安全类和远程类shell脚本
批量查找php小马(webshell)脚本——只列出可疑文件供人工复核,不会自动删除
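#!/usr/bin/env bash
# Scan a web root for PHP files carrying common webshell ("小马") markers and
# append the list of suspect files to a report.
#
# Usage: scan_php_webshells.sh [SCAN_DIR] [REPORT]
#   SCAN_DIR  directory to walk           (default: /home/hatdot)
#   REPORT    file suspect paths are appended to (default: /tmp/test.txt)
#
# The script only *lists* candidates; it never deletes anything.  The
# signature list is short and trivially evaded (rename a function, change the
# encoding), so a clean run is weak evidence -- treat it as triage input, not
# a verdict.  Fixes versus the original one-liners: `--include` (was
# `-include`), `-print0` (was `-print 0`), and the garbled function names
# `gunerpress`/`base64_decoolcode`, which could never match real code.
set -u

# Webshell signatures as one extended regex (case-sensitive, like the original):
#   - known shell families: phpspy, c99sh, milw0rm, spider_bc
#   - eval() over base64 / gzuncompress(base64) payloads, gzinflate()
#   - eval($_POST...) one-liners and file_put_contents(...$_POST[...]) droppers
readonly WEBSHELL_PATTERN='phpspy|c99sh|milw0rm|spider_bc|gzinflate|eval\((gzuncompress\()?base64_decode\(|[^a-z]eval\(\$_POST|file_put_contents\(.*\$_POST\['

#######################################
# Print the path of every regular *.php file under $1 that matches
# WEBSHELL_PATTERN, one per line, sorted and de-duplicated.
# Globals:   WEBSHELL_PATTERN
# Arguments: $1 - directory to scan
# Outputs:   matching file paths on stdout
#######################################
scan_php_webshells() {
  local dir=$1
  # -exec ... {} + hands whole batches of paths to grep without word-splitting
  # them; -l prints each file once.  grep exits 1 for files with no match,
  # which is the normal case and not an error here.
  find "$dir" -type f -name '*.php' -exec grep -lIE -- "$WEBSHELL_PATTERN" {} + \
    | LC_ALL=C sort -u
}

scan_dir=${1:-/home/hatdot}
report=${2:-/tmp/test.txt}

if [[ -d "$scan_dir" ]]; then
  scan_php_webshells "$scan_dir" >> "$report"
else
  printf 'warning: %s is not a directory, nothing scanned\n' "$scan_dir" >&2
fi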
python批量查找php小马(同样只报告可疑文件,不删除)
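#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# blog: www.sinesafe.com
"""Walk a directory tree and report *.php files that look like webshells.

Usage: python3 scan_php.py DIRECTORY

Every .php file is matched against RULES (compiled once); the first rule that
hits is reported and the file is skipped, as in the original.  The rules are
heuristics and several are very noisy (``system32``, ``gethostbyname(``,
``Program Files`` ...), so the output is a list of candidates for manual
review, not a verdict.  Ported from Python 2: ``print`` statements, bare
``open().read()`` and an unchecked ``sys.argv[1]`` all broke under Python 3.
"""
import os
import re
import sys

RULES = [
    # $_GET['a']($_GET['b']) style dynamic calls
    r'(\$_(GET|POST|REQUEST)\[.{0,15}\]\(\$_(GET|POST|REQUEST)\[.{0,15}\]\))',
    # long inline base64 blobs
    r"""(base64_decode\(['"][\w\+/=]{200,}['"]\))""",
    r'eval\(base64_decode\(',
    r'(eval\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    r'(assert\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    r'(\$[\w_]{0,15}\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    r'(wscript\.shell)',
    r'(gethostbyname\()',
    r'(cmd\.exe)',
    r'(shell\.application)',
    r'(documents\s+and\s+settings)',
    r'(system32)',
    r'(serv-u)',
    r'(提权)',
    r'(phpspy)',
    r'(后门)',
    r'(webshell)',
    r'(Program\s+Files)',
]
# Original name kept for anyone importing it.
rulelist = RULES
_COMPILED = [re.compile(rule) for rule in RULES]


def find_suspicious(path):
    """Return the text of the first rule match in the file at ``path``.

    Returns None when no rule matches or the file cannot be read (the error
    is reported on stderr so one unreadable file does not abort the scan).
    The file is decoded as UTF-8 with undecodable bytes replaced, so binary
    junk inside a .php file cannot raise mid-scan.
    """
    try:
        with open(path, 'r', encoding='utf-8', errors='replace') as handle:
            content = handle.read()
    except OSError as exc:
        print('无法读取: %s (%s)' % (path, exc), file=sys.stderr)
        return None
    for rule in _COMPILED:
        match = rule.search(content)
        if match:
            return match.group(0)
    return None


def Scan(path):
    """Print every suspicious .php file below ``path``.

    Returns a list of ``(file_path, matched_text)`` tuples in walk order so
    callers can post-process the result instead of parsing stdout.  The
    extension test is case-insensitive because ``.PHP`` is still served as
    PHP on common web-server configurations.
    """
    hits = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            if os.path.splitext(name)[1].lower() != '.php':
                continue
            full_path = os.path.join(root, name)
            matched = find_suspicious(full_path)
            if matched is None:
                continue
            hits.append((full_path, matched))
            print('文件:' + full_path)
            print('恶意代码:' + matched)
            print('\n\n')
    return hits


def main(argv):
    """Command-line entry point; returns the process exit status."""
    if len(argv) < 2:
        print('用法: %s 扫描目录' % argv[0])
        return 2
    target = argv[1]
    if not os.path.lexists(target):
        print('提示:指定的扫描目录不存在--- 我靠( \'o′)!!凸')
        return 1
    print('\n\n开始扫描:' + target)
    print(' 可疑文件 ')
    print('########################################')
    Scan(target)
    print('提示:扫描完成-- O(∩_∩)O哈哈~')
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))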
每两秒监控是否有人ssh到你的机器,如果有人ssh上来,则把它kill掉,并使用iptables拒绝它登录:2秒内被踢掉,30分钟内无法登录,30分钟后自动取消对它的拒绝。注意:脚本会踢掉所有ssh会话,包括运行脚本的管理员自己,只适合做演示或在有带外(控制台)访问的机器上使用;规则只覆盖IPv4和22端口。
版本1:
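#!/usr/bin/env bash
# Version 1: poll `who` every 2 seconds and kick every remote SSH session.
#
# For each login whose origin is a dotted-quad IPv4 address, the sshd
# processes for that pty are killed and an iptables REJECT rule for tcp/22 is
# added; an `at` job removes the rule 30 minutes later.
#
# WARNING: this is a self-inflicted denial of service.  It throws out *every*
# SSH login, including the administrator who started it, so only run it where
# console (out-of-band) access exists.  IPv6 peers and sshd on another port
# are not covered by the REJECT rule; without a running atd the rule is never
# lifted.  Needs root.  Fixes versus the original: the undefined `$i` used
# with `head -$i`, the unquoted `ps | grep` that could kill unrelated
# processes, and the unquoted address passed to iptables.
set -u

readonly INTERVAL=2        # seconds between `who` polls
readonly BAN_MINUTES=30    # lifetime of the REJECT rule
readonly SSH_PORT=22

#######################################
# Succeed if $1 looks like a dotted-quad IPv4 address.
#######################################
is_ipv4() {
  [[ $1 =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]
}

#######################################
# Kill the sshd session on pty $1 and ban address $2 on tcp/SSH_PORT for
# BAN_MINUTES minutes.
# Globals:   SSH_PORT, BAN_MINUTES
# Arguments: $1 - pty such as pts/0, $2 - client IPv4 address
#######################################
kick_ssh_session() {
  local pty=$1 ip=$2
  echo "$ip ssh close"
  iptables -A INPUT -p tcp --dport "$SSH_PORT" -s "$ip" -j REJECT
  # Session processes are titled "sshd: user@pts/N"; anchoring on the pty
  # replaces the original `ps | grep` that could match unrelated processes.
  pkill -KILL -f "sshd: .*@${pty}\$" 2>/dev/null
  # Queue the matching -D so the ban expires.
  printf 'iptables -D INPUT -p tcp --dport %s -s %s -j REJECT\n' "$SSH_PORT" "$ip" \
    | at now + "$BAN_MINUTES" minutes 2>/dev/null
}

main() {
  local _user pty rest origin
  echo "check ssh...."
  while true; do
    # `who` prints: USER PTY DATE TIME (ORIGIN).  ORIGIN is the client
    # address unless sshd resolved it to a name, in which case it is skipped.
    while read -r _user pty rest; do
      origin=${rest##*\(}
      origin=${origin%%\)*}
      is_ipv4 "$origin" || continue
      kick_ssh_session "$pty" "$origin"
    done < <(who)
    sleep "$INTERVAL"
  done
}

main "$@"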
版本2:
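#!/usr/bin/env bash
# Version 2: same idea as version 1 -- poll `who` every 2 seconds, kill every
# remote SSH session and REJECT its address on tcp/22 for 30 minutes -- but
# the session list is produced in one awk pass and the unban is handed to
# `at` as a here-document.
#
# WARNING: this kicks every SSH login including the administrator running
# it; use only with console access.  IPv4 and port 22 only; without a running
# atd the REJECT rule is never removed.  Needs root.  Fixes versus the
# original: addresses are validated before reaching iptables (a name-resolved
# origin used to produce a broken rule) and the sshd match is anchored on the
# pty instead of an unquoted `grep $pts`.
set -u

readonly INTERVAL=2        # seconds between `who` polls
readonly BAN_MINUTES=30    # lifetime of the REJECT rule
readonly SSH_PORT=22

#######################################
# Read `who` output on stdin and print "PTY ADDRESS" for every session whose
# origin is a dotted-quad IPv4 address.  Local display logins such as "(:0)"
# and name-resolved origins fail that test and are dropped, which is what the
# original's grep -v "(:" was for.
#######################################
remote_sessions() {
  awk -F'[()]' '
    NF >= 2 && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
      split($1, f, " ")
      print f[2], $2
    }'
}

#######################################
# Kill the sshd processes of pty $1 and REJECT address $2 on tcp/SSH_PORT,
# scheduling removal of the rule after BAN_MINUTES minutes.
#######################################
kick_session() {
  local pty=$1 ip=$2
  pkill -KILL -f "sshd: .*@${pty}\$" 2>/dev/null
  iptables -A INPUT -p tcp --dport "$SSH_PORT" -s "$ip" -j REJECT
  at now + "$BAN_MINUTES" minutes > /dev/null 2>&1 <<EOF
iptables -D INPUT -p tcp --dport $SSH_PORT -s $ip -j REJECT
EOF
}

main() {
  local pty ip
  while true; do
    while read -r pty ip; do
      kick_session "$pty" "$ip"
    done < <(who | remote_sessions)
    sleep "$INTERVAL"
  done
}

main "$@"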
rsync+ssh批量自动化部署:
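#!/usr/bin/env bash
#-------------------------------------#
# author by bossco                    #
# auto change server files            #
# 2015.12.24                          #
#-------------------------------------#
# Push a directory to several hosts with rsync, or run a script on them.
#
# Prerequisite: passwordless SSH to every host as SSH_USER
# (ssh-keygen, then ssh-copy-id -i ~/.ssh/id_rsa.pub HOST).  The original
# logs in as root; a dedicated deploy user with sudo limited to the restart
# script is a far smaller blast radius if that key is ever stolen.
#
# Usage: $0 flush     -- rsync.list lines:   "IP SRC_DIR DEST_DIR"
#        $0 restart   -- restart.list lines: "IP COMMAND" (run remotely with sh)
# Blank lines and lines starting with '#' are ignored.
#
# Fixes versus the original: `[ ! f file ]` (missing `-f`), `$(NUM)` which
# ran a command called NUM instead of expanding the variable, restart.list
# being written to `.swap` but read from `.swp` (so nothing ran), and the
# "success" banner being printed even when the remote command failed.
set -u

readonly SSH_USER=root
# BatchMode fails fast instead of hanging on a password prompt when the key
# is missing; host keys must already be in known_hosts.
readonly -a SSH_OPTS=(-o BatchMode=yes)

#######################################
# Print the non-blank, non-comment lines of list file $1.
#######################################
read_list() {
  grep -Ev '^[[:space:]]*(#|$)' -- "$1"
}

#######################################
# Tell the user what a missing list file $1 should contain ($2 is a sample).
#######################################
explain_missing() {
  local name=$1 sample=$2
  printf '\033[34mPlease Create %s files, The %s contents as follows! \033[0m\n' "$name" "$name"
  printf '%s\n' "$sample"
}

#######################################
# rsync SRC_DIR/ to root@IP:DEST_DIR/ for every line of rsync.list.
# Returns: 1 when rsync.list is missing
#######################################
flush() {
  if [[ ! -f rsync.list ]]; then
    explain_missing rsync.list $'192.168.10.128 src_dir des_dir\n192.168.10.129 src_dir des_dir'
    return 1
  fi
  local ip src des _extra
  while read -r ip src des _extra; do
    if [[ -z "$des" ]]; then
      printf 'skipping malformed rsync.list line: %s %s %s\n' "$ip" "$src" "$des" >&2
      continue
    fi
    rsync -av -e "ssh ${SSH_OPTS[*]}" -- "$src/" "$SSH_USER@$ip:$des/" < /dev/null
  done < <(read_list rsync.list)
}

#######################################
# Run `sh COMMAND` on IP for every line of restart.list.
# Returns: 1 when restart.list is missing
#######################################
restart() {
  if [[ ! -f restart.list ]]; then
    explain_missing restart.list $'192.168.10.128 COMMAND\n192.168.10.129 COMMAND'
    return 1
  fi
  local ip command _extra
  while read -r ip command _extra; do
    if [[ -z "$command" ]]; then
      printf 'skipping malformed restart.list line: %s\n' "$ip" >&2
      continue
    fi
    # -n keeps ssh from swallowing the rest of the list on the loop's stdin.
    # COMMAND is a path on the remote host; it is interpreted by the remote sh.
    if ssh -n "${SSH_OPTS[@]}" -l "$SSH_USER" "$ip" "sh $command"; then
      printf -- '------------\nThe %s Exec commands:sh %s success!\n' "$ip" "$command"
    else
      printf -- 'The %s Exec commands:sh %s FAILED\n' "$ip" "$command" >&2
    fi
  done < <(read_list restart.list)
}

main() {
  case ${1:-} in
    flush) flush ;;
    restart) restart ;;
    *)
      printf '\033[31mUsage: %s command,example{flush | restart} \033[0m\n' "$0" >&2
      return 1
      ;;
  esac
}

main "$@"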
批量远程执行命令:
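#!/usr/bin/env bash
#-------------------------------------#
# author by bossco                    #
# remote exec command                 #
# 2015.12.24                          #
#-------------------------------------#
# Run one shell command line on every host listed in ip.txt (one address per
# line; blank lines and '#' comments are ignored, only the first word of a
# line is used as the address).
#
# Prerequisite: passwordless SSH as SSH_USER (ssh-keygen; ssh-copy-id ...).
# "$*" is handed to the remote shell verbatim, so whoever can run this
# script runs arbitrary commands as root on every listed host: restrict who
# can execute it and who can edit ip.txt, and prefer a non-root user with
# sudo.  Fixes versus the original: the `.swap`/`.swp` temp-file mix-up that
# made ip.txt.swp grow forever, `$(i)` being run as a command, and the
# "success" message that was printed even when the command failed.
set -u

readonly HOST_FILE=ip.txt
readonly SSH_USER=root
# -n: don't read the loop's stdin; BatchMode: fail instead of prompting.
readonly -a SSH_OPTS=(-q -n -o BatchMode=yes)

#######################################
# Print the host addresses in file $1, one per line, skipping blank and
# comment lines and anything after the first whitespace on a line.
#######################################
read_hosts() {
  grep -Ev '^[[:space:]]*(#|$)' -- "$1" | awk '{print $1}'
}

main() {
  if [[ ! -f "$HOST_FILE" ]]; then
    printf '\033[31m please create %s\033[0m\n' "$HOST_FILE" >&2
    return 1
  fi
  if [[ $# -eq 0 ]]; then
    printf '\033[32mUsage: %s command,example{rm /tmp/test.txt | mkdir /tmp/20150505}\033[0m\n' "$0" >&2
    return 1
  fi
  local cmd=$* ip rc
  while read -r ip; do
    if ssh "${SSH_OPTS[@]}" -l "$SSH_USER" "$ip" "$cmd"; then
      printf '\033[35m-------------------\nThe %s Exec Commands: %s success !\033[0m\n' "$ip" "$cmd"
    else
      rc=$?
      printf 'The %s Exec Commands: %s FAILED (exit %s)\n' "$ip" "$cmd" "$rc" >&2
    fi
  done < <(read_hosts "$HOST_FILE")
}

main "$@"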
批量拷贝文件或目录至远程服务器:
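#!/usr/bin/env bash
#-------------------------------------#
# author by bossco                    #
# cp file/dir to remote server        #
# 2015.12.24                          #
#-------------------------------------#
# Copy one or more files/directories to the same destination path on every
# host listed in ip.txt (one address per line; blank lines and '#' comments
# are ignored).
#
# Usage: $0 SRC... DEST
# Prerequisite: passwordless SSH as SSH_USER (ssh-keygen; ssh-copy-id ...).
#
# Fixes versus the original: it read `$IP` but used `${ip}` (unset), so
# every copy went to `root@:DEST` -- i.e. nowhere near the remote hosts;
# `$(i)` was run as a command; the `.swap`/`.swp` temp-file names did not
# match; and a missing DEST argument was not detected.
set -u

readonly HOST_FILE=ip.txt
readonly SSH_USER=root

#######################################
# Print the host addresses in file $1, one per line, skipping blank and
# comment lines and anything after the first whitespace on a line.
#######################################
read_hosts() {
  grep -Ev '^[[:space:]]*(#|$)' -- "$1" | awk '{print $1}'
}

main() {
  if [[ ! -f "$HOST_FILE" ]]; then
    printf '\033[31m please create %s\033[0m\n' "$HOST_FILE" >&2
    return 1
  fi
  if [[ $# -lt 2 ]]; then
    printf '\033[32mUsage: %s command,example{src_files|src_dir des_dir}\033[0m\n' "$0" >&2
    return 1
  fi
  local dest=${!#}
  local -a sources=("${@:1:$#-1}")
  local ip
  while read -r ip; do
    # -r copies directories; BatchMode fails fast when no key is set up
    # instead of hanging on a password prompt.  stdin is redirected so the
    # underlying ssh cannot consume the rest of the host list.
    scp -r -o BatchMode=yes -- "${sources[@]}" "$SSH_USER@$ip:$dest" < /dev/null
    # Alternative that also removes remote files missing locally:
    # rsync -aP --delete -- "${sources[@]}" "$SSH_USER@$ip:$dest"
  done < <(read_hosts "$HOST_FILE")
}

main "$@"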
自动阻止SSH远程登录密码输错达到3次(及以上)的恶意IP
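#!/usr/bin/env bash
#auto drop ssh failed IP address
#-------------------------------------#
# author by bossco                    #
# auto drop ssh failed IP address     #
# 2015.12.23                          #
#-------------------------------------#
# Block every source address with at least MAX_FAILURES "Failed password"
# entries in the last LOG_WINDOW lines of the sshd log -- live (iptables -I)
# and persistently (/etc/sysconfig/iptables, applied on the next reload).
#
# Caveats a fail2ban-style tool handles and this one does not: the block is
# permanent, there is no allow-list (a typo from your own office address locks
# you out), the window is line based so a noisy burst can push old offenders
# out of view, and only IPv4 is handled.  Run from cron as root.
#
# Fixes versus the original: `grep "failed password"` never matched sshd's
# capitalised "Failed password"; `echo IP_ADDR` (no `$`) looped over the
# literal word IP_ADDR; `echo cat <<EOF` printed "cat" and discarded the
# banner; the substring grep let 1.2.3.4 satisfy a check for 1.2.3.45; and
# nothing ever loaded the new rule into the running firewall.
set -u

readonly SEC_FILE=/var/log/secure
readonly IPTABLE_CONF=/etc/sysconfig/iptables
readonly LOG_WINDOW=1000     # lines of SEC_FILE to inspect
readonly MAX_FAILURES=3      # failures at which an address is blocked
readonly SSH_PORT=22

#######################################
# Print each IPv4 address with at least $2 "Failed password" lines among the
# last $3 lines of log file $1, one per line, ascending.
# Arguments: $1 - log file, $2 - failure threshold, $3 - tail window (lines)
#######################################
failed_login_ips() {
  local log=$1 threshold=$2 window=$3
  # sshd logs "Failed password for ... from A.B.C.D port N"; -i also accepts
  # the lower-case spelling the original pattern was written for.
  tail -n "$window" -- "$log" \
    | grep -i 'failed password' \
    | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | LC_ALL=C sort \
    | uniq -c \
    | awk -v min="$threshold" '$1 >= min {print $2}'
}

#######################################
# DROP new tcp/SSH_PORT connections from address $1, in the live ruleset and
# in IPTABLE_CONF, skipping whichever already has the rule.
# Globals: SSH_PORT, IPTABLE_CONF
#######################################
block_ip() {
  local ip=$1
  local -a rule=(INPUT -s "$ip" -m state --state NEW -p tcp --dport "$SSH_PORT" -j DROP)
  # -C tests for an identical rule, so repeated cron runs stay idempotent.
  if ! iptables -C "${rule[@]}" 2>/dev/null; then
    iptables -I "${rule[@]}"
  fi
  # Match "-s IP " with the trailing space: a bare substring check let
  # 1.2.3.4 stand in for 1.2.3.45.
  if grep -qF -- "-s $ip " "$IPTABLE_CONF"; then
    echo "$ip already present in $IPTABLE_CONF"
    return 0
  fi
  # Insert after the loopback ACCEPT line, like the original, so the DROP
  # sits ahead of the generic ssh ACCEPT when the file is reloaded.  The
  # anchor is "-i lo " rather than "lo" so comment lines containing "allow"
  # do not also get a copy.
  sed -i "/-i lo /a -A ${rule[*]}" "$IPTABLE_CONF"
  grep -qF -- "-s $ip " "$IPTABLE_CONF" \
    || printf 'warning: no "-i lo" anchor line in %s, %s not persisted\n' "$IPTABLE_CONF" "$ip" >&2
}

main() {
  cat <<'EOF'
+++++++++++++++welcome to use ssh login drop failed ip +++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
EOF
  if [[ ! -r "$SEC_FILE" ]]; then
    printf 'cannot read %s\n' "$SEC_FILE" >&2
    return 1
  fi
  if [[ ! -w "$IPTABLE_CONF" ]]; then
    printf 'cannot write %s\n' "$IPTABLE_CONF" >&2
    return 1
  fi
  local ip
  while read -r ip; do
    block_ip "$ip"
  done < <(failed_login_ips "$SEC_FILE" "$MAX_FAILURES" "$LOG_WINDOW")
}

main "$@"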