应急响应实战命令手册(加强版)
1. 快速排查组合拳
1.1 10分钟完整排查流程
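#!/bin/bash
# quick_check.sh - one-shot triage of a possibly compromised Linux host (about 10 minutes).
#
# Run as root and keep the output off the host under investigation, e.g.
#   bash quick_check.sh 2>&1 | tee /mnt/evidence/quick_check_$(hostname).txt
#
# Analyst caveats:
#   - Every tool used here comes from the suspect host. A rootkit can hide
#     processes, sockets and files from ps/netstat/ls/find; prefer known-good
#     (statically linked) binaries from a response toolkit when available.
#   - `head` truncates each listing to keep the run short. Rerun the command
#     without it when a section looks suspicious.
#   - `-mtime` is the modification time, which an intruder can reset with
#     touch(1). The inode change time (`-ctime`) is much harder to forge.

# -u: fail loudly on unset variables. -e is deliberately NOT set: a missing
# tool or an empty crontab must not abort the whole triage.
set -u

# Print a section header preceded by a blank line. Replaces `echo -e "\n..."`,
# whose -e handling differs between shells.
section() {
  printf '\n%s\n' "$1"
}

# netstat is deprecated and absent on newer distributions; ss accepts the
# same -tulpan options and prints LISTEN / ESTAB states as well.
if command -v netstat >/dev/null 2>&1; then
  net_cmd=(netstat -tulpan)
else
  net_cmd=(ss -tulpan)
fi

echo "====== 开始快速排查 ======"
date

section "[1/8] 系统负载检查"
top -bn1 | head -5
uptime

section "[2/8] 可疑进程检查"
# sorted by CPU
ps aux --sort=-%cpu | head -10
echo "---"
# sorted by memory
ps aux --sort=-%mem | head -10

section "[3/8] 网络连接分析"
echo "监听端口:"
"${net_cmd[@]}" | grep LISTEN | head -15
echo "---"
echo "外连连接:"
# ESTAB matches both netstat's ESTABLISHED and ss's ESTAB.
"${net_cmd[@]}" | grep ESTAB | grep -v "127.0.0.1" | head -15

section "[4/8] 用户登录情况"
echo "最近登录:"
# last reads wtmp, which an intruder can truncate; an empty list is itself a finding.
last | head -10
echo "当前在线:"
who

section "[5/8] 临时目录检查"
ls -la /tmp/ | head -15
ls -la /var/tmp/ | head -10
# /dev/shm is tmpfs and a common drop location; including it costs nothing.
ls -la /dev/shm/ 2>/dev/null | head -10

section "[6/8] 定时任务检查"
# Current user's crontab; the "no crontab" message is kept in the report.
crontab -l 2>&1
echo "系统定时任务:"
ls -la /etc/cron*/* 2>/dev/null | head -10
# Per-user crontabs live here (the path differs between Debian and RHEL families).
ls -la /var/spool/cron/ /var/spool/cron/crontabs/ 2>/dev/null | head -10

section "[7/8] 系统服务检查"
systemctl list-units --type=service --state=running | head -10

section "[8/8] 最近修改文件"
find /etc /bin /sbin -type f -mtime -7 2>/dev/null | head -10

echo "====== 排查完成 ======"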
1.2 怀疑挖矿/木马专用检查
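#!/bin/bash
# mining_check.sh - focused checks for cryptomining malware indicators.
#
# Every check here is a heuristic: a miner may be renamed, run from memory,
# throttle its CPU use or connect on a non-standard port, so an empty result
# does not clear the host, and a hit (e.g. a legitimate service on 8888)
# still needs manual confirmation.
set -u

# Names frequently found in miner binaries and command lines.
readonly MINER_PATTERN='minerd|cpuminer|xmrig|ccminer|mining|monero'
# Ports commonly used by stratum mining pools, matched as whole port numbers
# so that :3333 does not also match :33330.
readonly POOL_PORTS='3333|4444|5555|6666|7777|8888|9999|14444|45700'
# %CPU above which a process is reported in section 2 (override via $1).
readonly CPU_THRESHOLD=${1:-20.0}

section() {
  printf '\n%s\n' "$1"
}

if command -v netstat >/dev/null 2>&1; then
  net_cmd=(netstat -tulpan)
else
  net_cmd=(ss -tulpan)
fi

echo "挖矿木马专项检查..."

echo "1. 挖矿进程检查:"
# awk compares the lowercased full line against the pattern and excludes its
# own process ($4 is the first word of args), so the `grep | grep -v grep`
# idiom is not needed.
ps -eo pid,user,pcpu,args | awk -v pat="$MINER_PATTERN" 'NR > 1 && $4 != "awk" && tolower($0) ~ pat'

section "2. CPU占用前10:"
# Filtering on the %CPU column in awk removes the dependency on bc(1); NR > 1
# skips the header and NR <= 11 keeps the original top-10 scope.
ps aux --sort=-%cpu | awk -v limit="$CPU_THRESHOLD" '
  NR > 1 && NR <= 11 && $3 > limit {
    printf "高CPU进程: PID=%s, CPU=%s%%, CMD=%s\n", $2, $3, $11
  }'

section "3. 可疑外连(常见矿池端口):"
"${net_cmd[@]}" | grep -E ":(${POOL_PORTS})([[:space:]]|$)"

section "4. 挖矿相关文件:"
# Parentheses make the -o chain explicit; -iname also catches mixed-case names.
find /tmp /var/tmp /dev/shm \( -iname "*miner*" -o -iname "*xmrig*" -o -iname "*monero*" \) 2>/dev/null

section "5. 系统负载:"
# The load average is only meaningful relative to the core count.
cat /proc/loadavg
echo "CPU核心数: $(nproc)"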
2. 深度文件排查
2.1 全面文件搜索
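#!/bin/bash
# file_hunt.sh - broad filesystem sweep for recently changed, hidden,
# suspicious or mis-permissioned files.
#
# Caveats: -mtime can be forged with touch(1) (compare with -ctime when in
# doubt); every `head` truncates its list, so rerun without it if a section
# looks interesting; the webshell signatures produce false positives on
# legitimate PHP and miss obfuscated shells, so treat hits as leads.
set -u

readonly RECENT_DAYS=${1:-7}   # window for "recently modified" scripts

section() {
  printf '\n%s\n' "$1"
}

# Skip kernel pseudo filesystems when walking from /. Usage:
#   find / "${prune[@]}" <tests> -print
# The trailing -o means the caller's tests apply only to non-pruned paths; an
# explicit -print (or -exec) at the end is required so pruned directories are
# not printed by the implicit default action.
prune=( \( -path /proc -o -path /sys \) -prune -o )

echo "深度文件搜索..."

echo "1. 最近1天修改的系统文件:"
find /etc /bin /sbin /usr/bin /usr/sbin -type f -mtime -1 2>/dev/null

section "2. 隐藏文件搜索:"
# -name ".*" combined with -type f never matches "." or "..", so no extra
# filtering is needed.
find /home /tmp /var/tmp -name ".*" -type f 2>/dev/null | head -20

section "3. 可疑脚本文件:"
for ext in sh py pl; do
  find / "${prune[@]}" -type f -name "*.${ext}" -mtime "-${RECENT_DAYS}" -print 2>/dev/null | head -15
done

section "4. Webshell特征搜索:"
# `-exec ... +` batches many files per grep call instead of one grep per file.
find /var/www /opt /home -type f \( -name "*.php" -o -name "*.phtml" -o -name "*.php[3457]" \) \
  -exec grep -lE 'eval\(|base64_decode|shell_exec' {} + 2>/dev/null

section "5. 大文件查找(>100M):"
find / "${prune[@]}" -type f -size +100M -exec ls -lh {} + 2>/dev/null | head -10

section "6. 权限异常文件:"
# SUID files
find / "${prune[@]}" -perm -4000 -type f -print 2>/dev/null
# SGID files
find / "${prune[@]}" -perm -2000 -type f -print 2>/dev/null
# world-writable files (-0002 is the portable spelling of -o=w)
find / "${prune[@]}" -perm -0002 -type f -print 2>/dev/null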
2.2 文件时间线分析
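#!/bin/bash
# timeline.sh - list recently modified files with sortable timestamps.
#
# Prints "YYYY-MM-DD HH:MM  c:YYYY-MM-DD HH:MM  path" (mtime, then ctime) so
# that `sort` orders lines chronologically. The previous "%Tb %Td" format
# sorted by month *name*, i.e. alphabetically, not by time.
# mtime can be reset by an intruder with touch(1); ctime is set by the kernel
# on any inode change and is much harder to fake, so a ctime far newer than
# the mtime deserves a closer look.
set -u

readonly DAYS=${1:-7}
readonly FMT='%TY-%Tm-%Td %TH:%TM  c:%CY-%Cm-%Cd %CH:%CM  %p\n'

# Print every regular file under the given directories modified within the
# window, oldest first.
timeline_of() {
  find "$@" -type f -mtime "-${DAYS}" -printf "$FMT" 2>/dev/null | sort
}

echo "构建攻击时间线..."

echo "最近${DAYS}天修改的重要文件:"
timeline_of /etc /bin /sbin /usr/bin /usr/sbin

printf '\n%s\n' "/tmp目录时间线:"
timeline_of /tmp

printf '\n%s\n' "Web目录时间线:"
timeline_of /var/www /opt/lampp/htdocs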
3. 进程和网络深度分析
3.1 进程关系分析
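#!/bin/bash
# process_deep.sh - process tree, full command lines, open file descriptors
# and two cheap hidden/tampered-process checks.
#
# Caveat: ps and pstree read /proc on the suspect host; an LD_PRELOAD or
# kernel rootkit can hide entries from both. Section 5 catches the common
# userland trick (PID present in /proc but filtered out of ps output).
set -u

readonly MAX_FD_PIDS=${1:-20}   # how many processes to dump fd listings for

section() {
  printf '\n%s\n' "$1"
}

echo "进程深度分析..."

echo "1. 完整进程树:"
pstree -p -a

section "2. 进程详细信息:"
# ww: never truncate the command line, where droppers hide their arguments.
ps auxfww

section "3. 进程打开文件:"
# Walk /proc directly; every all-digit directory name is a PID. This avoids
# parsing ps output and word-splitting its columns.
shown=0
for proc_dir in /proc/[0-9]*; do
  [ "$shown" -ge "$MAX_FD_PIDS" ] && break
  pid=${proc_dir#/proc/}
  echo "进程 $pid 打开文件:"
  ls -la "$proc_dir/fd" 2>/dev/null | head -5
  shown=$((shown + 1))
done

section "4. 隐藏进程检查:"
# "(deleted)" on /proc/PID/exe means the binary was removed after launch,
# typical of droppers that unlink themselves.
ls -la /proc/*/exe 2>/dev/null | grep deleted

section "5. /proc中存在但ps未显示的PID:"
# Processes that exit between the two listings can show up here as well;
# re-run before treating a PID as hidden.
comm -23 <(ls /proc | grep -E '^[0-9]+$' | sort) <(ps -eo pid= | awk '{print $1}' | sort)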
3.2 网络连接深度分析
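#!/bin/bash
# network_deep.sh - snapshot of the host's network state plus a short
# before/after diff of connections.
#
# Caveat: all data comes from the suspect kernel and userland; a rootkit can
# hide sockets from ss/netstat. Cross-check with a packet capture or firewall
# logs taken on a different system when possible.
set -u

readonly INTERVAL=${1:-10}   # seconds between the two connection snapshots

section() {
  printf '\n%s\n' "$1"
}

# Prefer ss; fall back to the deprecated netstat where ss is unavailable.
if command -v ss >/dev/null 2>&1; then
  net_cmd=(ss -tulpan)
else
  net_cmd=(netstat -tulpan)
fi

# Private scratch directory instead of fixed, predictable /tmp names;
# removed on any exit.
work_dir=$(mktemp -d) || exit 1
cleanup() {
  rm -rf -- "${work_dir:?}"
}
trap cleanup EXIT

echo "网络深度分析..."

echo "1. 所有网络连接:"
"${net_cmd[@]}"

section "2. DNS配置检查:"
# A rogue resolver or hosts entry redirects traffic without touching the firewall.
cat /etc/resolv.conf
cat /etc/hosts

section "3. 路由表:"
ip route show

section "4. ARP表:"
# arp(8) belongs to the deprecated net-tools; `ip neigh` is its replacement.
ip neigh show 2>/dev/null || arp -a

section "5. 网络连接变化监控(${INTERVAL}秒):"
"${net_cmd[@]}" > "$work_dir/net1.txt"
sleep "$INTERVAL"
"${net_cmd[@]}" > "$work_dir/net2.txt"
# Lines prefixed '>' appeared during the interval, '<' disappeared.
diff "$work_dir/net1.txt" "$work_dir/net2.txt"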
4. 溯源分析技术
4.1 攻击者行为溯源
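#!/bin/bash
# trace_attacker.sh - first pass at reconstructing attacker activity from
# authentication logs, dropped archives and shell history.
#
# Caveats: an intruder with root can truncate auth.log/secure and wtmp;
# .bash_history is written only when a shell exits normally and is commonly
# disabled (HISTFILE=/dev/null) or deleted. Absence of entries is not proof
# of absence of activity.
set -u

# Debian/Ubuntu write to auth.log, RHEL/CentOS to secure; both are tried.
auth_logs=(/var/log/auth.log /var/log/secure)

echo "攻击者行为溯源..."

echo "1. 登录记录分析:"
echo "最近成功登录:"
grep -h "Accepted" "${auth_logs[@]}" 2>/dev/null | tail -20
echo "最近失败登录:"
grep -h "Failed" "${auth_logs[@]}" 2>/dev/null | tail -20
echo "SSH登录IP统计:"
# Take the address from the fixed "for USER from ADDR port N" phrase instead
# of a column number ($11), which shifts with the syslog timestamp format.
grep -h "Accepted" "${auth_logs[@]}" 2>/dev/null \
  | grep -oE 'from [0-9A-Fa-f.:]+' | awk '{print $2}' \
  | sort | uniq -c | sort -nr

printf '\n%s\n' "2. 文件操作痕迹:"
echo "最近下载的文件:"
find /home /tmp \( -name "*.tar.gz" -o -name "*.zip" -o -name "*.tgz" \) 2>/dev/null | head -10
echo "命令历史分析:"
# Check every account, not only the one running this script, and show the
# file's size/link target first: a 0-byte file or a symlink to /dev/null is
# itself an anti-forensics indicator.
for hist in /root/.bash_history /home/*/.bash_history; do
  [ -e "$hist" ] || continue
  ls -la "$hist"
  tail -50 "$hist" 2>/dev/null
done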
4.2 攻击时间线重建
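#!/bin/bash
# timeline_reconstruct.sh - merge SSH logins, system-file changes and service
# restarts into one chronologically sorted timeline.
#
# Every line is prefixed with "YYYY-MM-DD HH:MM" so that `sort` orders events
# by time; the previous "%Tb %Td" / raw syslog prefixes sorted by month name.
# Caveat: classic syslog timestamps carry no year, so the current year is
# assumed; correct `year` by hand if the logs span New Year.
set -u

LOG_DIR="/var/log"
readonly DAYS=${1:-3}          # window for the combined timeline
year=$(date +%Y)

# awk code shared by the log parsers.
#   stamp()        returns a sortable "YYYY-MM-DD HH:MM" for the current record
#                  and sets `rest` to the text after the timestamp. Handles the
#                  traditional "Mon DD HH:MM:SS host ..." prefix and the
#                  RFC 3339 "YYYY-MM-DDTHH:MM:SS... host ..." prefix.
#   login_fields() sets `user` and `addr` from an sshd "Accepted" line via the
#                  fixed "for USER from ADDR" phrase; returns 0 if absent.
readonly AWK_TS='
  BEGIN {
    split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
    for (i = 1; i <= 12; i++) mon[names[i]] = sprintf("%02d", i)
  }
  function stamp(    d) {
    if ($1 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T/) {
      d = substr($1, 1, 10) " " substr($1, 12, 5)
      rest = $0; sub(/^[^ ]+ +/, "", rest)
    } else {
      d = year "-" mon[$1] "-" sprintf("%02d", $2) " " substr($3, 1, 5)
      rest = $0; sub(/^[^ ]+ +[^ ]+ +[^ ]+ +/, "", rest)
    }
    return d
  }
  function login_fields(    s, f) {
    if (!match($0, /for [^ ]+ from [^ ]+/)) return 0
    s = substr($0, RSTART, RLENGTH); split(s, f, " ")
    user = f[2]; addr = f[4]
    return 1
  }
'

echo "重建攻击时间线..."
echo "关键事件时间线:"

echo "SSH登录时间线:"
# zgrep also reads rotated *.gz files, which plain grep prints as binary noise.
zgrep -h "Accepted" "$LOG_DIR"/auth.log* "$LOG_DIR"/secure* 2>/dev/null \
  | awk -v year="$year" "$AWK_TS"'login_fields() { print stamp(), addr, user }' \
  | sort | tail -10

printf '\n%s\n' "重要文件修改时间线:"
find /etc /bin /sbin /usr/bin -type f -mtime -30 -printf "%TY-%Tm-%Td %TH:%TM %p\n" 2>/dev/null \
  | sort | tail -20

printf '\n%s\n' "进程启动时间线:"
# lstart is the process start time; --sort=start_time puts the newest last.
ps -eo pid,lstart,cmd --sort=start_time | tail -10

printf '\n%s\n' "综合时间线(最近${DAYS}天):"
{
  # SSH logins (not date-filtered: the live auth.log is bounded by rotation)
  grep -h "Accepted" "$LOG_DIR"/auth.log 2>/dev/null \
    | awk -v year="$year" "$AWK_TS"'login_fields() { printf "%s SSH登录: 用户:%s 来源:%s\n", stamp(), user, addr }'
  # file changes under /etc
  find /etc -type f -mtime "-${DAYS}" -printf "%TY-%Tm-%Td %TH:%TM 文件修改: %p\n" 2>/dev/null
  # start/stop events for the usual entry-point daemons
  grep -h "Started\|stopped" "$LOG_DIR"/syslog "$LOG_DIR"/messages 2>/dev/null \
    | grep -E "(ssh|apache|nginx|mysql)" | head -10 \
    | awk -v year="$year" "$AWK_TS"'{ print stamp(), rest }'
} | sort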
4.3 攻击路径分析
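#!/bin/bash
# attack_path.sh - enumerate likely entry points, privilege-escalation traces
# and persistence mechanisms.
#
# Caveat: configuration and logs are read from the suspect host, so a
# root-level intruder may have edited or rotated them; findings are leads
# that need corroboration (e.g. from central log collection).
set -u

section() {
  printf '\n%s\n' "$1"
}

echo "攻击路径分析..."

echo "1. 可能入口点检查:"
echo "SSH配置:"
# The effective configuration (sshd -T) includes sshd_config.d/*.conf drop-ins
# and defaults for unset keys; grepping the file misses both and also reports
# commented-out lines. Fall back to the files when sshd -T is not usable
# (not root, sshd missing, or no host keys).
sshd -T 2>/dev/null | grep -iE "^(permitrootlogin|passwordauthentication|port) " \
  || grep -HE "^[^#]*(PermitRootLogin|PasswordAuthentication|Port)" \
       /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf 2>/dev/null
echo "Web服务:"
systemctl status apache2 nginx httpd 2>/dev/null | grep "Active:"

section "2. 权限提升痕迹:"
echo "SUDO使用记录:"
grep -h "sudo:" /var/log/auth.log /var/log/secure 2>/dev/null | tail -10
echo "SUID文件:"
# Compare against a known-good baseline for the same distribution; new or
# unusual SUID binaries (shells, editors, copies of sh) are the classic sign.
find / \( -path /proc -o -path /sys \) -prune -o -perm -4000 -type f -print 2>/dev/null | head -10

section "3. 持久化检查:"
echo "定时任务:"
crontab -l 2>&1
cat /etc/crontab 2>/dev/null
ls -la /etc/cron*/* 2>/dev/null
# per-user crontabs for every account, not just the one running this script
ls -la /var/spool/cron/ /var/spool/cron/crontabs/ 2>/dev/null
echo "系统服务:"
systemctl list-unit-files --type=service | grep enabled | grep -v systemd
echo "开机启动:"
ls -la /etc/rc.local /etc/init.d/ /etc/systemd/system/ 2>/dev/null
echo "SSH授权密钥:"
# An added authorized_keys entry is the most common SSH persistence method;
# review the contents of any file with an unexpected mtime or size.
ls -la /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys 2>/dev/null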
5. 实用溯源脚本
5.1 完整溯源报告生成
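#!/bin/bash
# trace_report.sh - collect system, user, network, filesystem and timeline
# evidence into a timestamped report directory.
#
# Evidence handling: set REPORT_BASE to mounted external storage so the
# report does not write to the suspect filesystem (the default /opt keeps the
# original behaviour). Files are created with mode 0600 and a SHA-256
# manifest is written last so they can be verified after transfer.
set -u

# Report files must not be readable by other local users.
umask 077
REPORT_DIR="${REPORT_BASE:-/opt}/security_report_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$REPORT_DIR" || { echo "无法创建报告目录: $REPORT_DIR" >&2; exit 1; }

# netstat is deprecated; ss prints the same LISTEN/ESTAB states.
if command -v netstat >/dev/null 2>&1; then
  net_cmd=(netstat -tulpan)
else
  net_cmd=(ss -tulpan)
fi

echo "生成溯源报告中..."

# system information
{
  echo "=== 系统信息 ==="
  uname -a
  cat /etc/os-release
  uptime
  date
} > "$REPORT_DIR/system_info.txt"

# user activity
{
  echo "=== 用户活动分析 ==="
  echo "最近登录:"
  # wtmp-based; an intruder can truncate it, so an empty list is notable.
  last | head -20
  printf '\n%s\n' "当前在线用户:"
  who
  printf '\n%s\n' "SUDO使用记录:"
  grep -h "sudo:" /var/log/auth.log /var/log/secure 2>/dev/null | tail -20
} > "$REPORT_DIR/user_activity.txt"

# network activity
{
  echo "=== 网络活动分析 ==="
  echo "网络连接:"
  "${net_cmd[@]}"
  printf '\n%s\n' "SSH登录统计:"
  # address taken from the fixed "from ADDR" phrase rather than column 11,
  # which shifts with the syslog timestamp format
  grep -h "Accepted" /var/log/auth.log /var/log/secure 2>/dev/null \
    | grep -oE 'from [0-9A-Fa-f.:]+' | awk '{print $2}' | sort | uniq -c | sort -nr
} > "$REPORT_DIR/network_activity.txt"

# filesystem changes
{
  echo "=== 文件系统变化 ==="
  echo "最近3天修改的系统文件:"
  find /etc /bin /sbin /usr/bin -type f -mtime -3 2>/dev/null
  printf '\n%s\n' "/tmp目录内容:"
  ls -la /tmp/
} > "$REPORT_DIR/filesystem_changes.txt"

# timeline: "YYYY-MM-DD HH:MM" prefixes so sort is chronological (the previous
# "%Tb %Td" form sorted by month name). Assumes the traditional
# "Mon DD HH:MM:SS" syslog prefix, which omits the year, so the current year
# is assumed; lines in RFC 3339 format get a malformed stamp but are kept.
year=$(date +%Y)
{
  echo "=== 攻击时间线 ==="
  echo "最近关键事件:"
  {
    grep -h "Accepted" /var/log/auth.log /var/log/secure 2>/dev/null \
      | awk -v year="$year" '
          BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", n, " ")
            for (i = 1; i <= 12; i++) m[n[i]] = sprintf("%02d", i)
          }
          match($0, /for [^ ]+ from [^ ]+/) {
            split(substr($0, RSTART, RLENGTH), f, " ")
            printf "%s-%s-%02d %s SSH登录: %s@%s\n", year, m[$1], $2, substr($3, 1, 5), f[2], f[4]
          }'
    find /etc -type f -mtime -7 -printf "%TY-%Tm-%Td %TH:%TM 文件修改: %p\n" 2>/dev/null
  } | sort | tail -20
} > "$REPORT_DIR/timeline.txt"

# integrity manifest, written last so it covers every report file
( cd "$REPORT_DIR" && sha256sum -- *.txt > SHA256SUMS )

echo "溯源报告生成完成: $REPORT_DIR"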
5.2 实时监控脚本
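#!/bin/bash
# live_monitor.sh - poll for newly started processes and new established
# connections, printing only the differences between consecutive snapshots.
#
# Run it in a separate terminal or tmux pane during containment. Ctrl-C stops
# it; the scratch directory is removed on exit.
set -u

readonly INTERVAL=${1:-30}   # seconds between snapshots

# Per-run scratch directory: the fixed /tmp/old_procs.txt names were
# predictable and world-visible, and a stale file from an earlier run
# produced a bogus first diff.
work_dir=$(mktemp -d) || exit 1
cleanup() {
  rm -rf -- "${work_dir:?}"
}
trap cleanup EXIT

if command -v netstat >/dev/null 2>&1; then
  net_cmd=(netstat -tulpan)
else
  net_cmd=(ss -tulpan)
fi

# Only stable columns are captured: with `ps aux` the %CPU/%MEM/TIME fields
# change every cycle, so every process showed up as "new".
snapshot_procs() {
  ps -eo pid,user,args --sort=pid
}
# Established connections only; the queue columns can still cause some noise.
snapshot_net() {
  "${net_cmd[@]}" | grep ESTAB | sort
}

echo "开始实时监控..."
echo "监控新进程启动..."
while true; do
  snapshot_procs > "$work_dir/current_procs.txt"
  if [ -f "$work_dir/old_procs.txt" ]; then
    echo "新进程:"
    # '^>' selects lines present only in the new snapshot; a bare ">" would
    # also match redirections inside command lines.
    diff "$work_dir/old_procs.txt" "$work_dir/current_procs.txt" | grep '^>' | head -5
  fi

  echo "新网络连接:"
  snapshot_net > "$work_dir/current_net.txt"
  if [ -f "$work_dir/old_net.txt" ]; then
    diff "$work_dir/old_net.txt" "$work_dir/current_net.txt" | grep '^>' | head -3
  fi

  # current snapshot becomes the baseline for the next cycle
  mv -f "$work_dir/current_procs.txt" "$work_dir/old_procs.txt"
  mv -f "$work_dir/current_net.txt" "$work_dir/old_net.txt"
  sleep "$INTERVAL"
  echo "--- 监控周期完成 $(date) ---"
done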
6. 应急响应 checklist
6.1 必须检查的项目
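#!/bin/bash
# Incident-response checklist: runs one quick command per item and shows the
# first few lines of each result. To extend it, add a chk_* function and a
# "label|function" line to check_items.
#
# Each item is a shell function rather than a string passed to eval: the old
# `echo $item` expanded the globs in "/etc/cron*/*" and "/proc/*/exe" before
# the command was ever split, and eval on assembled strings is a habit worth
# avoiding in scripts that later get parameters from outside.
set -u

chk_high_cpu()    { ps aux --sort=-%cpu | head -5; }
chk_high_mem()    { ps aux --sort=-%mem | head -5; }
chk_outbound()    { netstat -tulpan | grep ESTAB | grep -v 127.0.0.1; }
chk_listen()      { netstat -tulpan | grep LISTEN; }
chk_last_login()  { last | head -10; }
chk_cron()        { crontab -l && ls -la /etc/cron*/*; }
chk_services()    { systemctl list-units --type=service --state=running; }
chk_tmp()         { ls -la /tmp/ /var/tmp/; }
chk_suid()        { find / -perm -4000 -type f 2>/dev/null | head -10; }
chk_deleted_exe() { ls -la /proc/*/exe 2>/dev/null | grep deleted; }

# "label|function" pairs; '|' is a safe separator because no label contains it.
check_items=(
  "高CPU进程|chk_high_cpu"
  "高内存进程|chk_high_mem"
  "网络外连|chk_outbound"
  "异常监听端口|chk_listen"
  "最近登录|chk_last_login"
  "定时任务|chk_cron"
  "系统服务|chk_services"
  "临时目录|chk_tmp"
  "SUID文件|chk_suid"
  "隐藏进程|chk_deleted_exe"
)

echo "应急响应检查清单:"
for item in "${check_items[@]}"; do
  name=${item%%|*}
  fn=${item#*|}
  printf '\n检查: %s\n' "$name"
  # stderr is dropped so a missing tool does not clutter the checklist;
  # each result is truncated to five lines as before.
  "$fn" 2>/dev/null | head -5
done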
记住这些关键命令,遇到安全事件时按顺序排查,大部分问题都能找到线索!
