
[转载代码] Linux应急处置/信息搜集/漏洞检测Shell脚本

Linux应急处置/信息搜集/漏洞检测工具,支持基础配置/网络流量/任务计划/环境变量/用户信息/Services/bash/恶意文件/内核Rootkit/SSH/Webshell/挖矿文件/挖矿进程/供应链/服务器风险等13类70+项检查

【使用方法】

联网状态:

  • apt-get install silversearcher-ag
  • yum -y install the_silver_searcher


离线状态:

  • Debian:dpkg -i silversearcher-ag_2.2.0-1+b1_amd64.deb
  • Centos:rpm -ivh the_silver_searcher-2.1.0-1.el7.x86_64.rpm


  1. git clone https://github.com/al0ne/LinuxCheck.git
  2. chmod u+x LinuxCheck.sh
  3. ./LinuxCheck.sh


如果已经安装了ag和rkhunter可以直接使用以下命令:
  1. bash -c "$(curl -sSL https://raw.githubusercontent.com/al0ne/LinuxCheck/master/LinuxCheck.sh)"

文件会保存成ipaddr_hostname_username_timestamp.log 这种格式

LinuxCheck.sh
  1. #!/usr/bin/env bash
  # Start-up banner, printed once before any check runs. printf '%s' keeps
  # every character literal (including the backslash in the title line).
  printf '\n'
  printf '%s\n' \
    " ========================================================= " \
    " \        Linux应急处置/信息搜集/漏洞检测脚本 V2.3      / " \
    " ========================================================= " \
    " # 支持Centos、Debian系统检测                    " \
    " # author:al0ne                    " \
    " # https://github.com/al0ne                    " \
    " # 更新日期:2022年08月5日                    " \
    " # 参考来源:                " \
    " #   1.Gscan https://github.com/grayddq/GScan  " \
    " #   2.Lynis https://github.com/CISOfy/lynis  "
  printf '\n\n'
  # Changelog 2022-08-05
  #### Fixed the kernel-module check producing too much log output
  # Changelog 2022-03-07
  #### Added SSH soft-link backdoor detection
  # Changelog 2021-10-17
  #### Added Ntpclient/WorkMiner/TeamTNT miner detection
  #### Added Rootkit module detection logic
  #### Added Python pip poisoning detection
  #### Added $HOME/.profile review
  #### Added server risk check (Redis)
  # Web root searched by the webshell check. The default '/' walks the whole
  # filesystem and is slow; point it at the real document root when known.
  webpath='/'
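  #######################################
  # Print a red "[+]"-tagged status line to stdout.
  # Arguments: $1 - message text, printed literally
  # Outputs:   the coloured line on stdout
  #######################################
  print_msg() {
    # Fixed format string: the message is never parsed as printf directives
    # or as echo -e escapes, so a message containing "%" or "\n" prints as-is.
    printf '\e[00;31m[+]%s\e[00m\n' "$1"
  }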
  ### 1. Environment check ###
  print_msg "环境检测"
  # The checks read /proc, /var/log and other users' files, so anything but
  # root is refused up front.
  if [[ $UID -ne 0 ]]; then
    print_msg "请使用root权限运行!"
    exit 1
  fi
  print_msg "当前为root权限"
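  # Classify the host by package-manager family: 'Debian' (apt) or 'Centos'
  # (yum). Anything else aborts, because the tool installation below and the
  # log paths in ssh_check depend on it.
  OS='None'
  if [ -e "/etc/os-release" ]; then
    # shellcheck disable=SC1091
    source /etc/os-release
    case "${ID:-}" in
    "debian" | "ubuntu" | "devuan")
      OS='Debian'
      ;;
    # the previous pattern "rhel fedora" was one string and could never match
    "centos" | "rhel" | "fedora")
      OS='Centos'
      ;;
    *)
      # Derivatives advertise their parent family in ID_LIKE (space-separated).
      case " ${ID_LIKE:-} " in
      *" debian "* | *" ubuntu "*) OS='Debian' ;;
      *" rhel "* | *" fedora "* | *" centos "*) OS='Centos' ;;
      esac
      ;;
    esac
  fi
  if [ "$OS" = 'None' ]; then
    # Fall back to whichever package manager is on PATH.
    if command -v apt-get >/dev/null 2>&1; then
      OS='Debian'
    elif command -v yum >/dev/null 2>&1; then
      OS='Centos'
    else
      echo -e "\n不支持这个系统\n"
      echo -e "已退出"
      exit 1
    fi
  fi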
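  # Tools the later checks rely on. NOTE(review): installing packages changes
  # the host under investigation (package database, mtimes, logs) and needs
  # network access; image the disk first when evidence must be preserved.
  cmdline=(
    "net-tools"
    "telnet"
    "nc"
    "lrzsz"
    "wget"
    "strace"
    "traceroute"
    "htop"
    "tar"
    "lsof"
    "tcpdump"
  )
  # Returns 0 when package $1 is installed. Queries the package database
  # directly instead of grepping localized "not installed" messages.
  # Globals: OS (read)
  _pkg_installed() {
    if [ "$OS" = 'Centos' ]; then
      rpm -q "$1" >/dev/null 2>&1
    else
      dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q 'install ok installed'
    fi
  }
  # Installs package $1 quietly with the distribution's package manager.
  # Globals: OS (read)
  _pkg_install() {
    if [ "$OS" = 'Centos' ]; then
      yum install -y "$1" >/dev/null 2>&1
    else
      apt install -y "$1" >/dev/null 2>&1
    fi
  }
  for prog in "${cmdline[@]}"; do
    if ! _pkg_installed "$prog"; then
      echo -e "$prog 安装中......"
      _pkg_install "$prog"
    fi
  done
  # ag (the_silver_searcher) is used by nearly every check; previously it was
  # only installed as a side effect of some other package being missing.
  if ! command -v ag >/dev/null 2>&1; then
    if [ "$OS" = 'Centos' ]; then
      _pkg_install the_silver_searcher
    else
      _pkg_install silversearcher-ag
    fi
  fi
  echo -e "\n"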
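  # Report files: "$filename" receives the full inventory, "$vuln" only the
  # findings worth a closer look. Both share one <ip>_<host>_<user>_<epoch>
  # prefix so they sort next to each other.
  # First global IPv4 address. The previous ag lookahead '(?=\/2)' only
  # matched /2x prefixes, leaving the name empty on /8, /16 or /32 hosts.
  ipaddress=$(ip -4 -o addr show scope global 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n 1)
  # one timestamp for both names, so they cannot straddle a second boundary
  timestamp=$(date +%s)
  filename="${ipaddress}_$(hostname)_$(whoami)_${timestamp}_log.log"
  # "$ipaddress_" used to be parsed as the (unset) variable ipaddress_, so the
  # vuln log silently lost its IP prefix.
  vuln="${ipaddress}_$(hostname)_$(whoami)_${timestamp}_vuln.log"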
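  #######################################
  # Section 1: basic host inventory (identity, load, top processes, memory,
  # disks, installed tooling, /etc/hosts).
  # Globals:  filename (read), ipaddress (overwritten with the full address list),
  #           cmdline, cpu, mem (written)
  # Outputs:  everything is echoed and appended to "$filename"
  #######################################
  base_check() {
    echo -e "############ 基础配置检查 ############\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]系统信息\e[00m" | tee -a "$filename"
    echo -e "USER:\t\t$(whoami)" 2>/dev/null | tee -a "$filename"
    echo -e "OS Version:\t$(uname -r)" | tee -a "$filename"
    echo -e "Hostname: \t$(hostname -s)" | tee -a "$filename"
    # chassis serial from DMI; usually empty inside VMs and containers
    echo -e "服务器SN: \t$(dmidecode -t1 2>/dev/null | ag -o '(?<=Serial Number: ).*')" | tee -a "$filename"
    echo -e "Uptime: \t$(uptime | awk -F ',' '{print $1}')" | tee -a "$filename"
    # "load average: a, b, c" is always the tail of uptime's output; selecting
    # it by text is independent of how many columns precede it
    echo -e "系统负载: \t$(uptime | sed -n 's/.*\(load average: .*\)/\1/p')" | tee -a "$filename"
    echo -e "CPU info:\t$(ag -o '(?<=model name\t: ).*' </proc/cpuinfo | head -n 1)" | tee -a "$filename"
    # grep -c counts the processor lines directly (no cat|sort|uniq|wc chain)
    echo -e "CPU 核心:\t$(grep -c '^processor' /proc/cpuinfo)" | tee -a "$filename"
    # all non-loopback IPv4 addresses; ip(8) first because ifconfig is absent
    # on many current installs, ifconfig as the fallback
    ipaddress=$(ip -4 -o addr show 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | grep -v '^127\.')
    if [ -z "$ipaddress" ]; then
      ipaddress=$(ifconfig 2>/dev/null | ag -o '(?<=inet |inet addr:)\d+\.\d+\.\d+\.\d+' | ag -v '127.0.0.1')
    fi
    echo -e "IPADDR:\t\t${ipaddress}" | sed ":a;N;s/\n/ /g;ta" | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]CPU使用率:  \e[00m" | tee -a "$filename"
    # one awk pass over /proc/stat instead of one awk process per core;
    # column 5 is the idle counter
    awk '$0 ~ /cpu[0-9]/ {total=$2+$3+$4+$5+$6+$7+$8; free=$5;
      print $1" Free "free/total*100"%", "Used "(total-free)/total*100"%"}' /proc/stat 2>/dev/null | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]登陆用户\e[00m" | tee -a "$filename"
    who | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    # top 15 processes by CPU (column 3) and by memory (column 4)
    cpu=$(ps aux 2>/dev/null | grep -v '^USER' | sort -rn -k3 | head -15)
    echo -e "\e[00;31m[+]CPU TOP15:  \e[00m\n${cpu}\n" | tee -a "$filename"
    mem=$(ps aux 2>/dev/null | grep -v '^USER' | sort -rn -k4 | head -15)
    echo -e "\e[00;31m[+]内存占用 TOP15:  \e[00m\n${mem}\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]内存占用\e[00m" | tee -a "$filename"
    free -mh | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]剩余空间\e[00m" | tee -a "$filename"
    df -mh | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]硬盘挂载\e[00m" | tee -a "$filename"
    ag -v "#" </etc/fstab | awk '{print $1,$2,$3}' | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]常用软件\e[00m" | tee -a "$filename"
    # interpreters, compilers, servers and transfer tools; only those found on
    # PATH are listed, by basename
    cmdline=(
      "perl" "gcc" "g++" "python" "php" "cc" "go" "node" "nodejs" "bind"
      "tomcat" "clang" "ruby" "curl" "wget" "mysql" "redis" "ssserver"
      "vsftpd" "java" "apache" "apache2" "nginx" "git" "mongodb" "docker"
      "tftp" "psql" "kafka"
    )
    for prog in "${cmdline[@]}"; do
      soft=$(command -v "$prog" 2>/dev/null)
      if [ -n "$soft" ]; then
        # basename via parameter expansion: the previous `ag -o '\w+$'` lost
        # names ending in non-word characters such as g++
        echo "${soft##*/}" | tee -a "$filename"
      fi
    done
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]/etc/hosts \e[00m" | tee -a "$filename"
    ag -v "#" </etc/hosts | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
  }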
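  #######################################
  # Section 2: interfaces, traffic counters, listening/open ports, established
  # connections, routing, DNS, ARP, promiscuous mode and iptables rules.
  # Globals:  filename (read)
  # Outputs:  everything is echoed and appended to "$filename"
  #######################################
  network_check() {
    echo -e "############ 网络/流量检查 ############\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]ifconfig\e[00m" | tee -a "$filename"
    # ifconfig/route come from net-tools (installed above); ip(8) is the
    # fallback when they are still missing
    { /sbin/ifconfig -a 2>/dev/null || ip addr; } | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]网络流量 \e[00m" | tee -a "$filename"
    echo "Interface    ByteRec   PackRec   ByteTran   PackTran" | tee -a "$filename"
    # /proc/net/dev: two header lines, then "iface: <8 rx columns> <8 tx
    # columns>"; turning the colon into a space re-splits the line so that
    # $2/$3 are rx bytes/packets and $10/$11 tx bytes/packets
    awk 'NR>2 {sub(/:/, " "); print $1"   "$2 "    "$3"   "$10"  "$11}' /proc/net/dev | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]端口监听\e[00m" | tee -a "$filename"
    netstat -tulpen | ag 'tcp|udp.*' --nocolor | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    # sockets bound to a wildcard address are reachable from outside the host
    echo -e "\e[00;31m[+]对外开放端口\e[00m" | tee -a "$filename"
    netstat -tulpen | awk '{print $1,$4}' | ag -o '.*0.0.0.0:(\d+)|:::\d+' --nocolor | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]网络连接\e[00m" | tee -a "$filename"
    netstat -antop | ag ESTAB --nocolor | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]TCP连接状态\e[00m" | tee -a "$filename"
    netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}' | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]路由表\e[00m" | tee -a "$filename"
    { /sbin/route -nee 2>/dev/null || ip route; } | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]路由转发\e[00m" | tee -a "$filename"
    # the sysctl file holds a single 0 or 1; no more|awk needed
    if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]; then
      echo "/proc/sys/net/ipv4/ip_forward 已开启路由转发" | tee -a "$filename"
    else
      echo "该服务器未开启路由转发" | tee -a "$filename"
    fi
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]DNS Server\e[00m" | tee -a "$filename"
    ag -o '\d+\.\d+\.\d+\.\d+' --nocolor </etc/resolv.conf | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]ARP\e[00m" | tee -a "$filename"
    arp -n -a 2>/dev/null | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    # PROMISC on an interface usually means a sniffer is attached to it
    echo -e "\e[00;31m[+]网卡混杂模式\e[00m" | tee -a "$filename"
    if ip link | ag PROMISC >/dev/null 2>&1; then
      echo "网卡存在混杂模式!" | tee -a "$filename"
    else
      echo "网卡不存在混杂模式" | tee -a "$filename"
    fi
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]IPTABLES防火墙\e[00m" | tee -a "$filename"
    # -n: without it iptables resolves every address, which is slow and sends
    # DNS queries from the host being examined
    iptables -L -n 2>/dev/null | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
  }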
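  #######################################
  # Section 3: scheduled tasks. Per-user crontabs and the /etc/cron* tree go
  # to "$filename"; cron lines that look like persistence also go to "$vuln".
  # Globals:  filename, vuln (read)
  #######################################
  crontab_check() {
    echo -e "############ 任务计划检查 ############\n" | tee -a "$filename" | tee -a "$vuln"
    echo -e "\e[00;31m[+]Crontab\e[00m" | tee -a "$filename"
    # every account, not just root: a backdoor cron entry is often planted
    # under a service user; each line is prefixed with its owner
    while IFS=: read -r user _; do
      crontab -u "$user" -l 2>/dev/null | ag -v '#' --nocolor | awk -v u="$user" '{print u": "$0}' | tee -a "$filename"
    done </etc/passwd
    ls -alht /etc/cron.*/* /etc/crontab /etc/anacrontab 2>/dev/null | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]Crontab Backdoor \e[00m" | tee -a "$vuln"
    # commands that rarely belong in a cron job: account changes, downloaders,
    # interactive shells
    ag '((?:useradd|groupadd|chattr)|(?:wget\s|curl\s|tftp\s\-i|scp\s|sftp\s)|(?:bash\s\-i|fsockopen|nc\s\-e|sh\s\-i|\"/bin/sh\"|\"/bin/bash\"))' /etc/cron* /var/spool/cron/* --nocolor 2>/dev/null | tee -a "$vuln"
    echo -e "\n" | tee -a "$vuln"
  }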
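  #######################################
  # Section 4: environment. The full environment and PATH go to "$filename";
  # the loader/prompt hook variables and /etc/ld.so.preload go to "$vuln".
  # Globals:  filename, vuln (read)
  # NOTE(review): `env` dumps every variable, which may include credentials
  # (API tokens, passwords); treat the report file accordingly.
  #######################################
  env_check() {
    echo -e "############ 环境变量检查 ############\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]env\e[00m" | tee -a "$filename"
    env | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]PATH\e[00m" | tee -a "$filename"
    echo "$PATH" | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    # Any non-empty value here needs an explanation: these variables make the
    # loader or the shell run extra code in every new process.
    local var
    for var in LD_PRELOAD LD_ELF_PRELOAD LD_AOUT_PRELOAD PROMPT_COMMAND LD_LIBRARY_PATH; do
      echo -e "\e[00;31m[+]${var}\e[00m" | tee -a "$vuln"
      # quoted indirect expansion keeps the raw value; the previous unquoted
      # echo let the shell split and glob it
      echo "${!var}" | tee -a "$vuln"
      echo -e "\n" | tee -a "$vuln"
    done
    echo -e "\e[00;31m[+]ld.so.preload\e[00m" | tee -a "$vuln"
    local preload='/etc/ld.so.preload'
    if [ -e "${preload}" ]; then
      tee -a "$vuln" <"${preload}"
    fi
    echo -e "\n" | tee -a "$vuln"
  }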
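  #######################################
  # Section 5: accounts and logins. Login-capable users, sudoers and login
  # history go to "$filename"; UID-0 and empty-password accounts to "$vuln".
  # Globals:  filename, vuln (read)
  #######################################
  user_check() {
    echo -e "############ 用户信息检查 ############\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]可登陆用户\e[00m" | tee -a "$filename"
    ag -v 'nologin$|false$' </etc/passwd | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    # a second UID-0 account is a classic way of keeping root access
    echo -e "\e[00;31m[+]UID为0的用户\e[00m" | tee -a "$vuln"
    awk -F: '$3 == 0 {print $1}' /etc/passwd | tee -a "$vuln"
    echo -e "\n" | tee -a "$vuln"
    # an empty password field in /etc/shadow means no password is required
    echo -e "\e[00;31m[+]空密码用户\e[00m" | tee -a "$vuln"
    awk -F: '$2 == "" {print $1}' /etc/shadow 2>/dev/null | tee -a "$vuln"
    echo -e "\n" | tee -a "$vuln"
    echo -e "\e[00;31m[+]passwd文件修改日期: \e[00m $(stat /etc/passwd | ag -o '(?<=Modify: ).*' --nocolor)" | tee -a "$filename"
    echo -e "\e[00;31m[+]shadow文件修改日期: \e[00m $(stat /etc/shadow 2>/dev/null | ag -o '(?<=Modify: ).*' --nocolor)" | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]sudoers(请注意NOPASSWD)\e[00m" | tee -a "$filename"
    # drop-ins under /etc/sudoers.d grant exactly the same power as the main file
    cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | ag -v '#' | sed -e '/^$/d' | ag ALL --nocolor | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]登录信息\e[00m" | tee -a "$filename"
    w | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    last | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    lastlog | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    # source addresses of accepted SSH logins (secure on RHEL, auth.log on Debian)
    echo "登陆ip: $(ag -a accepted /var/log/secure /var/log/auth.* 2>/dev/null | ag -o '\d+\.\d+\.\d+\.\d+' | sort -u)" | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
  }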
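  #######################################
  # Section 6: systemd units that are running, and the unit files most
  # recently added under /etc/systemd/system.
  # Globals:  filename (read)
  #######################################
  service_check() {
    echo -e "############ 服务状态检查 ############\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]正在运行的Service \e[00m" | tee -a "$filename"
    # ask systemd for running units directly; a plain `grep running` over the
    # default listing also matched the word inside unit descriptions
    systemctl list-units --state=running --no-legend --plain 2>/dev/null | awk '{print $1}' | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]最近添加的Service \e[00m" | tee -a "$filename"
    # newest first (-t): a freshly dropped-in unit file floats to the top
    ls -alhtR /etc/systemd/system/multi-user.target.wants 2>/dev/null | tee -a "$filename"
    ls -alht /etc/systemd/system/*.service 2>/dev/null | ag -v 'dbus-org' | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
  }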
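  #######################################
  # Section 7: shell history, shell start-up files (persistence points) and
  # live interactive shells holding a network socket.
  # Globals:  filename, vuln (read), HOME (read)
  #######################################
  bash_check() {
    echo -e "######Bash配置检查######\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]History\e[00m" | tee -a "$filename"
    # root's and every home directory's history files
    ls -alht /root/.*_history /home/*/.*_history 2>/dev/null | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    # history lines of interest: raw IPv4 addresses, URLs, transfer and
    # privilege tools; the second ag drops noise from everyday commands
    cat ~/.*history 2>/dev/null | ag '(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9])|http://|https://|\bssh\b|\bscp\b|\.tar|\bwget\b|\bcurl\b|\bnc\b|\btelnet\b|\bbash\b|\bsh\b|\bchmod\b|\bchown\b|/etc/passwd|/etc/shadow|/etc/hosts|\bnmap\b|\bfrp\b|\bnfs\b|\bsshd\b|\bmodprobe\b|\blsmod\b|\bsudo\b' --nocolor | ag -v 'man\b|ag\b|cat\b|sed\b|git\b|docker\b|rm\b|touch\b|mv\b|\bapt\b|\bapt-get\b' | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    # Start-up files are read on every login/shell start, so a line added to
    # any of them is a persistence point. Missing files are skipped instead
    # of producing cat errors.
    echo -e "\e[00;31m[+]/etc/profile \e[00m" | tee -a "$filename"
    if [ -e /etc/profile ]; then
      ag -v '#' </etc/profile | tee -a "$filename"
    fi
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]\$HOME/.profile \e[00m" | tee -a "$filename"
    if [ -e "$HOME/.profile" ]; then
      ag -v '#' <"$HOME/.profile" | tee -a "$filename"
    fi
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]/etc/rc.local \e[00m" | tee -a "$filename"
    if [ -e /etc/rc.local ]; then
      ag -v '#' </etc/rc.local | tee -a "$filename"
    fi
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]~/.bash_profile \e[00m" | tee -a "$filename"
    if [ -e "$HOME/.bash_profile" ]; then
      ag -v '#' <"$HOME/.bash_profile" | tee -a "$filename"
    fi
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]~/.bashrc \e[00m" | tee -a "$filename"
    if [ -e "$HOME/.bashrc" ]; then
      ag -v '#' <"$HOME/.bashrc" | tee -a "$filename"
    fi
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]bash反弹shell \e[00m" | tee -a "$vuln"
    # an interactive bash whose process holds an ESTABLISHED socket is the
    # signature of a reverse shell; -I{} replaces the obsolete -i{} and -r
    # skips lsof when no candidate pid was found
    ps -ef | ag 'bash -i' | ag -v 'ag' | awk '{print $2}' | xargs -r -I{} lsof -p {} 2>/dev/null | ag 'ESTAB' --nocolor | tee -a "$vuln"
    echo -e "\n" | tee -a "$vuln"
  }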
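  #######################################
  # Section 8: file-system indicators. Modification times of key binaries,
  # hidden names, /tmp, SUID files, deleted-but-open files, recent changes,
  # large archives, and known attack-tool names.
  # Globals:  filename, vuln (read), cmdline (overwritten)
  #######################################
  file_check() {
    echo -e "############ 文件检查 ############\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]系统文件修改时间 \e[00m" | tee -a "$vuln"
    # binaries and credential files commonly replaced by rootkits or edited
    # for persistence; a recent mtime here deserves a hash comparison against
    # the package manager's copy
    cmdline=(
      "/sbin/ifconfig"
      "/bin/ls"
      "/bin/login"
      "/bin/netstat"
      "/bin/top"
      "/bin/ps"
      "/bin/find"
      "/bin/grep"
      "/etc/passwd"
      "/etc/shadow"
      "/usr/bin/curl"
      "/usr/bin/wget"
      "/root/.ssh/authorized_keys"
    )
    for soft in "${cmdline[@]}"; do
      # absent paths (e.g. no authorized_keys yet) used to produce stat errors
      [ -e "$soft" ] || continue
      echo -e "文件:$soft\t\t\t修改日期:$(stat "$soft" | ag -o '(?<=Modify: )[\d-\s:]+')" | tee -a "$vuln"
    done
    echo -e "\n" | tee -a "$vuln"
    echo -e "\e[00;31m[+]...隐藏文件 \e[00m" | tee -a "$vuln"
    # names that start and end with a dot mimic the "." and ".." entries
    find / ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/boot/*" -name ".*." 2>/dev/null | tee -a "$vuln"
    echo -e "\n" | tee -a "$vuln"
    echo -e "\e[00;31m[+]/tmp \e[00m" | tee -a "$filename"
    # shellcheck disable=SC2012
    ls -alht /tmp /var/tmp /dev/shm 2>/dev/null | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]alias \e[00m" | tee -a "$filename"
    # NOTE(review): a non-interactive script starts with no aliases, so this
    # only shows something when the script is sourced from an interactive
    # shell; the start-up files listed in bash_check are the reliable source.
    alias | ag -v 'git' | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]SUID \e[00m" | tee -a "$vuln"
    # SUID binaries outside the usual set are a privilege-escalation foothold
    find / ! -path "/proc/*" -perm -004000 -type f 2>/dev/null | ag -v 'snap|docker|pam_timestamp_check|unix_chkpwd|ping|mount|su|pt_chown|ssh-keysign|at|passwd|chsh|crontab|chfn|usernetctl|staprun|newgrp|chage|dhcp|helper|pkexec|top|Xorg|nvidia-modprobe|quota|login|security_authtrampoline|authopen|traceroute6|traceroute|ps' | tee -a "$vuln"
    echo -e "\n" | tee -a "$vuln"
    # files that were deleted while a process still has them open
    echo -e "\e[00;31m[+]lsof +L1 \e[00m" | tee -a "$filename"
    lsof +L1 2>/dev/null | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    # files modified (mtime) or whose inode changed (ctime) in the last 7 days;
    # the read loop replaces xargs so paths with spaces survive
    local stamp
    for stamp in mtime ctime; do
      echo -e "\e[00;31m[+]近七天文件改动 ${stamp} \e[00m" | tee -a "$filename"
      find /etc /bin /lib /sbin /dev /root/ /home /tmp /var /usr ! -path "/var/log*" ! -path "/var/spool/exim4*" ! -path "/var/backups*" "-${stamp}" -7 -type f 2>/dev/null | ag -v '\.log|cache|vim|/share/|/lib/|.zsh|.gem|\.git|LICENSE|README|/_\w+\.\w+|\blogs\b|elasticsearch|nohup|i18n' | while IFS= read -r f; do
        ls -alh -- "$f"
      done | tee -a "$filename"
      echo -e "\n" | tee -a "$filename"
    done
    # large archives/dumps: databases and web roots are often packed into one
    # file before exfiltration
    echo -e "\e[00;31m[+]大文件>200mb \e[00m" | tee -a "$filename"
    find / ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/boot/*" -size +200M -exec ls -alht {} + 2>/dev/null | ag '\.gif|\.jpeg|\.jpg|\.png|\.zip|\.tar.gz|\.tgz|\.7z|\.log|\.xz|\.rar|\.bak|\.old|\.sql|\.1|\.txt|\.tar|\.db|/\w+$' --nocolor | ag -v 'ib_logfile|ibd|mysql-bin|mysql-slow|ibdata1' | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]敏感文件 \e[00m" | tee -a "$vuln"
    # file names of well-known scanning, tunnelling and mining tools
    find / ! -path "/lib/modules*" ! -path "/usr/src*" ! -path "/snap*" ! -path "/usr/include/*" -regextype posix-extended -regex '.*sqlmap|.*msfconsole|.*\bncat|.*\bnmap|.*nikto|.*ettercap|.*tunnel\.(php|jsp|asp|py)|.*/nc\b|.*socks.(php|jsp|asp|py)|.*proxy.(php|jsp|asp|py)|.*brook.*|.*frps|.*frpc|.*aircrack|.*hydra|.*miner|.*/ew$' -type f 2>/dev/null | ag -v '/lib/python' | while IFS= read -r f; do
      ls -alh -- "$f"
    done | tee -a "$vuln"
    echo -e "\n" | tee -a "$vuln"
    echo -e "\e[00;31m[+]可疑黑客文件 \e[00m" | tee -a "$vuln"
    # private copies of wget/curl/openssl/mysql outside system paths
    find /root /home /opt /tmp /var/ /dev -regextype posix-extended -regex '.*wget|.*curl|.*openssl|.*mysql' -type f 2>/dev/null | while IFS= read -r f; do
      ls -alh -- "$f"
    done | ag -v '/pkgs/|/envs/' | tee -a "$vuln"
    echo -e "\n" | tee -a "$vuln"
  }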
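  #######################################
  # Section 9: kernel-level indicators. Unexpected loaded modules, rootkit
  # symbol names in /proc/kallsyms, and .ko files outside the module tree.
  # Globals:  vuln (read), kernel (written)
  #######################################
  rootkit_check() {
    echo -e "############ Rootkit检查 ############\n" | tee -a "$vuln"
    echo -e "\e[00;31m[+]lsmod 可疑模块\e[00m" | tee -a "$vuln"
    # Modules expected on ordinary servers and VMs; "Module" drops lsmod's
    # header line. The match is anchored to the name column: the previous
    # unanchored `ag -v` treated every entry as a substring, so short names
    # (hid, lp, sg, ast, mei, ...) silently hid any module merely containing
    # them. Two entries garbled in transit ("ip6ta ble_raw", "mu/ltipath")
    # are restored, and raid* is widened to raid\w* to keep raid1/raid10.
    local benign='ablk_helper|ac97_bus|acpi_power_meter|aesni_intel|ahci|ata_generic|ata_piix|auth_rpcgss|binfmt_misc|bluetooth|bnep|bnx2|bridge|cdrom|cirrus|coretemp|crc_t10dif|crc32_pclmul|crc32c_intel|crct10dif_common|crct10dif_generic|crct10dif_pclmul|cryptd|dca|dcdbas|dm_log|dm_mirror|dm_mod|dm_region_hash|drm|drm_kms_helper|drm_panel_orientation_quirks|e1000|ebtable_broute|ebtable_filter|ebtable_nat|ebtables|edac_core|ext4|fb_sys_fops|floppy|fuse|gf128mul|ghash_clmulni_intel|glue_helper|grace|i2c_algo_bit|i2c_core|i2c_piix4|i7core_edac|intel_powerclamp|ioatdma|ip_set|ip_tables|ip6_tables|ip6t_REJECT|ip6t_rpfilter|ip6table_filter|ip6table_mangle|ip6table_nat|ip6table_raw|ip6table_security|ipmi_devintf|ipmi_msghandler|ipmi_si|ipmi_ssif|ipt_MASQUERADE|ipt_REJECT|iptable_filter|iptable_mangle|iptable_nat|iptable_raw|iptable_security|iTCO_vendor_support|iTCO_wdt|jbd2|joydev|kvm|kvm_intel|libahci|libata|libcrc32c|llc|lockd|lpc_ich|lrw|mbcache|megaraid_sas|mfd_core|mgag200|Module|mptbase|mptscsih|mptspi|nf_conntrack|nf_conntrack_ipv4|nf_conntrack_ipv6|nf_defrag_ipv4|nf_defrag_ipv6|nf_nat|nf_nat_ipv4|nf_nat_ipv6|nf_nat_masquerade_ipv4|nfnetlink|nfnetlink_log|nfnetlink_queue|nfs_acl|nfsd|parport|parport_pc|pata_acpi|pcspkr|ppdev|rfkill|sch_fq_codel|scsi_transport_spi|sd_mod|serio_raw|sg|shpchp|snd|snd_ac97_codec|snd_ens1371|snd_page_alloc|snd_pcm|snd_rawmidi|snd_seq|snd_seq_device|snd_seq_midi|snd_seq_midi_event|snd_timer|soundcore|sr_mod|stp|sunrpc|syscopyarea|sysfillrect|sysimgblt|tcp_lp|ttm|tun|uvcvideo|videobuf2_core|videobuf2_memops|videobuf2_vmalloc|videodev|virtio|virtio_balloon|virtio_console|virtio_net|virtio_pci|virtio_ring|virtio_scsi|vmhgfs|vmw_balloon|vmw_vmci|vmw_vsock_vmci_transport|vmware_balloon|vmwgfx|vsock|xfs|xt_CHECKSUM|xt_conntrack|xt_state|raid\w*|tcpbbr|btrfs|.*diag|psmouse|ufs|linear|msdos|cpuid|veth|xt_tcpudp|xfrm_user|xfrm_algo|xt_addrtype|br_netfilter|input_leds|sch_fq|ib_iser|rdma_cm|iw_cm|ib_cm|ib_core|.*scsi.*|tcp_bbr|pcbc|autofs4|multipath|hfs.*|minix|ntfs|vfat|jfs|usbcore|usb_common|ehci_hcd|uhci_hcd|ecb|crc32c_generic|button|hid|usbhid|evdev|hid_generic|overlay|xt_nat|qnx4|sb_edac|acpi_cpufreq|ixgbe|pf_ring|tcp_htcp|cfg80211|x86_pkg_temp_thermal|mei_me|mei|processor|thermal_sys|lp|enclosure|ses|ehci_pci|igb|i2c_i801|pps_core|isofs|nls_utf8|xt_REDIRECT|xt_multiport|iosf_mbi|qxl|cdc_ether|usbnet|skx_edac|intel_rapl|wmi|acpi_pad|ast|i40e|ptp|nfit|libnvdimm|bpfilter|failover'
    lsmod | ag -v "^(${benign})\s" --nocolor | tee -a "$vuln"
    echo -e "\n" | tee -a "$vuln"
    echo -e "\e[00;31m[+]Rootkit 内核模块\e[00m" | tee -a "$vuln"
    # symbol names used by public LKM rootkits to hide files, ports and tasks
    kernel=$(grep -E 'hide_tcp4_port|hidden_files|hide_tcp6_port|diamorphine|module_hide|module_hidden|is_invisible|hacked_getdents|hacked_kill|heroin|kernel_unlink|hide_module|find_sys_call_tbl|h4x_delete_module|h4x_getdents64|h4x_kill|h4x_tcp4_seq_show|new_getdents|old_getdents|should_hide_file_name|should_hide_task_name' </proc/kallsyms)
    if [ -n "$kernel" ]; then
      echo "存在内核敏感函数!疑似Rootkit内核模块" | tee -a "$vuln"
      echo "$kernel" | tee -a "$vuln"
    else
      echo "未找到内核敏感函数" | tee -a "$vuln"
    fi
    echo -e "\n" | tee -a "$vuln"
    echo -e "\e[00;31m[+]可疑的.ko模块\e[00m" | tee -a "$vuln"
    # kernel objects stored anywhere but the module tree
    find / ! -path "/proc/*" ! -path "/usr/lib/modules/*" ! -path "/lib/modules/*" ! -path "/boot/*" -regextype posix-extended -regex '.*\.ko' 2>/dev/null | tee -a "$vuln"
    echo -e "\n" | tee -a "$vuln"
  }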
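  #######################################
  # Section 10: SSH. Brute-force sources, sshd binary timestamps and config
  # go to "$filename"; client-config hooks, soft-link/inetd backdoors and
  # authorized_keys contents go to "$vuln".
  # Globals:  filename, vuln, OS, HOME (read)
  #######################################
  ssh_check() {
    echo -e "############ SSH检查 ############\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]SSH爆破\e[00m" | tee -a "$filename"
    # top 25 sources of failed logins. The rhost= token is picked by name
    # rather than as column 14, so a different log prefix no longer empties
    # the list silently.
    local authlog
    if [ "$OS" = 'Centos' ]; then
      authlog='/var/log/secure*'
    else
      authlog='/var/log/auth.*'
    fi
    # shellcheck disable=SC2086 -- $authlog is a glob on purpose
    ag -a 'authentication failure' $authlog 2>/dev/null | ag -o '(?<=rhost=)\d+\.\d+\.\d+\.\d+' --nocolor | sort | uniq -c | sort -nr | head -n 25 | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    echo -e "\e[00;31m[+]SSHD \e[00m" | tee -a "$filename"
    echo -e "/usr/sbin/sshd"
    stat /usr/sbin/sshd | ag 'Access|Modify|Change' --nocolor | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    # settings that decide how much a stolen password or key is worth
    echo -e "\e[00;31m[+]sshd_config \e[00m" | tee -a "$filename"
    grep -iE '^\s*(PermitRootLogin|PasswordAuthentication|PermitEmptyPasswords|AuthorizedKeysFile|AuthorizedKeysCommand)\b' /etc/ssh/sshd_config 2>/dev/null | tee -a "$filename"
    echo -e "\n" | tee -a "$filename"
    # LocalCommand/ProxyCommand run a shell command on every connection
    echo -e "\e[00;31m[+]SSH 后门配置 \e[00m" | tee -a "$vuln"
    if [ -e "$HOME/.ssh/config" ]; then
      grep -E 'LocalCommand|ProxyCommand' "$HOME/.ssh/config" | tee -a "$vuln"
    else
      echo -e "未发现ssh配置文件" | tee -a "$vuln"
    fi
    # the system-wide client config is an equally good hiding place
    grep -E 'LocalCommand|ProxyCommand' /etc/ssh/ssh_config /etc/ssh/ssh_config.d/* 2>/dev/null | tee -a "$vuln"
    echo -e "\n" | tee -a "$vuln"
    # sshd started through a renamed link shows "-oPort=" on its command line
    echo -e "\e[00;31m[+]SSH 软连接后门 \e[00m" | tee -a "$vuln"
    if ps -ef | ag '\s+\-oport=\d+' >/dev/null 2>&1; then
      ps -ef | ag '\s+\-oport=\d+' | tee -a "$vuln"
    else
      echo "未检测到SSH软连接后门" | tee -a "$vuln"
    fi
    echo -e "\n" | tee -a "$vuln"
    echo -e "\e[00;31m[+]SSH inetd后门检查 \e[00m" | tee -a "$vuln"
    if [ -e "/etc/inetd.conf" ]; then
      grep -E '(bash -i)' </etc/inetd.conf | tee -a "$vuln"
    fi
    echo -e "\n" | tee -a "$vuln"
    echo -e "\e[00;31m[+]SSH key\e[00m" | tee -a "$vuln"
    local sshkey=${HOME}/.ssh/authorized_keys
    if [ -e "${sshkey}" ]; then
      tee -a "$vuln" <"${sshkey}"
    else
      echo -e "SSH key文件不存在\n" | tee -a "$vuln"
    fi
    # keys planted under other accounts give the same persistence
    local keyfile
    for keyfile in /home/*/.ssh/authorized_keys; do
      [ -e "$keyfile" ] || continue
      echo "${keyfile}:" | tee -a "$vuln"
      tee -a "$vuln" <"$keyfile"
    done
    echo -e "\n" | tee -a "$vuln"
  }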
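  #######################################
  # Section 11: webshell signatures in PHP and JSP files under "$webpath".
  # Globals:  vuln, webpath (read)
  # Outputs:  matching file names (ag -l) appended to "$vuln"
  #######################################
  webshell_check() {
    echo -e "############ Webshell检查 ############\n" | tee -a "$vuln"
    # "$webpath" is now quoted: an unquoted path with spaces or glob
    # characters was split into several search roots
    if [ ! -d "$webpath" ]; then
      echo "webpath 不存在: $webpath" | tee -a "$vuln"
      echo -e "\n" | tee -a "$vuln"
      return
    fi
    echo -e "\e[00;31m[+]PHP webshell查杀\e[00m" | tee -a "$vuln"
    # 1: dangerous call names and well-known shell strings
    ag --php -l -s -i 'array_map\(|pcntl_exec\(|proc_open\(|popen\(|assert\(|phpspy|c99sh|milw0rm|eval?\(|\(gunerpress|\(base64_decoolcode|spider_bc|shell_exec\(|passthru\(|base64_decode\s?\(|gzuncompress\s?\(|gzinflate|\(\$\$\w+|call_user_func\(|call_user_func_array\(|preg_replace_callback\(|preg_replace\(|register_shutdown_function\(|register_tick_function\(|mb_ereg_replace_callback\(|filter_var\(|ob_start\(|usort\(|uksort\(|uasort\(|GzinFlate\s?\(|\$\w+\(\d+\)\.\$\w+\(\d+\)\.|\$\w+=str_replace\(|eval\/\*.*\*\/\(' "$webpath" | tee -a "$vuln"
    # 2: image header followed by PHP code (polyglot uploads)
    ag --php -l -s -i '^(\xff\xd8|\x89\x50|GIF89a|GIF87a|BM|\x00\x00\x01\x00\x01)[\s\S]*<\?\s*php' "$webpath" | tee -a "$vuln"
    # 3/4: request parameters flowing straight (or via a decoder) into exec
    ag --php -l -s -i '\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[\/*\s]*\(+[\/*\s]*((\$_(GET|POST|REQUEST|COOKIE)\[.{0,25})|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*(\$_(GET|POST|REQUEST|COOKIE)\[.{0,25}))' "$webpath" | tee -a "$vuln"
    ag --php -l -s -i '\$\s*(\w+)\s*=[\s\(\{]*(\$_(GET|POST|REQUEST|COOKIE)\[.{0,25});[\s\S]{0,200}\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[\/*\s]*\(+[\s"\/*]*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\("]*\$\s*\1))' "$webpath" | tee -a "$vuln"
    # 5: filter_var FILTER_CALLBACK abuse
    ag --php -l -s -i '\b(filter_var|filter_var_array)\b\s*\(.*FILTER_CALLBACK[^;]*((\$_(GET|POST|REQUEST|COOKIE|SERVER)\[.{0,25})|(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec))' "$webpath" | tee -a "$vuln"
    # 6: code read from php://input
    ag --php -l -s -i "\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|include)\b\s*\(\s*(file_get_contents\s*\(\s*)?[\'\"]php:\/\/input" "$webpath" | tee -a "$vuln"
    echo -e "\n" | tee -a "$vuln"
    echo -e "\e[00;31m[+]JSP webshell查杀\e[00m" | tee -a "$vuln"
    ag --jsp -l -s -i '<%@\spage\simport=[\s\S]*\\u00\d+\\u00\d+|<%@\spage\simport=[\s\S]*Runtime.getRuntime\(\).exec\(request.getParameter\(|Runtime.getRuntime\(\)' "$webpath" | tee -a "$vuln"
    echo -e "\n" | tee -a "$vuln"
  }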
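  #######################################
  # Section 12: typosquatted / malicious PyPI package names in the installed
  # Python 2 and Python 3 environments.
  # Globals:  vuln (read)
  #######################################
  poison_check() {
    echo -e "############ 供应链投毒检测 ############\n" | tee -a "$vuln"
    # one copy of the name list for both interpreters; the trailing
    # "request=" matches a freeze line for the package "request" (not "requests")
    local typosquat="istrib|djanga|easyinstall|junkeldat|libpeshka|mumpy|mybiubiubiu|nmap-python|openvc|python-ftp|pythonkafka|python-mongo|python-mysql|python-mysqldb|python-openssl|python-sqlite|virtualnv|mateplotlib|request="
    echo -e "\e[00;31m[+]Python2 pip 检测\e[00m" | tee -a "$vuln"
    # skip quietly when the interpreter's pip is not installed
    if command -v pip >/dev/null 2>&1; then
      pip freeze 2>/dev/null | ag "$typosquat" | tee -a "$vuln"
    fi
    echo -e "\n" | tee -a "$vuln"
    echo -e "\e[00;31m[+]Python3 pip 检测\e[00m" | tee -a "$vuln"
    if command -v pip3 >/dev/null 2>&1; then
      pip3 freeze 2>/dev/null | ag "$typosquat" | tee -a "$vuln"
    fi
    echo -e "\n" | tee -a "$vuln"
  }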
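  #######################################
  # Section 13: cryptominer indicators in process lists and file names.
  # Globals:  vuln (read)
  #######################################
  miner_check() {
    echo -e "############ 挖矿木马检查 ############\n" | tee -a "$vuln"
    echo -e "\e[00;31m[+]常规挖矿进程检测\e[00m" | tee -a "$vuln"
    # process names, config files and pool domains seen in known miner
    # campaigns; `ag -v 'ag'` drops this pipeline's own ag process
    ps aux | ag "systemctI|kworkerds|init10.cfg|wl.conf|crond64|watchbog|sustse|donate|proxkekman|test.conf|/var/tmp/apple|/var/tmp/big|/var/tmp/small|/var/tmp/cat|/var/tmp/dog|/var/tmp/mysql|/var/tmp/sishen|ubyx|cpu.c|tes.conf|psping|/var/tmp/java-c|pscf|cryptonight|sustes|xmrig|xmr-stak|suppoie|ririg|/var/tmp/ntpd|/var/tmp/ntp|/var/tmp/qq|/tmp/qq|/var/tmp/aa|gg1.conf|hh1.conf|apaqi|dajiba|/var/tmp/look|/var/tmp/nginx|dd1.conf|kkk1.conf|ttt1.conf|ooo1.conf|ppp1.conf|lll1.conf|yyy1.conf|1111.conf|2221.conf|dk1.conf|kd1.conf|mao1.conf|YB1.conf|2Ri1.conf|3Gu1.conf|crant|nicehash|linuxs|linuxl|Linux|crawler.weibo|stratum|gpg-daemon|jobs.flu.cc|cranberry|start.sh|watch.sh|krun.sh|killTop.sh|cpuminer|/60009|ssh_deny.sh|clean.sh|\./over|mrx1|redisscan|ebscan|barad_agent|\.sr0|clay|udevs|\.sshd|/tmp/init|xmr|xig|ddgs|minerd|hashvault|geqn|\.kthreadd|httpdz|pastebin.com|sobot.com|kerbero|2t3ik|ddgs|qW3xt|ztctb" | ag -v 'ag' | tee -a "$vuln"
    # find -regex must match the whole path, so every alternative needs a
    # leading ".*"; "gg1.conf" and "\.kthreadd" previously could never match
    find / ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/boot/*" -regextype posix-extended -regex '.*systemctI|.*kworkerds|.*init10.cfg|.*wl.conf|.*crond64|.*watchbog|.*sustse|.*donate|.*proxkekman|.*cryptonight|.*sustes|.*xmrig|.*xmr-stak|.*suppoie|.*ririg|.*gg1.conf|.*cpuminer|.*xmr|.*xig|.*ddgs|.*minerd|.*hashvault|.*\.kthreadd|.*httpdz|.*kerbero|.*2t3ik|.*qW3xt|.*ztctb|.*miner.sh' -type f 2>/dev/null | tee -a "$vuln"
    echo -e "\n" | tee -a "$vuln"
    echo -e "\e[00;31m[+]Ntpclient 挖矿木马检测\e[00m" | tee -a "$vuln"
    # same whole-path rule: 'ntpclient|Mozz' without ".*" matched nothing
    find / ! -path "/proc/*" ! -path "/sys/*" ! -path "/boot/*" -regextype posix-extended -regex '.*ntpclient|.*Mozz' 2>/dev/null | tee -a "$vuln"
    ls -alh /tmp/.a /var/tmp/.a /run/shm/a /dev/.a /dev/shm/.a 2>/dev/null | tee -a "$vuln"
    echo -e "\n" | tee -a "$vuln"
    echo -e "\e[00;31m[+]WorkMiner 挖矿木马检测\e[00m" | tee -a "$vuln"
    # this process listing was the only one not written to the vuln log
    ps aux | ag "work32|work64|/tmp/secure.sh|/tmp/auth.sh" | ag -v 'ag' | tee -a "$vuln"
    ls -alh /tmp/xmr /tmp/config.json /tmp/secure.sh /tmp/auth.sh /usr/.work/work64 2>/dev/null | tee -a "$vuln"
    echo -e "\n" | tee -a "$vuln"
  }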
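  #######################################
  # Section 14: service configuration risks (currently Redis authentication).
  # Globals:  vuln (read)
  #######################################
  risk_check() {
    echo -e "############ 服务器风险/漏洞检查 ############\n" | tee -a "$vuln"
    echo -e "\e[00;31m[+]Redis弱密码检测\e[00m" | tee -a "$vuln"
    # Debian packages use /etc/redis/redis.conf, the RHEL family /etc/redis.conf
    local conf
    for conf in /etc/redis/redis.conf /etc/redis.conf; do
      [ -e "$conf" ] || continue
      ag '(?<=requirepass )(test|123456|admin|root|12345678|111111|p@ssw0rd|test|qwerty|zxcvbnm|123123|12344321|123qwe|password|1qaz|000000|666666|888888)' <"$conf" | tee -a "$vuln"
      # no requirepass at all is worse than a weak one if the port is reachable
      if ! ag '^\s*requirepass\s' <"$conf" >/dev/null 2>&1; then
        echo "${conf}: 未设置requirepass" | tee -a "$vuln"
      fi
    done
    echo -e "\n" | tee -a "$vuln"
  }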
  # Run every section in order; each one appends to the report files.
  checks=(
    base_check
    network_check
    crontab_check
    env_check
    user_check
    service_check
    bash_check
    file_check
    rootkit_check
    ssh_check
    webshell_check
    poison_check
    miner_check
    risk_check
  )
  for check in "${checks[@]}"; do
    "$check"
  done

原文:https://github.com/al0ne/LinuxCheck