├── LICENSE
├── LinuxCheck.sh
├── README.md
├── rkhunter.tar.gz
├── silversearcher-ag_2.2.0-1+b1_amd64.deb
├── silversearcher-ag_2.2.0-1_i386.deb
├── the_silver_searcher-2.1.0-1.el6.x86_64.rpm
└── the_silver_searcher-2.1.0-1.el7.x86_64.rpm


/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2019 al0ne
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/LinuxCheck.sh:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env bash
  2 | 
  3 | echo ""
  4 | echo " ========================================================= "
  5 | echo " \        Linux应急处置/信息搜集/漏洞检测脚本 V3.0      / "
  6 | echo " ========================================================= "
  7 | echo " # 支持Centos、Debian系统检测                    "
  8 | echo " # author：al0ne                    "
  9 | echo " # https://github.com/al0ne                    "
 10 | echo " # 更新日期：2024年4月20日                    "
 11 | echo " # 参考来源：                "
 12 | echo " #   1.Gscan https://github.com/grayddq/GScan  "
 13 | echo " #   2.Lynis https://github.com/CISOfy/lynis  "
 14 | echo " #   3.container-escape-check https://github.com/teamssix/container-escape-check"
 15 | echo -e "\n"
 16 | 
 17 | # WEB Path 设置web目录，检测Webshell。
 18 | webpath='/'
 19 | 
 20 | # 报告上报的地址
 21 | webhook_url='http://localhost:5000/upload'
 22 | 
 23 | # 设置保存文件
 24 | ipaddress=$(ip address | grep -oP '(?<=inet )\d+\.\d+\.\d+\.\d+(?=\/2)' | head -n 1)
 25 | filename=$ipaddress'_'$(hostname)'_'$(whoami)'_'$(date +%s)_log'.md'
 26 | 
 27 | print_msg() {
 28 |   echo -e "$1\n" | tee -a $filename
 29 | }
 30 | 
 31 | print_code() {
 32 |   echo -e "\`\`\`shell\n$1\n\`\`\`\n" | tee -a $filename
 33 | }
 34 | 
 35 | reverse_shell_check() {
 36 |   echo -e "\n"
 37 |   print_code "$(grep -P '(tftp\s\-i|scp\s|sftp\s|bash\s\-i|nc\s\-e|sh\s\-i|wget\s|curl\s|\bexec|/dev/tcp/|/dev/udp/)' $1 $2 $3)"
 38 |   print_code "$(grep -P '(useradd|groupadd|chattr|fsockopen|socat|base64|socket|perl|openssl)' $1 $2 $3)"
 39 | }
 40 | 
 41 | ### 1.环境检查 ###
 42 | print_msg "## 环境检测"
 43 | # 验证是否为root权限
 44 | if [ $UID -ne 0 ]; then
 45 |   print_msg "请使用root权限运行！"
 46 |   exit 1
 47 | else
 48 |   print_msg "当前为root权限！"
 49 | fi
 50 | 
 51 | # 验证操作系统是debian系还是centos
 52 | OS='None'
 53 | 
 54 | if [ -e "/etc/os-release" ]; then
 55 |   source /etc/os-release
 56 |   case ${ID} in
 57 |   "debian" | "ubuntu" | "devuan")
 58 |     OS='Debian'
 59 |     ;;
 60 |   "centos" | "rhel fedora" | "rhel")
 61 |     OS='Centos'
 62 |     ;;
 63 |   *) ;;
 64 |   esac
 65 | fi
 66 | 
 67 | if [ $OS = 'None' ]; then
 68 |   if command -v apt-get >/dev/null 2>&1; then
 69 |     OS='Debian'
 70 |   elif command -v yum >/dev/null 2>&1; then
 71 |     OS='Centos'
 72 |   else
 73 |     echo -e "\n不支持这个系统\n"
 74 |     echo -e "已退出"
 75 |     exit 1
 76 |   fi
 77 | fi
 78 | 
 79 | # 安装应急必备工具
 80 | cmdline=(
 81 |   "net-tools"
 82 |   "telnet"
 83 |   "nc"
 84 |   "lrzsz"
 85 |   "wget"
 86 |   "strace"
 87 |   "traceroute"
 88 |   "htop"
 89 |   "tar"
 90 |   "lsof"
 91 |   "tcpdump"
 92 | )
 93 | for prog in "${cmdline[@]}"; do
 94 | 
 95 |   if [ $OS = 'Centos' ]; then
 96 |     soft=$(rpm -q "$prog")
 97 |     if echo "$soft" | grep -E '没有安装|未安装|not installed' >/dev/null 2>&1; then
 98 |       echo -e "$prog 安装中......"
 99 |       yum install -y "$prog" >/dev/null 2>&1
100 |       yum install -y the_silver_searcher >/dev/null 2>&1
101 |     fi
102 |   else
103 |     if dpkg -L $prog | grep 'does not contain any files' >/dev/null 2>&1; then
104 |       echo -e "$prog 安装中......"
105 |       apt install -y "$prog" >/dev/null 2>&1
106 |     fi
107 | 
108 |   fi
109 | done
110 | 
111 | echo -e "\n"
112 | 
113 | base_check() {
114 |   print_msg "## 基础配置检查"
115 |   print_msg "### 系统信息"
116 |   #当前用户
117 |   print_msg "**USER:**\t\t$(whoami)" 2>/dev/null
118 |   #版本信息
119 |   print_msg "**OS Version:**\t$(uname -r)"
120 |   #主机名
121 |   print_msg "**Hostname:** \t$(hostname -s)"
122 |   #服务器SN
123 |   print_msg "**服务器SN:** \t$(dmidecode -t1 | grep -oP '(?<=Serial Number: ).*')"
124 |   #uptime
125 |   print_msg "**Uptime:** \t$(uptime | awk -F ',' '{print $1}')"
126 |   #系统负载
127 |   print_msg "**系统负载:** \t$(uptime | awk '{print $9" "$10" "$11" "$12" "$13}')"
128 |   #cpu信息
129 |   print_msg "**CPU info:**\t$(grep -oP '(?<=model name\t: ).*' </proc/cpuinfo | head -n 1)"
130 |   #cpu核心
131 |   print_msg "**CPU 核心:**\t$(cat /proc/cpuinfo | grep 'processor' | sort | uniq | wc -l)"
132 |   #ipaddress
133 |   ipaddress=$(ifconfig | grep -oP '(?<=inet |inet addr:)\d+\.\d+\.\d+\.\d+' | grep -v '127.0.0.1') >/dev/null 2>&1
134 |   print_msg "**IPADDR:**\t\t${ipaddress}" | sed ":a;N;s/\n/ /g;ta"
135 |   print_msg "**CPU使用率:**  "
136 |   awk '$0 ~/cpu[0-9]/' /proc/stat 2>/dev/null | while read line; do
137 |     print_msg "$(echo $line | awk '{total=$2+$3+$4+$5+$6+$7+$8;free=$5;\
138 |         print$1" Free "free/total*100"%",\
139 |         "Used " (total-free)/total*100"%"}')"
140 |   done
141 | 
142 |   #内存占用
143 |   print_msg "### 内存占用"
144 |   print_code "$(free -mh)"
145 | 
146 |   #剩余空间
147 |   print_msg "### 剩余空间"
148 |   print_code "$(df -mh)"
149 | 
150 |   print_msg "### 硬盘挂载"
151 |   print_code "$(grep -v '#' </etc/fstab | awk '{print $1,$2,$3}')"
152 | 
153 |   #安装软件
154 |   # print_msg "### 常用软件"
155 |   cmdline=(
156 |     "which perl"
157 |     "which gcc"
158 |     "which g++"
159 |     "which python"
160 |     "which php"
161 |     "which cc"
162 |     "which go"
163 |     "which node"
164 |     "which nodejs"
165 |     "which bind"
166 |     "which tomcat"
167 |     "which clang"
168 |     "which ruby"
169 |     "which curl"
170 |     "which wget"
171 |     "which mysql"
172 |     "which redis"
173 |     "which ssserver"
174 |     "which vsftpd"
175 |     "which java"
176 |     "which apache"
177 |     "which apache2"
178 |     "which nginx"
179 |     "which git"
180 |     "which mongodb"
181 |     "which docker"
182 |     "which tftp"
183 |     "which psql"
184 |     "which kafka"
185 | 
186 |   )
187 | 
188 |   #HOSTS
189 |   print_msg "### /etc/hosts"
190 |   print_code "$(cat /etc/hosts | egrep -v "#")"
191 | }
192 | 
193 | process_check() {
194 |   print_msg "## 进程信息检查"
195 | 
196 |   print_msg "### CPU占用TOP 15"
197 |   cpu=$(ps aux | grep -v ^'USER' | sort -rn -k3 | head -15) 2>/dev/null
198 |   print_code "${cpu}"
199 | 
200 |   print_msg "### 内存占用TOP 15"
201 |   mem=$(ps aux | grep -v ^'USER' | sort -rn -k4 | head -15) 2>/dev/null
202 |   print_code "${mem}"
203 | 
204 |   print_msg "### 父进程为1的进程信息"
205 |   print_code "$(ps -e -o user,pid,ppid,cmd | awk '$3 == 1' | egrep -v "containerd-shim|/lib/systemd/systemd|/usr/sbin/cron|dbus|rsyslogd|containerd|/usr/sbin/sshd|/usr/bin/dockerd|/usr/sbin/arpd|/bin/login|/usr/sbin/vnstatd")"
206 | 
207 |   print_msg "### bash反弹shell进程"
208 |   tcp_reverse=$(ps -ef | grep -P 'sh -i' | egrep -v 'grep' | awk '{print $2}' | xargs -i{} lsof -p {} | grep 'ESTAB')
209 |   if [ -n $tcp_reverse ]; then
210 |     print_code "$tcp_reverse"
211 |   else
212 |     print_code "未发现 bash -i 反弹shell！"
213 |   fi
214 |   print_msg "### SSH 软连接后门进程"
215 |   if ps -ef | grep -P '\s+\-oport=\d+' >/dev/null 2>&1; then
216 |     print_msg "$(ps -ef | grep -P '\s+\-oport=\d+')"
217 |   else
218 |     print_msg "未检测到SSH软连接后门"
219 | 
220 |   fi
221 | }
222 | 
223 | network_check() {
224 |   print_msg "## 网络/流量检查"
225 |   #ifconfig
226 |   print_msg '### ifconfig'
227 |   print_code "$(/sbin/ifconfig -a)"
228 | 
229 |   #网络流量
230 |   print_msg "### 网络流量"
231 |   print_msg "**Interface**    **ByteRec**   **PackRec**   **ByteTran**   **PackTran**"
232 |   awk ' NR>2' /proc/net/dev | while read line; do
233 |     print_msg "$line" | awk -F ':' '{print "  "$1"  " $2}' | awk '{print $1"   "$2 "    "$3"   "$10"  "$11}'
234 |   done
235 | 
236 |   #端口监听
237 |   print_msg "### 端口监听"
238 |   print_code "$(netstat -tulpen | grep -P 'tcp|udp.*')"
239 | 
240 |   #对外开放端口
241 |   print_msg "### 对外开放端口"
242 |   print_code "$(netstat -tulpen | awk '{print $1,$4}' | grep -P -o '.*0.0.0.0:(\d+)|:::\d+')"
243 | 
244 |   #网络连接
245 |   print_msg "### 网络连接"
246 |   print_msg "**TCP连接**"
247 |   print_code "$(netstat -antop | grep -P ESTAB)"
248 |   print_msg "**UDP连接**"
249 |   print_code "$(netstat -anp | grep -P udp)"
250 | 
251 |   #连接状态
252 |   print_msg "### TCP连接状态"
253 |   print_code "$(netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}')"
254 | 
255 |   #路由表
256 |   print_msg "### 路由表"
257 |   print_code "$(/sbin/route -nee)"
258 | 
259 |   #路由转发
260 |   print_msg "### 路由转发"
261 |   ip_forward=$(more /proc/sys/net/ipv4/ip_forward | awk -F: '{if ($1==1) print "1"}')
262 |   if [ -n "$ip_forward" ]; then
263 |     print_code "/proc/sys/net/ipv4/ip_forward 已开启路由转发！"
264 |   else
265 |     print_code "该服务器未开启路由转发！"
266 |   fi
267 | 
268 |   #DNS
269 |   print_msg "### DNS Server"
270 |   print_code "$(grep -oP '\d+\.\d+\.\d+\.\d+' </etc/resolv.conf)"
271 | 
272 |   #ARP
273 |   print_msg "### ARP"
274 |   print_code "$(arp -n -a)"
275 | 
276 |   #混杂模式
277 |   print_msg "### 网卡混杂模式"
278 |   if ip link | grep -P PROMISC >/dev/null 2>&1; then
279 |     print_code "网卡存在混杂模式！"
280 |   else
281 |     print_code "网卡不存在混杂模式！"
282 | 
283 |   fi
284 | 
285 |   #防火墙
286 |   print_msg "### IPTABLES防火墙"
287 |   print_code "$(iptables -L)"
288 | 
289 | }
290 | 
291 | crontab_check() {
292 |   print_msg "## 任务计划检查"
293 | 
294 |   #crontab
295 |   print_msg "### Crontab 文件"
296 |   print_msg "crontab -l"
297 |   print_code "$(crontab -u root -l | egrep -v '#')"
298 |   print_msg "ls -alht /etc/cron.*/*"
299 |   print_code "$(ls -alht /etc/cron.*/*)"
300 | 
301 |   # crontab 内容
302 |   print_msg "### Crontab 文件内容"
303 |   print_code "$(find /var/spool/cron/ -type f -print0 | xargs -0 sudo cat | egrep -v '#')"
304 | 
305 |   #crontab可疑命令
306 |   print_msg "### Crontab Backdoor"
307 |   reverse_shell_check /etc/cron*
308 |   reverse_shell_check /var/spool/cron/*
309 | }
310 | 
311 | env_check() {
312 |   print_msg "## 环境变量检查"
313 |   #env
314 |   print_msg "### env"
315 |   print_code "$(env)"
316 | 
317 |   #PATH
318 |   print_msg "### PATH"
319 |   print_code "$PATH"
320 | 
321 |   print_msg "### Linux 动态链接库变量"
322 | 
323 |   #LD_PRELOAD
324 |   if [[ -n $LD_PRELOAD ]]; then
325 |     print_msg "**LD_PRELOAD**"
326 |     print_code $LD_PRELOAD
327 |   fi
328 |   #LD_ELF_PRELOAD
329 |   if [[ -n $LD_ELF_PRELOAD ]]; then
330 |     print_msg "**LD_ELF_PRELOAD**"
331 |     print_code $LD_ELF_PRELOAD
332 |   fi
333 |   #LD_AOUT_PRELOAD
334 |   if [[ -n $LD_AOUT_PRELOAD ]]; then
335 |     print_msg "**LD_AOUT_PRELOAD**"
336 |     print_code $LD_AOUT_PRELOAD
337 |   fi
338 |   #PROMPT_COMMAND
339 |   if [[ -n $PROMPT_COMMAND ]]; then
340 |     print_msg "**PROMPT_COMMAND**"
341 |     print_code $PROMPT_COMMAND
342 |   fi
343 |   #LD_LIBRARY_PATH
344 |   if [[ -n $LD_LIBRARY_PATH ]]; then
345 |     print_msg "**LD_LIBRARY_PATH**"
346 |     print_code $LD_LIBRARY_PATH
347 |   fi
348 |   #ld.so.preload
349 |   preload='/etc/ld.so.preload'
350 |   if [ -e "${preload}" ]; then
351 |     print_msg "**ld.so.preload**"
352 |     print_code ${preload}
353 |   fi
354 |   # 正在运行的环境变量
355 |   print_msg "### 正在运行的进程环境变量问题"
356 |   print_code "$(grep -P 'LD_PRELOAD|LD_ELF_PRELOAD|LD_AOUT_PRELOAD|PROMPT_COMMAND|LD_LIBRARY_PATH' /proc/*/environ)"
357 | }
358 | 
359 | user_check() {
360 |   print_msg "## 用户信息检查"
361 | 
362 |   print_msg "### 可登陆用户"
363 |   print_code "$(cat /etc/passwd | egrep -v 'nologin$|false$')"
364 | 
365 |   print_msg "### Root权限（非root）账号"
366 |   print_code "$(cat /etc/passwd | awk -F ':' '$3==0' | egrep -v root:)"
367 | 
368 |   print_msg "### /etc/passwd文件修改日期: "
369 | 
370 |   print_code "$(stat /etc/passwd | grep -P -o '(?<=Modify: ).*')"
371 | 
372 |   print_msg "### sudoers(请注意NOPASSWD)"
373 |   print_code "$(cat /etc/sudoers | egrep -v '#' | sed -e '/^$/d' | grep -P ALL)"
374 | 
375 |   print_msg "### 登录信息 w"
376 |   print_code "$(w)"
377 |   print_msg "### 登录信息 last"
378 |   print_code "$(last)"
379 |   print_msg "### 登录信息 lastlog"
380 |   print_code "$(lastlog)"
381 | 
382 |   print_msg "### 登陆ip"
383 |   print_code "$(grep -i -a Accepted /var/log/secure /var/log/auth.* 2>/dev/null | grep -Po '\d+\.\d+\.\d+\.\d+' | sort | uniq)"
384 | 
385 | }
386 | 
387 | init_check() {
388 |   print_msg "## Linux启动项排查"
389 | 
390 |   print_msg "### /etc/init.d 记录"
391 |   print_code "$(ls -alhtR /etc/init.d | head -n 30)"
392 |   print_msg "### /etc/init.d 黑特征"
393 |   reverse_shell_check /etc/init.d/*
394 | }
395 | 
396 | service_check() {
397 | 
398 |   print_msg "## 服务状态检查"
399 | 
400 |   print_msg "### 正在运行的Service "
401 |   print_code "$(systemctl -l | grep running | awk '{print $1}')"
402 | 
403 |   print_msg "### 最近添加的Service "
404 |   print_code "$(ls -alhtR /etc/systemd/system/multi-user.target.wants)"
405 |   print_code "$(ls -alht /etc/systemd/system/*.service | egrep -v 'dbus-org')"
406 | 
407 | }
408 | 
409 | bash_check() {
410 | 
411 |   print_msg -e "## Bash配置检查"
412 |   #查看history文件
413 |   print_msg "### History文件"
414 |   print_code "$(ls -alht /root/.*_history)"
415 | 
416 |   print_msg "### History敏感操作"
417 |   print_code "$(cat ~/.*history | grep -P '(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9])|http://|https://|\bssh\b|\bscp\b|\.tar|\bwget\b|\bcurl\b|\bnc\b|\btelnet\b|\bbash\b|\bsh\b|\bchmod\b|\bchown\b|/etc/passwd|/etc/shadow|/etc/hosts|\bnmap\b|\bfrp\b|\bnfs\b|\bsshd\b|\bmodprobe\b|\blsmod\b|\bsudo\b|mysql\b|mysqldump' | egrep -v 'man\b|ag\b|cat\b|sed\b|git\b|docker\b|rm\b|touch\b|mv\b|\bapt\b|\bapt-get\b')"
418 | 
419 |   #/etc/profile
420 |   print_msg "### /etc/profile "
421 |   print_code "$(cat /etc/profile | egrep -v '#')"
422 | 
423 |   # $HOME/.profile
424 |   print_msg "### .profile "
425 |   print_code "$(cat $HOME/.profile | egrep -v '#')"
426 | 
427 |   #/etc/rc.local
428 |   print_msg "### /etc/rc.local "
429 |   print_code "$(cat /etc/rc.local | egrep -v '#')"
430 | 
431 |   #~/.bash_profile
432 |   print_msg "### ~/.bash_profile "
433 |   if [ -e "$HOME/.bash_profile" ]; then
434 |     print_code "$(cat ~/.bash_profile | egrep -v '#')"
435 |   fi
436 | 
437 |   #~/.bashrc
438 |   print_msg "### ~/.bashrc "
439 |   print_code "$(cat ~/.bashrc | egrep -v '#' | sort | uniq)"
440 | 
441 |   #~/.bashrc
442 |   print_msg "### ~/.zshrc "
443 |   print_code "$(cat ~/.zshrc | egrep -v '#' | sort | uniq)"
444 | 
445 | }
446 | 
447 | file_check() {
448 |   print_msg "## 文件检查"
449 |   print_msg "系统文件修改时间 "
450 |   cmdline=(
451 |     "/sbin/ifconfig"
452 |     "/bin/ls"
453 |     "/bin/login"
454 |     "/bin/netstat"
455 |     "/bin/top"
456 |     "/bin/ps"
457 |     "/bin/find"
458 |     "/bin/grep"
459 |     "/etc/passwd"
460 |     "/etc/shadow"
461 |     "/usr/bin/curl"
462 |     "/usr/bin/wget"
463 |     "/root/.ssh/authorized_keys"
464 |   )
465 |   for soft in "${cmdline[@]}"; do
466 |     print_msg "文件：$soft\t\t\t修改日期：$(stat $soft | grep -P -o '(?<=Modify: )[\d-\s:]+')"
467 |   done
468 | 
469 |   print_msg "### ...隐藏文件"
470 |   print_msg "$(find / ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/boot/*" -name ".*.")"
471 | 
472 |   #tmp目录
473 |   print_msg "### /tmp"
474 |   print_code "$(ls /tmp /var/tmp /dev/shm -alht)"
475 | 
476 |   #alias 别名
477 |   print_msg "### alias"
478 |   print_code "$(alias | egrep -v 'git')"
479 | 
480 |   #SUID
481 |   print_msg "### SUID"
482 |   print_code "$(find / ! -path "/proc/*" -perm -004000 -type f | egrep -v 'snap|docker|pam_timestamp_check|unix_chkpwd|ping|mount|su|pt_chown|ssh-keysign|at|passwd|chsh|crontab|chfn|usernetctl|staprun|newgrp|chage|dhcp|helper|pkexec|top|Xorg|nvidia-modprobe|quota|login|security_authtrampoline|authopen|traceroute6|traceroute|ps')"
483 | 
484 |   #lsof -L1 进程存在但文件已经没有了
485 |   print_msg "### lsof +L1"
486 |   print_code "$(lsof +L1)"
487 | 
488 |   #近7天改动
489 |   print_msg "### 近七天文件改动 mtime "
490 |   print_code "$(find /etc /bin /lib /sbin /dev /root/ /home /tmp /var /usr ! -path "/var/log*" ! -path "/var/spool/exim4*" ! -path "/var/backups*" -mtime -7 -type f | egrep -v '\.log|cache|vim|/share/|/lib/|.zsh|.gem|\.git|LICENSE|README|/_\w+\.\w+|\blogs\b|elasticsearch|nohup|i18n' | xargs -i{} ls -alh {})"
491 | 
492 |   #近7天改动
493 |   print_msg "### 近七天文件改动 ctime "
494 |   print_code "$(find /etc /bin /lib /sbin /dev /root/ /home /tmp /var /usr ! -path "/var/log*" ! -path "/var/spool/exim4*" ! -path "/var/backups*" -ctime -7 -type f | egrep -v '\.log|cache|vim|/share/|/lib/|.zsh|.gem|\.git|LICENSE|README|/_\w+\.\w+|\blogs\b|elasticsearch|nohup|i18n' | xargs -i{} ls -alh {})"
495 | 
496 |   #大文件200mb
497 |   #有些黑客会将数据库、网站打包成一个文件然后下载
498 |   print_msg "### 大文件>200mb "
499 |   print_code "$(find / ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/boot/*" -size +200M -exec ls -alht {} + 2>/dev/null | grep -P '\.gif|\.jpeg|\.jpg|\.png|\.zip|\.tar.gz|\.tgz|\.7z|\.log|\.xz|\.rar|\.bak|\.old|\.sql|\.1|\.txt|\.tar|\.db|/\w+$' | egrep -v 'ib_logfile|ibd|mysql-bin|mysql-slow|ibdata1|overlay2')"
500 | 
501 |   #敏感文件
502 |   print_msg "### 敏感文件 "
503 |   print_code "$(find / ! -path "/lib/modules*" ! -path "/usr/src*" ! -path "/snap*" ! -path "/usr/include/*" -regextype posix-extended -regex '.*sqlmap|.*msfconsole|.*\bncat|.*\bnmap|.*nikto|.*ettercap|.*tunnel\.(php|jsp|asp|py)|.*/nc\b|.*socks.(php|jsp|asp|py)|.*proxy.(php|jsp|asp|py)|.*brook.*|.*frps|.*frpc|.*aircrack|.*hydra|.*miner|.*/ew$' -type f | egrep -v '/lib/python' | xargs -i{} ls -alh {})"
504 | 
505 |   print_msg "### 可疑黑客文件 "
506 |   print_code "$(find /root /home /opt /tmp /var/ /dev -regextype posix-extended -regex '.*wget|.*curl|.*openssl|.*mysql' -type f 2>/dev/null | xargs -i{} ls -alh {} | egrep -v '/pkgs/|/envs/|overlay2')"
507 | 
508 | }
509 | 
510 | rootkit_check() {
511 |   print_msg "## Rootkit检查"
512 |   #lsmod 可疑模块
513 |   print_msg "### lsmod 可疑模块"
514 |   print_code "$(lsmod | egrep -v 'ablk_helper|ac97_bus|acpi_power_meter|aesni_intel|ahci|ata_generic|ata_piix|auth_rpcgss|binfmt_misc|bluetooth|bnep|bnx2|bridge|cdrom|cirrus|coretemp|crc_t10dif|crc32_pclmul|crc32c_intel|crct10dif_common|crct10dif_generic|crct10dif_pclmul|cryptd|dca|dcdbas|dm_log|dm_mirror|dm_mod|dm_region_hash|drm|drm_kms_helper|drm_panel_orientation_quirks|e1000|ebtable_broute|ebtable_filter|ebtable_nat|ebtables|edac_core|ext4|fb_sys_fops|floppy|fuse|gf128mul|ghash_clmulni_intel|glue_helper|grace|i2c_algo_bit|i2c_core|i2c_piix4|i7core_edac|intel_powerclamp|ioatdma|ip_set|ip_tables|ip6_tables|ip6t_REJECT|ip6t_rpfilter|ip6table_filter|ip6table_mangle|ip6table_nat|ip6ta ble_raw|ip6table_security|ipmi_devintf|ipmi_msghandler|ipmi_si|ipmi_ssif|ipt_MASQUERADE|ipt_REJECT|iptable_filter|iptable_mangle|iptable_nat|iptable_raw|iptable_security|iTCO_vendor_support|iTCO_wdt|jbd2|joydev|kvm|kvm_intel|libahci|libata|libcrc32c|llc|lockd|lpc_ich|lrw|mbcache|megaraid_sas|mfd_core|mgag200|Module|mptbase|mptscsih|mptspi|nf_conntrack|nf_conntrack_ipv4|nf_conntrack_ipv6|nf_defrag_ipv4|nf_defrag_ipv6|nf_nat|nf_nat_ipv4|nf_nat_ipv6|nf_nat_masquerade_ipv4|nfnetlink|nfnetlink_log|nfnetlink_queue|nfs_acl|nfsd|parport|parport_pc|pata_acpi|pcspkr|ppdev|rfkill|sch_fq_codel|scsi_transport_spi|sd_mod|serio_raw|sg|shpchp|snd|snd_ac97_codec|snd_ens1371|snd_page_alloc|snd_pcm|snd_rawmidi|snd_seq|snd_seq_device|snd_seq_midi|snd_seq_midi_event|snd_timer|soundcore|sr_mod|stp|sunrpc|syscopyarea|sysfillrect|sysimgblt|tcp_lp|ttm|tun|uvcvideo|videobuf2_core|videobuf2_memops|videobuf2_vmalloc|videodev|virtio|virtio_balloon|virtio_console|virtio_net|virtio_pci|virtio_ring|virtio_scsi|vmhgfs|vmw_balloon|vmw_vmci|vmw_vsock_vmci_transport|vmware_balloon|vmwgfx|vsock|xfs|xt_CHECKSUM|xt_conntrack|xt_state|raid*|tcpbbr|btrfs|.*diag|psmouse|ufs|linear|msdos|cpuid|veth|xt_tcpudp|xfrm_user|xfrm_algo|xt_addrtype|br_netfilter|input_leds|sch_fq|ib_iser|rdma_cm|iw_cm|ib_cm|ib_core|.*scsi.*|tcp_bbr|pcbc|autofs4|multipath|hfs.*|minix|ntfs|vfat|jfs|usbcore|usb_common|ehci_hcd|uhci_hcd|ecb|crc32c_generic|button|hid|usbhid|evdev|hid_generic|overlay|xt_nat|qnx4|sb_edac|acpi_cpufreq|ixgbe|pf_ring|tcp_htcp|cfg80211|x86_pkg_temp_thermal|mei_me|mei|processor|thermal_sys|lp|enclosure|ses|ehci_pci|igb|i2c_i801|pps_core|isofs|nls_utf8|xt_REDIRECT|xt_multiport|iosf_mbi|qxl|cdc_ether|usbnet|ip6table_raw|skx_edac|intel_rapl|wmi|acpi_pad|ast|i40e|ptp|nfit|libnvdimm|bpfilter|failover|toa|tls|nft_|qemu_fw_cfg')"
515 | 
516 |   print_msg "### Rootkit 内核模块"
517 |   kernel=$(grep -E 'hide_tcp4_port|hidden_files|hide_tcp6_port|diamorphine|module_hide|module_hidden|is_invisible|hacked_getdents|hacked_kill|heroin|kernel_unlink|hide_module|find_sys_call_tbl|h4x_delete_module|h4x_getdents64|h4x_kill|h4x_tcp4_seq_show|new_getdents|old_getdents|should_hide_file_name|should_hide_task_name' </proc/kallsyms)
518 |   if [ -n "$kernel" ]; then
519 |     print_msg "存在内核敏感函数！疑似Rootkit内核模块"
520 |     print_msg "$kernel"
521 |   else
522 |     print_msg "未找到内核敏感函数"
523 |   fi
524 | 
525 |   print_msg "### 可疑的.ko模块"
526 |   print_code "$(find / ! -path '/var/lib/docker/overlay2/*' ! -path '/proc/*' ! -path '/usr/lib/modules/*' ! -path '/lib/modules/*' ! -path '/boot/*' -regextype posix-extended -regex '.*\.ko' | egrep -v 'tutor.ko')"
527 | 
528 | }
529 | 
530 | ssh_check() {
531 |   print_msg "## SSH检查"
532 |   #SSH爆破IP
533 |   print_msg "### SSH爆破"
534 |   if [ $OS = 'Centos' ]; then
535 |     print_code "$(grep -P -i -a 'authentication failure' /var/log/secure* | awk '{print $14}' | awk -F '=' '{print $2}' | grep -P '\d+\.\d+\.\d+\.\d+' | sort | uniq -c | sort -nr | head -n 25)"
536 |   else
537 |     print_code "$(grep -P -i -a 'authentication failure' /var/log/auth.* | awk '{print $14}' | awk -F '=' '{print $2}' | grep -P '\d+\.\d+\.\d+\.\d+' | sort | uniq -c | sort -nr | head -n 25)"
538 |   fi
539 | 
540 |   #SSHD
541 |   print_msg "### SSHD"
542 |   print_msg "/usr/sbin/sshd"
543 |   print_code "$(stat /usr/sbin/sshd | grep -P 'Access|Modify|Change')"
544 | 
545 |   #ssh后门配置检查
546 |   print_msg "### SSH 后门配置"
547 |   if [ -e "$HOME/.ssh/config" ]; then
548 |     print_msg "$(grep LocalCommand <~/.ssh/config)"
549 |     print_msg "$(grep ProxyCommand <~/.ssh/config)"
550 |   else
551 |     print_msg "未发现ssh配置文件"
552 |   fi
553 | 
554 |   #PAM后门检查
555 |   print_msg "### PAM 后门检测 "
556 |   ls -la /usr/lib/security 2>/dev/null
557 |   ls -la /usr/lib64/security 2>/dev/null
558 | 
559 |   print_msg "### SSH inetd后门检查 "
560 |   if [ -e "/etc/inetd.conf" ]; then
561 |     grep -E '(bash -i)' </etc/inetd.conf
562 |   fi
563 | 
564 |   print_msg "### SSH key"
565 |   user_dirs=$(ls /home)
566 |   for user_dir in $user_dirs; do
567 |     sshkey="/home/${user_dir}/.ssh/authorized_keys"
568 | 
569 |     if [ -s "${sshkey}" ]; then
570 |       print_msg "User: ${user_dir}\n"
571 |       print_code "$(cat ${sshkey})"
572 |     fi
573 |   done
574 | 
575 |   # 检查/root目录的authorized_keys文件
576 |   print_msg "### authorized_keys"
577 |   root_sshkey="/root/.ssh/authorized_keys"
578 | 
579 |   if [ -s "${root_sshkey}" ]; then
580 |     print_code "$(cat ${root_sshkey})"
581 |   else
582 |     print_code "User: root - SSH key文件不存在"
583 |   fi
584 | }
585 | 
586 | webshell_check() {
587 | 
588 |   print_msg "## Webshell检查"
589 | 
590 |   print_msg "### PHP webshell查杀"
591 |   print_code "$(grep -P -i -r -l 'array_map\(|pcntl_exec\(|proc_open\(|popen\(|assert\(|phpspy|c99sh|milw0rm|eval?\(|\(gunerpress|\(base64_decoolcode|spider_bc|shell_exec\(|passthru\(|base64_decode\s?\(|gzuncompress\s?\(|gzinflate|\(\$\$\w+|call_user_func\(|call_user_func_array\(|preg_replace_callback\(|preg_replace\(|register_shutdown_function\(|register_tick_function\(|mb_ereg_replace_callback\(|filter_var\(|ob_start\(|usort\(|uksort\(|uasort\(|GzinFlate\s?\(|\$\w+\(\d+\)\.\$\w+\(\d+\)\.|\$\w+=str_replace\(|eval\/\*.*\*\/\(' $webpath --include='*.php*' --include='*.phtml')"
592 |   print_code "$(grep -P -i -r -l '^(\xff\xd8|\x89\x50|GIF89a|GIF87a|BM|\x00\x00\x01\x00\x01)[\s\S]*<\?\s*php' $webpath --include='*.php*' --include='*.phtml')"
593 |   print_code "$(grep -P -i -r -l '\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[\/*\s]*\(+[\/*\s]*((\$_(GET|POST|REQUEST|COOKIE)\[.{0,25})|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*(\$_(GET|POST|REQUEST|COOKIE)\[.{0,25}))' $webpath --include='*.php*' --include='*.phtml')"
594 |   print_code "$(grep -P -i -r -l '\$\s*(\w+)\s*=[\s\(\{]*(\$_(GET|POST|REQUEST|COOKIE)\[.{0,25});[\s\S]{0,200}\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[\/*\s]*\(+[\s"\/*]*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\("]*\$\s*\1))' $webpath --include='*.php*' --include='*.phtml')"
595 |   print_code "$(grep -P -i -r -l '\b(filter_var|filter_var_array)\b\s*\(.*FILTER_CALLBACK[^;]*((\$_(GET|POST|REQUEST|COOKIE|SERVER)\[.{0,25})|(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec))' $webpath --include='*.php*' --include='*.phtml')"
596 |   print_code "$(grep -P -i -r -l "\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|include)\b\s*\(\s*(file_get_contents\s*\(\s*)?[\'\"]php:\/\/input" $webpath --include='*.php*' --include='*.phtml')"
597 |   print_code "$(grep -P -i -r -l 'getruntime|processimpl|processbuilder|defineclass|classloader|naming.lookup|internaldofilter|elprocessor|scriptenginemanager|urlclassloader|versionhelper|registermapping|registerhandler|detecthandlermethods|\\u0063\\u006c\\u0061\\u0073\\u0073' $webpath --include='*.php*' --include='*.phtml')"
598 |   print_code "$(grep -P -i -r -l 'phpinfo|move_uploaded_file|system|shell_exec|passthru|popen|proc_open|pcntl_exec|call_user_func|ob_start' $webpath --include='*.php*' --include='*.phtml')"
599 |   print_code "$(grep -P -i -r -l 'array_map|uasort|uksort|array_diff_uassoc|array_diff_ukey|array_intersect_uassoc|array_intersect_ukey|array_reduce|array_filter|array_udiff|array_udiff_assoc|array_udiff_uassoc|array_uintersect|array_uintersect_assoc|array_uintersect_uassoc|array_walk|array_walk_recursive|register_shutdown_function|register_tick_function|filter_var_array|yaml_parse|sqlite_create_function|fgetc|fgets|fgetss|fpassthru|fread|file_get_contents|readfile|stream_get_contents|stream_get_line|highlight_file|show_source|file_put_contents|pfsockopen|fsockopen' $webpath --include='*.php*' --include='*.phtml')"
600 | 
601 |   #JSP webshell查杀
602 |   print_msg "### JSP webshell查杀"
603 |   print_code "$(grep -P -i -r -l '<%@\spage\simport=[\s\S]*\\u00\d+\\u00\d+|<%@\spage\simport=[\s\S]*Runtime.getRuntime\(\).exec\(request.getParameter\(|Runtime.getRuntime\(\)' $webpath --include='*.jsp*' --include='*.jhtml')"
604 | 
605 | }
606 | 
607 | poison_check() {
608 | 
609 |   print_msg "## 供应链投毒检测"
610 | 
611 |   print_msg "### Python2 pip 检测"
612 |   print_code "$(pip freeze | grep -P 'istrib|djanga|easyinstall|junkeldat|libpeshka|mumpy|mybiubiubiu|nmap-python|openvc|python-ftp|pythonkafka|python-mongo|python-mysql|python-mysqldb|python-openssl|python-sqlite|virtualnv|mateplotlib|request=|aioconsol')"
613 | 
614 |   print_msg "### Python3 pip 检测"
615 |   print_code "$(pip3 freeze | grep -P 'istrib|djanga|easyinstall|junkeldat|libpeshka|mumpy|mybiubiubiu|nmap-python|openvc|python-ftp|pythonkafka|python-mongo|python-mysql|python-mysqldb|python-openssl|python-sqlite|virtualnv|mateplotlib|request=|aioconsol')"
616 | 
617 | }
618 | 
619 | miner_check() {
620 | 
621 |   print_msg "## 挖矿木马检查"
622 | 
623 |   print_msg "### 常规挖矿进程检测"
624 |   print_code "$(ps aux | grep -P "systemctI|kworkerds|init10.cfg|wl.conf|crond64|watchbog|sustse|donate|proxkekman|test.conf|/var/tmp/apple|/var/tmp/big|/var/tmp/small|/var/tmp/cat|/var/tmp/dog|/var/tmp/mysql|/var/tmp/sishen|ubyx|cpu.c|tes.conf|psping|/var/tmp/java-c|pscf|cryptonight|sustes|xmrig|xmr-stak|suppoie|ririg|/var/tmp/ntpd|/var/tmp/ntp|/var/tmp/qq|/tmp/qq|/var/tmp/aa|gg1.conf|hh1.conf|apaqi|dajiba|/var/tmp/look|/var/tmp/nginx|dd1.conf|kkk1.conf|ttt1.conf|ooo1.conf|ppp1.conf|lll1.conf|yyy1.conf|1111.conf|2221.conf|dk1.conf|kd1.conf|mao1.conf|YB1.conf|2Ri1.conf|3Gu1.conf|crant|nicehash|linuxs|linuxl|Linux|crawler.weibo|stratum|gpg-daemon|jobs.flu.cc|cranberry|start.sh|watch.sh|krun.sh|killTop.sh|cpuminer|/60009|ssh_deny.sh|clean.sh|\./over|mrx1|redisscan|ebscan|barad_agent|\.sr0|clay|udevs|\.sshd|/tmp/init|xmr|xig|ddgs|minerd|hashvault|geqn|\.kthreadd|httpdz|pastebin.com|sobot.com|kerbero|2t3ik|ddgs|qW3xt|ztctb|i2pd" | egrep -v 'grep')"
625 |   print_code "$(find / ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/boot/*" -regextype posix-extended -regex '.*systemctI|.*kworkerds|.*init10.cfg|.*wl.conf|.*crond64|.*watchbog|.*sustse|.*donate|.*proxkekman|.*cryptonight|.*sustes|.*xmrig|.*xmr-stak|.*suppoie|.*ririg|gg1.conf|.*cpuminer|.*xmr|.*xig|.*ddgs|.*minerd|.*hashvault|\.kthreadd|.*httpdz|.*kerbero|.*2t3ik|.*qW3xt|.*ztctb|.*miner.sh' -type f)"
626 | 
627 |   print_msg "### Ntpclient 挖矿木马检测"
628 |   print_code "$(find / ! -path "/proc/*" ! -path "/sys/*" ! -path "/boot/*" -regextype posix-extended -regex 'ntpclient|Mozz')"
629 |   print_code "$(ls -alh /tmp/.a /var/tmp/.a /run/shm/a /dev/.a /dev/shm/.a 2>/dev/null)"
630 | 
631 |   print_msg "### WorkMiner 挖矿木马检测"
632 |   print_code "$(ps aux | grep -P "work32|work64|/tmp/secure.sh|/tmp/auth.sh" | egrep -v 'grep')"
633 |   print_code "$(ls -alh /tmp/xmr /tmp/config.json /tmp/secure.sh /tmp/auth.sh /usr/.work/work64 2>/dev/null)"
634 | 
635 | }
636 | 
637 | risk_check() {
638 | 
639 |   print_msg "## 服务器风险/漏洞检查"
640 | 
641 |   print_msg "### Redis弱密码检测"
642 |   print_code "$(cat /etc/redis/redis.conf 2>/dev/null | grep -P '(?<=requirepass )(test|123456|admin|root|12345678|111111|p@ssw0rd|test|qwerty|zxcvbnm|123123|12344321|123qwe|password|1qaz|000000|666666|888888)')"
643 | 
644 |   print_msg "### JDWP调试检测"
645 |   if ps aux | grep -P '(?:runjdwp|agentlib:jdwp)' | egrep -v 'grep' >/dev/null 2>&1; then
646 |     print_code "存在JDWP调试高风险进程\n $(ps aux | grep -P '(?:runjdwp|agentlib:jdwp)' | egrep -v 'grep') "
647 |   fi
648 | 
649 |   print_msg "### Python http.server 列目录检测"
650 |   print_code "$(ps aux | grep -P http.server | egrep -v 'grep')"
651 | }
652 | 
653 | docker_check() {
654 | 
655 |   print_msg "## Docker信息检测"
656 | 
657 |   print_msg "### Docker运行的镜像"
658 |   print_code "$(docker ps)"
659 | 
660 |   print_msg "### 检测CAP_SYS_ADMIN权限"
661 |   if command -v capsh >/dev/null 2>&1; then
662 |     cap_sys_adminNum=$(capsh --print | grep cap_sys_admin | wc -l)
663 |     if [ $cap_sys_adminNum -gt 0 ]; then
664 |       print_code "存在CAP_SYS_ADMIN权限！"
665 |     fi
666 |   else
667 |     print_code "未发现capsh命令！"
668 |   fi
669 | 
670 |   print_msg "### 检测CAP_DAC_READ_SEARCH权限"
671 |   if command -v capsh >/dev/null 2>&1; then
672 |     cap_dac_read_searchNum=$(capsh --print | grep cap_dac_read_search | wc -l)
673 |     if [ $cap_dac_read_searchNum -gt 0 ]; then
674 |       print_code "存在CAP_DAC_READ_SEARCH！"
675 |     fi
676 |   else
677 |     print_code "未发现capsh命令！"
678 |   fi
679 | }
680 | 
681 | upload_report() {
682 | 
683 |   # 上传到指定接口
684 |   if [[ -n $webhook_url ]]; then
685 |     curl -X POST -F "file=@$filename" "$webhook_url"
686 |   fi
687 | 
688 | }
689 | 
690 | # 服务器基础信息排查
691 | base_check
692 | # 进程信息排查（CPU/内存占用，后门进程排查）
693 | process_check
694 | # 网络排查
695 | network_check
696 | # 任务计划排查
697 | crontab_check
698 | # 环境变量排查
699 | env_check
700 | # 用户文件排查
701 | user_check
702 | # 启动项排查
703 | init_check
704 | # 服务排查
705 | service_check
706 | # bash 排查
707 | bash_check
708 | # 黑客/后门文件排查
709 | file_check
710 | # rootkit 排查
711 | rootkit_check
712 | # ssh 排查
713 | ssh_check
714 | # webshell 排查
715 | webshell_check
716 | # 供应链排查
717 | poison_check
718 | # 挖矿排查
719 | miner_check
720 | # 服务器风险检测
721 | risk_check
722 | # Docker 检测
723 | docker_check
724 | # upload_report
725 | upload_report
726 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # LinuxCheck
  2 | 
  3 | Linux应急处置/信息搜集/漏洞检测工具，支持基础配置/网络流量/任务计划/环境变量/用户信息/Services/bash/恶意文件/内核Rootkit/SSH/Webshell/挖矿文件/挖矿进程/供应链/服务器风险等13类70+项检查
  4 | 
  5 | ## 更新
  6 | 
  7 | 更新日志：2024年4月20日
  8 | 
  9 | - 调整输出为Markdown报告
 10 | - 弃用ag，还是使用Linux原生的grep命令，避免额外安装
 11 | - 优化代码格式，不在每条都要tee -a
 12 | - 更新Webshell检测逻辑
 13 | - 更新authorized_keys检测逻辑
 14 | - 服务器风险检查添加JDWP和Python HTTP Server检查
 15 | - 添加Docker 容器检测
 16 | - 添加PAM后门检测
 17 | - 添加本地报告上传能力，应对批量机器应急的情况。
 18 | 
 19 | 更新日志：2022年08月05日
 20 | 
 21 | - 修复内核模块检查日志过多问题
 22 | 
 23 | 更新日志：2022年03月07日
 24 | 
 25 | - 添加SSH软连接后门检测
 26 | 
 27 | 更新日期：2021年10月17日
 28 | 
 29 | - 添加Ntpclient/WorkMiner/TeamTNT挖矿木马检测
 30 | - 添加Rootkit模块检测逻辑
 31 | - 添加Python pip投毒检测
 32 | - 添加$HOME/.profile查看
 33 | - 添加服务器风险检查(Redis)
 34 | 
 35 | ## 功能
 36 | 
 37 | * 基础配置检查
 38 |     * 系统配置改动检查
 39 |     * 系统信息（IP地址/用户/开机时间/系统版本/Hostname/服务器SN）
 40 |     * CPU使用率
 41 |     * 登录用户信息
 42 |     * CPU TOP 15
 43 |     * 内存 TOP 15
 44 |     * 磁盘剩余空间检查
 45 |     * 硬盘挂载
 46 |     * 常用软件检查
 47 |     * /etc/hots
 48 | * 网络/流量检查
 49 |     * ifconfig
 50 |     * 网络流量
 51 |     * 端口监听
 52 |     * 对外开放端口
 53 |     * 网络连接
 54 |     * TCP连接状态
 55 |     * 路由表
 56 |     * 路由转发
 57 |     * DNS Server
 58 |     * ARP
 59 |     * 网卡混杂模式检查
 60 |     * iptables 防火墙
 61 | * 任务计划检查
 62 |     * 当前用户任务计划
 63 |     * /etc/系统任务计划
 64 |     * 任务计划文件创建时间
 65 |     * crontab 后门排查
 66 | * 环境变量检查
 67 |     * env
 68 |     * path
 69 |     * LD_PRELOAD
 70 |     * LD_ELF_PRELOAD
 71 |     * LD_AOUT_PRELOAD
 72 |     * PROMPT_COMMAND
 73 |     * LD_LIBRARY_PATH
 74 |     * ld.so.preload
 75 | * 用户信息检查
 76 |     * 可登陆用户
 77 |     * passwd文件修改日期
 78 |     * sudoers
 79 |     * 登录信息（w/last/lastlog）
 80 |     * 历史登陆ip
 81 | * Services 检查
 82 |     * SystemD运行服务
 83 |     * SystemD服务创建时间
 84 | * bash检查
 85 |     * History
 86 |     * History命令审计
 87 |     * /etc/profile
 88 |     * $HOME/.profile
 89 |     * /etc/rc.local
 90 |     * ~/.bash_profile
 91 |     * ~/.bashrc
 92 |     * bash反弹shell
 93 | * 文件检查
 94 |     * ...隐藏文件
 95 |     * 系统文件修改时间检测
 96 |     * 临时文件检查（/tmp /var/tmp /dev/shm）
 97 |     * alias
 98 |     * suid特殊权限检查
 99 |     * 进程存在文件未找到
100 |     * 近七天文件改动 mtime
101 |     * 近七天文件改动 ctime
102 |     * 大文件>200mb
103 |     * 敏感文件审计（nmap/sqlmap/ew/frp/nps等黑客常用工具）
104 |     * 可疑黑客文件（黑客上传的wget/curl等程序，或者将恶意程序改成正常软件例如nps文件改为mysql）
105 | * 内核Rootkit 检查
106 |     * lsmod 可疑模块
107 |     * 内核符号表检查
108 |     * rootkit hunter 检查
109 |     * rootkit .ko模块检查
110 | * SSH检查
111 |     * SSH 爆破
112 |     * SSHD 检测
113 |     * SSH 后门配置
114 |     * SSH inetd后门检查
115 |     * SSH key
116 | * Webshell 检查
117 |     * php webshell检查
118 |     * jsp webshell检查
119 | * 挖矿文件/进程检查
120 |     * 挖矿文件检查
121 |     * 挖矿进程检查
122 |     * WorkMiner检测
123 |     * Ntpclient检测
124 | * 供应链投毒检查
125 |     * Python PIP 投毒检查
126 | * 服务器风险检查
127 |     * Redis弱密码检测
128 |     * JDWP 服务检测
129 |     * Python http.server 检测
130 | * Docker 权限检查
131 | 
132 | ## Usage
133 | 
134 | 第一种方式：通过git clone 安装
135 | 
136 | ```bash
137 | git clone https://github.com/al0ne/LinuxCheck.git
138 | chmod u+x LinuxCheck.sh
139 | ./LinuxCheck.sh  
140 | ```
141 | 第二种方式：直接在线调用【在线调用就没办法使用报告上传的能力】
142 | 
143 | ```
144 | bash -c "$(curl -sSL https://raw.githubusercontent.com/al0ne/LinuxCheck/master/LinuxCheck.sh)"  
145 | ```
146 | 
147 | 文件会保存成ipaddr_hostname_username_timestamp.log 这种格式
148 | 
149 | ### 报告自动上传
150 | 
151 | 如果是批量机器下发，脚本执行后会自动提交到某一个url下，将脚本里面的webhook_url 改成你自己的地址
152 | 
153 | ```shell
154 | # 报告上报的地址
155 | webhook_url='http://localhost:5000/upload'
156 | 
157 | upload_report() {
158 | 
159 |   # 上传到指定接口
160 |   if [[ -n $webhook_url ]]; then
161 |     curl -X POST -F "file=@$filename" "$webhook_url"
162 |   fi
163 | 
164 | }
165 | ```
166 | 
167 | 在你的服务器上用Flask起一个服务，接收服务器上报的Markdown报告。
168 | 
169 | ```python
170 | from flask import Flask, request
171 | 
172 | app = Flask(__name__)
173 | 
174 | @app.route('/upload', methods=['POST'])
175 | def upload_file():
176 |     if 'file' not in request.files:
177 |         return "No file part", 400
178 |     file = request.files['file']
179 |     if file.filename == '':
180 |         return "No selected file", 400
181 |     if file:
182 |         filename = file.filename
183 |         file.save(filename)
184 |         return "File successfully uploaded", 200
185 | 
186 | if __name__ == '__main__':
187 |     app.run(debug=True, host="0.0.0.0", port=9999)
188 | ```
189 | 
190 | 
191 | 
192 | ## 参考
193 | 
194 | 此工具的编写主要参考了以下几款工具/文章并结合个人经验完成
195 | 
196 | Linenum
197 | https://github.com/lis912/Evaluation_tools  
198 | https://ixyzero.com/blog/archives/4.html  
199 | https://github.com/T0xst/linux   
200 | https://github.com/grayddq/GScan  
201 | 


--------------------------------------------------------------------------------
/rkhunter.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/al0ne/LinuxCheck/468c9620ec8dd987149486eec434ea358fb161f2/rkhunter.tar.gz


--------------------------------------------------------------------------------
/silversearcher-ag_2.2.0-1+b1_amd64.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/al0ne/LinuxCheck/468c9620ec8dd987149486eec434ea358fb161f2/silversearcher-ag_2.2.0-1+b1_amd64.deb


--------------------------------------------------------------------------------
/silversearcher-ag_2.2.0-1_i386.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/al0ne/LinuxCheck/468c9620ec8dd987149486eec434ea358fb161f2/silversearcher-ag_2.2.0-1_i386.deb


--------------------------------------------------------------------------------
/the_silver_searcher-2.1.0-1.el6.x86_64.rpm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/al0ne/LinuxCheck/468c9620ec8dd987149486eec434ea358fb161f2/the_silver_searcher-2.1.0-1.el6.x86_64.rpm


--------------------------------------------------------------------------------
/the_silver_searcher-2.1.0-1.el7.x86_64.rpm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/al0ne/LinuxCheck/468c9620ec8dd987149486eec434ea358fb161f2/the_silver_searcher-2.1.0-1.el7.x86_64.rpm


--------------------------------------------------------------------------------