Common ways to tell whether a Linux server has been attacked
Introduction
There are many ways to judge whether a Linux server has been attacked. Here I list several commonly used checks. One sign, for example, is abnormal traffic on the network interface; attacks of this kind generally fall into a few types, such as sending large volumes of TCP SYN packets, TCP RST packets, UDP packets or ICMP packets. Below I give the specific commands and walk through them one by one with examples.
Tutorial
First, use the ps command to list the processes currently running on the system and look for any abnormal process
ps -auxf
root@ecsFmlYt:~# ps -auxf
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 2 0.0 0.0 0 0 ? S Feb18 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [rcu_gp]
root 4 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [rcu_par_gp]
root 6 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [kworker/0:0H-kblockd]
root 7 0.0 0.0 0 0 ? I Feb18 0:04 \_ [kworker/u2:0-events_unbound]
root 8 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [mm_percpu_wq]
root 9 0.0 0.0 0 0 ? S Feb18 0:02 \_ [ksoftirqd/0]
root 10 0.0 0.0 0 0 ? R Feb18 0:27 \_ [rcu_sched]
root 11 0.0 0.0 0 0 ? I Feb18 0:00 \_ [rcu_bh]
root 12 0.0 0.0 0 0 ? S Feb18 0:00 \_ [migration/0]
root 14 0.0 0.0 0 0 ? S Feb18 0:00 \_ [cpuhp/0]
root 15 0.0 0.0 0 0 ? S Feb18 0:00 \_ [kdevtmpfs]
root 16 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [netns]
root 17 0.0 0.0 0 0 ? S Feb18 0:00 \_ [kauditd]
root 18 0.0 0.0 0 0 ? S Feb18 0:00 \_ [khungtaskd]
root 19 0.0 0.0 0 0 ? S Feb18 0:00 \_ [oom_reaper]
root 20 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [writeback]
root 21 0.0 0.0 0 0 ? S Feb18 0:00 \_ [kcompactd0]
root 22 0.0 0.0 0 0 ? SN Feb18 0:00 \_ [ksmd]
root 23 0.0 0.0 0 0 ? SN Feb18 0:07 \_ [khugepaged]
root 24 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [crypto]
root 25 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [kintegrityd]
root 26 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [kblockd]
root 27 0.0 0.0 0 0 ? S Feb18 0:00 \_ [watchdogd]
root 28 0.0 0.0 0 0 ? S Feb18 0:02 \_ [kswapd0]
root 44 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [kthrotld]
root 45 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [ipv6_addrconf]
root 55 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [kstrp]
root 97 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [ata_sff]
root 102 0.0 0.0 0 0 ? S Feb18 0:00 \_ [scsi_eh_0]
root 104 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [scsi_tmf_0]
root 105 0.0 0.0 0 0 ? S Feb18 0:00 \_ [scsi_eh_1]
root 107 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [scsi_tmf_1]
root 148 0.0 0.0 0 0 ? I< Feb18 0:04 \_ [kworker/0:1H-kblockd]
root 151 0.0 0.0 0 0 ? S Feb18 0:00 \_ [scsi_eh_2]
root 152 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [scsi_tmf_2]
root 166 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [kworker/u3:0]
root 168 0.0 0.0 0 0 ? S Feb18 0:04 \_ [jbd2/vda1-8]
root 169 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [ext4-rsv-conver]
root 1828 0.0 0.0 0 0 ? I Feb18 0:00 \_ [kworker/u2:2-events_unbound]
root 20212 0.0 0.0 0 0 ? I 15:18 0:00 \_ [kworker/0:1-ata_sff]
root 20330 0.0 0.0 0 0 ? I 15:24 0:00 \_ [kworker/0:2-ata_sff]
root 20407 0.0 0.0 0 0 ? I 15:29 0:00 \_ [kworker/0:0-events_freezable_power_]
root 1 0.0 0.6 169360 6612 ? Ss Feb18 0:05 /sbin/init nosplash text
root 212 0.0 0.5 40472 5084 ? Ss Feb18 0:12 /lib/systemd/systemd-journald
root 253 0.0 0.2 19952 2836 ? Ss Feb18 0:00 /lib/systemd/systemd-udevd
root 415 0.0 0.4 223772 4372 ? Ssl Feb18 0:02 /usr/sbin/rsyslogd -n -iNONE
message+ 417 0.0 0.1 8700 1988 ? Ss Feb18 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --
ntp 427 0.0 0.1 76476 1620 ? Ssl Feb18 0:13 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 106:112
root 429 0.0 0.0 18588 392 ? Ss Feb18 0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/co
www 431 0.0 1.4 42276 14260 ? S Feb18 0:45 \_ nginx: worker process
root 430 0.0 0.1 8436 1732 ? Ss Feb18 0:00 /usr/sbin/cron -f
root 432 0.0 0.7 74988 7512 ? Ss Feb18 0:08 php-fpm: master process (/usr/local/php/etc/php-fpm.conf)
www 10674 0.5 3.8 170316 39164 ? S Feb19 8:08 \_ php-fpm: pool www
www 10677 0.5 6.4 196680 65628 ? S Feb19 7:59 \_ php-fpm: pool www
www 11085 0.6 5.9 190904 60056 ? S Feb19 7:49 \_ php-fpm: pool www
www 11284 0.5 6.2 195256 63312 ? S Feb19 7:08 \_ php-fpm: pool www
www 15737 0.4 6.3 195104 64032 ? S 04:24 3:00 \_ php-fpm: pool www
www 15894 0.4 6.3 195064 64492 ? S 04:36 3:03 \_ php-fpm: pool www
unscd 433 0.0 0.1 2512 1064 ? Ss Feb18 0:02 /usr/sbin/nscd -d
root 434 0.0 0.3 19440 3788 ? Ss Feb18 0:01 /lib/systemd/systemd-logind
root 465 0.0 0.0 2560 352 tty1 Ss+ Feb18 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root 467 0.0 0.0 5260 120 ttyS0 Ss+ Feb18 0:00 /sbin/agetty -o -p -- \u --keep-baud 115200,38400,9600 ttyS0 vt220
root 566 0.0 0.1 2384 1112 ? S Feb18 0:00 /bin/sh /usr/local/mariadb/bin/mysqld_safe --datadir=/usr/local/mariadb/
mariadb 1141 0.3 9.1 898436 93012 ? Sl Feb18 11:13 \_ /usr/local/mariadb/bin/mysqld --basedir=/usr/local/mariadb --datadir
root 1186 0.0 0.3 13728 3236 ? Ss Feb18 0:04 /usr/sbin/sshd -D
root 19795 0.0 0.7 14592 8008 ? Ss 14:58 0:00 \_ sshd: root@pts/0
root 19810 0.0 0.4 7764 4484 pts/0 Ss 14:58 0:00 \_ -bash
root 20412 0.0 0.2 10640 2956 pts/0 R+ 15:29 0:00 | \_ ps -auxf
root 19819 0.0 0.0 2368 796 ? Ss 14:58 0:00 \_ /usr/lib/openssh/sftp-server
root 19801 0.0 0.8 21032 8336 ? Ss 14:58 0:00 /lib/systemd/systemd --user
root 19802 0.0 0.2 170324 2116 ? S 14:58 0:00 \_ (sd-pam)
Use the top or htop command to see how much CPU and memory each process consumes. It shows the list of active processes, so you can pick out abnormal processes that use a large share of CPU or memory
top
root@ecsFmlYt:~# top
top - 15:36:31 up 1 day, 23:09, 1 user, load average: 0.10, 0.08, 0.02
Tasks: 72 total, 1 running, 71 sleeping, 0 stopped, 0 zombie
%Cpu(s): 0.7 us, 1.0 sy, 0.0 ni, 98.3 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
MiB Mem : 989.7 total, 169.2 free, 413.4 used, 407.0 buff/cache
MiB Swap: 1024.0 total, 990.1 free, 33.9 used. 421.1 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
20493 root 20 0 0 0 0 I 0.3 0.0 0:00.02 kworker/0:1-mm_percpu_wq
1 root 20 0 169360 6612 4712 S 0.0 0.7 0:05.64 systemd
2 root 20 0 0 0 0 S 0.0 0.0 0:00.06 kthreadd
3 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 rcu_gp
4 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 rcu_par_gp
6 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/0:0H-kblockd
7 root 20 0 0 0 0 I 0.0 0.0 0:04.52 kworker/u2:0-events_unbound
8 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 mm_percpu_wq
9 root 20 0 0 0 0 S 0.0 0.0 0:02.66 ksoftirqd/0
10 root 20 0 0 0 0 I 0.0 0.0 0:27.93 rcu_sched
11 root 20 0 0 0 0 I 0.0 0.0 0:00.00 rcu_bh
12 root rt 0 0 0 0 S 0.0 0.0 0:00.73 migration/0
14 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cpuhp/0
15 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kdevtmpfs
16 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 netns
17 root 20 0 0 0 0 S 0.0 0.0 0:00.02 kauditd
18 root 20 0 0 0 0 S 0.0 0.0 0:00.34 khungtaskd
19 root 20 0 0 0 0 S 0.0 0.0 0:00.00 oom_reaper
20 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 writeback
21 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kcompactd0
22 root 25 5 0 0 0 S 0.0 0.0 0:00.00 ksmd
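Reading ps and top by eye misses a process whose binary was renamed, deleted after launch, or started from a scratch directory. The following script is an added example (not from the original post) that checks each process's executable link under /proc; the proc root is a parameter so it can be pointed at a copy for testing.

```shell
#!/bin/bash
# Added example, not part of the original post. Flags processes whose
# executable no longer exists on disk (the kernel appends " (deleted)" to
# the /proc/<pid>/exe link target) or lives in a world-writable scratch
# directory. Reading other users' exe links requires root.
set -u

# suspicious_procs <proc-root>
# Prints "<pid> <reason> <exe-target>" per matching process, sorted by pid.
# Kernel threads have no exe link and are skipped.
suspicious_procs() {
  local root=$1 d pid exe reason
  for d in "$root"/[0-9]*; do
    pid=${d##*/}
    exe=$(readlink "$d/exe" 2>/dev/null) || continue
    reason=""
    case "$exe" in
      *" (deleted)")                 reason="deleted-binary" ;;
      /tmp/*|/var/tmp/*|/dev/shm/*)  reason="scratch-dir-binary" ;;
    esac
    if [ -n "$reason" ]; then
      printf '%s %s %s\n' "$pid" "$reason" "$exe"
    fi
  done | sort -n
}

# Live run on the host being examined (needs root to see every process):
#   suspicious_procs /proc
```

A hit is a starting point, not a verdict: package upgrades also leave running daemons with a deleted exe until they are restarted, so check the pid against the ps tree and the package manager's recent history.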
Use the netstat command to view the connection state of each port on this host
netstat -aplunt
root@ecsFmlYt:~# netstat -aplunt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1141/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 429/nginx: master p
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1186/sshd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 429/nginx: master p
tcp 0 356 23.224.167.142:22 36.32.197.75:18247 ESTABLISHED 19795/sshd: root@pt
tcp6 0 0 :::22 :::* LISTEN 1186/sshd
udp 0 0 23.224.167.142:123 0.0.0.0:* 427/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 427/ntpd
udp6 0 0 fe80::3c22:43ff:fe0:123 :::* 427/ntpd
udp6 0 0 :::123 :::* 427/ntpd
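On a host with more than a handful of sockets, comparing the listeners against the ports the server is supposed to serve is faster than reading the table. This is an added example (not from the original post); the allowlist and the sample rows for ports 4444 and 5353 are constructed for the example.

```shell
#!/bin/bash
# Added example, not part of the original post: print listening sockets
# whose port is not on an allowlist, from `netstat -aplunt` output.
set -u

# unexpected_listeners "<port> <port> ..."
# Reads netstat output on stdin, prints "<proto> <port> <pid/program>" for
# each listening socket not in the allowlist. tcp rows count when State is
# LISTEN; udp rows have no State column, so every bound udp socket counts
# and the PID/Program field sits one column to the left.
unexpected_listeners() {
  awk -v allow=" $1 " '
    /^tcp/ { if ($6 != "LISTEN") next; prog = $7 }
    /^udp/ { prog = $6 }
    /^(tcp|udp)/ {
      n = split($4, a, ":"); port = a[n]   # last field works for 0.0.0.0:80 and :::22
      if (index(allow, " " port " ") == 0) print $1, port, prog
    }'
}

# Constructed sample in the shape of the post's output, plus two listeners
# (4444/tcp and 5353/udp) that are not in the original and stand in for
# anything unexpected.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1141/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      429/nginx: master p
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1186/sshd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      20999/unknownd
tcp        0    356 23.224.167.142:22       36.32.197.75:18247      ESTABLISHED 19795/sshd: root@pt
tcp6       0      0 :::22                   :::*                    LISTEN      1186/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           427/ntpd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           20999/unknownd'

# Ports this hypothetical web host is expected to expose (an assumption).
EXPECTED_PORTS="22 80 443 123"

printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$EXPECTED_PORTS"
# On a live host, as root so PID/Program is filled in:
#   netstat -aplunt | unexpected_listeners "$EXPECTED_PORTS"
```

With the allowlist above the report also contains 3306/mysqld, because the post's server has MariaDB bound to 0.0.0.0 rather than 127.0.0.1; whether that belongs on the allowlist is a decision for the host's owner.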
Use the last command to view the records of users who have logged in to the server
last
root@ecsFmlYt:~# last
root pts/0 11.12.197.71 Mon Feb 20 14:58 still logged in
root pts/0 26.12.227.75 Mon Feb 20 14:52 - 14:52 (00:00)
root pts/0 56.32.127.15 Sat Feb 18 17:04 - 17:20 (00:15)
root pts/0 16.12.197.75 Sat Feb 18 17:00 - 17:01 (00:00)
reboot system boot 4.19.0-20-cloud- Sat Feb 18 16:26 still running
reboot system boot 4.19.0-20-cloud- Sat Feb 18 16:26 - 16:26 (00:00)
root pts/0 16.32.127.75 Sat Feb 18 14:02 - 15:36 (01:34)
root pts/0 16.32.127.113 Sat Feb 18 08:32 - 13:10 (04:37)
reboot system boot 4.19.0-20-cloud- Sat Feb 11 10:56 - 16:25 (7+05:29)

wtmp begins Sat Feb 11 10:56:17 2023
Use the who command to view the currently logged-in users
who -a
root@ecsFmlYt:~# who -a
system boot 2023-02-18 16:26
run-level 5 2023-02-18 16:26
LOGIN ttyS0 2023-02-18 16:27 467 id=tyS0
LOGIN tty1 2023-02-18 16:27 465 id=tty1
root - pts/0 2023-02-20 14:58 . 19810 (16.12.127.71)
View the command execution history to see the commands run by the current account. -n 200 shows the most recent 200 entries
# View the command history of the user named rusking. You can replace ivpsr with another user name
View files modified in the last 2 days
Use the lsof command to view open files
lsof -i
lsof -p pid
root@ecsFmlYt:~# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ntpd 427 ntp 16u IPv6 12211 0t0 UDP *:ntp
ntpd 427 ntp 17u IPv4 12214 0t0 UDP *:ntp
ntpd 427 ntp 21u IPv6 12229 0t0 UDP [fe80::3c22:43ff:fe00:6e]:ntp
ntpd 427 ntp 25u IPv4 14640 0t0 UDP 23.224.167.142:ntp
nginx 429 root 7u IPv4 12242 0t0 TCP *:http (LISTEN)
nginx 429 root 8u IPv4 12243 0t0 TCP *:https (LISTEN)
nginx 431 www 7u IPv4 12242 0t0 TCP *:http (LISTEN)
nginx 431 www 8u IPv4 12243 0t0 TCP *:https (LISTEN)
mysqld 1141 mariadb 18u IPv4 13786 0t0 TCP *:mysql (LISTEN)
sshd 1186 root 3u IPv4 14196 0t0 TCP *:ssh (LISTEN)
sshd 1186 root 4u IPv6 14207 0t0 TCP *:ssh (LISTEN)
sshd 19795 root 3u IPv4 289217 0t0 TCP 13.224.127.122:ssh->16.22.227.75:18247 (ESTABLISHED)
root@ecsFmlYt:~#
Check whether the following directories contain any unusual files
Check the cron job configuration files for abnormal jobs
Check all of the directories below for abnormal files, and check whether the contents of these files have been modified.
cron.d/ cron.daily/ cron.deny cron.hourly/ cron.monthly/ crontab cron.weekly/
Copyright notice:
Author: ivpsr.com
Link: https://ivpsr.com/3424.html
The copyright of this article belongs to the author. Please do not repost without permission.