CentOS Intrusion Detection
Last updated
2023-01-28 10:44:56
(Other systems can be checked following the same approach.)

### 1. Check whether the log files still exist or have been emptied

```shell
# Check whether logs have been deleted or their contents cleared (for example, check the size of the key log file secure); here everything is normal.
[root@CDNCloud ~]#ll /var/log/ -h
total 4.0M
drwxr-xr-x. 2 root root 204 Aug 26 18:31 anaconda
drwx------. 2 root root 23 Aug 26 18:37 audit
-rw-r--r-- 1 root root 121K Sep 6 22:34 dmesg
-rw-r--r--. 1 root root 121K Sep 6 22:27 dmesg.old
-rw-r-----. 1 root root 1.3K Sep 9 03:18 firewalld
-rw------- 1 root root 1.4K Sep 9 03:18 grubby
-rw-r--r--. 1 root root 193 Aug 26 18:30 grubby_prune_debug
-rw-r--r--. 1 root root 286K Sep 12 21:23 lastlog
-rw------- 1 root root 0 Sep 11 03:48 maillog
-rw-------. 1 root root 388 Aug 26 18:55 maillog-20220902
-rw-------. 1 root root 0 Sep 2 10:42 maillog-20220904
-rw-------. 1 root root 792 Sep 6 22:34 maillog-20220911
-rw------- 1 root root 9.4K Sep 12 21:30 messages
-rw-------. 1 root root 315K Sep 2 10:42 messages-20220902
-rw-------. 1 root root 12K Sep 4 03:31 messages-20220904
-rw-------. 1 root root 631K Sep 11 03:48 messages-20220911
drwxr-xr-x. 2 root root 6 Aug 26 18:31 rhsm
drwxr-xr-x 2 root root 67 Sep 12 21:30 sa
-rw------- 1 root root 698 Sep 12 21:23 secure
-rw-------. 1 root root 5.4K Aug 31 20:42 secure-20220902
-rw-------. 1 root root 199 Sep 4 01:46 secure-20220904
-rw-------. 1 root root 11K Sep 10 23:30 secure-20220911
```

### 2. Check for abnormal user or password files

```shell
# Inspect /etc/passwd and /etc/shadow; the output below is the normal case
[root@CDNCloud ~]# ll /etc/pass*
-rw-r--r-- 1 root root 938 Sep 12 21:41 /etc/passwd
-rw-r--r--. 1 root root 975 Sep 8 00:25 /etc/passwd-
[root@CDNCloud ~]#ll /etc/shadow*
---------- 1 root root 599 Sep 12 21:41 /etc/shadow
---------- 1 root root 599 Sep 12 21:42 /etc/shadow-
```

### 3. Check whether the user or password files have been modified

```shell
# Compare the contents of /etc/passwd and /etc/shadow against the defaults; taking CentOS 7.9 as an example, the default content is as follows
[root@CDNCloud ~]#more /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
[root@CDNCloud ~]#more /etc/shadow
root:$6$z6/jBzBg$RPnSPOucPzL1ysCfT/Jx/78JH0sXKGPbBiwK81ldfZYxR43HpOAMqs57VcKuiLqJCrlxFI4/eXR1FvNX5Ajrc0:19241:0:99999:7:::
bin:*:18353:0:99999:7:::
daemon:*:18353:0:99999:7:::
adm:*:18353:0:99999:7:::
lp:*:18353:0:99999:7:::
sync:*:18353:0:99999:7:::
shutdown:*:18353:0:99999:7:::
halt:*:18353:0:99999:7:::
mail:*:18353:0:99999:7:::
operator:*:18353:0:99999:7:::
games:*:18353:0:99999:7:::
ftp:*:18353:0:99999:7:::
nobody:*:18353:0:99999:7:::
systemd-network:!!:19230::::::
dbus:!!:19230::::::
polkitd:!!:19230::::::
tss:!!:19230::::::
abrt:!!:19230::::::
sshd:!!:19230::::::
postfix:!!:19230::::::

# You can also check the line count; on CentOS 7.9 the default is 20 lines
[root@CDNCloud ~]#more /etc/shadow |wc -l;more /etc/passwd| wc -l
20
20
```

### 4. Check the machine's most recent successful login events and the last unsuccessful login event

```shell
# The log backing this command is '/var/log/lastlog'
[root@CDNCloud ~]#lastlog 
Username Port From Latest
root pts/0 10.0.0.1 Mon Sep 12 21:23:06 +0800 2022
bin **Never logged in**
daemon **Never logged in**
adm **Never logged in**
lp **Never logged in**
sync **Never logged in**
shutdown **Never logged in**
halt **Never logged in**
mail **Never logged in**
operator **Never logged in**
games **Never logged in**
ftp **Never logged in**
nobody **Never logged in**
systemd-network **Never logged in**
dbus **Never logged in**
polkitd **Never logged in**
tss **Never logged in**
abrt **Never logged in**
sshd **Never logged in**
postfix **Never logged in**
```

### 5. Check all users currently logged in to the machine

```shell
# Backed by the log file "/var/run/utmp"; entries with an IP at the end are remote logins, those without are local console logins.
[root@CDNCloud]#who
root tty1 2022-09-06 22:34
root pts/0 2022-09-12 21:23 (10.0.0.1)
```

### 6. Check every user who has logged in since the machine was created

```shell
# Backed by the log file "/var/log/wtmp"
[root@CDNCloud ~]#last
root pts/0 10.0.0.1 Mon Sep 12 21:23 still logged in 
root pts/1 10.0.0.1 Sun Sep 11 08:42 - 08:43 (00:00) 
root pts/0 10.0.0.1 Sat Sep 10 23:30 - 08:43 (09:12) 
root pts/4 10.0.0.1 Sat Sep 10 21:38 - 22:27 (00:49) 
root pts/3 10.0.0.1 Sat Sep 10 21:27 - 23:03 (01:35) 
root pts/2 10.0.0.1 Fri Sep 9 02:17 - 22:16 (1+19:58) 
root pts/1 10.0.0.1 Fri Sep 9 02:17 - 22:16 (1+19:58) 
root pts/0 10.0.0.1 Fri Sep 9 01:58 - 22:16 (1+20:17) 
root pts/0 10.0.0.1 Thu Sep 8 21:31 - 01:44 (04:12) 
root pts/0 10.0.0.1 Thu Sep 8 03:51 - 08:53 (05:01) 
root pts/0 10.0.0.1 Thu Sep 8 03:48 - 03:51 (00:03)
```

### 7. Check the /var/log/secure log file

```shell
# Try to find traces of the intruder
[root@CDNCloud ~]#more /var/log/secure | grep -i 'accepted password'
Sep 11 08:42:23 hhw79-100 sshd[76849]: Accepted password for root from 10.0.0.1 port 29947 ssh2
Sep 12 21:23:06 hhw79-100 sshd[77306]: Accepted password for root from 10.0.0.1 port 2098 ssh2
```

### 8. Check network connections

```shell
[root@CDNCloud ~]#ss -ntpu
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port 
tcp ESTAB 0 36 10.0.0.100:22 10.0.0.1:2098 users:(("sshd",pid=77306,fd=3))
```

### 9. Locate the executable or script behind an abnormal process

#### 9.1 Use top to find the PID of the abnormal process

```shell
[root@CDNCloud ~]#top
top - 22:49:10 up 1 day, 16:00, 2 users, load average: 0.00, 0.01, 0.05
Tasks: 110 total, 1 running, 109 sleeping, 0 stopped, 0 zombie
%Cpu(s): 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 2027892 total, 451032 free, 293684 used, 1283176 buff/cache
KiB Swap: 2097148 total, 2084084 free, 13064 used. 1539916 avail Mem 

 PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 
 1 root 20 0 43628 3940 2444 S 0.0 0.2 0:02.37 systemd 
 2 root 20 0 0 0 0 S 0.0 0.0 0:00.03 kthreadd 
 4 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/0:0H 
 6 root 20 0 0 0 0 S 0.0 0.0 0:02.55 ksoftirqd/0 
 7 root rt 0 0 0 0 S 0.0 0.0 0:00.24 migration/0 
 8 root 20 0 0 0 0 S 0.0 0.0 0:00.00 rcu_bh 
 9 root 20 0 0 0 0 S 0.0 0.0 0:06.46 rcu_sched 
 10 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 lru-add-drain 
 11 root rt 0 0 0 0 S 0.0 0.0 0:00.56 watchdog/0 
 12 root rt 0 0 0 0 S 0.0 0.0 0:00.40 watchdog/1 
 13 root rt 0 0 0 0 S 0.0 0.0 0:00.17 migration/1 
 14 root 20 0 0 0 0 S 0.0 0.0 0:00.74 ksoftirqd/1
```

#### 9.2 Find the process's executable through the /proc virtual file system

```shell
# The file below is a legitimate one; this is only a demonstration
[root@CDNCloud ~]#ll /proc/77306 |grep -i exe
# The exe symlink points to the directory of the corresponding program
lrwxrwxrwx 1 root root 0 Sep 12 21:23 exe -> /usr/sbin/sshd

[root@CDNCloud ~]#ll /usr/sbin/sshd
-rwxr-xr-x 1 root root 852888 Nov 25 2021 /usr/sbin/sshd
```
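As an added example that is not part of the original page, the POSIX shell script below automates the account and login checks from sections 2, 3 and 7: it reports UID 0 accounts other than root, shadow entries that still accept password login, and successful password logins grouped by user and source. The passwd, shadow and secure files it reads are constructed inline for the demo (the `toor` account and the 192.0.2.55 login are invented); on a live host point the functions at the real files.

```shell
#!/bin/sh
# Added example (not from the original page): automates the /etc/passwd,
# /etc/shadow and /var/log/secure checks from sections 2, 3 and 7.
# The sample files below are constructed for the demo; point the functions
# at the real /etc/passwd, /etc/shadow and /var/log/secure on a live host.

# Print accounts other than root whose UID is 0 (a classic backdoor account).
uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print accounts whose shadow hash field still allows password login, i.e.
# is not locked ("!", "!!") or disabled ("*"). On a default CentOS 7.9
# install only root should appear here.
login_capable_accounts() {
  awk -F: '$2 != "*" && $2 != "!" && $2 != "!!" && $2 != "" { print $1 }' "$1"
}

# Summarise successful password logins in secure as "user source count".
accepted_logins() {
  grep -i 'accepted password' "$1" \
    | awk '{ c[$9 " " $11]++ } END { for (k in c) print k, c[k] }' \
    | sort
}

# --- constructed sample data (stands in for the real files) ---
TMP=$(mktemp -d)
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
toor:x:0:0:toor:/tmp:/bin/bash
EOF
cat > "$TMP/shadow" <<'EOF'
root:$6$constructedhash:19241:0:99999:7:::
bin:*:18353:0:99999:7:::
sshd:!!:19230::::::
toor:$6$constructedhash2:19241:0:99999:7:::
EOF
cat > "$TMP/secure" <<'EOF'
Sep 11 08:42:23 host sshd[76849]: Accepted password for root from 10.0.0.1 port 29947 ssh2
Sep 12 21:23:06 host sshd[77306]: Accepted password for root from 10.0.0.1 port 2098 ssh2
Sep 12 22:01:45 host sshd[77400]: Accepted password for toor from 192.0.2.55 port 4141 ssh2
EOF

echo "UID 0 accounts besides root: $(uid0_accounts "$TMP/passwd")"
echo "Login-capable accounts: $(login_capable_accounts "$TMP/shadow" | tr '\n' ' ')"
echo "Accepted password logins (user source count):"
accepted_logins "$TMP/secure"
```

On the sample data the script flags `toor` as a second UID 0 account with a live password hash and shows its login from a source never seen for root, which is exactly the pattern sections 3 and 7 ask you to look for by eye.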