机器被黑以后处理步骤

Posted by CnFeat on October 9, 2017

前言

如果你管理的服务器被黑了,你该如何分辨?

具体介绍及操作

1、入侵者可能会删除机器的日志信息,查看日志信息是否存在

[root@linux-node1 ~]# ll /var/log/
[root@linux-node1 ~]# du -sh /var/log/*

2、查看是否修改了用户名及密码文件

[root@linux-node1 ~]# cat /etc/passwd
[root@linux-node1 ~]# cat /etc/shadow

3、查看是否创建了一个新的存放用户名及密码文件

[root@linux-node1 ~]# ll /etc/pass*
-rw-r--r--  1 root root 1971 7月  17 12:30 /etc/passwd
-rw-r--r--. 1 root root 1904 7月  14 11:37 /etc/passwd-
[root@linux-node1 ~]# ll /etc/sha*
----------  1 root root 1315 7月  17 12:30 /etc/shadow
----------. 1 root root 1294 7月  14 11:37 /etc/shadow-

4、查看机器最近成功登陆的时间和最后一次不成功登陆时间

[root@linux-node1 ~]# lastlog 

5、查看机器当前登录的全部用户

[root@linux-node1 ~]# who
root     pts/0        2017-10-09 10:49 (192.168.56.1)

6、查看机器创建以来登陆过的用户

[root@linux-node1 ~]# last
root     pts/0        192.168.56.1     Mon Oct  9 10:49   still logged in   
reboot   system boot  3.10.0-327.22.2. Mon Oct  9 10:45 - 11:28  (00:42)    
reboot   system boot  3.10.0-327.22.2. Mon Oct  9 10:42 - 11:28  (00:45)    
root     pts/0        192.168.56.1     Fri Sep  8 16:41 - crash (30+18:00)  
root     tty1                          Fri Sep  8 16:31 - crash (30+18:10)  

7、查看机器所有用户的连接时间(这个命令需要单独安装)

[root@linux-node1 ~]# ac -dp

8、如果发现机器产生了异常流量,可以使用命令tcpdump来抓取网络包查看流量情况或者使用工具iperf查看流量情况

9、查看/var/log/secure日志文件,尝试发现入侵者的信息

[root@linux-node1 ~]# cat /var/log/secure | grep -i "accepted password"
Oct  9 11:39:36 linux-node1 sshd[4481]: Accepted password for root from 192.168.56.12 port 54850 ssh2

10、查看异常进程所对应的执行脚本文件

top查看异常进程对应的PID

[root@linux-node1 ~]# top
top - 12:26:40 up  1:40,  2 users,  load average: 0.02, 0.06, 0.05
Tasks: 350 total,   3 running, 347 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.3 us,  0.7 sy,  0.7 ni, 97.7 id,  0.7 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem :  1009540 total,   278304 free,   398300 used,   332936 buff/cache
KiB Swap:  2097148 total,  1564324 free,   532824 used.   556332 avail Mem 

   PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND                                                                                      
  1613 logstash  39  19 3190996  95628   5600 S  1.0  9.5   1:39.21 /bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatin+
  5121 root      20   0  157972   2468   1552 R  0.3  0.2   0:00.15 top                                                    

在虚拟文件系统目录查找该进程的可执行文件

[root@linux-node1 ~]# ll /proc/1613|grep -i exe
lrwxrwxrwx  1 logstash logstash 0 10月  9 10:46 exe -> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.101-3.b13.el7_2.x86_64/jre/bin/java
[root@linux-node1 ~]# ll /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.101-3.b13.el7_2.x86_64/jre/bin/java
-rwxr-xr-x 1 root root 7336 7月  20 2016 /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.101-3.b13.el7_2.x86_64/jre/bin/java

11、如果确定被入侵,重要文件已经被删除,可以舱室找回删除文件

假设我手动删除secure然后在找回

[root@linux-node1 ~]# rm -f /var/log/secure
[root@linux-node1 ~]# ll /var/log/secure
ls: 无法访问/var/log/secure: 没有那个文件或目录

[root@linux-node1 ~]# lsof|grep /var/log/secure
rsyslogd  1229          root    7w      REG              253,0       206       2826 /var/log/secure (deleted)
in:imjour 1229 1251     root    7w      REG              253,0       206       2826 /var/log/secure (deleted)
rs:main   1229 1252     root    7w      REG              253,0       206       2826 /var/log/secure (deleted)


查看需要恢复得数据
[root@linux-node1 ~]# tail /proc/1229/fd/7
Oct  9 11:39:36 linux-node1 sshd[4481]: Accepted password for root from 192.168.56.12 port 54850 ssh2
Oct  9 11:39:36 linux-node1 sshd[4481]: pam_unix(sshd:session): session opened for user root by (uid=0)
[root@linux-node1 ~]# cat /proc/1229/fd
fd/     fdinfo/ 

恢复
[root@linux-node1 ~]# cat /proc/1229/fd/4 >/var/log/secure
[root@linux-node1 ~]# head /var/log/secure
Oct  9 11:39:36 linux-node1 systemd: Started Session 8 of user root.
Oct  9 11:39:36 linux-node1 systemd-logind: New session 8 of user root.
Oct  9 11:39:36 linux-node1 systemd: Starting Session 8 of user root.
Oct  9 11:40:01 linux-node1 systemd: Started Session 9 of user root.
Oct  9 11:40:01 linux-node1 systemd: Starting Session 9 of user root.
Oct  9 11:50:01 linux-node1 systemd: Started Session 10 of user root.
Oct  9 11:50:01 linux-node1 systemd: Starting Session 10 of user root.
Oct  9 12:00:01 linux-node1 systemd: Started Session 11 of user root.
Oct  9 12:00:01 linux-node1 systemd: Starting Session 11 of user root.
Oct  9 12:01:01 linux-node1 systemd: Started Session 12 of user root.
[root@linux-node1 ~]# 


参考blog: http://www.cnblogs.com/stonehe/p/7562374.html