在使用脚本前需要安装:ag命令
安装方式如下:
[root@xinsz08-63 LinuxCheck]# yum install epel-release[root@xinsz08-63 LinuxCheck]# yum install the_silver_searcher
ag的日常使用:
ag类似于grep和find,但是执行效率比后两者高
ag -g a.txt 查找名字为a.txt的文件
ag -i test 忽略大小写搜索包含test的文本
ag -A 5 abc 显示搜索到的包含abc的行以及他之后的5行文本信息
演示:
[root@xinsz08-63 ~]# cp /etc/passwd /root/passwd[root@xinsz08-63 ~]# ag -A 5 geoc passwd34:geoclue:x:992:986:User for geoclue:/var/lib/geoclue:/sbin/nologin 35-setroubleshoot:x:991:985::/var/lib/setroubleshoot:/sbin/nologin 36-saned:x:990:984:SANE scanner daemon user:/usr/share/sane:/sbin/nologin 37-gdm:x:42:42::/var/lib/gdm:/sbin/nologin 38-gnome-initial-setup:x:989:983::/run/gnome-initial-setup/:/sbin/nologin 39-sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
此脚本涉及到系统的安全检测,比如MD5校验,检测常用命令是否被别人改动过,检测是否有挖矿病毒,是否有木马,登陆用户是否正常,等等。
#!/usr/bin/env bash
3 echo ""
4 echo " ========================================================= "
5 echo " \ Linux应急响应/信息搜集脚本 V3.0 / "
6 echo " ========================================================= "
7 echo " # 支持Centos、Debian系统检测 "
8 echo " # author:al0ne "
9 echo " # https://github.com/al0ne "
10 echo -e "\n"
11
12 # WEB Path
13 # 设置web目录 默认的话是从/目录去搜索 性能较慢
14 webpath='/'
15
16 echo -e "\e[00;31m[+]环境检测\e[00m"
17 # 验证是否为root权限
18 if [ $UID -ne 0 ]; then
19 echo -e "\n\e[00;33m请使用root权限运行 \e[00m"
20 exit 1
21 else
22 echo -e "\e[00;32m当前为root权限 \e[00m"
23 fi
24
25 # 验证操作系统是debian系还是centos
26 OS='None'
27
28 if [ -e "/etc/os-release" ]; then
29 source /etc/os-release
30 case ${ID} in
31 "debian" | "ubuntu" | "devuan")
32 OS='Debian'
33 ;;
34 "centos" | "rhel fedora" | "rhel")
35 OS='Centos'
36 ;;
37 *) ;;
38 esac
39 fi
40
41 if [ $OS = 'None' ]; then
42 if command -v apt-get >/dev/null 2>&1; then
43 OS='Debian'
44 elif command -v yum >/dev/null 2>&1; then
45 OS='Centos'
46 else
47 echo -e "\n不支持这个系统\n"
48 echo -e "已退出"
49 exit 1
50 fi
51 fi
52
53 #ifconfig
54 if ifconfig >/dev/null 2>&1; then
55 echo -e "\e[00;32mifconfig已安装 \e[00m"
56 else
57 if [ $OS = 'Centos' ]; then
58 yum -y install net-tools >/dev/null 2>&1
59 else
60 apt-get -y install net-tools >/dev/null 2>&1
61 fi
62
63 fi
64
65 #Centos安装lsof
66 if lsof -v >/dev/null 2>&1; then
69 if [ $OS = 'Centos' ]; then
70 yum -y install lsof >/dev/null 2>&1
71 else
72 apt-get -y install lsof >/dev/null 2>&1
73 fi
74
75 fi
80 else
81 if [ $OS = 'Centos' ]; then
82 yum -y install the_silver_searcher >/dev/null 2>&1
83 else
85 fi
86
87 fi
88
89 echo -e "\n"
90
91 # 设置保存文件
94 filename=$ipaddress'_'$(hostname)'_'$(whoami)'_'$(date +%s)'.log'
95
96 #对比hash,看看有没有系统文件被替换掉
99 rpm -Va | tee -a $filename102 debsums -e | ag -v 'OK' | tee -a $filename107 #当前用户108 echo -e "USER:\t\t" $(whoami) 2>/dev/null | tee -a $filename109 #版本信息110 echo -e "OS Version:\t" $(uname -r) | tee -a $filename111 #主机名112 echo -e "Hostname: \t" $(hostname -s) | tee -a $filename113 #uptime115 #cpu信息117 #ipaddress120 echo -e "\n" | tee -a $filename121
126 "Used " (total-free)/total*100"%"}' | tee -a $filename127 done
128 echo -e "\n" | tee -a $filename129 #登陆用户
130 echo -e "\e[00;31m[+]登陆用户\e[00m" | tee -a $filename131 who $filename132 echo -e "\n" | tee -a $filename133 #CPU占用TOP 15
136 #内存占用TOP 15
139 #内存占用
142 echo -e "\n" | tee -a $filename143 #剩余空间
146 echo -e "\n" | tee -a $filename147 echo -e "\e[00;31m[+]硬盘挂载\e[00m" | tee -a $filename149 echo -e "\n" | tee -a $filename150 #ifconfig
151 echo -e "\e[00;31m[+]ifconfig\e[00m" | tee -a $filename152 /sbin/ifconfig -a | tee -a $filename155 echo -e "\e[00;31m[+]网络流量 \e[00m" | tee -a $filename157 awk ' NR>2' /proc/net/dev | while read line; do
158 echo "$line" | awk -F ':' '{print " "$1" " $2}' | \
162 #端口监听
163 echo -e "\e[00;31m[+]端口监听\e[00m" | tee -a $filename164 netstat -tulpen | ag 'tcp|udp.*' --nocolor | tee -a $filename165 echo -e "\n" | tee -a $filename166 #对外开放端口
167 echo -e "\e[00;31m[+]对外开放端口\e[00m" | tee -a $filename169 echo -e "\n" | tee -a $filename170 #网络连接
173 echo -e "\n" | tee -a $filename174 #连接状态
175 echo -e "\e[00;31m[+]TCP连接状态\e[00m" | tee -a $filename177 echo -e "\n" | tee -a $filename180 /sbin/route -nee | tee -a $filename181 echo -e "\n" | tee -a $filename182 #路由转发
183 echo -e "\e[00;31m[+]路由转发\e[00m" | tee -a $filename185 if [ -n "$ip_forward" ]; then
187 else
188 echo "该服务器未开启路由转发" | tee -a $filename189 fi
190 echo -e "\n" | tee -a $filename191 #DNS
192 echo -e "\e[00;31m[+]DNS Server\e[00m" | tee -a $filename194 echo -e "\n" | tee -a $filename195 #ARP
196 echo -e "\e[00;31m[+]ARP\e[00m" | tee -a $filename197 arp -n -a | tee -a $filename198 echo -e "\n" | tee -a $filename199 #混杂模式
200 echo -e "\e[00;31m[+]网卡混杂模式\e[00m" | tee -a $filename201 if ip link | ag PROMISC >/dev/null 2>&1; then
202 echo "网卡存在混杂模式!" | tee -a $filename203 else
204 echo "网卡不存在混杂模式" | tee -a $filename205
206 fi
207 echo -e "\n" | tee -a $filename208 #安装软件
209 echo -e "\e[00;31m[+]常用软件\e[00m" | tee -a $filename210 cmdline=(
211 "which perl"
212 "which gcc"
213 "which g++"
214 "which python"
215 "which php"
216 "which cc"
217 "which go"
218 "which node"
219 "which nodejs"
220 "which bind"
221 "which tomcat"
222 "which clang"
223 "which ruby"
224 "which curl"
225 "which wget"
228 "which ssserver"
229 "which vsftpd"
230 "which java"
231 "which apache"
232 "which nginx"
233 "which git"
234 "which mongodb"
235 "which docker"
236 "which tftp"
237 "which psql"
242 if [ "$soft" ] 2>/dev/null; then
244 fi
245 done
246 echo -e "\n" | tee -a $filename247 #crontab
248 echo -e "\e[00;31m[+]Crontab\e[00m" | tee -a $filename249 crontab -u root -l | ag -v '#' --nocolor | tee -a $filename250 ls -alht /etc/cron.*/* | tee -a $filename251 echo -e "\n" | tee -a $filename252 #crontab可疑命令253 echo -e "\e[00;31m[+]Crontab Backdoor \e[00m" | tee -a $filename255 echo -e "\n" | tee -a $filename256 #env257 echo -e "\e[00;31m[+]env\e[00m" | tee -a $filename258 env | tee -a $filename259 echo -e "\n" | tee -a $filename260 #PATH261 echo -e "\e[00;31m[+]PATH\e[00m" | tee -a $filename262 echo $PATH | tee -a $filename263 echo -e "\n" | tee -a $filename264 #LD_PRELOAD265 echo -e "\e[00;31m[+]LD_PRELOAD\e[00m" | tee -a $filename266 echo ${LD_PRELOAD} | tee -a $filename267 echo -e "\n" | tee -a $filename268 #LD_ELF_PRELOAD269 echo -e "\e[00;31m[+]LD_ELF_PRELOAD\e[00m" | tee -a $filename270 echo ${LD_ELF_PRELOAD} | tee -a $filename271 echo -e "\n" | tee -a $filename274 echo ${LD_LIBRARY_PATH} | tee -a $filename279 if [ -e "${preload}" ]; then280 cat ${preload} | tee -a $filename281 else282 echo -e "/etc/ld.so.preload 文件不存在" | tee -a $filename283 fi284 echo -e "\n" | tee -a $filename285 #passwd信息286 echo -e "\e[00;31m[+]可登陆用户\e[00m" | tee -a $filename287 cat /etc/passwd | ag -v 'nologin$|false$' | tee -a $filename288 echo -e "\n" | tee -a $filename290 echo -e "\n" | tee -a $filename293 echo -e "\n" | tee -a $filename294 #防火墙298 #登陆信息299 echo -e "\e[00;31m[+]登录信息\e[00m" | tee -a $filename300 w | tee -a $filename301 echo -e "\n" | tee -a $filename304 lastlog | tee -a $filename307 echo -e "\n" | tee -a $filename308 #SSH爆破IP309 echo -e "\e[00;31m[+]SSH爆破\e[00m" | tee -a $filename318 fi319 echo -e "\n" | tee -a $filename320 #查看history文件321 echo -e "\e[00;31m[+]History\e[00m" | tee -a $filename322 ls -alht ~/.*_history | tee -a $filename323 ls -alht /root/.*_history | tee -a $filename324 echo -e "\n" | tee -a $filename326 echo -e "\n" | tee -a $filename327 #HOSTS328 echo -e "\e[00;31m[+]/etc/hosts \e[00m" | tee -a $filename329 cat /etc/hosts | ag -v "#" | tee -a $filename330 echo -e "\n" | tee -a $filename331 #/etc/profile334 echo -e "\n" | tee -a $filename335 #/etc/rc.local336 echo -e "\e[00;31m[+]/etc/rc.local \e[00m" | tee -a $filename337 cat /etc/rc.local | ag -v '#' | tee -a $filename340 echo -e "\e[00;31m[+]~/.bash_profile \e[00m" | tee -a $filename341 cat ~/.bash_profile | ag -v '#' | tee -a $filename342 echo -e "\n" | tee -a $filename343 #~/.bashrc346 echo -e "\n" | tee -a $filename347 #bash反弹shell348 echo -e "\e[00;31m[+]bash反弹shell \e[00m" | tee -a $filename350 echo -e "\n" | tee -a $filename351 #SSHD352 echo -e "\e[00;31m[+]SSHD \e[00m" | tee -a $filename353 echo -e "/usr/sbin/sshd"360 echo -e "\n" | tee -a $filename361 #tmp目录362 echo -e "\e[00;31m[+]/tmp \e[00m" | tee -a $filename363 ls /tmp /var/tmp /dev/shm -alht | tee -a $filename364 echo -e "\n" | tee -a $filename365 #alias 别名372 echo -e "\n" | tee -a $filename378 #近7天改动381 echo -e "\n" | tee -a $filename382 #近7天改动387 #有些黑客会将数据库、网站打包成一个文件然后下载388 echo -e "\e[00;31m[+]大文件>100mb \e[00m" | tee -a $filename424 echo -e "\n" | tee -a $filename425 #挖矿木马检测426 echo -e "\e[00;31m[+]挖矿木马检测\e[00m" | tee -a $filename428 echo -e "\n" | tee -a $filename429 #Rkhunter查杀432 rkhunter --checkall --sk | ag -v 'OK|Not found|None found'433 else434 if [ -e "rkhunter.tar.gz" ]; then435 tar -zxvf rkhunter.tar.gz >/dev/null 2>&1
436 cd rkhunter-1.4.6/
437 ./installer.sh --install >/dev/null 2>&1
438 rkhunter --checkall --sk | ag -v 'OK|Not found|Non e found'439 else440 echo -e "找不到rkhunter.tar.gz尝试下载"441 wget https://github.com/al0ne/LinuxCheck/raw/maste r/rkhunter.tar.gz >/dev/null 2>&1;442 tar -zxvf rkhunter.tar.gz >/dev/null 2>&1
443 cd rkhunter-1.4.6/
444 ./installer.sh --install >/dev/null 2>&1
445 rkhunter --checkall --sk | ag -v 'OK|Not found|Non e found'446 fi447 fi执行后如下:
