教你判断linux服务器是否被攻击的常见手法
帮助文档
2023-03-02 14:38
10203
简介
判断linux服务器被攻击的方法有很多,常用的几种常见手法我这里列出来告诉大家,比如网口流量有异常,一般攻
击分这几种类型,如:大量发送 tcp syn, 发送 tcp rst包,发送udp包,发送icmp包等。下面我把具体的命令发出来挨个
举例说明
教程
先来使用PS命令查看当前系统中正在运行的进程信息,有无异常进程
ps -auxf
root@ecsFmlYt:~# ps -auxf
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 2 0.0 0.0 0 0 ? S Feb18 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [rcu_gp]
root 4 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [rcu_par_gp]
root 6 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [kworker/0:0H-kblockd]
root 7 0.0 0.0 0 0 ? I Feb18 0:04 \_ [kworker/u2:0-events_unbound]
root 8 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [mm_percpu_wq]
root 9 0.0 0.0 0 0 ? S Feb18 0:02 \_ [ksoftirqd/0]
root 10 0.0 0.0 0 0 ? R Feb18 0:27 \_ [rcu_sched]
root 11 0.0 0.0 0 0 ? I Feb18 0:00 \_ [rcu_bh]
root 12 0.0 0.0 0 0 ? S Feb18 0:00 \_ [migration/0]
root 14 0.0 0.0 0 0 ? S Feb18 0:00 \_ [cpuhp/0]
root 15 0.0 0.0 0 0 ? S Feb18 0:00 \_ [kdevtmpfs]
root 16 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [netns]
root 17 0.0 0.0 0 0 ? S Feb18 0:00 \_ [kauditd]
root 18 0.0 0.0 0 0 ? S Feb18 0:00 \_ [khungtaskd]
root 19 0.0 0.0 0 0 ? S Feb18 0:00 \_ [oom_reaper]
root 20 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [writeback]
root 21 0.0 0.0 0 0 ? S Feb18 0:00 \_ [kcompactd0]
root 22 0.0 0.0 0 0 ? SN Feb18 0:00 \_ [ksmd]
root 23 0.0 0.0 0 0 ? SN Feb18 0:07 \_ [khugepaged]
root 24 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [crypto]
root 25 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [kintegrityd]
root 26 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [kblockd]
root 27 0.0 0.0 0 0 ? S Feb18 0:00 \_ [watchdogd]
root 28 0.0 0.0 0 0 ? S Feb18 0:02 \_ [kswapd0]
root 44 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [kthrotld]
root 45 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [ipv6_addrconf]
root 55 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [kstrp]
root 97 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [ata_sff]
root 102 0.0 0.0 0 0 ? S Feb18 0:00 \_ [scsi_eh_0]
root 104 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [scsi_tmf_0]
root 105 0.0 0.0 0 0 ? S Feb18 0:00 \_ [scsi_eh_1]
root 107 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [scsi_tmf_1]
root 148 0.0 0.0 0 0 ? I< Feb18 0:04 \_ [kworker/0:1H-kblockd]
root 151 0.0 0.0 0 0 ? S Feb18 0:00 \_ [scsi_eh_2]
root 152 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [scsi_tmf_2]
root 166 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [kworker/u3:0]
root 168 0.0 0.0 0 0 ? S Feb18 0:04 \_ [jbd2/vda1-8]
root 169 0.0 0.0 0 0 ? I< Feb18 0:00 \_ [ext4-rsv-conver]
root 1828 0.0 0.0 0 0 ? I Feb18 0:00 \_ [kworker/u2:2-events_unbound]
root 20212 0.0 0.0 0 0 ? I 15:18 0:00 \_ [kworker/0:1-ata_sff]
root 20330 0.0 0.0 0 0 ? I 15:24 0:00 \_ [kworker/0:2-ata_sff]
root 20407 0.0 0.0 0 0 ? I 15:29 0:00 \_ [kworker/0:0-events_freezable_power_]
root 1 0.0 0.6 169360 6612 ? Ss Feb18 0:05 /sbin/init nosplash text
root 212 0.0 0.5 40472 5084 ? Ss Feb18 0:12 /lib/systemd/systemd-journald
root 253 0.0 0.2 19952 2836 ? Ss Feb18 0:00 /lib/systemd/systemd-udevd
root 415 0.0 0.4 223772 4372 ? Ssl Feb18 0:02 /usr/sbin/rsyslogd -n -iNONE
message+ 417 0.0 0.1 8700 1988 ? Ss Feb18 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --
ntp 427 0.0 0.1 76476 1620 ? Ssl Feb18 0:13 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 106:112
root 429 0.0 0.0 18588 392 ? Ss Feb18 0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/co
www 431 0.0 1.4 42276 14260 ? S Feb18 0:45 \_ nginx: worker process
root 430 0.0 0.1 8436 1732 ? Ss Feb18 0:00 /usr/sbin/cron -f
root 432 0.0 0.7 74988 7512 ? Ss Feb18 0:08 php-fpm: master process (/usr/local/php/etc/php-fpm.conf)
www 10674 0.5 3.8 170316 39164 ? S Feb19 8:08 \_ php-fpm: pool www
www 10677 0.5 6.4 196680 65628 ? S Feb19 7:59 \_ php-fpm: pool www
www 11085 0.6 5.9 190904 60056 ? S Feb19 7:49 \_ php-fpm: pool www
www 11284 0.5 6.2 195256 63312 ? S Feb19 7:08 \_ php-fpm: pool www
www 15737 0.4 6.3 195104 64032 ? S 04:24 3:00 \_ php-fpm: pool www
www 15894 0.4 6.3 195064 64492 ? S 04:36 3:03 \_ php-fpm: pool www
unscd 433 0.0 0.1 2512 1064 ? Ss Feb18 0:02 /usr/sbin/nscd -d
root 434 0.0 0.3 19440 3788 ? Ss Feb18 0:01 /lib/systemd/systemd-logind
root 465 0.0 0.0 2560 352 tty1 Ss+ Feb18 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root 467 0.0 0.0 5260 120 ttyS0 Ss+ Feb18 0:00 /sbin/agetty -o -p -- \u --keep-baud 115200,38400,9600 ttyS0 vt220
root 566 0.0 0.1 2384 1112 ? S Feb18 0:00 /bin/sh /usr/local/mariadb/bin/mysqld_safe --datadir=/usr/local/mariadb/
mariadb 1141 0.3 9.1 898436 93012 ? Sl Feb18 11:13 \_ /usr/local/mariadb/bin/mysqld --basedir=/usr/local/mariadb --datadir
root 1186 0.0 0.3 13728 3236 ? Ss Feb18 0:04 /usr/sbin/sshd -D
root 19795 0.0 0.7 14592 8008 ? Ss 14:58 0:00 \_ sshd: root@pts/0
root 19810 0.0 0.4 7764 4484 pts/0 Ss 14:58 0:00 \_ -bash
root 20412 0.0 0.2 10640 2956 pts/0 R+ 15:29 0:00 | \_ ps -auxf
root 19819 0.0 0.0 2368 796 ? Ss 14:58 0:00 \_ /usr/lib/openssh/sftp-server
root 19801 0.0 0.8 21032 8336 ? Ss 14:58 0:00 /lib/systemd/systemd --user
root 19802 0.0 0.2 170324 2116 ? S 14:58 0:00 \_ (sd-pam)
使用top或htop命令查看进程对CPU/内存的消耗情况,可以显示活跃进程列表,排查占用CPU和内存较大的异常进程
top
root@ecsFmlYt:~# top
top - 15:36:31 up 1 day, 23:09, 1 user, load average: 0.10, 0.08, 0.02
Tasks: 72 total, 1 running, 71 sleeping, 0 stopped, 0 zombie
%Cpu(s): 0.7 us, 1.0 sy, 0.0 ni, 98.3 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
MiB Mem : 989.7 total, 169.2 free, 413.4 used, 407.0 buff/cache
MiB Swap: 1024.0 total, 990.1 free, 33.9 used. 421.1 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
20493 root 20 0 0 0 0 I 0.3 0.0 0:00.02 kworker/0:1-mm_percpu_wq
1 root 20 0 169360 6612 4712 S 0.0 0.7 0:05.64 systemd
2 root 20 0 0 0 0 S 0.0 0.0 0:00.06 kthreadd
3 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 rcu_gp
4 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 rcu_par_gp
6 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/0:0H-kblockd
7 root 20 0 0 0 0 I 0.0 0.0 0:04.52 kworker/u2:0-events_unbound
8 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 mm_percpu_wq
9 root 20 0 0 0 0 S 0.0 0.0 0:02.66 ksoftirqd/0
10 root 20 0 0 0 0 I 0.0 0.0 0:27.93 rcu_sched
11 root 20 0 0 0 0 I 0.0 0.0 0:00.00 rcu_bh
12 root rt 0 0 0 0 S 0.0 0.0 0:00.73 migration/0
14 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cpuhp/0
15 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kdevtmpfs
16 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 netns
17 root 20 0 0 0 0 S 0.0 0.0 0:00.02 kauditd
18 root 20 0 0 0 0 S 0.0 0.0 0:00.34 khungtaskd
19 root 20 0 0 0 0 S 0.0 0.0 0:00.00 oom_reaper
20 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 writeback
21 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kcompactd0
22 root 25 5 0 0 0 S 0.0 0.0 0:00.00 ksmd
使用netstat 命令查看本机各端口连接情况
netstat -aplunt
root@ecsFmlYt:~# netstat -aplunt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1141/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 429/nginx: master p
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1186/sshd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 429/nginx: master p
tcp 0 356 23.224.167.142:22 36.32.197.75:18247 ESTABLISHED 19795/sshd: root@pt
tcp6 0 0 :::22 :::* LISTEN 1186/sshd
udp 0 0 23.224.167.142:123 0.0.0.0:* 427/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 427/ntpd
udp6 0 0 fe80::3c22:43ff:fe0:123 :::* 427/ntpd
udp6 0 0 :::123 :::* 427/ntpd
使用last命令查看登录服务器的用户记录
last
root@ecsFmlYt:~# last
root pts/0 11.12.197.71 Mon Feb 20 14:58 still logged in
root pts/0 26.12.227.75 Mon Feb 20 14:52 - 14:52 (00:00)
root pts/0 56.32.127.15 Sat Feb 18 17:04 - 17:20 (00:15)
root pts/0 16.12.197.75 Sat Feb 18 17:00 - 17:01 (00:00)
reboot system boot 4.19.0-20-cloud- Sat Feb 18 16:26 still running
reboot system boot 4.19.0-20-cloud- Sat Feb 18 16:26 - 16:26 (00:00)
root pts/0 16.32.127.75 Sat Feb 18 14:02 - 15:36 (01:34)
root pts/0 16.32.127.113 Sat Feb 18 08:32 - 13:10 (04:37)
reboot system boot 4.19.0-20-cloud- Sat Feb 11 10:56 - 16:25 (7+05:29)
wtmp begins Sat Feb 11 10:56:17 2023
使用who命令查看当前登录的用户
who -a
root@ecsFmlYt:~# who -a
system boot 2023-02-18 16:26
run-level 5 2023-02-18 16:26
LOGIN ttyS0 2023-02-18 16:27 467 id=tyS0
LOGIN tty1 2023-02-18 16:27 465 id=tty1
root - pts/0 2023-02-20 14:58 . 19810 (16.12.127.71)
查看命令执行记录,查看当前帐户的操作命令。-n 200显示最近200条记录
tail -n 200 ~/.bash_history | more
#查看指定用户名为rusking的操作命令记录。 可以将rusking替换成其它用户
tail -n 200 /home/rusking/.bash_history | more
查看最近2天修改过的文件
find /etc /var -mtime -2
使用lsof命令查看打开的文件
lsof -i
lsof -p pid
root@ecsFmlYt:~# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ntpd 427 ntp 16u IPv6 12211 0t0 UDP *:ntp
ntpd 427 ntp 17u IPv4 12214 0t0 UDP *:ntp
ntpd 427 ntp 21u IPv6 12229 0t0 UDP [fe80::3c22:43ff:fe00:6e]:ntp
ntpd 427 ntp 25u IPv4 14640 0t0 UDP 23.224.167.142:ntp
nginx 429 root 7u IPv4 12242 0t0 TCP *:http (LISTEN)
nginx 429 root 8u IPv4 12243 0t0 TCP *:https (LISTEN)
nginx 431 www 7u IPv4 12242 0t0 TCP *:http (LISTEN)
nginx 431 www 8u IPv4 12243 0t0 TCP *:https (LISTEN)
mysqld 1141 mariadb 18u IPv4 13786 0t0 TCP *:mysql (LISTEN)
sshd 1186 root 3u IPv4 14196 0t0 TCP *:ssh (LISTEN)
sshd 1186 root 4u IPv6 14207 0t0 TCP *:ssh (LISTEN)
sshd 19795 root 3u IPv4 289217 0t0 TCP 13.224.127.122:ssh->16.22.227.75:18247 (ESTABLISHED)
root@ecsFmlYt:~#
查看以下目录下是否有特殊文件
ls /tmp/ -la
ls /dev/shm -la
ls /var/tmp -la
查看cronjob配置文件是否有异常的job
查看以下所有目录下是否有异常文件,以及这些文件的内容是否被修改。
cron.d/ cron.daily/ cron.deny cron.hourly/ cron.monthly/ crontab cron.weekly/
crontab -l
cat /etc/crontab
ls /etc/cron