【应急响应】辅助脚本

此脚本用于简化应急响应过程,主要是针对CentOS系统应急响应的一些基础项,如下所示:

1)系统负载、内存占用、CPU使用率高的进程

2)系统初始化调用

3)定时任务

4)监听端口、主动外连(高并发机器慎用)

5)777目录下的可执行文件

6)系统命令替换

7)SSH登录成功和失败IP

8)调用河马检测最近修改的jsp文件

9)调用rkhunter查杀Rootkit

 

脚本如下:

#!/bin/bash
#**************************************1********************
#  Author: Vinc
#  Mail: 776711462@qq.com
#  Time: 2018.6.13
#  Description: For CentOS System
#**********************************************************

# look-back window, in days, for recently modified .jsp files (find -mtime)
WEBSHELLCHECK=1
# root of the web application deployments; each <project>/conf/server.xml
# below it is read for its docBase entries (trailing slash is relied on)
WEBDIR=/web/jboss/dir/
# look-back window, in days, for modified system binaries under /bin, /sbin, /usr/bin, /usr/sbin
BINCHECK=5
# look-back window, in days, for modified init scripts / unit files
INITCHECK=5

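Finittab5(){
    # SysV persistence points on CentOS 5: inittab, rc.sysinit, the init.d
    # scripts and rc.local. Prints only, never modifies anything.
    # Globals:  INITCHECK (days, read)
    # Outputs:  report to stdout; stat/find errors go to stderr
    echo "***************System Init Check***************"
    echo "------------------------------------------------------"
    echo "/etc/inittab"
    stat /etc/inittab | grep "Modify"
    echo "------------------------------------------------------"
    echo "/etc/rc.d/rc.sysinit"
    stat /etc/rc.d/rc.sysinit | grep "Modify"
    echo "------------------------------------------------------"
    echo "modified files under the /etc/rc.d/init.d/ directory:"
    # mtime can be back-dated with touch(1); ctime cannot be set from
    # userland, so a file that matches either window is worth a look
    find /etc/rc.d/init.d \( -mtime -"${INITCHECK}" -o -ctime -"${INITCHECK}" \)
    echo "------------------------------------------------------"
    echo "/etc/rc.d/rc.local"
    stat /etc/rc.d/rc.local | grep "Modify"
    echo "------------------------------------------------------"
}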

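Finittab6(){
    # Upstart/SysV persistence points on CentOS 6: /etc/init/*.conf jobs,
    # rc.sysinit, the init.d scripts and rc.local. Prints only.
    # Globals:  INITCHECK (days, read)
    # Outputs:  report to stdout; stat/find errors go to stderr
    echo "***************System Init Check***************"
    echo "------------------------------------------------------"
    echo "modified files under the /etc/init/ directory:"
    # ctime as well as mtime: touch -r can hide a modified job file from an
    # mtime-only search, ctime cannot be forged without changing the clock
    find /etc/init/ -name "*.conf" \( -mtime -"${INITCHECK}" -o -ctime -"${INITCHECK}" \)
    echo "------------------------------------------------------"
    echo "/etc/rc.d/rc.sysinit"
    stat /etc/rc.d/rc.sysinit | grep "Modify"
    echo "------------------------------------------------------"
    echo "modified files under the /etc/rc.d/init.d/ directory:"
    find /etc/rc.d/init.d/ \( -mtime -"${INITCHECK}" -o -ctime -"${INITCHECK}" \)
    echo "------------------------------------------------------"
    echo "/etc/rc.d/rc.local"
    stat /etc/rc.d/rc.local | grep "Modify"
    echo "------------------------------------------------------"
}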

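Finittab7(){
    # systemd persistence points on CentOS 7: unit files under /usr/lib and
    # /etc, drop-in overrides, plus the legacy init.d scripts and rc.local.
    # Globals:  INITCHECK (days, read)
    # Outputs:  report to stdout; find/stat errors go to stderr
    echo "***************System Init Check***************"
    echo "------------------------------------------------------"
    echo "modified files under the /usr/lib/systemd/system/ directory:"
    # No -maxdepth 1: enabling a unit creates a symlink inside
    # <target>.wants/ and overrides live in <unit>.d/*.conf, both of which
    # the old top-level-only search missed. Timers are a persistence vector
    # of their own, so they are listed alongside services. ctime is checked
    # as well as mtime because mtime can be back-dated with touch(1).
    find /usr/lib/systemd/system/ \( -name "*.service" -o -name "*.timer" -o -name "*.conf" \) \( -mtime -"${INITCHECK}" -o -ctime -"${INITCHECK}" \)
    echo "------------------------------------------------------"
    echo "modified files under the /etc/systemd/system/ directory:"
    find /etc/systemd/system/ \( -name "*.service" -o -name "*.timer" -o -name "*.conf" \) \( -mtime -"${INITCHECK}" -o -ctime -"${INITCHECK}" \)
    echo "------------------------------------------------------"
    echo "modified files under the /etc/rc.d/init.d/ directory:"
    find /etc/rc.d/init.d -type f \( -mtime -"${INITCHECK}" -o -ctime -"${INITCHECK}" \)
    echo "------------------------------------------------------"
    echo "/etc/rc.d/rc.local"
    stat /etc/rc.d/rc.local | grep "Modify"
    echo "------------------------------------------------------"
}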

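Fcrontab(){
    # Per-user crontabs, the system crontab/anacrontab and every /etc/cron.*
    # drop-in directory. Blank and comment lines are stripped, the rest is
    # printed verbatim for the analyst. /var/spool/cron is root-only, so the
    # per-user part is empty when not run as root.
    # Outputs:  report to stdout; errors for missing files go to stderr
    local file dir
    echo "***************Crontab Check***************"
    echo "------------------------------------------------------"
    # glob instead of parsing ls: user names containing spaces or glob
    # characters are kept intact, and an empty spool yields no iteration
    for file in /var/spool/cron/*; do
        [ -f "$file" ] || continue
        echo "$file"
        grep -v -e '^$' -e '^#' -- "$file"
        echo "------------------------------------------------------"
    done
    echo "/etc/crontab"
    grep -v -e '^$' -e '^#' /etc/crontab
    echo "------------------------------------------------------"
    echo "/etc/anacrontab"
    grep -v -e '^$' -e '^#' /etc/anacrontab
    echo "------------------------------------------------------"
    # NUL-delimited so a directory name cannot be split into several words;
    # symlinked job files (^l) are listed too, not only regular files
    while IFS= read -r -d '' dir; do
        echo "${dir}"
        ls -alt -- "${dir}" | grep -E '^[-l]'
        echo "------------------------------------------------------"
    done < <(find /etc -name "cron.*" -type d -print0)
}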

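Fnetlink(){
    # Listening sockets, then established TCP connections that this host
    # initiated towards a non-RFC1918 address. A connection is treated as
    # inbound when its local port is one we listen on. Needs root for the
    # PID/program column. Every established connection is inspected, which
    # is why the script header warns about busy hosts.
    # Outputs:  report to stdout
    local ports regstr regExternal link rip
    echo "***************Netstat Check***************"
    echo "------------------------------------------------------"
    echo "Listening port list:"
    netstat -antlp -A inet | grep LISTEN | awk '{printf "%-20s %-20s\n",$4,$7}'
    echo "------------------------------------------------------"
    echo "The connection initiated by the machine:"
    # Listening ports joined into an anchored alternation. Anchoring matters:
    # unanchored, local port 2222 was classed as inbound merely because 22 is
    # listened on.
    ports=$(netstat -antlp -A inet | grep LISTEN | awk -F '[ :]+' '{print $5}' | sort -u | paste -s -d '|' -)
    if [ -n "$ports" ]; then
        regstr="^(${ports})$"
    else
        # nothing listening: the old "()" regex matched every port and hid all connections
        regstr='^$'
    fi
    regExternal="^((192\.168|172\.([1][6-9]|[2][0-9]|3[01]))(\.([2][0-4][0-9]|[2][5][0-5]|[01]?[0-9]?[0-9])){2}|10(\.([2][0-4][0-9]|[2][5][0-5]|[01]?[0-9]?[0-9])){3})$"
    # the port regex is handed to awk with -v rather than spliced into the
    # program text, so it can never be parsed as awk code
    netstat -antlp -A inet | grep -v '127.0.0.1' | grep ESTABLISHED \
      | awk -F '[ :]+' -v pat="$regstr" '$5 !~ pat' \
      | while IFS= read -r link; do
        rip=$(awk -F '[ :]+' '{print $6}' <<<"$link")
        # report only when the remote side is outside the private ranges
        if ! grep -Eq -- "$regExternal" <<<"$rip"; then
            awk '{print $4" "$5" "$7}' <<<"$link"
        fi
    done
    echo "------------------------------------------------------"
}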

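FSensitiveDir(){
    # Running processes whose executable lives in a world-writable scratch
    # directory (/tmp, /var/tmp, /dev/shm), a common drop location for
    # malware. Resolving /proc/<pid>/exe for other users' processes needs
    # root; entries that cannot be read or vanish mid-scan are skipped.
    # Outputs:  "<pid> <exe>" lines to stdout
    local procdir pid exe
    local scratch_re='^/(tmp|var/tmp|dev/shm)'
    echo "***************Sensitive Directory Check(/tmp、/var/tmp、/dev/shm)***************"
    # numeric /proc entries only, without parsing ls output
    for procdir in /proc/[0-9]*; do
        [ -d "$procdir" ] || continue
        pid=${procdir##*/}
        # readlink fails for kernel threads and for PIDs we may not inspect
        exe=$(readlink "$procdir/exe" 2>/dev/null) || continue
        # a binary deleted after start still resolves to "/tmp/x (deleted)",
        # which the prefix match deliberately catches as well
        if [[ "$exe" =~ $scratch_re ]]; then
            printf "%-20s %-20s\n" "$pid" "$exe"
        fi
    done
}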

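FModifyFile(){
    # System binaries changed recently, followed by an RPM verification pass.
    # rpm -Va only reports differences from the local package database; a
    # tampered database or a binary installed from an attacker-built package
    # will not show up, so treat it as one signal among several.
    # Globals:  BINCHECK (days, read)
    # Outputs:  report to stdout
    echo "***************System Command Check(/bin、/sbin、/usr/bin、/usr/sbin)***************"
    echo "------------------------------------------------------"
    echo "The binary files that are modified within ${BINCHECK} days:"
    # ctime as well as mtime: touch -r can back-date a replaced binary's
    # mtime, but its ctime still reflects the replacement
    find /bin/ /sbin/ /usr/sbin/ /usr/bin/ -type f \( -mtime -"${BINCHECK}" -o -ctime -"${BINCHECK}" \)
    echo "------------------------------------------------------"
    echo "RPM consistency check:"
    rpm -Va
    echo "------------------------------------------------------"
}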

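FSshLogin(){
    # Source addresses of accepted and failed sshd logins, most frequent
    # first. The address is the token after "from" rather than a fixed field
    # number: "Failed password for invalid user X from A.B.C.D" carries two
    # extra words, so the old $11 landed on "from" for exactly the lines a
    # brute-force attempt leaves behind.
    # Arguments: $1 - auth log to read (default /var/log/secure; rotated
    #                 files such as /var/log/secure-* are not included)
    # Outputs:   "<count> <ip>" lines to stdout
    local log=${1:-/var/log/secure}
    local from_ip='{for(i=1;i<=NF;i++) if($i=="from"){print $(i+1); break}}'
    echo "***************Ssh Login Check***************"
    echo "------------------------------------------------------"
    echo "List of successful IPs for SSH login:"
    grep 'Accepted' "$log" | awk "$from_ip" | sort | uniq -c | sort -nr
    echo "------------------------------------------------------"
    echo "List of failed IPs for SSH login:"
    grep 'Failed' "$log" | awk "$from_ip" | sort | uniq -c | sort -nr
    echo "------------------------------------------------------"
}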

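FLoad(){
    # Load average, memory totals and every process above a CPU threshold.
    # Arguments: $1 - CPU% threshold for the process list (default 50)
    # Outputs:   report to stdout
    local threshold=${1:-50}
    echo "***************System Information***************"
    echo "------------------------------------------------------"
    echo "load average:"
    # take everything after the label: uptime's field count shifts with the
    # number of users and with "days" in the uptime, so $10..$12 drifted
    uptime | sed 's/.*load average[s]*: *//'
    echo "------------------------------------------------------"
    echo "Memory usage:"
    free -g | awk '/^Mem:/{print "Total Mem:"$2"G"}'
    # procps-ng (CentOS 7) no longer prints the "-/+ buffers/cache" line, which
    # left "Used Mem" empty; prefer it when present, else fall back to Mem: used
    free -g | awk '/^Mem:/{used=$3} /buffers\/cache/{used=$3} END{print "Used Mem:"used"G"}'
    echo "------------------------------------------------------"
    echo "The process of CPU usage over ${threshold}%:"
    # NR>1 drops the header; -k3,3 replaces the obsolete "+3" key syntax
    ps aux | awk -v t="$threshold" 'NR>1 && $3>t' | sort -rn -k3,3
    echo "------------------------------------------------------"
}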

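FWebshellCheck(){
    # Copy every .jsp modified in the last WEBSHELLCHECK days from each
    # docBase declared in <project>/conf/server.xml under WEBDIR into a
    # private staging directory, then scan the copies with the hm webshell
    # scanner. The scanner is fetched on demand; set HM_SHA256 to a
    # known-good digest to refuse an archive that does not match it.
    # Globals:  WEBSHELLCHECK, WEBDIR (read); bit (read, defaults to getconf LONG_BIT)
    # Outputs:  report to stdout; the scanner's own output is discarded
    local modifydir project docbase fname filecount count scan_ok=1
    local bit=${bit:-$(getconf LONG_BIT)}
    echo "***************WebShell Check(hm)***************"
    echo "Jsp files that are modified within ${WEBSHELLCHECK} days:"
    # unpredictable staging directory: the old /tmp/<epoch>/ name could be
    # pre-created or symlinked by any local user before this function ran
    modifydir=$(mktemp -d /tmp/jspcheck.XXXXXX) || return 1
    modifydir="${modifydir}/"
    for project in "${WEBDIR}"*/; do
        [ -f "${project}conf/server.xml" ] || continue
        grep -Eo 'docBase=".*"' "${project}conf/server.xml" | awk -F '"' '{print $2}' | while IFS= read -r docbase
        do
            # NUL-separated so paths with spaces survive; "/" is flattened to
            # "@" so each copy keeps its origin in the file name
            find "$docbase" -name '*.jsp' -mtime -"${WEBSHELLCHECK}" -print0 2>/dev/null | while IFS= read -r -d '' fname
            do
                cp -- "$fname" "${modifydir}${fname//\//@}"
            done
        done
    done
    filecount=$(find "$modifydir" -maxdepth 1 -type f | wc -l)
    echo "Dir: ${modifydir}"
    echo "JSP files to be detected: ${filecount}"
    if [ "$filecount" -gt 0 ]; then
        if [ ! -f /tmp/hm-linux.tgz ]; then
            echo "Download the webshell check tool"
            # NOTE(review): plain-HTTP download that is then executed as root;
            # without HM_SHA256 nothing verifies what was fetched
            if [ "${bit}" -eq 64 ]; then
                wget -O /tmp/hm-linux.tgz 'http://down.shellpub.com/hm/latest/hm-linux-amd64.tgz?version=1.4.2'
            elif [ "${bit}" -eq 32 ]; then
                wget -O /tmp/hm-linux.tgz 'http://down.shellpub.com/hm/latest/hm-linux-386.tgz?version=1.4.2'
            fi
        fi
        if [ -n "${HM_SHA256:-}" ]; then
            if ! echo "${HM_SHA256}  /tmp/hm-linux.tgz" | sha256sum -c - >/dev/null 2>&1; then
                echo "hm archive does not match HM_SHA256, scan skipped" >&2
                scan_ok=0
            fi
        fi
        if [ "$scan_ok" -eq 1 ]; then
            [ -d /tmp/hmwebshell ] || mkdir /tmp/hmwebshell
            tar zxf /tmp/hm-linux.tgz -C /tmp/hmwebshell
            # a result.csv left in the cwd by an earlier run would otherwise
            # be reported as if it came from this scan
            rm -f result.csv
            [ -f /tmp/hmwebshell/hm ] && /tmp/hmwebshell/hm scan "${modifydir}" >/dev/null
            if [ -f result.csv ]; then
                count=$(wc -l < result.csv)
                if [ "${count}" -gt 1 ]; then
                    echo "The suspicious files are as follows: "
                    # column 3 is the copied path; strip the staging directory
                    # and undo the "/"->"@" flattening to show the original path
                    grep -E '^[0-9]' result.csv | awk -F ',' '{print $3}' | sed 's#.*/##; s#@#/#g'
                else
                    echo "No suspicious files were found"
                fi
            fi
        fi
    fi
    # :? refuses to run if the variable is somehow empty
    rm -rf -- "${modifydir:?}"
}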

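FRootkitCheck(){
    # Run rkhunter, installing it from the tarball first if it is missing.
    # Set RKHUNTER_SHA256 to a known-good digest to refuse an archive that
    # does not match; without it the plain-HTTP download is installed
    # unverified on a host that is already suspected of compromise, where
    # DNS and HTTP may not be trustworthy. Shipping the tool with the
    # responder is preferable to fetching it from the box.
    # Outputs:  rkhunter report to stdout; returns 1 if install fails
    local tarball=/tmp/rkhunter-1.4.6.tar.gz
    echo "***************Rootkit Check***************"
    if [ ! -f /usr/local/bin/rkhunter ]; then
        echo "Install rkhunter"
        [ -f "$tarball" ] || wget -O "$tarball" http://vinc.top/tools/rkhunter-1.4.6.tar.gz
        if [ -n "${RKHUNTER_SHA256:-}" ]; then
            if ! echo "${RKHUNTER_SHA256}  ${tarball}" | sha256sum -c - >/dev/null 2>&1; then
                echo "rkhunter archive does not match RKHUNTER_SHA256, not installing" >&2
                return 1
            fi
        fi
        # extract next to the tarball (the old code untarred into the caller's
        # cwd and then cd'd to /tmp/..., which only worked when cwd was /tmp)
        # and install in a subshell so the cd does not leak into the script
        ( tar zxf "$tarball" -C /tmp && cd /tmp/rkhunter-1.4.6/ && ./installer.sh --install ) || return 1
    fi
    /usr/local/bin/rkhunter --check -sk
}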

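# Most checks read root-only data (/proc/*/exe of other users, /var/log/secure,
# per-user crontabs), so say so instead of silently producing partial output.
if [ "$(id -u)" -ne 0 ]; then
    echo "Warning: not running as root, several checks will be incomplete" >&2
fi
# Major release number from /etc/redhat-release, used to pick the init-system
# check. The pattern is quoted so the shell cannot glob-expand it against the
# cwd, and only the first numeric match is kept so ver is a single token.
ver=$(grep -E -o '[0-9.]+' /etc/redhat-release 2>/dev/null | head -n 1 | cut -d . -f 1)
# word size, used to choose the scanner download
bit=$(getconf LONG_BIT)

FLoad
FSshLogin
FSensitiveDir
FModifyFile
Fcrontab
Fnetlink
case "$ver" in
    5)
    Finittab5
    ;;
    6)
    Finittab6
    ;;
    7|8|9)
    # systemd hosts share the same persistence points
    Finittab7
    ;;
    *)
    echo "Unknown release '${ver}', init check skipped" >&2
    ;;
esac
FWebshellCheck
FRootkitCheck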