Linux下的应急工具

admin 2020年8月19日14:25:00评论186 views字数 7703阅读25分40秒阅读模式

   在Linux下,应急的查看点无非那个几个,一是看表现(宕机、高CPU、高内存、高IO、高网络通信),二看连接、三看进程、四看日志、五看文件(Linux一切皆文件),再者结合起来看。所以针对常见的应急操作自己写了两个小工具。目前支持CentOS和RedHat,其实由于基于Python,基本是跨平台,绝大部分功能支持其他发行版本的Linux甚至Windows。


工具的安装


#要求root权限git clone https://github.com/cisp/LinuxEmergency.gitcd LinuxEmergencysh ./install.sh


工具的使用


查看操作系统信息:

[root@centos emergency]# python emergency.py -o
内核版本 : Linux-3.10.0-514.26.2.el7.v7.4.qihoo.x86_64-x86_64-with-centos-7.2.1511-Core CORE数量 : 16 CPU数量 : 16 CPU使用率 : scputimes(user=1.0, nice=0.0, system=0.0, idle=15.0, iowait=0.0, irq=0.0, softirq=0.0, steal=0.0, guest=0.0, guest_nice=0.0) 内存总量 : 33736994816 内存使用率 : 5.1
[root@centos emergency]#


查看内核模块信息:

[root@centos emergency]# python emergency.py -k内核模块 : nfnetlink_queue  来源  :内核模块 : nfnetlink_log  来源  :内核模块 : nfnetlink  来源  :  nfnetlink_log,nfnetlink_queue内核模块 : bluetooth  来源  :


查看所有登录成功失败的IP地址:

[root@scentos emergency]# python emergency.py -l192.168.100.35  失败192.168.100.31  失败127.0.0.1  失败192.168.100.20  成功


查看登录成功和失败日志

#  成功的 -s[root@centos emergency]# python emergency.py -s | more账户 : emergency    时间 : 2017-08-09-11:20  来源 : (192.168.100.24)账户 : emergency    时间 : 2017-08-09-14:34  来源 : (192.168.100.24)账户 : root    时间 : 2017-09-28-12:38  来源 : (192.168.100.65)账户 : root    时间 : 2017-09-28-12:46  来源 : (192.168.100.65)账户 : root    时间 : 2017-09-28-13:13  来源 : (192.168.100.65)
# 失败的 -f[root@centos emergency]# python emergency.py -f | more账户 : emergency 时间 : 192.168.100.34 来源 : Jul-6-21:27---21:27账户 : emergency 时间 : 192.168.100.34 来源 : Jul-6-21:25---21:25账户 : admin 时间 : 127.0.0.1 来源 : Jul-5-15:32---15:32
# 如果需要指定IP 加-i参数 ,例如 -i 192.168.100.34;


查看进程列表和详细信息

#  列表信息[root@centos emergency]# python emergency.py -a***********************************************************************************************************进程ID号: 2     进程名称: kthreadd     进程用户: root     启动时间: 2018-06-16 07:40:48CPU占比: 0.0%     内存占比: 0.0%网络连接:**********************************************************************************************************************************************************************************************************************进程ID号: 3     进程名称: ksoftirqd/0     进程用户: root     启动时间: 2018-06-16 07:40:48CPU占比: 0.0%     内存占比: 0.0%网络连接:***********************************************************************************************************...
## 详细信息[root@centos emergency]# python emergency.py -p 28344***********************************************************************************************************进程ID号: 28344 进程名称: screen 进程用户: emergency 启动时间: 2018-06-22 13:25:30工作路径: /home/emergency/进程命令: SCREEN父母进程: 1亲子进程: [28345]CPU占比: 0.0% 内存占比: 0.0046135703802%网络连接:进程环境: 终端会话 : /bin/bash 安全会话 : 登录账户 : emergency 工作账户 : emergency 权限路径 : /usr/lib64/ccache:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/emergency/tools:/usr/local/bin:/usr/local/sbin:/usr/local/python3/bin:/home/emergency/.local/bin:/home/emergency/bin 用户目录 : /home/emergency
***********************************************************************************************************


添加virustotal基本查询功能

# 检查样本[root@centos emergency]# python virustotal.py -f ./LICENSE******************************************检测时间: 2018-07-09 07:31:04报毒数量: 0报毒引擎: []引擎总数: 59******************************************
# 检查URL[root@centos emergency]# python virustota.py -u http://1.1.1.2/bmi/docs.autodesk.com******************************************检测时间: 2018-07-09 16:33:29关联样本: 0关联连接: 0关联域名: 0******************************************
# 检查域名[root@centos emergency]# python virustota.py -d baidu.com******************************************检测时间: 2018-07-09 16:33:35关联样本: 202关联连接: 100关联域名: 8******************************************
# 检查IP[root@centos emergency]# python virustota.py -a 114.114.114.114******************************************检测时间: 2018-07-09 16:34:05关联样本: 135关联连接: 93关联域名: 592******************************************


增加查看whois信息的功能

[root@centos emergency]# python mywhois.py -d baidu.comDomain Name: baidu.comRegistry Domain ID: 11181110_DOMAIN_COM-VRSNRegistrar WHOIS Server: whois.markmonitor.comRegistrar URL: http://www.markmonitor.comUpdated Date: 2017-07-27T19:36:28-0700Creation Date: 1999-10-11T04:05:17-0700Registrar Registration Expiration Date: 2026-10-11T00:00:00-0700Registrar: MarkMonitor, Inc.Registrar IANA ID: 292Registrar Abuse Contact Email: [email protected]Registrar Abuse Contact Phone: +1.2083895740Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)Registrant Organization: Beijing Baidu Netcom Science Technology Co., Ltd.Registrant State/Province: BeijingRegistrant Country: CNAdmin Organization: Beijing Baidu Netcom Science Technology Co., Ltd.Admin State/Province: BeijingAdmin Country: CNTech Organization: Beijing Baidu Netcom Science Technology Co., Ltd.Tech State/Province: BeijingTech Country: CNName Server: ns4.baidu.comName Server: ns3.baidu.comName Server: dns.baidu.comName Server: ns2.baidu.comName Server: ns7.baidu.comDNSSEC: unsignedURL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/>>> Last update of WHOIS database: 2018-07-09T02:21:59-0700 <<<
If certain contact information is not shown for a Registrant, Administrative,or Technical contact, and you wish to send a message to these contacts, pleasesend your message to [email protected] and specify the domain name inthe subject line. We will forward that message to the underlying contact.
If you have a legitimate interest in viewing the non-public WHOIS details, sendyour request and the reasons for your request to [email protected]and specify the domain name in the subject line. We will review that request andmay ask for supporting documentation and explanation.
The Data in MarkMonitor.com's WHOIS database is provided by MarkMonitor.com forinformation purposes, and to assist persons in obtaining information about orrelated to a domain name registration record. MarkMonitor.com does not guaranteeits accuracy. By submitting a WHOIS query, you agree that you will use this Dataonly for lawful purposes and that, under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail (spam); or (2) enable high volume, automated, electronic processes that apply to MarkMonitor.com (or its systems).MarkMonitor.com reserves the right to modify these terms at any time.By submitting this query, you agree to abide by this policy.
MarkMonitor is the Global Leader in Online Brand Protection.
MarkMonitor Domain Management(TM)MarkMonitor Brand Protection(TM)MarkMonitor AntiPiracy(TM)MarkMonitor AntiFraud(TM)Professional and Managed Services
Visit MarkMonitor at http://www.markmonitor.comContact us at +1.8007459229In Europe, at +44.02032062220
For more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en--


关于web攻击日志的检测


程序下载:

git clone https://github.com/cisp/AccessLogAnylast.git

关于使用:

    parser.add_option("-f", "--floder",dest="filepath",help="access log file path")    parser.add_option("-t", "--time",dest="accesstime",help="set search time")    parser.add_option("-d", "--date",dest="accessdate",help="set search date")    parser.add_option("-c", "--count",action='store_true',dest="count",help="show count information")    parser.add_option("-p", "--payload",dest="payload",help="set search payload")    parser.add_option("-a","--address",dest="ipaddress",help="set search ipaddress")    parser.add_option("-v", "--version",action='store_true',dest="version",help="show document")    parser.add_option("-i","--detail",action='store_true',dest="detail",help="show detail")    parser.add_option("-s","--shell",action='store_true',dest="webshell",help="show suspicious webshell")    parser.add_option("-g","--ipflag",dest="ipposition",help="ip position in logfile")    parser.add_option("-n","--name",dest="filename",help="filename flag")
原文链接:https://www.cnblogs.com/KevinGeorge/p/9285883.html


  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2020年8月19日14:25:00
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   Linux下的应急工具http://cn-sec.com/archives/95216.html

发表评论

匿名网友 填写信息