How to check whether a Linux machine has been compromised? [The original tutorial this document follows was written for CentOS 6.9; I reran it on an Ubuntu 18.04 VPS and added the results I actually got]
1. An intruder may delete the machine's logs, so check whether the log files still exist and whether they have been emptied. Example:
$ ll -h /var/log
total 180M
drwxrwxr-x  11 root   syslog          4.0K Jul  9 00:05 ./
drwxr-xr-x  14 root   root            4.0K May  1 15:30 ../
-rw-r--r--   1 root   root               0 Jul  1 00:06 alternatives.log
-rw-r--r--   1 root   root             317 Jun 27 08:30 alternatives.log.1
-rw-r--r--   1 root   root            4.6K May 30 05:57 alternatives.log.2.gz
-rw-r-----   1 root   adm                0 May 19 00:09 apport.log
-rw-r-----   1 root   adm              664 May 18 09:26 apport.log.1
-rw-r-----   1 root   adm              467 May  2 13:53 apport.log.2.gz
drwxr-xr-x   2 root   root            4.0K Jul  1 00:06 apt/
-rw-r-----   1 syslog adm             4.6M Jul  9 04:59 auth.log
-rw-r-----   1 syslog adm              13M Jul  7 00:08 auth.log.1
-rw-r-----   1 syslog adm             1.5M Jul  1 00:04 auth.log.2.gz
-rw-r-----   1 syslog adm             1.6M Jun 23 00:09 auth.log.3.gz
-rw-r-----   1 syslog adm             1.8M Jun 16 00:07 auth.log.4.gz
-rw-rw----   1 root   utmp             25M Jul  9 04:59 btmp
-rw-rw----   1 root   utmp            133M Jul  1 00:04 btmp.1
drwxr-xr-x   2 root   root            4.0K Jul  9 00:05 cups/
drwxr-xr-x   2 root   root            4.0K Apr 10 03:05 dist-upgrade/
-rw-r--r--   1 root   root               0 Jul  1 00:06 dpkg.log
-rw-r--r--   1 root   root            1.4K Jun 27 08:30 dpkg.log.1
-rw-r--r--   1 root   root            127K May 30 05:57 dpkg.log.2.gz
-rw-r--r--   1 root   root             32K May  2 03:42 faillog
-rw-r--r--   1 root   root            6.1K May  1 15:33 fontconfig.log
-rw-r--r--   1 root   root            1.2K May  3 04:21 gpu-manager.log
drwxr-xr-x   3 root   root            4.0K May  1 15:26 hp/
drwxr-xr-x   3 root   root            4.0K May  1 15:19 installer/
drwxr-sr-x+  3 root   systemd-journal 4.0K May  1 15:20 journal/
-rw-r-----   1 syslog adm             4.1K Jul  9 04:29 kern.log
-rw-r-----   1 syslog adm              11K Jul  6 23:29 kern.log.1
-rw-r-----   1 syslog adm             3.0K Jun 30 23:29 kern.log.2.gz
-rw-r-----   1 syslog adm             2.6K Jun 22 23:29 kern.log.3.gz
-rw-r-----   1 syslog adm             2.4K Jun 15 23:29 kern.log.4.gz
-rw-rw-r--   1 root   utmp            286K May  2 03:42 lastlog
drwxr-xr-x   2 mpd    audio           4.0K Jul  7 00:08 mpd/
-rw-r--r--   1 sddm   sddm               0 May  1 15:33 sddm.log
-rw-r-----   1 syslog adm             6.6K Jul  9 04:58 syslog
-rw-r-----   1 syslog adm              16K Jul  9 00:05 syslog.1
-rw-r-----   1 syslog adm             2.7K Jul  8 00:05 syslog.2.gz
-rw-r-----   1 syslog adm             2.5K Jul  7 00:08 syslog.3.gz
-rw-r-----   1 syslog adm             2.6K Jul  6 00:07 syslog.4.gz
-rw-r-----   1 syslog adm             3.3K Jul  5 00:09 syslog.5.gz
-rw-r-----   1 syslog adm             2.7K Jul  4 00:08 syslog.6.gz
-rw-r-----   1 syslog adm             2.5K Jul  3 00:06 syslog.7.gz
-rw-------   1 root   root             63K May  2 03:42 tallylog
drwxr-xr-x   2 root   root            4.0K May  4 09:10 teamviewer14/
drwxr-x---   2 root   adm             4.0K Jun  1 00:05 unattended-upgrades/
-rw-r-----   1 root   adm              12K Jul  9 04:57 vsftpd.log
-rw-r-----   1 root   adm             6.7K Jul  6 18:30 vsftpd.log.1
-rw-r-----   1 root   adm              15K Jun 30 23:28 vsftpd.log.2
-rw-r-----   1 root   adm             5.0K Jun 22 23:26 vsftpd.log.3
-rw-r-----   1 root   adm              14K Jun 15 20:15 vsftpd.log.4
-rw-rw-r--   1 root   utmp             384 Jul  9 04:58 wtmp
-rw-rw-r--   1 root   utmp             768 Jun 27 08:38 wtmp.1
-rw-r--r--   1 root   root             23K Jun 30 03:40 Xorg.0.log
-rw-r--r--   1 root   root             15K May  3 04:21 Xorg.0.log.old
2. An intruder may create a new file holding user names and passwords, so check the /etc/passwd and /etc/shadow files (and their modification times). Example:
$ ll /etc/pass*
-rw-r--r-- 1 root root 2443 May  2 03:42 /etc/passwd
-rw-r--r-- 1 root root 2405 May  1 15:43 /etc/passwd-
$ ll /etc/sha*
-rw-r----- 1 root shadow 1396 May  2 03:42 /etc/shadow
-rw-r----- 1 root shadow 1376 May  1 15:43 /etc/shadow-
3. An intruder may modify the user and password files, so read the contents of /etc/passwd and /etc/shadow and check them entry by entry. Example:
$ more /etc/passwd
$ more /etc/shadow
Too many lines, I didn't bother pasting them.
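The checks behind steps 2 and 3 as an added example (not from the original post): it runs against constructed copies of /etc/passwd and /etc/shadow, and takes the real files as its two arguments on a live machine.

```shell
#!/bin/sh
# Added example (not from the original post): the checks behind steps 2 and 3,
# run here against constructed copies of /etc/passwd and /etc/shadow.
# Pass the real files as arguments to run it on a live machine.
set -eu

# Accounts with UID 0 whose name is not "root": a second superuser is a classic backdoor.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts that still have an interactive shell; compare with the list you expect.
find_login_shells() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 ":" $7 }' "$1"
}

# Shadow entries whose password field is empty: the account needs no password at all.
find_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Constructed sample data; the "toor" account is the planted anomaly.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jashliao:x:1000:1000::/home/jashliao:/bin/bash
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
toor:x:0:0::/root:/bin/sh
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$salt$hash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
jashliao:$6$salt$hash:18000:0:99999:7:::
toor::18000:0:99999:7:::
EOF

PASSWD_FILE=${1:-$SAMPLE_DIR/passwd}
SHADOW_FILE=${2:-$SAMPLE_DIR/shadow}
echo "== UID 0 accounts other than root =="; find_extra_uid0 "$PASSWD_FILE"
echo "== accounts with a login shell ==";    find_login_shells "$PASSWD_FILE"
echo "== empty password fields ==";          find_empty_passwords "$SHADOW_FILE"
```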
4. View each user's most recent successful login and the last unsuccessful login; the corresponding log is /var/log/lastlog. Example:
$ lastlog
Username         Port     From             Latest
root             tty1                      Wed May  1 15:20:54 +0200 2019
daemon                                     **Never logged in**
bin                                        **Never logged in**
sys                                        **Never logged in**
sync                                       **Never logged in**
games                                      **Never logged in**
man                                        **Never logged in**
lp                                         **Never logged in**
mail                                       **Never logged in**
news                                       **Never logged in**
uucp                                       **Never logged in**
proxy                                      **Never logged in**
www-data                                   **Never logged in**
backup                                     **Never logged in**
list                                       **Never logged in**
irc                                        **Never logged in**
gnats                                      **Never logged in**
nobody                                     **Never logged in**
systemd-network                            **Never logged in**
systemd-resolve                            **Never logged in**
syslog                                     **Never logged in**
messagebus                                 **Never logged in**
_apt                                       **Never logged in**
uuidd                                      **Never logged in**
sshd                                       **Never logged in**
jashliao                                   **Never logged in**
kernoops                                   **Never logged in**
rtkit                                      **Never logged in**
dnsmasq                                    **Never logged in**
avahi-autoipd                              **Never logged in**
usbmux                                     **Never logged in**
whoopsie                                   **Never logged in**
avahi                                      **Never logged in**
cups-pk-helper                             **Never logged in**
saned                                      **Never logged in**
sddm                                       **Never logged in**
colord                                     **Never logged in**
pulse                                      **Never logged in**
hplip                                      **Never logged in**
mpd                                        **Never logged in**
geoclue                                    **Never logged in**
ftp                                        **Never logged in**
mysql                                      **Never logged in**
5. View all users currently logged in to the machine; the corresponding log file is /var/run/utmp. Example:
$ who
jashliao tty1         2019-05-03 04:21 (:0)
jashliao pts/0        2019-05-03 04:21 (:0)
jashliao pts/1        2019-07-09 04:58 (:0)
6. View the users who have logged in since the machine was set up; the corresponding log file is /var/log/wtmp. Example:
$ last
jashliao pts/1        :0               Tue Jul  9 04:58   still logged in

wtmp begins Tue Jul  9 04:58:54 2019
7. View the total connect time (in hours) of every user on the machine; the corresponding log file is /var/log/wtmp. Example:
$ ac -dp    # ac is provided by the acct package on Ubuntu (psacct on CentOS)
8. If the machine is generating abnormal traffic, use the tcpdump command to capture packets and inspect the traffic, or use the iperf tool to look at the traffic.
9. Check the /var/log/secure log file and try to find traces of the intruder (on Ubuntu the equivalent file is /var/log/auth.log, which appears in the listing from step 1). Example:
$ cat /var/log/secure | grep -i "accepted password"
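An added example (not from the original post) that goes a step beyond the grep in step 9: it summarises every accepted login per user and source address, and flags addresses that succeeded only after failing. It takes a real auth.log path as its argument; the log lines below are constructed, with RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the "Accepted" lines
# step 9 greps for, per user and source address, and spot addresses that
# succeeded only after failing. Pass a real auth.log path to run it on a host;
# the sample below is constructed (RFC 5737 documentation addresses).
set -eu

# Print "user address count" for every accepted login (password or key), most frequent first.
accepted_logins() {
    grep -i 'accepted' "$1" | awk '
        { u = "?"; a = "?"
          for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") a = $(i+1) }
          print u, a }' | sort | uniq -c | sort -rn | awk '{ print $2, $3, $1 }'
}

# Print "address failures successes" for addresses that failed before succeeding:
# a success after a burst of failures is what a password brute force leaves behind.
failed_then_success() {
    awk '
        /Failed password/   { for (i = 1; i <= NF; i++) if ($i == "from") f[$(i+1)]++ }
        /Accepted password/ { for (i = 1; i <= NF; i++) if ($i == "from") s[$(i+1)]++ }
        END { for (a in s) if (f[a] > 0) print a, f[a], s[a] }' "$1"
}

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jul  9 04:58:01 vps sshd[1234]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jul  9 04:58:03 vps sshd[1235]: Failed password for root from 198.51.100.7 port 40002 ssh2
Jul  9 04:58:05 vps sshd[1236]: Accepted password for root from 198.51.100.7 port 40003 ssh2
Jul  9 04:58:40 vps sshd[1240]: Accepted publickey for jashliao from 203.0.113.5 port 51234 ssh2
Jul  9 04:59:00 vps sshd[1241]: Accepted publickey for jashliao from 203.0.113.5 port 51235 ssh2
Jul  9 04:59:30 vps sshd[1242]: Failed password for invalid user admin from 192.0.2.9 port 55555 ssh2
EOF

AUTH_LOG=${1:-$SAMPLE_LOG}
echo "== accepted logins (user address count) =="; accepted_logins "$AUTH_LOG"
echo "== addresses that failed, then succeeded =="; failed_then_success "$AUTH_LOG"
```

The 25M btmp and 133M btmp.1 in the step 1 listing are the failed-login record for the same host; lastb reads them and shows the failure side of this pattern.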
10. Look up the executable file behind an abnormal process:
$ top
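Once top has singled out a PID, the following added example (not from the original post) resolves its executable through /proc/<pid>/exe and flags a binary that was deleted after the process started or that runs from a world-writable directory. PROC_ROOT is an assumption so the check can be exercised against a constructed /proc tree; leave it unset on a real host.

```shell
#!/bin/sh
# Added example (not from the original post): after top has singled out a PID
# (step 10), resolve its executable through /proc/<pid>/exe and flag the two
# things triage cares about: a binary deleted since the process started, and
# one running from a world-writable directory. PROC_ROOT is an assumption so
# the check can run against a constructed tree; leave it unset on a real host.
set -eu

PROC_ROOT=${PROC_ROOT:-/proc}

# Path the kernel recorded for the process image; "?" when unreadable (e.g. not root).
exe_of_pid() {
    readlink "$PROC_ROOT/$1/exe" 2>/dev/null || echo "?"
}

# Classify one PID as DELETED, SUSPICIOUS_DIR or OK, with the resolved path.
classify_pid() {
    exe=$(exe_of_pid "$1")
    case "$exe" in
        *" (deleted)")                echo "DELETED $exe" ;;
        /tmp/*|/var/tmp/*|/dev/shm/*) echo "SUSPICIOUS_DIR $exe" ;;
        *)                            echo "OK $exe" ;;
    esac
}

# Walk every PID directory under PROC_ROOT and print only the non-OK ones.
scan_procs() {
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}; r=$(classify_pid "$pid")
        case "$r" in "OK "*) ;; *) echo "$pid $r" ;; esac
    done
}

# Constructed stand-in for /proc: one normal daemon, one deleted binary,
# one binary living in /dev/shm. Only the exe symlinks are needed for readlink.
make_fake_proc() {
    mkdir -p "$1/100" "$1/200" "$1/300"
    ln -s /usr/sbin/sshd "$1/100/exe"
    ln -s "/tmp/.x/svc (deleted)" "$1/200/exe"
    ln -s /dev/shm/.cache/update "$1/300/exe"
}

scan_procs
```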
Keywords: command/shell, determine/check/inspect, Linux VPS host/device/computer, hacked/compromised/trojaned/abnormal/hacker