180 10760 ?        Ss   18:38   0:00 sshd: rusking
rusking   96083  0.0  0.1 161180  5352 ?        S    18:38   0:00 sshd: rusking@pts/2
rusking   96084  0.0  0.1  24712  5336 pts/2    Ss+  18:38   0:00 -bash
root     102735  0.0  0.0  12108  1072 pts/1    S+   18:55   0:00 grep --color=auto rusking
</pre>
</div>
<p><strong>8. Use top or htop to see which processes consume CPU and memory.</strong></p>
<p>Look for processes with unusually high CPU or memory use (cryptominers are the common case), and for names that imitate a kernel thread or system daemon but run from an unexpected path: ls -l /proc/PID/exe shows the real binary, and a trailing (deleted) means it was removed from disk after launch.</p>
<div class="cnblogs_Highlighter">
<pre class="brush:bash;gutter:true;"># top
top - 18:56:58 up  4:08,  4 users,  load average: 0.00, 0.00, 0.00
Tasks: 145 total,   1 running, 144 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.2 us,  0.3 sy,  0.0 ni, 99.2 id,  0.0 wa,  0.2 hi,  0.2 si,  0.0 st
MiB Mem :   2834.8 total,   1845.2 free,    301.6 used,    688.0 buff/cache
MiB Swap:   3072.0 total,   3072.0 free,      0.0 used.   2356.1 avail Mem

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
 103380 root      20   0   64536   4452   3768 R   0.3   0.2   0:00.01 top
      1 root      20   0  177912  11676   8100 S   0.0   0.4   0:11.04 systemd
      2 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kthreadd
      3 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_gp
      4 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_par_gp
      6 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kworker/0:0H-kblockd
      8 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 mm_percpu_wq
      9 root      20   0       0      0      0 S   0.0   0.0   0:00.25 ksoftirqd/0
     10 root      20   0       0      0      0 I   0.0   0.0   0:01.49 rcu_sched
     11 root      rt   0       0      0      0 S   0.0   0.0   0:00.03 migration/0
     12 root      rt   0       0      0      0 S   0.0   0.0   0:00.01 watchdog/0
     13 root      20   0       0      0      0 S   0.0   0.0   0:00.00 cpuhp/0
     14 root      20   0       0      0      0 S   0.0   0.0   0:00.00 cpuhp/1
     15 root      rt   0       0      0      0 S   0.0   0.0   0:00.01 watchdog/1
     16 root      rt   0       0      0      0 S   0.0   0.0   0:00.04 migration/1
     17 root      20   0       0      0      0 S   0.0   0.0   0:00.15 ksoftirqd/1
     19 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kworker/1:0H-kblockd
...
</pre>
</div>
<p><strong>9. Check the SSH login logs.</strong><br>On CentOS/RHEL, check the secure and audit logs:<br>/var/log/secure<br>keywords: "Accepted password" for successful password logins, "Accepted publickey" for key-based ones, "Failed password" and "Invalid user" for attempts</p>
<p>/var/log/audit/audit.log<br>keywords: type=USER_AUTH (authentication attempts) and type=USER_LOGIN (login outcomes, with res=success or res=failed)</p>
<p>Other distributions (Debian, Ubuntu) log to /var/log/auth.log. On systemd hosts, journalctl -u sshd covers the same events.</p>
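<p>The following is an added example, not code from the original post. It summarises sshd authentication events from /var/log/secure-style lines: every successful login with its method, source addresses with repeated failures, and successful logins from addresses outside a list of known admin hosts. SAMPLE_SECURE is constructed sample data modelled on the hosts in this post (the 203.0.113.x and 198.51.100.x addresses are documentation ranges, and the key fingerprint is a placeholder); on a real system feed the functions the live file, e.g. accepted_logins &lt; /var/log/secure or journalctl -u sshd | failed_by_ip 5.</p>

```bash
# Added example, not from the original post: summarise sshd authentication events
# from /var/log/secure-style lines. SAMPLE_SECURE is constructed sample data that
# mirrors the page's hosts; on a real system feed the functions the live file,
# e.g.  accepted_logins < /var/log/secure   or   journalctl -u sshd | failed_by_ip 5

SAMPLE_SECURE='Aug 23 14:49:01 centos8 sshd[3193]: Accepted password for rusking from 192.168.1.82 port 54949 ssh2
Aug 23 16:33:10 centos8 sshd[46200]: Accepted publickey for rusking from 192.168.1.82 port 55120 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Aug 23 18:30:01 centos8 sshd[95000]: Failed password for root from 203.0.113.5 port 40001 ssh2
Aug 23 18:30:02 centos8 sshd[95001]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Aug 23 18:30:03 centos8 sshd[95002]: Failed password for root from 203.0.113.5 port 40003 ssh2
Aug 23 18:38:00 centos8 sshd[96080]: Accepted password for rusking from 192.168.1.102 port 53426 ssh2
Aug 23 18:40:00 centos8 sshd[97000]: Failed password for root from 198.51.100.9 port 2222 ssh2'

# Every successful login as "<method> <user> <source ip>". Matching only
# "Accepted password" misses key-based logins, so match "Accepted" and keep the method.
accepted_logins() {
    awk '$5 ~ /^sshd\[/ && $6 == "Accepted" {
            for (i = 7; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            print $7, user, ip
        }'
}

# Source IPs with at least N failed password attempts (brute-force / spray candidates).
# "invalid user" lines shift the fields, so the source IP is located by the "from" token.
failed_by_ip() {
    awk -v thresh="$1" '$5 ~ /^sshd\[/ && $6 == "Failed" && $7 == "password" {
            for (i = 8; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= thresh) print fails[ip], ip }' | sort -rn
}

# Successful logins from addresses not in the space-separated allowlist of
# known admin hosts: the "who logged in from somewhere new" question.
accepted_outside_allowlist() {
    accepted_logins | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($3 in ok)'
}

printf '%s\n' "$SAMPLE_SECURE" | failed_by_ip 2                              # 3 203.0.113.5
printf '%s\n' "$SAMPLE_SECURE" | accepted_outside_allowlist "192.168.1.82"   # password rusking 192.168.1.102
```

<p>Run against the real log, the last function is the one that answers the question behind this whole checklist: the 192.168.1.102 session visible in last, who and netstat above is confirmed or explained by whether its address is one an administrator recognises.</p>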
<p><strong>10. Look for unexpected files in the world-writable scratch directories.</strong><br># ls -la /tmp/<br># ls -la /dev/shm<br># ls -la /var/tmp<br>Use -la so dotfiles show. Executables, ELF binaries and directories whose names mimic legitimate ones are the usual droppings in these locations; anything executable here deserves a look, since nothing legitimate normally needs to run out of /dev/shm.</p>
<p><strong>11. Check the cron configuration for unexpected jobs.</strong></p>
<p># crontab -l   (shows the calling user's table only; use crontab -l -u USER for each account, or read the spool files in /var/spool/cron/ directly)<br># cat /etc/crontab<br># ls -la /etc/cron*   Check every one of the following directories and files for unexpected entries and for changes to their contents:<br>cron.d/ cron.daily/ cron.deny cron.hourly/ cron.monthly/ crontab cron.weekly/<br>Also list systemd timers with systemctl list-timers --all; on a systemd host they schedule work just as cron does and are easy to overlook.</p>
<p><strong>12. Use nmap to see which ports are open.</strong><br># nmap localhost   Note any port that should not be open, and compare the list with step 5: a port nmap reports open but netstat or ss shows no listener for points to a hidden process. nmap scans only the 1000 most common ports by default (use -p- for all 65535), and scanning localhost only shows what is reachable on loopback; scan the server from another host to see what is actually exposed on the network.</p>
<div class="cnblogs_Highlighter">
<pre class="brush:bash;gutter:true;"># nmap localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-23 19:00 +04
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000080s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 996 closed ports
PORT     STATE SERVICE
111/tcp  open  rpcbind
631/tcp  open  ipp
8888/tcp open  sun-answerbook
9090/tcp open  zeus-admin
Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds
</pre>
</div>
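<p>The following is an added example, not code from the original post. It cross-checks step 5 against step 12: ports nmap sees open that netstat shows no LISTEN socket for, and listeners netstat shows that the scan did not reach. Both inputs are constructed samples modelled on this post's output, with one extra nmap line (4444/tcp) planted to show the discrepancy; on a live host save the real outputs and pass the two files, e.g. netstat -plunt &gt; ns.txt; nmap -p- localhost &gt; nm.txt; hidden_listeners ns.txt nm.txt.</p>

```bash
# Added example, not from the original post: cross-check step 5 (netstat) against
# step 12 (nmap). Both inputs are constructed samples modelled on the page's
# output, with one extra nmap entry (4444/tcp) planted to show the discrepancy.
# On a live host:  netstat -plunt > ns.txt; nmap -p- localhost > nm.txt; hidden_listeners ns.txt nm.txt

NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9090            0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      1972/systemd-resolv
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      2400/dnsmasq
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1415/cupsd
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      1414/sshd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1029/avahi-daemon:'

NMAP_SAMPLE='Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000080s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
111/tcp  open  rpcbind
631/tcp  open  ipp
4444/tcp open  krb524
8888/tcp open  sun-answerbook
9090/tcp open  zeus-admin
Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds'

# TCP ports with a LISTEN socket in netstat -plunt style output (file argument).
netstat_listen_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { sub(/.*:/, "", $4); print $4 }' "$1" | LC_ALL=C sort -u
}

# TCP ports nmap reports open in its normal output (file argument).
nmap_open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }' "$1" | LC_ALL=C sort -u
}

# Ports reachable through the network stack that no visible process is listening on.
# A userland rootkit that hides sockets from netstat/ss cannot hide them from a
# scan, so anything printed here deserves a look with lsof and ss as root.
hidden_listeners() {
    a=$(mktemp); b=$(mktemp)
    netstat_listen_ports "$1" > "$a"
    nmap_open_ports "$2" > "$b"
    LC_ALL=C comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# The opposite direction: listeners nmap did not report, usually because they are
# bound to a non-loopback address (192.168.122.1:53 here) or lie outside nmap's
# default port list (5355 here); rerun with -p- and against the interface address.
unscanned_listeners() {
    a=$(mktemp); b=$(mktemp)
    netstat_listen_ports "$1" > "$a"
    nmap_open_ports "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Writes the constructed samples to temp files and prints the hidden ports.
demo_port_check() {
    ns=$(mktemp); nm=$(mktemp)
    printf '%s\n' "$NETSTAT_SAMPLE" > "$ns"
    printf '%s\n' "$NMAP_SAMPLE" > "$nm"
    hidden_listeners "$ns" "$nm"
    rm -f "$ns" "$nm"
}

demo_port_check    # prints: 4444
```

<p>Because both lists are compared as sorted text, the same two functions work unchanged on ss -tlnp output once netstat_listen_ports is adapted to its column order; the point is the diff between what the kernel answers on the wire and what the process table admits to.</p>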
</div>
<div id="MySignature" role="contentinfo">
*******VICTORY LOVES PREPARATION*******<br><br>
Source: https://www.cnblogs.com/rusking/p/13551299.html