确认系统登入的用户
w
注意: w 命令从 utmp/wtmp 日志中获取信息; 如果黑客修改了这些日志, 所获得的信息就不准确.
也可以只输出单个用户的登录信息, 例如: w kikihu
[root@test2 ~]# w
00:54:35 up 3 min, 2 users, load average: 0.27, 0.44, 0.19
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - 00:52 1:49 0.02s 0.02s -bash
root pts/0 192.168.5.119 00:53 0.00s 0.03s 0.00s w
记录文件修改,访问时间以及inode更改时间
ls -alRu / >/floppy/atime   # 访问时间 (atime)
ls -alRc / >/floppy/ctime   # inode 更改时间 (ctime)
ls -alR / >/floppy/mtime    # 修改时间 (mtime)
确定打开端口相关的应用程序
netstat -nap
例子: netstat -na | grep 22
[root@test2 ~]# netstat -nap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN 1824/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1805/portmap
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 1932/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2026/sendmail: acce
tcp 0 0 :::22 :::* LISTEN 1994/sshd
tcp 0 0 ::ffff:192.168.5.113:22 ::ffff:192.168.5.119:2974 ESTABLISHED 2590/0
udp 0 0 0.0.0.0:32768 0.0.0.0:* 1824/rpc.statd
udp 0 0 0.0.0.0:69 0.0.0.0:* 2007/xinetd
udp 0 0 0.0.0.0:728 0.0.0.0:* 1824/rpc.statd
udp 0 0 0.0.0.0:111 0.0.0.0:* 1805/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 1932/cupsd
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 4510 1923/acpid /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 4895 2072/htt_server /var/run/iiim/.iiimp-unix/9010
unix 2 [ ACC ] STREAM LISTENING 4983 2131/dbus-daemon-1 /var/run/dbus/system_bus_socket
unix 12 [ ] DGRAM 4219 1784/syslogd /dev/log
unix 2 [ ACC ] STREAM LISTENING 4927 2105/xfs /tmp/.font-unix/fs7100
unix 2 [ ACC ] STREAM LISTENING 6120 2590/0 /tmp/ssh-PjlpoL2590/agent.2590
unix 2 [ ] DGRAM 5034 2151/hald @/var/run/hal/hotplug_socket
unix 2 [ ] DGRAM 2482 974/udevd @udevd
unix 2 [ ACC ] STREAM LISTENING 4804 2044/gpm /dev/gpmctl
unix 3 [ ] STREAM CONNECTED 5033 2131/dbus-daemon-1 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 5032 2151/hald
unix 2 [ ] DGRAM 5008 2142/rhnsd
unix 3 [ ] STREAM CONNECTED 4990 2131/dbus-daemon-1
unix 3 [ ] STREAM CONNECTED 4989 2131/dbus-daemon-1
unix 2 [ ] DGRAM 4942 2114/anacron
列出当前和最近的连接
[root@test2 ~]# netstat -na
[root@test2 home]# netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 128 ::ffff:192.168.5.113:22 ::ffff:192.168.5.119:2974 ESTABLISHED
udp 0 0 0.0.0.0:32768 0.0.0.0:*
udp 0 0 0.0.0.0:69 0.0.0.0:*
udp 0 0 0.0.0.0:728 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 4510 /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 4895 /var/run/iiim/.iiimp-unix/9010
unix 2 [ ACC ] STREAM LISTENING 4983 /var/run/dbus/system_bus_socket
unix 11 [ ] DGRAM 4219 /dev/log
unix 2 [ ACC ] STREAM LISTENING 4927 /tmp/.font-unix/fs7100
unix 2 [ ACC ] STREAM LISTENING 6120 /tmp/ssh-PjlpoL2590/agent.2590
unix 2 [ ] DGRAM 5034 @/var/run/hal/hotplug_socket
unix 2 [ ] DGRAM 2482 @udevd
unix 2 [ ACC ] STREAM LISTENING 4804 /dev/gpmctl
unix 3 [ ] STREAM CONNECTED 5033 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 5032
unix 2 [ ] DGRAM 5008
记录系统时间
date
记录所进行的操作
可用 script、history、vi 等工具记录所进行的操作
script /scripts.txt
[root@test2 home]# script /home/script.txt
Script started, file is /home/script.txt
记录加密校验和
md5sum * > md5sums.txt   # 与上面记录时间戳一样, 校验和文件应保存到外部介质, 而不是保存在被检查的目录中
进行深入的现场响应:
使用 dd、cat、netcat 配合 des 或 cryptcat 等命令来获取日志文件、配置文件以及其他相关文件.
最高级的 rootkit 是可装载内核模块 (LKM); LKM 是系统启动后可动态链接到内核中的程序.
lsof 程序可显示当前打开的所有常规文件、目录、库、unix 流和网络文件, 以及打开它们的相应进程. 注意下面 rpm 输出中的 NOKEY 警告: 该包的签名未能用本地密钥环验证, 取证工具应来自可信来源.
[root@test2 home]# rpm -ivh lsof-4.72-2.2.src.rpm
warning: lsof-4.72-2.2.src.rpm: V3 DSA signature: NOKEY, key ID 4f2a6fd2
1:lsof ########################################### [100%]
[root@test2 home]# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
portmap 1805 rpc 3u IPv4 4256 UDP *:sunrpc
portmap 1805 rpc 4u IPv4 4260 TCP *:sunrpc (LISTEN)
rpc.statd 1824 rpcuser 4u IPv4 4294 UDP *:32768
rpc.statd 1824 rpcuser 5u IPv4 4283 UDP *:728
rpc.statd 1824 rpcuser 6u IPv4 4298 TCP *:32768 (LISTEN)
cupsd 1932 root 0u IPv4 4602 TCP *:ipp (LISTEN)
cupsd 1932 root 2u IPv4 4603 UDP *:ipp
sshd 1994 root 3u IPv6 4675 TCP *:ssh (LISTEN)
xinetd 2007 root 5u IPv4 4755 UDP *:tftp
sendmail 2026 root 4u IPv4 4777 TCP test2.tiancity.com:smtp (LISTEN)
sshd 2590 root 3u IPv6 6092 TCP 192.168.5.113:ssh->192.168.5.119:2974 (ESTABLISHED)
确定正在运行的进程
ps -aux  (FreeBSD/Linux; 注意下面输出中 procps 对带 '-' 的 BSD 风格选项给出了警告, 写作 ps aux 即可避免)
ps -eaf  (Solaris)
关注 START 字段, 查出攻击发生的时间.
[root@test2 home]# ps -aux
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 2692 560 ? S 00:51 0:00 init [3]
root 2 0.0 0.0 0 0 ? SN 00:51 0:00 [ksoftirqd/0]
root 3 0.0 0.0 0 0 ? S< 00:51 0:00 [events/0]
root 4 0.0 0.0 0 0 ? S< 00:51 0:00 [khelper]
root 5 0.0 0.0 0 0 ? S< 00:51 0:00 [kacpid]
root 18 0.0 0.0 0 0 ? S< 00:51 0:00 [kblockd/0]
root 28 0.0 0.0 0 0 ? S 00:51 0:00 [pdflush]
root 29 0.0 0.0 0 0 ? S 00:51 0:00 [pdflush]
root 31 0.0 0.0 0 0 ? S< 00:51 0:00 [aio/0]
root 19 0.0 0.0 0 0 ? S 00:51 0:00 [khubd]
root 30 0.0 0.0 0 0 ? S 00:51 0:00 [kswapd0]
root 105 0.0 0.0 0 0 ? S 00:51 0:00 [kseriod]
root 176 0.0 0.0 0 0 ? S 00:51 0:00 [scsi_eh_0]