第一章 应急响应-Linux日志分析
基础信息搜集
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
| hgbe02@pwn:~/temp$ ssh root@69.230.247.36
The authenticity of host '69.230.247.36 (69.230.247.36)' can't be established.
ED25519 key fingerprint is SHA256:YaKYCubzBNoPqUFqbT3FPvAWs34syoDa/ex4NYogZqw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '69.230.247.36' (ED25519) to the list of known hosts.
root@69.230.247.36's password:
Linux ip-10-0-10-1 4.19.0-25-cloud-amd64 #1 SMP Debian 4.19.289-1 (2023-07-24) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 1 07:50:37 2023 from 192.168.200.2
root@ip-10-0-10-1:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
root@ip-10-0-10-1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
link/ether 02:58:04:2c:a8:90 brd ff:ff:ff:ff:ff:ff
inet 10.0.10.1/16 brd 10.0.255.255 scope global dynamic eth0
valid_lft 3541sec preferred_lft 3541sec
inet6 fe80::58:4ff:fe2c:a890/64 scope link
valid_lft forever preferred_lft forever
|
有多少IP在爆破主机ssh的root帐号
有多少IP在爆破主机ssh的root帐号,如果有多个使用”,”分割
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
| root@ip-10-0-10-1:~# cd /var/log
root@ip-10-0-10-1:/var/log# ls -la
total 2476
drwxr-xr-x 6 root root 4096 Jun 14 11:55 .
drwxr-xr-x 11 root root 4096 Nov 18 2022 ..
-rw-r--r-- 1 root root 0 Jun 14 11:55 alternatives.log
-rw-r--r-- 1 root root 31451 Aug 1 2023 alternatives.log.1
drwx------ 3 root root 4096 Aug 1 2023 amazon
drwxr-xr-x 2 root root 4096 Jun 14 11:55 apt
-rw-r----- 1 root adm 393 Jun 14 11:55 auth.log
-rw-r----- 1 root adm 17873 Jun 14 11:55 auth.log.1
-rw-r--r-- 1 root root 600 Aug 1 2023 aws114_ssm_agent_installation.log
-rw-r--r-- 1 root root 453632 Nov 18 2022 bootstrap.log
-rw-rw---- 1 root utmp 0 Jun 14 11:55 btmp
-rw-rw---- 1 root utmp 18432 Aug 1 2023 btmp.1
-rw-r--r-- 1 root adm 508488 Jun 14 11:55 cloud-init.log
-rw-r----- 1 root adm 44420 Jun 14 11:55 cloud-init-output.log
-rw-r----- 1 root adm 5181 Jun 14 11:56 daemon.log
-rw-r----- 1 root adm 144189 Jun 14 11:55 daemon.log.1
-rw-r----- 1 root adm 0 Jun 14 11:55 debug
-rw-r----- 1 root adm 43411 Jun 14 11:55 debug.1
-rw-r--r-- 1 root root 0 Jun 14 11:55 dpkg.log
-rw-r--r-- 1 root root 211484 Aug 1 2023 dpkg.log.1
-rw-r--r-- 1 root root 32064 Aug 1 2023 faillog
-rw-r----- 1 root adm 0 Jun 14 11:55 kern.log
-rw-r----- 1 root adm 241683 Jun 14 11:55 kern.log.1
-rw-rw-r-- 1 root utmp 292584 Jun 14 11:55 lastlog
-rw-r----- 1 root adm 991 Jun 14 11:55 messages
-rw-r----- 1 root adm 223852 Jun 14 11:55 messages.1
drwxr-xr-x 2 ntp ntp 4096 Mar 21 2019 ntpstats
drwx------ 2 root root 4096 Nov 26 2022 private
-rw-r----- 1 root adm 6326 Jun 14 11:56 syslog
-rw-r----- 1 root adm 412413 Jun 14 11:55 syslog.1
-rw-r----- 1 root adm 837 Jun 14 11:55 user.log
-rw-r----- 1 root adm 24221 Aug 1 2023 user.log.1
-rw-rw-r-- 1 root utmp 21504 Jun 14 11:55 wtmp
root@ip-10-0-10-1:/var/log# cat auth.log
Jun 14 11:55:54 ip-10-0-10-1 sshd[603]: Accepted password for root from 218.201.30.74 port 4614 ssh2
Jun 14 11:55:54 ip-10-0-10-1 sshd[603]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 14 11:55:54 ip-10-0-10-1 systemd-logind[428]: New session 1 of user root.
Jun 14 11:55:54 ip-10-0-10-1 systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
root@ip-10-0-10-1:/var/log# head -n 20 auth.log.1
Aug 1 07:40:47 linux-rz sshd[7461]: Invalid user test1 from 192.168.200.35 port 33874
Aug 1 07:40:48 linux-rz sshd[7461]: pam_unix(sshd:auth): check pass; user unknown
Aug 1 07:40:48 linux-rz sshd[7461]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.35
Aug 1 07:40:50 linux-rz sshd[7461]: Failed password for invalid user test1 from 192.168.200.35 port 33874 ssh2
Aug 1 07:40:52 linux-rz sshd[7461]: Connection closed by invalid user test1 192.168.200.35 port 33874 [preauth]
Aug 1 07:40:58 linux-rz sshd[7465]: Invalid user test2 from 192.168.200.35 port 51640
Aug 1 07:41:01 linux-rz sshd[7465]: pam_unix(sshd:auth): check pass; user unknown
Aug 1 07:41:01 linux-rz sshd[7465]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.35
Aug 1 07:41:04 linux-rz sshd[7465]: Failed password for invalid user test2 from 192.168.200.35 port 51640 ssh2
Aug 1 07:41:07 linux-rz sshd[7465]: Connection closed by invalid user test2 192.168.200.35 port 51640 [preauth]
Aug 1 07:41:09 linux-rz sshd[7468]: Invalid user test3 from 192.168.200.35 port 48168
Aug 1 07:41:11 linux-rz sshd[7468]: pam_unix(sshd:auth): check pass; user unknown
Aug 1 07:41:11 linux-rz sshd[7468]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.35
Aug 1 07:41:13 linux-rz sshd[7468]: Failed password for invalid user test3 from 192.168.200.35 port 48168 ssh2
Aug 1 07:41:19 linux-rz sshd[7468]: Connection closed by invalid user test3 192.168.200.35 port 48168 [preauth]
Aug 1 07:42:30 linux-rz sshd[7471]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.32 user=root
Aug 1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2
Aug 1 07:42:33 linux-rz sshd[7471]: Connection closed by authenticating user root 192.168.200.32 port 51888 [preauth]
Aug 1 07:42:49 linux-rz sshd[7288]: Received disconnect from 192.168.200.2 port 54682:11: disconnected by user
|
第一个短的文件,一看就是我本地登陆的记录,所以看/var/log/auth.log.1
1
2
3
4
| root@ip-10-0-10-1:/var/log# cat auth.log.1 | grep -a "Failed password for root" | awk '{print $11}' | sort | uniq -c
4 192.168.200.2
1 192.168.200.31
1 192.168.200.32
|
故flag为:
1
| flag{192.168.200.2,192.168.200.31,192.168.200.32}
|
ssh爆破成功登陆的IP是多少
ssh爆破成功登陆的IP是多少,如果有多个使用”,”分割
1
2
| root@ip-10-0-10-1:/var/log# cat auth.log.1 | grep -a "Accepted password for root" | awk '{print $11}' | sort | uniq -c
2 192.168.200.2
|
故flag为:
爆破用户名字典是什么?
爆破用户名字典是什么?如果有多个使用”,”分割
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
| root@ip-10-0-10-1:/var/log# cat auth.log.1 | grep "Failed password for"
Binary file (standard input) matches
root@ip-10-0-10-1:/var/log# cat auth.log.1 | grep -a "Failed password for"
Aug 1 07:40:50 linux-rz sshd[7461]: Failed password for invalid user test1 from 192.168.200.35 port 33874 ssh2
Aug 1 07:41:04 linux-rz sshd[7465]: Failed password for invalid user test2 from 192.168.200.35 port 51640 ssh2
Aug 1 07:41:13 linux-rz sshd[7468]: Failed password for invalid user test3 from 192.168.200.35 port 48168 ssh2
Aug 1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2
Aug 1 07:46:41 linux-rz sshd[7475]: Failed password for invalid user user from 192.168.200.2 port 36149 ssh2
Aug 1 07:46:47 linux-rz sshd[7478]: Failed password for invalid user user from 192.168.200.2 port 44425 ssh2
Aug 1 07:46:50 linux-rz sshd[7480]: Failed password for invalid user user from 192.168.200.2 port 38791 ssh2
Aug 1 07:46:54 linux-rz sshd[7482]: Failed password for invalid user user from 192.168.200.2 port 37489 ssh2
Aug 1 07:46:56 linux-rz sshd[7484]: Failed password for invalid user user from 192.168.200.2 port 35575 ssh2
Aug 1 07:46:59 linux-rz sshd[7486]: Failed password for invalid user hello from 192.168.200.2 port 35833 ssh2
Aug 1 07:47:02 linux-rz sshd[7489]: Failed password for invalid user hello from 192.168.200.2 port 37653 ssh2
Aug 1 07:47:04 linux-rz sshd[7491]: Failed password for invalid user hello from 192.168.200.2 port 37917 ssh2
Aug 1 07:47:08 linux-rz sshd[7493]: Failed password for invalid user hello from 192.168.200.2 port 41957 ssh2
Aug 1 07:47:10 linux-rz sshd[7495]: Failed password for invalid user hello from 192.168.200.2 port 39685 ssh2
Aug 1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2
Aug 1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2
Aug 1 07:47:20 linux-rz sshd[7501]: Failed password for root from 192.168.200.2 port 39967 ssh2
Aug 1 07:47:22 linux-rz sshd[7503]: Failed password for root from 192.168.200.2 port 46647 ssh2
Aug 1 07:47:26 linux-rz sshd[7525]: Failed password for invalid user from 192.168.200.2 port 37013 ssh2
Aug 1 07:47:30 linux-rz sshd[7528]: Failed password for invalid user from 192.168.200.2 port 37545 ssh2
Aug 1 07:47:32 linux-rz sshd[7530]: Failed password for invalid user from 192.168.200.2 port 39111 ssh2
Aug 1 07:47:35 linux-rz sshd[7532]: Failed password for invalid user from 192.168.200.2 port 35173 ssh2
Aug 1 07:47:39 linux-rz sshd[7534]: Failed password for invalid user from 192.168.200.2 port 45807 ssh2
Aug 1 07:52:59 linux-rz sshd[7606]: Failed password for root from 192.168.200.31 port 40364 ssh2
root@ip-10-0-10-1:/var/log# cat auth.log.1 | grep -a "Failed password for" | awk '{print $9 $11}' | sort | uniq -c | sort -
nr
5 invaliduser
5 invalidhello
5 invalidfrom
4 root192.168.200.2
1 root192.168.200.32
1 root192.168.200.31
1 invalidtest3
1 invalidtest2
1 invalidtest1
|
故flag为:
1
| flag{user,hello,root,test3,test2,test1}
|
官方使用perl进行了解答,很优雅:
1
2
3
4
5
6
7
8
9
10
| root@ip-10-0-10-1:/var/log# cat auth.log.1 | grep -a "Failed password" | perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}'| uniq -c | sort -nr
5 invalid user user
5 invalid user hello
5 invalid user
4 root
1 root
1 root
1 invalid user test3
1 invalid user test2
1 invalid user test1
|
perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}': 这一部分使用 Perl 脚本。-e 选项表示在命令行中提供脚本代码。Perl 脚本的作用是遍历每一行,然后使用正则表达式 /for(.*?) from/ 捕获括号中的内容,即登录失败的用户名。捕获的内容由 $1 引用,然后通过 print "$1\n"; 打印出来,每个用户名占一行。sort -nr: 该部分使用 sort -nr 命令对计数结果进行排序,其中 -n 表示按数字顺序排序,-r 表示逆序(从高到低)排序。
登陆成功的IP共爆破了多少次
1
2
3
4
| root@ip-10-0-10-1:/var/log# cat auth.log.1 | grep -a "Failed password for root" | awk '{print $11}' | sort -n | uniq -c
4 192.168.200.2
1 192.168.200.31
1 192.168.200.32
|
192.168.200.2登录成功了,爆破了四次。故flag为:
黑客登陆主机后新建了一个后门用户,用户名是多少
1
2
3
4
5
6
7
| root@ip-10-0-10-1:/var/log# cat auth.log.1 |grep -a "/bin"
Aug 1 07:50:45 linux-rz useradd[7551]: new user: name=test2, UID=1000, GID=1000, home=/home/test2, shell=/bin/sh
Aug 1 08:18:27 ip-172-31-37-190 useradd[487]: new user: name=debian, UID=1001, GID=1001, home=/home/debian, shell=/bin/bash
Aug 1 08:18:27 ip-172-31-37-190 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/touch /var/log/aws114_ssm_agent_installation.log
root@ip-10-0-10-1:/var/log# cat auth.log.1 | grep -a "/bin/" | grep "sh"
Aug 1 07:50:45 linux-rz useradd[7551]: new user: name=test2, UID=1000, GID=1000, home=/home/test2, shell=/bin/sh
Aug 1 08:18:27 ip-172-31-37-190 useradd[487]: new user: name=debian, UID=1001, GID=1001, home=/home/debian, shell=/bin/bash
|
或者使用:
1
2
3
| root@ip-10-0-10-1:/var/log# cat /var/log/auth.log.1 | grep -a "new user"
Aug 1 07:50:45 linux-rz useradd[7551]: new user: name=test2, UID=1000, GID=1000, home=/home/test2, shell=/bin/sh
Aug 1 08:18:27 ip-172-31-37-190 useradd[487]: new user: name=debian, UID=1001, GID=1001, home=/home/debian, shell=/bin/bash
|
发现确实添加了用户test2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
| root@ip-10-0-10-1:/var/log# cat /etc/passwd | grep -v "nologin" | grep "sh"
root:x:0:0:root:/root:/bin/bash
test2:x:1000:1000::/home/test2:/bin/sh
debian:x:1001:1001:Debian:/home/debian:/bin/bash
root@ip-10-0-10-1:/var/log# ls -la /home
total 12
drwxr-xr-x 3 root root 4096 Aug 1 2023 .
drwxr-xr-x 18 root root 4096 Jun 14 11:55 ..
drwxr-xr-x 3 debian debian 4096 Aug 1 2023 debian
root@ip-10-0-10-1:/# cat /etc/shadow
root:$6$V5ItX87cUllL5G4h$yATBAGCLFnkAoW4erj4cBGT9mXg3kdqkItr8xX.64LJwsq48qDeukrTkOwoTE6TSYnaTDfSRvpWiq/BIMmhom/:19570:0:99999:7:::
daemon:*:19314:0:99999:7:::
bin:*:19314:0:99999:7:::
sys:*:19314:0:99999:7:::
sync:*:19314:0:99999:7:::
games:*:19314:0:99999:7:::
man:*:19314:0:99999:7:::
lp:*:19314:0:99999:7:::
mail:*:19314:0:99999:7:::
news:*:19314:0:99999:7:::
uucp:*:19314:0:99999:7:::
proxy:*:19314:0:99999:7:::
www-data:*:19314:0:99999:7:::
backup:*:19314:0:99999:7:::
list:*:19314:0:99999:7:::
irc:*:19314:0:99999:7:::
gnats:*:19314:0:99999:7:::
nobody:*:19314:0:99999:7:::
_apt:*:19314:0:99999:7:::
systemd-timesync:*:19314:0:99999:7:::
systemd-network:*:19314:0:99999:7:::
systemd-resolve:*:19314:0:99999:7:::
messagebus:*:19314:0:99999:7:::
unscd:*:19314:0:99999:7:::
ntp:*:19314:0:99999:7:::
sshd:*:19314:0:99999:7:::
systemd-coredump:!!:19322::::::
test2:$6$oIpMwQHVAWKNjsi1$kMV6ZNSOTZfqnNSxqMkl9tLj/1Y5KOJMZBzCu.qQgFxezvXrn..gHkt8lieFTDVCUI0PhVASNpZvKCJwsN3gH1:19570:0:99999:7:::
debian:!:19570:0:99999:7:::
|
所以flag为:
