Most of the screenshots in this article come from: http://c.biancheng.net/cpp/shell/
Most enterprises today run Linux on their servers, not only because Linux is open source but because it is more secure than Windows. However, when administrators lack security awareness or are careless, sensitive ports and services on Linux end up misconfigured and can be abused, which is why baseline hardening is needed.
1. Baseline
That is, a security baseline configuration: an overall configuration of the operating system, middleware and database in which every setting meets the security standard.
For example, after a system is installed, each setting on the new machine is adjusted to a secure, efficient and reasonable value according to the baseline standard.
2. Baseline scanning
An automated tool collects the configuration items of the system and its services, compares the actual values collected with the standard values, lists the non-compliant items, and presents the scan result as a report. Some tools separate configuration collection from configuration comparison: an automated script collects the configuration, and dedicated software then converts it into a human-readable document.
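The comparison step just described, as an added example written for this article (it is not code from the page or from any tool the page mentions): it reads login.defs-style settings, compares each key against a standard value, and lists the mismatches with the actual and expected values. The key list, the expected values (6, 90, 30 and 8) and the sample file are constructed for the example and are not the page's figures.

```shell
#!/bin/sh
# Added example: a minimal baseline scanner. It reads key/value settings from a
# login.defs-style file, compares each against a standard value, and reports
# every mismatch. Standard values and the sample file are constructed here.

# get_setting FILE KEY -> prints the value of the last active (uncommented)
# KEY line in FILE, or nothing if KEY is not set
get_setting() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# baseline_scan FILE -> prints "KEY actual=X expected=Y" for every mismatch;
# returns 0 when the file is compliant, 1 otherwise
baseline_scan() {
    rc=0
    for spec in PASS_MIN_DAYS=6 PASS_MAX_DAYS=90 PASS_WARN_AGE=30 PASS_MIN_LEN=8; do
        key=${spec%%=*}
        expected=${spec#*=}
        actual=$(get_setting "$1" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "$key actual=${actual:-<unset>} expected=$expected"
            rc=1
        fi
    done
    return $rc
}

# constructed sample: one commented-out line (ignored), one compliant value,
# two wrong values and one missing key (PASS_MIN_LEN)
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# PASS_MAX_DAYS   99999
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   30
EOF

if baseline_scan "$SAMPLE"; then
    echo "compliant"
else
    echo "non-compliant items listed above"
fi
```

Commented lines are skipped because their first field is `#` (or `#KEY`), so only the active value is compared; a missing key is reported as `<unset>` rather than silently passing.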
3. Writing baseline-hardening automation scripts
This article mainly records and studies security-hardening scripts. First, a few screenshots of the command syntax used in hardening shell scripts:
With the basic command syntax covered, let's learn from a script borrowed from the web.
Make backups before running the script:
#!/bin/bash
cp /etc/login.defs /etc/login.defs.bak
cp /etc/security/limits.conf /etc/security/limits.conf.bak
cp /etc/pam.d/su /etc/pam.d/su.bak
cp /etc/profile /etc/profile.bak
cp /etc/issue.net /etc/issue.net.bak
cp /etc/shadow /etc/shadow.bak
cp /etc/passwd /etc/passwd.bak
cp /etc/pam.d/passwd /etc/pam.d/passwd.bak
cp /etc/pam.d/common-password /etc/pam.d/common-password.bak
cp /etc/host.conf /etc/host.conf.bak
cp /etc/hosts.allow /etc/hosts.allow.bak
cp /etc/ntp.conf /etc/ntp.conf.bak
cp -p /etc/sysctl.conf /etc/sysctl.conf.bak
echo "============備份完成=================="
1. Check whether the minimum password-change interval is set
# rewrite the active (uncommented) PASS_MIN_DAYS line; commented lines are left alone
sed -i 's/^[[:space:]]*PASS_MIN_DAYS[[:space:]].*/PASS_MIN_DAYS 6/' /etc/login.defs
echo "檢查口令更改最小間隔天數完成"
2. Check whether the password-expiry warning period is set
sed -i 's/^[[:space:]]*PASS_WARN_AGE[[:space:]].*/PASS_WARN_AGE 30/' /etc/login.defs
echo "檢查口令過期前警告天數完成"
3. Check the password lifetime
sed -i 's/^[[:space:]]*PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS 90/' /etc/login.defs
echo "檢查口令生存周期完成"
4. Check the minimum password length
sed -i 's/^[[:space:]]*PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN 6/' /etc/login.defs
echo "檢查口令最小長度完成"
5. Check whether a GRUB/LILO password is set
# password=123456 is the page's placeholder value; GRUB legacy expects "password --md5 <hash>"
# in menu.lst and LILO expects "password=<value>" in lilo.conf, so use a hashed value in practice.
# ">>" creates the file when it does not exist, so no separate existence test is needed.
grub="/etc/menu.lst"
echo password=123456 >> "$grub"
lilo="/etc/lilo.conf"
echo password=123456 >> "$lilo"
6. Check whether core dumps are disabled
# limits.conf ships with only commented examples such as "#* soft core 0"; editing the value
# inside such a line leaves it commented, so active entries are appended instead if absent
if ! grep -Eq '^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core' /etc/security/limits.conf; then
    echo "* hard core 0" >> /etc/security/limits.conf
fi
echo "設置* hard core 0完成"
if ! grep -Eq '^[[:space:]]*\*[[:space:]]+soft[[:space:]]+core' /etc/security/limits.conf; then
    echo "* soft core 0" >> /etc/security/limits.conf
fi
echo "設置* soft core 0完成"
7. Check whether the Ctrl+Alt+Del key combination is disabled
# comment out every active line that runs /sbin/shutdown (Upstart-style configuration)
if grep -q '^[^#]*/sbin/shutdown' /etc/control-alt-delete.conf 2>/dev/null; then
    sed -i '/^[^#]*\/sbin\/shutdown/ s/^/#/' /etc/control-alt-delete.conf
else
    echo ok
fi
8. Check the size and number of saved history entries
# the page's values: keep only 5 lines of history; these are appended, so an earlier HISTSIZE in /etc/profile is overridden
echo "HISTFILESIZE=5" >> /etc/profile
echo " 檢查保留歷史命令的記錄文件大小完成"
echo "HISTSIZE=5" >> /etc/profile
echo "檢查保留歷史命令的條數完成"
9. Check whether the PAM module restricts su to root to members of the wheel group
10. Check whether the /etc/issue.net file has been removed
if [ -f /etc/issue.net ]; then
    mv /etc/issue.net /etc/issue.net.bak
else
    echo "issue.net 文件不存在"
fi
if [ -f /etc/issue ]; then
    mv /etc/issue /etc/issue.bak
else
    echo "issue 文件不存在"
fi
11. Whether accounts unrelated to device operation and maintenance have been removed
12. Check the limit on password reuse
13. Check whether a limit on failed authentication attempts is configured
# This block sets the password-reuse limit (item 12) and password complexity; it does not
# add a failed-login counter for item 13. It edits /etc/pam.d/system-auth in place after a backup.
cd /etc/pam.d || exit 1
if [ -f system-auth ]; then
    cp -p system-auth /etc/system-auth.bak
    # line number of the active pam_unix password entry (the one carrying "md5")
    kk=$(grep -n 'pam_unix.so' system-auth | grep -v '^[0-9]*:[[:space:]]*#' | grep md5 | cut -d: -f1 | head -n1)
    echo "$kk"
    version="password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=500"
    if [ -n "$kk" ]; then
        sed -i "${kk}c $version" system-auth
    fi
    # require at least one upper-case, one lower-case and one digit on the pam_cracklib line
    letter=$(grep -n 'pam_cracklib.so' system-auth | grep password | grep requisite | cut -d: -f1 | head -n1)
    if [ -n "$letter" ]; then
        sed -i "${letter}s/pam_cracklib.so/& ucredit=-1 lcredit=-1 dcredit=-1 /" system-auth
    fi
fi
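Items 9, 12 and 13 above are listed without code. The following is an added example written for this article (not the page's script): it reads PAM configuration text and reports whether su is restricted to the wheel group (pam_wheel), what password history is kept (the remember= value on the pam_unix password line), and what failed-login limit is set (the deny= value on a pam_tally2 or pam_faillock auth line). The PAM files are constructed samples written to temporary files; nothing on the live system is read or changed.

```shell
#!/bin/sh
# Added example: read-only checks for items 9, 12 and 13 over PAM files.
# The sample files below are constructed for the example.

# active_lines FILE -> the file without comment and blank lines
active_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# check_su_wheel FILE -> 0 if an active "auth required pam_wheel.so" line exists
check_su_wheel() {
    active_lines "$1" | grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_wheel\.so'
}

# password_remember FILE -> the remember= value on the pam_unix password line, or nothing
password_remember() {
    active_lines "$1" | awk '$1 == "password" && /pam_unix\.so/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^remember=/) { sub(/^remember=/, "", $i); print $i }
    }'
}

# lockout_deny FILE -> the deny= value on the pam_tally2/pam_faillock auth line, or nothing
lockout_deny() {
    active_lines "$1" | awk '$1 == "auth" && /pam_(tally2|faillock)\.so/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^deny=/) { sub(/^deny=/, "", $i); print $i; exit }
    }'
}

# pam_report SU_FILE AUTH_FILE -> one summary line per check
pam_report() {
    if check_su_wheel "$1"; then echo "su: restricted to wheel group"; else echo "su: NOT restricted to wheel group"; fi
    r=$(password_remember "$2"); echo "password reuse: remember=${r:-unset}"
    d=$(lockout_deny "$2");      echo "failed-login limit: deny=${d:-unset}"
}

# constructed /etc/pam.d/su with pam_wheel active
SU_OK=$(mktemp)
cat > "$SU_OK" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
EOF
# constructed variant with the pam_wheel line still commented out
SU_WEAK=$(mktemp)
sed 's/^auth\([[:space:]]*required[[:space:]]*pam_wheel\)/#auth\1/' "$SU_OK" > "$SU_WEAK"
# constructed system-auth: lockout after 5 failures, history of 5 passwords
AUTH=$(mktemp)
cat > "$AUTH" <<'EOF'
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
EOF

pam_report "$SU_OK" "$AUTH"
pam_report "$SU_WEAK" "$AUTH"
```

The checks match directives by name only; they do not verify the order of the PAM stack, which also matters (a pam_tally2 line placed after a `sufficient` pam_unix line is never reached on a successful login).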
14. Check whether IP spoofing protection and binding are configured
# "nospoof on" makes the resolver reject a host whose reverse and forward lookups disagree;
# the original script replaced every "on" in host.conf with "off", which switches that protection off
if grep -Eq '^[[:space:]]*nospoof[[:space:]]+on' /etc/host.conf; then
    echo "nospoof already on"
else
    echo "沒有關閉ip偽裝"
    sed -i '/^[[:space:]]*nospoof/d' /etc/host.conf
    echo "nospoof on" >> /etc/host.conf
fi
echo " 關閉IP偽裝完成"
15. Check the /etc/hosts.allow and /etc/hosts.deny configuration
# tcp_wrappers syntax is "daemon_list : client_list"; 172.18.12. is the page's example network
# (a trailing dot matches the whole prefix). Back up to .bak rather than copying a file onto itself.
cd /etc || exit 1
if [ -f hosts.allow ]; then
    cp -p hosts.allow hosts.allow.bak
    echo "ALL: 172.18.12." >> hosts.allow
    echo "sshd: 172.18.12." >> hosts.allow
fi
if [ -f hosts.deny ]; then
    cp -p hosts.deny hosts.deny.bak
    echo "ALL: ALL" >> hosts.deny
fi
16.
17. Check whether important files carry the SUID/SGID bits
# GNU find no longer accepts "-perm +6000"; "-perm /6000" matches a file with either bit set
find /usr/bin/chage /usr/bin/gpasswd /usr/bin/wall /usr/bin/chfn /usr/bin/chsh /usr/bin/newgrp /usr/bin/write /usr/sbin/usernetctl /usr/sbin/traceroute /bin/mount /bin/umount /bin/ping /sbin/netreport -type f -perm /6000 2>/dev/null > file.txt
if [ -s file.txt ]; then
    echo " find。。這條命令有輸出"
    # clearing the bits makes these commands unusable for non-root users (mount, umount and ping in particular)
    for i in $(cat file.txt); do
        chmod 755 "$i"
    done
else
    echo "find 。。這條命令沒有輸出"
fi
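Instead of stripping the bits from everything the find returns, a baseline check can compare the SUID/SGID files it finds against an allow-list and report only the unexpected ones, so commands that legitimately need the bit keep working. The block below is an added example written for this article (not the page's code); the directory tree and allow-list are constructed in temporary files, and the file names in it are assumptions, not real system binaries.

```shell
#!/bin/sh
# Added example: audit SUID/SGID files under a directory against an allow-list.
# The tree and the allow-list are constructed here for the example.

# list_setuid DIR -> regular files under DIR with the SUID or SGID bit set, sorted
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# audit_setuid DIR ALLOWFILE -> prints SUID/SGID files whose full path is not a
# line of ALLOWFILE; returns 0 when there are none, 1 otherwise
audit_setuid() {
    unexpected=$(list_setuid "$1" | grep -vxF -f "$2")
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# constructed tree: two expected set-id files, one plain file, one hidden
# set-id file in a tmp directory (the kind of finding the audit should raise)
ROOT=$(mktemp -d)
mkdir -p "$ROOT/bin" "$ROOT/tmp"
: > "$ROOT/bin/mount"; chmod 4755 "$ROOT/bin/mount"
: > "$ROOT/bin/ping";  chmod 2755 "$ROOT/bin/ping"
: > "$ROOT/bin/ls";    chmod 0755 "$ROOT/bin/ls"
: > "$ROOT/tmp/.x";    chmod 4755 "$ROOT/tmp/.x"
ALLOW=$(mktemp)
printf '%s\n' "$ROOT/bin/mount" "$ROOT/bin/ping" > "$ALLOW"

if audit_setuid "$ROOT" "$ALLOW"; then
    echo "no unexpected SUID/SGID files under $ROOT"
else
    echo "review the files listed above"
fi
```

On a real host the allow-list would be generated once from a freshly installed system and kept under change control; a diff against it then points at exactly the files that changed, and each one can be reviewed before its permissions are altered.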
18.
19. Permission settings
chmod 644 /etc/passwd
chmod 644 /etc/group
chmod 400 /etc/shadow
#chmod 600 /etc/xinetd.conf
chmod 644 /etc/services
# /etc/security is a directory; 600 removes the execute bit that non-root processes need to enter it
chmod 600 /etc/security
chmod 600 /etc/grub.conf
chmod 600 /boot/grub/grub.conf
chmod 600 /etc/lilo.conf
echo "文件權限設置完成"
Here are a few comprehensive scripts from experienced practitioners:
1.
#!/bin/bash
# Script 1. Most edits are made to copies under /home/test1 (the author's
# staging directory) and are not installed back; only the chmod, banner and
# sshd restart steps act on the live system.
STAGE=/home/test1
mkdir -p "$STAGE"

echo ---------------開始--------------------
echo ---------------aboutkey----------------
if [ -f /etc/login.defs ]; then
    cp /etc/login.defs "$STAGE"
    # rewrite the active (uncommented) password-aging lines
    sed -i 's/^[[:space:]]*PASS_MIN_DAYS[[:space:]].*/PASS_MIN_DAYS 6/'  "$STAGE/login.defs"
    sed -i 's/^[[:space:]]*PASS_WARN_AGE[[:space:]].*/PASS_WARN_AGE 30/' "$STAGE/login.defs"
    sed -i 's/^[[:space:]]*PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS 90/' "$STAGE/login.defs"
    sed -i 's/^[[:space:]]*PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN 6/'   "$STAGE/login.defs"
fi
echo --------------------ok---------------------------

echo -------------------stop the del------------------------
if [ -f /etc/init/control-alt-delete.conf ]; then
    cp /etc/init/control-alt-delete.conf "$STAGE"
    # comment out the active line that runs /sbin/shutdown
    sed -i '/^[^#]*\/sbin\/shutdown/ s/^/#/' "$STAGE/control-alt-delete.conf"
fi
echo ---------------------ok---------------------------------------

echo ------------------------grub and lilo key------------------------
# password=123456 is the page's placeholder value; use a hashed boot-loader password in practice
echo password=123456 >> "$STAGE/menu.lst"
echo password=123456 >> "$STAGE/lilo.conf"
echo ---------------------ok--------------------------------------

echo ----------------------the history of mouthpasswd------------------
if [ -f /etc/profile ]; then
    cp /etc/profile "$STAGE"
    echo "HISTFILESIZE=5" >> "$STAGE/profile"
    # as on the page: this raises the soft core limit, the opposite of the core dump section below
    echo "ulimit -S -c unlimited" >> "$STAGE/profile"
fi
echo -------------------------ok---------------------

echo ------------------------issue-----------------
if [ -f /etc/issue.net ]; then
    cp /etc/issue.net "$STAGE/issue.net.bak"
    echo ok
fi
if [ -f /etc/issue ]; then
    cp /etc/issue "$STAGE/issue.bak"
    echo ok
fi

echo -----------------------allow/deny ip-------------------
# tcp_wrappers syntax is "daemon_list : client_list"; 172.18.12. is the page's example network
if [ -f /etc/hosts.allow ]; then
    cp /etc/hosts.allow "$STAGE"
    echo "ALL: 172.18.12." >> "$STAGE/hosts.allow"
    echo "sshd: 172.18.12." >> "$STAGE/hosts.allow"
fi
if [ -f /etc/hosts.deny ]; then
    cp /etc/hosts.deny "$STAGE"
    echo "ALL: ALL" >> "$STAGE/hosts.deny"
fi
echo -----------------ok------------------------
#/etc/init.d/xinetd restart

echo -----------------------------core dump-------------------
if [ -f /etc/security/limits.conf ]; then
    cp /etc/security/limits.conf "$STAGE"
    # domain and type must be separate fields ("*soft" would be read as a domain name)
    echo "* soft core 0" >> "$STAGE/limits.conf"
    echo "* hard core 0" >> "$STAGE/limits.conf"
fi
echo --------------ok-------------------------

echo ----------------------------passwdrepeat---------------------
if [ -f /etc/pam.d/system-auth ]; then
    cp /etc/pam.d/system-auth "$STAGE"
    # line number of the active pam_unix password entry carrying "md5"
    kk=$(grep -n 'pam_unix.so' "$STAGE/system-auth" | grep -v '^[0-9]*:[[:space:]]*#' | grep md5 | cut -d: -f1 | head -n1)
    echo "$kk"
    version="password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=500"
    [ -n "$kk" ] && sed -i "${kk}c $version" "$STAGE/system-auth"
    # add complexity requirements to the pam_cracklib line
    letter=$(grep -n 'pam_cracklib.so' "$STAGE/system-auth" | grep password | grep requisite | cut -d: -f1 | head -n1)
    [ -n "$letter" ] && sed -i "${letter}s/pam_cracklib.so/& ucredit=-1 lcredit=-1 dcredit=-1 /" "$STAGE/system-auth"
fi
echo -----------------ok--------------------

echo --------------------超出退出--------------
# profile was already copied above; copying it again would discard the history settings
if [ -f "$STAGE/profile" ]; then
    echo "export TMOUT=600" >> "$STAGE/profile"
fi
echo ------------------ok-------------------

echo ------------------權限-------------------
chmod 644 /etc/passwd
chmod 644 /etc/group
chmod 400 /etc/shadow
#chmod 600 /etc/xinetd.conf
chmod 644 /etc/services
chmod 600 /etc/security
chmod 600 /etc/grub.conf
chmod 600 /boot/grub/grub.conf
chmod 600 /etc/lilo.conf

echo ------------------unmask--------------------
cp /etc/csh.cshrc /etc/csh.login /etc/bashrc "$STAGE"
# match the umask lines by pattern (case-insensitive) instead of the hard-coded
# line numbers 11/58/66/62, which only hold for one distribution's files
for f in csh.cshrc csh.login bashrc profile; do
    sed -i 's/^\([[:space:]]*\)umask[[:space:]].*/\1umask 077/I' "$STAGE/$f"
done

echo --------------------before login banner-------------------
# create the banner only when it is missing (the original tested "-f", so it never wrote a new one)
if [ ! -f /etc/ssh_banner ]; then
    echo "Authorized only.All activity will be monitored and reported" > /etc/ssh_banner
    chown bin:bin /etc/ssh_banner
    chmod 644 /etc/ssh_banner
fi
echo -----------------------ok----------------------------

echo -------------------stop root ssh login------------------
cp /etc/pam.d/login "$STAGE"
echo "auth required pam_securetty.so" >> "$STAGE/login"
cp /etc/ssh/sshd_config "$STAGE"
echo "Banner /etc/ssh_banner" >> "$STAGE/sshd_config"
echo "PermitRootLogin no" >> "$STAGE/sshd_config"
# takes effect only after the staged sshd_config has been installed to /etc/ssh/sshd_config
service sshd restart
echo -------------------------ok-------------------

echo --------------------openssh----------------------------
sed -i 's/^[[:space:]]*Protocol[[:space:]].*/Protocol 2/' "$STAGE/sshd_config"
echo -------------ok---------------------------
2.
#!/bin/bash
# Check-only script: it prints a report and changes nothing on the host, apart from
# copying suspicious samples to /tmp/ and creating /etc/md5db on the first run.
read -r key    # pause until Enter is pressed (as on the page)
echo "警告:本腳本只是一個檢查的操作,未對服務器做任何修改,管理員可以根據此報告進行相應的設置。"
echo ---------------------------------------主機安全檢查-----------------------
echo "系統版本"
uname -a
echo --------------------------------------------------------------------------
echo "本機的ip地址是:"
ifconfig | grep --color "\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}"
echo --------------------------------------------------------------------------
# accounts whose password field does not start with "!" or "*" are not locked
awk -F":" '{if($2!~/^[!*]/){print "("$1")" " 是一個未被鎖定的賬戶,請管理員檢查是否需要鎖定它或者刪除它。"}}' /etc/shadow
echo --------------------------------------------------------------------------
grep -E "^PASS_MAX_DAYS" /etc/login.defs | awk '{if($2!=90){print "/etc/login.defs里面的"$1 "設置的是"$2"天,請管理員改成90天。"}}'
echo --------------------------------------------------------------------------
grep -E "^PASS_MIN_LEN" /etc/login.defs | awk '{if($2!=6){print "/etc/login.defs里面的"$1 "設置的是"$2"個字符,請管理員改成6個字符。"}}'
echo --------------------------------------------------------------------------
grep -E "^PASS_WARN_AGE" /etc/login.defs | awk '{if($2!=10){print "/etc/login.defs里面的"$1 "設置的是"$2"天,請管理員將口令到期警告天數改成10天。"}}'
echo --------------------------------------------------------------------------
grep -q TMOUT /etc/profile /etc/bashrc || echo "未設置登錄超時限制,請設置之,設置方法:在/etc/profile或者/etc/bashrc里面添加TMOUT=600參數"
echo --------------------------------------------------------------------------
if ps -elf | grep xinet | grep -v "grep xinet"; then
    echo "xinetd 服務正在運行,請檢查是否可以把xinnetd服務關閉"
else
    echo "xinetd 服務未開啟"
fi
echo --------------------------------------------------------------------------
echo "查看系統密碼文件修改時間"
ls -ltr /etc/passwd
echo --------------------------------------------------------------------------
echo "查看是否開啟了ssh服務"
if service sshd status | grep -E "listening on|active \(running\)"; then
    echo "SSH服務已開啟"
else
    echo "SSH服務未開啟"
fi
echo --------------------------------------------------------------------------
echo "查看是否開啟了TELNET服務"
# xinetd writes the key with spaces ("disable = no"), so allow optional whitespace
if grep -Eq "disable[[:space:]]*=[[:space:]]*no" /etc/xinetd.d/telnetd 2>/dev/null; then
    echo "TELNET服務已開啟 "
else
    echo "TELNET服務未開啟 "
fi
echo --------------------------------------------------------------------------
echo "查看系統SSH遠程訪問設置策略(host.deny拒絕列表)"
if grep -E "sshd" /etc/hosts.deny; then
    echo "遠程訪問策略已設置 "
else
    echo "遠程訪問策略未設置 "
fi
echo --------------------------------------------------------------------------
echo "查看系統SSH遠程訪問設置策略(hosts.allow允許列表)"
if grep -E "sshd" /etc/hosts.allow; then
    echo "遠程訪問策略已設置 "
else
    echo "遠程訪問策略未設置 "
fi
echo "當hosts.allow和 host.deny相沖突時,以hosts.allow設置為准。"
echo -------------------------------------------------------------------------
echo "查看shell是否設置超時鎖定策略"
# the shell variable is TMOUT (the original looked for "TIMEOUT= ", which never matches)
if grep -E "TMOUT=" /etc/profile; then
    echo "系統設置了超時鎖定策略 "
else
    echo "未設置超時鎖定策略 "
fi
echo -------------------------------------------------------------------------
echo "查看syslog日志審計服務是否開啟"
if service syslog status | grep -E "active \(running"; then
    echo "syslog服務已開啟"
else
    echo "syslog服務未開啟,建議通過service syslog start開啟日志審計功能"
fi
echo -------------------------------------------------------------------------
echo "查看syslog日志是否開啟外發"
# an active rule whose action starts with @ (UDP) or @@ (TCP) forwards to a remote host
if grep -E "^[^#].*[[:space:]]@@?[[:alnum:]]" /etc/rsyslog.conf; then
    echo "客戶端syslog日志已開啟外發"
else
    echo "客戶端syslog日志未開啟外發"
fi
echo -------------------------------------------------------------------------
echo "查看passwd文件中有哪些特權用戶"
awk -F: '$3==0 {print $1}' /etc/passwd
echo ------------------------------------------------------------------------
echo "查看系統中是否存在空口令賬戶"
# an empty second field means no password at all; "!!" (which the original tested) means locked
awk -F: '($2=="") {print $1}' /etc/shadow
echo "該結果不適用於Ubuntu系統"
echo ------------------------------------------------------------------------
echo "查看系統中root用戶外連情況"
# lsof reports listening sockets as "LISTEN", not "LISTENING"
lsof -u root | grep -E "ESTABLISHED|SYN_SENT|LISTEN"
echo ----------------------------狀態解釋------------------------------
echo "ESTABLISHED的意思是建立連接。表示兩台機器正在通信。"
echo "LISTENING的"
echo "SYN_SENT狀態表示請求連接"
echo ------------------------------------------------------------------------
echo "查看系統中root用戶TCP連接情況"
lsof -u root | grep -E "TCP"
echo ------------------------------------------------------------------------
echo "查看系統中存在哪些非系統默認用戶"
echo "root:x:“該值大於500為新創建用戶,小於或等於500為系統初始用戶”"
awk -F ":" '{if($3>500){print "/etc/passwd里面的"$1 "的值為"$3",請管理員確認該賬戶是否正常。"}}' /etc/passwd
echo ------------------------------------------------------------------------
echo "檢查系統守護進程"
grep -v "^#" /etc/xinetd.d/rsync
echo ------------------------------------------------------------------------
echo "檢查系統是否存在入侵行為"
grep refused /var/log/secure
echo ------------------------------------------------------------------------

# scan_sig LABEL GLOB PATTERN: list files matching GLOB whose content matches the
# signature PATTERN and copy the hits to /tmp/ for analysis. The files are found
# once per type (the original ran the same find three times for each type).
scan_sig() {
    label=$1; glob=$2; pattern=$3
    hits=$(find / -type f -name "$glob" -print0 2>/dev/null | xargs -0 -r grep -lE "$pattern" 2>/dev/null)
    if [ -n "$hits" ]; then
        echo "檢測到$label"
        printf '%s\n' "$hits"
        printf '%s\n' "$hits" | xargs -I{} cp {} /tmp/
        echo "可疑樣本已拷貝到/tmp/目錄"
    else
        echo "未檢測到$label"
    fi
}

echo "-----------------------檢查系統是否存在PHP腳本后門---------------------"
# single quotes keep $query, $dbconn and the other PHP variable names literal (they are escaped for grep -E)
PHP_SIG='mysql_query\(\$query, \$dbconn\)|專用網馬|udf.dll|class PHPzip\{|ZIP壓縮程序 荒野無燈修改版|\$writabledb|AnonymousUserName|eval\(|Root_CSS\(\)|黑狼PHP木馬|eval\(gzuncompress\(base64_decode|if\(empty\(\$_SESSION|\$shellname|\$work_dir |PHP木馬|Array\("\$filename"| eval\(\$_POST\[|class packdir|disk_total_space|wscript.shell|cmd.exe|shell.application|documents and settings|system32|serv-u|提權|phpspy|后門'
scan_sig "PHP腳本后門" '*.php' "$PHP_SIG"
echo ------------------------------------------------------------------------
echo "-----------------------檢查系統是否存在JSP腳本后門---------------------"
JSP_SIG='InputStreamReader\(this.is\)|W_SESSION_ATTRIBUTE|strFileManag|getHostAddress|wscript.shell|gethostbyname|cmd.exe|documents and settings|system32|serv-u|提權|jspspy|后門'
scan_sig "JSP腳本后門" '*.jsp' "$JSP_SIG"
echo ------------------------------------------------------------------------
echo "----------------------檢查系統是否存在HTML惡意代碼---------------------"
HTML_SIG='WriteData|svchost.exe|DropPath|wsh.Run|WindowBomb|a1.createInstance|CurrentVersion|myEncString|DropFileName|a = prototype;|204.351.440.495.232.315.444.550.64.330'
scan_sig "HTML惡意代碼" '*.html' "$HTML_SIG"
echo "----------------------檢查系統是否存在perl惡意程序----------------------"
PERL_SIG='SHELLPASSWORD|shcmd|backdoor|setsockopt|IO::Socket::INET;'
scan_sig "perl惡意程序" '*.pl' "$PERL_SIG"
echo "----------------------檢查系統是否存在Python惡意程序----------------------"
PY_SIG='execCmd|cat /etc/issue|getAppProc|exploitdb'
scan_sig "Python惡意程序" '*.py' "$PY_SIG"
echo ------------------------------------------------------------------------
echo "-----------------------檢查系統是否存在惡意程序---------------------"
# strings typical of known local-root exploit binaries; -a treats binaries as text, -l prints only file names
BIN_SIG="UpdateProcessER12CUpdateGatesE6C|CmdMsg\.cpp|MiniHttpHelper.cpp|y4'r3 1uCky k1d!|execve@@GLIBC_2.0|initfini.c|ptmalloc_unlock_all2|_IO_wide_data_2|system@@GLIBC_2.0|socket@@GLIBC_2.0|gettimeofday@@GLIBC_2.0|execl@@GLIBC_2.2.5|WwW.SoQoR.NeT|2.6.17-2.6.24.1.c|Local Root Exploit|close@@GLIBC_2.0|syscall\(__NR_vmsplice,|Linux vmsplice Local Root Exploit|It looks like the exploit failed|getting root shell"
find / -type f -perm -111 -print0 2>/dev/null | xargs -0 -r grep -alE "$BIN_SIG" 2>/dev/null
echo ------------------------------------------------------------------------
echo "檢查網絡連接和監聽端口"
netstat -an
echo "--------------------------路由表、網絡連接、接口信息--------------"
netstat -rn
echo "------------------------查看網卡詳細信息--------------------------"
ifconfig -a
echo ------------------------------------------------------------------------
echo "查看正常情況下登錄到本機的所有用戶的歷史記錄"
last
echo ------------------------------------------------------------------------
echo "檢查系統中core文件是否開啟"
ulimit -c
echo "core是unix系統的內核。當你的程序出現內存越界的時候,操作系統會中止你的進程,並將當前內存狀態倒出到core文件中,以便進一步分析,如果返回結果為0,則是關閉了此功能,系統不會生成core文件"
echo ------------------------------------------------------------------------
echo "檢查系統中關鍵文件修改時間"
# in ls -l output fields 6-8 are the timestamp and field 9 is the file name
ls -ltr /bin/ls /bin/login /etc/passwd /bin/ps /usr/bin/top /etc/shadow | awk '{print "文件名:"$9" ""最后修改時間:"$6" "$7" "$8}'
echo "ls文件:是存儲ls命令的功能函數,被刪除以后,就無法執行ls命令,黑客可利用篡改ls文件來執行后門或其他程序。 login文件:login是控制用戶登錄的文件,一旦被篡改或刪除,系統將無法切換用戶或登陸用戶 user/bin/passwd是一個命令,可以為用戶添加、更改密碼,但是,用戶的密碼並不保存在/etc/passwd當中,而是保存在了/etc/shadow當中 etc/passwd是一個文件,主要是保存用戶信息。 sbin/portmap是文件轉換服務,缺少該文件后,無法使用磁盤掛載、轉換類型等功能。 bin/ps 進程查看命令功能支持文件,文件損壞或被更改后,無法正常使用ps命令。 usr/bin/top top命令支持文件,是Linux下常用的性能分析工具,能夠實時顯示系統中各個進程的資源占用狀況。 etc/shadow shadow 是 /etc/passwd 的影子文件,密碼存放在該文件當中,並且只有root用戶可讀。"
echo --------------------------------------------------------------------------
echo "-------------------查看系統日志文件是否存在--------------------"
log=/var/log/syslog
log2=/var/log/messages
if [ -e "$log" ]; then
    echo "syslog日志文件存在! "
else
    echo "/var/log/syslog日志文件不存在! "
fi
if [ -e "$log2" ]; then
    echo "/var/log/messages日志文件存在! "
else
    echo "/var/log/messages日志文件不存在! "
fi
echo --------------------------------------------------------------------------
echo "檢查系統文件完整性2(MD5檢查)"
echo "該項會獲取部分關鍵文件的MD5值並入庫,默認保存在/etc/md5db中"
echo "如果第一次執行,則會提示md5sum: /sbin/portmap: 沒有那個文件或目錄"
echo "第二次重復檢查時,則會對MD5DB中的MD5值進行匹配,來判斷文件是否被更改過"
file="/etc/md5db"
if [ -e "$file" ]; then
    md5sum -c /etc/md5db 2>&1
else
    md5sum /etc/passwd /etc/shadow /etc/group /usr/bin/passwd /sbin/portmap /bin/login /bin/ls /bin/ps /usr/bin/top >> /etc/md5db
fi
echo ----------------------------------------------------------------------
echo "------------------------主機性能檢查--------------------------------"
echo "CPU檢查"
dmesg | grep -i cpu
echo -----------------------------------------------------------------------
cat /proc/cpuinfo
echo -----------------------------------------------------------------------
echo "內存狀態檢查"
vmstat 2 5
echo -----------------------------------------------------------------------
cat /proc/meminfo
echo -----------------------------------------------------------------------
free -m
echo -----------------------------------------------------------------------
echo "文件系統使用情況"
df -h
echo -----------------------------------------------------------------------
echo "網卡使用情況"
lspci -tv
echo ----------------------------------------------------------------------
echo "查看僵屍進程"
# zombies have process state Z; "grep zombie" only matched processes with that word in their command line
ps -eo pid,ppid,stat,cmd | awk '$3 ~ /Z/'
echo ----------------------------------------------------------------------
echo "耗CPU最多的進程"
ps auxf | sort -nr -k 3 | head -5
echo ----------------------------------------------------------------------
echo "耗內存最多的進程"
ps auxf | sort -nr -k 4 | head -5
echo ----------------------------------------------------------------------
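The record-then-verify integrity check at the end of the script above, written as two functions that return a result instead of only printing. This is an added example for this article, not the script's own code; it uses sha256sum in place of the page's md5sum (MD5 collisions are practical, so a tampered file can be made to keep its MD5), and the files, the database path and the "modification" are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: file-integrity baseline with sha256sum. Files and the
# database path are constructed here; the uid-0 line appended below simulates
# a change that the second run must detect.

# integrity_record DB FILE... -> (re)writes DB with the current hash of each FILE
integrity_record() {
    db=$1; shift
    sha256sum "$@" > "$db"
}

# integrity_verify DB -> prints the name of every file whose hash differs from
# DB or that cannot be read; returns 0 when everything matches, 1 otherwise
integrity_verify() {
    changed=$(sha256sum -c --quiet "$1" 2>/dev/null | sed 's/: FAILED.*$//')
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

WORK=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$WORK/passwd"
printf 'root:x:0:\n' > "$WORK/group"
DB="$WORK/hashdb"
integrity_record "$DB" "$WORK/passwd" "$WORK/group"

# constructed change: a second uid-0 account appended to the passwd copy
printf 'extra:x:0:0::/root:/bin/bash\n' >> "$WORK/passwd"

if integrity_verify "$DB"; then
    echo "all recorded files match"
else
    echo "the files listed above changed since the database was recorded"
fi
```

The database itself has to be protected from the same attacker who might change the files: keep it read-only for root, and preferably a copy off the host, since anyone who can rewrite /etc/passwd can also re-run the record step.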