netstat

Subcommands

  1. netstat: with no subcommand; can be replaced by ss;
    Display a list of open sockets.

  2. netstat -r: --route, can be replaced by ip route;
    Display the kernel routing tables.

  3. netstat -i: --interface, can be replaced by ip -s link;
    Display a table of all network interfaces, or the specified iface.

  4. netstat -s: --statistics
    Display summary statistics for each protocol.

  5. netstat -g: --groups, can be replaced by ip maddr;
    Display multicast group membership information for IPv4 and IPv6.

Common options

-a, --all: Show both listening and non-listening (for TCP this means established connections) sockets. (default)
-l, --listening: Show only listening sockets.

-n, --numeric: Show numerical addresses instead of trying to determine symbolic host, port or user names.

-p, --program: Show the PID and name of the program to which each socket belongs.

-t, --tcp: Display only TCP sockets.
-u, --udp: Display only UDP sockets.
-x, --unix: Display only Unix domain sockets.
-d, --dccp: Display only DCCP sockets.
-w, --raw: Display only RAW sockets.

-c, --continuous: This will cause netstat to print the selected information every second continuously. (similar to top)

netstat -np(-anp)

netstat -tnp(-tanp)
netstat -unp(-uanp)
netstat -xnp(-xanp)

netstat -tlnp
netstat -ulnp
netstat -xlnp

Case study

Finding the attacking process

  • Background
    One evening, one of our servers had all of its outbound ports closed and we received a notice from Tencent Cloud saying, roughly, that our server was attacking other servers with destination port 22, which carried policy risk. We therefore concluded that a program had been installed on this server and was being used to scan port 22 on external hosts, i.e. the server had been turned into a zombie used to attempt SSH logins to other servers.

  • Using netstat to find the attacking process

# netstat -tnp | less 
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      1 10.144.66.170:49774     188.210.132.143:22      SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:57731     188.210.134.14:22       SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:45174     188.210.133.89:22       SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:33414     188.210.134.28:22       SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:59292     188.210.132.139:22      SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:50860     188.210.134.173:22      SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:52392     188.210.132.54:22       SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:33383     188.210.134.181:22      SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:37178     188.210.131.223:22      SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:55516     188.210.132.72:22       SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:37525     188.210.131.183:22      SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:59589     188.210.134.8:22        SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:47897     188.210.133.113:22      SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:35016     188.210.134.120:22      SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:38616     188.210.133.248:22      SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:58764     188.210.134.230:22      SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:40900     188.210.131.192:22      SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:42574     188.210.133.86:22       SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:48334     188.210.133.61:22       SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:37154     188.210.132.197:22      SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:34191     188.210.133.170:22      SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:55259     188.210.134.31:22       SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:47823     188.210.132.120:22      SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:32882     188.210.132.126:22      SYN_SENT    1420/bash           
tcp        0      0 10.144.66.170:46992     188.210.99.90:22        TIME_WAIT   -                   
tcp        0      1 10.144.66.170:39483     188.210.134.53:22       SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:51860     188.210.135.8:22        SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:50526     188.210.134.237:22      SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:43818     188.210.133.56:22       SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:48283     188.210.133.72:22       SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:54310     188.210.132.102:22      SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:57509     188.210.134.253:22      SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:56765     188.210.134.176:22      SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:59683     188.210.135.22:22       SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:37218     188.210.131.247:22      SYN_SENT    1420/bash           
tcp        0      1 10.144.66.170:37635     188.210.134.76:22       SYN_SENT    1420/bash 

The system had a large number of connections in the SYN_SENT state, all with destination port 22, which confirmed our guess; the process had PID 1420.
The root cause was that a new employee had recently created a user named test with a weak password, and an attacker had logged in by brute-forcing it.
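The pattern above (one process holding many SYN_SENT connections to the same destination port) can be detected automatically. The script below is an added example, not part of the original post: it parses `netstat -tnp` output from stdin, groups outgoing SYN_SENT connections by PID/program and destination port, and flags any group at or above a threshold. The sample output, addresses and PIDs in it are constructed, not the post's real dump.

```shell
#!/bin/sh
# Constructed sample in the format of `netstat -tnp` (not the real dump from the post).
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 10.0.0.5:49774          203.0.113.10:22         SYN_SENT    1420/bash
tcp        0      1 10.0.0.5:57731          203.0.113.11:22         SYN_SENT    1420/bash
tcp        0      1 10.0.0.5:45174          203.0.113.12:22         SYN_SENT    1420/bash
tcp        0      0 10.0.0.5:46992          203.0.113.90:22         TIME_WAIT   -
tcp        0      0 10.0.0.5:51234          198.51.100.7:443        ESTABLISHED 2201/curl
'

# syn_sent_by_pid: read `netstat -tnp` output on stdin and print one line
# "<count> <pid/program> <dport>" per (process, destination port) group of
# connections stuck in SYN_SENT. Fields: $5 is the foreign address, $6 the
# state, $7 the PID/Program name column. The port is taken as the last
# colon-separated part of the foreign address, so IPv6 addresses work too.
syn_sent_by_pid() {
    awk '$1 == "tcp" && $6 == "SYN_SENT" {
            n = split($5, f, ":"); dport = f[n]
            c[$7 " " dport]++
        }
        END { for (k in c) print c[k], k }'
}

# flag_scanners THRESHOLD: print only groups with at least THRESHOLD half-open
# connections, largest first. A single process with dozens of SYN_SENT entries
# to port 22 on many hosts is the signature seen in the incident above.
flag_scanners() {
    syn_sent_by_pid | awk -v t="$1" '$1 >= t { print }' | sort -rn
}
```

On a live host run `netstat -tnp | flag_scanners 20` as root, since without root the PID/Program name column is blank for sockets owned by other users and the grouping degrades to "-".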
