Linux应急响应的常用命令

• 筛选暴力破解 grep -o "Failed password" /var/log/secure|uniq -c

• 定位具体攻击ip grep "Failed password" /var/log/secure|grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"|uniq -c | sort -nr

• 筛选登录成功过的ip grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

• 检查特权用户情况 awk -F: '$3==0{print $1}' /etc/passwd

• 检查可以远程登录的帐号 awk '/$1|$6/{print $1}' /etc/shadow

• 检查其他帐号是否存在sudo权限 more /etc/sudoers | grep -v "^#|^$" | grep "ALL=(ALL)"

• 检查历史命令 histroy

• 分析可疑端口、IP、PID netstat -antlp|more

• 定位可疑进程 ps aux | grep pid

• 定位pid文件路径 ls -l /proc/$PID/exe或file /proc/$PID/exe（$PID 为对应的pid 号）

• 检查启动项 more /etc/rc.local /etc/rc.d/rc[0~6].d ls -l /etc/rc.d/rc3.d/

• 检查定时任务
  /var/spool/cron/*
  /etc/crontab
  /etc/cron.d/*
  /etc/cron.daily/*
  /etc/cron.hourly/*
  /etc/cron.monthly/*
  /etc/cron.weekly/
  /etc/anacrontab
  /var/spool/anacron/*

• 检查异常文件 find /opt -iname "*" -atime 1 -type f

• 检查服务自启 chkconfig --list