From 52a47c88b61ef9bea304745a73449574f32bfc78 Mon Sep 17 00:00:00 2001
From: al0ne <13449320+al0ne@users.noreply.github.com>
Date: 2022年9月24日 16:27:14 +0800
Subject: [PATCH 1/6] Update LinuxCheck.sh
---
 LinuxCheck.sh | 72 +++++++++++++++++++++++++--------------------------
 1 file changed, 35 insertions(+), 37 deletions(-)
diff --git a/LinuxCheck.sh b/LinuxCheck.sh
index c285391..74529ec 100644
--- a/LinuxCheck.sh
+++ b/LinuxCheck.sh
@@ -7,30 +7,38 @@ echo " ========================================================= "
 echo " # 支持Centos、Debian系统检测 "
 echo " # author:al0ne "
 echo " # https://github.com/al0ne "
-echo " # 更新日期:2021年10月17日 "
+echo " # 更新日期:2022年08月5日 "
 echo " # 参考来源: "
 echo " # 1.Gscan https://github.com/grayddq/GScan "
 echo " # 2.Lynis https://github.com/CISOfy/lynis "
 echo -e "\n"
+# 更新日志:2022年08月05日
+#### 修复内核模块检查日志过多问题
+# 更新日志:2022年03月07日
+#### 添加SSH软连接后门检测
 # 更新日期:2021年10月17日
-# 添加Ntpclient/WorkMiner/TeamTNT挖矿木马检测
-# 添加Rootkit模块检测逻辑
-# 添加Python pip投毒检测
-# 添加$HOME/.profile查看
-# 添加服务器风险检查(Redis)
+#### 添加Ntpclient/WorkMiner/TeamTNT挖矿木马检测
+#### 添加Rootkit模块检测逻辑
+#### 添加Python pip投毒检测
+#### 添加$HOME/.profile查看
+#### 添加服务器风险检查(Redis)
 # WEB Path 设置web目录 默认的话是从/目录去搜索 性能较慢
 webpath='/'
+print_msg() {
+ echo -e "\e[00;31m[+]1ドル\e[00m"
+}
+
 ### 1.环境检查 ###
-echo -e "\e[00;31m[+]环境检测\e[00m"
+print_msg "环境检测"
 # 验证是否为root权限
 if [ $UID -ne 0 ]; then
- echo -e "\n\e[00;33m请使用root权限运行 \e[00m"
+ print_msg "请使用root权限运行!"
 exit 1
 else
- echo -e "\e[00;32m当前为root权限 \e[00m"
+ print_msg "当前为root权限"
 fi
 # 验证操作系统是debian系还是centos
@@ -69,12 +77,11 @@ cmdline=(
 "lrzsz"
 "wget"
 "strace"
+ "traceroute"
 "htop"
 "tar"
 "lsof"
 "tcpdump"
- "the_silver_searcher"
- "silversearcher-ag"
 )
 for prog in "${cmdline[@]}"; do
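Review bot: The new `print_msg` helper passes its argument through `echo -e`, so any backslash sequence inside a message is interpreted rather than printed, and `\e` is a bash-only echo escape; `printf '\033[00;31m[+]%s\033[00m\n' "$1"` prints the text verbatim and is portable across shells. The failure path of the root check now also goes through the same red `[+]` heading style as normal progress output, whereas the removed line used a distinct yellow warning, so the error is no longer visually distinguishable; writing that message to stderr (`>&2`) or via a separate warning helper would restore the distinction.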
@@ -83,11 +90,13 @@ for prog in "${cmdline[@]}"; do
 if echo "$soft" | grep -E '没有安装|未安装|not installed'>/dev/null 2>&1; then
 echo -e "$prog 安装中......"
 yum install -y "$prog">/dev/null 2>&1
+ yum install -y the_silver_searcher>/dev/null 2>&1
 fi
 else
 if dpkg -L $prog | grep 'does not contain any files'>/dev/null 2>&1; then
 echo -e "$prog 安装中......"
 apt install -y "$prog">/dev/null 2>&1
+ apt install -y silversearcher-ag>/dev/null 2>&1
 fi
 fi
@@ -138,8 +147,8 @@ base_check() {
 cpu=$(ps aux | grep -v ^'USER' | sort -rn -k3 | head -15) 2>/dev/null
 echo -e "\e[00;31m[+]CPU TOP15: \e[00m\n${cpu}\n" | tee -a "$filename"
 #内存占用TOP 15
- cpu=$(ps aux | grep -v ^'USER' | sort -rn -k3 | head -15) 2>/dev/null
- echo -e "\e[00;31m[+]内存占用 TOP15: \e[00m\n${cpu}\n" | tee -a "$filename"
+ mem=$(ps aux | grep -v ^'USER' | sort -rn -k4 | head -15) 2>/dev/null
+ echo -e "\e[00;31m[+]内存占用 TOP15: \e[00m\n${mem}\n" | tee -a "$filename"
 #内存占用
 echo -e "\e[00;31m[+]内存占用\e[00m" | tee -a "$filename"
 free -mh | tee -a "$filename"
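Review bot: The two added `ag` installs sit inside the per-package "not installed" branches, so they are re-run for every tool found missing and never run at all when every entry of `cmdline` is already present — and the preceding hunk removed `"the_silver_searcher"` and `"silversearcher-ag"` from `cmdline`, so ag is now only installed as a side effect of some other package being absent. Unless this is handled outside the hunk, install it once after the loop behind a presence check, e.g. `command -v ag >/dev/null 2>&1 || yum install -y the_silver_searcher >/dev/null 2>&1` with the matching `apt install -y silversearcher-ag` line in the Debian branch. The `for` loop body continues outside the hunk.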
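Review bot: In the new `mem=$(ps aux | … | head -15) 2>/dev/null` line, as in the `cpu=` line above it, the redirection is attached to the bare assignment rather than to the pipeline inside the substitution; bash expands the substitution before that redirection takes effect, so errors from `ps`/`sort` are not actually silenced. Move it inside the substitution, `mem=$(ps aux 2>/dev/null | grep -v ^'USER' | sort -rn -k4 | head -15)`, which also makes the intent explicit. `base_check` continues outside the hunk.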
@@ -457,7 +466,7 @@ rootkit_check() { echo -e "############ Rootkit检查 ############\n" | tee -a "$vuln" #lsmod 可疑模块 echo -e "\e[00;31m[+]lsmod 可疑模块\e[00m" | tee -a "$vuln" - lsmod | ag -v "ablk_helper|ac97_bus|acpi_power_meter|aesni_intel|ahci|ata_generic|ata_piix|auth_rpcgss|binfmt_misc|bluetooth|bnep|bnx2|bridge|cdrom|cirrus|coretemp|crc_t10dif|crc32_pclmul|crc32c_intel|crct10dif_common|crct10dif_generic|crct10dif_pclmul|cryptd|dca|dcdbas|dm_log|dm_mirror|dm_mod|dm_region_hash|drm|drm_kms_helper|drm_panel_orientation_quirks|e1000|ebtable_broute|ebtable_filter|ebtable_nat|ebtables|edac_core|ext4|fb_sys_fops|floppy|fuse|gf128mul|ghash_clmulni_intel|glue_helper|grace|i2c_algo_bit|i2c_core|i2c_piix4|i7core_edac|intel_powerclamp|ioatdma|ip_set|ip_tables|ip6_tables|ip6t_REJECT|ip6t_rpfilter|ip6table_filter|ip6table_mangle|ip6table_nat|ip6ta ble_raw|ip6table_security|ipmi_devintf|ipmi_msghandler|ipmi_si|ipmi_ssif|ipt_MASQUERADE|ipt_REJECT|iptable_filter|iptable_mangle|iptable_nat|iptable_raw|iptable_security|iTCO_vendor_support|iTCO_wdt|jbd2|joydev|kvm|kvm_intel|libahci|libata|libcrc32c|llc|lockd|lpc_ich|lrw|mbcache|megaraid_sas|mfd_core|mgag200|Module|mptbase|mptscsih|mptspi|nf_conntrack|nf_conntrack_ipv4|nf_conntrack_ipv6|nf_defrag_ipv4|nf_defrag_ipv6|nf_nat|nf_nat_ipv4|nf_nat_ipv6|nf_nat_masquerade_ipv4|nfnetlink|nfnetlink_log|nfnetlink_queue|nfs_acl|nfsd|parport|parport_pc|pata_acpi|pcspkr|ppdev|rfkill|sch_fq_codel|scsi_transport_spi|sd_mod|serio_raw|sg|shpchp|snd|snd_ac97_codec|snd_ens1371|snd_page_alloc|snd_pcm|snd_rawmidi|snd_seq|snd_seq_device|snd_seq_midi|snd_seq_midi_event|snd_timer|soundcore|sr_mod|stp|sunrpc|syscopyarea|sysfillrect|sysimgblt|tcp_lp|ttm|tun|uvcvideo|videobuf2_core|videobuf2_memops|videobuf2_vmalloc|videodev|virtio|virtio_balloon|virtio_console|virtio_net|virtio_pci|virtio_ring|virtio_scsi|vmhgfs|vmw_balloon|vmw_vmci|vmw_vsock_vmci_transport|vmware_balloon|vmwgfx|vsock|xfs|xt_CHECKSUM|xt_conntrack|xt_state|raid*|tcpbbr|btrfs|.*diag|psmouse|ufs|l
inear|msdos|cpuid|veth|xt_tcpudp|xfrm_user|xfrm_algo|xt_addrtype|br_netfilter|input_leds|sch_fq|ib_iser|rdma_cm|iw_cm|ib_cm|ib_core|.*scsi.*|tcp_bbr|pcbc|autofs4|multipath|hfs.*|minix|ntfs|vfat|jfs|usbcore|usb_common|ehci_hcd|uhci_hcd|ecb|crc32c_generic|button|hid|usbhid|evdev|hid_generic|overlay|xt_nat|qnx4|sb_edac|acpi_cpufreq|ixgbe|pf_ring|tcp_htcp|cfg80211|x86_pkg_temp_thermal|mei_me|mei|processor|thermal_sys|lp|enclosure|ses|ehci_pci|igb|i2c_i801|pps_core|isofs|nls_utf8|xt_REDIRECT|xt_multiport|iosf_mbi|qxl|cdc_ether|usbnet" | tee -a "$vuln" + lsmod | ag -v "ablk_helper|ac97_bus|acpi_power_meter|aesni_intel|ahci|ata_generic|ata_piix|auth_rpcgss|binfmt_misc|bluetooth|bnep|bnx2|bridge|cdrom|cirrus|coretemp|crc_t10dif|crc32_pclmul|crc32c_intel|crct10dif_common|crct10dif_generic|crct10dif_pclmul|cryptd|dca|dcdbas|dm_log|dm_mirror|dm_mod|dm_region_hash|drm|drm_kms_helper|drm_panel_orientation_quirks|e1000|ebtable_broute|ebtable_filter|ebtable_nat|ebtables|edac_core|ext4|fb_sys_fops|floppy|fuse|gf128mul|ghash_clmulni_intel|glue_helper|grace|i2c_algo_bit|i2c_core|i2c_piix4|i7core_edac|intel_powerclamp|ioatdma|ip_set|ip_tables|ip6_tables|ip6t_REJECT|ip6t_rpfilter|ip6table_filter|ip6table_mangle|ip6table_nat|ip6ta 
ble_raw|ip6table_security|ipmi_devintf|ipmi_msghandler|ipmi_si|ipmi_ssif|ipt_MASQUERADE|ipt_REJECT|iptable_filter|iptable_mangle|iptable_nat|iptable_raw|iptable_security|iTCO_vendor_support|iTCO_wdt|jbd2|joydev|kvm|kvm_intel|libahci|libata|libcrc32c|llc|lockd|lpc_ich|lrw|mbcache|megaraid_sas|mfd_core|mgag200|Module|mptbase|mptscsih|mptspi|nf_conntrack|nf_conntrack_ipv4|nf_conntrack_ipv6|nf_defrag_ipv4|nf_defrag_ipv6|nf_nat|nf_nat_ipv4|nf_nat_ipv6|nf_nat_masquerade_ipv4|nfnetlink|nfnetlink_log|nfnetlink_queue|nfs_acl|nfsd|parport|parport_pc|pata_acpi|pcspkr|ppdev|rfkill|sch_fq_codel|scsi_transport_spi|sd_mod|serio_raw|sg|shpchp|snd|snd_ac97_codec|snd_ens1371|snd_page_alloc|snd_pcm|snd_rawmidi|snd_seq|snd_seq_device|snd_seq_midi|snd_seq_midi_event|snd_timer|soundcore|sr_mod|stp|sunrpc|syscopyarea|sysfillrect|sysimgblt|tcp_lp|ttm|tun|uvcvideo|videobuf2_core|videobuf2_memops|videobuf2_vmalloc|videodev|virtio|virtio_balloon|virtio_console|virtio_net|virtio_pci|virtio_ring|virtio_scsi|vmhgfs|vmw_balloon|vmw_vmci|vmw_vsock_vmci_transport|vmware_balloon|vmwgfx|vsock|xfs|xt_CHECKSUM|xt_conntrack|xt_state|raid*|tcpbbr|btrfs|.*diag|psmouse|ufs|linear|msdos|cpuid|veth|xt_tcpudp|xfrm_user|xfrm_algo|xt_addrtype|br_netfilter|input_leds|sch_fq|ib_iser|rdma_cm|iw_cm|ib_cm|ib_core|.*scsi.*|tcp_bbr|pcbc|autofs4|multipath|hfs.*|minix|ntfs|vfat|jfs|usbcore|usb_common|ehci_hcd|uhci_hcd|ecb|crc32c_generic|button|hid|usbhid|evdev|hid_generic|overlay|xt_nat|qnx4|sb_edac|acpi_cpufreq|ixgbe|pf_ring|tcp_htcp|cfg80211|x86_pkg_temp_thermal|mei_me|mei|processor|thermal_sys|lp|enclosure|ses|ehci_pci|igb|i2c_i801|pps_core|isofs|nls_utf8|xt_REDIRECT|xt_multiport|iosf_mbi|qxl|cdc_ether|usbnet|ip6table_raw|skx_edac|intel_rapl|wmi|acpi_pad|ast|i40e|ptp|nfit|libnvdimm|bpfilter|failover" | tee -a "$vuln" echo -e "\n" | tee -a "$vuln" echo -e "\e[00;31m[+]Rootkit 内核模块\e[00m" | tee -a "$vuln" 
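Review bot: The extended allowlist is still an unanchored alternation under `ag -v`, so short entries such as `hid`, `lp`, `sg`, `ast`, `mei`, `ptp` and `wmi` drop every `lsmod` row whose name merely contains them, and a module with an unfamiliar name is hidden from this check whenever it shares a substring with any listed name — a false negative in exactly the check this hunk is tuning. Anchor the pattern to the module-name column instead, `lsmod | ag -v '^(ablk_helper|…|failover)\s' | tee -a "$vuln"`, i.e. wrap the existing alternation in `^(…)\s`; entries like `raid*`, `.*diag` and `hfs.*` still work inside the group and the `Module` header row is still filtered. `rootkit_check` continues outside the hunk.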
@@ -471,7 +480,7 @@ rootkit_check() {
 echo -e "\n" | tee -a "$vuln"
 echo -e "\e[00;31m[+]可疑的.ko模块\e[00m" | tee -a "$vuln"
- find / ! -path "/proc/*" ! -path "/usr/lib/modules/*" ! -path "/boot/*" -regextype posix-extended -regex '.*\.ko' | tee -a "$vuln"
+ find / ! -path "/proc/*" ! -path "/usr/lib/modules/*" ! -path "/lib/modules/*" ! -path "/boot/*" -regextype posix-extended -regex '.*\.ko' | tee -a "$vuln"
 echo -e "\n" | tee -a "$vuln"
 }
@@ -501,13 +510,23 @@ ssh_check() {
 fi
 echo -e "\n" | tee -a "$vuln"
+ #ssh后门配置检查
+ echo -e "\e[00;31m[+]SSH 软连接后门 \e[00m" | tee -a "$vuln"
+ if ps -ef | ag '\s+\-oport=\d+'>/dev/null 2>&1; then
+ ps -ef | ag '\s+\-oport=\d+' | tee -a "$vuln"
+ else
+ echo "未检测到SSH软连接后门" | tee -a "$vuln"
+
+ fi
+ echo -e "\n" | tee -a "$vuln"
+
+ echo -e "\e[00;31m[+]SSH inetd后门检查 \e[00m" | tee -a "$vuln"
 if [ -e "/etc/inetd.conf" ]; then
 grep -E '(bash -i)' /dev/null 2>&1; then
- rkhunter --checkall --sk | ag -v 'OK|Not found|None found'
- else
- if [ -e "/tmp/rkhunter.tar.gz" ]; then
- cd /tmp && tar -zxvf /tmp/rkhunter.tar.gz>/dev/null 2>&1
- cd /tmp/rkhunter-1.4.6/ && ./installer.sh --install>/dev/null 2>&1
- rkhunter --checkall --sk | ag -v 'OK|Not found|None found'
- else
- echo -e "找不到rkhunter.tar.gz尝试下载"
- wget https://github.com/al0ne/LinuxCheck/raw/master/rkhunter.tar.gz -O /tmp/rkhunter.tar.gz>/dev/null 2>&1
- tar -zxvf /tmp/rkhunter.tar.gz>/dev/null 2>&1
- cd /tmp/rkhunter-1.4.6/ && ./installer.sh --install>/dev/null 2>&1
- rkhunter --checkall --sk | ag -v 'OK|Not found|None found'
- fi
- fi
-}
-
 risk_check() {
 echo -e "############ 服务器风险/漏洞检查 ############\n" | tee -a "$vuln"
 echo -e "\e[00;31m[+]Redis弱密码检测\e[00m" | tee -a "$vuln"
@@ -602,5 +601,4 @@ ssh_check
 webshell_check
 poison_check
 miner_check
-rkhunter_install
 risk_check
From c0a156c3fbada3966cef6b6fee50032c1a765a0d Mon Sep 17 00:00:00 2001
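Review bot: The `find` on the new side still matches only `'.*\.ko'`, so a module planted outside the module tree as a compressed `.ko.xz`, `.ko.zst` or `.ko.gz` file (the form most current distributions ship) is not listed by this check; widen the pattern to `-regex '.*\.ko(\.(xz|zst|gz))?'`. Excluding `/lib/modules/*` next to `/usr/lib/modules/*` is reasonable where the two are the same merged-/usr tree, but it is worth a comment that anything placed inside the legitimate module directories is out of scope for this check, since a reader may assume otherwise. `rootkit_check` continues outside the hunk.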
From: =?UTF-8?q?=E5=86=BB=E6=9F=A0=E8=8C=B6=E9=85=8D=E8=8F=A0=E8=90=9D?= =?UTF-8?q?=E5=8C=85?=
Date: 2023年2月16日 21:41:37 +0800
Subject: [PATCH 2/6] Update README.md
---
 README.md | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index da2b53a..3d391ea 100644
--- a/README.md
+++ b/README.md
@@ -105,11 +105,23 @@ Linux应急处置/信息搜集/漏洞检测工具,支持基础配置/网络流
 - Debian:dpkg -i silversearcher-ag_2.2.0-1+b1_amd64.deb
 - Centos:rpm -ivh the_silver_searcher-2.1.0-1.el7.x86_64.rpm
+```
 git clone https://github.com/al0ne/LinuxCheck.git
-chmod u+x LinuxCheck.sh
+```
+```
+chmod u+x LinuxCheck.sh
+```
+
+```
 ./LinuxCheck.sh
-如果已经安装了ag和rkhunter可以直接使用以下命令
+```
+
+如果已经安装了ag和rkhunter可以直接使用以下命令
+
+```
 bash -c "$(curl -sSL https://raw.githubusercontent.com/al0ne/LinuxCheck/master/LinuxCheck.sh)"
+```
+
 文件会保存成ipaddr_hostname_username_timestamp.log 这种格式
 ### 参考
From 0b6cca77243bd5183dca04e1267547a240df6473 Mon Sep 17 00:00:00 2001
From: al0ne <13449320+al0ne@users.noreply.github.com>
Date: 2024年5月10日 00:01:25 +0800
Subject: [PATCH 3/6] Update LinuxCheck.sh
---
 LinuxCheck.sh | 755 +++++++++++++++++++++++++++++--------------------
 1 file changed, 438 insertions(+), 317 deletions(-)
diff --git a/LinuxCheck.sh b/LinuxCheck.sh
index 74529ec..7450c89 100644
--- a/LinuxCheck.sh
+++ b/LinuxCheck.sh
@@ -2,43 +2,50 @@
 echo ""
 echo " ========================================================= "
-echo " \ Linux应急处置/信息搜集/漏洞检测脚本 V2.3 / "
+echo " \ Linux应急处置/信息搜集/漏洞检测脚本 V3.0 / "
 echo " ========================================================= "
 echo " # 支持Centos、Debian系统检测 "
 echo " # author:al0ne "
 echo " # https://github.com/al0ne "
-echo " # 更新日期:2022年08月5日 "
+echo " # 更新日期:2024年4月20日 "
 echo " # 参考来源: "
 echo " # 1.Gscan https://github.com/grayddq/GScan "
 echo " # 2.Lynis https://github.com/CISOfy/lynis "
+echo " # 3.container-escape-check https://github.com/teamssix/container-escape-check"
 echo -e "\n"
-# 更新日志:2022年08月05日
-#### 修复内核模块检查日志过多问题
-# 更新日志:2022年03月07日
-#### 添加SSH软连接后门检测
-# 更新日期:2021年10月17日
-#### 添加Ntpclient/WorkMiner/TeamTNT挖矿木马检测
-#### 添加Rootkit模块检测逻辑
-#### 添加Python pip投毒检测
-#### 添加$HOME/.profile查看
-#### 添加服务器风险检查(Redis)
-
-# WEB Path 设置web目录 默认的话是从/目录去搜索 性能较慢
+# WEB Path 设置web目录,检测Webshell。
 webpath='/'
+# 报告上报的地址
+webhook_url='http://localhost:5000/upload'
+
+# 设置保存文件
+ipaddress=$(ip address | grep -oP '(?<=inet )\d+\.\d+\.\d+\.\d+(?=\/2)' | head -n 1)
+filename=$ipaddress'_'$(hostname)'_'$(whoami)'_'$(date +%s)_log'.md'
+
 print_msg() {
- echo -e "\e[00;31m[+]1ドル\e[00m"
+ echo -e "1ドル\n" | tee -a $filename
+}
+
+print_code() {
+ echo -e "\`\`\`shell\n1ドル\n\`\`\`\n" | tee -a $filename
+}
+
+reverse_shell_check() {
+ echo -e "\n"
+ print_code "$(grep -P '(tftp\s\-i|scp\s|sftp\s|bash\s\-i|nc\s\-e|sh\s\-i|wget\s|curl\s|\bexec|/dev/tcp/|/dev/udp/)' 1ドル 2ドル 3ドル)"
+ print_code "$(grep -P '(useradd|groupadd|chattr|fsockopen|socat|base64|socket|perl|openssl)' 1ドル 2ドル 3ドル)"
 }
 
 ### 1.环境检查 ###
-print_msg "环境检测"
+print_msg "## 环境检测"
 # 验证是否为root权限
 if [ $UID -ne 0 ]; then
- print_msg "请使用root权限运行!"
+ print_msg "请使用root权限运行!"
 exit 1
 else
- print_msg "当前为root权限"
+ print_msg "当前为root权限!"
 fi
 # 验证操作系统是debian系还是centos
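Review bot: `reverse_shell_check` scans only `$1 $2 $3`, but its callers later in this patch pass shell globs (`/etc/cron*`, `/var/spool/cron/*`, `/etc/init.d/*`) that can expand to more than three paths, so every crontab or init script past the third is silently skipped; and because the two `grep -P` calls have no `-r`, directories such as `/etc/cron.d` and `/etc/cron.daily` produce "Is a directory" and are not descended, where the `ag` call this replaces recursed by default. Change both lines to `grep -rP '…' -- "$@"` so every argument is scanned and directories are walked. `print_msg` and `print_code` should also quote the log path, `tee -a "$filename"`, since it is assembled from `hostname` and `whoami` output. Separately, `webhook_url` defaults to a plain `http://` endpoint and is described as the report upload address; the report collects `env`, sudoers and login data, so wherever that upload happens (not in this hunk) it should be HTTPS-only or disabled by default.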
@@ -96,7 +103,6 @@ for prog in "${cmdline[@]}"; do
 if dpkg -L $prog | grep 'does not contain any files'>/dev/null 2>&1; then
 echo -e "$prog 安装中......"
 apt install -y "$prog">/dev/null 2>&1
- apt install -y silversearcher-ag>/dev/null 2>&1
 fi
 fi
@@ -104,64 +110,48 @@ done echo -e "\n" -# 设置保存文件 -ipaddress=$(ip address | ag -o '(?<=inet )\d+\.\d+\.\d+\.\d+(?=\/2)' | head -n 1) -filename=$ipaddress'_'$(hostname)'_'$(whoami)'_'$(date +%s)_log'.log' -vuln="$ipaddress_$(hostname)_$(whoami)_$(date +%s)_vuln.log" - base_check() { - echo -e "############ 基础配置检查 ############\n" | tee -a "$filename" - echo -e "\e[00;31m[+]系统信息\e[00m" | tee -a "$filename" + print_msg "## 基础配置检查" + print_msg "### 系统信息" #当前用户 - echo -e "USER:\t\t$(whoami)" 2>/dev/null | tee -a "$filename" + print_msg "**USER:**\t\t$(whoami)" 2>/dev/null #版本信息 - echo -e "OS Version:\t$(uname -r)" | tee -a "$filename" + print_msg "**OS Version:**\t$(uname -r)" #主机名 - echo -e "Hostname: \t$(hostname -s)" | tee -a "$filename" + print_msg "**Hostname:** \t$(hostname -s)" #服务器SN - echo -e "服务器SN: \t$(dmidecode -t1 | ag -o '(?<=serial Number: ).*')" | tee -a "$filename" + print_msg "**服务器SN:** \t$(dmidecode -t1 | grep -oP '(?<=serial Number: ).*')" #uptime - echo -e "Uptime: \t$(uptime | awk -F ',' '{print 1ドル}')" | tee -a "$filename" + print_msg "**Uptime:** \t$(uptime | awk -F ',' '{print 1ドル}')" #系统负载 - echo -e "系统负载: \t$(uptime | awk '{print 9ドル" "10ドル" "11ドル" "12ドル" "13ドル}')" | tee -a "$filename" + print_msg "**系统负载:** \t$(uptime | awk '{print 9ドル" "10ドル" "11ドル" "12ドル" "13ドル}')" #cpu信息 - echo -e "CPU info:\t$(ag -o '(?<=model name\t: ).*' /dev/null 2>&1 - echo -e "IPADDR:\t\t${ipaddress}" | sed ":a;N;s/\n/ /g;ta" | tee -a "$filename" - echo -e "\n" | tee -a "$filename" - echo -e "\e[00;31m[+]CPU使用率: \e[00m" | tee -a "$filename" + ipaddress=$(ifconfig | grep -oP '(?<=inet |inet addr:)\d+\.\d+\.\d+\.\d+' | grep -v '127.0.0.1')>/dev/null 2>&1 + print_msg "**IPADDR:**\t\t${ipaddress}" | sed ":a;N;s/\n/ /g;ta" + print_msg "**CPU使用率:** " awk '0ドル ~/cpu[0-9]/' /proc/stat 2>/dev/null | while read line; do - echo "$line" | awk '{total=2ドル+3ドル+4ドル+5ドル+6ドル+7ドル+8ドル;free=5ドル;\ + print_msg "$(echo $line | awk '{total=2ドル+3ドル+4ドル+5ドル+6ドル+7ドル+8ドル;free=5ドル;\ print1ドル" 
Free "free/total*100"%",\ - "Used " (total-free)/total*100"%"}' | tee -a "$filename" + "Used " (total-free)/total*100"%"}')" done - echo -e "\n" | tee -a "$filename" - #登陆用户 - echo -e "\e[00;31m[+]登陆用户\e[00m" | tee -a "$filename" - who | tee -a "$filename" - echo -e "\n" | tee -a "$filename" - #CPU占用TOP 15 - cpu=$(ps aux | grep -v ^'USER' | sort -rn -k3 | head -15) 2>/dev/null - echo -e "\e[00;31m[+]CPU TOP15: \e[00m\n${cpu}\n" | tee -a "$filename" - #内存占用TOP 15 - mem=$(ps aux | grep -v ^'USER' | sort -rn -k4 | head -15) 2>/dev/null - echo -e "\e[00;31m[+]内存占用 TOP15: \e[00m\n${mem}\n" | tee -a "$filename" + #内存占用 - echo -e "\e[00;31m[+]内存占用\e[00m" | tee -a "$filename" - free -mh | tee -a "$filename" - echo -e "\n" | tee -a "$filename" + print_msg "### 内存占用" + print_code "$(free -mh)" + #剩余空间 - echo -e "\e[00;31m[+]剩余空间\e[00m" | tee -a "$filename" - df -mh | tee -a "$filename" - echo -e "\n" | tee -a "$filename" - echo -e "\e[00;31m[+]硬盘挂载\e[00m" | tee -a "$filename" - ag -v "#" /dev/null; then - echo -e "$soft" | ag -o '\w+$' --nocolor | tee -a "$filename" - fi - done - echo -e "\n" | tee -a "$filename" #HOSTS - echo -e "\e[00;31m[+]/etc/hosts \e[00m" | tee -a "$filename" - cat /etc/hosts | ag -v "#" | tee -a "$filename" - echo -e "\n" | tee -a "$filename" + print_msg "### /etc/hosts" + print_code "$(cat /etc/hosts | egrep -v "#")" +} + +process_check() { + print_msg "## 进程信息检查" + + print_msg "### CPU占用TOP 15" + cpu=$(ps aux | grep -v ^'USER' | sort -rn -k3 | head -15) 2>/dev/null + print_code "${cpu}" + + print_msg "### 内存占用TOP 15" + mem=$(ps aux | grep -v ^'USER' | sort -rn -k4 | head -15) 2>/dev/null + print_code "${mem}" + + print_msg "### 父进程为1的进程信息" + print_code "$(ps -e -o user,pid,ppid,cmd | awk '3ドル == 1' | egrep -v "containerd-shim|/lib/systemd/systemd|/usr/sbin/cron|dbus|rsyslogd|containerd|/usr/sbin/sshd|/usr/bin/dockerd|/usr/sbin/arpd|/bin/login|/usr/sbin/vnstatd")" + + print_msg "### bash反弹shell进程" + tcp_reverse=$(ps -ef | grep -P 'sh -i' | egrep -v 
'grep' | awk '{print 2ドル}' | xargs -i{} lsof -p {} | grep 'ESTAB') + if [ -n $tcp_reverse ]; then + print_code "$tcp_reverse" + else + print_code "未发现 bash -i 反弹shell!" + fi + print_msg "### SSH 软连接后门进程" + if ps -ef | grep -P '\s+\-oport=\d+'>/dev/null 2>&1; then + print_msg "$(ps -ef | grep -P '\s+\-oport=\d+')" + else + print_msg "未检测到SSH软连接后门" + + fi } network_check() { - echo -e "############ 网络/流量检查 ############\n" | tee -a "$filename" + print_msg "## 网络/流量检查" #ifconfig - echo -e "\e[00;31m[+]ifconfig\e[00m" | tee -a "$filename" - /sbin/ifconfig -a | tee -a "$filename" - echo -e "\n" | tee -a "$filename" + print_msg '### ifconfig' + print_code "$(/sbin/ifconfig -a)" + #网络流量 - echo -e "\e[00;31m[+]网络流量 \e[00m" | tee -a "$filename" - echo "Interface ByteRec PackRec ByteTran PackTran" | tee -a "$filename" + print_msg "### 网络流量" + print_msg "**Interface** **ByteRec** **PackRec** **ByteTran** **PackTran**" awk ' NR>2' /proc/net/dev | while read line; do - echo "$line" | awk -F ':' '{print " "1ドル" " 2ドル}' | - awk '{print 1ドル" "2ドル " "3ドル" "10ドル" "11ドル}' | tee -a "$filename" + print_msg "$line" | awk -F ':' '{print " "1ドル" " 2ドル}' | awk '{print 1ドル" "2ドル " "3ドル" "10ドル" "11ドル}' done - echo -e "\n" | tee -a "$filename" + #端口监听 - echo -e "\e[00;31m[+]端口监听\e[00m" | tee -a "$filename" - netstat -tulpen | ag 'tcp|udp.*' --nocolor | tee -a "$filename" - echo -e "\n" | tee -a "$filename" + print_msg "### 端口监听" + print_code "$(netstat -tulpen | grep -P 'tcp|udp.*')" + #对外开放端口 - echo -e "\e[00;31m[+]对外开放端口\e[00m" | tee -a "$filename" - netstat -tulpen | awk '{print 1,ドル4ドル}' | ag -o '.*0.0.0.0:(\d+)|:::\d+' --nocolor | tee -a "$filename" - echo -e "\n" | tee -a "$filename" + print_msg "### 对外开放端口" + print_code "$(netstat -tulpen | awk '{print 1,ドル4ドル}' | grep -P -o '.*0.0.0.0:(\d+)|:::\d+')" + #网络连接 - echo -e "\e[00;31m[+]网络连接\e[00m" | tee -a "$filename" - netstat -antop | ag ESTAB --nocolor | tee -a "$filename" - echo -e "\n" | tee -a "$filename" + print_msg "### 网络连接" + 
print_msg "**TCP连接**" + print_code "$(netstat -antop | grep -P ESTAB)" + print_msg "**UDP连接**" + print_code "$(netstat -anp | grep -P udp)" + #连接状态 - echo -e "\e[00;31m[+]TCP连接状态\e[00m" | tee -a "$filename" - netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}' | tee -a "$filename" - echo -e "\n" | tee -a "$filename" + print_msg "### TCP连接状态" + print_code "$(netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}')" + #路由表 - echo -e "\e[00;31m[+]路由表\e[00m" | tee -a "$filename" - /sbin/route -nee | tee -a "$filename" - echo -e "\n" | tee -a "$filename" + print_msg "### 路由表" + print_code "$(/sbin/route -nee)" + #路由转发 - echo -e "\e[00;31m[+]路由转发\e[00m" | tee -a "$filename" + print_msg "### 路由转发" ip_forward=$(more /proc/sys/net/ipv4/ip_forward | awk -F: '{if (1ドル==1) print "1"}') if [ -n "$ip_forward" ]; then - echo "/proc/sys/net/ipv4/ip_forward 已开启路由转发" | tee -a "$filename" + print_code "/proc/sys/net/ipv4/ip_forward 已开启路由转发!" else - echo "该服务器未开启路由转发" | tee -a "$filename" + print_code "该服务器未开启路由转发!" fi - echo -e "\n" | tee -a "$filename" + #DNS - echo -e "\e[00;31m[+]DNS Server\e[00m" | tee -a "$filename" - ag -o '\d+\.\d+\.\d+\.\d+' --nocolor /dev/null 2>&1; then - echo "网卡存在混杂模式!" | tee -a "$filename" + print_msg "### 网卡混杂模式" + if ip link | grep -P PROMISC>/dev/null 2>&1; then + print_code "网卡存在混杂模式!" else - echo "网卡不存在混杂模式" | tee -a "$filename" + print_code "网卡不存在混杂模式!" 
fi - echo -e "\n" | tee -a "$filename" + #防火墙 - echo -e "\e[00;31m[+]IPTABLES防火墙\e[00m" | tee -a "$filename" - iptables -L | tee -a "$filename" - echo -e "\n" | tee -a "$filename" + print_msg "### IPTABLES防火墙" + print_code "$(iptables -L)" + } crontab_check() { - echo -e "############ 任务计划检查 ############\n" | tee -a "$filename" | tee -a "$vuln" + print_msg "## 任务计划检查" + #crontab - echo -e "\e[00;31m[+]Crontab\e[00m" | tee -a "$filename" - crontab -u root -l | ag -v '#' --nocolor | tee -a "$filename" - ls -alht /etc/cron.*/* | tee -a "$filename" - echo -e "\n" | tee -a "$filename" + print_msg "### Crontab 文件" + print_msg "crontab -l" + print_code "$(crontab -u root -l | egrep -v '#')" + print_msg "ls -alht /etc/cron.*/*" + print_code "$(ls -alht /etc/cron.*/*)" + + # crontab 内容 + print_msg "### Crontab 文件内容" + print_code "$(find /var/spool/cron/ -type f -print0 | xargs -0 sudo cat | egrep -v '#')" #crontab可疑命令 - echo -e "\e[00;31m[+]Crontab Backdoor \e[00m" | tee -a "$vuln" - ag '((?:useradd|groupadd|chattr)|(?:wget\s|curl\s|tftp\s\-i|scp\s|sftp\s)|(?:bash\s\-i|fsockopen|nc\s\-e|sh\s\-i|\"/bin/sh\"|\"/bin/bash\"))' /etc/cron* /var/spool/cron/* --nocolor | tee -a "$vuln" - echo -e "\n" | tee -a "$vuln" + print_msg "### Crontab Backdoor" + reverse_shell_check /etc/cron* + reverse_shell_check /var/spool/cron/* } env_check() { - echo -e "############ 环境变量检查 ############\n" | tee -a "$filename" + print_msg "## 环境变量检查" #env - echo -e "\e[00;31m[+]env\e[00m" | tee -a "$filename" - env | tee -a "$filename" - echo -e "\n" | tee -a "$filename" + print_msg "### env" + print_code "$(env)" + #PATH - echo -e "\e[00;31m[+]PATH\e[00m" | tee -a "$filename" - echo "$PATH" | tee -a "$filename" - echo -e "\n" | tee -a "$filename" + print_msg "### PATH" + print_code "$PATH" + + print_msg "### Linux 动态链接库变量" + #LD_PRELOAD - echo -e "\e[00;31m[+]LD_PRELOAD\e[00m" | tee -a "$vuln" - echo ${LD_PRELOAD} | tee -a "$vuln" - echo -e "\n" | tee -a "$vuln" + if [[ -n $LD_PRELOAD ]]; then + 
print_msg "**LD_PRELOAD**" + print_code $LD_PRELOAD + fi #LD_ELF_PRELOAD - echo -e "\e[00;31m[+]LD_ELF_PRELOAD\e[00m" | tee -a "$vuln" - echo ${LD_ELF_PRELOAD} | tee -a "$vuln" - echo -e "\n" | tee -a "$vuln" + if [[ -n $LD_ELF_PRELOAD ]]; then + print_msg "**LD_ELF_PRELOAD**" + print_code $LD_ELF_PRELOAD + fi #LD_AOUT_PRELOAD - echo -e "\e[00;31m[+]LD_AOUT_PRELOAD\e[00m" | tee -a "$vuln" - echo ${LD_AOUT_PRELOAD} | tee -a "$vuln" - echo -e "\n" | tee -a "$vuln" + if [[ -n $LD_AOUT_PRELOAD ]]; then + print_msg "**LD_AOUT_PRELOAD**" + print_code $LD_AOUT_PRELOAD + fi #PROMPT_COMMAND - echo -e "\e[00;31m[+]PROMPT_COMMAND\e[00m" | tee -a "$vuln" - echo "${PROMPT_COMMAND}" | tee -a "$vuln" - echo -e "\n" | tee -a "$vuln" + if [[ -n $PROMPT_COMMAND ]]; then + print_msg "**PROMPT_COMMAND**" + print_code $PROMPT_COMMAND + fi #LD_LIBRARY_PATH - echo -e "\e[00;31m[+]LD_LIBRARY_PATH\e[00m" | tee -a "$vuln" - echo "${LD_LIBRARY_PATH}" | tee -a "$vuln" - echo -e "\n" | tee -a "$vuln" + if [[ -n $LD_LIBRARY_PATH ]]; then + print_msg "**LD_LIBRARY_PATH**" + print_code $LD_LIBRARY_PATH + fi #ld.so.preload - echo -e "\e[00;31m[+]ld.so.preload\e[00m" | tee -a "$vuln" preload='/etc/ld.so.preload' if [ -e "${preload}" ]; then - cat ${preload} | tee -a "$vuln" + print_msg "**ld.so.preload**" + print_code ${preload} fi - echo -e "\n" | tee -a "$vuln" + # 正在运行的环境变量 + print_msg "### 正在运行的进程环境变量问题" + print_code "$(grep -P 'LD_PRELOAD|LD_ELF_PRELOAD|LD_AOUT_PRELOAD|PROMPT_COMMAND|LD_LIBRARY_PATH' /proc/*/environ)" } user_check() { - echo -e "############ 用户信息检查 ############\n" | tee -a "$filename" - echo -e "\e[00;31m[+]可登陆用户\e[00m" | tee -a "$filename" - cat /etc/passwd | ag -v 'nologin$|false$' | tee -a "$filename" - echo -e "\n" | tee -a "$filename" - echo -e "\e[00;31m[+]passwd文件修改日期: \e[00m" $(stat /etc/passwd | ag -o '(?<=modify: ).*' --nocolor) | tee -a "$filename" - echo -e "\n" | tee -a "$filename" - echo -e "\e[00;31m[+]sudoers(请注意NOPASSWD)\e[00m" | tee -a "$filename" - cat 
/etc/sudoers | ag -v '#' | sed -e '/^$/d' | ag ALL --nocolor | tee -a "$filename" - echo -e "\n" | tee -a "$filename" - echo -e "\e[00;31m[+]登录信息\e[00m" | tee -a "$filename" - w | tee -a "$filename" - echo -e "\n" | tee -a "$filename" - last | tee -a "$filename" - echo -e "\n" | tee -a "$filename" - lastlog | tee -a "$filename" - echo -e "\n" | tee -a "$filename" - echo "登陆ip: $(ag -a accepted /var/log/secure /var/log/auth.* 2>/dev/null | ag -o '\d+\.\d+\.\d+\.\d+' | sort | uniq)" | tee -a "$filename" - echo -e "\n" | tee -a "$filename" + print_msg "## 用户信息检查" + + print_msg "### 可登陆用户" + print_code "$(cat /etc/passwd | egrep -v 'nologin$|false$')" + + print_msg "### Root权限(非root)账号" + print_code "$(cat /etc/passwd | awk -F ':' '3ドル==0' | egrep -v root:)" + + print_msg "### /etc/passwd文件修改日期: " + + print_code "$(stat /etc/passwd | grep -P -o '(?<=modify: ).*')" + + print_msg "### sudoers(请注意NOPASSWD)" + print_code "$(cat /etc/sudoers | egrep -v '#' | sed -e '/^$/d' | grep -P ALL)" + + print_msg "### 登录信息 w" + print_code "$(w)" + print_msg "### 登录信息 last" + print_code "$(last)" + print_msg "### 登录信息 lastlog" + print_code "$(lastlog)" + + print_msg "### 登陆ip" + print_code "$(grep -i -a Accepted /var/log/secure /var/log/auth.* 2>/dev/null | grep -Po '\d+\.\d+\.\d+\.\d+' | sort | uniq)" + +} + +init_check() { + print_msg "## Linux启动项排查" + + print_msg "### /etc/init.d 记录" + print_code "$(ls -alhtR /etc/init.d | head -n 30)" + print_msg "### /etc/init.d 黑特征" + reverse_shell_check /etc/init.d/* } service_check() { - echo -e "############ 服务状态检查 ############\n" | tee -a "$filename" - echo -e "\e[00;31m[+]正在运行的Service \e[00m" | tee -a "$filename" - systemctl -l | grep running | awk '{print 1ドル}' | tee -a "$filename" - echo -e "\n" | tee -a "$filename" - echo -e "\e[00;31m[+]最近添加的Service \e[00m" | tee -a "$filename" - ls -alhtR /etc/systemd/system/multi-user.target.wants | tee -a "$filename" - ls -alht /etc/systemd/system/*.service | ag -v 'dbus-org' | tee -a "$filename" - 
echo -e "\n" | tee -a "$filename" + + print_msg "## 服务状态检查" + + print_msg "### 正在运行的Service " + print_code "$(systemctl -l | grep running | awk '{print 1ドル}')" + + print_msg "### 最近添加的Service " + print_code "$(ls -alhtR /etc/systemd/system/multi-user.target.wants)" + print_code "$(ls -alht /etc/systemd/system/*.service | egrep -v 'dbus-org')" + } bash_check() { - echo -e "######Bash配置检查######\n" | tee -a "$filename" + + print_msg -e "## Bash配置检查" #查看history文件 - echo -e "\e[00;31m[+]History\e[00m" | tee -a "$filename" - ls -alht /root/.*_history | tee -a "$filename" - echo -e "\n" | tee -a "$filename" - cat ~/.*history | ag '(?200mb \e[00m" | tee -a "$filename" - find / ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/boot/*" -size +200M -exec ls -alht {} + 2>/dev/null | ag '\.gif|\.jpeg|\.jpg|\.png|\.zip|\.tar.gz|\.tgz|\.7z|\.log|\.xz|\.rar|\.bak|\.old|\.sql|\.1|\.txt|\.tar|\.db|/\w+$' --nocolor | ag -v 'ib_logfile|ibd|mysql-bin|mysql-slow|ibdata1' | tee -a "$filename" - echo -e "\n" | tee -a "$filename" + print_msg "### 大文件>200mb " + print_code "$(find / ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/boot/*" -size +200M -exec ls -alht {} + 2>/dev/null | grep -P '\.gif|\.jpeg|\.jpg|\.png|\.zip|\.tar.gz|\.tgz|\.7z|\.log|\.xz|\.rar|\.bak|\.old|\.sql|\.1|\.txt|\.tar|\.db|/\w+$' | egrep -v 'ib_logfile|ibd|mysql-bin|mysql-slow|ibdata1')" + #敏感文件 - echo -e "\e[00;31m[+]敏感文件 \e[00m" | tee -a "$vuln" - find / ! -path "/lib/modules*" ! -path "/usr/src*" ! -path "/snap*" ! -path "/usr/include/*" -regextype posix-extended -regex '.*sqlmap|.*msfconsole|.*\bncat|.*\bnmap|.*nikto|.*ettercap|.*tunnel\.(php|jsp|asp|py)|.*/nc\b|.*socks.(php|jsp|asp|py)|.*proxy.(php|jsp|asp|py)|.*brook.*|.*frps|.*frpc|.*aircrack|.*hydra|.*miner|.*/ew$' -type f | ag -v '/lib/python' | xargs -i{} ls -alh {} | tee -a "$vuln" - echo -e "\n" | tee -a "$vuln" + print_msg "### 敏感文件 " + print_code "$(find / ! -path "/lib/modules*" ! -path "/usr/src*" ! -path "/snap*" ! 
-path "/usr/include/*" -regextype posix-extended -regex '.*sqlmap|.*msfconsole|.*\bncat|.*\bnmap|.*nikto|.*ettercap|.*tunnel\.(php|jsp|asp|py)|.*/nc\b|.*socks.(php|jsp|asp|py)|.*proxy.(php|jsp|asp|py)|.*brook.*|.*frps|.*frpc|.*aircrack|.*hydra|.*miner|.*/ew$' -type f | egrep -v '/lib/python' | xargs -i{} ls -alh {})" + + print_msg "### 可疑黑客文件 " + print_code "$(find /root /home /opt /tmp /var/ /dev -regextype posix-extended -regex '.*wget|.*curl|.*openssl|.*mysql' -type f 2>/dev/null | xargs -i{} ls -alh {} | egrep -v '/pkgs/|/envs/|overlay2')" - echo -e "\e[00;31m[+]可疑黑客文件 \e[00m" | tee -a "$vuln" - find /root /home /opt /tmp /var/ /dev -regextype posix-extended -regex '.*wget|.*curl|.*openssl|.*mysql' -type f 2>/dev/null | xargs -i{} ls -alh {} | ag -v '/pkgs/|/envs/' | tee -a "$vuln" - echo -e "\n" | tee -a "$vuln" } rootkit_check() { - echo -e "############ Rootkit检查 ############\n" | tee -a "$vuln" + print_msg "## Rootkit检查" #lsmod 可疑模块 - echo -e "\e[00;31m[+]lsmod 可疑模块\e[00m" | tee -a "$vuln" - lsmod | ag -v "ablk_helper|ac97_bus|acpi_power_meter|aesni_intel|ahci|ata_generic|ata_piix|auth_rpcgss|binfmt_misc|bluetooth|bnep|bnx2|bridge|cdrom|cirrus|coretemp|crc_t10dif|crc32_pclmul|crc32c_intel|crct10dif_common|crct10dif_generic|crct10dif_pclmul|cryptd|dca|dcdbas|dm_log|dm_mirror|dm_mod|dm_region_hash|drm|drm_kms_helper|drm_panel_orientation_quirks|e1000|ebtable_broute|ebtable_filter|ebtable_nat|ebtables|edac_core|ext4|fb_sys_fops|floppy|fuse|gf128mul|ghash_clmulni_intel|glue_helper|grace|i2c_algo_bit|i2c_core|i2c_piix4|i7core_edac|intel_powerclamp|ioatdma|ip_set|ip_tables|ip6_tables|ip6t_REJECT|ip6t_rpfilter|ip6table_filter|ip6table_mangle|ip6table_nat|ip6ta 
ble_raw|ip6table_security|ipmi_devintf|ipmi_msghandler|ipmi_si|ipmi_ssif|ipt_MASQUERADE|ipt_REJECT|iptable_filter|iptable_mangle|iptable_nat|iptable_raw|iptable_security|iTCO_vendor_support|iTCO_wdt|jbd2|joydev|kvm|kvm_intel|libahci|libata|libcrc32c|llc|lockd|lpc_ich|lrw|mbcache|megaraid_sas|mfd_core|mgag200|Module|mptbase|mptscsih|mptspi|nf_conntrack|nf_conntrack_ipv4|nf_conntrack_ipv6|nf_defrag_ipv4|nf_defrag_ipv6|nf_nat|nf_nat_ipv4|nf_nat_ipv6|nf_nat_masquerade_ipv4|nfnetlink|nfnetlink_log|nfnetlink_queue|nfs_acl|nfsd|parport|parport_pc|pata_acpi|pcspkr|ppdev|rfkill|sch_fq_codel|scsi_transport_spi|sd_mod|serio_raw|sg|shpchp|snd|snd_ac97_codec|snd_ens1371|snd_page_alloc|snd_pcm|snd_rawmidi|snd_seq|snd_seq_device|snd_seq_midi|snd_seq_midi_event|snd_timer|soundcore|sr_mod|stp|sunrpc|syscopyarea|sysfillrect|sysimgblt|tcp_lp|ttm|tun|uvcvideo|videobuf2_core|videobuf2_memops|videobuf2_vmalloc|videodev|virtio|virtio_balloon|virtio_console|virtio_net|virtio_pci|virtio_ring|virtio_scsi|vmhgfs|vmw_balloon|vmw_vmci|vmw_vsock_vmci_transport|vmware_balloon|vmwgfx|vsock|xfs|xt_CHECKSUM|xt_conntrack|xt_state|raid*|tcpbbr|btrfs|.*diag|psmouse|ufs|linear|msdos|cpuid|veth|xt_tcpudp|xfrm_user|xfrm_algo|xt_addrtype|br_netfilter|input_leds|sch_fq|ib_iser|rdma_cm|iw_cm|ib_cm|ib_core|.*scsi.*|tcp_bbr|pcbc|autofs4|multipath|hfs.*|minix|ntfs|vfat|jfs|usbcore|usb_common|ehci_hcd|uhci_hcd|ecb|crc32c_generic|button|hid|usbhid|evdev|hid_generic|overlay|xt_nat|qnx4|sb_edac|acpi_cpufreq|ixgbe|pf_ring|tcp_htcp|cfg80211|x86_pkg_temp_thermal|mei_me|mei|processor|thermal_sys|lp|enclosure|ses|ehci_pci|igb|i2c_i801|pps_core|isofs|nls_utf8|xt_REDIRECT|xt_multiport|iosf_mbi|qxl|cdc_ether|usbnet|ip6table_raw|skx_edac|intel_rapl|wmi|acpi_pad|ast|i40e|ptp|nfit|libnvdimm|bpfilter|failover" | tee -a "$vuln" - echo -e "\n" | tee -a "$vuln" + print_msg "### lsmod 可疑模块" + print_code "$(lsmod | egrep -v 
'ablk_helper|ac97_bus|acpi_power_meter|aesni_intel|ahci|ata_generic|ata_piix|auth_rpcgss|binfmt_misc|bluetooth|bnep|bnx2|bridge|cdrom|cirrus|coretemp|crc_t10dif|crc32_pclmul|crc32c_intel|crct10dif_common|crct10dif_generic|crct10dif_pclmul|cryptd|dca|dcdbas|dm_log|dm_mirror|dm_mod|dm_region_hash|drm|drm_kms_helper|drm_panel_orientation_quirks|e1000|ebtable_broute|ebtable_filter|ebtable_nat|ebtables|edac_core|ext4|fb_sys_fops|floppy|fuse|gf128mul|ghash_clmulni_intel|glue_helper|grace|i2c_algo_bit|i2c_core|i2c_piix4|i7core_edac|intel_powerclamp|ioatdma|ip_set|ip_tables|ip6_tables|ip6t_REJECT|ip6t_rpfilter|ip6table_filter|ip6table_mangle|ip6table_nat|ip6ta ble_raw|ip6table_security|ipmi_devintf|ipmi_msghandler|ipmi_si|ipmi_ssif|ipt_MASQUERADE|ipt_REJECT|iptable_filter|iptable_mangle|iptable_nat|iptable_raw|iptable_security|iTCO_vendor_support|iTCO_wdt|jbd2|joydev|kvm|kvm_intel|libahci|libata|libcrc32c|llc|lockd|lpc_ich|lrw|mbcache|megaraid_sas|mfd_core|mgag200|Module|mptbase|mptscsih|mptspi|nf_conntrack|nf_conntrack_ipv4|nf_conntrack_ipv6|nf_defrag_ipv4|nf_defrag_ipv6|nf_nat|nf_nat_ipv4|nf_nat_ipv6|nf_nat_masquerade_ipv4|nfnetlink|nfnetlink_log|nfnetlink_queue|nfs_acl|nfsd|parport|parport_pc|pata_acpi|pcspkr|ppdev|rfkill|sch_fq_codel|scsi_transport_spi|sd_mod|serio_raw|sg|shpchp|snd|snd_ac97_codec|snd_ens1371|snd_page_alloc|snd_pcm|snd_rawmidi|snd_seq|snd_seq_device|snd_seq_midi|snd_seq_midi_event|snd_timer|soundcore|sr_mod|stp|sunrpc|syscopyarea|sysfillrect|sysimgblt|tcp_lp|ttm|tun|uvcvideo|videobuf2_core|videobuf2_memops|videobuf2_vmalloc|videodev|virtio|virtio_balloon|virtio_console|virtio_net|virtio_pci|virtio_ring|virtio_scsi|vmhgfs|vmw_balloon|vmw_vmci|vmw_vsock_vmci_transport|vmware_balloon|vmwgfx|vsock|xfs|xt_CHECKSUM|xt_conntrack|xt_state|raid*|tcpbbr|btrfs|.*diag|psmouse|ufs|linear|msdos|cpuid|veth|xt_tcpudp|xfrm_user|xfrm_algo|xt_addrtype|br_netfilter|input_leds|sch_fq|ib_iser|rdma_cm|iw_cm|ib_cm|ib_core|.*scsi.*|tcp_bbr|pcbc|autofs4|multipath|hfs.*|minix|ntf
s|vfat|jfs|usbcore|usb_common|ehci_hcd|uhci_hcd|ecb|crc32c_generic|button|hid|usbhid|evdev|hid_generic|overlay|xt_nat|qnx4|sb_edac|acpi_cpufreq|ixgbe|pf_ring|tcp_htcp|cfg80211|x86_pkg_temp_thermal|mei_me|mei|processor|thermal_sys|lp|enclosure|ses|ehci_pci|igb|i2c_i801|pps_core|isofs|nls_utf8|xt_REDIRECT|xt_multiport|iosf_mbi|qxl|cdc_ether|usbnet|ip6table_raw|skx_edac|intel_rapl|wmi|acpi_pad|ast|i40e|ptp|nfit|libnvdimm|bpfilter|failover|toa|tls|nft_|qemu_fw_cfg')" - echo -e "\e[00;31m[+]Rootkit 内核模块\e[00m" | tee -a "$vuln" + print_msg "### Rootkit 内核模块" kernel=$(grep -E 'hide_tcp4_port|hidden_files|hide_tcp6_port|diamorphine|module_hide|module_hidden|is_invisible|hacked_getdents|hacked_kill|heroin|kernel_unlink|hide_module|find_sys_call_tbl|h4x_delete_module|h4x_getdents64|h4x_kill|h4x_tcp4_seq_show|new_getdents|old_getdents|should_hide_file_name|should_hide_task_name' /dev/null 2>&1; then - ps -ef | ag '\s+\-oport=\d+' | tee -a "$vuln" - else - echo "未检测到SSH软连接后门" | tee -a "$vuln" - fi - echo -e "\n" | tee -a "$vuln" + #PAM后门检查 + print_msg "### PAM 后门检测 " + ls -la /usr/lib/security 2>/dev/null + ls -la /usr/lib64/security 2>/dev/null - echo -e "\e[00;31m[+]SSH inetd后门检查 \e[00m" | tee -a "$vuln" + print_msg "### SSH inetd后门检查 " if [ -e "/etc/inetd.conf" ]; then - grep -E '(bash -i)' /dev/null | tee -a "$vuln" - echo -e "\n" | tee -a "$vuln" - - echo -e "\e[00;31m[+]WorkMiner 挖矿木马检测\e[00m" | tee -a "$vuln" - ps aux | ag "work32|work64|/tmp/secure.sh|/tmp/auth.sh" | ag -v 'ag' - ls -alh /tmp/xmr /tmp/config.json /tmp/secure.sh /tmp/auth.sh /usr/.work/work64 2>/dev/null | tee -a "$vuln" - echo -e "\n" | tee -a "$vuln" + + print_msg "## 挖矿木马检查" + + print_msg "### 常规挖矿进程检测" + print_code "$(ps aux | grep -P 
"systemctI|kworkerds|init10.cfg|wl.conf|crond64|watchbog|sustse|donate|proxkekman|test.conf|/var/tmp/apple|/var/tmp/big|/var/tmp/small|/var/tmp/cat|/var/tmp/dog|/var/tmp/mysql|/var/tmp/sishen|ubyx|cpu.c|tes.conf|psping|/var/tmp/java-c|pscf|cryptonight|sustes|xmrig|xmr-stak|suppoie|ririg|/var/tmp/ntpd|/var/tmp/ntp|/var/tmp/qq|/tmp/qq|/var/tmp/aa|gg1.conf|hh1.conf|apaqi|dajiba|/var/tmp/look|/var/tmp/nginx|dd1.conf|kkk1.conf|ttt1.conf|ooo1.conf|ppp1.conf|lll1.conf|yyy1.conf|1111.conf|2221.conf|dk1.conf|kd1.conf|mao1.conf|YB1.conf|2Ri1.conf|3Gu1.conf|crant|nicehash|linuxs|linuxl|Linux|crawler.weibo|stratum|gpg-daemon|jobs.flu.cc|cranberry|start.sh|watch.sh|krun.sh|killTop.sh|cpuminer|/60009|ssh_deny.sh|clean.sh|\./over|mrx1|redisscan|ebscan|barad_agent|\.sr0|clay|udevs|\.sshd|/tmp/init|xmr|xig|ddgs|minerd|hashvault|geqn|\.kthreadd|httpdz|pastebin.com|sobot.com|kerbero|2t3ik|ddgs|qW3xt|ztctb|i2pd" | egrep -v 'grep')" + print_code "$(find / ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/boot/*" -regextype posix-extended -regex '.*systemctI|.*kworkerds|.*init10.cfg|.*wl.conf|.*crond64|.*watchbog|.*sustse|.*donate|.*proxkekman|.*cryptonight|.*sustes|.*xmrig|.*xmr-stak|.*suppoie|.*ririg|gg1.conf|.*cpuminer|.*xmr|.*xig|.*ddgs|.*minerd|.*hashvault|\.kthreadd|.*httpdz|.*kerbero|.*2t3ik|.*qW3xt|.*ztctb|.*miner.sh' -type f)" + + print_msg "### Ntpclient 挖矿木马检测" + print_code "$(find / ! -path "/proc/*" ! -path "/sys/*" ! 
-path "/boot/*" -regextype posix-extended -regex 'ntpclient|Mozz')" + print_code "$(ls -alh /tmp/.a /var/tmp/.a /run/shm/a /dev/.a /dev/shm/.a 2>/dev/null)" + + print_msg "### WorkMiner 挖矿木马检测" + print_code "$(ps aux | grep -P "work32|work64|/tmp/secure.sh|/tmp/auth.sh" | egrep -v 'grep')" + print_code "$(ls -alh /tmp/xmr /tmp/config.json /tmp/secure.sh /tmp/auth.sh /usr/.work/work64 2>/dev/null)" + } risk_check() { - echo -e "############ 服务器风险/漏洞检查 ############\n" | tee -a "$vuln" - echo -e "\e[00;31m[+]Redis弱密码检测\e[00m" | tee -a "$vuln" - cat /etc/redis/redis.conf 2>/dev/null | ag '(?<=requirepass )(test|123456|admin|root|12345678|111111|p@ssw0rd|test|qwerty|zxcvbnm|123123|12344321|123qwe|password|1qaz|000000|666666|888888)' | tee -a "$vuln" - echo -e "\n" | tee -a "$vuln" + + print_msg "## 服务器风险/漏洞检查" + + print_msg "### Redis弱密码检测" + print_code "$(cat /etc/redis/redis.conf 2>/dev/null | grep -P '(?<=requirepass )(test|123456|admin|root|12345678|111111|p@ssw0rd|test|qwerty|zxcvbnm|123123|12344321|123qwe|password|1qaz|000000|666666|888888)')" + + print_msg "### JDWP调试检测" + if ps aux | grep -P '(?:runjdwp|agentlib:jdwp)' | egrep -v 'grep'>/dev/null 2>&1; then + print_code "存在JDWP调试高风险进程\n $(ps aux | grep -P '(?:runjdwp|agentlib:jdwp)' | egrep -v 'grep') " + fi + + print_msg "### Python http.server 列目录检测" + print_code "$(ps aux | grep -P http.server | egrep -v 'grep')" +} + +docker_check() { + + print_msg "## Docker信息检测" + + print_msg "### Docker运行的镜像" + print_code "$(docker ps)" + + print_msg "### 检测CAP_SYS_ADMIN权限" + if command -v capsh>/dev/null 2>&1; then + cap_sys_adminNum=$(capsh --print | grep cap_sys_admin | wc -l) + if [ $cap_sys_adminNum -gt 0 ]; then + print_code "存在CAP_SYS_ADMIN权限!" + fi + else + print_code "未发现capsh命令!" 
+ fi + + print_msg "### 检测CAP_DAC_READ_SEARCH权限" + if command -v capsh>/dev/null 2>&1; then + cap_dac_read_searchNum=$(capsh --print | grep cap_dac_read_search | wc -l) + if [ $cap_dac_read_searchNum -gt 0 ]; then + print_code "存在CAP_DAC_READ_SEARCH!" + fi + else + print_code "未发现capsh命令!" + fi +} + +upload_report() { + + # 上传到指定接口 + if [[ -n $webhook_url ]]; then + curl -X POST -F "file=@$filename" "$webhook_url" + fi + } +# 服务器基础信息排查 base_check +# 进程信息排查(CPU/内存占用,后门进程排查) +process_check +# 网络排查 network_check +# 任务计划排查 crontab_check +# 环境变量排查 env_check +# 用户文件排查 user_check +# 启动项排查 +init_check +# 服务排查 service_check +# bash 排查 bash_check +# 黑客/后门文件排查 file_check +# rootkit 排查 rootkit_check +# ssh 排查 ssh_check +# webshell 排查 webshell_check +# 供应链排查 poison_check +# 挖矿排查 miner_check +# 服务器风险检测 risk_check +# Docker 检测 +docker_check +# upload_report +upload_report From bebca8ca774963526e2e39d59bce95373e7aa2c8 Mon Sep 17 00:00:00 2001 From: al0ne <13449320+al0ne@users.noreply.github.com> Date: 2024年5月10日 00:02:29 +0800 Subject: [PATCH 4/6] Update README.md --- README.md | 103 ++++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 84 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index 3d391ea..9ef5cb1 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,38 @@ # LinuxCheck Linux应急处置/信息搜集/漏洞检测工具,支持基础配置/网络流量/任务计划/环境变量/用户信息/Services/bash/恶意文件/内核Rootkit/SSH/Webshell/挖矿文件/挖矿进程/供应链/服务器风险等13类70+项检查 -### 功能 + +## 更新 + +更新日志:2024年4月20日 + +- 调整输出为Markdown报告 +- 弃用ag,还是使用Linux原生的grep命令,避免额外安装 +- 优化代码格式,不在每条都要tee -a +- 更新Webshell检测逻辑 +- 更新authorized_keys检测逻辑 +- 服务器风险检查添加JDWP和Python HTTP Server检查 +- 添加Docker 容器检测 +- 添加PAM后门检测 +- 添加本地报告上传能力,应对批量机器应急的情况。 + +更新日志:2022年08月05日 + +- 修复内核模块检查日志过多问题 + +更新日志:2022年03月07日 + +- 添加SSH软连接后门检测 + +更新日期:2021年10月17日 + +- 添加Ntpclient/WorkMiner/TeamTNT挖矿木马检测 +- 添加Rootkit模块检测逻辑 +- 添加Python pip投毒检测 +- 添加$HOME/.profile查看 +- 添加服务器风险检查(Redis) + +## 功能 * 基础配置检查 * 系统配置改动检查 
@@ -94,41 +125,75 @@ Linux应急处置/信息搜集/漏洞检测工具,支持基础配置/网络流 * Python PIP 投毒检查 * 服务器风险检查 * Redis弱密码检测 + * JDWP 服务检测 + * Python http.server 检测 +* Docker 权限检查 -### Usage +## Usage -联网状态: - - apt-get install silversearcher-ag - - yum -y install the_silver_searcher +第一种方式:通过git clone 安装 -离线状态: - - Debian:dpkg -i silversearcher-ag_2.2.0-1+b1_amd64.deb - - Centos:rpm -ivh the_silver_searcher-2.1.0-1.el7.x86_64.rpm - -``` -git clone https://github.com/al0ne/LinuxCheck.git -``` -``` +```bash +git clone https://github.com/al0ne/LinuxCheck.git chmod u+x LinuxCheck.sh +./LinuxCheck.sh ``` +第二种方式:直接在线调用【在线调用就没办法使用报告上传的能力】 ``` -./LinuxCheck.sh +bash -c "$(curl -sSL https://raw.githubusercontent.com/al0ne/LinuxCheck/master/LinuxCheck.sh)" ``` -如果已经安装了ag和rkhunter可以直接使用以下命令 +文件会保存成ipaddr_hostname_username_timestamp.log 这种格式 + +### 报告自动上传 + +如果是批量机器下发,脚本执行后会自动提交到某一个url下,将脚本里面的webhook_url 改成你自己的地址 +```shell +# 报告上报的地址 +webhook_url='http://localhost:5000/upload' + +upload_report() { + + # 上传到指定接口 + if [[ -n $webhook_url ]]; then + curl -X POST -F "file=@$filename" "$webhook_url" + fi + +} ``` -bash -c "$(curl -sSL https://raw.githubusercontent.com/al0ne/LinuxCheck/master/LinuxCheck.sh)" + +在你的服务器上用Flask起一个服务,接收服务器上报的Markdown报告。 + +```python +from flask import Flask, request + +app = Flask(__name__) + +@app.route('/upload', methods=['POST']) +def upload_file(): + if 'file' not in request.files: + return "No file part", 400 + file = request.files['file'] + if file.filename == '': + return "No selected file", 400 + if file: + filename = file.filename + file.save(filename) + return "File successfully uploaded", 200 + +if __name__ == '__main__': + app.run(debug=True) ``` -文件会保存成ipaddr_hostname_username_timestamp.log 这种格式 -### 参考 + +## 参考 此工具的编写主要参考了以下几款工具/文章并结合个人经验完成 -Linenum +Linenum https://github.com/lis912/Evaluation_tools https://ixyzero.com/blog/archives/4.html https://github.com/T0xst/linux From 2161af0c7c08e29a52bb8ec6608fe39b66e0d1db Mon Sep 17 00:00:00 2001 
From: liuzhen Date: 2024年6月17日 18:51:30 +0800 Subject: [PATCH 5/6] mute docker container file info --- LinuxCheck.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/LinuxCheck.sh b/LinuxCheck.sh index 7450c89..e1fe499 100644 --- a/LinuxCheck.sh +++ b/LinuxCheck.sh @@ -493,10 +493,10 @@ file_check() { print_msg "### 近七天文件改动 ctime " print_code "$(find /etc /bin /lib /sbin /dev /root/ /home /tmp /var /usr ! -path "/var/log*" ! -path "/var/spool/exim4*" ! -path "/var/backups*" -ctime -7 -type f | egrep -v '\.log|cache|vim|/share/|/lib/|.zsh|.gem|\.git|LICENSE|README|/_\w+\.\w+|\blogs\b|elasticsearch|nohup|i18n' | xargs -i{} ls -alh {})" - #大文件100mb + #大文件200mb #有些黑客会将数据库、网站打包成一个文件然后下载 print_msg "### 大文件>200mb " - print_code "$(find / ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/boot/*" -size +200M -exec ls -alht {} + 2>/dev/null | grep -P '\.gif|\.jpeg|\.jpg|\.png|\.zip|\.tar.gz|\.tgz|\.7z|\.log|\.xz|\.rar|\.bak|\.old|\.sql|\.1|\.txt|\.tar|\.db|/\w+$' | egrep -v 'ib_logfile|ibd|mysql-bin|mysql-slow|ibdata1')" + print_code "$(find / ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/boot/*" -size +200M -exec ls -alht {} + 2>/dev/null | grep -P '\.gif|\.jpeg|\.jpg|\.png|\.zip|\.tar.gz|\.tgz|\.7z|\.log|\.xz|\.rar|\.bak|\.old|\.sql|\.1|\.txt|\.tar|\.db|/\w+$' | egrep -v 'ib_logfile|ibd|mysql-bin|mysql-slow|ibdata1|overlay2')" #敏感文件 print_msg "### 敏感文件 " From 468c9620ec8dd987149486eec434ea358fb161f2 Mon Sep 17 00:00:00 2001 From: al0ne <13449320+al0ne@users.noreply.github.com> Date: 2024年6月19日 10:13:41 +0800 Subject: [PATCH 6/6] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9ef5cb1..23fa601 100644 --- a/README.md +++ b/README.md @@ -184,7 +184,7 @@ def upload_file(): return "File successfully uploaded", 200 if __name__ == '__main__': - app.run(debug=True) + app.run(debug=True, host="0.0.0.0", port=9999) ```
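Review bot: Appending `overlay2` to the `egrep -v` exclusion on the large-file line mutes every hit under Docker's overlay2 layer directories, which is precisely where an archive staged from inside a running container lands on the host filesystem, so the check now has a blind spot on the one workload the script's `docker_check` treats as in scope. The filter is a bare substring match on the `ls -alht` output, so any unrelated path that merely contains `overlay2` is dropped too. If the intent is only to cut container noise, I'd anchor it to the layer root, `egrep -v 'ib_logfile|ibd|mysql-bin|mysql-slow|ibdata1|/var/lib/docker/overlay2/'`, and add a comment `# container layers are excluded here; review them separately via docker_check if a container is suspect`. `file_check` starts and ends outside this hunk.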
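Review bot: The new `app.run(debug=True, host="0.0.0.0", port=9999)` line binds the Flask development server to every interface with the Werkzeug debugger enabled; the debugger's interactive console runs arbitrary Python for anyone who can reach port 9999 and, per the Werkzeug docs, its PIN is not meant to be a security boundary, and the README tells readers to run this on the server that collects incident reports from a fleet. The handler just above also calls `file.save(filename)` with the unsanitised `file.filename` from the upload, so a POST with a traversal name can write outside the working directory. I'd change the line to `app.run(host="0.0.0.0", port=9999)`, use `werkzeug.utils.secure_filename(file.filename)` before saving, and add a sentence that the endpoint should sit behind TLS and authentication since the reports contain host inventory, users and process listings.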
