Incident Response Analysis: Information Collection on Linux

I previously wrote a post, 《黑客入侵应急分析手工排查》 (manual triage for intrusion incident analysis). To make triage more efficient, part of it can be automated, for example basic Linux information collection and automated analysis of web logs and system logs.
This time I have gathered those earlier commands into one place. I originally planned to write it in Python, but found that the shell Linux ships with by default works better (for basic information collection).

This bash script can be used for information collection during later incident response triage.

```bash
#!/bin/bash
# by sm0nk
# usage: bash securityCheck.sh >> all.txt &

echo "start......" `date`

echo "basicFile security check"
# recently modified entries in temp and startup directories (newest first)
ls -alt /tmp/
ls -alt /etc/init.d/
# JSP files modified within the last 24 hours (webshell candidates)
find ./ -mtime 0 -name "*.jsp"
# files with mode exactly 4777 (setuid and world-writable)
find / -perm 4777
netstat -anp
ps -aux
# most recently changed binaries in the system command directories
ls -alt /usr/bin | head -10
ls -alt /usr/sbin | head -10
ls -alt /sbin | head -10
# timestamps of commonly replaced binaries
stat /usr/bin/ls /usr/bin/netstat
stat /bin/ls /bin/netstat

echo "sysinfo security check"
history
history | grep wget
history | grep ssh
cat /root/.bash_history
crontab -l
ls /etc/cron*
echo $PATH
ls -alt /etc/init.d/
cat /etc/init.d/rc.local

echo "user info select"
cat /etc/passwd
# accounts with UID 0 (root-equivalent)
awk -F: '{if($3==0)print $1}' /etc/passwd
# accounts with an interactive login shell
cat /etc/passwd | grep -E "/bin/bash$"

echo "log info check"
last
lastlog
lastb
who
w
# cat /var/log/auth.log
# cat /var/log/auth.log | egrep '[1-9]{1,3}\.[1-9]{1,3}\.'
# cd /var/log/ && cat message auth.log userlog cron secure faillog
cd /var/log && strings wtmp btmp faillog lastlog >> /tmp/linuxsys.log
echo "login failed IP......"
# $13 is the source IP only for "Failed password for invalid user X from IP" lines;
# for failures against existing users the IP is $11
grep "Failed password" /var/log/auth.log | awk '{print $13}' | sort | uniq -c | sort -nr | more
echo "login success IP......"
grep "Accepted" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr | more

echo "file packet"
# create (c) compressed archives of the web and system logs for offline analysis
tar zcPf /tmp/apacheAccess.tar.gz /var/log/apache2/access.log
tar zcPf /tmp/nginxAccess.tar.gz /var/log/nginx/access.log
tar zcPf /tmp/varALL.tar.gz /var/log/

echo "end......" `date`
```
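Added example (Python 3, not code from the original post): the same failed/accepted login tally that the script does with grep, awk, sort and uniq, but matching on the message words instead of a fixed awk field, because "invalid user" shifts the source IP from $11 to $13. The sshd lines are constructed sample data; awk_field shows where a fixed field index lands on each of them.

```python
import re
from collections import Counter
from typing import Iterable, Tuple

# Constructed sample sshd lines in the syslog layout the script greps for
SAMPLE_AUTH_LOG = """\
Jan 10 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 4422 ssh2
Jan 10 10:00:02 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 4423 ssh2
Jan 10 10:00:03 host sshd[1236]: Accepted password for deploy from 198.51.100.9 port 5001 ssh2
Jan 10 10:00:04 host sshd[1237]: Accepted publickey for deploy from 198.51.100.9 port 5002 ssh2
Jan 10 10:00:05 host sshd[1238]: Failed password for root from 203.0.113.7 port 4424 ssh2
Jan 10 10:00:06 host sshd[1239]: pam_unix(sshd:auth): authentication failure; logname= uid=0
"""

# "invalid user" shifts the awk field positions; anchoring on the words avoids that
SSHD_AUTH = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def count_login_ips(lines: Iterable[str]) -> Tuple[Counter, Counter]:
    """Return (failed, accepted) Counters keyed by source IP address."""
    failed, accepted = Counter(), Counter()
    for line in lines:
        m = SSHD_AUTH.search(line)
        if not m:
            continue  # unrelated lines (pam, disconnects) are skipped, not miscounted
        (failed if m["result"] == "Failed" else accepted)[m["ip"]] += 1
    return failed, accepted

def awk_field(line: str, n: int) -> str:
    """Mimic awk '{print $n}' to show why a fixed field index is fragile."""
    fields = line.split()
    return fields[n - 1] if len(fields) >= n else ""

def top_sources(counter: Counter, limit: int = 10):
    """Equivalent of: sort | uniq -c | sort -nr | head."""
    return counter.most_common(limit)

if __name__ == "__main__":
    failed, accepted = count_login_ips(SAMPLE_AUTH_LOG.splitlines())
    print("failed logins by source:", top_sources(failed))
    print("accepted logins by source:", top_sources(accepted))
    for line in SAMPLE_AUTH_LOG.splitlines()[:2]:
        print("awk $13 would print:", awk_field(line, 13))
```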

I originally intended to write it in Python, but when subprocess has to handle many arguments the code gets somewhat bloated. The module is still well worth recommending, though.

For example, checking in bulk which hosts in a /24 (class C range) are alive:

```python
#coding=utf-8
# Python 2: the thread module and print statement are Python 2 only

import thread
import time
from subprocess import Popen,PIPE

def ping_check(ip):
    # send two ICMP echo requests; a reply line contains "ttl="
    check = Popen(['/bin/bash','-c','ping -c 2 '+ip],stdin=PIPE,stdout=PIPE)
    data = check.stdout.read()
    if 'ttl' in data :
        print '%s is up'%ip

def main():
    for i in range(1,255):
        ip = '192.168.0.'+str(i)
        thread.start_new_thread(ping_check,(ip,)) #2.8s
        # ping_check(ip)
        time.sleep(0.01)
    # threads started with thread.start_new_thread are killed when the main thread
    # exits, so give the last pings time to finish before returning
    time.sleep(5)

if __name__ == '__main__':
    main()
```

I wrote part of the Linux information collection in Python; although I switched to bash, I am recording how subprocess is used.

  1. subprocess.check_output: of the several ways to run a command, run, call and Popen seem to execute as soon as they are written, whereas check_output stores the command's output in a variable. One issue still bothers me: something like cat /var/log/message presumably increases the machine's memory usage…

  2. shell=True usage: you can wrap the whole command in single quotes and pass the system command directly. Without shell=True the command has to be passed as a list, e.g. find /Users/sm0nk/Downloads -name "find*.txt"; when it is that long, use shlex.split to split it into a list of individual tokens.

  3. Multi-command pipeline interaction needs two definitions:

    ```python
    ip1 = Popen('ifconfig',stdout=PIPE)
    ip2 = Popen('grep 192.168.',stdin=ip1.stdout,stdout=PIPE,shell=True)
    out,err = ip2.communicate()
    print out
    ```
  4. While searching and learning I found a Python blog on cnblogs whose author has a real researcher's mindset. Linking it here as well.

Python之系统交互(subprocess) (Python system interaction: subprocess), by 云游道士
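Added example (Python 3, not from the original post or the linked blog): the pipeline pattern from items 2 and 3 without shell=True, using argv lists from shlex.split, one Popen per stage chained through stdin, and streamed output so a large log does not have to be held in memory the way item 1 worries about. The demo_stages commands are constructed stand-ins for ifconfig and grep, run through the current Python interpreter so the block works on any host.

```python
import shlex
import subprocess
import sys
from typing import Iterator, List

def argv_from_string(cmd: str) -> List[str]:
    """shlex.split turns a quoted command string into an argv list; no shell=True needed."""
    return shlex.split(cmd)

def run_pipeline(stages: List[List[str]]) -> Iterator[str]:
    """Run argv lists as a pipeline (stage1 | stage2 | ...), yielding the last stage's lines.

    Lines are streamed instead of collected with check_output, so a large input such as
    a full syslog is never held in memory at once.
    """
    procs = []
    upstream = None
    for argv in stages:
        p = subprocess.Popen(argv, stdin=upstream, stdout=subprocess.PIPE, text=True)
        if upstream is not None:
            upstream.close()  # parent drops its copy so the upstream stage sees EOF/SIGPIPE
        procs.append(p)
        upstream = p.stdout
    for line in procs[-1].stdout:
        yield line
    for p in procs:
        p.wait()  # reap every stage once the consumer has drained the output

def pipeline_lines(stages: List[List[str]]) -> List[str]:
    return list(run_pipeline(stages))

def demo_stages() -> List[List[str]]:
    # Constructed stand-in for `ifconfig | grep 192.168.`: the first stage prints two
    # interface lines, the second keeps those containing "192.168." (assumed sample data)
    producer = [sys.executable, "-c",
                "print('eth0 inet 10.0.0.5'); print('eth1 inet 192.168.0.7')"]
    consumer = [sys.executable, "-c",
                "import sys; sys.stdout.writelines(l for l in sys.stdin if '192.168.' in l)"]
    return [producer, consumer]

if __name__ == "__main__":
    print(argv_from_string('find /tmp -mtime 0 -name "*.jsp"'))
    print(pipeline_lines(demo_stages()))
```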


A half-finished Python version of the information collection, kept here as a reminder.

```python
#coding=utf-8
# emergencySecurity_linux.py
# by sm0nk
# Python 2 (print statement, str output from check_output)

import os
import subprocess,shlex
from subprocess import Popen,PIPE

def basicFileAnalysis():
    # recently modified entries in /tmp and in the startup script directory
    os.chdir('/tmp')
    tmplist = subprocess.check_output(['ls -al'],shell=True)
    print tmplist
    try:
        os.chdir('/etc/init.d/')
        onstart = subprocess.check_output(['ls -al '],shell=True)
        print onstart
    except Exception as e:
        print e

    # e.g. look for JSP files modified within the last 24 hours; the www directory is
    # the focus, but frequently used directories also need checking
    # mtime is relatively reliable; Linux has no creation time
    try:
        # os.system("find /var/www -mtime 0 ")
        # os.system("find /private/tmp -mtime 0")
        find_cmd = shlex.split('find /tmp -mtime 0')
        p1 = subprocess.check_output(find_cmd)
        # p1 = subprocess.check_output('find /Users/sm0nk/Downloads -name \'find*.txt\'',shell=True)
        print p1
        # ip1 = Popen('ifconfig',stdout=PIPE)
        # ip2 = Popen('grep 192.168',stdin=ip1.stdout,stdout=PIPE,shell=True)
        # out,err = ip2.communicate()
        # print out

        # look for files with broad permissions in directories such as /tmp and /var/www
        permlist = subprocess.check_output('find /tmp -perm 777',shell=True)
        print permlist
    except Exception as e:
        print e

# basicFileAnalysis()

def processConn():
    try:
        processlist = subprocess.check_output('ps -aux',shell=True)
        print "########## cmd: ps -aux ##########\n"+ processlist
        netconn = subprocess.check_output('netstat -anp',shell=True)
        print "########## cmd: netstat -anp ##########\n" + netconn

    except Exception as e:
        print e

# processConn()
def cmdAnalysis():
    try:
        # list the command directories sorted by most recent modification time
        bincmd1 = subprocess.Popen('ls -alt /usr/bin ',stdout=PIPE,shell=True)
        bincmd2 = subprocess.Popen('head -10',stdin=bincmd1.stdout,stdout=PIPE,shell=True)
        out,err = bincmd2.communicate()
        print "########## cmd: ls -alt /usr/bin | head -10 ##########\n",out
        bincmd3 = subprocess.Popen('ls -alt /usr/sbin ',stdout=PIPE,shell=True)
        bincmd4 = subprocess.Popen('head -10',stdin=bincmd3.stdout,stdout=PIPE,shell=True)
        out4,err = bincmd4.communicate()
        print "########## cmd: ls -alt /usr/sbin | head -10 ##########\n",out4
    except Exception as e:
        print e
cmdAnalysis()
```