Linux下的应急工具

  • A+
所属分类:安全工具

   在Linux下,应急的查看点无非那个几个,一是看表现(宕机、高CPU、高内存、高IO、高网络通信),二看连接、三看进程、四看日志、五看文件(Linux一切皆文件),再者结合起来看。所以针对常见的应急操作自己写了两个小工具。目前支持CentOS和RedHat,其实由于基于Python,基本是跨平台,绝大部分功能支持其他发行版本的Linux甚至Windows。


工具的安装



#要求root权限git clone https://github.com/cisp/LinuxEmergency.gitcd LinuxEmergencysh ./install.sh


工具的使用


查看操作系统信息:

[[email protected] emergency]# python emergency.py -o
内核版本 : Linux-3.10.0-514.26.2.el7.v7.4.qihoo.x86_64-x86_64-with-centos-7.2.1511-Core CORE数量 : 16 CPU数量 : 16 CPU使用率 : scputimes(user=1.0, nice=0.0, system=0.0, idle=15.0, iowait=0.0, irq=0.0, softirq=0.0, steal=0.0, guest=0.0, guest_nice=0.0) 内存总量 : 33736994816 内存使用率 : 5.1
[[email protected] emergency]#


查看内核模块信息:

[[email protected] emergency]# python emergency.py -k内核模块 : nfnetlink_queue  来源  :内核模块 : nfnetlink_log  来源  :内核模块 : nfnetlink  来源  :  nfnetlink_log,nfnetlink_queue内核模块 : bluetooth  来源  :


查看所有登录成功失败的IP地址:

[[email protected] emergency]# python emergency.py -l192.168.100.35  失败192.168.100.31  失败127.0.0.1  失败192.168.100.20  成功


查看登录成功和失败日志

#  成功的 -s[[email protected] emergency]# python emergency.py -s | more账户 : emergency    时间 : 2017-08-09-11:20  来源 : (192.168.100.24)账户 : emergency    时间 : 2017-08-09-14:34  来源 : (192.168.100.24)账户 : root    时间 : 2017-09-28-12:38  来源 : (192.168.100.65)账户 : root    时间 : 2017-09-28-12:46  来源 : (192.168.100.65)账户 : root    时间 : 2017-09-28-13:13  来源 : (192.168.100.65)
# 失败的 -f[[email protected] emergency]# python emergency.py -f | more账户 : emergency 时间 : 192.168.100.34 来源 : Jul-6-21:27---21:27账户 : emergency 时间 : 192.168.100.34 来源 : Jul-6-21:25---21:25账户 : admin 时间 : 127.0.0.1 来源 : Jul-5-15:32---15:32
# 如果需要指定IP 加-i参数 ,例如 -i 192.168.100.34;


查看进程列表和详细信息

#  列表信息[[email protected] emergency]# python emergency.py -a***********************************************************************************************************进程ID号: 2     进程名称: kthreadd     进程用户: root     启动时间: 2018-06-16 07:40:48CPU占比: 0.0%     内存占比: 0.0%网络连接:**********************************************************************************************************************************************************************************************************************进程ID号: 3     进程名称: ksoftirqd/0     进程用户: root     启动时间: 2018-06-16 07:40:48CPU占比: 0.0%     内存占比: 0.0%网络连接:***********************************************************************************************************...
## 详细信息[[email protected] emergency]# python emergency.py -p 28344***********************************************************************************************************进程ID号: 28344 进程名称: screen 进程用户: emergency 启动时间: 2018-06-22 13:25:30工作路径: /home/emergency/进程命令: SCREEN父母进程: 1亲子进程: [28345]CPU占比: 0.0% 内存占比: 0.0046135703802%网络连接:进程环境: 终端会话 : /bin/bash 安全会话 : 登录账户 : emergency 工作账户 : emergency 权限路径 : /usr/lib64/ccache:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/emergency/tools:/usr/local/bin:/usr/local/sbin:/usr/local/python3/bin:/home/emergency/.local/bin:/home/emergency/bin 用户目录 : /home/emergency
***********************************************************************************************************


添加virustotal基本查询功能

# 检查样本[[email protected] emergency]# python virustotal.py -f ./LICENSE******************************************检测时间: 2018-07-09 07:31:04报毒数量: 0报毒引擎: []引擎总数: 59******************************************
# 检查URL[[email protected] emergency]# python virustota.py -u http://1.1.1.2/bmi/docs.autodesk.com******************************************检测时间: 2018-07-09 16:33:29关联样本: 0关联连接: 0关联域名: 0******************************************
# 检查域名[[email protected] emergency]# python virustota.py -d baidu.com******************************************检测时间: 2018-07-09 16:33:35关联样本: 202关联连接: 100关联域名: 8******************************************
# 检查IP[[email protected] emergency]# python virustota.py -a 114.114.114.114******************************************检测时间: 2018-07-09 16:34:05关联样本: 135关联连接: 93关联域名: 592******************************************


增加查看whois信息的功能

[[email protected] emergency]# python mywhois.py -d baidu.comDomain Name: baidu.comRegistry Domain ID: 11181110_DOMAIN_COM-VRSNRegistrar WHOIS Server: whois.markmonitor.comRegistrar URL: http://www.markmonitor.comUpdated Date: 2017-07-27T19:36:28-0700Creation Date: 1999-10-11T04:05:17-0700Registrar Registration Expiration Date: 2026-10-11T00:00:00-0700Registrar: MarkMonitor, Inc.Registrar IANA ID: 292Registrar Abuse Contact Email: [email protected]Registrar Abuse Contact Phone: +1.2083895740Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)Registrant Organization: Beijing Baidu Netcom Science Technology Co., Ltd.Registrant State/Province: BeijingRegistrant Country: CNAdmin Organization: Beijing Baidu Netcom Science Technology Co., Ltd.Admin State/Province: BeijingAdmin Country: CNTech Organization: Beijing Baidu Netcom Science Technology Co., Ltd.Tech State/Province: BeijingTech Country: CNName Server: ns4.baidu.comName Server: ns3.baidu.comName Server: dns.baidu.comName Server: ns2.baidu.comName Server: ns7.baidu.comDNSSEC: unsignedURL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/>>> Last update of WHOIS database: 2018-07-09T02:21:59-0700 <<<
If certain contact information is not shown for a Registrant, Administrative,or Technical contact, and you wish to send a message to these contacts, pleasesend your message to [email protected] and specify the domain name inthe subject line. We will forward that message to the underlying contact.
If you have a legitimate interest in viewing the non-public WHOIS details, sendyour request and the reasons for your request to [email protected]and specify the domain name in the subject line. We will review that request andmay ask for supporting documentation and explanation.
The Data in MarkMonitor.com's WHOIS database is provided by MarkMonitor.com forinformation purposes, and to assist persons in obtaining information about orrelated to a domain name registration record. MarkMonitor.com does not guaranteeits accuracy. By submitting a WHOIS query, you agree that you will use this Dataonly for lawful purposes and that, under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail (spam); or (2) enable high volume, automated, electronic processes that apply to MarkMonitor.com (or its systems).MarkMonitor.com reserves the right to modify these terms at any time.By submitting this query, you agree to abide by this policy.
MarkMonitor is the Global Leader in Online Brand Protection.
MarkMonitor Domain Management(TM)MarkMonitor Brand Protection(TM)MarkMonitor AntiPiracy(TM)MarkMonitor AntiFraud(TM)Professional and Managed Services
Visit MarkMonitor at http://www.markmonitor.comContact us at +1.8007459229In Europe, at +44.02032062220
For more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en--


关于web攻击日志的检测


程序下载:

git clone https://github.com/cisp/AccessLogAnylast.git

关于使用:

    parser.add_option("-f", "--floder",dest="filepath",help="access log file path")    parser.add_option("-t", "--time",dest="accesstime",help="set search time")    parser.add_option("-d", "--date",dest="accessdate",help="set search date")    parser.add_option("-c", "--count",action='store_true',dest="count",help="show count information")    parser.add_option("-p", "--payload",dest="payload",help="set search payload")    parser.add_option("-a","--address",dest="ipaddress",help="set search ipaddress")    parser.add_option("-v", "--version",action='store_true',dest="version",help="show document")    parser.add_option("-i","--detail",action='store_true',dest="detail",help="show detail")    parser.add_option("-s","--shell",action='store_true',dest="webshell",help="show suspicious webshell")    parser.add_option("-g","--ipflag",dest="ipposition",help="ip position in logfile")    parser.add_option("-n","--name",dest="filename",help="filename flag")
原文链接:https://www.cnblogs.com/KevinGeorge/p/9285883.html


发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: