
linux服务器被攻击怎么看,检查Linux服务器是否被攻击的常用命令及方法

centos如何查看被攻击日志

前提说明:如果怀疑攻击者已经取得root权限,本机上的 ps/netstat/last 等工具、/proc 以及各类日志都可能被篡改或被rootkit隐藏,下面的命令只能作为初步排查。重要系统应先保全证据(磁盘镜像、内存快照,不要急于重启或清理),并尽量用离线介质或已知干净的静态二进制重复核对结果。

1. 使用last命令查看登录服务器的用户记录(数据来自 /var/log/wtmp)。注意:取得root权限的攻击者常清空或截断wtmp,记录缺失、时间不连续本身就是可疑信号;应同时用 lastb 查看 /var/log/btmp 中的失败登录(暴力破解痕迹),用 lastlog 查看每个账户的最近登录时间,核对是否有本不该登录的账户。

[root@centos8 ~]# last

rusking pts/2 192.168.1.102 Sun Aug 23 18:38 still logged in

rusking pts/2 192.168.1.102 Sun Aug 23 18:08 - 18:14 (00:05)

rusking pts/2 192.168.1.102 Sun Aug 23 18:05 - 18:07 (00:01)

rusking pts/2 192.168.1.102 Sun Aug 23 17:38 - 17:58 (00:19)

rusking pts/2 192.168.1.102 Sun Aug 23 16:41 - 17:38 (00:56)

rusking pts/1 192.168.1.82 Sun Aug 23 16:33 still logged in

root web console Sun Aug 23 15:03 - 15:18 (00:15)

rusking pts/0 192.168.1.82 Sun Aug 23 14:49 still logged in

root tty1 Sun Aug 23 14:49 still logged in

reboot system boot 4.18.0-193.14.2. Sun Aug 23 14:48 still running

rusking pts/0 192.168.1.82 Sat Aug 15 09:07 - 18:30 (2+09:22)

rusking tty1 Sat Aug 15 09:07 - crash (8+05:40)

reboot system boot 4.18.0-193.14.2. Sat Aug 15 09:06 still running

2. 使用who命令查看当前登录的用户(也可用 w 查看每个会话正在执行的命令)。重点核对来源IP、终端和登录时间是否能与netstat/ss中的ESTABLISHED连接一一对应;本不应交互登录的服务账户(shell为nologin)出现会话即为异常。

[root@centos8 ~]# who -a

system boot 2020-08-23 14:48

root + tty1 2020-08-23 14:49 03:59 2059

rusking + pts/0 2020-08-23 14:49 00:51 3193 (192.168.1.82)

web console 2020-08-23 15:18 9190 id=919 term=0 exit=0

rusking + pts/1 2020-08-23 16:33 . 3193 (192.168.1.82)

rusking + pts/2 2020-08-23 18:38 00:10 96080 (192.168.1.102)

[root@centos8 ~]#

3. 查看命令执行记录。注意:.bash_history 只在shell退出时写入,且攻击者可以通过 unset HISTFILE、history -c、删除或将其软链接到 /dev/null 来逃避记录,因此历史为空或为软链接本身就是可疑信号;默认不带时间戳(除非设置了 HISTTIMEFORMAT),更可靠的依据是auditd与认证日志(见第9步)。

# tail -n 200 ~/.bash_history | more #查看当前账户的操作命令。-n 200显示最近200条记录。以root执行时 ~ 即 /root。

# tail -n 200 /home/rusking/.bash_history | more #查看指定用户名为rusking的操作命令记录。可以将rusking替换成其它用户;排查时应遍历 /root/.bash_history 和 /home/*/.bash_history,不要只看已知账户。

4. 查看最近2天修改或状态变更过的文件。mtime 可以被 touch -t / touch -r 伪造,ctime 则无法从用户态直接改写,因此应同时按ctime筛选;除 /etc /var 外,也要关注系统二进制和库目录,以及新增的SUID文件。

# find /etc /var /usr/bin /usr/sbin /usr/lib64 /root /home -xdev -type f \( -mtime -2 -o -ctime -2 \) #按mtime或ctime筛选,-xdev不跨文件系统。

# find / -xdev -type f -perm -4000 -ctime -2 #最近出现/变更的SUID文件。

# rpm -Va | grep -E '^..5' #CentOS/RHEL上校验软件包文件是否被替换(第3列为5表示MD5不匹配)。

5. 使用netstat命令查看本机各端口连接情况。CentOS 8 默认不再安装 net-tools,等价命令为 ss -tulpn(-a 已包含LISTEN)。注意用户态rootkit会劫持netstat/ss的输出,可与 /proc/net/tcp、/proc/net/udp 的原始内容对照,或从外部主机做端口扫描验证。

# netstat -aplunt 常用命令,关注LISTEN和ESTABLISHED情况;对每个陌生的外联地址和监听端口,用第6步的 lsof -p 定位到进程和二进制文件。

[root@centos8 ~]# netstat -aplunt

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp 0 0 0.0.0.0:9090 0.0.0.0:* LISTEN 1/systemd

tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 1972/systemd-resolv

tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd

tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 2400/dnsmasq

tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1415/cupsd

tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN 1414/sshd

tcp 0 248 192.168.1.101:8888 192.168.1.82:54949 ESTABLISHED 3193/sshd: rusking

tcp 0 0 192.168.1.101:8888 192.168.1.102:53426 ESTABLISHED 96080/sshd: rusking

udp 0 0 0.0.0.0:45742 0.0.0.0:* 1029/avahi-daemon:

udp 0 0 0.0.0.0:5353 0.0.0.0:* 1029/avahi-daemon:

udp 0 0 0.0.0.0:5355 0.0.0.0:* 1972/systemd-resolv

udp 0 0 192.168.122.1:53 0.0.0.0:* 2400/dnsmasq

udp 0 0 127.0.0.53:53 0.0.0.0:* 1972/systemd-resolv

udp 0 0 0.0.0.0:67 0.0.0.0:* 2400/dnsmasq

udp 0 0 0.0.0.0:111 0.0.0.0:* 1/systemd

6. 使用lsof命令查看打开的文件。建议加 -nP 避免对远端地址做DNS反查(反查既慢,也会把排查动作暴露给可能被攻击者控制的DNS);恶意程序常在启动后删除自身二进制,用 lsof +L1 可以找出已被删除但仍被打开的文件,/proc/<pid>/exe 指向带 (deleted) 标记的路径也是同类信号。

# lsof -nP -i

# lsof -p pid

# lsof +L1 #已删除但仍被进程持有的文件。

[root@centos8 ~]# lsof -i

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

systemd 1 root 42u IPv4 18941 0t0 TCP *:sunrpc (LISTEN)

systemd 1 root 43u IPv4 18942 0t0 UDP *:sunrpc

systemd 1 root 51u IPv4 22690 0t0 TCP *:websm (LISTEN)

rpcbind 960 rpc 4u IPv4 18941 0t0 TCP *:sunrpc (LISTEN)

rpcbind 960 rpc 5u IPv4 18942 0t0 UDP *:sunrpc

avahi-dae 1029 avahi 15u IPv4 25088 0t0 UDP *:mdns

avahi-dae 1029 avahi 16u IPv4 25099 0t0 UDP *:45742

sshd 1414 root 5u IPv4 27123 0t0 TCP *:ddi-tcp-1 (LISTEN)

cupsd 1415 root 10u IPv4 27305 0t0 TCP localhost:ipp (LISTEN)

systemd-r 1972 systemd-resolve 12u IPv4 29589 0t0 UDP *:hostmon

systemd-r 1972 systemd-resolve 13u IPv4 29590 0t0 TCP *:hostmon (LISTEN)

systemd-r 1972 systemd-resolve 16u IPv4 29593 0t0 UDP 127.0.0.53:domain

dnsmasq 2400 dnsmasq 3u IPv4 32237 0t0 UDP *:bootps

dnsmasq 2400 dnsmasq 5u IPv4 32240 0t0 UDP centos8.test.com:domain

dnsmasq 2400 dnsmasq 6u IPv4 32241 0t0 TCP centos8.test.com:domain (LISTEN)

sshd 3193 root 5u IPv4 34113 0t0 TCP centos8.test.com:ddi-tcp-1->UltraPower:54949 (ESTABLISHED)

sshd 3210 rusking 5u IPv4 34113 0t0 TCP centos8.test.com:ddi-tcp-1->UltraPower:54949 (ESTABLISHED)

sshd 96080 root 5u IPv4 252937 0t0 TCP centos8.test.com:ddi-tcp-1->192.168.1.102:53426 (ESTABLISHED)

sshd 96083 rusking 5u IPv4 252937 0t0 TCP centos8.test.com:ddi-tcp-1->192.168.1.102:53426 (ESTABLISHED)

[root@centos8 ~]# lsof -p 96083

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

sshd 96083 rusking cwd DIR 253,0 265 128 /

sshd 96083 rusking rtd DIR 253,0 265 128 /

sshd 96083 rusking txt REG 253,0 1228192 3786429 /usr/sbin/sshd

sshd 96083 rusking mem REG 253,0 906648 640148 /usr/lib64/libnss_systemd.so.2

sshd 96083 rusking mem REG 253,0 10406312 34621674 /var/lib/sss/mc/initgroups

......

7. 使用ps命令查看当前系统中正在运行的进程信息。ps -aux 实际是BSD语法 ps aux(带短横线时procps会给出警告);排查时更有用的是带父进程、启动时间和进程树的输出,并留意名字伪装成内核线程但 /proc/<pid>/exe 指向真实文件的进程。此外 ps | grep 会匹配到grep自身(见下面输出中的最后一行),改用 pgrep 或 grep '[r]usking'。

# ps aux

# ps -eo pid,ppid,user,lstart,cmd --forest

# pgrep -u rusking -a

[root@centos8 ~]# ps -aux | grep rusking

root 3193 0.0 0.3 161180 10768 ? Ss 14:49 0:00 sshd: rusking [priv]

rusking 3197 0.0 0.3 93812 9400 ? Ss 14:49 0:00 /usr/lib/systemd/systemd --user

rusking 3199 0.0 0.1 251456 3760 ? S 14:49 0:00 (sd-pam)

rusking 3208 0.0 0.3 300224 9324 ? Ssl 14:49 0:00 /usr/bin/pulseaudio --daemonize=no

rusking 3210 0.0 0.2 161180 6084 ? S 14:49 0:01 sshd: rusking@pts/0,pts/1

rusking 3211 0.0 0.1 24696 5432 pts/0 Ss 14:49 0:00 -bash

rusking 3266 0.0 0.1 74292 4480 ? Ss 14:49 0:00 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

rusking 46209 0.0 0.1 24696 5220 pts/1 Ss 16:33 0:00 -bash

root 96080 0.0 0.3 161180 10760 ? Ss 18:38 0:00 sshd: rusking [priv]

rusking 96083 0.0 0.1 161180 5352 ? S 18:38 0:00 sshd: rusking@pts/2

rusking 96084 0.0 0.1 24712 5336 pts/2 Ss+ 18:38 0:00 -bash

root 102735 0.0 0.0 12108 1072 pts/1 S+ 18:55 0:00 grep --color=auto rusking

8. 使用top或htop命令查看进程对CPU/内存的消耗情况。

注意消耗CPU/内存较高的进程(top -o %CPU 按CPU排序)。挖矿类程序也可能主动限速,因此同时看 TIME+ 累计时间和异常的进程名/路径;CPU占用正常不能排除入侵。

[root@centos8 ~]# top

top - 18:56:58 up 4:08, 4 users, load average: 0.00, 0.00, 0.00

Tasks: 145 total, 1 running, 144 sleeping, 0 stopped, 0 zombie

%Cpu(s): 0.2 us, 0.3 sy, 0.0 ni, 99.2 id, 0.0 wa, 0.2 hi, 0.2 si, 0.0 st

MiB Mem : 2834.8 total, 1845.2 free, 301.6 used, 688.0 buff/cache

MiB Swap: 3072.0 total, 3072.0 free, 0.0 used. 2356.1 avail Mem

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND

103380 root 20 0 64536 4452 3768 R 0.3 0.2 0:00.01 top

1 root 20 0 177912 11676 8100 S 0.0 0.4 0:11.04 systemd

2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd

3 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 rcu_gp

4 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 rcu_par_gp

6 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/0:0H-kblockd

8 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 mm_percpu_wq

9 root 20 0 0 0 0 S 0.0 0.0 0:00.25 ksoftirqd/0

10 root 20 0 0 0 0 I 0.0 0.0 0:01.49 rcu_sched

11 root rt 0 0 0 0 S 0.0 0.0 0:00.03 migration/0

12 root rt 0 0 0 0 S 0.0 0.0 0:00.01 watchdog/0

13 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cpuhp/0

14 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cpuhp/1

15 root rt 0 0 0 0 S 0.0 0.0 0:00.01 watchdog/1

16 root rt 0 0 0 0 S 0.0 0.0 0:00.04 migration/1

17 root 20 0 0 0 0 S 0.0 0.0 0:00.15 ksoftirqd/1

19 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/1:0H-kblockd

...

9. 查看SSH登录日志。注意日志同样可能被root权限的攻击者删改,生产环境应把日志转发到远端日志服务器;同时检查 /root/.ssh/authorized_keys 和各用户 ~/.ssh/authorized_keys 是否被加入陌生公钥,这是最常见的持久化手段之一。

CentOS/RHEL Linux查看secure和audit日志(systemd环境也可用 journalctl -u sshd)。

/var/log/secure

关键字:"Accepted password"、"Accepted publickey"(密钥登录不会出现"Accepted password")、"Failed password"、"Invalid user"

/var/log/audit/audit.log

关键字:"type=USER_AUTH"、"type=USER_LOGIN"(也可用 ausearch -m USER_AUTH,USER_LOGIN)

其它Linux发行版(Debian/Ubuntu)查看auth.log日志

/var/log/auth.log

10. 查看以下目录下是否有特殊文件。重点关注可执行文件、以"."或空格开头的隐藏目录、以及属主为 apache/nginx 等服务账户的文件(常见于web漏洞落地的文件)。

# ls /tmp/ -la

# ls /dev/shm -la

# ls /var/tmp -la

# find /tmp /var/tmp /dev/shm -type f -perm /111 #上述目录中的可执行文件。

11. 查看cronjob配置文件是否有异常的job。crontab -l 只显示当前用户(这里是root)的任务,所有用户的crontab位于 /var/spool/cron/;systemd timer 和 at 任务也是常见的持久化位置。

# crontab -l

# ls -la /var/spool/cron/ && cat /var/spool/cron/*

# cat /etc/crontab /etc/anacrontab

# ls -la /etc/cron* 查看以下所有目录下是否有异常文件,以及这些文件的内容是否被修改(注意 /etc/cron 本身不是目录,需要用通配符)。

cron.d/ cron.daily/ cron.deny cron.hourly/ cron.monthly/ crontab cron.weekly/

# systemctl list-timers --all

# atq

12. 使用nmap命令查看打开的端口。注意 nmap localhost 默认只扫描 127.0.0.1(IPv4)上最常见的1000个TCP端口,因此只绑定在具体网卡地址的服务(如上面netstat中 192.168.122.1:53)和不在常用端口列表中的端口(如 5355)都不会出现在结果里;要扫全端口和真实IP,并从另一台主机做外部扫描。外部能扫到、而本机 ss/netstat 看不到的端口,是rootkit隐藏socket的典型特征。

# nmap localhost 注意是否有异常开启的端口。

# nmap -sT -p- 192.168.1.101 #扫描本机真实IP上的全部TCP端口(UDP加 -sU)。

[root@centos8 ~]# nmap localhost

Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-23 19:00 +04

Nmap scan report for localhost (127.0.0.1)

Host is up (0.0000080s latency).

Other addresses for localhost (not scanned): ::1

Not shown: 996 closed ports

PORT STATE SERVICE

111/tcp open rpcbind

631/tcp open ipp

8888/tcp open sun-answerbook

9090/tcp open zeus-admin

Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds
