千古八方的博客
如何检查服务器是否遭到黑客攻击?
服务器

当发现服务器运行异常,或者怀疑遭到了黑客攻击。那么如何用基本的命令,初步筛查下服务器是否遭到了攻击。

本文以 Ubuntu 20.04.4 LTS 系统为例,在仅使用系统命令的情况下,对系统进行初步筛查。

1. last 命令看下最近登录的用户,检查是否存在异常登录的账号

yxh@rangotec.com:~$ last
yxh      pts/0        2408:8215:46a:db Tue May 17 14:29   still logged in
yxh      pts/0        2408:8215:46a:db Tue May 17 13:43 - 14:24  (00:40)
yxh      pts/0        2408:8215:46a:db Tue May 17 10:18 - 11:38  (01:19)
reboot   system boot  5.4.0-110-generi Tue May 17 02:00   still running
yxh      pts/0        2408:8215:46a:db Mon May 16 08:40 - 11:09  (02:28)
yxh pts/0 2409:893c:454:1b Mon May 16 08:11 - 08:11 (00:00)

2.  lastb 命令查看最近ban掉的用户。查看是由有穷举账号的情况。

yxh@rangotec.com:~$ sudo lastb
btmp begins Sun May 1 00:00:00 2022

如果没有ban掉的用户,说明未遭到字典爆破

3.  w 命令查看当前在线的用户,检查是否有未知的用户

yxh@rangotec.com:~$ w
 14:31:55 up 12:31,  1 user,  load average: 0.06, 0.10, 0.04
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
yxh pts/0 2408:8215:46a:xx 14:29 1.00s 0.03s 0.00s w

4.  netstat 命令,查看当前网络已建立的连接, 检查是否有异常连接。

yxh@rangotec.com:~$ sudo netstat -anp | grep ESTABLISHED
tcp        0      0 127.0.0.1:48520         127.0.0.1:6379          ESTABLISHED 1043/php-fpm: pool
tcp        0      0 127.0.0.1:48526         127.0.0.1:6379          ESTABLISHED 1042/php-fpm: pool
tcp        0      0 127.0.0.1:6379          127.0.0.1:48514         ESTABLISHED 819/redis-server 12
tcp        0      0 127.0.0.1:3306          127.0.0.1:39336         ESTABLISHED 1007/mysqld
tcp        0      0 127.0.0.1:3306          127.0.0.1:39350         ESTABLISHED 1007/mysqld
tcp6       0      0 127.0.0.1:39338         127.0.0.1:3306          ESTABLISHED 927/java
tcp6       0   5740 2409:8a3c:444:eed0:::22 2408:8215:46a:db8:55572 ESTABLISHED 58800/sshd: yxh [pr
tcp6       0      0 127.0.0.1:39336         127.0.0.1:3306          ESTABLISHED 927/java
tcp6       0      0 127.0.0.1:39352         127.0.0.1:3306          ESTABLISHED 927/java
tcp6       0      0 127.0.0.1:4369          127.0.0.1:58757         ESTABLISHED 725/epmd
tcp6       0      0 2409:8a3c:444:eed0:::81 2408:8215:46a:db8:55449 ESTABLISHED 56373/nginx: worker
tcp6 0 0 127.0.0.1:39322 127.0.0.1:3306 ESTABLISHED 927/java

 

5. debsums 命令,校验程序安装包是否完整。  比如有人入侵了你的系统,修改了系统启动脚本,并且替换了一些关键程序来隐藏他的程序。Debian 系列可以用 debsum 来校验安装包的完整性。

yxh@rangotec.com:~$ sudo debsums -s
debsums: changed file /lib/systemd/system/networking.service (from ifupdown package)
debsums: missing file /boot/System.map-5.4.0-64-generic (from linux-modules-5.4.0-64-generic package)
debsums: missing file /boot/config-5.4.0-64-generic (from linux-modules-5.4.0-64-generic package)
debsums: missing file /tmp/pht_script/phdaemon (from phddns package)
debsums: missing file /tmp/pht_script/index.html.2 (from phddns package)
debsums: missing file /tmp/pht_script/phddns_vinit (from phddns package)
debsums: missing file /tmp/pht_script/phtunnel-cgi-bin/phtunnel_cgi (from phddns package)
debsums: missing file /tmp/pht_script/index.html (from phddns package)
debsums: missing file /tmp/pht_script/phddns_service (from phddns package)
debsums: missing file /tmp/pht_script/index.html.1 (from phddns package)
debsums: missing file /tmp/pht_script/phddns_systemd (from phddns package)
debsums: missing file /tmp/pht_script/phddns_mini_httpd.service (from phddns package)
debsums: missing file /tmp/pht_script/phtunnel.service (from phddns package)

比如上面的结果,就提示我修改了 networking.service 文件,以及丢失了某些文件。

6. top 命令查看服务器资源是否正常,如cpu使用率是否一直爆满

top - 14:45:12 up 12:44,  1 user,  load average: 0.07, 0.05, 0.04
Tasks: 192 total,   1 running, 191 sleeping,   0 stopped,   0 zombie
%Cpu(s):  1.5 us,  1.5 sy,  0.0 ni, 96.9 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
MiB Mem :   7777.1 total,   3408.8 free,   2268.4 used,   2099.9 buff/cache
MiB Swap:   8192.0 total,   8192.0 free,      0.0 used.   5150.7 avail Mem

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
  60119 yxh       20   0    8052   3824   3156 R   6.2   0.0   0:00.01 top
      1 root      20   0  168240  11896   8164 S   0.0   0.1   0:05.29 systemd
2 root 20 0 0 0 0 S 0.0 0.0 0:00.01 kthreadd

7.  ps 命令查看是否存在异常进程

yxh@rangotec.com:~$ sudo ps -elf
F S UID          PID    PPID  C PRI  NI ADDR SZ WCHAN  STIME TTY          TIME CMD
4 S root           1       0  0  80   0 - 42060 ep_pol 02:00 ?        00:00:05 /sbin/init splash
1 I root         622       2  0  60 -20 -     0 rescue 02:00 ?        00:00:00 [ext4-rsv-conver]
4 S systemd+     641       1  0  80   0 -  5997 ep_pol 02:00 ?        00:00:01 /lib/systemd/systemd-resolved
4 S systemd+     642       1  0  80   0 - 22547 ep_pol 02:00 ?        00:00:00 /lib/systemd/systemd-timesyncd
4 S message+     693       1  0  80   0 -  1911 ep_pol 02:00 ?        00:00:02 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --syst
4 S root         697       1  0  80   0 - 20470 poll_s 02:00 ?        00:00:03 /usr/sbin/irqbalance --foreground
4 S root 700 1 0 80 0 - 6746 poll_s 02:00 ? 00:00:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers

 

 

检查是否有异常的CMD 程序在执行。

 

 

评论列表:
分类目录
未分类 Android Linux NAS 黑群晖 Spring Boot 内网穿透 服务器 私有云 资源下载 PC软件 Andorid软件
热门标签
Android Android Utils Android Widgets Android系统编译 DPI git linux NAS Nextcloud NPS PPI Spring Boot svn swap TrueNAS ubuntu Windows 内网穿透 分辨率 安全维护 我开源的APP 散篇 服务器 私有云 群晖NAS 资源下载 PC软件 Andorid软件

备案号:京ICP备14020471号-4

Copyright © 2023 千古八方的博客 版权所有