├── .gitignore
├── LICENSE
├── LinuxCheck - 应急响应实用脚本.sh
└── README.md


/.gitignore:
--------------------------------------------------------------------------------
  1 | # Byte-compiled / optimized / DLL files
  2 | __pycache__/
  3 | *.py[cod]
  4 | *$py.class
  5 | 
  6 | # C extensions
  7 | *.so
  8 | 
  9 | # Distribution / packaging
 10 | .Python
 11 | build/
 12 | develop-eggs/
 13 | dist/
 14 | downloads/
 15 | eggs/
 16 | .eggs/
 17 | lib/
 18 | lib64/
 19 | parts/
 20 | sdist/
 21 | var/
 22 | wheels/
 23 | pip-wheel-metadata/
 24 | share/python-wheels/
 25 | *.egg-info/
 26 | .installed.cfg
 27 | *.egg
 28 | MANIFEST
 29 | 
 30 | # PyInstaller
 31 | #  Usually these files are written by a python script from a template
 32 | #  before PyInstaller builds the exe, so as to inject date/other infos into it.
 33 | *.manifest
 34 | *.spec
 35 | 
 36 | # Installer logs
 37 | pip-log.txt
 38 | pip-delete-this-directory.txt
 39 | 
 40 | # Unit test / coverage reports
 41 | htmlcov/
 42 | .tox/
 43 | .nox/
 44 | .coverage
 45 | .coverage.*
 46 | .cache
 47 | nosetests.xml
 48 | coverage.xml
 49 | *.cover
 50 | *.py,cover
 51 | .hypothesis/
 52 | .pytest_cache/
 53 | 
 54 | # Translations
 55 | *.mo
 56 | *.pot
 57 | 
 58 | # Django stuff:
 59 | *.log
 60 | local_settings.py
 61 | db.sqlite3
 62 | db.sqlite3-journal
 63 | 
 64 | # Flask stuff:
 65 | instance/
 66 | .webassets-cache
 67 | 
 68 | # Scrapy stuff:
 69 | .scrapy
 70 | 
 71 | # Sphinx documentation
 72 | docs/_build/
 73 | 
 74 | # PyBuilder
 75 | target/
 76 | 
 77 | # Jupyter Notebook
 78 | .ipynb_checkpoints
 79 | 
 80 | # IPython
 81 | profile_default/
 82 | ipython_config.py
 83 | 
 84 | # pyenv
 85 | .python-version
 86 | 
 87 | # pipenv
 88 | #   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
 89 | #   However, in case of collaboration, if having platform-specific dependencies or dependencies
 90 | #   having no cross-platform support, pipenv may install dependencies that don't work, or not
 91 | #   install all needed dependencies.
 92 | #Pipfile.lock
 93 | 
 94 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow
 95 | __pypackages__/
 96 | 
 97 | # Celery stuff
 98 | celerybeat-schedule
 99 | celerybeat.pid
100 | 
101 | # SageMath parsed files
102 | *.sage.py
103 | 
104 | # Environments
105 | .env
106 | .venv
107 | env/
108 | venv/
109 | ENV/
110 | env.bak/
111 | venv.bak/
112 | 
113 | # Spyder project settings
114 | .spyderproject
115 | .spyproject
116 | 
117 | # Rope project settings
118 | .ropeproject
119 | 
120 | # mkdocs documentation
121 | /site
122 | 
123 | # mypy
124 | .mypy_cache/
125 | .dmypy.json
126 | dmypy.json
127 | 
128 | # Pyre type checker
129 | .pyre/
130 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "[]"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright [yyyy] [name of copyright owner]
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/LinuxCheck - 应急响应实用脚本.sh:
--------------------------------------------------------------------------------
  1 | # LinuxCheck - 应急响应实用脚本
  2 | 
  3 | #!/usr/bin/env bash
  4 | 
  5 | # 设置保存文件
  6 | 
  7 | # interface=$(cat /etc/network/interfaces | ag '(?<=\biface\b).*(?=\binet\b)' | ag -v 'lo|docker' | awk '{print $2}' | head -n 1) 2>/dev/null
  8 | 
  9 | ipaddress=$(ip addr | ag -o '(?<=inet | inet addr:)\d+\.\d+\.\d+\.\d+' | ag -v '127.0.0.1' | head -n 1) 2>/dev/null
 10 | FileName=$ipaddress'_'$(hostname)'_'$(whoami)'_'$(date +%s)'.log' 2>/dev/null
 11 | 
 12 | echo -e "==================================================" | tee -a $FileName
 13 | echo -e "                Linux 应急响应 V3.3                " | tee -a $FileName
 14 | echo -e "==================================================" | tee -a $FileName
 15 | echo -e "\n" | tee -a $FileName
 16 | echo -e "# 支持CentOS、Debian系统检测                        " | tee -a $FileName
 17 | echo -e "# 原author：al0ne                                  " | tee -a $FileName
 18 | echo -e "# 原项目：https://github.com/al0ne/LinuxCheck      " | tee -a $FileName
 19 | echo -e "# 更新项目：https://gitee.com/hulu20/LinuxCheck    " | tee -a $FileName
 20 | echo -e "# 对项目做了细微优化处理                            " | tee -a $FileName
 21 | echo -e "# 最新版本更新作者 author：利刃信安 - Mannix        " | tee -a $FileName
 22 | echo -e "# 最新版本更新日期：2021年4月29日                   " | tee -a $FileName
 23 | echo -e "\n" | tee -a $FileName
 24 | 
 25 | # WebPath
 26 | 
 27 | # 设置WebPath目录 默认的话是从/目录去搜索 性能较慢
 28 | 
 29 | WebPath='/'
 30 | 
 31 | # 环境检测开始 ……
 32 | 
 33 | echo -e "\e[00;31m[+] 环境检测开始……\e[00m" | tee -a $FileName
 34 | echo -e "\n" | tee -a $FileName
 35 | 
 36 | # 系统信息
 37 | 
 38 | echo -e "\e[00;31m[+] 系统信息\e[00m" | tee -a $FileName
 39 | echo -e "\n" | tee -a $FileName
 40 | 
 41 | # CurrentUser 当前用户
 42 | 
 43 | echo -e "CurrentUser:\t\t" $(whoami) 2>/dev/null | tee -a $FileName
 44 | 
 45 | # OS Version 版本信息
 46 | 
 47 | echo -e "OS Version:\t" $(uname -r) 2>/dev/null | tee -a $FileName
 48 | 
 49 | # Hostname 主机名
 50 | 
 51 | echo -e "Hostname: \t" $(hostname -s) 2>/dev/null | tee -a $FileName
 52 | 
 53 | # Uptime
 54 | 
 55 | echo -e "Uptime: \t" $(uptime | awk -F ',' '{print $1}') 2>/dev/null | tee -a $FileName
 56 | 
 57 | # CPU info CPU信息
 58 | 
 59 | echo -e "CPU info:\t" $(cat /proc/cpuinfo | ag -o '(?<=model name\t: ).*' | head -n 1)  2>/dev/null | tee -a $FileName
 60 | 
 61 | # ipaddress
 62 | 
 63 | ipaddress=$(ifconfig | ag -o '(?<=inet | inet addr:)\d+\.\d+\.\d+\.\d+' | ag -v '127.0.0.1')  2>/dev/null
 64 | echo -e "IPADDR:\t\t${ipaddress}" | sed ":a;N;s/\n/ /g;ta" | tee -a $FileName
 65 | echo -e "\n" | tee -a $FileName
 66 | 
 67 | # 验证是否为root权限
 68 | 
 69 | if [ $UID -ne 0 ]; then
 70 |     echo -e "\n\e[00;33m请使用root权限运行\e[00m" | tee -a $FileName
 71 |     exit 1
 72 | else
 73 |     echo -e "\e[00;32m当前为root权限\e[00m" | tee -a $FileName
 74 | fi
 75 | 
 76 | # 验证操作系统是debian系还是CentOS
 77 | 
 78 | OS='None'
 79 | 
 80 | if [ -e "/etc/os-release" ]; then
 81 |     source /etc/os-release
 82 |     case ${ID} in
 83 |     "debian" | "ubuntu" | "devuan")
 84 |         OS='Debian'
 85 |         ;;
 86 |     "CentOS" | "rhel fedora" | "rhel")
 87 |         OS='CentOS'
 88 |         ;;
 89 |     *) ;;
 90 |     esac
 91 | fi
 92 | 
 93 | if [ $OS = 'None' ]; then
 94 |     if command -v apt-get >/dev/null 2>&1; then
 95 |         OS='Debian'
 96 |     elif command -v yum >/dev/null 2>&1; then
 97 |         OS='CentOS'
 98 |     else
 99 |         echo -e "\n不支持这个系统\n" | tee -a $FileName
100 |         echo -e "已退出" | tee -a $FileName
101 |         exit 1
102 |     fi
103 | fi
104 | 
105 | # ifconfig
106 | 
107 | if ifconfig >/dev/null 2>&1; then
108 |     echo -e "\e[00;32mifconfig已安装\e[00m" | tee -a $FileName
109 | else
110 |     if [ $OS = 'CentOS' ]; then
111 |         yum -y install net-tools >/dev/null 2>&1
112 |     else
113 |         apt-get -y install net-tools >/dev/null 2>&1
114 |     fi
115 | fi
116 | 
117 | # CentOS安装lsof
118 | 
119 | if lsof -v >/dev/null 2>&1; then
120 |     echo -e "\e[00;32mlsof已安装\e[00m" | tee -a $FileName
121 | else
122 |     if [ $OS = 'CentOS' ]; then
123 |         yum -y install lsof >/dev/null 2>&1
124 |     else
125 |         apt-get -y install lsof >/dev/null 2>&1
126 |     fi
127 | fi
128 | 
129 | # 检测ag软件有没有安装
130 | 
131 | if ag -V >/dev/null 2>&1; then
132 |     echo -e "\e[00;32msilversearcher-ag已安装\e[00m" | tee -a $FileName
133 | else
134 |     if [ $OS = 'CentOS' ]; then
135 |         yum -y install the_silver_searcher >/dev/null 2>&1
136 |     else
137 |         apt-get -y install silversearcher-ag >/dev/null 2>&1
138 |     fi
139 | fi
140 | 
141 | # 检测rkhunter有没有安装
142 | 
143 | if rkhunter -V >/dev/null 2>&1; then
144 |     echo -e "\e[00;32mrkhunter已安装\e[00m" | tee -a $FileName
145 | else
146 |     if [ $OS = 'CentOS' ]; then
147 |         yum -y install rkhunter >/dev/null 2>&1
148 |     else
149 |         apt-get -y install rkhunter >/dev/null 2>&1
150 |     fi
151 | fi
152 | 
153 | echo -e "\n" | tee -a $FileName
154 | 
155 | # 系统改动
156 | 
157 | # 对比hash，看看有没有系统文件被替换掉
158 | 
159 | echo -e "\e[00;31m[+] 系统改动\e[00m" | tee -a $FileName
160 | echo -e "\n" | tee -a $FileName
161 | if [ $OS = 'CentOS' ]; then
162 |     rpm -Va | tee -a $FileName
163 | else
164 |     apt install -y debsums >/dev/null 2>&1
165 |     debsums -e | ag -v 'OK' | tee -a $FileName
166 | fi
167 | echo -e "\n" | tee -a $FileName
168 | 
169 | # CPU使用率
170 | 
171 | echo -e "\e[00;31m[+] CPU使用率: \e[00m" | tee -a $FileName
172 | echo -e "\n" | tee -a $FileName
173 | awk '$0 ~/cpu[0-9]/' /proc/stat 2>/dev/null | while read line; do
174 |     echo "$line" | awk '{total=$2+$3+$4+$5+$6+$7+$8;free=$5;\
175 |         print$1" Free "free/total*100"%",\
176 |         "Used " (total-free)/total*100"%"}' | tee -a $FileName
177 | done
178 | echo -e "\n" | tee -a $FileName
179 | 
180 | # 登录用户
181 | 
182 | echo -e "\e[00;31m[+] 登录用户\e[00m" | tee -a $FileName
183 | echo -e "\n" | tee -a $FileName
184 | w | tee -a $FileName
185 | echo -e "\n" | tee -a $FileName
186 | who -H | tee -a $FileName
187 | echo -e "\n" | tee -a $FileName
188 | 
189 | # CPU占用TOP15
190 | 
191 | cpu=$(ps aux | grep -v ^'USER' | sort -rn -k3 | head -15) 2>/dev/null
192 | echo -e "\e[00;31m[+] CPU TOP15: \e[00m\n\n${cpu}\n" | tee -a $FileName
193 | echo -e "\n" | tee -a $FileName
194 | 
195 | # 内存占用
196 | 
197 | echo -e "\e[00;31m[+] 内存占用\e[00m" | tee -a $FileName
198 | echo -e "\n" | tee -a $FileName
199 | free -mh | tee -a $FileName
200 | echo -e "\n" | tee -a $FileName
201 | 
202 | # 剩余空间
203 | 
204 | echo -e "\e[00;31m[+] 剩余空间\e[00m" | tee -a $FileName
205 | echo -e "\n" | tee -a $FileName
206 | df -mh | tee -a $FileName
207 | echo -e "\n" | tee -a $FileName
208 | 
209 | # 硬盘挂载
210 | 
211 | echo -e "\e[00;31m[+] 硬盘挂载\e[00m" | tee -a $FileName
212 | cat /etc/fstab | ag -v "#" | awk '{print $1,$2,$3}' | tee -a $FileName
213 | echo -e "\n" | tee -a $FileName
214 | 
215 | # ifconfig
216 | 
217 | echo -e "\e[00;31m[+] ifconfig\e[00m" | tee -a $FileName
218 | echo -e "\n" | tee -a $FileName
219 | /sbin/ifconfig -a | tee -a $FileName
220 | echo -e "\n" | tee -a $FileName
221 | 
222 | # ip address
223 | 
224 | echo -e "\e[00;31m[+] ip address\e[00m" | tee -a $FileName
225 | echo -e "\n" | tee -a $FileName
226 | ip add | tee -a $FileName
227 | echo -e "\n" | tee -a $FileName
228 | 
229 | # 网络流量
230 | 
231 | echo -e "\e[00;31m[+] 网络流量\e[00m" | tee -a $FileName
232 | echo -e "\n" | tee -a $FileName
233 | echo "Interface    ByteRec   PackRec   ByteTran   PackTran" | tee -a $FileName
234 | awk ' NR>2' /proc/net/dev | while read line; do
235 |     echo "$line" | awk -F ':' '{print "  "$1"  " $2}' | 
236 |         awk '{print $1"   "$2 "    "$3"   "$10"  "$11}' | tee -a $FileName
237 | done
238 | echo -e "\n" | tee -a $FileName
239 | 
240 | # 端口监听
241 | 
242 | echo -e "\e[00;31m[+] 端口监听\e[00m" | tee -a $FileName
243 | echo -e "\n" | tee -a $FileName
244 | netstat -atunlpe | ag 'tcp|udp.*' --nocolor | tee -a $FileName
245 | echo -e "\n" | tee -a $FileName
246 | 
247 | # 对外开放端口
248 | 
249 | echo -e "\e[00;31m[+] 对外开放端口\e[00m" | tee -a $FileName
250 | echo -e "\n" | tee -a $FileName
251 | netstat -atunlpe | awk '{print $1,$4}' | ag -o '.*0.0.0.0:(\d+)|:::\d+' --nocolor | tee -a $FileName
252 | echo -e "\n" | tee -a $FileName
253 | 
254 | # 网络连接
255 | 
256 | echo -e "\e[00;31m[+] 网络连接\e[00m" | tee -a $FileName
257 | echo -e "\n" | tee -a $FileName
258 | netstat -atunlpe | ag ESTABLISHED --nocolor | tee -a $FileName
259 | echo -e "\n" | tee -a $FileName
260 | 
261 | # TCP连接状态
262 | 
263 | echo -e "\e[00;31m[+] TCP连接状态\e[00m" | tee -a $FileName
264 | echo -e "\n" | tee -a $FileName
265 | netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}' | tee -a $FileName
266 | echo -e "\n" | tee -a $FileName
267 | 
268 | # 路由表
269 | 
270 | echo -e "\e[00;31m[+] 路由表\e[00m" | tee -a $FileName
271 | echo -e "\n" | tee -a $FileName
272 | /sbin/route -nee | tee -a $FileName
273 | echo -e "\n" | tee -a $FileName
274 | 
275 | # 路由转发
276 | 
277 | echo -e "\e[00;31m[+] 路由转发\e[00m" | tee -a $FileName
278 | echo -e "\n" | tee -a $FileName
279 | ip_forward=$(more /proc/sys/net/ipv4/ip_forward | awk -F: '{if ($1==1) print "1"}') 2>/dev/null
280 | if [ -n "$ip_forward" ]; then
281 |     echo -e "/proc/sys/net/ipv4/ip_forward 已开启路由转发" | tee -a $FileName
282 | else
283 |     echo -e "该服务器未开启路由转发" | tee -a $FileName
284 | fi
285 | echo -e "\n" | tee -a $FileName
286 | 
287 | # DNS Server
288 | 
289 | echo -e "\e[00;31m[+] DNS Server\e[00m" | tee -a $FileName
290 | echo -e "\n" | tee -a $FileName
291 | cat /etc/resolv.conf | ag -o '\d+\.\d+\.\d+\.\d+' --nocolor | tee -a $FileName
292 | echo -e "\n" | tee -a $FileName
293 | 
294 | # ARP
295 | 
296 | echo -e "\e[00;31m[+] ARP\e[00m" | tee -a $FileName
297 | echo -e "\n" | tee -a $FileName
298 | arp -n -a | tee -a $FileName
299 | echo -e "\n" | tee -a $FileName
300 | 
301 | # 网卡混杂模式
302 | 
303 | echo -e "\e[00;31m[+] 网卡混杂模式\e[00m" | tee -a $FileName
304 | echo -e "\n" | tee -a $FileName
305 | if ip link | ag PROMISC >/dev/null 2>&1; then
306 |     echo -e "网卡存在混杂模式！" | tee -a $FileName
307 | else
308 |     echo -e "网卡不存在混杂模式" | tee -a $FileName
309 | fi
310 | echo -e "\n" | tee -a $FileName
311 | 
312 | # 常用软件
313 | 
314 | echo -e "\e[00;31m[+] 常用软件\e[00m" | tee -a $FileName
315 | echo -e "\n" | tee -a $FileName
316 | cmdline=(
317 |     "which perl"
318 |     "which gcc"
319 |     "which g++"
320 |     "which python"
321 |     "which php"
322 |     "which cc"
323 |     "which go"
324 |     "which node"
325 |     "which nodejs"
326 |     "which bind"
327 |     "which tomcat"
328 |     "which clang"
329 |     "which ruby"
330 |     "which curl"
331 |     "which wget"
332 |     "which mysql"
333 |     "which redis"
334 |     "which ssserver"
335 |     "which vsftpd"
336 |     "which java"
337 |     "which apache"
338 |     "which nginx"
339 |     "which git"
340 |     "which mongodb"
341 |     "which docker"
342 |     "which tftp"
343 |     "which psql"
344 | )
345 | 
346 | for prog in "${cmdline[@]}"; do
347 |     soft=$($prog)
348 |     if [ "$soft" ] 2>/dev/null; then
349 |         echo -e "$soft" | ag -o '\w+$' --nocolor | tee -a $FileName
350 |     fi
351 | done
352 | echo -e "\n" | tee -a $FileName
353 | 
354 | # Crontab
355 | 
356 | echo -e "\e[00;31m[+] Crontab\e[00m" | tee -a $FileName
357 | echo -e "\n" | tee -a $FileName
358 | crontab -u root -l | ag -v '#' --nocolor | tee -a $FileName
359 | echo -e "\n" | tee -a $FileName
360 | crontab  -l | ag -v '#' --nocolor | tee -a $FileName
361 | ls -alht /etc/cron.*/* | tee -a $FileName
362 | echo -e "\n" | tee -a $FileName
363 | 
364 | # Crontab Backdoor Crontab可疑命令
365 | 
366 | echo -e "\e[00;31m[+] Crontab Backdoor\e[00m" | tee -a $FileName
367 | echo -e "\n" | tee -a $FileName
368 | ag '((?:useradd|groupadd|chattr)|(?:wget\s|curl\s|tftp\s\-i|scp\s|sftp\s)|(?:bash\s\-i|fsockopen|nc\s\-e|sh\s\-i|\"/bin/sh\"|\"/bin/bash\"))' /etc/cron* /var/spool/cron/* --nocolor | tee -a $FileName
369 | echo -e "\n" | tee -a $FileName
370 | 
371 | # env
372 | 
373 | echo -e "\e[00;31m[+] env\e[00m" | tee -a $FileName
374 | echo -e "\n" | tee -a $FileName
375 | env | tee -a $FileName
376 | echo -e "\n" | tee -a $FileName
377 | 
378 | # PATH
379 | 
380 | echo -e "\e[00;31m[+] PATH\e[00m" | tee -a $FileName
381 | echo -e "\n" | tee -a $FileName
382 | echo $PATH | tee -a $FileName
383 | echo -e "\n" | tee -a $FileName
384 | 
385 | # LD_PRELOAD
386 | 
387 | echo -e "\e[00;31m[+] LD_PRELOAD\e[00m" | tee -a $FileName
388 | echo -e "\n" | tee -a $FileName
389 | echo ${LD_PRELOAD} | tee -a $FileName
390 | echo -e "\n" | tee -a $FileName
391 | 
392 | # LD_ELF_PRELOAD
393 | 
394 | echo -e "\e[00;31m[+] LD_ELF_PRELOAD\e[00m" | tee -a $FileName
395 | echo -e "\n" | tee -a $FileName
396 | echo ${LD_ELF_PRELOAD} | tee -a $FileName
397 | echo -e "\n" | tee -a $FileName
398 | 
399 | # LD_LIBRARY_PATH
400 | 
401 | echo -e "\e[00;31m[+] LD_LIBRARY_PATH\e[00m" | tee -a $FileName
402 | echo -e "\n" | tee -a $FileName
403 | echo ${LD_LIBRARY_PATH} | tee -a $FileName
404 | echo -e "\n" | tee -a $FileName
405 | 
406 | # ld.so.preload
407 | 
408 | echo -e "\e[00;31m[+] ld.so.preload\e[00m" | tee -a $FileName
409 | echo -e "\n" | tee -a $FileName
410 | preload='/etc/ld.so.preload'
411 | if [ -e "${preload}" ]; then
412 |     cat ${preload} | tee -a $FileName
413 | else
414 |     echo -e "/etc/ld.so.preload 文件不存在" | tee -a $FileName
415 | fi
416 | echo -e "\n" | tee -a $FileName
417 | 
418 | # 可登录用户账号
419 | 
420 | echo -e "\e[00;31m[+] 可登录用户账号\e[00m" | tee -a $FileName
421 | echo -e "\n" | tee -a $FileName
422 | cat /etc/passwd | ag -v 'nologin$|false$' | tee -a $FileName
423 | echo -e "\n" | tee -a $FileName
424 | 
425 | # passwd文件修改日期
426 | 
427 | echo -e "\e[00;31m[+] passwd文件修改日期:\e[00m\n\n" $(stat /etc/passwd | ag -o '(?<=Modify: ).*' --nocolor) 2>/dev/null | tee -a $FileName
428 | echo -e "\n" | tee -a $FileName
429 | 
430 | # sudoers(请注意NOPASSWD)
431 | 
432 | echo -e "\e[00;31m[+] sudoers(请注意NOPASSWD)\e[00m" | tee -a $FileName
433 | echo -e "\n" | tee -a $FileName
434 | cat /etc/sudoers | ag -v '#' | sed -e '/^$/d' | ag ALL --nocolor | tee -a $FileName
435 | echo -e "\n" | tee -a $FileName
436 | 
437 | # IPTABLES防火墙
438 | 
439 | echo -e "\e[00;31m[+] IPTABLES防火墙\e[00m" | tee -a $FileName
440 | echo -e "\n" | tee -a $FileName
441 | iptables -L | tee -a $FileName
442 | echo -e "\n" | tee -a $FileName
443 | 
444 | # 登录用户信息
445 | 
446 | echo -e "\e[00;31m[+] 登录用户信息\e[00m" | tee -a $FileName
447 | echo -e "\n" | tee -a $FileName
448 | w | tee -a $FileName
449 | echo -e "\n" | tee -a $FileName
450 | last -n 20 -a -i | tee -a $FileName
451 | echo -e "\n" | tee -a $FileName
452 | lastlog | ag -v 'Never' | tee -a $FileName
453 | echo -e "\n" | tee -a $FileName
454 | echo "登录ip:" $(ag -a Accepted /var/log/secure /var/log/auth.* 2>/dev/null | ag -o '\d+\.\d+\.\d+\.\d+' | sort | uniq) 2>/dev/null | tee -a $FileName
455 | echo -e "\n" | tee -a $FileName
456 | 
457 | # SSH暴破IP
458 | 
459 | echo -e "\e[00;31m[+] SSH暴破IP\e[00m" | tee -a $FileName
460 | echo -e "\n" | tee -a $FileName
461 | if [ $OS = 'CentOS' ]; then
462 |     ag -a 'authentication failure' /var/log/secure* | awk '{print $14}' | awk -F '=' '{print $2}' | ag '\d+\.\d+\.\d+\.\d+' | sort | uniq -c | sort -nr | head -n 25 | tee -a $FileName
463 | else
464 |     ag -a 'authentication failure' /var/log/auth.* | awk '{print $14}' | awk -F '=' '{print $2}' | ag '\d+\.\d+\.\d+\.\d+' | sort | uniq -c | sort -nr | head -n 25 | tee -a $FileName
465 | 
466 | fi
467 | echo -e "\n" | tee -a $FileName
468 | 
469 | # 运行服务 Service
470 | 
471 | echo -e "\e[00;31m[+] Service\e[00m" | tee -a $FileName
472 | echo -e "\n" | tee -a $FileName
473 | if [ $OS = 'CentOS' ]; then
474 |     systemctl -l | grep running | awk '{print $1}' | tee -a $FileName
475 | else
476 |     service --status-all | ag -Q '+' --nocolor | tee -a $FileName
477 | fi
478 | echo -e "\n" | tee -a $FileName
479 | 
480 | # 查看History文件
481 | 
482 | echo -e "\e[00;31m[+] History\e[00m" | tee -a $FileName
483 | echo -e "\n" | tee -a $FileName
484 | ls -alht ~/.*_history | tee -a $FileName
485 | ls -alht /root/.*_history | tee -a $FileName
486 | echo -e "\n" | tee -a $FileName
487 | cat ~/.*history | ag '(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9])|http://|https://|\bssh\b|\bscp\b|\.tar|\bwget\b|\bcurl\b|\bnc\b|\btelnet\b|\bbash\b|\bsh\b|\bchmod\b|\bchown\b|/etc/passwd|/etc/shadow|/etc/hosts|\bnmap\b|\bfrp\b|\bnfs\b|\bsshd\b|\bmodprobe\b|\blsmod\b|\bsudo\b' --nocolor | ag -v 'man\b|ag\b|cat\b|sed\b|git\b|docker\b|rm\b|touch\b|mv\b|\bapt\b|\bapt-get\b' | tee -a $FileName
488 | echo -e "\n" | tee -a $FileName
489 | 
490 | # /etc/hosts
491 | 
492 | echo -e "\e[00;31m[+] /etc/hosts\e[00m" | tee -a $FileName
493 | echo -e "\n" | tee -a $FileName
494 | cat /etc/hosts | ag -v "#" | tee -a $FileName
495 | echo -e "\n" | tee -a $FileName
496 | 
497 | # /etc/profile
498 | 
499 | echo -e "\e[00;31m[+] /etc/profile\e[00m" | tee -a $FileName
500 | echo -e "\n" | tee -a $FileName
501 | cat /etc/profile | ag -v '#' | tee -a $FileName
502 | echo -e "\n" | tee -a $FileName
503 | 
504 | # /etc/rc.local
505 | 
506 | echo -e "\e[00;31m[+] /etc/rc.local\e[00m" | tee -a $FileName
507 | echo -e "\n" | tee -a $FileName
508 | cat /etc/rc.local | ag -v '#' | tee -a $FileName
509 | echo -e "\n" | tee -a $FileName
510 | 
511 | # ~/.bash_profile
512 | 
513 | echo -e "\e[00;31m[+] ~/.bash_profile\e[00m" | tee -a $FileName
514 | echo -e "\n" | tee -a $FileName
515 | cat ~/.bash_profile | ag -v '#' | tee -a $FileName
516 | echo -e "\n" | tee -a $FileName
517 | 
518 | # ~/.bashrc
519 | 
520 | echo -e "\e[00;31m[+] ~/.bashrc\e[00m" | tee -a $FileName
521 | echo -e "\n" | tee -a $FileName
522 | cat ~/.bashrc | ag -v '#' | tee -a $FileName
523 | echo -e "\n" | tee -a $FileName
524 | 
525 | # bash反弹shell
526 | 
527 | echo -e "\e[00;31m[+] bash反弹shell\e[00m" | tee -a $FileName
528 | echo -e "\n" | tee -a $FileName
529 | ps -ef | ag 'bash -i' | ag -v 'ag' | awk '{print $2}' | xargs -i{} lsof -p {} | ag 'ESTABLISHED' --nocolor | tee -a $FileName
530 | echo -e "\n" | tee -a $FileName
531 | 
532 | # SSHD
533 | 
534 | echo -e "\e[00;31m[+] SSHD\e[00m" | tee -a $FileName
535 | echo -e "\n" | tee -a $FileName
536 | echo -e "/usr/sbin/sshd"
537 | stat /usr/sbin/sshd | ag 'Access | Modify | Change' --nocolor | tee -a $FileName
538 | echo -e "\n" | tee -a $FileName
539 | 
540 | # ...隐藏文件
541 | 
542 | # Linux下常用的隐藏手法
543 | 
544 | echo -e "\e[00;31m[+] ...隐藏文件\e[00m" | tee -a $FileName
545 | echo -e "\n" | tee -a $FileName
546 | find / ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/boot/*" -name ".*." | tee -a $FileName
547 | echo -e "\n" | tee -a $FileName
548 | 
549 | # /tmp目录
550 | 
551 | echo -e "\e[00;31m[+] /tmp\e[00m" | tee -a $FileName
552 | echo -e "\n" | tee -a $FileName
553 | ls -alht /tmp /var/tmp /dev/shm | tee -a $FileName
554 | echo -e "\n" | tee -a $FileName
555 | 
556 | # alias 别名
557 | 
558 | echo -e "\e[00;31m[+] alias\e[00m" | tee -a $FileName
559 | echo -e "\n" | tee -a $FileName
560 | alias | ag -v 'git' | tee -a $FileName
561 | echo -e "\n" | tee -a $FileName
562 | 
563 | # SUID
564 | 
565 | echo -e "\e[00;31m[+] SUID\e[00m" | tee -a $FileName
566 | echo -e "\n" | tee -a $FileName
567 | find / ! -path "/proc/*" -perm -004000 -type f | ag -v 'snap|docker|pam_timestamp_check|unix_chkpwd|ping|mount|su|pt_chown|ssh-keysign|at|passwd|chsh|crontab|chfn|usernetctl|staprun|newgrp|chage|dhcp|helper|pkexec|top|Xorg|nvidia-modprobe|quota|login|security_authtrampoline|authopen|traceroute6|traceroute|ps' | tee -a $FileName
568 | echo -e "\n" | tee -a $FileName
569 | 
570 | # lsof +L1
571 | 
572 | #进程存在但文件已经没有了
573 | 
574 | echo -e "\e[00;31m[+] lsof +L1\e[00m" | tee -a $FileName
575 | echo -e "\n" | tee -a $FileName
576 | lsof +L1 | tee -a $FileName
577 | echo -e "\n" | tee -a $FileName
578 | 
579 | # 近七天文件改动 mtime
580 | 
581 | echo -e "\e[00;31m[+] 近七天文件改动 mtime\e[00m" | tee -a $FileName
582 | echo -e "\n" | tee -a $FileName
583 | find /etc /bin /lib /sbin /dev /root/ /home /tmp /opt /var ! -path "/var/log*" ! -path "/var/spool/exim4*" ! -path "/var/backups*" -mtime -7 -type f | ag -v '\.log|cache|vim|/share/|/lib/|.zsh|.gem|\.git|LICENSE|README|/_\w+\.\w+|\blogs\b|elasticsearch|nohup|i18n' | xargs -i{} ls -alh {} | tee -a $FileName
584 | echo -e "\n" | tee -a $FileName
585 | 
586 | # 近七天文件改动 ctime
587 | 
588 | echo -e "\e[00;31m[+] 近七天文件改动 ctime\e[00m" | tee -a $FileName
589 | echo -e "\n" | tee -a $FileName
590 | find /etc /bin /lib /sbin /dev /root/ /home /tmp /opt /var ! -path "/var/log*" ! -path "/var/spool/exim4*" ! -path "/var/backups*" -ctime -7 -type f | ag -v '\.log|cache|vim|/share/|/lib/|.zsh|.gem|\.git|LICENSE|README|/_\w+\.\w+|\blogs\b|elasticsearch|nohup|i18n' | xargs -i{} ls -alh {} | tee -a $FileName
591 | echo -e "\n" | tee -a $FileName
592 | 
593 | # 大文件>200mb
594 | 
595 | # 有些黑客会将数据库、网站打包成一个文件然后下载
596 | 
597 | echo -e "\e[00;31m[+] 大文件>100mb\e[00m" | tee -a $FileName
598 | echo -e "\n" | tee -a $FileName
599 | find / ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/boot/*" -size +100M -print 2>/dev/null | xargs -i{} ls -alh {} | ag '\.gif|\.jpeg|\.jpg|\.png|\.zip|\.tar.gz|\.tgz|\.7z|\.log|\.xz|\.rar|\.bak|\.old|\.sql|\.1|\.txt|\.tar|\.db|/\w+$' --nocolor | ag -v 'ib_logfile|ibd｜mysql-bin｜mysql-slow｜ibdata1' | tee -a $FileName
600 | echo -e "\n" | tee -a $FileName
601 | 
602 | # 敏感文件
603 | 
604 | echo -e "\e[00;31m[+] 敏感文件\e[00m" | tee -a $FileName
605 | echo -e "\n" | tee -a $FileName
606 | find / ! -path "/lib/modules*" ! -path "/usr/src*" ! -path "/snap*" ! -path "/usr/include/*" -regextype posix-extended -regex '.*sqlmap|.*msfconsole|.*\bncat|.*\bnmap|.*nikto|.*ettercap|.*tunnel\.(php|jsp|asp|py)|.*/nc\b|.*socks.(php|jsp|asp|py)|.*proxy.(php|jsp|asp|py)|.*brook.*|.*frps|.*frpc|.*aircrack|.*hydra|.*minerd|.*/ew$' -type f | ag -v '/lib/python' | xargs -i{} ls -alh {} | tee -a $FileName
607 | echo -e "\n" | tee -a $FileName
608 | 
609 | # lsmod 可疑模块
610 | 
611 | echo -e "\e[00;31m[+] lsmod 可疑模块\e[00m" | tee -a $FileName
612 | echo -e "\n" | tee -a $FileName
613 | lsmod | ag -v "ablk_helper|ac97_bus|acpi_power_meter|aesni_intel|ahci|ata_generic|ata_piix|auth_rpcgss|binfmt_misc|bluetooth|bnep|bnx2|bridge|cdrom|cirrus|coretemp|crc_t10dif|crc32_pclmul|crc32c_intel|crct10dif_common|crct10dif_generic|crct10dif_pclmul|cryptd|dca|dcdbas|dm_log|dm_mirror|dm_mod|dm_region_hash|drm|drm_kms_helper|drm_panel_orientation_quirks|e1000|ebtable_broute|ebtable_filter|ebtable_nat|ebtables|edac_core|ext4|fb_sys_fops|floppy|fuse|gf128mul|ghash_clmulni_intel|glue_helper|grace|i2c_algo_bit|i2c_core|i2c_piix4|i7core_edac|intel_powerclamp|ioatdma|ip_set|ip_tables|ip6_tables|ip6t_REJECT|ip6t_rpfilter|ip6table_filter|ip6table_mangle|ip6table_nat|ip6ta ble_raw|ip6table_security|ipmi_devintf|ipmi_msghandler|ipmi_si|ipmi_ssif|ipt_MASQUERADE|ipt_REJECT|iptable_filter|iptable_mangle|iptable_nat|iptable_raw|iptable_security|iTCO_vendor_support|iTCO_wdt|jbd2|joydev|kvm|kvm_intel|libahci|libata|libcrc32c|llc|lockd|lpc_ich|lrw|mbcache|megaraid_sas|mfd_core|mgag200|Module|mptbase|mptscsih|mptspi|nf_conntrack|nf_conntrack_ipv4|nf_conntrack_ipv6|nf_defrag_ipv4|nf_defrag_ipv6|nf_nat|nf_nat_ipv4|nf_nat_ipv6|nf_nat_masquerade_ipv4|nfnetlink|nfnetlink_log|nfnetlink_queue|nfs_acl|nfsd|parport|parport_pc|pata_acpi|pcspkr|ppdev|rfkill|sch_fq_codel|scsi_transport_spi|sd_mod|serio_raw|sg|shpchp|snd|snd_ac97_codec|snd_ens1371|snd_page_alloc|snd_pcm|snd_rawmidi|snd_seq|snd_seq_device|snd_seq_midi|snd_seq_midi_event|snd_timer|soundcore|sr_mod|stp|sunrpc|syscopyarea|sysfillrect|sysimgblt|tcp_lp|ttm|tun|uvcvideo|videobuf2_core|videobuf2_memops|videobuf2_vmalloc|videodev|virtio|virtio_balloon|virtio_console|virtio_net|virtio_pci|virtio_ring|virtio_scsi|vmhgfs|vmw_balloon|vmw_vmci|vmw_vsock_vmci_transport|vmware_balloon|vmwgfx|vsock|xfs|xt_CHECKSUM|xt_conntrack|xt_state|raid*|tcpbbr|btrfs|.*diag|psmouse|ufs|linear|msdos|cpuid|veth|xt_tcpudp|xfrm_user|xfrm_algo|xt_addrtype|br_netfilter|input_leds|sch_fq|ib_iser|rdma_cm|iw_cm|ib_cm|ib_core|.*scsi.*|tcp_bbr|pcbc|autofs4|multipath|hfs.*|minix|ntfs|vfat|jfs|usbcore|usb_common|ehci_hcd|uhci_hcd|ecb|crc32c_generic|button|hid|usbhid|evdev|hid_generic|overlay|xt_nat|qnx4|sb_edac|acpi_cpufreq|ixgbe|pf_ring|tcp_htcp|cfg80211|x86_pkg_temp_thermal|mei_me|mei|processor|thermal_sys|lp|enclosure|ses|ehci_pci|igb|i2c_i801|pps_core|isofs|nls_utf8|xt_REDIRECT|xt_multiport|iosf_mbi|qxl" | tee -a $FileName
614 | echo -e "\n" | tee -a $FileName
615 | 
616 | # Rootkit 内核模块
617 | 
618 | echo -e "\e[00;31m[+] Rootkit 内核模块\e[00m" | tee -a $FileName
619 | echo -e "\n" | tee -a $FileName
620 | kernel=$(cat /proc/kallsyms | egrep 'hide_tcp4_port|hidden_files|hide_tcp6_port') 2>/dev/null
621 | if [ -n "$kernel" ]; then
622 |     echo -e "存在内核敏感函数！ 疑似Rootkit内核模块" | tee -a $FileName
623 | else
624 |     echo -e "未找到内核敏感函数" | tee -a $FileName
625 | fi
626 | echo -e "\n" | tee -a $FileName
627 | 
628 | # 检查SSH key
629 | 
630 | echo -e "\e[00;31m[+] SSH key\e[00m" | tee -a $FileName
631 | echo -e "\n" | tee -a $FileName
632 | sshkey=${HOME}/.ssh/authorized_keys
633 | if [ -e "${sshkey}" ]; then
634 |     cat ${sshkey} | tee -a $FileName
635 | else
636 |     echo -e "SSH key文件不存在\n" | tee -a $FileName
637 | fi
638 | echo -e "\n" | tee -a $FileName
639 | 
640 | # PHP WebShell查杀
641 | 
642 | echo -e "\e[00;31m[+] PHP WebShell查杀\e[00m" | tee -a $FileName
643 | echo -e "\n" | tee -a $FileName
644 | ag --php -l -s -i 'array_map\(|pcntl_exec\(|proc_open\(|popen\(|assert\(|phpspy|c99sh|milw0rm|eval?\(|\(gunerpress|\(base64_decoolcode|spider_bc|shell_exec\(|passthru\(|base64_decode\s?\(|gzuncompress\s?\(|gzinflate|\(\$\$\w+|call_user_func\(|call_user_func_array\(|preg_replace_callback\(|preg_replace\(|register_shutdown_function\(|register_tick_function\(|mb_ereg_replace_callback\(|filter_var\(|ob_start\(|usort\(|uksort\(|uasort\(|GzinFlate\s?\(|\$\w+\(\d+\)\.\$\w+\(\d+\)\.|\$\w+=str_replace\(|eval\/\*.*\*\/\(' $WebPath | tee -a $FileName
645 | ag --php -l -s -i '^(\xff\xd8|\x89\x50|GIF89a|GIF87a|BM|\x00\x00\x01\x00\x01)[\s\S]*<\?\s*php' $WebPath | tee -a $FileName
646 | ag --php -l -s -i '\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[\/*\s]*\(+[\/*\s]*((\$_(GET|POST|REQUEST|COOKIE)\[.{0,25})|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*(\$_(GET|POST|REQUEST|COOKIE)\[.{0,25}))' $WebPath | tee -a $FileName
647 | ag --php -l -s -i '\$\s*(\w+)\s*=[\s\(\{]*(\$_(GET|POST|REQUEST|COOKIE)\[.{0,25});[\s\S]{0,200}\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[\/*\s]*\(+[\s"\/*]*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\("]*\$\s*\1))' $WebPath | tee -a $FileName
648 | ag --php -l -s -i '\b(filter_var|filter_var_array)\b\s*\(.*FILTER_CALLBACK[^;]*((\$_(GET|POST|REQUEST|COOKIE|SERVER)\[.{0,25})|(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec))' $WebPath | tee -a $FileName
649 | ag --php -l -s -i "\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|include)\b\s*\(\s*(file_get_contents\s*\(\s*)?[\'\"]php:\/\/input" $WebPath | tee -a $FileName
650 | echo -e "\n" | tee -a $FileName
651 | 
652 | # JSP WebShell查杀
653 | 
654 | echo -e "\e[00;31m[+] JSP WebShell查杀\e[00m" | tee -a $FileName
655 | echo -e "\n" | tee -a $FileName
656 | ag --jsp -l -s -i '<%@\spage\simport=[\s\S]*\\u00\d+\\u00\d+|<%@\spage\simport=[\s\S]*Runtime.getRuntime\(\).exec\(request.getParameter\(|Runtime.getRuntime\(\)' $WebPath | tee -a $FileName
657 | echo -e "\n" | tee -a $FileName
658 | 
659 | # ASP/ASPX WebShell查杀
660 | 
661 | echo -e "\e[00;31m[+] ASP/ASPX WebShell查杀\e[00m" | tee -a $FileName
662 | echo -e "\n" | tee -a $FileName
663 | ag -G ".+\.asp" -l -i -s '<%@codepage=65000[\s\S]*=936:|<%eval\srequest\(\"|<%@\sPage\sLanguage=\"Jscript\"[\s\S]*eval\(\w+\+|<%@.*eval\(Request\.Item' $WebPath | tee -a $FileName
664 | echo -e "\n" | tee -a $FileName
665 | 
666 | # 挖矿木马检测
667 | 
668 | echo -e "\e[00;31m[+] 挖矿木马检测\e[00m" | tee -a $FileName
669 | echo -e "\n" | tee -a $FileName
670 | ps aux | ag "systemctI|kworkerds|init10.cfg|wl.conf|crond64|watchbog|sustse|donate|proxkekman|test.conf|/var/tmp/apple|/var/tmp/big|/var/tmp/small|/var/tmp/cat|/var/tmp/dog|/var/tmp/mysql|/var/tmp/sishen|ubyx|cpu.c|tes.conf|psping|/var/tmp/java-c|pscf|cryptonight|sustes|xmrig|xmr-stak|suppoie|ririg|/var/tmp/ntpd|/var/tmp/ntp|/var/tmp/qq|/tmp/qq|/var/tmp/aa|gg1.conf|hh1.conf|apaqi|dajiba|/var/tmp/look|/var/tmp/nginx|dd1.conf|kkk1.conf|ttt1.conf|ooo1.conf|ppp1.conf|lll1.conf|yyy1.conf|1111.conf|2221.conf|dk1.conf|kd1.conf|mao1.conf|YB1.conf|2Ri1.conf|3Gu1.conf|crant|nicehash|linuxs|linuxl|Linux|crawler.weibo|stratum|gpg-daemon|jobs.flu.cc|cranberry|start.sh|watch.sh|krun.sh|killTop.sh|cpuminer|/60009|ssh_deny.sh|clean.sh|\./over|mrx1|redisscan|ebscan|barad_agent|\.sr0|clay|udevs|\.sshd|/tmp/init|xmr|xig|ddgs|minerd|hashvault|geqn|\.kthreadd|httpdz|pastebin.com|sobot.com|kerbero|2t3ik|ddgs|qW3xt|ztctb" | ag -v "ag|$0" | tee -a $FileName
671 | echo -e "\n" | tee -a $FileName
672 | 
673 | # Rkhunter查杀
674 | 
675 | echo -e "\e[00;31m[+] Rkhunter查杀\e[00m" | tee -a $FileName
676 | echo -e "\n" | tee -a $FileName
677 | if rkhunter >/dev/null 2>&1; then
678 |     rkhunter --checkall --sk | ag -v 'OK | Not found | None found' | tee -a $FileName
679 | else
680 |     if [ -e "rkhunter.tar.gz" ]; then
681 |         tar -zxvf rkhunter.tar.gz >/dev/null 2>&1
682 |         cd rkhunter-1.4.6/
683 |         ./installer.sh --install >/dev/null 2>&1
684 |         rkhunter --checkall --sk | ag -v 'OK | Not found | None found' | tee -a $FileName
685 |     else
686 |         echo -e "找不到rkhunter.tar.gz尝试下载"
687 |         wget https://github.com/al0ne/LinuxCheck/raw/master/rkhunter.tar.gz >/dev/null 2>&1
688 |         tar -zxvf rkhunter.tar.gz >/dev/null 2>&1
689 |         cd rkhunter-1.4.6/
690 |         ./installer.sh --install >/dev/null 2>&1
691 |         rkhunter --checkall --sk | ag -v 'OK | Not found | None found' | tee -a $FileName
692 |     fi
693 | fi


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # LinuxCheck---
2 | LinuxCheck - 应急响应实用脚本
3 | 


--------------------------------------------------------------------------------