Linux入侵排查腳本

根據大佬的Linux入侵排查文章,鏈接如下:

https://bypass007.github.io/Emergency-Response-Notes/Summary/%E7%AC%AC2%E7%AF%87%EF%BC%9ALinux%E5%85%A5%E4%BE%B5%E6%8E%92%E6%9F%A5.html

編寫的簡易python腳本:
 

# coding=utf-8
import os
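# Remediation hints printed before the checks (account lock / delete commands).
info = '''usermod -L user    禁用帳號,帳號無法登錄,/etc/shadow第二欄爲!開頭
userdel user       刪除user用戶
userdel -r user    將刪除user用戶,並且將/home目錄下的user目錄一併刪除'''
# Step 1 commands.  All three are fixed strings handed to the shell by getinfo().
# Login names whose UID field ($3) is 0 — every entry here should be expected.
min1 = r"awk -F: '$3==0{print $1}' /etc/passwd"
# /etc/shadow entries containing "$1" or "$6" (crypt-style hash prefixes), i.e.
# accounts that hold a password.  Raw string: awk must receive the backslashes
# unchanged; the plain literal only kept them because "\$" is an unknown escape
# sequence (a warning on Python >= 3.6).
min2 = r"awk '/\$1|\$6/{print $1}' /etc/shadow"
# Non-comment, non-empty sudoers lines granting ALL=(ALL).  Raw for the same
# reason as min2 ("\|" must reach grep as written).
min3 = r'more /etc/sudoers | grep -v "^#\|^$" | grep "ALL=(ALL)"'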
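def getinfo(min):
	"""Run shell command *min* and return its whole stdout as one string.

	The command goes through the system shell via os.popen, so only the
	fixed command strings defined in this script should be passed in.
	The pipe is closed explicitly once it has been read (the original
	left that to garbage collection); the exit status is still discarded.
	The parameter keeps its original name for call-site compatibility
	even though it shadows the builtin ``min``.
	"""
	with os.popen(min) as pipe:
		return pipe.read()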
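print("處置手段:")
print(info)
print("============================================================")
print("入侵排查 第一步賬號安全 ing------")
# Label padded to 30 columns, then the command output with its final newline
# removed ([:-1] on an empty result is still "").
display_format = '%-30s %-20s'
print(display_format % ("特權用戶:", getinfo(min1)[:-1]))
print(display_format % ("可遠程登錄:", getinfo(min2)[:-1]))
print(display_format % ("sudo權限用戶:", getinfo(min3)[:-1]))
print("============================================================")
print("入侵排查 第二步歷史命令 ing------")
# Manual step.  The hint names the shell builtin; it was misspelt "histroy".
print("root的歷史命令: history")
print('''進入用戶目錄下
cat .bash_history >> history.txt''')
print("============================================================")
print("入侵排查 第三步檢查異常端口 ing------")
# TCP sockets with owning PID/program.  NOTE: without sufficient privileges
# netstat typically cannot resolve other users' PIDs and prints "-" in that
# column — the step-3 loop must tolerate that.
min4 = "netstat -antlp|more"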
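def getdir(min):
	"""Run shell command *min* and return its stdout as a list of lines.

	Each element keeps its trailing newline (file.readlines semantics);
	a command with no output yields [].  Same shell/trust caveat as
	getinfo(): pass only the fixed command strings from this script.
	The pipe is closed explicitly after reading; the parameter name is
	kept for call-site compatibility although it shadows builtin ``min``.
	"""
	with os.popen(min) as pipe:
		return pipe.readlines()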
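pidinfo = getdir(min4)
# PIDs recovered from the netstat rows; reused in step 4.
pids = []
# The first two lines are treated as netstat's title and column header (that
# is what the original indexing assumed).  With fewer lines (netstat missing
# or failed) there is nothing to walk, so say so instead of raising IndexError.
if len(pidinfo) < 2:
	print("netstat 無輸出, 請手動執行: %s" % min4)
else:
	print("%s %s" % (pidinfo[1][:-1], "    dir"))
	for line in pidinfo[2:]:
		# The PID/Program column reads "PID/name": take the last space-separated
		# token before the first "/".  Only a purely numeric token is allowed
		# into the /proc path so a "-" (unresolved PID) or an odd line never
		# reaches the shell.  Local name renamed: the original shadowed ``str``.
		pid = line[:-1].split("/")[0].split(" ")[-1]
		if not pid.isdigit():
			print("%s %s" % (line[:-1], "(pid unavailable)"))
			continue
		pids.append(pid)
		cmd = "ls -l /proc/%s/exe" % pid
		print("%s %s" % (line[:-1], getinfo(cmd)[:-1]))
print("============================================================")
print("入侵排查 第四步檢查異常進程 ing------")
# The source article's "ps aux | grep pid" is a placeholder: grepping for the
# literal word "pid" only ever matched the grep process itself.  Substitute the
# PIDs found in step 3 (whole-word match so 12 does not also hit 1234).
min5 = "ps aux | grep -w %s"
if pids:
	for pid in pids:
		print(getinfo(min5 % pid)[:-1])
else:
	print("第三步未取得 PID, 請手動執行: ps aux | grep <pid>")
print("============================================================")
print("入侵排查 第五步檢查開機啓動項 ing------")
# Boot-time startup entries.  The original string ran both commands through a
# single "more" with no separator, so "ls", "-l" and the rc3.d path were opened
# as files; "[0~6]" is also a three-character class (0, ~, 6), not a range.
min6 = "more /etc/rc.local /etc/rc.d/rc[0-6].d; ls -l /etc/rc.d/rc3.d/"
print(getinfo(min6)[:-1])
print("============================================================")
print("入侵排查 第六步檢查定時任務 ing------")
# Manual step: cron locations to review by hand.
print('''請使用以下命令:
more /var/spool/cron/* 
more /etc/crontab
more /etc/cron.d/*
more /etc/cron.daily/* 
more /etc/cron.hourly/* 
more /etc/cron.monthly/*
more /etc/cron.weekly/
more /etc/anacrontab
more /var/spool/anacron/*''')
print("============================================================")
print("入侵排查 第七步檢查服務 ing------")
# Running cron daemon and the SysV service auto-start table.
min7 = "ps aux | grep crond"
min8 = "chkconfig  --list"
print(display_format % ("查看當前服務:", getinfo(min7)[:-1]))
print(display_format % ("服務自啓動狀態:", getinfo(min8)[:-1]))
print("============================================================")
print("入侵排查 檢查異常文件 and 檢查系統日誌 Please do manual work")
print("Thinks !")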

上面腳本的結果如下:

部分檢查日誌的腳本:
 

# coding=utf-8
import os

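def getinfo(min):
	"""Run shell command *min* and return its whole stdout as one string.

	The command goes through the system shell via os.popen, so only the
	fixed command strings defined in this script should be passed in.
	The pipe is closed explicitly once it has been read (the original
	left that to garbage collection); the exit status is still discarded.
	The parameter keeps its original name for call-site compatibility
	even though it shadows the builtin ``min``.
	"""
	with os.popen(min) as pipe:
		return pipe.read()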
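# sshd log queries.  NOTE(review): /var/log/secure is the RHEL-family location;
# adjust for distributions that log sshd elsewhere.  The awk field numbers
# assume the plain "Failed/Accepted password for USER from IP port" line shape;
# "invalid user" lines carry an extra field — confirm against the host's logs.
# Failed root logins, counted per source address (field $11).
min1 = '''grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more'''
# Dotted-quad addresses on failed-password lines.  Raw string so "\." reaches
# grep unchanged (a plain literal only kept it because "\." is an unknown
# escape).  Note that uniq -c without a preceding sort merges adjacent
# duplicates only, as in the source article.
min2 = r'''grep "Failed password" /var/log/secure|grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"|uniq -c'''
# Usernames tried: the text between "for" and " from" on each failed line.
# Left non-raw on purpose: "\n" becomes a real newline inside the perl string.
min3 = '''grep "Failed password" /var/log/secure|perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}'|uniq -c|sort -nr'''
# Successful logins counted per source address.
min4 = '''grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more'''
# Date (fields 1-3), user ($9) and address ($11) of each successful login.
# Delimited with triple double quotes: the original '''...''' literal was
# terminated by the awk program's closing quote, so the command reached the
# shell with an unterminated single quote and never ran.
min5 = """grep "Accepted " /var/log/secure | awk '{print $1,$2,$3,$9,$11}'"""
display_format = '%-30s %-20s'
print(display_format % ("多少IP在爆破主機的root帳號:", getinfo(min1)[:-1]))
print(display_format % ("定位有哪些IP在爆破:", getinfo(min2)[:-1]))
print(display_format % ("爆破用戶名字典是:", getinfo(min3)[:-1]))
print(display_format % ("登錄成功的IP有:", getinfo(min4)[:-1]))
print(display_format % ("登錄成功的日期、用戶名、IP:", getinfo(min5)[:-1]))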

結果如下:
