#!/bin/bash
#30 2 * * * /opt/sh/check-eval.sh > /dev/null 2>&1
#检查的WEB目录
check_path="/data/wwwroot"
#日志输出目录
check_log="/data/logs"
time=`date +%Y/%d/%m/%H:%M:%S`
find ${check_path} -name "*.php" -type f -print0|xargs -0 egrep "(phpspy|c99sh|milw0rm|eval(base64_decode|spider_bc)"|awk -F: '{print $1}'|sort|uniq > ${check_log}/check.log
status=$(grep php /data/logs/check.log > /dev/null 2>&1)
if [ $? -eq 0 ]; then
echo "check stauts: ${status} time:$time"
exit 0
else
echo not exist
exit 1
fi
2、服务器上查隐藏进程Linux Shell脚本
#!/bin/bash
#30 3 * * * /opt/sh/check-ps.sh > /dev/null 2>&1
#查隐藏进程
ps_pids="`ps -A | awk '{print $1}'`";
for i in /proc/[[:digit:]]*;
do
if echo "$ps_pids" | grep -qs `basename "$i"`;
then
:
#echo "no found"
else
echo "Rootkit's PID: $(basename "$i")";
fi
done
echo "Chechking Finished,Congratulations to you !!!No found
3、CC攻击导致服务器负载高,根据nginx日志分析单IP大量请求,攻击IP加入iptables防火墙Linux Shell脚本
tail www.aqzt.com.access.log -n 9999 |awk '{print $1}'|sort|uniq -c|sort -rn|awk '{if ($1>200){print $2}}' > /data/nginxlogs/block_attack_ips.log
/sbin/iptables -nL |grep DROP | awk '{print $4}' > /data/nginxlogs/iptables.log
filename=`cat /data/nginxlogs/block_attack_ips.log`
for ip in $filename
do
if [ `grep $ip /data/nginxlogs/iptables.log` ]
then
echo "Already exists"
else
echo "add"
/sbin/iptables -I INPUT -p tcp -s $ip --dport 80 -j DROP
fi
done
参考:公众号安全专题
