可以先查看各日志文件是否仍然存在、是否被清空或截断为 0 字节(例如下面 du 输出中的 /var/log/secure 与 /var/log/boot.log 均为 0),以及按日期轮转的历史文件之间是否出现缺口;注意 ls 的 -h 只有与 -l 同用时才显示文件大小,要对比大小应使用 ls -lh 或 du -sh。获得 root 权限的入侵者可以直接改写这些文件,因此本机日志只能作为线索,应与由 auditd 独立写入的 /var/log/audit/audit.log 以及远程 syslog 服务器上的副本相互印证。相关命令示例:
[root@centos8 ~]# ls -h /var/log/*
/var/log/boot.log /var/log/dnf.librepo.log-20210502 /var/log/hawkey.log-20210502
/var/log/boot.log-20200828 /var/log/dnf.librepo.log-20210509 /var/log/hawkey.log-20210509
/var/log/boot.log-20210318 /var/log/dnf.log /var/log/lastlog
/var/log/btmp /var/log/dnf.log.1 /var/log/maillog
/var/log/btmp-20210501 /var/log/dnf.log.2 /var/log/messages
/var/log/cloud-init.log /var/log/dnf.log-20200828 /var/log/qcloud_action.log
/var/log/cloud-init-output.log /var/log/dnf.rpm.log /var/log/secure
/var/log/cron /var/log/dnf.rpm.log-20200828 /var/log/secure-202103281616874601.gz
/var/log/dnf.librepo.log /var/log/hawkey.log /var/log/spooler
/var/log/dnf.librepo.log-20210418 /var/log/hawkey.log-20210418 /var/log/wtmp
/var/log/dnf.librepo.log-20210425 /var/log/hawkey.log-20210425
/var/log/anaconda:
anaconda.log dnf.librepo.log ifcfg.log ks-script-64obidnb.log ks-script-xc9zm2f2.log program.log syslog
dbus.log hawkey.log journal.log ks-script-drwrp_wh.log packaging.log storage.log
/var/log/audit:
audit.log audit.log.1 audit.log.2 audit.log.3
/var/log/chrony:
/var/log/insights-client:
/var/log/journal:
33790f3e0323419f9a055840e9d10b13
/var/log/nginx:
access.log access.log-20210319.gz error.log error.log-20210319.gz
/var/log/private:
/var/log/qemu-ga:
/var/log/samba:
old
/var/log/sssd:
sssd_implicit_files.log sssd_kcm.log sssd.log-20210502.gz sssd_nss.log-20200828.gz
sssd_implicit_files.log-20200828.gz sssd_kcm.log-20210318 sssd.log-20210509 sssd_nss.log-20210318
sssd_implicit_files.log-20210318 sssd.log sssd_nss.log
/var/log/tuned:
tuned.log
[root@centos8 ~]# du -sh /var/log/*
56K /var/log/anaconda
29M /var/log/audit
0 /var/log/boot.log
4.0K /var/log/boot.log-20200828
4.0K /var/log/boot.log-20210318
34M /var/log/btmp
184M /var/log/btmp-20210501
4.0K /var/log/chrony
212K /var/log/cloud-init.log
16K /var/log/cloud-init-output.log
14M /var/log/cron
52K /var/log/dnf.librepo.log
136K /var/log/dnf.librepo.log-20210418
136K /var/log/dnf.librepo.log-20210425
136K /var/log/dnf.librepo.log-20210502
132K /var/log/dnf.librepo.log-20210509
112K /var/log/dnf.log
1.1M /var/log/dnf.log.1
1.1M /var/log/dnf.log.2
4.0K /var/log/dnf.log-20200828
192K /var/log/dnf.rpm.log
4.0K /var/log/dnf.rpm.log-20200828
4.0K /var/log/hawkey.log
4.0K /var/log/hawkey.log-20210418
4.0K /var/log/hawkey.log-20210425
4.0K /var/log/hawkey.log-20210502
4.0K /var/log/hawkey.log-20210509
4.0K /var/log/insights-client
1001M /var/log/journal
8.0K /var/log/lastlog
4.0K /var/log/maillog
2.8M /var/log/messages
12K /var/log/nginx
4.0K /var/log/private
4.0K /var/log/qcloud_action.log
4.0K /var/log/qemu-ga
8.0K /var/log/samba
0 /var/log/secure
3.8M /var/log/secure-202103281616874601.gz
4.0K /var/log/spooler
36K /var/log/sssd
8.0K /var/log/tuned
4.0K /var/log/wtmp
检查账户文件时重点关注:UID 为 0 但用户名不是 root 的账户、本应为 /sbin/nologin 却拥有登录 shell 的服务账户、新增的陌生账户,以及当前文件与备份文件 /etc/passwd-、/etc/shadow- 之间的差异(可用 diff 对比,备份文件的修改时间早于当前文件是正常的)。另外,下面 ll 输出中备份文件权限位后有表示 SELinux 安全上下文的“.”,而当前文件没有,这种差异值得用 ls -Z 进一步确认文件标签是否完整。相关命令示例:
[root@centos8 ~]# ll /etc/passwd*
-rw-r--r-- 1 root root 1578 Mar 18 16:41 /etc/passwd
-rw-r--r--. 1 root root 1516 Mar 18 16:18 /etc/passwd-
[root@centos8 ~]# ll /etc/shadow*
---------- 1 root root 799 Mar 18 16:41 /etc/shadow
----------. 1 root root 778 Mar 18 16:18 /etc/shadow-
[root@centos8 ~]# more /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
polkitd:x:998:996:User for polkitd:/:/sbin/nologin
unbound:x:997:994:Unbound DNS resolver:/etc/unbound:/sbin/nologin
libstoragemgmt:x:996:993:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
cockpit-ws:x:995:991:User for cockpit-ws:/:/sbin/nologin
setroubleshoot:x:994:990::/var/lib/setroubleshoot:/sbin/nologin
sssd:x:993:989:User for sssd:/:/sbin/nologin
insights:x:992:988:Red Hat Insights:/var/lib/insights:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
chrony:x:991:987::/var/lib/chrony:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
syslog:x:990:986::/home/syslog:/bin/false
cockpit-wsinstance:x:989:985:User for cockpit-ws instances:/nonexisting:/sbin/nologin
nginx:x:988:984:Nginx web server:/var/lib/nginx:/sbin/nologin
[root@centos8 ~]# more /etc/shadow
root:$1$MiAxHcSj$H9Peb.P53VkD4YxSkr6g9.:18704:0:99999:7:::
bin:*:18027:0:99999:7:::
daemon:*:18027:0:99999:7:::
adm:*:18027:0:99999:7:::
lp:*:18027:0:99999:7:::
sync:*:18027:0:99999:7:::
shutdown:*:18027:0:99999:7:::
halt:*:18027:0:99999:7:::
mail:*:18027:0:99999:7:::
operator:*:18027:0:99999:7:::
games:*:18027:0:99999:7:::
ftp:*:18027:0:99999:7:::
nobody:*:18027:0:99999:7:::
dbus:!!:18226::::::
systemd-coredump:!!:18226::::::
systemd-resolve:!!:18226::::::
tss:!!:18226::::::
polkitd:!!:18226::::::
unbound:!!:18226::::::
libstoragemgmt:!!:18226::::::
cockpit-ws:!!:18226::::::
setroubleshoot:!!:18226::::::
sssd:!!:18226::::::
insights:!!:18226::::::
sshd:!!:18226::::::
chrony:!!:18226::::::
tcpdump:!!:18226::::::
syslog:!!:18240::::::
cockpit-wsinstance:!!:18704::::::
nginx:!!:18704::::::
上面 root 的口令哈希以 $1$ 开头,表示使用的是 MD5-crypt,而 CentOS 8 在 /etc/login.defs 中默认的 ENCRYPT_METHOD 为 SHA512(哈希以 $6$ 开头);哈希算法与系统默认不一致时,应核实 root 口令是否曾被重设、由谁重设,并结合第三字段的最后修改日期(此处为 18704,即 2021-03-18,与 cockpit-wsinstance、nginx 账户的创建日期以及 /etc/passwd 的修改时间相同)与已知的运维操作对照;同时核对其他本应锁定的账户(第二字段为 !! 或 *)是否被设置了口令。对应日志“/var/log/lastlog”,相关命令示例:
[root@centos8 ~]# lastlog
Username Port From Latest
root pts/0 221.217.94.106 Tue May 11 13:31:28 +0800 2021
bin **Never logged in**
daemon **Never logged in**
adm **Never logged in**
lp **Never logged in**
sync **Never logged in**
shutdown **Never logged in**
halt **Never logged in**
mail **Never logged in**
operator **Never logged in**
games **Never logged in**
ftp **Never logged in**
nobody **Never logged in**
dbus **Never logged in**
systemd-coredump **Never logged in**
systemd-resolve **Never logged in**
tss **Never logged in**
polkitd **Never logged in**
unbound **Never logged in**
libstoragemgmt **Never logged in**
cockpit-ws **Never logged in**
setroubleshoot **Never logged in**
sssd **Never logged in**
insights **Never logged in**
sshd **Never logged in**
chrony **Never logged in**
tcpdump **Never logged in**
syslog **Never logged in**
cockpit-wsinstance **Never logged in**
nginx **Never logged in**
在 Linux 上可通过 /var/log/wtmp 文件查看可疑 IP 的登录记录(last 默认读取该文件);失败的登录尝试则记录在 /var/log/btmp 中,用 lastb 查看。上面 du 输出中 btmp 与 btmp-20210501 分别达到 34M 与 184M,通常意味着存在大量口令暴力破解尝试,应与 /var/log/secure 中的 Failed password 记录对照,确认是否有尝试最终成功。相关命令示例:
[weiyan@VM-6-168-centos ~]$ last -f /var/log/wtmp
weiyan pts/2 218.94.128.194 Thu Feb 2 13:51 - 13:51 (00:00)
weiyan pts/1 218.94.128.194 Thu Feb 2 13:36 still logged in
weiyan pts/0 218.94.128.194 Thu Feb 2 13:36 still logged in
weiyan pts/4 218.94.128.194 Thu Feb 2 11:30 - 11:33 (00:02)
weiyan pts/3 218.94.128.194 Thu Feb 2 11:30 - 11:33 (00:02)
weiyan pts/6 218.94.128.194 Thu Feb 2 11:12 - 11:12 (00:00)
weiyan pts/3 218.94.128.194 Thu Feb 2 11:12 - 11:12 (00:00)
weiyan pts/2 218.94.128.194 Thu Feb 2 10:59 - 12:22 (01:23)
该日志文件记录每个用户的登录、注销以及系统的启动、停机事件,因此随着系统运行时间的增加,其大小会越来越大,增长速度取决于用户登录的次数(CentOS 默认的 /etc/logrotate.conf 会按月轮转 wtmp,所以它并非真正“永久”保存,更早的记录需要到轮转后的文件中查找)。该文件为二进制格式,可用来查看用户的登录记录:
last 命令就是通过读取这个文件获得信息,并按时间倒序显示用户的登录记录,也能按用户、终端 tty 或时间筛选。
取证时可用 utmpdump /var/log/wtmp 将其转为文本,与 /var/log/secure 中 sshd 的 Accepted 记录逐条核对——入侵者清除痕迹时常会清空或改写 wtmp 而忽略 secure(或相反),两者不一致本身就是线索。
[weiyan@VM-6-168-centos ~]$ sudo cat /var/log/secure|grep 218.94.128.194
Feb 2 10:06:52 VM-6-168-centos sshd[4131]: Accepted password for weiyan from 218.94.128.194 port 6380 ssh2
Feb 2 10:38:57 VM-6-168-centos sshd[8976]: Accepted password for weiyan from 218.94.128.194 port 3308 ssh2
Feb 2 10:38:58 VM-6-168-centos sshd[9026]: Accepted password for weiyan from 218.94.128.194 port 3474 ssh2
Feb 2 10:39:37 VM-6-168-centos sshd[9839]: Accepted password for weiyan from 218.94.128.194 port 4872 ssh2
Feb 2 10:39:42 VM-6-168-centos sshd[10259]: Received disconnect from 218.94.128.194 port 4872:11: disconnected by user
Feb 2 10:39:42 VM-6-168-centos sshd[10259]: Disconnected from 218.94.128.194 port 4872
对应日志文件“/var/run/utmp”,相关命令示例:
[root@centos8 ~]# who
root pts/0 2021-05-11 13:31 (221.217.94.106)
root pts/1 2021-05-11 13:45 (221.217.94.106)
对应日志文件“/var/log/wtmp”(ac 命令同样是根据 wtmp 统计登录时长),相关命令示例如下。注意:在疑似被入侵的主机上安装软件包会改写 rpm 数据库和 dnf 日志,并可能覆盖磁盘上尚可恢复的已删除数据,属于破坏现场的操作;若需保全证据,应先做磁盘镜像或从只读介质运行可信工具,再考虑安装 psacct。另外 psacct 的进程记账(lastcomm、sa)只从 accton 开启之后才开始记录,无法追溯入侵发生时的进程。
[root@centos8 ~]# yum install psacct -y
[root@centos8 ~]# ac -dp
root 1.47
Mar 18 total 1.47
root 1.07
Today total 1.07
可以使用命令“tcpdump”抓取网络包分析流量内容;需要注意 iperf 是在两端之间主动发包测试带宽的工具,并不能观察主机上已有的流量。查看当前连接及其所属进程应使用 ss -antp(或 netstat -antp),按连接或进程统计实时流量可用 iftop、nethogs 等工具。
可以查看 /var/log/secure 日志文件(sshd、sudo、su 等经由 PAM 的认证记录都写在这里),尝试发现入侵者的信息。除“accepted password”外,还应检索 Accepted publickey(密钥登录)、Failed password、Invalid user 以及 sudo/su 的记录;
注意本例中 /var/log/secure 已是 0 字节(见前面的 du 输出),实际内容需要到轮转后的 secure-* 文件,或后文通过 /proc 恢复的副本中查找。相关命令示例:
[root@centos8 ~]# cat /var/log/secure
[root@centos8 ~]# cat /var/log/secure |grep -i "accepted password"
用 top(或 ps -ef、ps auxf 查看进程树)找到异常进程对应的 PID,
然后在 /proc 虚拟文件系统中查找该进程的可执行文件:/proc/PID/exe 是指向真实二进制的符号链接,若其后显示“(deleted)”,说明文件在进程启动后已被删除(入侵者常用的手法),此时仍可用 cat /proc/PID/exe > 文件 取回样本;/proc/PID/cwd、/proc/PID/cmdline、/proc/PID/environ 则分别给出工作目录、完整命令行和环境变量。对于像下面这样位于系统软件包路径内的二进制,可用 rpm -Vf <路径> 核对是否被替换;像 java 这类解释器/运行时,真正的恶意载荷往往在命令行参数或加载的 jar 中,而不在二进制本身。
[root@centos8 ~]# ll /proc/68405/ |grep -i exe
lrwxrwxrwx 1 root root 0 Mar 18 16:52 exe -> /usr/lib/jvm/java-11-openjdk-11.0.9.11-3.el8_3.x86_64/bin/java
[root@centos8 ~]#
[root@centos8 ~]# ll /usr/lib/jvm/java-11-openjdk-11.0.9.11-3.el8_3.x86_64/bin/java
-rwxr-xr-x 1 root root 16048 Jan 5 01:07 /usr/lib/jvm/java-11-openjdk-11.0.9.11-3.el8_3.x86_64/bin/java
[root@centos8 ~]#
1、当进程打开了某个文件时,只要该进程保持打开该文件,即使将其删除,它依然存在于磁盘中。这意味着,进程并不知道文件已经被删除,它仍然可以向打开该文件时提供给它的文件描述符进行读取和写入。除了该进程之外,这个文件是不可见的,因为已经删除了其相应的目录索引节点。
2、在/proc 目录下,其中包含了反映内核和进程树的各种文件。/proc目录挂载的是在内存中所映射的一块区域,所以这些文件和目录并不存在于磁盘中,因此当我们对这些文件进行读取和写入时,实际上是在从内存中获取相关信息。大多数与 lsof 相关的信息都存储于以进程的 PID 命名的目录中,即 /proc/1234 中包含的是 PID 为 1234 的进程的信息。每个进程目录中存在着各种文件,它们可以使得应用程序简单地了解进程的内存空间、文件描述符列表、指向磁盘上的文件的符号链接和其他系统信息。lsof 程序使用该信息和其他关于内核内部状态的信息来产生其输出。所以lsof 可以显示进程的文件描述符和相关的文件名等信息。也就是我们通过访问进程的文件描述符可以找到该文件的相关信息。
3、当系统中的某个文件被意外地删除了,只要这个时候系统中还有进程正在访问该文件,那么我们就可以通过lsof从/proc目录下恢复该文件的内容。
假设入侵者将/var/log/secure文件删除掉了,尝试将/var/log/secure文件恢复的方法可以参考如下:
a.查看 /var/log/secure 文件。下面的输出实际显示该文件仍然存在但为 0 字节(修改时间 Mar 28 03:50),本例以此模拟文件被删除的情形;文件真被 rm 时,ll 会直接报 No such file or directory:
[root@centos8 ~]# ll /var/log/secure
-rw------- 1 root root 0 Mar 28 03:50 /var/log/secure
### 假设没有该文件
b.使用 lsof 命令查看当前是否有进程仍然打开着 /var/log/secure(或与之相关的文件)。更通用的做法是 lsof -nP +L1,它会列出所有已被删除但仍被进程打开的文件,不依赖于事先知道文件名:
[root@centos8 ~]# lsof |grep /var/log/secure
rsyslogd 29014 root 7w REG 253,1 268745466 399444 /var/log/secure-202103281616874601 (deleted)
rsyslogd 29014 29016 in:imjour root 7w REG 253,1 268745466 399444 /var/log/secure-202103281616874601 (deleted)
rsyslogd 29014 29017 rs:main root 7w REG 253,1 268745466 399444 /var/log/secure-202103281616874601 (deleted)
c.从上面的信息可以看到 PID 29014(rsyslogd)打开该文件的文件描述符为 7,文件已标记为 (deleted)。注意被删除的并不是 /var/log/secure 本身,而是轮转后的 /var/log/secure-202103281616874601:文件名中的时间戳 1616874601 对应 2021-03-28 03:50(+0800),与上面 0 字节 /var/log/secure 的修改时间一致,且 /var/log 下还存在 3.8M 的同名 .gz;这与 logrotate 轮转并压缩了旧文件、但 rsyslogd 未被通知重新打开日志、于是继续向已删除的旧 inode 写入(大小已达 268745466 字节)的情形相符,仅凭这一现象并不能断定是入侵者删除了日志。无论原因如何,只要进程仍持有该描述符,就可以在 /proc/29014/fd/7(fd 下每个以数字命名的条目对应进程的一个文件描述符)中读到相应内容,如下:
[root@centos8 ~]# tail /proc/29014/fd/7
May 11 14:19:22 centos8 sshd[3022959]: Received disconnect from 68.183.84.221 port 54968:11: Bye Bye [preauth]
May 11 14:19:22 centos8 sshd[3022959]: Disconnected from invalid user alldigitalGE_ 68.183.84.221 port 54968 [preauth]
May 11 14:20:12 centos8 sshd[3023088]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.191.119.124 user=root
May 11 14:20:14 centos8 sshd[3023088]: Failed password for root from 60.191.119.124 port 64295 ssh2
May 11 14:20:15 centos8 sshd[3023088]: Received disconnect from 60.191.119.124 port 64295:11: Bye Bye [preauth]
May 11 14:20:15 centos8 sshd[3023088]: Disconnected from authenticating user root 60.191.119.124 port 64295 [preauth]
May 11 14:20:24 centos8 sshd[3023106]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=159.203.85.196 user=root
May 11 14:20:26 centos8 sshd[3023106]: Failed password for root from 159.203.85.196 port 58781 ssh2
May 11 14:20:27 centos8 sshd[3023106]: Received disconnect from 159.203.85.196 port 58781:11: Bye Bye [preauth]
May 11 14:20:27 centos8 sshd[3023106]: Disconnected from authenticating user root 159.203.85.196 port 58781 [preauth]
d.从上面的信息可以看出,读取 /proc/29014/fd/7 就能得到所要恢复的数据。既然能通过文件描述符读到数据,就可以用 I/O 重定向或 cp 将其保存为文件。取证时建议先复制到 /var/log 以外的证据目录并记录哈希(例如 cp /proc/29014/fd/7 /evidence/secure.recovered && sha256sum /evidence/secure.recovered),而且必须在重启或重新加载 rsyslogd 之前完成——进程一旦关闭该描述符,已删除 inode 上的数据就真正丢失了。数据保全之后,再执行 systemctl restart rsyslog(或向其发送 HUP 信号)让 rsyslogd 恢复向新的 /var/log/secure 写入。示例:
[root@centos8 ~]# cat /proc/29014/fd/7 > /var/log/secure
e.再次查看 /var/log/secure,确认数据已经写入——恢复成功时文件大小应与 lsof 中显示的大小相当,修改时间也应更新为执行复制的时刻;下面的输出仍是 0 字节且时间戳未变,说明它只是步骤 a 中的同一条记录,并非复制后的结果。对于许多应用程序,尤其是日志文件和数据库,这种恢复已删除文件的方法非常有用,但前提是仍持有该文件的进程尚未退出。
[root@centos8 ~]# ll /var/log/secure
-rw------- 1 root root 0 Mar 28 03:50 /var/log/secure