返回
首页
业界
电商
创业
访谈
手机
移动
报告
运营
建站
互联网+
系统
教程
搜索

Linux服务器被黑以后的详细处理步骤

2019-01-16 22:37:05王旭

6.查看机器创建以来登陆过的用户,对应日志文件“/var/log/wtmp”,相关命令示例:

[<a href="/cdn-cgi/l/email-protection" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" data-cfemail="ec9e838398ac8480818f8982dad582df">[email protected]</a> ~]# last test01 pts/1 X.X.X.X Wed Sep 20 16:50 still logged in test01 pts/2 X.X.X.X Wed Sep 20 16:47 - 16:49 (00:02) stone pts/1 X.X.X.X Wed Sep 20 16:46 - 16:47 (00:01) stone pts/0 X.X.X.X Wed Sep 20 16:17 still logged in

7.查看机器所有用户的连接时间(小时),对应日志文件“/var/log/wtmp”,相关命令示例:

[<a href="/cdn-cgi/l/email-protection" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" data-cfemail="03716c6c77436b6f6e60666d353a6d30">[email protected]</a> ~]# ac -dp stone 11.98 Sep 15 total 11.98 stone 67.06 Sep 18 total 67.06 stone 1.27 test01 0.24 Today total 1.50

8.如果发现机器产生了异常流量,可以使用命令“tcpdump”抓取网络包查看流量情况或者使用工具”iperf”查看流量情况

9.可以查看/var/log/secure日志文件,尝试发现入侵者的信息,相关命令示例:

相关文章 大家在看
[<a href="/cdn-cgi/l/email-protection" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" rel="external nofollow" data-cfemail="82f0ededf6c2eaeeefe1e7ecb4bbecb1">[email protected]</a> ~]# cat /var/log/secure | grep -i "accepted password" Sep 20 12:47:20 hlmcen69n3 sshd[37193]: Accepted password for stone from X.X.X.X port 15898 ssh2 Sep 20 16:17:47 hlmcen69n3 sshd[38206]: Accepted password for stone from X.X.X.X port 9140 ssh2 Sep 20 16:46:00 hlmcen69n3 sshd[38511]: Accepted password for stone from X.X.X.X port 2540 ssh2 Sep 20 16:47:16 hlmcen69n3 sshd[38605]: Accepted password for test01 from X.X.X.X port 10790 ssh2 Sep 20 16:50:04 hlmcen69n3 sshd[38652]: Accepted password for test01 from X.X.X.X port 28956 ssh2