1、服务器WEB目录php后门检查Linux Shell脚本（基于少量固定特征串的简单匹配，只能发现已知的常见 webshell，混淆或变形后的后门不会被命中，结果为空不等于目录干净）
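#!/usr/bin/env bash
# check-eval.sh - scan a web root for PHP files that contain well-known
# webshell signatures and write the list of matching files to check.log.
#
# Cron example (02:30 daily):
#30 2 * * * /opt/sh/check-eval.sh > /dev/null 2>&1
#
# Exit status (unchanged from the original so existing callers keep working):
#   0 - at least one PHP file matched a signature (paths are in check.log)
#   1 - no file matched
#
# NOTE(review): this is a plain regex signature check. It only finds the
# handful of shells listed in $signatures; obfuscated or string-concatenated
# eval/assert payloads are not detected. Treat a clean run as "no known shell
# signature", not as proof that the web root is clean.
set -u

# Web root to scan (override with CHECK_PATH).
check_path="${CHECK_PATH:-/data/wwwroot}"
# Directory that receives check.log (override with CHECK_LOG).
check_log="${CHECK_LOG:-/data/logs}"
# Signatures searched with `grep -E`; extend here when new shells show up.
signatures='(phpspy|c99sh|milw0rm|eval\(base64_decode|spider_bc)'
# Report timestamp. The original used %Y/%d/%m (day before month), which reads
# wrong next to a year-first date; year/month/day is used here.
stamp=$(date +%Y/%m/%d/%H:%M:%S)

# -print0/-0 keep unusual file names intact. `grep -l` prints only the file
# name: with the original plain grep, a batch containing a single file made
# grep print the matching line instead of the path, and the awk -F: split also
# broke on paths containing ':'. `--` stops a signature starting with '-' from
# being parsed as an option.
find "$check_path" -type f -name '*.php' -print0 \
  | xargs -0 -r grep -E -l -- "$signatures" \
  | sort -u > "$check_log/check.log"

# Number of flagged files. The original captured grep's stdout *after*
# redirecting it to /dev/null, so the "status" it printed was always empty.
hits=$(wc -l < "$check_log/check.log")
hits=$((hits))

if (( hits > 0 )); then
  printf 'check status: %d suspicious php file(s), see %s time:%s\n' \
    "$hits" "$check_log/check.log" "$stamp"
  # Print the paths as well so a cron MAILTO recipient sees them directly.
  cat -- "$check_log/check.log"
  exit 0
else
  echo not exist
  exit 1
fi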
2、服务器上查隐藏进程Linux Shell脚本（对比 /proc 目录与 ps 输出：只能发现对 ps 隐藏、但仍出现在 /proc 目录遍历中的进程；在内核层过滤 /proc 目录列表的 rootkit 对两边同时隐藏，此脚本检测不到）
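#!/usr/bin/env bash
# check-ps.sh - report PIDs that exist under /proc but are missing from `ps -A`.
#
# Cron example (03:30 daily):
#30 3 * * * /opt/sh/check-ps.sh > /dev/null 2>&1
#
# Exit status: 0 when every /proc PID is also reported by ps, 1 otherwise
# (the original always ended with status 0, even after reporting hits).
#
# NOTE(review): both views come from listing the /proc directory, so a rootkit
# that filters /proc directory listings in the kernel is invisible to this
# check as well as to ps. It catches processes hidden from ps's output only;
# a clean run is not proof that nothing is hidden.
set -uo pipefail
shopt -s nullglob   # no /proc at all must not leave the literal pattern in the loop

# pid_listed PID LIST
#   Succeeds when PID appears as a whole line of the newline-separated LIST.
#   Whole-line matching matters: the original unanchored `grep -qs` let PID 12
#   be "found" because 120 or 1234 existed, and so never reported it.
pid_listed() {
  local pid=$1 list=$2
  [[ $'\n'$list$'\n' == *$'\n'"$pid"$'\n'* ]]
}

# ps_pids - one PID per line, no header, leading blanks stripped.
ps_pids() {
  ps -A -o pid= | awk '{print $1}'
}

main() {
  local known dir pid found=0
  known=$(ps_pids)   # snapshot BEFORE walking /proc; see the re-check below
  for dir in /proc/[[:digit:]]*; do
    pid=${dir##*/}
    pid_listed "$pid" "$known" && continue
    # Not in the snapshot: either hidden, or simply started after the snapshot
    # (or already gone). Re-check both sides before reporting, otherwise every
    # short-lived process started in between is a false alarm.
    [[ -d /proc/$pid ]] || continue
    pid_listed "$pid" "$(ps_pids)" && continue
    printf "Rootkit's PID: %s\n" "$pid"
    found=$((found + 1))
  done
  if (( found == 0 )); then
    echo "Checking finished: every /proc PID is reported by ps, nothing hidden found"
    return 0
  fi
  printf 'Checking finished: %d PID(s) present in /proc but missing from ps\n' "$found"
  return 1
}

main "$@"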
3、CC攻击导致服务器负载高：根据 nginx 访问日志统计单 IP 请求量，把超过阈值的 IP 加入 iptables 封禁的 Linux Shell 脚本（注意：脚本取的是日志第一列 $remote_addr，若前端有 CDN/负载均衡/反向代理，该列是代理地址，直接封禁会把代理整体封掉，需先在日志格式中记录真实客户端 IP；规则只封 tcp/80，且不会自动过期）
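#!/usr/bin/env bash
# block-cc.sh - find client IPs that flood the nginx access log and DROP them
# in iptables (tcp/80) so a request flood ("CC attack") stops eating the CPU.
#
# Side effects: writes $out_dir/block_attack_ips.log (offenders found this run)
# and $out_dir/iptables.log (sources already dropped), then inserts one
# `iptables -I INPUT -p tcp -s IP --dport 80 -j DROP` rule per new offender.
#
# CAVEATS a practitioner should know before enabling this:
#   * Column 1 of the log is $remote_addr. Behind a CDN, load balancer or
#     reverse proxy that is the proxy's address, and this script would block
#     the proxy for every user. Log the real client address first, or do not
#     run it in that topology.
#   * Only tcp/80 is dropped; HTTPS (443) traffic from the same IP still flows.
#   * Rules live in the running ruleset only: they vanish on reboot / iptables
#     restart and never expire by themselves. Watch the rule count and consider
#     an ipset with a timeout when the volume grows.
#   * Legitimate heavy clients (monitoring, crawlers, a busy NAT) can exceed
#     the threshold; list them in ALLOWLIST.
set -uo pipefail

# Access log to inspect. The original used this relative name; under cron the
# working directory is the cron user's home, so prefer an absolute ACCESS_LOG.
log="${ACCESS_LOG:-www.aqzt.com.access.log}"
# Directory for the two scratch/audit files.
out_dir="${NGINXLOG_DIR:-/data/nginxlogs}"
# How many trailing log lines to look at and how many requests per IP in that
# window count as an attack (the original hard-coded 9999 and 200).
window="${WINDOW_LINES:-9999}"
threshold="${THRESHOLD:-200}"
# Space-separated IPs that are never blocked. 127.0.0.1 is included so local
# health checks cannot lock the box out of its own web server.
allowlist="${ALLOWLIST:-127.0.0.1}"
ipt=/sbin/iptables

# top_talkers THRESHOLD
#   stdin: access-log lines; stdout: column-1 addresses seen more than
#   THRESHOLD times, busiest first (same result as sort|uniq -c|sort -rn|awk).
top_talkers() {
  local threshold=$1
  awk -v limit="$threshold" \
    '{ n[$1]++ } END { for (ip in n) if (n[ip] > limit) print n[ip], ip }' \
    | sort -rn | awk '{print $2}'
}

# is_ipv4 ADDR
#   Accept only a dotted quad with octets 0-255. The address comes from a log
#   file and ends up on the iptables command line, so anything else is refused
#   rather than passed through (iptables here is IPv4-only anyway).
is_ipv4() {
  local ip=$1 oct
  [[ $ip =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for oct in "${BASH_REMATCH[@]:1}"; do
    (( 10#$oct <= 255 )) || return 1
  done
}

# already_dropped IP LIST
#   Succeeds when IP is a whole line of LIST (the current DROP sources).
#   The original unanchored `grep $ip` treated the dots as wildcards, so
#   1.2.3.4 "already existed" whenever 1.2.3.40 did, and the block was skipped.
already_dropped() {
  local ip=$1 list=$2
  [[ $'\n'$list$'\n' == *$'\n'"$ip"$'\n'* ]]
}

main() {
  local ip dropped
  if (( EUID != 0 )); then
    echo "must run as root to change iptables rules" >&2
    return 1
  fi
  if [[ ! -r $log ]]; then
    printf 'access log not readable: %s\n' "$log" >&2
    return 1
  fi
  # Offenders in the last $window requests; kept on disk as an audit trail.
  tail -n "$window" -- "$log" | top_talkers "$threshold" > "$out_dir/block_attack_ips.log"
  # Sources of existing DROP rules: target is column 1, source column 4 of -nL.
  "$ipt" -nL | awk '$1 == "DROP" {print $4}' > "$out_dir/iptables.log"
  dropped=$(<"$out_dir/iptables.log")

  while IFS= read -r ip || [[ -n $ip ]]; do
    [[ -n $ip ]] || continue
    if ! is_ipv4 "$ip"; then
      printf 'skip (not an IPv4 address): %s\n' "$ip" >&2
      continue
    fi
    if [[ " $allowlist " == *" $ip "* ]]; then
      printf 'skip (allowlisted): %s\n' "$ip"
      continue
    fi
    if already_dropped "$ip" "$dropped"; then
      printf 'Already exists: %s\n' "$ip"
    else
      printf 'add %s\n' "$ip"
      "$ipt" -I INPUT -p tcp -s "$ip" --dport 80 -j DROP
    fi
  done < "$out_dir/block_attack_ips.log"
}

main "$@"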