{"id":94,"date":"2024-05-24T10:00:00","date_gmt":"2023-07-13T02:00:00","guid":{"rendered":"http:\/\/123.207.45.199\/index.php\/2023\/07\/13\/%e5%ba%94%e6%80%a5%e5%93%8d%e5%ba%94-linux\/"},"modified":"2026-05-31T21:58:31","modified_gmt":"2026-05-31T13:58:31","slug":"%e5%ba%94%e6%80%a5%e5%93%8d%e5%ba%94-linux","status":"publish","type":"post","link":"https:\/\/www.redspear.cn\/index.php\/2024\/05\/24\/%e5%ba%94%e6%80%a5%e5%93%8d%e5%ba%94-linux\/","title":{"rendered":"\u5e94\u6025\u54cd\u5e94-linux"},"content":{"rendered":"

### \u4fe1\u606f\u6536\u96c6<\/p>\n

~~~
\nuname -a\t\u67e5\u770b\u7cfb\u7edf\u7248\u672c,\u5185\u6838\u7248\u672c
\nnetsat -antp\t\u67e5\u770b\u672c\u673a\u5f00\u653e\u7aef\u53e3\u4fe1\u606f
\ncat \/etc\/passwd\t\t\u67e5\u770b\u672c\u673a\u8d26\u6237 | grep “\/bin”
\n\u7528\u6237\u540d\uff1a\u5bc6\u7801\uff1a\u7528\u6237D:\u7ec4ID:\u7528\u6237\u8bf4\u660e\uff1a\u5bb6\u76ee\u5f55\uff1a\u767b\u9646\u4e4b\u540eshell
\ntop\t\t\t\u67e5\u770bcpu\u7b49\u4fe1\u606f
\nps\t\t\t\u67e5\u770b\u8fdb\u7a0b
\nwho\t\t\t\u67e5\u770b\u5f53\u524d\u767b\u5f55\u7528\u6237(tty\u672c\u5730\u767b\u5f55\tpts\u8fdc\u7a0b\u767b\u5f55)
\nW\t\t\t\u67e5\u770b\u7cfb\u7edf\u4fe1\u606f\uff0c\u60f3\u77e5\u9053\u67d0\u4e00\u65f6\u523b\u7528\u6237\u7684\u884c\u4e3a
\nlast\t\t\u67e5\u8be2\u5f53\u524d\u5df2\u7ecf\u767b\u5f55\u548c\u8fc7\u53bb\u767b\u5f55\u7684\u7528\u6237\u4fe1\u606f
\nlastlog\t\t\u67e5\u770b\u7cfb\u7edf\u4e2d\u6240\u6709\u7528\u6237\u7684\u6700\u540e\u4e00\u6b21\u767b\u5f55\u65f6\u95f4\u3001\u767b\u5f55\u7aef\u53e3\u548c\u6765\u6e90P
\n~~~<\/p>\n

\u9762\u8bd5\u9898=>\u5982\u4f55\u901a\u8fc7pid\u5b9a\u4f4d\u5230\u771f\u5b9e\u7684\u6076\u610f\u7a0b\u5e8f\/\u8fdb\u800c\u627e\u5230\u6587\u4ef6\/\u6587\u4ef6\u5939<\/p>\n

### \u5224\u65ad\u53ef\u7591\u7528\u6237<\/p>\n

~~~
\n\u5224\u65ad\u8d26\u53f7\u662f\u5426\u6709\u6dfb\u52a0\u65b0\u7684\u7528\u6237
\ncat \/etc\/passwd
\n\u7528\u6237\u540d\uff1a\u5bc6\u7801\uff1a\u7528\u6237D:\u7ec4ID:\u7528\u6237\u8bf4\u660e\uff1a\u5bb6\u76ee\u5f55\uff1a\u767b\u9646\u4e4b\u540eshell
\ncat \/etc\/shadow
\n\u6ce8\u610f\uff1a\u65e0\u5bc6\u7801\u53ea\u5141\u8bb8\u672c\u673a\u767b\u9646\uff0c\u8fdc\u7a0b\u4e0d\u5141\u8bb8\u767b\u9646
\n~~~<\/p>\n

### \u7981\u7528\/\u5220\u9664\u7528\u6237<\/p>\n

~~~
\n1.\u67e5\u8be2\u7ba1\u7406\u5458\u6743\u9650\u7528\u6237
\nawk -F: ‘$3==0{print $1}’ \/etc\/passwd<\/p>\n

2.\u67e5\u8be2\u53ef\u4ee5\u8fdc\u7a0b\u767b\u5f55\u7684\u7528\u6237
\nawk ‘\/\\$1|\\$6\/{print $1}’ \/etc\/shadow<\/p>\n

3.\u662f\u5426\u6709\u6743\u9650\u9519\u8bef\u914d\u7f6e\u7684\u7528\u6237:
\nsudo cat \/etc\/sudoers | grep -v “^#” | tr -s \u2018\\n\u2019<\/p>\n

cat \/etc\/passwd |grep “0”
\n~~~<\/p>\n

### \u8d26\u53f7\u7981\u7528<\/p>\n

~~~
\nusermod -L \u7528\u6237\u540d \u7981\u7528\u5e10\u53f7\uff0c\u5e10\u53f7\u65e0\u6cd5\u767b\u5f55\uff0c\/etc\/shadow\u7b2c\u4e8c\u680f\u4e3a!\u5f00\u5934<\/p>\n

userdel \u7528\u6237\u540d \u5220\u9664user\u7528\u6237<\/p>\n

userdel -r \u7528\u6237\u540d \u5c06\u5220\u9664user\u7528\u6237\uff0c\u5e76\u4e14\u5c06\/home\u76ee\u5f55\u4e0b\u7684user\u76ee\u5f55\u4e00\u5e76\u5220\u9664.<\/p>\n

usermod -U\t\u7528\u6237\u540d
\n~~~<\/p>\n

### \u67e5\u770b\u5386\u53f2\u547d\u4ee4<\/p>\n

~~~
\nroot\u8d26\u6237\u5386\u53f2\u547d\u4ee4\u67e5\u770b
\nhistory<\/p>\n

\u6253\u5f00\/home\u5404\u4e2a\u8d26\u53f7\u76ee\u5f55\u4e0b\u7684.bash_history,\u67e5\u770b\u666e\u901a\u8d26\u6237\u7684\u5386\u53f2\u547d\u4ee4
\n~~~<\/p>\n

### \u67e5\u770b\u5f02\u5e38\u7aef\u53e3<\/p>\n

~~~
\nnetstat -antlp| grep ESTABLISHED \u67e5\u770b\u5f00\u653e\u7aef\u53e3<\/p>\n

\u67e5\u770b\u4e0bpid\u6240\u5bf9\u5e94\u7684\u8fdb\u7a0b\u6587\u4ef6\u8def\u5f84
\n\u8fd0\u884cls -l \/proc\/$pid\/exe \u6216 file \/proc\/$PID\/exe ($PID\u4e3a\u5bf9\u5e94\u7684pid\u53f7)
\nfind \/ -iname “\u8fdb\u7a0b\u8f6f\u94fe\u63a5\u540d”
\n~~~<\/p>\n

### \u67e5\u770b\u5f02\u5e38\u8fdb\u7a0b<\/p>\n

~~~
\nps aux | grep “”
\n~~~<\/p>\n

### \u68c0\u67e5\u5f00\u673a\u542f\u52a8\u9879<\/p>\n

~~~
\ncat \/etc\/rc.local
\ncd etc\/rc.d\/rc[0~6].d
\nls -alt \/etc\/init.d
\n\u542f\u52a8\u9879\u6587\u4ef6\uff1a more \/etc\/rc.local \/etc\/rc.d\/rc[0~6].d ls -l \/etc\/rc.d\/rc3.d\/<\/p>\n

~~~<\/p>\n

### \u68c0\u67e5\u5b9a\u65f6\u4efb\u52a1<\/p>\n

~~~
\ncrontab -l \u5217\u51fa\u67d0\u4e2a\u7528\u6237cron\u670d\u52a1\u7684\u8be6\u7ec6\u5185\u5bb9
\nCrontab \u2013e \u4fee\u6539\u5b9a\u65f6\u4efb\u52a1
\nPs:\u901a\u8fc7\u4f7f\u7528crontab \u2013l\u6307\u4ee4, \u4e0d\u4f1a\u628a\u6211\u4eec\u4e0b\u9762\u7684\u5217\u51fa\u6765\u7684\u8fd9\u4e9b\u6587\u4ef6\u91cc\u9762\u7684\u5b9a\u65f6\u4efb\u52a1\u90fd\u5c55\u793a\u51fa\u6765,\u4f46\u662f\u4e0d\u5f71\u54cd\u5b9a\u65f6\u4efb\u52a1\u7684\u6267\u884c.<\/p>\n

\/var\/spool\/cron\/*
\n\/etc\/crontab(\u8fd9\u91cc\u9762\u7684\u5185\u5bb9,\u4e0d\u4f1a\u663e\u793a\u5728crontab\u4e2d)
\n\/etc\/cron.d\/*
\n\/etc\/cron.daily\/*
\n\/etc\/cron.hourly\/*
\n\/etc\/cron.monthly\/*
\n\/etc\/cron.weekly\/
\n\/etc\/anacrontab
\n\/var\/spool\/anacron\/*
\n~~~<\/p>\n

### \u68c0\u67e5\u5f02\u5e38\u4efb\u52a1<\/p>\n

~~~
\n1\u3001\u67e5\u770b\u654f\u611f\u76ee\u5f55\uff0c\u5982\/tmp\u76ee\u5f55\u4e0b\u7684\u6587\u4ef6\uff0c\u540c\u65f6\u6ce8\u610f\u9690\u85cf\u6587\u4ef6\u5939\uff0c\u4ee5\u201c..\u201d\u4e3a\u540d\u7684\u6587\u4ef6\u5939\u5177\u6709\u9690\u85cf\u5c5e\u6027
\nls -al
\nstat \u6587\u4ef6\u540d (\u53ef\u770b\u6700\u8fd1\u8bbf\u95ee,\u6700\u8fd1\u66f4\u6539.\u6700\u8fd1\u6539\u52a8)<\/p>\n

2 \u3001\u5f97\u5230\u53d1\u73b0WEBSHELL\u3001\u8fdc\u63a7\u6728\u9a6c\u7684\u521b\u5efa\u65f6\u95f4\uff0c\u5982\u4f55\u627e\u51fa\u540c\u4e00\u65f6\u95f4\u8303\u56f4\u5185\u521b\u5efa\u7684\u6587\u4ef6\uff1f<\/p>\n

Ps:\u53ef\u4ee5\u4f7f\u7528find\u547d\u4ee4\u6765\u67e5\u627e\uff0c\u5982 find \/opt -iname \u201c*\u201d -atime 1 -type f \u627e\u51fa \/opt \u6587\u4ef6\u5939\u4e0b,\u4e00\u5929\u524d\u8bbf\u95ee\u8fc7\u7684\u6587\u4ef6<\/p>\n

3\u3001\u9488\u5bf9\u53ef\u7591\u6587\u4ef6\u53ef\u4ee5\u4f7f\u7528stat\u67e5\u770b\u521b\u5efa \u4fee\u6539 \u6587\u4ef6\u65f6\u95f4\u3002
\nPs: stat \/usr\/bin\/lsof<\/p>\n

https:\/\/blog.csdn.net\/aoxue9\/article\/details\/128701236
\n~~~<\/p>\n

### linux\u65e5\u5fd7\u67e5\u770b<\/p>\n

\/var\/log\/secure<\/p>\n

![image-20230531214748637](image\/image-20230531214748637.png)<\/p>\n

### linux\u65e5\u5fd7\u6392\u9664<\/p>\n

~~~
\nlastlog\t\u7cfb\u7edf\u4e2d\u6240\u6709\u7528\u6237\u6700\u8fd1\u4e00\u6b21\u767b\u5f55\u4fe1\u606f
\nlastb\t\u7528\u4e8e\u663e\u793a\u7528\u6237\u9519\u8bef\u7684\u767b\u5f55\u5217\u8868
\n~~~<\/p>\n

### linux\u6740\u6bd2\u8f6f\u4ef6<\/p>\n

~~~
\nUbuntu\u5b89\u88c5Clamav
\napt-get install clamav
\napt-get install clamav-daemon
\nfreshclam
\nsystemctl restart clamav-freshclam.service<\/p>\n

clamscan -r \/home\t\t\t\t–\u9012\u5f52\u626b\u63cf\u4e0b\u9762\u7684\u76ee\u5f55<\/p>\n

clamscan -r \/home\/wwwroot\/ –move \/home\/test\/ –\u9012\u5f52\u626b\u63cf\u4e0b\u9762\u7684\u76ee\u5f55,\u5e76\u5c06\u75c5\u6bd2\u6587\u4ef6\u79fb\u52a8\u5230test\u76ee\u5f55\u4e0b
\n~~~<\/p>\n

### linux\u5b89\u5168\u811a\u672c<\/p>\n

~~~
\nhttps:\/\/github.com\/T0xst\/linux
\nhttps:\/\/github.com\/ppabc\/security_check
\nhttps:\/\/github.com\/MisakiKata\/Linuxcheck
\n~~~<\/p>\n

\u4e0b\u8f7drootkit\u4e13\u6740\u5de5\u5177<\/p>\n

\/bin\/ => #\t\t\u6709\u6548\u8d26\u53f7\t\t(apache\u7b49\u4e2d\u95f4\u4ef6\u9700\u6ce8\u610f)<\/p>\n

\u53ef\u7591\u8d26\u53f7=>\u9501\u5b9a<\/p>\n

rootkit\u75c5\u6bd2(\u9690\u85cf\u6587\u4ef6,\u9690\u85cf\u8fdb\u7a0b)=>\u53ef\u7be1\u6539linux\u547d\u4ee4\t\t\u7528linux\u7b2c\u4e09\u65b9\u5de5\u5177\u7bb1(\u745e\u58eb\u519b\u5200\u81ea\u5e26\u547d\u4ee4) rookkit\u4e13\u6740\u5de5\u5177<\/p>\n","protected":false},"excerpt":{"rendered":"

### \u4fe1\u606f\u6536\u96c6 ~~~ uname -a \u67e5\u770b\u7cfb\u7edf\u7248\u672c,\u5185\u6838\u7248\u672c netsat -antp \u67e5\u770b\u672c\u673a\u5f00\u653e\u7aef\u53e3 … <\/p>\n","protected":false},"author":3,"featured_media":96,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-94","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-neiwang"],"_links":{"self":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/94","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/comments?post=94"}],"version-history":[{"count":1,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/94\/revisions"}],"predecessor-version":[{"id":145,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/94\/revisions\/145"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/media\/96"}],"wp:attachment":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/media?parent=94"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/categories?post=94"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/tags?post=94"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}