在使用脚本前需要安装:ag命令
安装方式如下:
[root@xinsz08-63 LinuxCheck]# yum install epel-release
[root@xinsz08-63 LinuxCheck]# yum install the_silver_searcher
ag的日常使用:
ag类似于grep和find,但是执行效率比后两者高
ag -g a.txt 查找名字为a.txt的文件
ag -i test 忽略大小写搜索包含test的文本
ag -A 5 abc 显示搜索到的包含abc的行以及他之后的5行文本信息
演示:
[root@xinsz08-63 ~]# cp /etc/passwd /root/passwd
[root@xinsz08-63 ~]# ag -A 5 geoc passwd
34:geoclue:x:992:986:User for geoclue:/var/lib/geoclue:/sbin/nologin
35-setroubleshoot:x:991:985::/var/lib/setroubleshoot:/sbin/nologin
36-saned:x:990:984:SANE scanner daemon user:/usr/share/sane:/sbin/nologin
37-gdm:x:42:42::/var/lib/gdm:/sbin/nologin
38-gnome-initial-setup:x:989:983::/run/gnome-initial-setup/:/sbin/nologin
39-sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
此脚本涉及到系统的安全检测,比如MD5校验,检测常用命令是否被别人改动过,检测是否有挖矿病毒,是否有木马,登陆用户是否正常,等等。
#!/usr/bin/env bash
# Banner printed to the terminal only (the log file is not opened until later).
# One printf replaces the run of echo calls: every line is single-quoted, so the
# backslash in the title line stays literal, and the closing printf produces the
# two blank lines that `echo -e "\n"` used to emit.
printf '%s\n' \
  '' \
  ' ========================================================= ' \
  ' \ Linux应急响应/信息搜集脚本 V3.0 / ' \
  ' ========================================================= ' \
  ' # 支持Centos、Debian系统检测 ' \
  ' # author:al0ne ' \
  ' # https://github.com/al0ne '
printf '\n\n'

# WEB Path
# Directory that the web-related file searches start from. The default "/"
# walks the whole filesystem, which is slow; point it at the web root when
# that is known.
webpath="/"

echo -e "\e[00;31m[+]环境检测\e[00m"
# Later sections install packages and read root-only files, so refuse to
# continue unless bash's UID says we are root.
if [[ "$UID" -eq 0 ]]; then
  echo -e "\e[00;32m当前为root权限 \e[00m"
else
  echo -e "\n\e[00;33m请使用root权限运行 \e[00m"
  exit 1
fi

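# Work out whether the host is Debian-like or CentOS-like from /etc/os-release.
# OS stays 'None' when the file is missing or ID is unrecognised; the block
# that follows then falls back to probing for apt-get / yum.
OS='None'

if [[ -e /etc/os-release ]]; then
  # os-release is shell syntax, so `source` executes its contents as root.
  # It is trusted here as the distribution's own file; nothing checks its
  # integrity.
  # shellcheck disable=SC1091
  source /etc/os-release
  case "${ID:-}" in
    debian | ubuntu | devuan)
      OS='Debian'
      ;;
    # Fedora's ID is "fedora". os-release IDs never contain spaces, so a
    # literal such as "rhel fedora" can never match and was dropped.
    centos | rhel | fedora)
      OS='Centos'
      ;;
    *) ;;
  esac
fi
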
# Distribution still unknown: infer it from whichever package manager exists.
# With neither apt-get nor yum the helper packages cannot be installed, so
# the script stops here.
if [[ "$OS" == 'None' ]]; then
  if command -v apt-get >/dev/null 2>&1; then
    OS='Debian'
  elif command -v yum >/dev/null 2>&1; then
    OS='Centos'
  else
    echo -e "\n不支持这个系统\n"
    echo -e "已退出"
    exit 1
  fi
fi

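#ifconfig
# net-tools supplies ifconfig, netstat and route, which later sections call.
# NOTE: installing it modifies the host under investigation (package database,
# repository network access). A failed install is reported on stderr instead
# of being silently dropped, so empty ifconfig/netstat sections further down
# can be explained.
if ifconfig >/dev/null 2>&1; then
  echo -e "\e[00;32mifconfig已安装 \e[00m"
else
  if [[ "$OS" == 'Centos' ]]; then
    yum -y install net-tools >/dev/null 2>&1
  else
    apt-get -y install net-tools >/dev/null 2>&1
  fi || echo -e "\e[00;33mnet-tools 安装失败，后续 ifconfig/netstat 检查可能为空 \e[00m" >&2
fi
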
65 #Centos安装lsof
66 if lsof -v >/dev/null 2>&1; then
69 if [ $OS = 'Centos' ]; then
70 yum -y install lsof >/dev/null 2>&1
71 else
72 apt-get -y install lsof >/dev/null 2>&1
73 fi
74
75 fi
80 else
81 if [ $OS = 'Centos' ]; then
82 yum -y install the_silver_searcher >/dev/null 2>&1
83 else
85 fi
86
87 fi
88
89 echo -e "\n"
90
91 # 设置保存文件
94 filename=$ipaddress'_'$(hostname)'_'$(whoami)'_'$(date +%s)'.log'
95
96 #对比hash,看看有没有系统文件被替换掉
99 rpm -Va | tee -a $filename
102 debsums -e | ag -v 'OK' | tee -a $filename
#当前用户
# Account the script runs as (root, given the earlier check).
printf 'USER:\t\t %s\n' "$(whoami)" 2>/dev/null | tee -a "$filename"
#版本信息
# Running kernel release.
printf 'OS Version:\t %s\n' "$(uname -r)" | tee -a "$filename"
#主机名
# Short host name.
printf 'Hostname: \t %s\n' "$(hostname -s)" | tee -a "$filename"
113 #uptime
115 #cpu信息
117 #ipaddress
120 echo -e "\n" | tee -a $filename
121
126 "Used " (total-free)/total*100"%"}' | tee -a $filename
127 done
128 echo -e "\n" | tee -a $filename
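#登陆用户
echo -e "\e[00;31m[+]登陆用户\e[00m" | tee -a "$filename"
# `who` takes an optional utmp FILE operand, so `who $filename` read the log
# file as a utmp database and listed nothing; pipe its output into the log
# like every other section.
who | tee -a "$filename"
echo -e "\n" | tee -a "$filename"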
133 #CPU占用TOP 15
136 #内存占用TOP 15
139 #内存占用
142 echo -e "\n" | tee -a $filename
143 #剩余空间
146 echo -e "\n" | tee -a $filename
147 echo -e "\e[00;31m[+]硬盘挂载\e[00m" | tee -a $filename
149 echo -e "\n" | tee -a $filename
150 #ifconfig
151 echo -e "\e[00;31m[+]ifconfig\e[00m" | tee -a $filename
152 /sbin/ifconfig -a | tee -a $filename
155 echo -e "\e[00;31m[+]网络流量 \e[00m" | tee -a $filename
157 awk ' NR>2' /proc/net/dev | while read line; do
158 echo "$line" | awk -F ':' '{print " "$1" " $2}' | \
162 #端口监听
163 echo -e "\e[00;31m[+]端口监听\e[00m" | tee -a $filename
164 netstat -tulpen | ag 'tcp|udp.*' --nocolor | tee -a $filename
165 echo -e "\n" | tee -a $filename
166 #对外开放端口
167 echo -e "\e[00;31m[+]对外开放端口\e[00m" | tee -a $filename
169 echo -e "\n" | tee -a $filename
170 #网络连接
173 echo -e "\n" | tee -a $filename
174 #连接状态
175 echo -e "\e[00;31m[+]TCP连接状态\e[00m" | tee -a $filename
177 echo -e "\n" | tee -a $filename
180 /sbin/route -nee | tee -a $filename
181 echo -e "\n" | tee -a $filename
182 #路由转发
183 echo -e "\e[00;31m[+]路由转发\e[00m" | tee -a $filename
185 if [ -n "$ip_forward" ]; then
187 else
188 echo "该服务器未开启路由转发" | tee -a $filename
189 fi
190 echo -e "\n" | tee -a $filename
191 #DNS
192 echo -e "\e[00;31m[+]DNS Server\e[00m" | tee -a $filename
194 echo -e "\n" | tee -a $filename
195 #ARP
196 echo -e "\e[00;31m[+]ARP\e[00m" | tee -a $filename
197 arp -n -a | tee -a $filename
198 echo -e "\n" | tee -a $filename
#混杂模式
# `ip link` lists PROMISC among an interface's flags when it is in
# promiscuous mode (a sniffer may be running); only ag's exit status is used.
echo -e "\e[00;31m[+]网卡混杂模式\e[00m" | tee -a "$filename"
promisc_state='网卡不存在混杂模式'
if ip link | ag PROMISC >/dev/null 2>&1; then
  promisc_state='网卡存在混杂模式!'
fi
printf '%s\n' "$promisc_state" | tee -a "$filename"
echo -e "\n" | tee -a "$filename"
208 #安装软件
209 echo -e "\e[00;31m[+]常用软件\e[00m" | tee -a $filename
210 cmdline=(
211 "which perl"
212 "which gcc"
213 "which g++"
214 "which python"
215 "which php"
216 "which cc"
217 "which go"
218 "which node"
219 "which nodejs"
220 "which bind"
221 "which tomcat"
222 "which clang"
223 "which ruby"
224 "which curl"
225 "which wget"
228 "which ssserver"
229 "which vsftpd"
230 "which java"
231 "which apache"
232 "which nginx"
233 "which git"
234 "which mongodb"
235 "which docker"
236 "which tftp"
237 "which psql"
242 if [ "$soft" ] 2>/dev/null; then
244 fi
245 done
246 echo -e "\n" | tee -a $filename
#crontab
# root's crontab (comment lines dropped) and the contents of /etc/cron.*.
# NOTE(review): only root's crontab is listed here; other accounts' crontabs
# in the cron spool and /etc/crontab are not covered by this section.
echo -e "\e[00;31m[+]Crontab\e[00m" | tee -a "$filename"
crontab -u root -l | ag --nocolor -v '#' | tee -a "$filename"
ls -alht -- /etc/cron.*/* | tee -a "$filename"
echo -e "\n" | tee -a "$filename"
252 #crontab可疑命令
253 echo -e "\e[00;31m[+]Crontab Backdoor \e[00m" | tee -a $filename
255 echo -e "\n" | tee -a $filename
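#env
# Full environment dump. NOTE: this copies every variable — including any
# credentials exported in the environment — into the log file, so the log
# must be handled as sensitive.
echo -e "\e[00;31m[+]env\e[00m" | tee -a "$filename"
env | tee -a "$filename"
echo -e "\n" | tee -a "$filename"
#PATH
# The values below are exactly what an attacker may have tampered with, so
# they are printed verbatim: `echo $VAR` unquoted would word-split and glob
# the value (a `*` in LD_PRELOAD expands to file names) and would treat a
# value starting with -n/-e as an option. printf '%s\n' has neither problem.
echo -e "\e[00;31m[+]PATH\e[00m" | tee -a "$filename"
printf '%s\n' "$PATH" | tee -a "$filename"
echo -e "\n" | tee -a "$filename"
#LD_PRELOAD
# Libraries the dynamic loader injects into dynamically linked programs;
# normally empty.
echo -e "\e[00;31m[+]LD_PRELOAD\e[00m" | tee -a "$filename"
printf '%s\n' "${LD_PRELOAD:-}" | tee -a "$filename"
echo -e "\n" | tee -a "$filename"
#LD_ELF_PRELOAD
echo -e "\e[00;31m[+]LD_ELF_PRELOAD\e[00m" | tee -a "$filename"
printf '%s\n' "${LD_ELF_PRELOAD:-}" | tee -a "$filename"
echo -e "\n" | tee -a "$filename"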
274 echo ${LD_LIBRARY_PATH} | tee -a $filename
# $preload is assigned before this section (presumably /etc/ld.so.preload,
# per the message below). ld.so loads every library listed in that file into
# dynamically linked programs, so any content is worth examining.
if [[ -e "$preload" ]]; then
  cat -- "$preload" | tee -a "$filename"
else
  echo -e "/etc/ld.so.preload 文件不存在" | tee -a "$filename"
fi
echo -e "\n" | tee -a "$filename"
#passwd信息
# Accounts whose login shell is neither nologin nor false, i.e. accounts that
# can log in interactively; compare against the expected set of human users.
# ag reads stdin here so its output stays plain lines (no line-number prefix).
echo -e "\e[00;31m[+]可登陆用户\e[00m" | tee -a "$filename"
ag -v 'nologin$|false$' </etc/passwd | tee -a "$filename"
echo -e "\n" | tee -a "$filename"
290 echo -e "\n" | tee -a $filename
293 echo -e "\n" | tee -a $filename
294 #防火墙
298 #登陆信息
299 echo -e "\e[00;31m[+]登录信息\e[00m" | tee -a $filename
300 w | tee -a $filename
301 echo -e "\n" | tee -a $filename
304 lastlog | tee -a $filename
307 echo -e "\n" | tee -a $filename
308 #SSH爆破IP
309 echo -e "\e[00;31m[+]SSH爆破\e[00m" | tee -a $filename
318 fi
319 echo -e "\n" | tee -a $filename
#查看history文件
# Shell history files of the invoking user and of root (the same files when
# HOME is /root). Only these two locations are listed in this section; other
# users' home directories are not.
echo -e "\e[00;31m[+]History\e[00m" | tee -a "$filename"
ls -alht "$HOME"/.*_history | tee -a "$filename"
ls -alht /root/.*_history | tee -a "$filename"
echo -e "\n" | tee -a "$filename"
326 echo -e "\n" | tee -a $filename
327 #HOSTS
328 echo -e "\e[00;31m[+]/etc/hosts \e[00m" | tee -a $filename
329 cat /etc/hosts | ag -v "#" | tee -a $filename
330 echo -e "\n" | tee -a $filename
331 #/etc/profile
334 echo -e "\n" | tee -a $filename
335 #/etc/rc.local
336 echo -e "\e[00;31m[+]/etc/rc.local \e[00m" | tee -a $filename
337 cat /etc/rc.local | ag -v '#' | tee -a $filename
340 echo -e "\e[00;31m[+]~/.bash_profile \e[00m" | tee -a $filename
341 cat ~/.bash_profile | ag -v '#' | tee -a $filename
342 echo -e "\n" | tee -a $filename
343 #~/.bashrc
346 echo -e "\n" | tee -a $filename
347 #bash反弹shell
348 echo -e "\e[00;31m[+]bash反弹shell \e[00m" | tee -a $filename
350 echo -e "\n" | tee -a $filename
351 #SSHD
352 echo -e "\e[00;31m[+]SSHD \e[00m" | tee -a $filename
353 echo -e "/usr/sbin/sshd"
360 echo -e "\n" | tee -a $filename
#tmp目录
# World-writable scratch directories are a common staging place for dropped
# files; -t lists the newest entries first.
echo -e "\e[00;31m[+]/tmp \e[00m" | tee -a "$filename"
ls -alht /tmp /var/tmp /dev/shm | tee -a "$filename"
echo -e "\n" | tee -a "$filename"
365 #alias 别名
372 echo -e "\n" | tee -a $filename
378 #近7天改动
381 echo -e "\n" | tee -a $filename
382 #近7天改动
387 #有些黑客会将数据库、网站打包成一个文件然后下载
388 echo -e "\e[00;31m[+]大文件>100mb \e[00m" | tee -a $filename
424 echo -e "\n" | tee -a $filename
425 #挖矿木马检测
426 echo -e "\e[00;31m[+]挖矿木马检测\e[00m" | tee -a $filename
428 echo -e "\n" | tee -a $filename
429 #Rkhunter查杀
432 rkhunter --checkall --sk | ag -v 'OK|Not found|None found'
433 else
434 if [ -e "rkhunter.tar.gz" ]; then
435 tar -zxvf rkhunter.tar.gz >/dev/null 2>&1
436 cd rkhunter-1.4.6/
437 ./installer.sh --install >/dev/null 2>&1
438 rkhunter --checkall --sk | ag -v 'OK|Not found|Non e found'
439 else
440 echo -e "找不到rkhunter.tar.gz尝试下载"
441 wget https://github.com/al0ne/LinuxCheck/raw/maste r/rkhunter.tar.gz >/dev/null 2>&1;
442 tar -zxvf rkhunter.tar.gz >/dev/null 2>&1
443 cd rkhunter-1.4.6/
444 ./installer.sh --install >/dev/null 2>&1
445 rkhunter --checkall --sk | ag -v 'OK|Not found|Non e found'
446 fi
447 fi
执行后如下: