教你判断linux服务器是否被攻击的常见手法

简介

判断 Linux 服务器是否被攻击的方法有很多，这里列出几种常用的排查手法。最直观的信号之一是网口流量异常：常见的攻击（以及主机被控后对外发起的攻击）大致分为大量发送 TCP SYN、发送 TCP RST 包、发送 UDP 包、发送 ICMP 包等类型。下面把具体的排查命令逐个列出并举例说明。需要注意的是，以下命令都在"可能已被入侵"的主机上执行：如果攻击者植入了 rootkit 或替换了 ps、netstat、ls 等系统工具，命令输出本身可能被篡改，因此最终结论应结合带外证据（云平台流量监控、交换机/防火墙日志、集中日志系统）交叉验证，而不是只依赖主机上的输出。

 


教程

先来使用 ps 命令查看当前系统中正在运行的进程信息，有无异常进程。重点关注：服务账号（如 www、mariadb）名下出现的 shell、curl/wget 等下载工具或编译器；父进程是 php-fpm、nginx 这类 Web 服务的可疑子进程；用方括号伪装成内核线程、但 USER 不是 root 或有实际内存占用（VSZ/RSS 不为 0）的进程；以及从 /tmp、/dev/shm、/var/tmp 等目录启动的二进制。下面示例中 php-fpm 的工作进程都以 www 用户运行、父进程是 php-fpm master，属于正常状态。

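# BSD-style ps options take no leading dash: "ps -auxf" only works because
# procps falls back to BSD parsing (older versions print "bad ps syntax").
# a = all users, u = user-oriented columns, x = include processes without a
# controlling tty, f = ASCII process tree, so parent/child relations (e.g. a
# shell spawned from php-fpm) are visible at a glance.
ps auxf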

root@ecsFmlYt:~# ps -auxf
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         2  0.0  0.0      0     0 ?        S    Feb18   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        I<   Feb18   0:00  \_ [rcu_gp]
root         4  0.0  0.0      0     0 ?        I<   Feb18   0:00  \_ [rcu_par_gp]
root         6  0.0  0.0      0     0 ?        I<   Feb18   0:00  \_ [kworker/0:0H-kblockd]
root         7  0.0  0.0      0     0 ?        I    Feb18   0:04  \_ [kworker/u2:0-events_unbound]
root         8  0.0  0.0      0     0 ?        I<   Feb18   0:00  \_ [mm_percpu_wq]
root         9  0.0  0.0      0     0 ?        S    Feb18   0:02  \_ [ksoftirqd/0]
root        10  0.0  0.0      0     0 ?        R    Feb18   0:27  \_ [rcu_sched]
root        11  0.0  0.0      0     0 ?        I    Feb18   0:00  \_ [rcu_bh]
root        12  0.0  0.0      0     0 ?        S    Feb18   0:00  \_ [migration/0]
root        14  0.0  0.0      0     0 ?        S    Feb18   0:00  \_ [cpuhp/0]
root        15  0.0  0.0      0     0 ?        S    Feb18   0:00  \_ [kdevtmpfs]
root        16  0.0  0.0      0     0 ?        I<   Feb18   0:00  \_ [netns]
root        17  0.0  0.0      0     0 ?        S    Feb18   0:00  \_ [kauditd]
root        18  0.0  0.0      0     0 ?        S    Feb18   0:00  \_ [khungtaskd]
root        19  0.0  0.0      0     0 ?        S    Feb18   0:00  \_ [oom_reaper]
root        20  0.0  0.0      0     0 ?        I<   Feb18   0:00  \_ [writeback]
root        21  0.0  0.0      0     0 ?        S    Feb18   0:00  \_ [kcompactd0]
root        22  0.0  0.0      0     0 ?        SN   Feb18   0:00  \_ [ksmd]
root        23  0.0  0.0      0     0 ?        SN   Feb18   0:07  \_ [khugepaged]
root        24  0.0  0.0      0     0 ?        I<   Feb18   0:00  \_ [crypto]
root        25  0.0  0.0      0     0 ?        I<   Feb18   0:00  \_ [kintegrityd]
root        26  0.0  0.0      0     0 ?        I<   Feb18   0:00  \_ [kblockd]
root        27  0.0  0.0      0     0 ?        S    Feb18   0:00  \_ [watchdogd]
root        28  0.0  0.0      0     0 ?        S    Feb18   0:02  \_ [kswapd0]
root        44  0.0  0.0      0     0 ?        I<   Feb18   0:00  \_ [kthrotld]
root        45  0.0  0.0      0     0 ?        I<   Feb18   0:00  \_ [ipv6_addrconf]
root        55  0.0  0.0      0     0 ?        I<   Feb18   0:00  \_ [kstrp]
root        97  0.0  0.0      0     0 ?        I<   Feb18   0:00  \_ [ata_sff]
root       102  0.0  0.0      0     0 ?        S    Feb18   0:00  \_ [scsi_eh_0]
root       104  0.0  0.0      0     0 ?        I<   Feb18   0:00  \_ [scsi_tmf_0]
root       105  0.0  0.0      0     0 ?        S    Feb18   0:00  \_ [scsi_eh_1]
root       107  0.0  0.0      0     0 ?        I<   Feb18   0:00  \_ [scsi_tmf_1]
root       148  0.0  0.0      0     0 ?        I<   Feb18   0:04  \_ [kworker/0:1H-kblockd]
root       151  0.0  0.0      0     0 ?        S    Feb18   0:00  \_ [scsi_eh_2]
root       152  0.0  0.0      0     0 ?        I<   Feb18   0:00  \_ [scsi_tmf_2]
root       166  0.0  0.0      0     0 ?        I<   Feb18   0:00  \_ [kworker/u3:0]
root       168  0.0  0.0      0     0 ?        S    Feb18   0:04  \_ [jbd2/vda1-8]
root       169  0.0  0.0      0     0 ?        I<   Feb18   0:00  \_ [ext4-rsv-conver]
root      1828  0.0  0.0      0     0 ?        I    Feb18   0:00  \_ [kworker/u2:2-events_unbound]
root     20212  0.0  0.0      0     0 ?        I    15:18   0:00  \_ [kworker/0:1-ata_sff]
root     20330  0.0  0.0      0     0 ?        I    15:24   0:00  \_ [kworker/0:2-ata_sff]
root     20407  0.0  0.0      0     0 ?        I    15:29   0:00  \_ [kworker/0:0-events_freezable_power_]
root         1  0.0  0.6 169360  6612 ?        Ss   Feb18   0:05 /sbin/init nosplash text
root       212  0.0  0.5  40472  5084 ?        Ss   Feb18   0:12 /lib/systemd/systemd-journald
root       253  0.0  0.2  19952  2836 ?        Ss   Feb18   0:00 /lib/systemd/systemd-udevd
root       415  0.0  0.4 223772  4372 ?        Ssl  Feb18   0:02 /usr/sbin/rsyslogd -n -iNONE
message+   417  0.0  0.1   8700  1988 ?        Ss   Feb18   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --
ntp        427  0.0  0.1  76476  1620 ?        Ssl  Feb18   0:13 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 106:112
root       429  0.0  0.0  18588   392 ?        Ss   Feb18   0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/co
www        431  0.0  1.4  42276 14260 ?        S    Feb18   0:45  \_ nginx: worker process
root       430  0.0  0.1   8436  1732 ?        Ss   Feb18   0:00 /usr/sbin/cron -f
root       432  0.0  0.7  74988  7512 ?        Ss   Feb18   0:08 php-fpm: master process (/usr/local/php/etc/php-fpm.conf)
www      10674  0.5  3.8 170316 39164 ?        S    Feb19   8:08  \_ php-fpm: pool www
www      10677  0.5  6.4 196680 65628 ?        S    Feb19   7:59  \_ php-fpm: pool www
www      11085  0.6  5.9 190904 60056 ?        S    Feb19   7:49  \_ php-fpm: pool www
www      11284  0.5  6.2 195256 63312 ?        S    Feb19   7:08  \_ php-fpm: pool www
www      15737  0.4  6.3 195104 64032 ?        S    04:24   3:00  \_ php-fpm: pool www
www      15894  0.4  6.3 195064 64492 ?        S    04:36   3:03  \_ php-fpm: pool www
unscd      433  0.0  0.1   2512  1064 ?        Ss   Feb18   0:02 /usr/sbin/nscd -d
root       434  0.0  0.3  19440  3788 ?        Ss   Feb18   0:01 /lib/systemd/systemd-logind
root       465  0.0  0.0   2560   352 tty1     Ss+  Feb18   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root       467  0.0  0.0   5260   120 ttyS0    Ss+  Feb18   0:00 /sbin/agetty -o -p -- \u --keep-baud 115200,38400,9600 ttyS0 vt220
root       566  0.0  0.1   2384  1112 ?        S    Feb18   0:00 /bin/sh /usr/local/mariadb/bin/mysqld_safe --datadir=/usr/local/mariadb/
mariadb   1141  0.3  9.1 898436 93012 ?        Sl   Feb18  11:13  \_ /usr/local/mariadb/bin/mysqld --basedir=/usr/local/mariadb --datadir
root      1186  0.0  0.3  13728  3236 ?        Ss   Feb18   0:04 /usr/sbin/sshd -D
root     19795  0.0  0.7  14592  8008 ?        Ss   14:58   0:00  \_ sshd: root@pts/0
root     19810  0.0  0.4   7764  4484 pts/0    Ss   14:58   0:00      \_ -bash
root     20412  0.0  0.2  10640  2956 pts/0    R+   15:29   0:00      |   \_ ps -auxf
root     19819  0.0  0.0   2368   796 ?        Ss   14:58   0:00      \_ /usr/lib/openssh/sftp-server
root     19801  0.0  0.8  21032  8336 ?        Ss   14:58   0:00 /lib/systemd/systemd --user
root     19802  0.0  0.2 170324  2116 ?        S    14:58   0:00  \_ (sd-pam)

使用 top 或 htop 命令查看进程对 CPU/内存的消耗情况，可以显示活跃进程列表，排查占用 CPU 和内存较大的异常进程（top 中按 P 按 CPU 排序、按 M 按内存排序）。挖矿木马通常表现为长时间接近 100% 的 CPU 占用，但也有恶意程序会主动限速或改名伪装成系统进程，CPU 不高并不代表没有问题，还需结合后面的网络连接和文件检查一起判断。

# Interactive process monitor. The summary header (load average, task
# counts, memory/swap usage) and the per-process %CPU / %MEM / TIME+ columns
# are what the sample output below shows.
top

root@ecsFmlYt:~# top
top - 15:36:31 up 1 day, 23:09,  1 user,  load average: 0.10, 0.08, 0.02
Tasks:  72 total,   1 running,  71 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.7 us,  1.0 sy,  0.0 ni, 98.3 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
MiB Mem :    989.7 total,    169.2 free,    413.4 used,    407.0 buff/cache
MiB Swap:   1024.0 total,    990.1 free,     33.9 used.    421.1 avail Mem 

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND                                                             
20493 root      20   0       0      0      0 I   0.3   0.0   0:00.02 kworker/0:1-mm_percpu_wq                                            
    1 root      20   0  169360   6612   4712 S   0.0   0.7   0:05.64 systemd                                                             
    2 root      20   0       0      0      0 S   0.0   0.0   0:00.06 kthreadd                                                            
    3 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_gp                                                              
    4 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_par_gp                                                          
    6 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kworker/0:0H-kblockd                                                
    7 root      20   0       0      0      0 I   0.0   0.0   0:04.52 kworker/u2:0-events_unbound                                         
    8 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 mm_percpu_wq                                                        
    9 root      20   0       0      0      0 S   0.0   0.0   0:02.66 ksoftirqd/0                                                         
   10 root      20   0       0      0      0 I   0.0   0.0   0:27.93 rcu_sched                                                           
   11 root      20   0       0      0      0 I   0.0   0.0   0:00.00 rcu_bh                                                              
   12 root      rt   0       0      0      0 S   0.0   0.0   0:00.73 migration/0                                                         
   14 root      20   0       0      0      0 S   0.0   0.0   0:00.00 cpuhp/0                                                             
   15 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kdevtmpfs                                                           
   16 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 netns                                                               
   17 root      20   0       0      0      0 S   0.0   0.0   0:00.02 kauditd                                                             
   18 root      20   0       0      0      0 S   0.0   0.0   0:00.34 khungtaskd                                                          
   19 root      20   0       0      0      0 S   0.0   0.0   0:00.00 oom_reaper                                                          
   20 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 writeback                                                           
   21 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kcompactd0                                                          
   22 root      25   5       0      0      0 S   0.0   0.0   0:00.00 ksmd         

使用 netstat 命令查看本机各端口的监听和连接情况（较新的发行版可能没有预装 net-tools，可用 ss -tulpan 代替）。重点关注：不认识的程序在 LISTEN 的端口、对外的 ESTABLISHED 连接（尤其是连到陌生 IP 高端口的连接，常见于反弹 shell 或矿池连接），以及绑定在 0.0.0.0 上暴露给公网的服务。例如下面示例中 mysqld 监听在 0.0.0.0:3306，除非确实需要远程访问数据库，否则应改为只监听 127.0.0.1，或用防火墙/安全组限制来源 IP。

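# net-tools (netstat) is missing on many current distributions; fall back to
# iproute2's ss with the equivalent flags. a = all sockets, p = owning process,
# l = listeners, u/t = UDP and TCP, n = numeric output (no DNS or service-name
# lookups, so the host under investigation does not emit DNS queries).
if command -v netstat >/dev/null 2>&1; then
  netstat -aplunt
else
  ss -tulpan
fi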

root@ecsFmlYt:~# netstat -aplunt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1141/mysqld         
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      429/nginx: master p 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1186/sshd           
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      429/nginx: master p 
tcp        0    356 23.224.167.142:22       36.32.197.75:18247      ESTABLISHED 19795/sshd: root@pt 
tcp6       0      0 :::22                   :::*                    LISTEN      1186/sshd           
udp        0      0 23.224.167.142:123      0.0.0.0:*                           427/ntpd            
udp        0      0 0.0.0.0:123             0.0.0.0:*                           427/ntpd            
udp6       0      0 fe80::3c22:43ff:fe0:123 :::*                                427/ntpd            
udp6       0      0 :::123                  :::*                                427/ntpd            

使用 last 命令查看登录服务器的用户记录（数据来自 /var/log/wtmp）。注意 wtmp 可以被拥有 root 权限的攻击者清空或篡改，应与 /var/log/auth.log（或 journalctl -u ssh）以及 lastb 显示的失败登录记录交叉对照，看是否存在大量爆破尝试或时间上对不上的记录。另外下面示例中所有登录都是 root 账号直接通过 SSH 登录，来源 IP 还不止一个，建议在 sshd_config 中设置 PermitRootLogin no，改用普通账号加密钥认证登录。

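# -a moves the host/IP into the last column so it is not truncated (in the
# sample below the kernel name in the reboot rows is cut off); -i prints the
# source as a raw IP instead of resolving it, so no DNS traffic is generated.
# Reads /var/log/wtmp, which an attacker with root can wipe; cross-check the
# result against auth.log / journald before trusting it.
last -a -i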

root@ecsFmlYt:~# last
root     pts/0        11.12.197.71     Mon Feb 20 14:58   still logged in
root     pts/0        26.12.227.75     Mon Feb 20 14:52 - 14:52  (00:00)
root     pts/0        56.32.127.15     Sat Feb 18 17:04 - 17:20  (00:15)
root     pts/0        16.12.197.75     Sat Feb 18 17:00 - 17:01  (00:00)
reboot   system boot  4.19.0-20-cloud- Sat Feb 18 16:26   still running
reboot   system boot  4.19.0-20-cloud- Sat Feb 18 16:26 - 16:26  (00:00)
root     pts/0        16.32.127.75     Sat Feb 18 14:02 - 15:36  (01:34)
root     pts/0        16.32.127.113    Sat Feb 18 08:32 - 13:10  (04:37)

reboot   system boot  4.19.0-20-cloud- Sat Feb 11 10:56 - 16:25 (7+05:29)

wtmp begins Sat Feb 11 10:56:17 2023

使用 who 命令查看当前登录的用户及其来源 IP；-a 参数还会显示系统启动时间、运行级别和空闲的终端，可以与 last 的记录互相印证。

# -a (all): besides the interactive logins, also prints the boot time, run
# level and idle login prompts, as the sample output below shows.
who -a

root@ecsFmlYt:~# who -a
           system boot  2023-02-18 16:26
           run-level 5  2023-02-18 16:26
LOGIN      ttyS0        2023-02-18 16:27               467 id=tyS0
LOGIN      tty1         2023-02-18 16:27               465 id=tty1
root     - pts/0        2023-02-20 14:58   .         19810 (16.12.127.71)

查看命令执行记录，即当前账户的操作命令历史，-n 200 显示最近 200 条记录。注意：bash 默认只在会话退出时才把历史写入文件，当前仍在进行中的会话可用 history 命令查看内存中的记录；攻击者也经常用 unset HISTFILE、history -c 或直接删除文件来清除痕迹，因此历史为空或明显中断本身就是可疑信号。root 的历史文件在 /root/.bash_history，其它用户在各自家目录下。

# Last 200 entries of the current account's shell history. By default bash
# only flushes history to this file when the session ends, and intruders
# routinely clear or disable it, so an empty file is itself worth noting.
tail -n200 "$HOME/.bash_history" | more

# The same check for a named account; swap rusking for any other login name.
tail -n200 /home/rusking/.bash_history | more

查看最近 2 天内被修改过的文件。注意 -mtime 依据的修改时间可以被攻击者用 touch 伪造，而 ctime（inode 变更时间）不能通过 touch 改回去，可靠起见应再用 -ctime -2 查一遍；另外 /etc、/var 之外，/usr/bin、/usr/sbin、/lib、/root 和各用户家目录也是系统二进制被替换、工具被投放的常见位置。

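# Files under /etc and /var changed in the last 2 days. mtime can be reset by
# an attacker with "touch -r", so ctime (inode change time, not settable
# without moving the system clock) is checked as well; -ls prints owner, size
# and timestamps inline so each hit can be judged without a second command.
# Widen the paths (/usr/bin, /usr/sbin, /lib, /root, /home) when looking for
# replaced system binaries or dropped tooling.
find /etc /var \( -mtime -2 -o -ctime -2 \) -ls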

使用 lsof 命令查看进程打开的文件和网络连接：-i 只列出网络连接，-p 查看指定进程打开的全部文件。对于启动后被删除但仍在运行的恶意程序，lsof 会在路径后标记 (deleted)，这是常见的入侵痕迹，此时可从 /proc/<pid>/exe 把原始文件复制出来留作取证样本。

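# -n / -P suppress DNS and service-name lookups: the output shows raw IPs and
# port numbers (instead of "ntp", "http" as in the sample below), and the
# possibly compromised host does not generate DNS queries while being examined.
lsof -i -n -P

# All files, sockets and mapped libraries held by one process; replace pid
# with the PID under suspicion. A path tagged "(deleted)" means the binary
# was removed after launch, a common trait of malware.
lsof -p pid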

root@ecsFmlYt:~#  lsof -i
COMMAND   PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ntpd      427     ntp   16u  IPv6  12211      0t0  UDP *:ntp 
ntpd      427     ntp   17u  IPv4  12214      0t0  UDP *:ntp 
ntpd      427     ntp   21u  IPv6  12229      0t0  UDP [fe80::3c22:43ff:fe00:6e]:ntp 
ntpd      427     ntp   25u  IPv4  14640      0t0  UDP 23.224.167.142:ntp 
nginx     429    root    7u  IPv4  12242      0t0  TCP *:http (LISTEN)
nginx     429    root    8u  IPv4  12243      0t0  TCP *:https (LISTEN)
nginx     431     www    7u  IPv4  12242      0t0  TCP *:http (LISTEN)
nginx     431     www    8u  IPv4  12243      0t0  TCP *:https (LISTEN)
mysqld   1141 mariadb   18u  IPv4  13786      0t0  TCP *:mysql (LISTEN)
sshd     1186    root    3u  IPv4  14196      0t0  TCP *:ssh (LISTEN)
sshd     1186    root    4u  IPv6  14207      0t0  TCP *:ssh (LISTEN)
sshd    19795    root    3u  IPv4 289217      0t0  TCP 13.224.127.122:ssh->16.22.227.75:18247 (ESTABLISHED)
root@ecsFmlYt:~# 

查看以下几个所有用户可写的临时目录中是否有可疑文件（隐藏文件、带执行权限的文件、近期出现的脚本或二进制）。这些目录是恶意程序下载落地的常见位置，攻击者还常把文件藏在 /tmp/.X11-unix/ 这类看起来正常的子目录里，或者用 "..." 之类的名字让 ls 不易察觉。

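# World-writable scratch directories are the usual drop location for
# downloaded payloads. List everything including dotfiles, newest first, in
# one call (options before operands keeps this POSIX-portable).
ls -lat /tmp /dev/shm /var/tmp

# Executables and hidden names in these directories are rarely legitimate,
# and a plain ls only shows the top level; recurse so payloads tucked into
# subdirectories such as /tmp/.X11-unix/ are listed too.
find /tmp /dev/shm /var/tmp \( -type f -perm /111 -o -name '.*' \) -ls 2>/dev/null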

查看 cron 配置是否有异常的定时任务。除了 /etc/crontab 以及 /etc 下的 cron.d/、cron.hourly/、cron.daily/、cron.weekly/、cron.monthly/ 目录（顺带看一下 cron.deny/cron.allow 有没有被改动）之外，每个用户自己的 crontab 保存在 /var/spool/cron/crontabs（Debian 系）或 /var/spool/cron（RHEL 系）下，不在 /etc 里，也要逐个账号检查。检查时既要看有没有多出来的文件，也要看已有文件的内容和修改时间是否被改过；此外 systemd timer、/etc/rc.local、/etc/init.d 也是常见的持久化位置。

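# Only the invoking user's crontab; on its own this misses persistence
# planted under other accounts.
crontab -l

# System-wide crontab plus the drop-in directories (/etc/cron.d, cron.hourly,
# cron.daily, cron.weekly, cron.monthly). There is no /etc/cron directory on
# stock Debian or RHEL, so the glob is used instead of a fixed path.
cat /etc/crontab
ls -la /etc/cron*

# Per-user crontabs live under /var/spool/cron and are not visible through
# /etc; enumerate every account from /etc/passwd (listing other users' jobs
# requires root). Output is prefixed with the account name.
while IFS=: read -r user _; do
  crontab -l -u "$user" 2>/dev/null | awk -v u="$user" '{ print u ": " $0 }'
done < /etc/passwd

# Other persistence points that deserve the same scrutiny.
systemctl list-timers --all
ls -la /etc/rc.local /etc/init.d /etc/systemd/system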