Suppose an intruder has deleted /var/log/secure. On Linux, unlinking a file only removes its directory entry; as long as some process still holds the file open, the inode and its contents stay on disk and can be read back through that process's descriptor under /proc. Here rsyslogd is the process that normally keeps /var/log/secure open, so one way to attempt recovery is as follows:
a. Check for /var/log/secure: the file is gone
[root@hlmcen69n3 ~]# ll /var/log/secure
ls: cannot access /var/log/secure: No such file or directory
b. Use lsof to check whether any process currently has /var/log/secure open (lsof +L1, which lists only open files whose link count has dropped to zero, is a quicker way to find every unlinked-but-open file on the host)
[root@hlmcen69n3 ~]# lsof | grep /var/log/secure
rsyslogd  1264  root  4w  REG  8,1  3173904  263917  /var/log/secure (deleted)
c. The output shows that PID 1264 (rsyslogd) has the file open on file descriptor 4 (the "4w" column: descriptor 4, opened for writing), and lsof marks /var/log/secure as "(deleted)". Because the open descriptor still references the inode, its 3173904 bytes are still on disk and can be read through /proc/1264/fd/4 (each numerically named entry under /proc/<pid>/fd is a link to one of that process's open descriptors). The data survives only as long as rsyslogd keeps that descriptor open: copy the contents out first, and only then restart or reload rsyslog, because the restart closes the descriptor and the kernel frees the inode. Check what the descriptor holds:
[root@hlmcen69n3 ~]# tail /proc/1264/fd/4
Sep 20 16:47:21 hlmcen69n3 sshd[38511]: pam_unix(sshd:session): session closed for user stone
Sep 20 16:47:21 hlmcen69n3 su: pam_unix(su-l:session): session closed for user root
Sep 20 16:49:30 hlmcen69n3 sshd[38605]: pam_unix(sshd:session): session closed for user test01
Sep 20 16:50:04 hlmcen69n3 sshd[38652]: reverse mapping checking getaddrinfo for 190.78.120.106.static.bjtelecom.net [106.120.78.190] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 20 16:50:04 hlmcen69n3 sshd[38652]: Accepted password for test01 from 106.120.78.190 port 28956 ssh2
Sep 20 16:50:05 hlmcen69n3 sshd[38652]: pam_unix(sshd:session): session opened for user test01 by (uid=0)
Sep 20 17:18:51 hlmcen69n3 unix_chkpwd[38793]: password check failed for user (root)
Sep 20 17:18:51 hlmcen69n3 sshd[38789]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=51.15.81.90 user=root
Sep 20 17:18:52 hlmcen69n3 sshd[38789]: Failed password for root from 51.15.81.90 port 47014 ssh2
Sep 20 17:18:52 hlmcen69n3 sshd[38790]: Connection closed by 51.15.81.90
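The steps above done end to end, as an added example that is not code from the original article: instead of grepping lsof, the script walks /proc/*/fd itself, looks for a descriptor whose link target is "<path> (deleted)" (the same fact lsof shows as "(deleted)"), and copies the still-open inode back to the original path. The function names find_deleted_fd, recover_deleted_file and demo are our own, and the log line in demo is constructed for the demonstration; the demo opens a temporary file from a background sleep, unlinks it, and recovers it, which is the same situation as rsyslogd holding the unlinked /var/log/secure.

```bash
#!/bin/bash
# Added example (not from the original article): recover a file that was
# unlinked while a process still holds it open, via /proc/<pid>/fd.
# find_deleted_fd / recover_deleted_file / demo are names chosen here.

# Print "<pid> <fd>" for every open descriptor whose link target is
# "<path> (deleted)"; this is what lsof reports as "(deleted)".
find_deleted_fd() {
    local path=$1 link target pid
    for link in /proc/[0-9]*/fd/*; do
        # readlink fails for other users' processes (no ptrace access) or
        # for descriptors closed in the meantime; skip those silently.
        target=$(readlink "$link" 2>/dev/null) || continue
        if [ "$target" = "$path (deleted)" ]; then
            pid=${link#/proc/}; pid=${pid%%/*}   # /proc/1264/fd/4 -> 1264
            echo "$pid ${link##*/}"              # -> "1264 4"
        fi
    done
}

# Copy the still-referenced inode back to $dest (default: the original
# path). This only works while the holding process is alive: once it
# closes the descriptor the kernel frees the inode and the data is gone.
recover_deleted_file() {
    local path=$1 dest=${2:-$1} entry pid fd
    entry=$(find_deleted_fd "$path" | head -n 1)
    if [ -z "$entry" ]; then
        echo "no running process holds $path open; nothing to recover" >&2
        return 1
    fi
    pid=${entry%% *}
    fd=${entry##* }
    # The /proc "magic" link resolves to the open file even though the
    # directory entry no longer exists, so reading it yields the contents.
    cat "/proc/$pid/fd/$fd" > "$dest" || return 1
    echo "recovered $path from /proc/$pid/fd/$fd ($(wc -c < "$dest") bytes)"
}

# Stand-alone demonstration with a constructed log line (not a real log):
# a background sleep holds the file open on fd 3, we unlink it, then pull
# it back through the sleep process's descriptor.
demo() {
    local tmp holder
    tmp=$(mktemp)
    printf '%s\n' 'Sep 20 17:18:52 hlmcen69n3 sshd[38789]: Failed password for root from 51.15.81.90 port 47014 ssh2' > "$tmp"
    sleep 60 3<"$tmp" &      # sleep inherits fd 3 -> keeps the inode alive
    holder=$!
    sleep 1                  # let the child open the file before we unlink it
    rm -f "$tmp"
    ls -l "$tmp" 2>&1        # "No such file or directory", as in step a
    find_deleted_fd "$tmp"   # "<pid of sleep> 3", as lsof showed "1264 4"
    recover_deleted_file "$tmp"
    tail "$tmp"              # the constructed line is back
    kill "$holder" 2>/dev/null
    rm -f "$tmp"
}

demo
```

On the real host, recover_deleted_file /var/log/secure must run before rsyslog is touched; afterwards, restore ownership and mode on the new file (root:root, 0600 on a typical CentOS install) and restart rsyslog (service rsyslog restart on a CentOS 6 host like the one shown, systemctl restart rsyslog on systemd systems) so that rsyslogd reopens the real path rather than continuing to write into the orphaned inode. Since the copy is evidence of the intrusion, also write a second copy to storage the attacker cannot reach and record its hash before doing anything else on the box.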