在使用腳本前需要安裝 ag 命令。
安裝方式如下:
[root@xinsz08-63 LinuxCheck]# yum install epel-release
[root@xinsz08-63 LinuxCheck]# yum install the_silver_searcher
ag的平常使用:
ag 類似於 grep 和 find,但執行效率比後兩者高。
ag -g a.txt 查找名字爲a.txt的文件
ag -i test 忽略大小寫搜索包含test的文本
ag -A 5 abc 顯示搜索到的包含 abc 的行以及其後的 5 行文本信息
演示:
[root@xinsz08-63 ~]# cp /etc/passwd /root/passwd
[root@xinsz08-63 ~]# ag -A 5 geoc passwd
34:geoclue:x:992:986:User for geoclue:/var/lib/geoclue:/sbin/nologin
35-setroubleshoot:x:991:985::/var/lib/setroubleshoot:/sbin/nologin
36-saned:x:990:984:SANE scanner daemon user:/usr/share/sane:/sbin/nologin
37-gdm:x:42:42::/var/lib/gdm:/sbin/nologin
38-gnome-initial-setup:x:989:983::/run/gnome-initial-setup/:/sbin/nologin
39-sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
此腳本涉及系統的安全檢測,例如 MD5 校驗、檢測常用命令是否被人改動過、檢測是否有挖礦病毒、是否有***、登錄用戶是否正常等等。
#!/usr/bin/env bash 3 echo "" 4 echo " ========================================================= " 5 echo " \ Linux應急響應/信息蒐集腳本 V3.0 / " 6 echo " ========================================================= " 7 echo " # 支持Centos、Debian系統檢測 " 8 echo " # author:al0ne " 9 echo " # https://github.com/al0ne " 10 echo -e "\n" 11 12 # WEB Path 13 # 設置web目錄 默認的話是從/目錄去搜索 性能較慢 14 webpath='/' 15 16 echo -e "\e[00;31m[+]環境檢測\e[00m" 17 # 驗證是否爲root權限 18 if [ $UID -ne 0 ]; then 19 echo -e "\n\e[00;33m請使用root權限運行 \e[00m" 20 exit 1 21 else 22 echo -e "\e[00;32m當前爲root權限 \e[00m" 23 fi 24 25 # 驗證操做系統是debian系仍是centos 26 OS='None' 27 28 if [ -e "/etc/os-release" ]; then 29 source /etc/os-release 30 case ${ID} in 31 "debian" | "ubuntu" | "devuan") 32 OS='Debian' 33 ;; 34 "centos" | "rhel fedora" | "rhel") 35 OS='Centos' 36 ;; 37 *) ;; 38 esac 39 fi 40 41 if [ $OS = 'None' ]; then 42 if command -v apt-get >/dev/null 2>&1; then 43 OS='Debian' 44 elif command -v yum >/dev/null 2>&1; then 45 OS='Centos' 46 else 47 echo -e "\n不支持這個系統\n" 48 echo -e "已退出" 49 exit 1 50 fi 51 fi 52 53 #ifconfig 54 if ifconfig >/dev/null 2>&1; then 55 echo -e "\e[00;32mifconfig已安裝 \e[00m" 56 else 57 if [ $OS = 'Centos' ]; then 58 yum -y install net-tools >/dev/null 2>&1 59 else 60 apt-get -y install net-tools >/dev/null 2>&1 61 fi 62 63 fi 64 65 #Centos安裝lsof 66 if lsof -v >/dev/null 2>&1; then 69 if [ $OS = 'Centos' ]; then 70 yum -y install lsof >/dev/null 2>&1 71 else 72 apt-get -y install lsof >/dev/null 2>&1 73 fi 74 75 fi 80 else 81 if [ $OS = 'Centos' ]; then 82 yum -y install the_silver_searcher >/dev/null 2>&1 83 else 85 fi 86 87 fi 88 89 echo -e "\n" 90 91 # 設置保存文件 94 filename=$ipaddress'_'$(hostname)'_'$(whoami)'_'$(date +%s)'.log' 95 96 #對比hash,看看有沒有系統文件被替換掉 99 rpm -Va | tee -a $filename102 debsums -e | ag -v 'OK' | tee -a $filename107 #當前用戶108 echo -e "USER:\t\t" $(whoami) 2>/dev/null | tee -a $filename109 #版本信息110 echo -e "OS Version:\t" $(uname -r) | tee -a $filename111 #主機名112 echo -e "Hostname: \t" 
# NOTE(review): this block is a garbled web paste of the LinuxCheck script: the
# original file's line numbers are fused into the text and many lines are absent
# (e.g. 67-68, 76-79, 92-93, 97-98, 100-101, 103-106, 159-161, 238-241 as numbered
# in the listing), so the text neither parses nor runs as-is; obtain the upstream
# file rather than copying this listing.
# NOTE(review): `source /etc/os-release` (listing line 29) executes that file as
# root on the host being triaged; a tampered os-release would run arbitrary
# commands. Reading the `ID=` line with grep or parameter expansion avoids that.
# NOTE(review): the `yum -y install` / `apt-get -y install` calls (listing lines
# 58-82) alter the package database and logs of the evidence host before any
# artefact is collected; a live-response toolkit should ship its own binaries.
$(hostname -s) | tee -a $filename113 #uptime115 #cpu信息117 #ipaddress120 echo -e "\n" | tee -a $filename121 126 "Used " (total-free)/total*100"%"}' | tee -a $filename127 done 128 echo -e "\n" | tee -a $filename129 #登錄用戶 130 echo -e "\e[00;31m[+]登錄用戶\e[00m" | tee -a $filename131 who $filename132 echo -e "\n" | tee -a $filename133 #CPU佔用TOP 15 136 #內存佔用TOP 15 139 #內存佔用 142 echo -e "\n" | tee -a $filename143 #剩餘空間 146 echo -e "\n" | tee -a $filename147 echo -e "\e[00;31m[+]硬盤掛載\e[00m" | tee -a $filename149 echo -e "\n" | tee -a $filename150 #ifconfig 151 echo -e "\e[00;31m[+]ifconfig\e[00m" | tee -a $filename152 /sbin/ifconfig -a | tee -a $filename155 echo -e "\e[00;31m[+]網絡流量 \e[00m" | tee -a $filename157 awk ' NR>2' /proc/net/dev | while read line; do 158 echo "$line" | awk -F ':' '{print " "$1" " $2}' | \ 162 #端口監聽 163 echo -e "\e[00;31m[+]端口監聽\e[00m" | tee -a $filename164 netstat -tulpen | ag 'tcp|udp.*' --nocolor | tee -a $filename165 echo -e "\n" | tee -a $filename166 #對外開放端口 167 echo -e "\e[00;31m[+]對外開放端口\e[00m" | tee -a $filename169 echo -e "\n" | tee -a $filename170 #網絡鏈接 173 echo -e "\n" | tee -a $filename174 #鏈接狀態 175 echo -e "\e[00;31m[+]TCP鏈接狀態\e[00m" | tee -a $filename177 echo -e "\n" | tee -a $filename180 /sbin/route -nee | tee -a $filename181 echo -e "\n" | tee -a $filename182 #路由轉發 183 echo -e "\e[00;31m[+]路由轉發\e[00m" | tee -a $filename185 if [ -n "$ip_forward" ]; then 187 else 188 echo "該服務器未開啓路由轉發" | tee -a $filename189 fi 190 echo -e "\n" | tee -a $filename191 #DNS 192 echo -e "\e[00;31m[+]DNS Server\e[00m" | tee -a $filename194 echo -e "\n" | tee -a $filename195 #ARP 196 echo -e "\e[00;31m[+]ARP\e[00m" | tee -a $filename197 arp -n -a | tee -a $filename198 echo -e "\n" | tee -a $filename199 #混雜模式 200 echo -e "\e[00;31m[+]網卡混雜模式\e[00m" | tee -a $filename201 if ip link | ag PROMISC >/dev/null 2>&1; then 202 echo "網卡存在混雜模式!" 
# NOTE(review): `$filename` (listing line 94) is built from `$ipaddress`, which is
# not assigned anywhere in the visible text (listing lines 92-93 are absent), and
# it is never quoted in the `tee -a $filename` calls; an empty or
# whitespace-containing value sends output to the wrong file. Quote it:
# `tee -a "$filename"`.
# NOTE(review): `who $filename` (listing line 131) looks like a lost `| tee -a`
# in the paste — as written it hands the log name to `who` as a utmp file.
# NOTE(review): the log lands in the current directory of the evidence host
# (`filename` carries no directory); prefer a dedicated mount point or remote
# sink so triage output is not mixed with the filesystem under investigation.
| tee -a $filename203 else 204 echo "網卡不存在混雜模式" | tee -a $filename205 206 fi 207 echo -e "\n" | tee -a $filename208 #安裝軟件 209 echo -e "\e[00;31m[+]經常使用軟件\e[00m" | tee -a $filename210 cmdline=( 211 "which perl" 212 "which gcc" 213 "which g++" 214 "which python" 215 "which php" 216 "which cc" 217 "which go" 218 "which node" 219 "which nodejs" 220 "which bind" 221 "which tomcat" 222 "which clang" 223 "which ruby" 224 "which curl" 225 "which wget" 228 "which ssserver" 229 "which vsftpd" 230 "which java" 231 "which apache" 232 "which nginx" 233 "which git" 234 "which mongodb" 235 "which docker" 236 "which tftp" 237 "which psql" 242 if [ "$soft" ] 2>/dev/null; then 244 fi 245 done 246 echo -e "\n" | tee -a $filename247 #crontab 248 echo -e "\e[00;31m[+]Crontab\e[00m" | tee -a $filename249 crontab -u root -l | ag -v '#' --nocolor | tee -a $filename250 ls -alht /etc/cron.*/* | tee -a $filename251 echo -e "\n" | tee -a $filename252 #crontab可疑命令253 echo -e "\e[00;31m[+]Crontab Backdoor \e[00m" | tee -a $filename255 echo -e "\n" | tee -a $filename256 #env257 echo -e "\e[00;31m[+]env\e[00m" | tee -a $filename258 env | tee -a $filename259 echo -e "\n" | tee -a $filename260 #PATH261 echo -e "\e[00;31m[+]PATH\e[00m" | tee -a $filename262 echo $PATH | tee -a $filename263 echo -e "\n" | tee -a $filename264 #LD_PRELOAD265 echo -e "\e[00;31m[+]LD_PRELOAD\e[00m" | tee -a $filename266 echo ${LD_PRELOAD} | tee -a $filename267 echo -e "\n" | tee -a $filename268 #LD_ELF_PRELOAD269 echo -e "\e[00;31m[+]LD_ELF_PRELOAD\e[00m" | tee -a $filename270 echo ${LD_ELF_PRELOAD} | tee -a $filename271 echo -e "\n" | tee -a $filename274 echo ${LD_LIBRARY_PATH} | tee -a $filename279 if [ -e "${preload}" ]; then280 cat ${preload} | tee -a $filename281 else282 echo -e "/etc/ld.so.preload 文件不存在" | tee -a $filename283 fi284 echo -e "\n" | tee -a $filename285 #passwd信息286 echo -e "\e[00;31m[+]可登錄用戶\e[00m" | tee -a $filename287 cat /etc/passwd | ag -v 'nologin$|false$' | tee -a $filename288 echo -e "\n" | tee 
# NOTE(review): the `crontab -u root -l | ag -v '#'` filter (listing line 249; the
# same pattern is applied to /etc/hosts, /etc/rc.local and ~/.bash_profile on
# listing lines 329-341) drops every line that contains `#` anywhere, including a
# real job whose URL or argument carries one; anchor it (`ag -v '^\s*#'`) so
# only comment lines are hidden.
# NOTE(review): `env`, `echo $PATH`, `${LD_PRELOAD}` and `${LD_LIBRARY_PATH}`
# (listing lines 258-274) report the environment of the shell running this
# script, not that of any suspect process; compare with /proc/<pid>/environ for
# the processes of interest.
# NOTE(review): the `which ...` probes (listing lines 211-237) resolve through
# this shell's PATH, so a binary installed outside it is reported as absent.
-a $filename290 echo -e "\n" | tee -a $filename293 echo -e "\n" | tee -a $filename294 #防火牆298 #登錄信息299 echo -e "\e[00;31m[+]登陸信息\e[00m" | tee -a $filename300 w | tee -a $filename301 echo -e "\n" | tee -a $filename304 lastlog | tee -a $filename307 echo -e "\n" | tee -a $filename308 #SSH爆破IP309 echo -e "\e[00;31m[+]SSH爆破\e[00m" | tee -a $filename318 fi319 echo -e "\n" | tee -a $filename320 #查看history文件321 echo -e "\e[00;31m[+]History\e[00m" | tee -a $filename322 ls -alht ~/.*_history | tee -a $filename323 ls -alht /root/.*_history | tee -a $filename324 echo -e "\n" | tee -a $filename326 echo -e "\n" | tee -a $filename327 #HOSTS328 echo -e "\e[00;31m[+]/etc/hosts \e[00m" | tee -a $filename329 cat /etc/hosts | ag -v "#" | tee -a $filename330 echo -e "\n" | tee -a $filename331 #/etc/profile334 echo -e "\n" | tee -a $filename335 #/etc/rc.local336 echo -e "\e[00;31m[+]/etc/rc.local \e[00m" | tee -a $filename337 cat /etc/rc.local | ag -v '#' | tee -a $filename340 echo -e "\e[00;31m[+]~/.bash_profile \e[00m" | tee -a $filename341 cat ~/.bash_profile | ag -v '#' | tee -a $filename342 echo -e "\n" | tee -a $filename343 #~/.bashrc346 echo -e "\n" | tee -a $filename347 #bash反彈shell348 echo -e "\e[00;31m[+]bash反彈shell \e[00m" | tee -a $filename350 echo -e "\n" | tee -a $filename351 #SSHD352 echo -e "\e[00;31m[+]SSHD \e[00m" | tee -a $filename353 echo -e "/usr/sbin/sshd"360 echo -e "\n" | tee -a $filename361 #tmp目錄362 echo -e "\e[00;31m[+]/tmp \e[00m" | tee -a $filename363 ls /tmp /var/tmp /dev/shm -alht | tee -a $filename364 echo -e "\n" | tee -a $filename365 #alias 別名372 echo -e "\n" | tee -a $filename378 #近7天改動381 echo -e "\n" | tee -a $filename382 #近7天改動387 #有些***會將數據庫、網站打包成一個文件而後下載388 echo -e "\e[00;31m[+]大文件>100mb \e[00m" | tee -a $filename424 echo -e "\n" | tee -a $filename425 #挖礦***檢測426 echo -e "\e[00;31m[+]挖礦***檢測\e[00m" | tee -a $filename428 echo -e "\n" | tee -a $filename429 #Rkhunter查殺432 rkhunter --checkall --sk | ag -v 'OK|Not found|None found'433 else434 if [ -e 
# NOTE(review): the rkhunter fallback (listing lines 440-445) fetches
# rkhunter.tar.gz with wget, unpacks it and runs `./installer.sh --install` as
# root with no checksum or signature check on the archive; verify a pinned
# digest before `tar -zxvf`, and write `cd rkhunter-1.4.6/ || exit 1` so a
# failed cd cannot execute an `installer.sh` sitting in the working directory.
# NOTE(review): the `| ag -v 'OK|Not found|None found'` post-filter on the
# rkhunter output (listing lines 432/438/445) also hides any warning whose text
# happens to contain those words, and that output is not sent to the log file
# at all; keep an unfiltered copy in `$filename`.
"rkhunter.tar.gz" ]; then435 tar -zxvf rkhunter.tar.gz >/dev/null 2>&1 436 cd rkhunter-1.4.6/ 437 ./installer.sh --install >/dev/null 2>&1 438 rkhunter --checkall --sk | ag -v 'OK|Not found|Non e found'439 else440 echo -e "找不到rkhunter.tar.gz嘗試下載"441 wget https://github.com/al0ne/LinuxCheck/raw/maste r/rkhunter.tar.gz >/dev/null 2>&1;442 tar -zxvf rkhunter.tar.gz >/dev/null 2>&1 443 cd rkhunter-1.4.6/ 444 ./installer.sh --install >/dev/null 2>&1 445 rkhunter --checkall --sk | ag -v 'OK|Not found|Non e found'446 fi447 fi
執行後如下: