推荐迁出重要文件后重装系统。
lastb root | awk '{print $3}' | sort | uniq -c | sort -nr | more   # 统计针对 root 的失败登录来源及次数
last      # most recent successful logins
lastlog   # last login time of every account
grep -i Accepted /var/log/secure   # successful SSH authentications recorded in the secure log
ls -l /etc/passwd                  # owner, mode and mtime of the account database
cat /etc/passwd                    # review accounts by hand (UID/GID 0 checks follow)
判断是否在不知情的情况下被添加了用户
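# Accounts with UID 0 (root-equivalent); anything other than "root" is suspicious.
# The original 'grep "0" /etc/passwd' matched every line containing a 0 (UID 1000,
# home paths, ...) and was pure noise, so it is replaced by the field test below.
awk -F: '$3 == 0 { print $1 }' /etc/passwd
# Accounts in GID 0 (root group).
awk -F: '$4 == 0 { print $1 }' /etc/passwd
# Accounts whose password field in /etc/passwd is empty. On a shadowed system this
# field is normally "x", so as root repeat the test on the shadow file:
#   awk -F: 'length($2) == 0 { print $1 }' /etc/shadow
awk -F: 'length($2) == 0 { print $1 }' /etc/passwd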
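ls -l /usr/bin/which          # which itself may have been replaced; check it before trusting it
ls -l "$(which find)"         # same for find, which the rest of this checklist relies on
find /usr/ -mtime -20 -ls     # anything under /usr modified in the last 20 days
find /bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/local/bin/ /usr/local/sbin/ -mtime -20 -ls
ps -ef
# lsof -p <PID>               # open files of one suspicious process (fill in the PID)
# PIDs present in /proc but missing from ps (or vice versa) point at a replaced ps
# or a rootkit. Compare numeric entries only and keep the lists in a temp dir
# instead of files named "1" and "2" in the current directory. The short-lived
# helpers of the pipelines themselves show up as differences; rerun to confirm.
pid_cmp=$(mktemp -d) || exit 1
ps -e -o pid= | sort -n | uniq > "$pid_cmp/ps"
ls /proc | grep -E '^[0-9]+$' | sort -n | uniq > "$pid_cmp/proc"
diff "$pid_cmp/ps" "$pid_cmp/proc"
rm -rf -- "${pid_cmp:?}"
ifconfig                      # interfaces and addresses (ip addr on newer systems)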
通过 yum 安装(需要 epel 源)
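yum install libpcap nethogs -y   # nethogs is provided by EPEL
# Per-process network usage, all interfaces (interactive; q quits)
nethogs
# ... or limited to one interface, e.g. eth0
nethogs eth0
# Sockets on port 80 with owning process. -w keeps the match to ":80" itself;
# a bare ':80' would also match :8080, :800, ...
ss -tunap | grep -w ':80'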
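ls -artl /tmp/                       # recently changed files in the world-writable temp dir
# Root-owned setuid files. "-perm 4000" matches only a mode of exactly 04000 (no
# r/w/x bits at all) and so finds practically nothing; "-perm -4000" matches any
# file that has the setuid bit set.
find / -uid 0 -type f -perm -4000 -print
find / -size +10000k -print          # files over ~10 MB: dumps, archives, staged data
# Names that hide between . and .. in a listing, or consist only of whitespace
# (the '.' and '..' patterns rarely match on GNU find but are cheap to run)
find / -name '...' -print
find / -name '..' -print
find / -name '.' -print
find / -name ' ' -print
# Pay attention to setuid files, suspicious files over 10 MB and whitespace-named files.
find / -name core -exec ls -l {} +   # core dumps left by crashed (or exploited) programs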
find -perm 用法
-perm mode:文件权限正好等于 mode
-perm +mode:文件权限包含 mode 中的任意一位(GNU find 新版本中写作 /mode)
-perm -mode:文件权限包含 mode 中的全部位
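# Which package owns a core binary; an unowned or unknown owner is suspicious.
# (The original used en-dashes, "–qf", which rpm would not parse as options.)
rpm -qf /bin/ls
rpm -qf /bin/login
# Hash a file for comparison with a known-good copy. On GNU systems -b (binary)
# and -t (text) behave the same; sha256sum is preferable to md5sum for this.
# md5sum -b <FILE>
# md5sum -t <FILE>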
在 GNU 系统上,-t 和 -b 没有区别
rpm -Va 输出格式:
S – File size differs
M – Mode differs (permissions)
5 – MD5 sum differs
D – Device number mismatch
L – readLink path mismatch
U – user ownership differs
G – group ownership differs
T – modification time differs
注意相关的 /sbin, /bin, /usr/sbin, and /usr/bin
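ip link | grep PROMISC   # a NIC in promiscuous mode suggests a sniffer is running
lsof -i                  # every process holding a network socket
lsof -i :80              # ... restricted to port 80
netstat -nap             # all TCP/UDP sockets with owning PID (ss -tunap on newer systems)
arp -a                   # ARP cache: look for unexpected IP/MAC pairs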
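# Persistence: scheduled jobs, rc scripts, enabled services.
crontab -u root -l
cat /etc/crontab
ls -al /etc/cron.*
ls -al /var/spool/cron/
cat /etc/rc.d/rc.local
ls /etc/rc.d
ls /etc/rc3.d
find / -type f -perm -4000      # setuid bit set ("-perm 4000" would match almost nothing)
find /etc/ -mtime -20           # configuration changed in the last 20 days
chkconfig --list | grep :on     # services enabled in any runlevel (systemd hosts: systemctl list-unit-files)
rpcinfo -p                      # registered RPC services
service --status-all | grep running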
ps / top:查看运行的进程及其系统资源占用情况,查找异常进程。
pstree:以树状图的形式显示进程间的关系。
lsof:查看进程打开的文件、文件或目录被哪个进程占用、打开某个端口的进程、系统所有打开的端口等。
netstat:查看系统监听的所有端口、网络连接情况、查找连接数过多的 IP 地址等。
ss:上面两个命令的替代命令。
iftop:监控 TCP 连接的实时网络流量,可分别分析出入流量并排序,查找流量异常的 IP 地址。
nethogs:监控每个进程使用的网络流量,并从高到低排序,方便查找流量异常的进程。
strace:追踪一个进程所执行的系统调用,可分析可疑进程的运行情况。
strings:输出文件中可打印的字符串,可用来分析可疑程序。
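# Before killing, capture evidence: ps -fp <PID>, ls -l /proc/<PID>/exe, /proc/<PID>/cwd.
# pkill takes an extended regex, so an unanchored ".sshd" also matches the legitimate
# sshd (any character followed by "sshd") and would cut off the responder's own session.
# -x requires the whole process name to match, and the dot is escaped to be literal.
pkill -9 -x 'Linux-udp25000'
pkill -9 -x '\.zl'
pkill -9 -x '\.sshd'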
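pgrep -a getty                         # rogue processes sometimes hide behind a getty-like name
ls -artl /tmp/
# Dropped files named in the original write-up. Copy them somewhere safe
# (with hashes) for analysis before deleting; "--" guards the dot-names.
rm -f -- /tmp/gates.lod /tmp/moni.lod /tmp/.lz1546747496 /tmp/.java_pid12463 /tmp/.cron
find /opt/tomcat/bin/ -type f -mtime -5 -ls   # recent writes into the web app's bin dir
find / -type f -name 'qw1' -ls
find / -type f -name '.loop' -ls
rm -fr -- /usr/bin/bsd-port /usr/bin/dpkgd
rm -f -- /usr/bin/.sshd
# Re-check the inspection tools themselves after the clean-up.
ls -l /usr/bin/which
ls -l "$(which find)"
find /usr/ -mtime -20 -ls
find /bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/local/bin/ /usr/local/sbin/ -mtime -20 -ls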
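# Replace possibly trojaned inspection tools with copies from a known-clean host
# running the same distro/version. If the copy fails, the rootkit may have set the
# immutable bit: check with lsattr and remove the binary first. Afterwards verify
# with rpm -Vf <binary> and compare hashes against the clean host.
normal_ip=192.168.1.177
normal_port=22
for tool in /usr/sbin/ss /bin/ps /bin/netstat /usr/sbin/lsof; do
  scp -P "${normal_port}" -p -- "${normal_ip}:${tool}" "${tool%/*}/"
done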
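find /etc/ -mtime -20                 # configuration changed in the last 20 days
vim /etc/rc.d/rc.local                # inspect by hand for injected startup commands
# Init scripts and runlevel links dropped by the malware found above. "selinux" here
# is a fake init script, not part of SELinux itself (which has no such script on
# these systems, as far as the write-up shows). Remove each script and every
# runlevel link that points at it.
rm -f -- /etc/rc.d/init.d/.zl /etc/rc.d/init.d/DbSecuritySpt /etc/init.d/selinux
for lvl in 1 2 3 4 5; do
  rm -f -- "/etc/rc.d/rc${lvl}.d/S97DbSecuritySpt" "/etc/rc.d/rc${lvl}.d/S99selinux"
done
for lvl in 2 3 4 5; do
  rm -f -- "/etc/rc.d/rc${lvl}.d/S77.zl"
done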
chkrootkit和rkhunter是Linux下常用的查找检测rootkit后门的工具。
项目主页:http://www.chkrootkit.org/
下载路径:ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz(明文 FTP 下载,编译前请先与项目主页公布的校验值/签名核对压缩包)
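tar xf chkrootkit.tar.gz
cd chkrootkit-*/ || exit 1
yum install gcc gcc-c++ 'glibc*' make     # build deps; quote the glob so the shell does not expand it
make sense                                # chkrootkit's build target
# Quiet mode: print findings only. On a compromised host pass -p <dir> with
# trusted copies of the system commands chkrootkit relies on (see the note below).
./chkrootkit -q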
chkrootkit 检查时使用了部分系统命令:awk, cut, egrep, find, head, id, ls, netstat, ps, strings, sed, uname。
在已被入侵的系统上这些命令可能已被替换,因此 chkrootkit 的结果将不可靠。为了避免使用这些不受信任的命令,可以用 '-p' 选项指定一个存放可信命令副本的备用路径。
rkhunter 具有比 chkrootkit 更为全面的扫描范围。除 rootkit 特征码扫描外,rkhunter 还支持端口扫描、常用开源软件版本和文件变动情况检查等。
项目主页:http://rkhunter.sourceforge.net/
下载路径:https://sourceforge.net/projects/rkhunter/files/rkhunter/
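# Fetch over HTTPS (the plain http:// URL can be tampered with in transit) and
# verify the tarball against the checksum/signature published on the project page.
wget https://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
tar xzvf rkhunter-1.4.2.tar.gz
# "cd rkhunter*" matches both the tarball and the extracted directory once both
# exist, so cd fails with "too many arguments"; name the directory explicitly.
cd rkhunter-1.4.2/ || exit 1
./installer.sh --layout /usr --install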
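rkhunter --update                              # refresh the signature database
rkhunter --lang cn -c --sk                     # full check, Chinese output, skip the keypress prompts
rkhunter --lang cn -c --sk --rwo               # report warnings only
rkhunter --lang cn -c --sk -l rkhunter.log     # also write the log to a file of your choice
# Record the file-property baseline ONLY on a system known to be clean: on a
# compromised host this would whitelist the attacker's modifications.
rkhunter --propupd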
ClamAV 是一个命令行下的查毒软件。因为它不以杀毒为主要功能,默认只能查出计算机内的病毒,但无法清除,至多删除文件。ClamAV 可以在很多平台上工作,但有少数平台无法支持,这取决于所使用平台的流行程度。它主要用于防护一些 Windows 病毒和恶意程序。另外,这是一个面向服务端的软件。
官方下载地址:http://www.clamav.net/download.html
安装gcc、gcc-c++、C/C++语言编译环境
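yum install gcc gcc-c++ autoconf automake make -y
yum install zlib-devel -y
groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav   # unprivileged service account, no login shell
# The freshclam output further down already flags 0.101.0 as OUTDATED; use a
# current release for a real deployment.
tar xf clamav-0.101.0.tar.gz
cd clamav-0.101.0/ || exit 1
./configure --prefix=/opt/clamav --disable-clamav || exit 1
make || exit 1
make install || exit 1
mkdir -p /opt/clamav/{logs,updata}       # the original "{logs,/updata}" only worked thanks to the doubled slash
touch /opt/clamav/logs/{freshclam.log,clamd.log}
chown clamav:clamav /opt/clamav/logs/*.log
ls -l /opt/clamav/logs/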
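cp /opt/clamav/etc/clamd.conf.sample /opt/clamav/etc/clamd.conf
cp /opt/clamav/etc/freshclam.conf.sample /opt/clamav/etc/freshclam.conf
# Both samples contain a line that is just "Example" (line 8 of clamd.conf); the
# daemons refuse to run until it is commented out (see the freshclam ERROR lines
# below). The original does this by hand in vim.
sed -i 's/^Example$/#Example/' /opt/clamav/etc/clamd.conf /opt/clamav/etc/freshclam.conf
# Settings the original appends to clamd.conf
cat >> /opt/clamav/etc/clamd.conf <<'EOF'
LogFile /opt/clamav/logs/clamd.log
PidFile /opt/clamav/updata/clamd.pid
DatabaseDirectory /opt/clamav/updata
EOF
# NOTE(review): DatabaseDirectory is set to /opt/clamav/updata here, but freshclam
# below is pointed at /opt/clamav/share/clamav; unless freshclam.conf is given the
# same directory, clamd will not see the downloaded signatures — confirm.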
将 freshclam.conf 中的 Example 这一行注释掉(改为 #Example)。
否则在更新反病毒数据库时就可能出现下面的错误:
ERROR: Please edit the example config file /opt/clamav/etc/freshclam.conf
ERROR: Can't open/parse the config file /opt/clamav/etc/freshclam.conf
# Signature directory freshclam writes to (the prefix default); must be owned by
# the clamav user that freshclam runs as.
mkdir -p /opt/clamav/share/clamav
chown clamav:clamav /opt/clamav/share/clamav
/opt/clamav/bin/freshclam        # first signature download; needs outbound access to database.clamav.net
更新过程:
[root@node1 clamav-0.101.0]# /opt/clamav/bin/freshclam
ClamAV update process started at Tue Jan 8 14:23:14 2019
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.101.0 Recommended version: 0.101.1
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Downloading main.cvd [100%]
main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily.cvd [100%]
daily.cvd updated (version: 25278, sigs: 2201446, f-level: 63, builder: raynman)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 328, sigs: 94, f-level: 63, builder: neo)
Database updated (6767789 signatures) from database.clamav.net (IP: 104.16.188.138)
[root@node1 clamav-0.101.0]#
[root@node1 opt]# /opt/clamav/bin/clamscan -h
Clam AntiVirus: Scanner 0.101.0
By The ClamAV Team: https://www.clamav.net/about.html#credits
(C) 2007-2018 Cisco Systems, Inc.
clamscan [options] [file/directory/-]
--help -h Show this help
--version -V Print version number
--verbose -v Be verbose
--archive-verbose -a Show filenames inside scanned archives
--debug Enable libclamav's debug messages
--quiet Only output error messages
--stdout Write to stdout instead of stderr
--no-summary Disable summary at end of scanning
--infected -i Only print infected files
--suppress-ok-results -o Skip printing OK files
--bell Sound bell on virus detection
--tempdir=DIRECTORY Create temporary files in DIRECTORY
--leave-temps[=yes/no(*)] Do not remove temporary files
--gen-json[=yes/no(*)] Generate JSON description of scanned file(s). JSON will be printed and also-
dropped to the temp directory if --leave-temps is enabled.
--database=FILE/DIR -d FILE/DIR Load virus database from FILE or load all supported db files from DIR
--official-db-only[=yes/no(*)] Only load official signatures
--log=FILE -l FILE Save scan report to FILE
--recursive[=yes/no(*)] -r Scan subdirectories recursively
--allmatch[=yes/no(*)] -z Continue scanning within file after finding a match
--cross-fs[=yes(*)/no] Scan files and directories on other filesystems
--follow-dir-symlinks[=0/1(*)/2] Follow directory symlinks (0 = never, 1 = direct, 2 = always)
--follow-file-symlinks[=0/1(*)/2] Follow file symlinks (0 = never, 1 = direct, 2 = always)
--file-list=FILE -f FILE Scan files from FILE
--remove[=yes/no(*)] Remove infected files. Be careful!
--move=DIRECTORY Move infected files into DIRECTORY
--copy=DIRECTORY Copy infected files into DIRECTORY
--exclude=REGEX Don't scan file names matching REGEX
--exclude-dir=REGEX Don't scan directories matching REGEX
--include=REGEX Only scan file names matching REGEX
--include-dir=REGEX Only scan directories matching REGEX
--bytecode[=yes(*)/no] Load bytecode from the database
--bytecode-unsigned[=yes/no(*)] Load unsigned bytecode
--bytecode-timeout=N Set bytecode timeout (in milliseconds)
--statistics[=none(*)/bytecode/pcre] Collect and print execution statistics
--detect-pua[=yes/no(*)] Detect Possibly Unwanted Applications
--exclude-pua=CAT Skip PUA sigs of category CAT
--include-pua=CAT Load PUA sigs of category CAT
--detect-structured[=yes/no(*)] Detect structured data (SSN, Credit Card)
--structured-ssn-format=X SSN format (0=normal,1=stripped,2=both)
--structured-ssn-count=N Min SSN count to generate a detect
--structured-cc-count=N Min CC count to generate a detect
--scan-mail[=yes(*)/no] Scan mail files
--phishing-sigs[=yes(*)/no] Enable email signature-based phishing detection
--phishing-scan-urls[=yes(*)/no] Enable URL signature-based phishing detection
--heuristic-alerts[=yes(*)/no] Heuristic alerts
--heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found
--normalize[=yes(*)/no] Normalize html, script, and text files. Use normalize=no for yara compatibility
--scan-pe[=yes(*)/no] Scan PE files
--scan-elf[=yes(*)/no] Scan ELF files
--scan-ole2[=yes(*)/no] Scan OLE2 containers
--scan-pdf[=yes(*)/no] Scan PDF files
--scan-swf[=yes(*)/no] Scan SWF files
--scan-html[=yes(*)/no] Scan HTML files
--scan-xmldocs[=yes(*)/no] Scan xml-based document files
--scan-hwp3[=yes(*)/no] Scan HWP3 files
--scan-archive[=yes(*)/no] Scan archive files (supported by libclamav)
--alert-broken[=yes/no(*)] Alert on broken executable files (PE & ELF)
--alert-encrypted[=yes/no(*)] Alert on encrypted archives and documents
--alert-encrypted-archive[=yes/no(*)] Alert on encrypted archives
--alert-encrypted-doc[=yes/no(*)] Alert on encrypted documents
--alert-macros[=yes/no(*)] Alert on OLE2 files containing VBA macros
--alert-exceeds-max[=yes/no(*)] Alert on files that exceed max file size, max scan size, or max recursion limit
--alert-phishing-ssl[=yes/no(*)] Alert on emails containing SSL mismatches in URLs
--alert-phishing-cloak[=yes/no(*)] Alert on emails containing cloaked URLs
--alert-partition-intersection[=yes/no(*)] Alert on raw DMG image files containing partition intersections
--nocerts Disable authenticode certificate chain verification in PE files
--dumpcerts Dump authenticode certificate chain in PE files
--max-filesize=#n Files larger than this will be skipped and assumed clean
--max-scansize=#n The maximum amount of data to scan for each container file (**)
--max-files=#n The maximum number of files to scan for each container file (**)
--max-recursion=#n Maximum archive recursion level for container file (**)
--max-dir-recursion=#n Maximum directory recursion level
--max-embeddedpe=#n Maximum size file to check for embedded PE
--max-htmlnormalize=#n Maximum size of HTML file to normalize
--max-htmlnotags=#n Maximum size of normalized HTML file to scan
--max-scriptnormalize=#n Maximum size of script file to normalize
--max-ziptypercg=#n Maximum size zip to type reanalyze
--max-partitions=#n Maximum number of partitions in disk image to be scanned
--max-iconspe=#n Maximum number of icons in PE file to be scanned
--max-rechwp3=#n Maximum recursive calls to HWP3 parsing function
--pcre-match-limit=#n Maximum calls to the PCRE match function.
--pcre-recmatch-limit=#n Maximum recursive calls to the PCRE match function.
--pcre-max-filesize=#n Maximum size file to perform PCRE subsig matching.
--disable-cache Disable caching and cache checks for hash sums of scanned files.
Pass in - as the filename for stdin.
(*) Default scan settings
(**) Certain files (e.g. documents, archives, etc.) may in turn contain other
files inside. The above options ensure safe processing of this kind of data.
[root@WS1 opt]#
clamscan [选项] [文件/目录/-]
--help -h 显示此帮助
--version -V 打印版本号
--verbose -v 详细输出
--archive-verbose -a 显示被扫描压缩包内的文件名
--debug 启用 libclamav 的调试消息
--quiet 仅输出错误消息
--stdout 写入 stdout 而不是 stderr
--no-summary 扫描结束时不输出摘要
--infected -i 仅打印受感染的文件
--suppress-ok-results -o 不打印 OK 的文件
--bell 检测到病毒时响铃
--tempdir=DIRECTORY 在 DIRECTORY 中创建临时文件
--leave-temps[=yes/no(*)] 不删除临时文件
--gen-json[=yes/no(*)] 生成被扫描文件的 JSON 描述。JSON 会被打印出来;
如果启用了 --leave-temps,还会写入临时目录。
--database=FILE/DIR -d FILE/DIR 从 FILE 加载病毒库,或从 DIR 加载所有支持的病毒库文件
--official-db-only[=yes/no(*)] 仅加载官方特征
--log=FILE -l FILE 将扫描报告保存到 FILE
--recursive[=yes/no(*)] -r 递归扫描子目录
--allmatch[=yes/no(*)] -z 找到匹配后继续在文件中扫描
--cross-fs[=yes(*)/no] 扫描其他文件系统上的文件和目录
--follow-dir-symlinks[=0/1(*)/2] 跟随目录符号链接(0 = 从不,1 = 仅直接给出的,2 = 总是)
--follow-file-symlinks[=0/1(*)/2] 跟随文件符号链接(0 = 从不,1 = 仅直接给出的,2 = 总是)
--file-list=FILE -f FILE 扫描 FILE 中列出的文件
--remove[=yes/no(*)] 删除受感染的文件。小心!
--move=DIRECTORY 将受感染的文件移至 DIRECTORY
--copy=DIRECTORY 将受感染的文件复制到 DIRECTORY
--exclude=REGEX 不扫描与 REGEX 匹配的文件名
--exclude-dir=REGEX 不扫描与 REGEX 匹配的目录
--include=REGEX 仅扫描与 REGEX 匹配的文件名
--include-dir=REGEX 仅扫描与 REGEX 匹配的目录
--bytecode[=yes(*)/no] 从病毒库加载字节码
--bytecode-unsigned[=yes/no(*)] 加载未签名的字节码
--bytecode-timeout=N 设置字节码超时(毫秒)
--statistics[=none(*)/bytecode/pcre] 收集并打印执行统计信息
--detect-pua[=yes/no(*)] 检测可能不需要的应用程序(PUA)
--exclude-pua=CAT 跳过类别为 CAT 的 PUA 特征
--include-pua=CAT 加载类别为 CAT 的 PUA 特征
--detect-structured[=yes/no(*)] 检测结构化数据(SSN、信用卡号)
--structured-ssn-format=X SSN 格式(0 = 正常,1 = 去分隔符,2 = 两者)
--structured-ssn-count=N 触发检测所需的最少 SSN 数量
--structured-cc-count=N 触发检测所需的最少信用卡号数量
--scan-mail[=yes(*)/no] 扫描邮件文件
--phishing-sigs[=yes(*)/no] 启用基于邮件特征的网络钓鱼检测
--phishing-scan-urls[=yes(*)/no] 启用基于 URL 特征的网络钓鱼检测
--heuristic-alerts[=yes(*)/no] 启发式警报
--heuristic-scan-precedence[=yes/no(*)] 一旦找到启发式匹配就停止扫描
--normalize[=yes(*)/no] 规范化 html、脚本和文本文件。为兼容 yara 请使用 normalize=no
--scan-pe[=yes(*)/no] 扫描 PE 文件
--scan-elf[=yes(*)/no] 扫描 ELF 文件
--scan-ole2[=yes(*)/no] 扫描 OLE2 容器
--scan-pdf[=yes(*)/no] 扫描 PDF 文件
--scan-swf[=yes(*)/no] 扫描 SWF 文件
--scan-html[=yes(*)/no] 扫描 HTML 文件
--scan-xmldocs[=yes(*)/no] 扫描基于 xml 的文档文件
--scan-hwp3[=yes(*)/no] 扫描 HWP3 文件
--scan-archive[=yes(*)/no] 扫描压缩包文件(libclamav 支持的格式)
--alert-broken[=yes/no(*)] 对损坏的可执行文件(PE 和 ELF)发出警报
--alert-encrypted[=yes/no(*)] 对加密的压缩包和文档发出警报
--alert-encrypted-archive[=yes/no(*)] 对加密的压缩包发出警报
--alert-encrypted-doc[=yes/no(*)] 对加密的文档发出警报
--alert-macros[=yes/no(*)] 对包含 VBA 宏的 OLE2 文件发出警报
--alert-exceeds-max[=yes/no(*)] 对超过最大文件大小、最大扫描大小或最大递归限制的文件发出警报
--alert-phishing-ssl[=yes/no(*)] 对 URL 中存在 SSL 不匹配的邮件发出警报
--alert-phishing-cloak[=yes/no(*)] 对包含伪装 URL 的邮件发出警报
--alert-partition-intersection[=yes/no(*)] 对包含分区交叉的原始 DMG 镜像文件发出警报
--nocerts 禁用 PE 文件中的 authenticode 证书链验证
--dumpcerts 转储 PE 文件中的 authenticode 证书链
--max-filesize=#n 大于此值的文件将被跳过并视为干净
--max-scansize=#n 每个容器文件最多扫描的数据量(**)
--max-files=#n 每个容器文件最多扫描的文件数(**)
--max-recursion=#n 容器文件的最大压缩包递归层数(**)
--max-dir-recursion=#n 最大目录递归层数
--max-embeddedpe=#n 检查内嵌 PE 的文件最大大小
--max-htmlnormalize=#n 进行规范化的 HTML 文件最大大小
--max-htmlnotags=#n 扫描规范化后 HTML 文件的最大大小
--max-scriptnormalize=#n 进行规范化的脚本文件最大大小
--max-ziptypercg=#n 进行类型重新分析的 zip 文件最大大小
--max-partitions=#n 磁盘镜像中最多扫描的分区数
--max-iconspe=#n PE 文件中最多扫描的图标数
--max-rechwp3=#n HWP3 解析函数的最大递归调用次数
--pcre-match-limit=#n PCRE 匹配函数的最大调用次数。
--pcre-recmatch-limit=#n PCRE 匹配函数的最大递归调用次数。
--pcre-max-filesize=#n 执行 PCRE 子特征匹配的文件最大大小。
--disable-cache 禁用对已扫描文件哈希值的缓存及缓存检查。
-r 递归扫描子目录
-i 仅打印受感染(infected)的文件
--bell 检测到病毒时响铃
扫描 /sys/ 会产生大量报错,跳过此目录即可(/proc、/dev 同理)
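# --exclude-dir takes a regex, so an unanchored "/sys/" would also skip any path
# that merely contains "/sys/" (e.g. /usr/lib/sys/). Anchor it, and skip the other
# pseudo-filesystems too; /proc is the likely source of the pread "got 0" warnings
# shown below. A scan this long (see the summary: ~580 min) should also be logged
# with -l so the findings survive a lost terminal.
/opt/clamav/bin/clamscan --exclude-dir='^/(sys|proc|dev)/' --bell -i -r -l clamscan.log /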
结果:
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 27262976 bytes
LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 27262976 bytes
/opt/clamav-0.101.0/test.tar.gz: Clamav.Test.File-6 FOUND # 删掉带有FOUND的文件
^G
----------- SCAN SUMMARY ----------- # 扫描摘要
Known viruses: 6759977 # 已知病毒
Engine version: 0.101.0 # 版本
Scanned directories: 54284 # 扫描目录
Scanned files: 1019040 # 扫描文件
Infected files: 1 # 受感染的文件
Total errors: 15174 # 总错误
Data scanned: 181322.94 MB # 扫描数据
Data read: 228000.39 MB (ratio 0.80:1) # 数据读取
Time: 34849.575 sec (580 m 49 s) # 时间
原文地址:http://blog.51cto.com/moerjinrong/2340089