Common commands and methods for checking whether a Linux server has been compromised
1. Use the last command to view the login records of users on the server.
[root@centos8 ~]# last
rusking  pts/2        192.168.1.102    Sun Aug 23 18:38   still logged in
rusking  pts/2        192.168.1.102    Sun Aug 23 18:08 - 18:14  (00:05)
rusking  pts/2        192.168.1.102    Sun Aug 23 18:05 - 18:07  (00:01)
rusking  pts/2        192.168.1.102    Sun Aug 23 17:38 - 17:58  (00:19)
rusking  pts/2        192.168.1.102    Sun Aug 23 16:41 - 17:38  (00:56)
rusking  pts/1        192.168.1.82     Sun Aug 23 16:33   still logged in
root     web console                   Sun Aug 23 15:03 - 15:18  (00:15)
rusking  pts/0        192.168.1.82     Sun Aug 23 14:49   still logged in
root     tty1                          Sun Aug 23 14:49   still logged in
reboot   system boot  4.18.0-193.14.2. Sun Aug 23 14:48   still running
rusking  pts/0        192.168.1.82     Sat Aug 15 09:07 - 18:30  (2+09:22)
rusking  tty1                          Sat Aug 15 09:07 - crash  (8+05:40)
reboot   system boot  4.18.0-193.14.2. Sat Aug 15 09:06   still running
2. Use the who command to view the currently logged-in users.
[root@centos8 ~]# who -a
           system boot  2020-08-23 14:48
root     + tty1         2020-08-23 14:49  03:59        2059
rusking  + pts/0        2020-08-23 14:49  00:51        3193 (192.168.1.82)
           web console  2020-08-23 15:18              9190 id=919  term=0 exit=0
rusking  + pts/1        2020-08-23 16:33   .           3193 (192.168.1.82)
rusking  + pts/2        2020-08-23 18:38  00:10       96080 (192.168.1.102)
3. Check the command execution history.
# tail -n 200 ~/.bash_history | more    # view the current account's command history; -n 200 shows the most recent 200 entries.
# tail -n 200 /home/rusking/.bash_history | more    # view the command history of the user named rusking; replace rusking with any other user name.
4. Find files modified within the last 2 days
# find /etc /var -mtime -2
5. Use the netstat command to view the connection status of each local port.
# netstat -aplunt    common usage; pay attention to the LISTEN and ESTABLISHED entries.
[root@centos8 ~]# netstat -aplunt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9090            0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      1972/systemd-resolv
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      2400/dnsmasq
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1415/cupsd
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      1414/sshd
tcp        0    248 192.168.1.101:8888      192.168.1.82:54949      ESTABLISHED 3193/sshd: rusking
tcp        0      0 192.168.1.101:8888      192.168.1.102:53426     ESTABLISHED 96080/sshd: rusking
udp        0      0 0.0.0.0:45742           0.0.0.0:*                           1029/avahi-daemon:
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1029/avahi-daemon:
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           1972/systemd-resolv
udp        0      0 192.168.122.1:53        0.0.0.0:*                           2400/dnsmasq
udp        0      0 127.0.0.53:53           0.0.0.0:*                           1972/systemd-resolv
udp        0      0 0.0.0.0:67              0.0.0.0:*                           2400/dnsmasq
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1/systemd
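Reading netstat output by eye does not scale, so as an added example (not part of the original article) the following script diffs the listening sockets in netstat -aplunt output against a known-good baseline and prints only what is unexpected. The sample input is a subset of the listing above; the baseline of expected listeners is an assumption made for the demo.

```shell
#!/bin/sh
# Added example, not from the original article. Compare listening sockets in
# `netstat -aplunt` output against a known-good baseline and print the rest.
# Sample input is a subset of the article's own netstat listing; the baseline
# (which listeners are expected on this host) is assumed for illustration.

NETSTAT_SAMPLE="${TMPDIR:-/tmp}/netstat.sample.$$"
trap 'rm -f "$NETSTAT_SAMPLE"' EXIT
cat > "$NETSTAT_SAMPLE" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9090            0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1415/cupsd
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      1414/sshd
tcp        0    248 192.168.1.101:8888      192.168.1.82:54949      ESTABLISHED 3193/sshd: rusking
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1029/avahi-daemon:
udp        0      0 127.0.0.53:53           0.0.0.0:*                           1972/systemd-resolv
EOF

# Expected listeners, one "proto port program" per line (assumed baseline).
BASELINE='tcp 8888 sshd
tcp 9090 systemd
tcp 111 systemd
udp 53 systemd-resolv'

# unexpected_listeners FILE BASELINE: print "proto port pid/program" for every
# listening socket (TCP in LISTEN state, or any UDP socket) not in BASELINE.
unexpected_listeners() {
    awk -v base="$2" '
        BEGIN { n = split(base, b, "\n"); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ && ($1 ~ /^udp/ || $6 == "LISTEN") {
            proto = $1; sub(/6$/, "", proto)          # treat tcp6/udp6 like tcp/udp
            port = $4; sub(/.*:/, "", port)           # text after the last colon
            pp = ""                                   # the "pid/program" column
            for (i = 5; i <= NF; i++) if ($i ~ /^[0-9]+\//) { pp = $i; break }
            prog = pp; sub(/^[0-9]+\//, "", prog); sub(/:$/, "", prog)
            key = proto " " port " " prog
            if (!(key in ok)) print proto, port, pp
        }' "$1"
}

# Demo run on the sample; for a live host feed it `netstat -aplunt` output instead.
unexpected_listeners "$NETSTAT_SAMPLE" "$BASELINE"
```

Anything printed (here cupsd on tcp/631 and avahi-daemon on udp/5353, which the assumed baseline does not list) is what to investigate with lsof -p and ps.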
6. Use the lsof command to view open files.
# lsof -i
# lsof -p pid
[root@centos8 ~]# lsof -i
COMMAND     PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd       1            root   42u  IPv4  18941      0t0  TCP *:sunrpc (LISTEN)
systemd       1            root   43u  IPv4  18942      0t0  UDP *:sunrpc
systemd       1            root   51u  IPv4  22690      0t0  TCP *:websm (LISTEN)
rpcbind     960             rpc    4u  IPv4  18941      0t0  TCP *:sunrpc (LISTEN)
rpcbind     960             rpc    5u  IPv4  18942      0t0  UDP *:sunrpc
avahi-dae  1029           avahi   15u  IPv4  25088      0t0  UDP *:mdns
avahi-dae  1029           avahi   16u  IPv4  25099      0t0  UDP *:45742
sshd       1414            root    5u  IPv4  27123      0t0  TCP *:ddi-tcp-1 (LISTEN)
cupsd      1415            root   10u  IPv4  27305      0t0  TCP localhost:ipp (LISTEN)
systemd-r  1972 systemd-resolve   12u  IPv4  29589      0t0  UDP *:hostmon
systemd-r  1972 systemd-resolve   13u  IPv4  29590      0t0  TCP *:hostmon (LISTEN)
systemd-r  1972 systemd-resolve   16u  IPv4  29593      0t0  UDP 127.0.0.53:domain
dnsmasq    2400         dnsmasq    3u  IPv4  32237      0t0  UDP *:bootps
dnsmasq    2400         dnsmasq    5u  IPv4  32240      0t0  UDP centos8.test.com:domain
dnsmasq    2400         dnsmasq    6u  IPv4  32241      0t0  TCP centos8.test.com:domain (LISTEN)
sshd       3193            root    5u  IPv4  34113      0t0  TCP centos8.test.com:ddi-tcp-1->UltraPower:54949 (ESTABLISHED)
sshd       3210         rusking    5u  IPv4  34113      0t0  TCP centos8.test.com:ddi-tcp-1->UltraPower:54949 (ESTABLISHED)
sshd      96080            root    5u  IPv4 252937      0t0  TCP centos8.test.com:ddi-tcp-1->192.168.1.102:53426 (ESTABLISHED)
sshd      96083         rusking    5u  IPv4 252937      0t0  TCP centos8.test.com:ddi-tcp-1->192.168.1.102:53426 (ESTABLISHED)
[root@centos8 ~]# lsof -p 96083
COMMAND   PID    USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
sshd    96083 rusking  cwd    DIR  253,0      265      128 /
sshd    96083 rusking  rtd    DIR  253,0      265      128 /
sshd    96083 rusking  txt    REG  253,0  1228192  3786429 /usr/sbin/sshd
sshd    96083 rusking  mem    REG  253,0   906648   640148 /usr/lib64/libnss_systemd.so.2
sshd    96083 rusking  mem    REG  253,0 10406312 34621674 /var/lib/sss/mc/initgroups
......
7. Use the ps command to view information about the processes currently running on the system.
# ps -aux
[root@centos8 ~]# ps -aux | grep rusking
root       3193  0.0  0.3 161180 10768 ?        Ss   14:49   0:00 sshd: rusking [priv]
rusking    3197  0.0  0.3  93812  9400 ?        Ss   14:49   0:00 /usr/lib/systemd/systemd --user
rusking    3199  0.0  0.1 251456  3760 ?        S    14:49   0:00 (sd-pam)
rusking    3208  0.0  0.3 300224  9324 ?        Ssl  14:49   0:00 /usr/bin/pulseaudio --daemonize=no
rusking    3210  0.0  0.2 161180  6084 ?        S    14:49   0:01 sshd: rusking@pts/0,pts/1
rusking    3211  0.0  0.1  24696  5432 pts/0    Ss   14:49   0:00 -bash
rusking    3266  0.0  0.1  74292  4480 ?        Ss   14:49   0:00 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
rusking   46209  0.0  0.1  24696  5220 pts/1    Ss   16:33   0:00 -bash
root      96080  0.0  0.3 161180 10760 ?        Ss   18:38   0:00 sshd: rusking [priv]
rusking   96083  0.0  0.1 161180  5352 ?        S    18:38   0:00 sshd: rusking@pts/2
rusking   96084  0.0  0.1  24712  5336 pts/2    Ss+  18:38   0:00 -bash
root     102735  0.0  0.0  12108  1072 pts/1    S+   18:55   0:00 grep --color=auto rusking
8. Use the top or htop command to view how much CPU and memory each process consumes.
Pay attention to processes with high CPU or memory usage.
[root@centos8 ~]# top
top - 18:56:58 up  4:08,  4 users,  load average: 0.00, 0.00, 0.00
Tasks: 145 total,   1 running, 144 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.2 us,  0.3 sy,  0.0 ni, 99.2 id,  0.0 wa,  0.2 hi,  0.2 si,  0.0 st
MiB Mem :   2834.8 total,   1845.2 free,    301.6 used,    688.0 buff/cache
MiB Swap:   3072.0 total,   3072.0 free,      0.0 used.   2356.1 avail Mem

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
 103380 root      20   0   64536   4452   3768 R   0.3   0.2   0:00.01 top
      1 root      20   0  177912  11676   8100 S   0.0   0.4   0:11.04 systemd
      2 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kthreadd
      3 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_gp
      4 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_par_gp
      6 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kworker/0:0H-kblockd
      8 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 mm_percpu_wq
      9 root      20   0       0      0      0 S   0.0   0.0   0:00.25 ksoftirqd/0
     10 root      20   0       0      0      0 I   0.0   0.0   0:01.49 rcu_sched
     11 root      rt   0       0      0      0 S   0.0   0.0   0:00.03 migration/0
     12 root      rt   0       0      0      0 S   0.0   0.0   0:00.01 watchdog/0
     13 root      20   0       0      0      0 S   0.0   0.0   0:00.00 cpuhp/0
     14 root      20   0       0      0      0 S   0.0   0.0   0:00.00 cpuhp/1
     15 root      rt   0       0      0      0 S   0.0   0.0   0:00.01 watchdog/1
     16 root      rt   0       0      0      0 S   0.0   0.0   0:00.04 migration/1
     17 root      20   0       0      0      0 S   0.0   0.0   0:00.15 ksoftirqd/1
     19 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kworker/1:0H-kblockd
...
9. Check the SSH login logs.
On CentOS/RHEL Linux, check the secure and audit logs.
/var/log/secure
Keyword: "Accepted password"
/var/log/audit/audit.log
Keyword: "type=USER_AUTH"
On other Linux distributions, check the auth.log log
/var/log/auth.log
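Grepping for "Accepted password" shows individual events; what an investigator usually wants is a per-source summary of successes and failures. The script below is an added example (not part of the original article) that builds that summary from sshd lines in /var/log/secure or /var/log/auth.log. The log lines are constructed for the demo, and 203.0.113.0/24 is a documentation address range used only as a placeholder.

```shell
#!/bin/sh
# Added example, not from the original article. Summarise sshd authentication
# events from /var/log/secure (CentOS/RHEL) or /var/log/auth.log (Debian/Ubuntu)
# by outcome and source address. The log lines below are constructed for the
# demo; 203.0.113.0/24 is a documentation range, not a real source.

SAMPLE_LOG="${TMPDIR:-/tmp}/secure.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Aug 23 16:33:02 centos8 sshd[3193]: Accepted password for rusking from 192.168.1.82 port 54949 ssh2
Aug 23 18:37:41 centos8 sshd[96001]: Failed password for root from 203.0.113.5 port 40110 ssh2
Aug 23 18:37:43 centos8 sshd[96003]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Aug 23 18:37:45 centos8 sshd[96005]: Failed password for invalid user test from 203.0.113.5 port 40114 ssh2
Aug 23 18:38:10 centos8 sshd[96080]: Accepted password for rusking from 192.168.1.102 port 53426 ssh2
Aug 23 18:40:02 centos8 sshd[96200]: Accepted publickey for rusking from 192.168.1.82 port 55001 ssh2: RSA SHA256:constructed
EOF

# ssh_accepted_by_source FILE: one "method user source count" line per distinct
# successful login. The user is the word before "from", which also covers the
# "for invalid user X from ..." form that sshd uses for unknown accounts.
ssh_accepted_by_source() {
    awk '/sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "from") { usr = $(i-1); src = $(i+1) }
            n[$7 " " usr " " src]++
         }
         END { for (k in n) print k, n[k] }' "$1" | sort
}

# ssh_failed_by_source FILE: one "source count" line per source with failed
# password attempts.
ssh_failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (k in n) print k, n[k] }' "$1" | sort
}

# ssh_bruteforce_sources FILE [THRESHOLD]: sources with at least THRESHOLD
# failures (default 3); a success from one of these sources deserves a closer look.
ssh_bruteforce_sources() {
    ssh_failed_by_source "$1" | awk -v t="${2:-3}" '$2 >= t { print $1 }'
}

echo "== accepted logins";   ssh_accepted_by_source "$SAMPLE_LOG"
echo "== failures by source"; ssh_failed_by_source "$SAMPLE_LOG"
echo "== >= 3 failures";      ssh_bruteforce_sources "$SAMPLE_LOG" 3
```

On a real host pass /var/log/secure or /var/log/auth.log in place of the sample file; rotated logs (secure-YYYYMMDD, auth.log.1) can be concatenated first.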
10. Check whether the following directories contain unusual files.
# ls /tmp/ -la
# ls /dev/shm -la
# ls /var/tmp -la
11. Check the cron job configuration files for abnormal jobs
# crontab -l
# cat /etc/crontab
# ls -d /etc/cron*    check all of the following directories for unusual files, and whether the contents of these files have been modified.
cron.d/ cron.daily/ cron.deny cron.hourly/ cron.monthly/ crontab cron.weekly/
12. Use the nmap command to view open ports
# nmap localhost    watch for ports that are open unexpectedly.
[root@centos8 ~]# nmap localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-23 19:00 +04
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000080s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 996 closed ports
PORT     STATE SERVICE
111/tcp  open  rpcbind
631/tcp  open  ipp
8888/tcp open  sun-answerbook
9090/tcp open  zeus-admin

Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds