跳到主要内容

第一章 应急响应 - Linux日志分析

1

有多少IP在爆破主机ssh的root帐号,如果有多个使用","分割

(remote) root@ip-10-0-10-2:/root# cat /var/log/auth.log* | grep -a "Failed password for root" | awk '{print $11}' | sort -n | uniq | tr '\n' ','
192.168.200.2,192.168.200.31,192.168.200.32
flag{192.168.200.2,192.168.200.31,192.168.200.32}

2

ssh爆破成功登陆的IP是多少,如果有多个使用","分割

(remote) root@ip-10-0-10-2:/root# cat /var/log/auth.log* | grep -a "Accepted " | awk '{print $11}' | sort -n | uniq -c
      2 192.168.200.2
      1 218.106.157.103

排除掉自己的IP即可

flag{192.168.200.2}

3

爆破用户名字典是什么?如果有多个使用","分割

筛选登陆失败的用户名记录

(remote) root@ip-10-0-10-2:/root# cat /var/log/auth.log* | grep -a "Failed password"
Aug  1 07:40:50 linux-rz sshd[7461]: Failed password for invalid user test1 from 192.168.200.35 port 33874 ssh2
Aug  1 07:41:04 linux-rz sshd[7465]: Failed password for invalid user test2 from 192.168.200.35 port 51640 ssh2
Aug  1 07:41:13 linux-rz sshd[7468]: Failed password for invalid user test3 from 192.168.200.35 port 48168 ssh2
Aug  1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2
Aug  1 07:46:41 linux-rz sshd[7475]: Failed password for invalid user user from 192.168.200.2 port 36149 ssh2
Aug  1 07:46:47 linux-rz sshd[7478]: Failed password for invalid user user from 192.168.200.2 port 44425 ssh2
Aug  1 07:46:50 linux-rz sshd[7480]: Failed password for invalid user user from 192.168.200.2 port 38791 ssh2
Aug  1 07:46:54 linux-rz sshd[7482]: Failed password for invalid user user from 192.168.200.2 port 37489 ssh2
Aug  1 07:46:56 linux-rz sshd[7484]: Failed password for invalid user user from 192.168.200.2 port 35575 ssh2
Aug  1 07:46:59 linux-rz sshd[7486]: Failed password for invalid user hello from 192.168.200.2 port 35833 ssh2
Aug  1 07:47:02 linux-rz sshd[7489]: Failed password for invalid user hello from 192.168.200.2 port 37653 ssh2
Aug  1 07:47:04 linux-rz sshd[7491]: Failed password for invalid user hello from 192.168.200.2 port 37917 ssh2
Aug  1 07:47:08 linux-rz sshd[7493]: Failed password for invalid user hello from 192.168.200.2 port 41957 ssh2
Aug  1 07:47:10 linux-rz sshd[7495]: Failed password for invalid user hello from 192.168.200.2 port 39685 ssh2
Aug  1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2
Aug  1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2
Aug  1 07:47:20 linux-rz sshd[7501]: Failed password for root from 192.168.200.2 port 39967 ssh2
Aug  1 07:47:22 linux-rz sshd[7503]: Failed password for root from 192.168.200.2 port 46647 ssh2
Aug  1 07:47:26 linux-rz sshd[7525]: Failed password for invalid user  from 192.168.200.2 port 37013 ssh2
Aug  1 07:47:30 linux-rz sshd[7528]: Failed password for invalid user  from 192.168.200.2 port 37545 ssh2
Aug  1 07:47:32 linux-rz sshd[7530]: Failed password for invalid user  from 192.168.200.2 port 39111 ssh2
Aug  1 07:47:35 linux-rz sshd[7532]: Failed password for invalid user  from 192.168.200.2 port 35173 ssh2
Aug  1 07:47:39 linux-rz sshd[7534]: Failed password for invalid user  from 192.168.200.2 port 45807 ssh2
Aug  1 07:52:59 linux-rz sshd[7606]: Failed password for root from 192.168.200.31 port 40364 ssh2

对结果进行清洗

备注

这题的清洗有点问题,顺序不是很好确定,这里附上官方的题解

grep -a "Failed password"  /var/log/auth.log.2|perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}'|uniq -c|sort -nr
(remote) root@ip-10-0-10-2:/root# cat /var/log/auth.log* | grep -a "Failed password" | awk -F 'for ' '{print $2}' | awk -F ' from' '{print $1}' | sed 's/invalid user//g' | sed 's/^[ \t]*//;s/[ \t]*$//' | grep -v '^$' | uniq -c | sort -nr
      5 user
      5 root
      5 hello
      1 test3
      1 test2
      1 test1
      1 root
flag{user,hello,root,test3,test2,test1}

4

登陆成功的IP共爆破了多少次

(remote) root@ip-10-0-10-2:/root# cat /var/log/auth.log* | grep -a "Failed password for root" | awk '{print $11}' | sort -n | uniq -c
      4 192.168.200.2
      1 192.168.200.31
      1 192.168.200.32
flag{4}

5

黑客登陆主机后新建了一个后门用户,用户名是多少

(remote) root@ip-10-0-10-2:/root# cat /var/log/auth.log* | grep -a "useradd" | grep -a "linux-rz"
Aug  1 07:50:45 linux-rz useradd[7551]: new group: name=test2, GID=1000
Aug  1 07:50:45 linux-rz useradd[7551]: new user: name=test2, UID=1000, GID=1000, home=/home/test2, shell=/bin/sh
flag{test2}