快速应急响应



Emergency Response

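#!/usr/bin/env bash
# Emergency Response By HSCSEC - quick Linux triage collector.
#
# Every artefact is appended to ./result.log, the path the documented usage
# (wget ... && ./er.sh) expects, so callers need not change. Run as root:
# /etc/shadow, /var/spool/cron and the auth logs are unreadable otherwise.
# Nothing is fatal on purpose - a missing file or tool is noted in the report
# and collection continues, because a triage run must not stop at the first
# host that has no chkconfig or netstat (set -e is deliberately not used).
#
# Security notes:
#  - result.log holds /etc/shadow hashes, sudoers rules and shell histories.
#    umask 077 keeps it owner-readable only; treat it as sensitive and copy it
#    off the host rather than leaving it behind.
#  - Everything below runs the host's own binaries. On a rootkitted box
#    ps/netstat/ls may lie; cross-check with a trusted static toolkit.
umask 077
OUT=result.log

if [ "$(id -u)" -ne 0 ]; then
  printf 'warning: not running as root, several sections will be empty\n' >&2
fi

# hdr TITLE    - sub-section separator in the report
hdr()    { printf '%s\n' "----------------$1----------------" >> "$OUT"; }
# banner TITLE - block separator in the report
banner() { printf '%s\n' "################$1################" >> "$OUT"; }
# blank        - three empty lines between blocks (original layout)
blank()  { printf '\n\n\n' >> "$OUT"; }

# run CMD ... - append CMD's stdout to the report; a failing or missing
# command leaves a marker instead of a silently empty section.
run() {
  if ! "$@" >> "$OUT" 2>/dev/null; then
    printf '[!] %s: failed or not available\n' "$*" >> "$OUT"
  fi
}

# dump_file FILE - cat one file, or note that it is absent.
dump_file() {
  if [ -f "$1" ]; then
    cat -- "$1" >> "$OUT"
  else
    printf '[!] %s: not found\n' "$1" >> "$OUT"
  fi
}

# dump_dir DIR - cat every regular file in DIR, dotfiles included.
# The original `cat DIR/.*` also expanded to . and .. and errored on them;
# the two dot patterns below cover hidden names without those entries.
dump_dir() {
  local f
  for f in "$1"/* "$1"/.[!.]* "$1"/..?*; do
    [ -f "$f" ] || continue
    printf '== %s ==\n' "$f" >> "$OUT"
    cat -- "$f" >> "$OUT"
  done
}

# auth_grep PATTERN - grep the sshd/PAM log of either log family
# (RHEL: /var/log/secure, Debian: /var/log/auth.log). Files are always named
# explicitly so grep never falls back to reading stdin when none exists.
auth_grep() { grep -h -- "$1" /var/log/secure /var/log/auth.log 2>/dev/null; }

# src_ips - extract the "from <addr>" field of sshd lines on stdin.
# A fixed column ($11) is not used because "invalid user X" shifts the
# fields; the character class also accepts IPv6 addresses.
src_ips() { grep -oE 'from [0-9a-fA-F.:]+' | awk '{print $2}'; }

# count_sorted - frequency table, most common first. uniq -c only collapses
# adjacent lines, so the input must be sorted first (the original skipped this).
count_sorted() { sort | uniq -c | sort -nr; }

: > "$OUT"
banner 'Emergency Response By HSCSEC'
hdr 'uptime';            run uptime
hdr 'netstat -antlp'
if command -v netstat >/dev/null 2>&1; then
  run netstat -antlp        # `| more` dropped: a pager inside a pipeline adds nothing
else
  run ss -antlp             # netstat is absent on newer distros; ss is the replacement
fi
hdr '/etc/rc.local'
run ls -l /etc/rc.local
dump_file /etc/rc.local     # contents matter for persistence, not just the mode/mtime
hdr 'ps aux | grep crond'
ps aux | grep '[c]rond' >> "$OUT"   # [c] so the grep process does not match itself
hdr 'chkconfig'
if command -v chkconfig >/dev/null 2>&1; then
  run chkconfig --list
  hdr 'chkconfig --list | grep'
  chkconfig --list 2>/dev/null | grep '3:on\|5:on' >> "$OUT"
else
  run systemctl list-unit-files --type=service --state=enabled   # systemd hosts
fi
hdr '/etc/rsyslog.conf'; dump_file /etc/rsyslog.conf
blank

banner CRONTAB
hdr '/etc/anacrontab';   dump_file /etc/anacrontab
hdr '/etc/crontab';      dump_file /etc/crontab
hdr 'crontab/root'
# Debian keeps per-user crontabs under crontabs/, RHEL directly under cron/
for f in /var/spool/cron/crontabs/root /var/spool/cron/root; do
  [ -f "$f" ] && dump_file "$f"
done
hdr '/etc/cron.d/*';     dump_dir /etc/cron.d
hdr 'cron daily';        dump_dir /etc/cron.daily
hdr 'cron hourly';       dump_dir /etc/cron.hourly   # original repeated chkconfig here and never read cron.hourly/*
hdr 'cron monthly';      dump_dir /etc/cron.monthly
hdr 'cron weekly';       dump_dir /etc/cron.weekly
hdr 'cron/*/*'
for f in /var/spool/cron/*/* /var/spool/cron/*; do
  [ -f "$f" ] && { printf '== %s ==\n' "$f"; cat -- "$f"; } >> "$OUT"
done
hdr 'spool anacron';     dump_dir /var/spool/anacron
banner CRONTAB
blank

banner SECURE
hdr '/etc/passwd';       dump_file /etc/passwd
hdr '/etc/shadow';       dump_file /etc/shadow
hdr 'Other user for sudo'
# sudoers.d is where packages and admins usually drop rules; include it
grep -v '^#\|^$' /etc/sudoers /etc/sudoers.d/* 2>/dev/null | grep 'ALL=(ALL)' >> "$OUT"
hdr 'Remote login account'
# Accounts whose hash field starts with '$', i.e. a usable password. The
# original /\$1|\$6/ caught only MD5 and SHA-512 and missed $5 (SHA-256),
# $y (yescrypt) and $2 (bcrypt). Locked (!) and disabled (*) entries are skipped.
awk -F: '$2 ~ /^\$/ {print $1}' /etc/shadow >> "$OUT" 2>/dev/null
hdr 'Failed password for root'
auth_grep 'Failed password for root' | src_ips | count_sorted >> "$OUT"
hdr 'Failed password IP'
auth_grep 'Failed password' | src_ips | count_sorted >> "$OUT"
hdr 'Failed password USER'
auth_grep 'Failed password' | sed -n 's/.*Failed password for \(.*\) from .*/\1/p' | count_sorted >> "$OUT"
hdr 'Login Accepted DATA USER IP'
# Full lines instead of awk columns: field numbers shift with the syslog
# timestamp format, and the raw line keeps method (publickey/password) too.
auth_grep 'Accepted ' >> "$OUT"
hdr 'Login Accepted'
auth_grep 'Accepted ' | src_ips | count_sorted >> "$OUT"
hdr 'useradd';           auth_grep useradd >> "$OUT"
hdr 'userdel';           auth_grep userdel >> "$OUT"
hdr 'last';              run last
hdr 'lastlog';           run lastlog
hdr 'lastb';             run lastb
hdr 'Kernel and public information logs'
# /var/log/messages is a file, not a directory (original used messages/*);
# the Debian family writes the same stream to /var/log/syslog.
for f in /var/log/messages /var/log/syslog; do
  [ -f "$f" ] && dump_file "$f"
done
hdr 'history'
# `history` is empty inside a non-interactive script; read the files instead.
# Attackers often `unset HISTFILE`, so an empty file is itself a finding.
for f in /root/.bash_history /home/*/.bash_history; do
  [ -f "$f" ] && { printf '== %s ==\n' "$f"; cat -- "$f"; } >> "$OUT"
done
hdr 'top'
run top -b -n 1           # batch mode; plain `top` aborts without a tty
banner SECURE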

################README################

################Author################

Author:kayden

Mail:kayden@hscsec.cn

Website:www.hscsec.cn

######################################

Usage:

wget --http-user=er@hscsec.cn --http-passwd=HSC2019 er.hscsec.cn/er.sh && chmod +x er.sh && ./er.sh

Notes: `chmod +777` is not a valid mode string (chmod rejects it); `+x` is what is needed. A password passed on the command line ends up in shell history and is visible to every local user via `ps`; prefer `--ask-password` or a `~/.netrc` entry. Fetch the script over HTTPS and verify its checksum before running it as root on a possibly compromised host.

Output:

result.log

################Other instructions################

其他说明

用户信息文件 /etc/passwd

root:x:0:0:root:/root:/bin/bash

account:password:UID:GID:GECOS:directory:shell

用户名:密码:用户ID:组ID:用户说明:家目录:登陆之后的 shell

注意:无密码只允许本机登陆,远程不允许登陆

影子文件 /etc/shadow

root:66oGs1PqhL2p3ZetrE$X7o7bzoouHQVSEmSgsYN5UD4.kMHx6qgbTqwNVC5oOAouXvcjQSt.Ft7ql1WpkopY0UV9ajBwUt1DpYxTCVvI/:16809:0:99999:7:::

用户名:加密密码:密码最后一次修改日期:两次密码的修改时间间隔:密码有效期:密码修改到期到的警告天数:密码过期之后的宽限天数:账号失效时间:保留

查询特权用户特权用户(uid 为0)

awk -F: '$3==0{print $1}' /etc/passwd   # 第三栏 UID 为 0 即特权账号(原文的 $ 被页面吞掉了)

查询可以远程登录的帐号信息

awk -F: '$2 ~ /^\$/ {print $1}' /etc/shadow   # 第二栏以 $ 开头即设有可用密码;原来的 /\$1|\$6/ 只匹配 MD5 和 SHA-512,会漏掉 $5(SHA-256)、$y(yescrypt)、$2(bcrypt)等哈希

禁用或删除多余及可疑的帐号

usermod -L user 锁定帐号密码,/etc/shadow 第二栏变为 ! 开头;注意这只禁止密码登录,SSH 公钥登录仍然可用,要彻底禁用请同时设置过期:usermod -L -e 1 user(man usermod 亦如此建议)

userdel user 删除 user 用户

userdel -r user 将删除 user 用户,并且将 /home 目录下的 user 目录一并删除

获取并记录进程的文件路径:

ls -l /proc/$PID/exe   # 二进制已被删除时会显示 (deleted),此时仍可 cp /proc/$PID/exe /root/evidence/ 保全样本;/proc/$PID/cmdline、cwd 和 fd/ 也一并记录

file /proc/$PID/exe

杀进程

kill -9 $PID   # 先完成上一步的取证再杀进程;杀完后重新 ps 确认没有被其他进程(cron、守护进程)重新拉起

下线用户

pkill -kill -t pts/1

################Rootkit查杀################

chkrootkit

[www.chkrootkit.org](http://www.chkrootkit.org)

使用方法:

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz   # FTP 明文且无完整性保护,下载后核对官方公布的校验和;更稳妥的做法是在干净机器上下载、编译,再拷贝静态二进制到失陷主机,避免使用被篡改的 wget/gcc

tar zxvf chkrootkit.tar.gz

cd chkrootkit-0.52

make sense

#编译完成没有报错的话执行检查

./chkrootkit

################rkhunter################

rkhunter

[rkhunter.sourceforge.net](http://rkhunter.sourceforge.net)

使用方法:

wget <rkhunter-1.4.4.tar.gz 下载地址>   # 原文链接被站点截断,请从 rkhunter.sourceforge.net 的发布页获取完整 URL,下载后核对校验和再解压

tar -zxvf rkhunter-1.4.4.tar.gz

cd rkhunter-1.4.4

./installer.sh --install

rkhunter -c

################2.2 病毒查杀################

Clamav

[www.clamav.net/download.html](http://www.clamav.net/download.html)

安装方式一:

1、安装 zlib:

wget <zlib-1.2.7.tar.gz 下载地址>   # 原文链接被站点截断;zlib 1.2.7 是 2012 年的旧版本,生产环境建议直接使用发行版的 zlib-devel 包或当前版本

tar -zxvf zlib-1.2.7.tar.gz

cd zlib-1.2.7

#安装一下gcc编译环境: yum install gcc

CFLAGS="-O3 -fPIC" ./configure --prefix=/usr/local/zlib   # 原文 --prefix= 后多了一个空格,会导致 prefix 为空、/usr/local/zlib/ 被当成多余参数

make && make install

2、添加用户组 clamav 和组成员 clamav:

groupadd clamav

useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav

3、安装 Clamav

tar -zxvf clamav-0.97.6.tar.gz   # 原文的 "–" 是全角破折号,需改为 ASCII 的 "-";0.97.x 早已停止维护,病毒库也不再兼容,实际使用请换成当前版本

cd clamav-0.97.6

./configure --prefix=/opt/clamav --disable-clamav --with-zlib=/usr/local/zlib   # --with-zlib 需要两个连字符;--disable-clamav 仅跳过对 clamav 用户/组的检查

make

make install

4、配置 Clamav

mkdir /opt/clamav/logs

mkdir /opt/clamav/updata

touch /opt/clamav/logs/freshclam.log

touch /opt/clamav/logs/clamd.log

cd /opt/clamav/logs

chown clamav:clamav clamd.log

chown clamav:clamav freshclam.log

5、ClamAV 使用:

/opt/clamav/bin/freshclam 升级病毒库

/opt/clamav/bin/clamscan -h 查看相应的帮助信息(原文的 "–" 为全角破折号)

./clamscan -r /home 扫描所有用户的主目录就使用

./clamscan -r --bell -i /bin 扫描bin目录并且显示有问题的文件的扫描结果

安装方式二:

#安装

yum install -y clamav

#更新病毒库

freshclam

#扫描方法

clamscan -r /etc --max-dir-recursion=5 -l /root/etcclamav.log

clamscan -r /bin --max-dir-recursion=5 -l /root/binclamav.log

clamscan -r /usr --max-dir-recursion=5 -l /root/usrclamav.log

#扫描并杀毒。应急响应中建议用 --move=/root/quarantine(或 --copy=)隔离而不是 --remove 直接删除:既保留样本供取证溯源,也避免误报把 /usr/bin 之类目录下的系统文件删掉;确认无误后再清理

clamscan -r --remove /usr/bin/bsd-port

clamscan -r --remove /usr/bin/

clamscan -r --remove /usr/local/zabbix/sbin

#查看日志发现

cat /root/usrclamav.log |grep FOUND

################2.3 webshell查杀################

mkdir -p /tmp/hm

cd /tmp/hm

wget dl.shellpub.com/hm/latest/hm-linux-amd64.tgz -O /tmp/hm/hm-linux-amd64.tgz   # 原文链接被截断,文件名依 -O 的目标推断,下载后核对官方校验和;/tmp 在失陷主机上可能被监视或挂载为 noexec,可改用 mktemp -d 创建工作目录

tar xvf hm-linux-*.tgz

./hm scan

################################################