如何检查服务器是否遭到黑客攻击？

当发现服务器运行异常，或者怀疑遭到了黑客攻击。那么如何用基本的命令，初步筛查下服务器是否遭到了攻击。

本文以 Ubuntu 20.04.4 LTS 系统为例，在仅使用系统命令的情况下，列出初步筛查步骤。

1. last 命令看下最近登录的用户，检查是否存在异常登录的账号

yxh@rangotec.com:~$ last
yxh      pts/0        2408:8215:46a:db Tue May 17 14:29   still logged in
yxh      pts/0        2408:8215:46a:db Tue May 17 13:43 - 14:24  (00:40)
yxh      pts/0        2408:8215:46a:db Tue May 17 10:18 - 11:38  (01:19)
reboot   system boot  5.4.0-110-generi Tue May 17 02:00   still running
yxh      pts/0        2408:8215:46a:db Mon May 16 08:40 - 11:09  (02:28)
yxh      pts/0        2409:893c:454:1b Mon May 16 08:11 - 08:11  (00:00)

2.  lastb 命令查看最近ban掉的用户。查看是由有穷举账号的情况。

yxh@rangotec.com:~$ sudo lastb

btmp begins Sun May  1 00:00:00 2022

如果没有ban掉的用户，说明未遭到字典爆破

3.  w 命令查看当前在线的用户，检查是否有未知的用户

yxh@rangotec.com:~$ w
 14:31:55 up 12:31,  1 user,  load average: 0.06, 0.10, 0.04
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
yxh      pts/0    2408:8215:46a:xx 14:29    1.00s  0.03s  0.00s w

4.  netstat 命令，查看当前网络已建立的连接， 检查是否有异常连接。

yxh@rangotec.com:~$ sudo netstat -anp | grep ESTABLISHED
tcp        0      0 127.0.0.1:48520         127.0.0.1:6379          ESTABLISHED 1043/php-fpm: pool
tcp        0      0 127.0.0.1:48526         127.0.0.1:6379          ESTABLISHED 1042/php-fpm: pool
tcp        0      0 127.0.0.1:6379          127.0.0.1:48514         ESTABLISHED 819/redis-server 12
tcp        0      0 127.0.0.1:3306          127.0.0.1:39336         ESTABLISHED 1007/mysqld
tcp        0      0 127.0.0.1:3306          127.0.0.1:39350         ESTABLISHED 1007/mysqld
tcp6       0      0 127.0.0.1:39338         127.0.0.1:3306          ESTABLISHED 927/java
tcp6       0   5740 2409:8a3c:444:eed0:::22 2408:8215:46a:db8:55572 ESTABLISHED 58800/sshd: yxh [pr
tcp6       0      0 127.0.0.1:39336         127.0.0.1:3306          ESTABLISHED 927/java
tcp6       0      0 127.0.0.1:39352         127.0.0.1:3306          ESTABLISHED 927/java
tcp6       0      0 127.0.0.1:4369          127.0.0.1:58757         ESTABLISHED 725/epmd
tcp6       0      0 2409:8a3c:444:eed0:::81 2408:8215:46a:db8:55449 ESTABLISHED 56373/nginx: worker
tcp6       0      0 127.0.0.1:39322         127.0.0.1:3306          ESTABLISHED 927/java

5. debsums 命令，校验程序安装包是否完整。  比如有人入侵了你的系统，修改了系统启动脚本，并且替换了一些关键程序来隐藏他的程序。Debian 系列可以用 debsum 来校验安装包的完整性。

yxh@rangotec.com:~$ sudo debsums -s
debsums: changed file /lib/systemd/system/networking.service (from ifupdown package)
debsums: missing file /boot/System.map-5.4.0-64-generic (from linux-modules-5.4.0-64-generic package)
debsums: missing file /boot/config-5.4.0-64-generic (from linux-modules-5.4.0-64-generic package)
debsums: missing file /tmp/pht_script/phdaemon (from phddns package)
debsums: missing file /tmp/pht_script/index.html.2 (from phddns package)
debsums: missing file /tmp/pht_script/phddns_vinit (from phddns package)
debsums: missing file /tmp/pht_script/phtunnel-cgi-bin/phtunnel_cgi (from phddns package)
debsums: missing file /tmp/pht_script/index.html (from phddns package)
debsums: missing file /tmp/pht_script/phddns_service (from phddns package)
debsums: missing file /tmp/pht_script/index.html.1 (from phddns package)
debsums: missing file /tmp/pht_script/phddns_systemd (from phddns package)
debsums: missing file /tmp/pht_script/phddns_mini_httpd.service (from phddns package)
debsums: missing file /tmp/pht_script/phtunnel.service (from phddns package)

比如上面的结果，就提示我修改了 networking.service 文件，以及丢失了某些文件。

6. top 命令查看服务器资源是否正常，如cpu使用率是否一直爆满

top - 14:45:12 up 12:44,  1 user,  load average: 0.07, 0.05, 0.04
Tasks: 192 total,   1 running, 191 sleeping,   0 stopped,   0 zombie
%Cpu(s):  1.5 us,  1.5 sy,  0.0 ni, 96.9 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
MiB Mem :   7777.1 total,   3408.8 free,   2268.4 used,   2099.9 buff/cache
MiB Swap:   8192.0 total,   8192.0 free,      0.0 used.   5150.7 avail Mem

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
  60119 yxh       20   0    8052   3824   3156 R   6.2   0.0   0:00.01 top
      1 root      20   0  168240  11896   8164 S   0.0   0.1   0:05.29 systemd
      2 root      20   0       0      0      0 S   0.0   0.0   0:00.01 kthreadd

7.  ps 命令查看是否存在异常进程

yxh@rangotec.com:~$ sudo ps -elf
F S UID          PID    PPID  C PRI  NI ADDR SZ WCHAN  STIME TTY          TIME CMD
4 S root           1       0  0  80   0 - 42060 ep_pol 02:00 ?        00:00:05 /sbin/init splash
1 I root         622       2  0  60 -20 -     0 rescue 02:00 ?        00:00:00 [ext4-rsv-conver]
4 S systemd+     641       1  0  80   0 -  5997 ep_pol 02:00 ?        00:00:01 /lib/systemd/systemd-resolved
4 S systemd+     642       1  0  80   0 - 22547 ep_pol 02:00 ?        00:00:00 /lib/systemd/systemd-timesyncd
4 S message+     693       1  0  80   0 -  1911 ep_pol 02:00 ?        00:00:02 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --syst
4 S root         697       1  0  80   0 - 20470 poll_s 02:00 ?        00:00:03 /usr/sbin/irqbalance --foreground
4 S root         700       1  0  80   0 -  6746 poll_s 02:00 ?        00:00:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers

检查是否有异常的CMD 程序在执行。