Chapter 1: Incident Response - Linux Log Analysis

Environment: 52.82.47.xxx / 10.0.10.2
Connect to the shell over SSH; password: linuxrz

ssh root@52.82.47.240

1. How many IPs were brute-forcing the host's SSH root account? If there are several, separate them with ","

➜  root@ip-10-0-10-2:~ ls /var/log | grep "auth"
auth.log
auth.log.1
➜  root@ip-10-0-10-2:~ cat /var/log/auth.log.1 | grep -a "Failed password for root" | awk '{print $11}' | uniq -c
      1 192.168.200.32
      4 192.168.200.2
      1 192.168.200.31

flag{192.168.200.2,192.168.200.31,192.168.200.32}

2. Which IP logged in successfully via the SSH brute force? If there are several, separate them with ","

➜  root@ip-10-0-10-2:~ grep -a "Accepted password" /var/log/auth.log.1 | awk '{print $11}' | uniq -c
      2 192.168.200.2

flag{192.168.200.2}

3. What username dictionary was used for the brute force? If there are several, separate them with ","

➜  root@ip-10-0-10-2:~ grep -a "Failed password for invalid user" /var/log/auth.log.1 | awk '{print $11}' | sort | uniq -c | sort -nr
      5 user
      5 hello
      5 from
      1 test3
      1 test2
      1 test1
"from" appears because one attempt had an empty username, so the 11th field of that line was "from". The real list drops "from" and adds root, which this grep does not match because the root attempts are not logged as "invalid user".

flag{user,hello,root,test3,test2,test1}

4. How many brute-force attempts did the IP that logged in successfully make?
192.168.200.2 is the IP that succeeded. In the match results from question 1 it has 4 entries, so the count is 4.

flag{4}

5. After logging in, the attacker created a backdoor user. What is the username?

➜  root@ip-10-0-10-2:~ cat /var/log/auth.log.1 | grep -a "new user"
Aug  1 07:50:45 linux-rz useradd[7551]: new user: name=test2, UID=1000, GID=1000, home=/home/test2, shell=/bin/sh
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: new user: name=debian, UID=1001, GID=1001, home=/home/debian, shell=/bin/bash
➜  root@ip-10-0-10-1:~ cat /etc/passwd | grep "test2"
test2:x:1000:1000::/home/test2:/bin/sh

flag{test2}
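As an added example that is not part of the original write-up, the Python script below answers the five questions in one pass by parsing auth.log lines with regular expressions instead of relying on awk field positions. The log excerpt embedded in it is constructed (it is not the challenge's real log) so that it reproduces the write-up's answers, including a blank-username line of the kind that makes awk's 11th field come out as "from" in question 3. Counts are aggregated with a Counter, so unlike "uniq -c" without a preceding "sort" they do not depend on matching lines being adjacent in the file.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample auth.log excerpt (not the challenge's real log). The IPs and
# usernames are chosen to reproduce the write-up's answers; the line with two
# spaces after "invalid user" is an empty-username attempt.
SAMPLE_AUTH_LOG = """\
Aug  1 07:40:01 linux-rz sshd[7001]: Failed password for root from 192.168.200.32 port 50001 ssh2
Aug  1 07:40:03 linux-rz sshd[7002]: Failed password for invalid user user from 192.168.200.2 port 50002 ssh2
Aug  1 07:40:05 linux-rz sshd[7003]: Failed password for invalid user hello from 192.168.200.2 port 50003 ssh2
Aug  1 07:40:07 linux-rz sshd[7004]: Failed password for root from 192.168.200.31 port 50004 ssh2
Aug  1 07:40:09 linux-rz sshd[7005]: Failed password for invalid user  from 192.168.200.2 port 50005 ssh2
Aug  1 07:40:11 linux-rz sshd[7006]: Failed password for root from 192.168.200.2 port 50006 ssh2
Aug  1 07:40:13 linux-rz sshd[7007]: Failed password for invalid user test1 from 192.168.200.2 port 50007 ssh2
Aug  1 07:40:15 linux-rz sshd[7008]: Failed password for root from 192.168.200.2 port 50008 ssh2
Aug  1 07:40:17 linux-rz sshd[7009]: Failed password for root from 192.168.200.2 port 50009 ssh2
Aug  1 07:40:19 linux-rz sshd[7010]: Failed password for root from 192.168.200.2 port 50010 ssh2
Aug  1 07:40:21 linux-rz sshd[7011]: Accepted password for root from 192.168.200.2 port 50011 ssh2
Aug  1 07:50:45 linux-rz useradd[7551]: new user: name=test2, UID=1000, GID=1000, home=/home/test2, shell=/bin/sh
"""

# "invalid user " is optional (root attempts lack it); the user group may be empty.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
USERADD_RE = re.compile(
    r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+), "
    r"GID=(?P<gid>\d+), home=(?P<home>[^,]+), shell=(?P<shell>\S+)"
)


def parse_auth_log(text):
    """Turn auth.log lines into event dicts; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            events.append({
                "kind": "accepted" if m["result"] == "Accepted" else "failed",
                "user": m["user"],  # "" for an empty-username attempt
                "ip": m["ip"],
            })
            continue
        m = USERADD_RE.search(line)
        if m:
            events.append({"kind": "new_user", "user": m["name"],
                           "uid": int(m["uid"]), "shell": m["shell"]})
    return events


def failed_root_by_ip(events):
    """Q1/Q4: failed root logins per source IP, aggregated across the whole file."""
    return Counter(e["ip"] for e in events
                   if e["kind"] == "failed" and e["user"] == "root")


def brute_force_ips(events):
    """Q1 flag: the source IPs that failed against root, in numeric IP order."""
    return ",".join(sorted(failed_root_by_ip(events), key=ipaddress.ip_address))


def accepted_by_ip(events):
    """Q2: successful password logins per source IP."""
    return Counter(e["ip"] for e in events if e["kind"] == "accepted")


def usernames_tried(events):
    """Q3: every username seen in a failed login, root included; an empty
    username is reported as "<empty>" rather than leaking the next word."""
    return Counter(e["user"] or "<empty>" for e in events if e["kind"] == "failed")


def new_users(events):
    """Q5: accounts created by useradd, with UID and login shell."""
    return [(e["user"], e["uid"], e["shell"]) for e in events if e["kind"] == "new_user"]


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    print("brute-force IPs   :", brute_force_ips(ev))
    print("failed root per IP:", dict(failed_root_by_ip(ev)))
    print("accepted per IP   :", dict(accepted_by_ip(ev)))
    print("usernames tried   :", dict(usernames_tried(ev)))
    print("new users         :", new_users(ev))
    # On the real host: parse_auth_log(open("/var/log/auth.log.1", errors="replace").read())
```

Opening the real file with errors="replace" plays the role of grep's -a flag: auth.log.1 may contain non-UTF-8 bytes, and without it the read would abort instead of skipping the bad characters.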
Posted @ 2024-07-29 16:53 by Fxe0_0