

    Emergency response tools for Linux


    On Linux, the places to check during incident response come down to a handful: first the symptoms (the machine hangs or crashes, or CPU, memory, I/O or network traffic is abnormally high), second the network connections, third the processes, fourth the logs, fifth the files (on Linux everything is a file), and then all of these taken together. So I wrote two small tools for the common incident-response checks. They currently support CentOS and RedHat; since they are written in Python they are essentially cross-platform, and most of the functionality works on other Linux distributions and even on Windows.

    Installing the tools


    # requires root
    git clone https://github.com/cisp/LinuxEmergency.git
    cd LinuxEmergency
    sh ./install.sh
    

    Using the tools


    View operating system information:


    [root@centos emergency]# python emergency.py -o
    
            内核版本 : Linux-3.10.0-514.26.2.el7.v7.4.qihoo.x86_64-x86_64-with-centos-7.2.1511-Core
            CORE数量 : 16
            CPU数量 : 16
            CPU使用率 : scputimes(user=1.0, nice=0.0, system=0.0, idle=15.0, iowait=0.0, irq=0.0, softirq=0.0, steal=0.0, guest=0.0, guest_nice=0.0)
            内存总量  : 33736994816
            内存使用率 : 5.1
    
    [root@centos emergency]#
    

    View kernel module information:


    [root@centos emergency]# python emergency.py -k
    内核模块 : nfnetlink_queue  来源  :
    内核模块 : nfnetlink_log  来源  :
    内核模块 : nfnetlink  来源  :  nfnetlink_log,nfnetlink_queue
    内核模块 : bluetooth  来源  :
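
    As an added example (this is not code from the LinuxEmergency project), the following standard-library Python collects roughly what the -o and -k options above print: the kernel/platform string, CPU count, memory total and usage, and the loaded kernel modules together with the modules that depend on them (the 来源 column above is the "used by" field of /proc/modules). The parsers take text, so they also work on /proc files copied off a machine; the two SAMPLE_ constants are constructed input, not output from a real host.

```python
# Added example, not the LinuxEmergency tool's own code: host overview for
# triage from /proc using only the standard library.
import os
import platform
from typing import Dict, List

# Constructed sample /proc contents (not captured from a real host).
SAMPLE_MEMINFO = (
    "MemTotal:       32946284 kB\n"
    "MemFree:         1000000 kB\n"
    "MemAvailable:   31000000 kB\n"
)
SAMPLE_MODULES = (
    "nfnetlink_queue 20480 0 - Live 0x0000000000000000\n"
    "nfnetlink 16384 2 nfnetlink_log,nfnetlink_queue, Live 0x0000000000000000\n"
)


def parse_meminfo(text: str) -> Dict[str, int]:
    """Parse /proc/meminfo ('MemTotal:   32946284 kB') into a dict of bytes."""
    info: Dict[str, int] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, rest = line.split(":", 1)
        parts = rest.split()
        if not parts or not parts[0].isdigit():
            continue
        value = int(parts[0])
        if len(parts) > 1 and parts[1].lower() == "kb":
            value *= 1024
        info[key.strip()] = value
    return info


def memory_usage_percent(meminfo: Dict[str, int]) -> float:
    """Used memory in percent, treating MemAvailable as free (as free(1) does)."""
    total = meminfo["MemTotal"]
    available = meminfo.get("MemAvailable", meminfo.get("MemFree", 0))
    return round(100.0 * (total - available) / total, 1)


def parse_proc_modules(text: str) -> List[dict]:
    """Parse /proc/modules: name size refcount used_by state address.

    used_by is '-' when nothing depends on the module, otherwise a
    comma-terminated list such as 'nfnetlink_log,nfnetlink_queue,'.
    """
    modules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        name, size, refcount, users = fields[:4]
        used_by = [] if users == "-" else [u for u in users.split(",") if u]
        modules.append({"name": name, "size": int(size),
                        "refcount": int(refcount), "used_by": used_by})
    return modules


def host_overview(proc: str = "/proc") -> dict:
    """Collect the live values on a Linux host (needs a mounted procfs)."""
    with open(os.path.join(proc, "meminfo")) as fh:
        meminfo = parse_meminfo(fh.read())
    with open(os.path.join(proc, "modules")) as fh:
        modules = parse_proc_modules(fh.read())
    return {
        "kernel": platform.platform(),
        "cpus": os.cpu_count(),
        "mem_total_bytes": meminfo["MemTotal"],
        "mem_used_percent": memory_usage_percent(meminfo),
        "modules": modules,
    }


if __name__ == "__main__":
    overview = host_overview()
    for key in ("kernel", "cpus", "mem_total_bytes", "mem_used_percent"):
        print(f"{key:>17} : {overview[key]}")
    for mod in overview["modules"]:
        print(f"module : {mod['name']:<24} used by : {','.join(mod['used_by'])}")
```

    Run it as root on the host, or call parse_proc_modules() and parse_meminfo() on files saved from an image. A module that is loaded but has no matching file under /lib/modules for the running kernel is worth a closer look during an incident.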
    

    View all IP addresses with successful and failed logins:


    [root@scentos emergency]# python emergency.py -l
    192.168.100.35  失败
    192.168.100.31  失败
    127.0.0.1  失败
    192.168.100.20  成功
    

    View successful and failed login logs


    # successful logins: -s
    [root@centos emergency]# python emergency.py -s | more
    账户 : emergency    时间 : 2017-08-09-11:20  来源 : (192.168.100.24)
    账户 : emergency    时间 : 2017-08-09-14:34  来源 : (192.168.100.24)
    账户 : root    时间 : 2017-09-28-12:38  来源 : (192.168.100.65)
    账户 : root    时间 : 2017-09-28-12:46  来源 : (192.168.100.65)
    账户 : root    时间 : 2017-09-28-13:13  来源 : (192.168.100.65)
    
    # failed logins: -f
    [root@centos emergency]# python emergency.py -f | more
    账户 : emergency    时间 : 192.168.100.34  来源 : Jul-6-21:27---21:27
    账户 : emergency    时间 : 192.168.100.34  来源 : Jul-6-21:25---21:25
    账户 : admin    时间 : 127.0.0.1  来源 : Jul-5-15:32---15:32
    
    # to restrict the output to one IP, add the -i option, e.g. -i 192.168.100.34
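
    An added example, not the tool's own code: the same per-IP and per-account views built from sshd lines in a syslog-format auth log (/var/log/secure on CentOS/RedHat, /var/log/auth.log on Debian). The sample lines are constructed, and the regular expression assumes the classic "Mon dd HH:MM:SS" syslog timestamp. It also adds the check an incident responder wants first: source IPs that failed repeatedly and also logged in successfully.

```python
# Added example, not the LinuxEmergency tool's own code: sshd login summary
# from syslog-format auth log lines.
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Matches sshd "Accepted ..." / "Failed ..." lines. The traditional
# "Mon dd HH:MM:SS" timestamp is assumed; rsyslog configured for RFC 3339
# timestamps would need the first group adjusted.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\S+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<ip>\S+)"
)

# Constructed sample lines (not from a real host).
SAMPLE_LOG = """\
Jul  5 15:32:10 centos sshd[2001]: Failed password for invalid user admin from 127.0.0.1 port 40001 ssh2
Jul  6 21:25:03 centos sshd[2345]: Failed password for emergency from 192.168.100.34 port 40000 ssh2
Jul  6 21:27:10 centos sshd[2346]: Failed password for emergency from 192.168.100.34 port 40002 ssh2
Jul  6 21:27:41 centos sshd[2347]: Failed password for emergency from 192.168.100.34 port 40003 ssh2
Jul  6 21:28:02 centos sshd[2348]: Accepted password for emergency from 192.168.100.34 port 40004 ssh2
Sep 28 12:38:01 centos sshd[3100]: Accepted publickey for root from 192.168.100.65 port 51234 ssh2
Sep 28 12:39:00 centos systemd[1]: Started Session 5 of user root.
"""


def parse_auth_log(lines: Iterable[str]) -> List[dict]:
    """One event per sshd login attempt; other log lines are skipped."""
    events = []
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            events.append({"time": m["ts"], "success": m["result"] == "Accepted",
                           "method": m["method"], "user": m["user"], "ip": m["ip"]})
    return events


def filter_events(events: List[dict], success: Optional[bool] = None,
                  ip: Optional[str] = None) -> List[dict]:
    """The -s / -f views, optionally narrowed to one source IP (-i)."""
    return [e for e in events
            if (success is None or e["success"] == success)
            and (ip is None or e["ip"] == ip)]


def logins_by_ip(events: List[dict]) -> Dict[str, Dict[str, int]]:
    """Per-IP success/failure counts: the -l view, with counts instead of a flag."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"success": 0, "failure": 0})
    for e in events:
        summary[e["ip"]]["success" if e["success"] else "failure"] += 1
    return dict(summary)


def brute_force_then_success(events: List[dict], threshold: int = 3) -> List[str]:
    """IPs with at least `threshold` failures that also have a successful
    login: the first thing to check when deciding whether a guessed
    password was used."""
    return sorted(ip for ip, c in logins_by_ip(events).items()
                  if c["failure"] >= threshold and c["success"] > 0)


def format_event(e: dict) -> str:
    state = "ok" if e["success"] else "FAILED"
    return f"account : {e['user']:<12} time : {e['time']}  from : {e['ip']}  [{state}]"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python sshlogins.py /var/log/secure
        with open(sys.argv[1], errors="replace") as fh:
            evs = parse_auth_log(fh)
    else:
        evs = parse_auth_log(SAMPLE_LOG.splitlines())
    for ip, c in logins_by_ip(evs).items():
        print(f"{ip:<16} success={c['success']:<3} failure={c['failure']}")
    for e in filter_events(evs, success=False):
        print(format_event(e))
    print("failures followed by a success:", brute_force_then_success(evs))
```

    Note that the syslog timestamp carries no year, so logs spanning a year boundary need the year supplied from the file's rotation date; btmp/wtmp (what lastb and last read) do not have that problem but are binary and need their own parser.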
    
    

    View the process list and process details


    # list
    [root@centos emergency]# python emergency.py -a
    ***********************************************************************************************************
    进程ID号: 2     进程名称: kthreadd     进程用户: root     启动时间: 2018-06-16 07:40:48
    CPU占比: 0.0%     内存占比: 0.0%
    网络连接:
    ***********************************************************************************************************
    ***********************************************************************************************************
    进程ID号: 3     进程名称: ksoftirqd/0     进程用户: root     启动时间: 2018-06-16 07:40:48
    CPU占比: 0.0%     内存占比: 0.0%
    网络连接:
    ***********************************************************************************************************
    ...
    
    # details
    [root@centos emergency]# python emergency.py -p 28344
    ***********************************************************************************************************
    进程ID号: 28344     进程名称: screen     进程用户: emergency     启动时间: 2018-06-22 13:25:30
    工作路径: /home/emergency/
    进程命令: SCREEN
    父母进程: 1
    亲子进程: [28345]
    CPU占比: 0.0%     内存占比: 0.0046135703802%
    网络连接:
    进程环境:
            终端会话    :  /bin/bash
            安全会话    :
            登录账户    :  emergency
            工作账户    :  emergency
            权限路径    :  /usr/lib64/ccache:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/emergency/tools:/usr/local/bin:/usr/local/sbin:/usr/local/python3/bin:/home/emergency/.local/bin:/home/emergency/bin
            用户目录    :  /home/emergency
    
    ***********************************************************************************************************
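
    An added example, not the tool's own code, that reads the same process details from /proc/<pid> with only the standard library: name, user, parent and children, working directory, executable, command line, and the environment variables shown above. As with the tool, reading another user's environ requires root. The SAMPLE_ constants are constructed /proc contents used to check the parsers; process_detail() reads a live procfs.

```python
# Added example, not the LinuxEmergency tool's own code: per-process triage
# data from /proc/<pid>.
import os
from typing import Dict, List

try:
    import pwd  # uid -> user name; Unix only
except ImportError:
    pwd = None

# Constructed sample contents of /proc/<pid>/status and /proc/<pid>/environ.
SAMPLE_STATUS = ("Name:\tscreen\nUmask:\t0022\nState:\tS (sleeping)\n"
                 "Pid:\t28344\nPPid:\t1\nUid:\t1000\t1000\t1000\t1000\n")
SAMPLE_ENVIRON = (b"SHELL=/bin/bash\0LOGNAME=emergency\0"
                  b"PATH=/usr/bin:/bin\0HOME=/home/emergency\0")


def parse_status(text: str) -> dict:
    """Pick Name, PPid and the real Uid out of /proc/<pid>/status."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            fields[k.strip()] = v.strip()
    return {"name": fields.get("Name", ""),
            "ppid": int(fields.get("PPid", "0")),
            "uid": int(fields.get("Uid", "0").split()[0])}


def parse_nul_list(data: bytes) -> List[str]:
    """cmdline and environ are NUL-separated, with a trailing NUL."""
    return [s.decode("utf-8", "replace") for s in data.split(b"\0") if s]


def parse_environ(data: bytes) -> Dict[str, str]:
    env = {}
    for item in parse_nul_list(data):
        key, _, value = item.partition("=")
        env[key] = value
    return env


def user_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name if pwd else str(uid)
    except KeyError:
        return str(uid)  # uid without a passwd entry: worth a second look


def _readlink(path: str) -> str:
    try:
        return os.readlink(path)
    except OSError:
        return ""  # kernel thread, or no permission


def children_of(pid: int, proc: str = "/proc") -> List[int]:
    kids = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "status")) as fh:
                if parse_status(fh.read())["ppid"] == pid:
                    kids.append(int(entry))
        except OSError:
            pass  # process exited while we were listing
    return sorted(kids)


def process_detail(pid: int, proc: str = "/proc") -> dict:
    base = os.path.join(proc, str(pid))
    with open(os.path.join(base, "status")) as fh:
        status = parse_status(fh.read())
    with open(os.path.join(base, "cmdline"), "rb") as fh:
        cmdline = parse_nul_list(fh.read())
    try:
        with open(os.path.join(base, "environ"), "rb") as fh:  # same uid or root
            environ = parse_environ(fh.read())
    except PermissionError:
        environ = {}
    exe = _readlink(os.path.join(base, "exe"))
    return {
        "pid": pid, "name": status["name"], "user": user_name(status["uid"]),
        "ppid": status["ppid"], "children": children_of(pid, proc),
        "cwd": _readlink(os.path.join(base, "cwd")), "exe": exe,
        # a binary unlinked after launch is a classic way to hide from disk scans
        "exe_deleted": exe.endswith(" (deleted)"),
        "cmdline": cmdline,
        "environ": {k: environ.get(k, "") for k in ("SHELL", "LOGNAME", "USER", "PATH", "HOME")},
    }


if __name__ == "__main__":
    import json
    import sys
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    print(json.dumps(process_detail(target), indent=2))
```

    The exe link is the field the -p output above does not show and the one most worth adding: a process whose executable is "(deleted)", or whose cwd and exe sit under /tmp or /dev/shm, is a common finding in a compromise.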
    

    Added basic VirusTotal lookups


    # check a sample
    [root@centos emergency]# python virustotal.py -f ./LICENSE
    ******************************************
    检测时间: 2018-07-09 07:31:04
    报毒数量: 0
    报毒引擎: []
    引擎总数: 59
    ******************************************
    
    # check a URL
    [root@centos emergency]# python virustota.py -u http://1.1.1.2/bmi/docs.autodesk.com
    ******************************************
    检测时间: 2018-07-09 16:33:29
    关联样本: 0
    关联连接: 0
    关联域名: 0
    ******************************************
    
    # check a domain
    [root@centos emergency]# python virustota.py -d baidu.com
    ******************************************
    检测时间: 2018-07-09 16:33:35
    关联样本: 202
    关联连接: 100
    关联域名: 8
    ******************************************
    
    # check an IP
    [root@centos emergency]# python virustota.py -a 114.114.114.114
    ******************************************
    检测时间: 2018-07-09 16:34:05
    关联样本: 135
    关联连接: 93
    关联域名: 592
    ******************************************
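
    An added example, not the project's own code, for the sample-check part: it hashes the file locally and summarises a VirusTotal API v3 file report into the same four fields printed above (scan time, number of detecting engines, their names, total engines). Looking up a hash does not upload the file, which matters when a sample may contain internal data. The VT_API_KEY environment variable and the constructed SAMPLE_REPORT are assumptions of this example; engines reporting "suspicious" are counted together with "malicious".

```python
# Added example, not the LinuxEmergency tool's own code: hash a sample and
# summarise a VirusTotal v3 file report.
import hashlib
import json
import os
import urllib.request
from datetime import datetime, timezone

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"

# Constructed report in the shape of a v3 file object (not a real VT response).
SAMPLE_REPORT = {
    "data": {"attributes": {
        "last_analysis_date": 1531121464,
        "last_analysis_results": {
            "EngineA": {"category": "undetected", "result": None},
            "EngineB": {"category": "malicious", "result": "Trojan.Generic"},
            "EngineC": {"category": "harmless", "result": None},
        },
    }},
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large samples do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def summarize_file_report(report: dict) -> dict:
    """Reduce last_analysis_results to the four fields the tool prints."""
    attrs = report["data"]["attributes"]
    results = attrs.get("last_analysis_results", {})
    flagged = sorted(name for name, r in results.items()
                     if r.get("category") in ("malicious", "suspicious"))
    scanned = datetime.fromtimestamp(attrs["last_analysis_date"], tz=timezone.utc)
    return {
        "scanned_at": scanned.strftime("%Y-%m-%d %H:%M:%S"),  # UTC
        "detections": len(flagged),
        "engines": flagged,
        "total": len(results),
    }


def fetch_file_report(sha256: str, api_key: str) -> dict:
    """GET /api/v3/files/{hash}; an unknown hash answers HTTP 404 (HTTPError)."""
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import sys
    digest = sha256_file(sys.argv[1]) if len(sys.argv) > 1 else sha256_bytes(b"")
    api_key = os.environ.get("VT_API_KEY")  # assumption: key supplied via env
    report = fetch_file_report(digest, api_key) if api_key else SAMPLE_REPORT
    summary = summarize_file_report(report)
    print("sha256   :", digest)
    for key in ("scanned_at", "detections", "engines", "total"):
        print(f"{key:<9}:", summary[key])
```

    Keep the hash lookup and the upload as separate, deliberate steps: a zero-detection result for an unknown hash (404) says only that nobody has submitted that file, not that it is clean.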
    

    Added a whois lookup


    [root@centos emergency]# python mywhois.py -d baidu.com
    Domain Name: baidu.com
    Registry Domain ID: 11181110_DOMAIN_COM-VRSN
    Registrar WHOIS Server: whois.markmonitor.com
    Registrar URL: http://www.markmonitor.com
    Updated Date: 2017-07-27T19:36:28-0700
    Creation Date: 1999-10-11T04:05:17-0700
    Registrar Registration Expiration Date: 2026-10-11T00:00:00-0700
    Registrar: MarkMonitor, Inc.
    Registrar IANA ID: 292
    Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
    Registrar Abuse Contact Phone: +1.2083895740
    Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
    Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
    Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
    Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
    Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
    Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
    Registrant Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
    Registrant State/Province: Beijing
    Registrant Country: CN
    Admin Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
    Admin State/Province: Beijing
    Admin Country: CN
    Tech Organization: Beijing Baidu Netcom Science Technology Co., Ltd.
    Tech State/Province: Beijing
    Tech Country: CN
    Name Server: ns4.baidu.com
    Name Server: ns3.baidu.com
    Name Server: dns.baidu.com
    Name Server: ns2.baidu.com
    Name Server: ns7.baidu.com
    DNSSEC: unsigned
    URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
    >>> Last update of WHOIS database: 2018-07-09T02:21:59-0700 <<<
    
    If certain contact information is not shown for a Registrant, Administrative,
    or Technical contact, and you wish to send a message to these contacts, please
    send your message to whoisrelay@markmonitor.com and specify the domain name in
    the subject line. We will forward that message to the underlying contact.
    
    If you have a legitimate interest in viewing the non-public WHOIS details, send
    your request and the reasons for your request to abusecomplaints@markmonitor.com
    and specify the domain name in the subject line. We will review that request and
    may ask for supporting documentation and explanation.
    
    The Data in MarkMonitor.com's WHOIS database is provided by MarkMonitor.com for
    information purposes, and to assist persons in obtaining information about or
    related to a domain name registration record.  MarkMonitor.com does not guarantee
    its accuracy.  By submitting a WHOIS query, you agree that you will use this Data
    only for lawful purposes and that, under no circumstances will you use this Data to:
     (1) allow, enable, or otherwise support the transmission of mass unsolicited,
         commercial advertising or solicitations via e-mail (spam); or
     (2) enable high volume, automated, electronic processes that apply to
         MarkMonitor.com (or its systems).
    MarkMonitor.com reserves the right to modify these terms at any time.
    By submitting this query, you agree to abide by this policy.
    
    MarkMonitor is the Global Leader in Online Brand Protection.
    
    MarkMonitor Domain Management(TM)
    MarkMonitor Brand Protection(TM)
    MarkMonitor AntiPiracy(TM)
    MarkMonitor AntiFraud(TM)
    Professional and Managed Services
    
    Visit MarkMonitor at http://www.markmonitor.com
    Contact us at +1.8007459229
    In Europe, at +44.02032062220
    
    For more information on Whois status codes, please visit
     https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en
    --
    
    

    Detecting web attacks in access logs


    Download:


    git clone https://github.com/cisp/AccessLogAnylast.git
    

    Usage (the options the program accepts):


    from optparse import OptionParser

    parser = OptionParser(usage="usage: %prog [options]")
    # option names are as in the project ("--floder" is the project's spelling)
    parser.add_option("-f", "--floder", dest="filepath", help="access log file path")
    parser.add_option("-t", "--time", dest="accesstime", help="set search time")
    parser.add_option("-d", "--date", dest="accessdate", help="set search date")
    parser.add_option("-c", "--count", action='store_true', dest="count", help="show count information")
    parser.add_option("-p", "--payload", dest="payload", help="set search payload")
    parser.add_option("-a", "--address", dest="ipaddress", help="set search ipaddress")
    parser.add_option("-v", "--version", action='store_true', dest="version", help="show document")
    parser.add_option("-i", "--detail", action='store_true', dest="detail", help="show detail")
    parser.add_option("-s", "--shell", action='store_true', dest="webshell", help="show suspicious webshell")
    parser.add_option("-g", "--ipflag", dest="ipposition", help="ip position in logfile")
    parser.add_option("-n", "--name", dest="filename", help="filename flag")
    (options, args) = parser.parse_args()
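
    An added example, not AccessLogAnylast's own code, that does the kind of work those options describe on Nginx/Apache combined-format lines: filtering by IP (-a), date (-d) and payload (-p), per-IP counts (-c), pattern-based flagging of attack requests, and a webshell heuristic (-s) that looks for script files receiving POSTs from a single client. The sample lines and the detection patterns are constructed for the example; the patterns are a starting point, not a complete rule set.

```python
# Added example, not the AccessLogAnylast project's own code: access-log
# filtering and attack detection for the combined log format.
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional
from urllib.parse import unquote

# combined format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Patterns applied to the URL-decoded request path (constructed for the
# example; a real deployment maintains a larger, tuned list).
ATTACK_PATTERNS = {
    "path traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"union\s+select|(?:'|%27)\s*(?:or|and)\s", re.I),
    "xss": re.compile(r"<script", re.I),
    "sensitive file": re.compile(r"/etc/(?:passwd|shadow)"),
    "command parameter": re.compile(r"[?&](?:cmd|exec)=", re.I),
}
SCRIPT_EXT = (".php", ".jsp", ".asp", ".aspx")

# Constructed sample log (not from a real server).
SAMPLE_LOG = """\
192.168.100.34 - - [09/Jul/2018:16:33:29 +0800] "GET /index.php?id=1%27%20union%20select%201,2,3-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.100.34 - - [09/Jul/2018:16:34:05 +0800] "GET /download.php?file=../../etc/passwd HTTP/1.1" 403 221 "-" "Mozilla/5.0"
192.168.100.20 - - [09/Jul/2018:16:35:10 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.100.34 - - [10/Jul/2018:09:12:44 +0800] "POST /uploads/x.php HTTP/1.1" 200 48 "-" "python-requests/2.18"
192.168.100.20 - - [10/Jul/2018:09:15:00 +0800] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def parse_access_log(lines: Iterable[str]) -> List[dict]:
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line
        entries.append({
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": unquote(m["path"]),  # decoded, so encoded payloads still match
            "status": int(m["status"]),
            "size": 0 if m["size"] == "-" else int(m["size"]),
            "ua": m["ua"] or "",
        })
    return entries


def filter_entries(entries: List[dict], ip: Optional[str] = None,
                   date: Optional[str] = None, payload: Optional[str] = None) -> List[dict]:
    """-a (client IP), -d (YYYY-MM-DD) and -p (substring of the decoded path)."""
    out = []
    for e in entries:
        if ip and e["ip"] != ip:
            continue
        if date and e["time"].strftime("%Y-%m-%d") != date:
            continue
        if payload and payload.lower() not in e["path"].lower():
            continue
        out.append(e)
    return out


def count_by_ip(entries: List[dict]) -> Dict[str, int]:
    """-c: requests per client, busiest first."""
    return dict(Counter(e["ip"] for e in entries).most_common())


def suspicious_entries(entries: List[dict]) -> List[dict]:
    """Entries whose decoded path matches an attack pattern, with the reasons."""
    flagged = []
    for e in entries:
        reasons = [name for name, rx in ATTACK_PATTERNS.items() if rx.search(e["path"])]
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


def webshell_candidates(entries: List[dict]) -> List[str]:
    """-s heuristic: a script that only one client ever talks to, by POST,
    is the typical footprint of an uploaded webshell and its operator."""
    clients = defaultdict(set)
    posted = set()
    for e in entries:
        script = e["path"].split("?", 1)[0]
        if not script.lower().endswith(SCRIPT_EXT):
            continue
        clients[script].add(e["ip"])
        if e["method"] == "POST":
            posted.add(script)
    return sorted(s for s in posted if len(clients[s]) == 1)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python weblog.py /var/log/nginx/access.log
        with open(sys.argv[1], errors="replace") as fh:
            ents = parse_access_log(fh)
    else:
        ents = parse_access_log(SAMPLE_LOG.splitlines())
    for client, n in count_by_ip(ents).items():
        print(f"{client:<16} {n}")
    for f in suspicious_entries(ents):
        print(f"{f['ip']} {f['time']:%Y-%m-%d %H:%M:%S} {f['method']} {f['path']}  <- {', '.join(f['reasons'])}")
    print("webshell candidates:", webshell_candidates(ents))
```

    Two caveats when running this on real logs: the path is matched after URL decoding, so double-encoded payloads need a second unquote(), and a status of 403 or 404 on a flagged request shows the attempt, not its success, so the 200 responses deserve attention first.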
    
    Original URL: https://www.cnblogs.com/KevinGeorge/p/9285883.html