【玄机】Chapter 1 Incident Response: Linux Log Analysis Writeup


Challenge

Account: root, password: linuxrz
ssh root@IP
1. How many IPs brute-forced the host's ssh root account? If there are several, separate them with ",".
2. Which IP brute-forced its way in successfully? If there are several, separate them with ",".
3. What username dictionary was used for the brute force? If there are several, separate them with ",".
4. How many attempts did the IP that logged in successfully make?
5. After logging in, the attacker created a backdoor user. What is the username?

Contents of the /var/log/auth.log.1 log file

Aug  1 07:40:47 linux-rz sshd[7461]: Invalid user test1 from 192.168.200.35 port 33874
Aug  1 07:40:48 linux-rz sshd[7461]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:40:48 linux-rz sshd[7461]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.35 
Aug  1 07:40:50 linux-rz sshd[7461]: Failed password for invalid user test1 from 192.168.200.35 port 33874 ssh2
Aug  1 07:40:52 linux-rz sshd[7461]: Connection closed by invalid user test1 192.168.200.35 port 33874 [preauth]
Aug  1 07:40:58 linux-rz sshd[7465]: Invalid user test2 from 192.168.200.35 port 51640
Aug  1 07:41:01 linux-rz sshd[7465]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:41:01 linux-rz sshd[7465]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.35 
Aug  1 07:41:04 linux-rz sshd[7465]: Failed password for invalid user test2 from 192.168.200.35 port 51640 ssh2
Aug  1 07:41:07 linux-rz sshd[7465]: Connection closed by invalid user test2 192.168.200.35 port 51640 [preauth]
Aug  1 07:41:09 linux-rz sshd[7468]: Invalid user test3 from 192.168.200.35 port 48168
Aug  1 07:41:11 linux-rz sshd[7468]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:41:11 linux-rz sshd[7468]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.35 
Aug  1 07:41:13 linux-rz sshd[7468]: Failed password for invalid user test3 from 192.168.200.35 port 48168 ssh2
Aug  1 07:41:19 linux-rz sshd[7468]: Connection closed by invalid user test3 192.168.200.35 port 48168 [preauth]
Aug  1 07:42:30 linux-rz sshd[7471]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.32  user=root
Aug  1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2
Aug  1 07:42:33 linux-rz sshd[7471]: Connection closed by authenticating user root 192.168.200.32 port 51888 [preauth]
Aug  1 07:42:49 linux-rz sshd[7288]: Received disconnect from 192.168.200.2 port 54682:11: disconnected by user
Aug  1 07:42:49 linux-rz sshd[7288]: Disconnected from user root 192.168.200.2 port 54682
Aug  1 07:42:49 linux-rz sshd[7288]: pam_unix(sshd:session): session closed for user root
Aug  1 07:42:49 linux-rz systemd-logind[440]: Session 6 logged out. Waiting for processes to exit.
Aug  1 07:42:49 linux-rz systemd-logind[440]: Removed session 6.
Aug  1 07:46:39 linux-rz sshd[7475]: Invalid user user from 192.168.200.2 port 36149
Aug  1 07:46:39 linux-rz sshd[7475]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:46:39 linux-rz sshd[7475]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:46:41 linux-rz sshd[7475]: Failed password for invalid user user from 192.168.200.2 port 36149 ssh2
Aug  1 07:46:45 linux-rz sshd[7475]: Connection closed by invalid user user 192.168.200.2 port 36149 [preauth]
Aug  1 07:46:45 linux-rz sshd[7478]: Invalid user user from 192.168.200.2 port 44425
Aug  1 07:46:45 linux-rz sshd[7478]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:46:45 linux-rz sshd[7478]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:46:47 linux-rz sshd[7478]: Failed password for invalid user user from 192.168.200.2 port 44425 ssh2
Aug  1 07:46:48 linux-rz sshd[7478]: Connection closed by invalid user user 192.168.200.2 port 44425 [preauth]
Aug  1 07:46:48 linux-rz sshd[7480]: Invalid user user from 192.168.200.2 port 38791
Aug  1 07:46:48 linux-rz sshd[7480]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:46:48 linux-rz sshd[7480]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:46:50 linux-rz sshd[7480]: Failed password for invalid user user from 192.168.200.2 port 38791 ssh2
Aug  1 07:46:52 linux-rz sshd[7480]: Connection closed by invalid user user 192.168.200.2 port 38791 [preauth]
Aug  1 07:46:52 linux-rz sshd[7482]: Invalid user user from 192.168.200.2 port 37489
Aug  1 07:46:52 linux-rz sshd[7482]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:46:52 linux-rz sshd[7482]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:46:54 linux-rz sshd[7482]: Failed password for invalid user user from 192.168.200.2 port 37489 ssh2
Aug  1 07:46:54 linux-rz sshd[7482]: Connection closed by invalid user user 192.168.200.2 port 37489 [preauth]
Aug  1 07:46:54 linux-rz sshd[7484]: Invalid user user from 192.168.200.2 port 35575
Aug  1 07:46:54 linux-rz sshd[7484]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:46:54 linux-rz sshd[7484]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:46:56 linux-rz sshd[7484]: Failed password for invalid user user from 192.168.200.2 port 35575 ssh2
Aug  1 07:46:57 linux-rz sshd[7484]: Connection closed by invalid user user 192.168.200.2 port 35575 [preauth]
Aug  1 07:46:57 linux-rz sshd[7486]: Invalid user hello from 192.168.200.2 port 35833
Aug  1 07:46:57 linux-rz sshd[7486]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:46:57 linux-rz sshd[7486]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:46:59 linux-rz sshd[7486]: Failed password for invalid user hello from 192.168.200.2 port 35833 ssh2
Aug  1 07:46:59 linux-rz sshd[7486]: Connection closed by invalid user hello 192.168.200.2 port 35833 [preauth]
Aug  1 07:47:00 linux-rz sshd[7489]: Invalid user hello from 192.168.200.2 port 37653
Aug  1 07:47:00 linux-rz sshd[7489]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:47:00 linux-rz sshd[7489]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:02 linux-rz sshd[7489]: Failed password for invalid user hello from 192.168.200.2 port 37653 ssh2
Aug  1 07:47:02 linux-rz sshd[7489]: Connection closed by invalid user hello 192.168.200.2 port 37653 [preauth]
Aug  1 07:47:02 linux-rz sshd[7491]: Invalid user hello from 192.168.200.2 port 37917
Aug  1 07:47:02 linux-rz sshd[7491]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:47:02 linux-rz sshd[7491]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:04 linux-rz sshd[7491]: Failed password for invalid user hello from 192.168.200.2 port 37917 ssh2
Aug  1 07:47:05 linux-rz sshd[7491]: Connection closed by invalid user hello 192.168.200.2 port 37917 [preauth]
Aug  1 07:47:05 linux-rz sshd[7493]: Invalid user hello from 192.168.200.2 port 41957
Aug  1 07:47:05 linux-rz sshd[7493]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:47:05 linux-rz sshd[7493]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:08 linux-rz sshd[7493]: Failed password for invalid user hello from 192.168.200.2 port 41957 ssh2
Aug  1 07:47:08 linux-rz sshd[7493]: Connection closed by invalid user hello 192.168.200.2 port 41957 [preauth]
Aug  1 07:47:08 linux-rz sshd[7495]: Invalid user hello from 192.168.200.2 port 39685
Aug  1 07:47:08 linux-rz sshd[7495]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:47:08 linux-rz sshd[7495]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:10 linux-rz sshd[7495]: Failed password for invalid user hello from 192.168.200.2 port 39685 ssh2
Aug  1 07:47:11 linux-rz sshd[7495]: Connection closed by invalid user hello 192.168.200.2 port 39685 [preauth]
Aug  1 07:47:11 linux-rz sshd[7497]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2  user=root
Aug  1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2
Aug  1 07:47:15 linux-rz sshd[7497]: Connection closed by authenticating user root 192.168.200.2 port 34703 [preauth]
Aug  1 07:47:16 linux-rz sshd[7499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2  user=root
Aug  1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2
Aug  1 07:47:18 linux-rz sshd[7499]: Connection closed by authenticating user root 192.168.200.2 port 46671 [preauth]
Aug  1 07:47:18 linux-rz sshd[7501]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2  user=root
Aug  1 07:47:20 linux-rz sshd[7501]: Failed password for root from 192.168.200.2 port 39967 ssh2
Aug  1 07:47:20 linux-rz sshd[7501]: Connection closed by authenticating user root 192.168.200.2 port 39967 [preauth]
Aug  1 07:47:20 linux-rz sshd[7503]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2  user=root
Aug  1 07:47:22 linux-rz sshd[7503]: Failed password for root from 192.168.200.2 port 46647 ssh2
Aug  1 07:47:23 linux-rz sshd[7503]: Connection closed by authenticating user root 192.168.200.2 port 46647 [preauth]
Aug  1 07:47:23 linux-rz sshd[7505]: Accepted password for root from 192.168.200.2 port 46563 ssh2
Aug  1 07:47:23 linux-rz sshd[7505]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug  1 07:47:23 linux-rz systemd-logind[440]: New session 7 of user root.
Aug  1 07:47:23 linux-rz sshd[7525]: Invalid user  from 192.168.200.2 port 37013
Aug  1 07:47:23 linux-rz sshd[7525]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:47:23 linux-rz sshd[7525]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:26 linux-rz sshd[7525]: Failed password for invalid user  from 192.168.200.2 port 37013 ssh2
Aug  1 07:47:28 linux-rz sshd[7525]: Connection closed by invalid user  192.168.200.2 port 37013 [preauth]
Aug  1 07:47:28 linux-rz sshd[7528]: Invalid user  from 192.168.200.2 port 37545
Aug  1 07:47:28 linux-rz sshd[7528]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:47:28 linux-rz sshd[7528]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:30 linux-rz sshd[7528]: Failed password for invalid user  from 192.168.200.2 port 37545 ssh2
Aug  1 07:47:30 linux-rz sshd[7528]: Connection closed by invalid user  192.168.200.2 port 37545 [preauth]
Aug  1 07:47:30 linux-rz sshd[7530]: Invalid user  from 192.168.200.2 port 39111
Aug  1 07:47:30 linux-rz sshd[7530]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:47:30 linux-rz sshd[7530]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:32 linux-rz sshd[7530]: Failed password for invalid user  from 192.168.200.2 port 39111 ssh2
Aug  1 07:47:32 linux-rz sshd[7530]: Connection closed by invalid user  192.168.200.2 port 39111 [preauth]
Aug  1 07:47:33 linux-rz sshd[7532]: Invalid user  from 192.168.200.2 port 35173
Aug  1 07:47:33 linux-rz sshd[7532]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:47:33 linux-rz sshd[7532]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:35 linux-rz sshd[7532]: Failed password for invalid user  from 192.168.200.2 port 35173 ssh2
Aug  1 07:47:37 linux-rz sshd[7532]: Connection closed by invalid user  192.168.200.2 port 35173 [preauth]
Aug  1 07:47:37 linux-rz sshd[7534]: Invalid user  from 192.168.200.2 port 45807
Aug  1 07:47:37 linux-rz sshd[7534]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:47:37 linux-rz sshd[7534]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:39 linux-rz sshd[7534]: Failed password for invalid user  from 192.168.200.2 port 45807 ssh2
Aug  1 07:47:41 linux-rz sshd[7534]: Connection closed by invalid user  192.168.200.2 port 45807 [preauth]
Aug  1 07:50:29 linux-rz sshd[7505]: pam_unix(sshd:session): session closed for user root
Aug  1 07:50:29 linux-rz systemd-logind[440]: Session 7 logged out. Waiting for processes to exit.
Aug  1 07:50:29 linux-rz systemd-logind[440]: Removed session 7.
Aug  1 07:50:37 linux-rz sshd[7539]: Accepted password for root from 192.168.200.2 port 48070 ssh2
Aug  1 07:50:37 linux-rz sshd[7539]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug  1 07:50:37 linux-rz systemd-logind[440]: New session 8 of user root.
Aug  1 07:50:45 linux-rz useradd[7551]: new group: name=test2, GID=1000
Aug  1 07:50:45 linux-rz useradd[7551]: new user: name=test2, UID=1000, GID=1000, home=/home/test2, shell=/bin/sh
Aug  1 07:50:52 linux-rz passwd[7563]: pam_unix(passwd:chauthtok): password changed for test2
Aug  1 07:50:56 linux-rz sshd[7539]: Received disconnect from 192.168.200.2 port 48070:11: disconnected by user
Aug  1 07:50:56 linux-rz sshd[7539]: Disconnected from user root 192.168.200.2 port 48070
Aug  1 07:50:56 linux-rz sshd[7539]: pam_unix(sshd:session): session closed for user root
Aug  1 07:50:56 linux-rz systemd-logind[440]: Session 8 logged out. Waiting for processes to exit.
Aug  1 07:50:56 linux-rz systemd-logind[440]: Removed session 8.
Aug  1 07:52:57 linux-rz sshd[7606]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.31  user=root
Aug  1 07:52:59 linux-rz sshd[7606]: Failed password for root from 192.168.200.31 port 40364 ssh2
Aug  1 07:53:01 linux-rz sshd[7606]: Connection closed by authenticating user root 192.168.200.31 port 40364 [preauth]
Aug  1 08:01:26 linux-rz sshd[748]: Received disconnect from 192.168.200.2 port 50378:11: disconnected by user
Aug  1 08:01:26 linux-rz sshd[748]: Disconnected from user root 192.168.200.2 port 50378
Aug  1 08:01:26 linux-rz sshd[748]: pam_unix(sshd:session): session closed for user root
Aug  1 08:01:26 linux-rz systemd-logind[440]: Session 3 logged out. Waiting for processes to exit.
Aug  1 08:01:26 linux-rz systemd-logind[440]: Removed session 3.
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: new group: name=debian, GID=1001
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: new user: name=debian, UID=1001, GID=1001, home=/home/debian, shell=/bin/bash
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to group 'adm'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to group 'dialout'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to group 'cdrom'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to group 'floppy'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to group 'sudo'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to group 'audio'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to group 'dip'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to group 'video'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to group 'plugdev'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to group 'netdev'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to shadow group 'adm'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to shadow group 'dialout'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to shadow group 'cdrom'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to shadow group 'floppy'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to shadow group 'sudo'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to shadow group 'audio'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to shadow group 'dip'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to shadow group 'video'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to shadow group 'plugdev'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to shadow group 'netdev'
Aug  1 08:18:27 ip-172-31-37-190 passwd[493]: password for 'debian' changed by 'root'
Aug  1 08:18:27 ip-172-31-37-190 sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/touch /var/log/aws114_ssm_agent_installation.log
Aug  1 08:18:27 ip-172-31-37-190 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug  1 08:18:27 ip-172-31-37-190 sudo: pam_unix(sudo:session): session closed for user root
Aug  1 08:18:27 ip-172-31-37-190 sshd[544]: Server listening on 0.0.0.0 port 22.
Aug  1 08:18:27 ip-172-31-37-190 systemd-logind[503]: Watching system buttons on /dev/input/event1 (Power Button)
Aug  1 08:18:27 ip-172-31-37-190 sshd[544]: Server listening on :: port 22.
Aug  1 08:18:27 ip-172-31-37-190 systemd-logind[503]: Watching system buttons on /dev/input/event2 (Sleep Button)
Aug  1 08:18:27 ip-172-31-37-190 systemd-logind[503]: Watching system buttons on /dev/input/event0 (AT Translated Set 2 keyboard)
Aug  1 08:18:27 ip-172-31-37-190 systemd-logind[503]: New seat seat0.
Jan 24 07:31:32 ip-10-0-10-4 passwd[416]: password for 'debian' changed by 'root'
Jan 24 07:31:33 ip-10-0-10-4 systemd-logind[428]: Watching system buttons on /dev/input/event1 (Power Button)
Jan 24 07:31:33 ip-10-0-10-4 systemd-logind[428]: Watching system buttons on /dev/input/event2 (Sleep Button)
Jan 24 07:31:33 ip-10-0-10-4 systemd-logind[428]: Watching system buttons on /dev/input/event0 (AT Translated Set 2 keyboard)
Jan 24 07:31:33 ip-10-0-10-4 systemd-logind[428]: New seat seat0.
Jan 24 07:31:33 ip-10-0-10-4 sshd[466]: Server listening on 0.0.0.0 port 22.
Jan 24 07:31:33 ip-10-0-10-4 sshd[466]: Server listening on :: port 22.

Preface

I remember that when I first started doing log analysis for incident response, I didn't know how to filter data with commands, so I always pasted it into an Excel spreadsheet and filtered by hand......

It is a bit clumsy, but for someone new to log analysis who is not yet fluent with command-line filtering and is under time pressure, it is worth a try.

So today let's do both: spreadsheet filtering plus command filtering.

1. How many IPs brute-forced the host's ssh root account? If there are several, separate them with "," in ascending order, e.g. flag{192.168.200.1,192.168.200.2}

Spreadsheet filtering

My approach is to save the log content as a CSV file. Note that the delimiter has to be changed to a space (or the spaces replaced with the default comma delimiter); then it opens directly.

Filter on the Failed field and the corresponding IP addresses show up right after it.

Command filtering

cat auth.log.1 | grep -a "Failed password for root" | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | more

An explanation:

awk '{print $(NF-3)}': NF is an awk built-in variable holding the total number of fields on the line, so $(NF-3) is the fourth field from the end; in a "Failed password for root from IP port N ssh2" line that is the IP address.

uniq -c: count how many times each unique IP address appears.

sort -nr: sort by that count in descending order.

more: page the output one screen at a time.

The question asks for ascending order, so the final flag is: flag{192.168.200.2,192.168.200.31,192.168.200.32}

2. Which IP brute-forced its way in successfully? If there are several, separate them with ","

Spreadsheet filtering

Filter directly on the Accepted field and the result appears immediately.

Command filtering

cat auth.log.1 | grep -a "Accepted password" | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | more

So the flag is:

flag{192.168.200.2}

3. What username dictionary was used for the brute force? If there are several, separate them with ","

Spreadsheet filtering

Filter on the Failed field again, but watch out, watch out, watch out: at first I overlooked root and only included the other names. Even with spreadsheet filtering it is easy to miss, so look carefully~

Command filtering

cat auth.log.1 | grep -a "Failed password" |perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}'|uniq -c|sort -nr

Explanation:

perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}'

perl: run a Perl script.

while($_=<>): read standard input line by line, storing each line in $_.

/for(.*?) from/: a regular expression that matches the text between "for" and "from" on each line.

print "$1\n": print the value of the first capture group.

So the flag is:

flag{root,user,hello,test3,test2,test1}

4. How many attempts did the IP that logged in successfully make?

Spreadsheet filtering

Once question 2 is solved, the answer to this one falls out as well; just count the attempts.

Command filtering

cat auth.log.1 | grep -a "Accepted password" | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | more
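Questions 1, 2 and 4 can be answered from one pass over the file with a few shell functions; this is an added example, not code from the original writeup. It takes the field after "from" instead of a fixed column, sorts the addresses numerically, and counts the rejected passwords for each source that later got in. The heredoc lines are constructed for the demo, and the function names and the AUTH_LOG variable are my own.

```shell
#!/bin/sh
# Added example (not from the original post): three small functions that
# answer questions 1, 2 and 4 from an sshd auth log. The log lines below are
# constructed for the demo; on the challenge box point AUTH_LOG at
# /var/log/auth.log.1 instead.
LC_ALL=C
export LC_ALL

AUTH_LOG=$(mktemp)
trap 'rm -f "$AUTH_LOG"' EXIT
cat > "$AUTH_LOG" <<'EOF'
Aug  1 07:40:50 linux-rz sshd[7461]: Failed password for invalid user test1 from 192.168.200.35 port 33874 ssh2
Aug  1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2
Aug  1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2
Aug  1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2
Aug  1 07:47:23 linux-rz sshd[7505]: Accepted password for root from 192.168.200.2 port 46563 ssh2
Aug  1 07:47:26 linux-rz sshd[7525]: Failed password for invalid user  from 192.168.200.2 port 37013 ssh2
Aug  1 07:52:59 linux-rz sshd[7606]: Failed password for root from 192.168.200.31 port 40364 ssh2
EOF

# Print the field after "from" instead of a fixed column such as $11 or
# $(NF-3): the position shifts between "for root from" and
# "for invalid user NAME from" lines, and an empty NAME shifts it again.
src_ip() { awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }'; }

# Sort dotted quads numerically (plain sort would put 10.x after 1.x) and
# join the unique values with "," the way the flag format wants them.
join_sorted_ips() {
    sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -u |
        awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'
}

# Q1: sources that tried to brute-force root, ascending
failed_root_ips() {
    grep -a 'Failed password for root from' "$1" | src_ip | join_sorted_ips
}

# Q2: sources that had a password accepted
accepted_ips() {
    grep -a 'Accepted password for' "$1" | src_ip | join_sorted_ips
}

# Q4: for every source that eventually got in, how many passwords were
# rejected first (any username, since the dictionary run precedes the hit)
failed_attempts_by_accepted_ip() {
    for ip in $(grep -a 'Accepted password for' "$1" | src_ip | sort -u); do
        n=$(grep -a 'Failed password for' "$1" | src_ip |
            awk -v ip="$ip" '$1 == ip { c++ } END { print c + 0 }')
        printf '%s %s\n' "$ip" "$n"
    done
}

failed_root_ips "$AUTH_LOG"
accepted_ips "$AUTH_LOG"
failed_attempts_by_accepted_ip "$AUTH_LOG"
```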

5. After logging in, the attacker created a backdoor user. What is the username?

Spreadsheet filtering

Filter on the new field. Two results show up here, though; how do we decide which one the attacker created after logging in?

If it cannot be told apart directly, we can locate the attacker's login and walk through the entries that follow it; that way we settle on test2.

Command filtering

cat auth.log.1 |grep -a "new user"

This also returns two results; again, we page through the log and use the surrounding context to decide.

So the flag is:

flag{test2}
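Questions 3 and 5 both come down to reading the right field out of each line and keeping session context; the following is an added example, not code from the original writeup. It extracts the tried usernames without losing root or the empty name, and it ties each "new user" event to whichever ssh sessions were still open at that moment. The heredoc lines are constructed for the demo (the trailing "debian" line mimics the image-build entry that follows the attacker's session in the real auth.log.1), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): extract the username
# dictionary (question 3) and tie each "new user" event to the ssh session
# that was open when it happened (question 5). Sample lines are constructed
# for the demo.
LC_ALL=C
export LC_ALL

AUTH_LOG=$(mktemp)
trap 'rm -f "$AUTH_LOG"' EXIT
cat > "$AUTH_LOG" <<'EOF'
Aug  1 07:40:50 linux-rz sshd[7461]: Failed password for invalid user test1 from 192.168.200.35 port 33874 ssh2
Aug  1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2
Aug  1 07:47:26 linux-rz sshd[7525]: Failed password for invalid user  from 192.168.200.2 port 37013 ssh2
Aug  1 07:50:37 linux-rz sshd[7539]: Accepted password for root from 192.168.200.2 port 48070 ssh2
Aug  1 07:50:45 linux-rz useradd[7551]: new user: name=test2, UID=1000, GID=1000, home=/home/test2, shell=/bin/sh
Aug  1 07:50:56 linux-rz sshd[7539]: pam_unix(sshd:session): session closed for user root
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: new user: name=debian, UID=1001, GID=1001, home=/home/debian, shell=/bin/bash
EOF

# Q3: every username a password was rejected for, deduplicated and joined
# with ",". Unlike /for(.*?) from/, this keeps "root" (which has no
# "invalid user" prefix) and shows the empty username as <empty> instead of
# the blank line the perl one-liner silently prints for it.
tried_usernames() {
    awk '/Failed password for / {
            s = $0
            sub(/.*Failed password for /, "", s)   # keep text after "for "
            sub(/ from [^ ]+ port .*/, "", s)      # drop source address and port
            sub(/^invalid user /, "", s)           # strip the prefix on unknown users
            print (s == "" ? "<empty>" : s)
        }' "$1" | sort -u |
        awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'
}

# Q5: track open sshd sessions by pid ("Accepted" opens one, "session
# closed" ends it) and, at each useradd "new user" line, report which remote
# addresses still had a session open. An account created with no open
# session was not created over ssh by the intruder.
new_users_with_session() {
    awk '
        /sshd\[[0-9]+\]: Accepted / {
            match($5, /[0-9]+/); pid = substr($5, RSTART, RLENGTH)
            for (i = 1; i < NF; i++) if ($i == "from") open[pid] = $(i + 1)
        }
        /sshd\[[0-9]+\]: pam_unix\(sshd:session\): session closed/ {
            match($5, /[0-9]+/); delete open[substr($5, RSTART, RLENGTH)]
        }
        /useradd\[[0-9]+\]: new user: / {
            match($0, /name=[^,]+/); name = substr($0, RSTART + 5, RLENGTH - 5)
            from = ""
            for (p in open) from = from (from == "" ? "" : "+") open[p]
            print name, (from == "" ? "no-open-ssh-session" : from)
        }' "$1"
}

tried_usernames "$AUTH_LOG"
new_users_with_session "$AUTH_LOG"
```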


A newbie venturing into the security world; corrections from the experts are welcome~~~

### Linux Incident Handling, Chapter 1 Contents

#### 1. Environment

When doing Linux incident response, first confirm the environment of the system at hand. On a Debian system the distribution details can be checked with `lsb_release -a`[^1].

```bash
root@ip-10-0-10-2:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster
```

#### 2. Log Analysis Basics

Log files are one of the most important resources in incident response, and especially so on Linux. Besides the usual syslog there is a log file dedicated to authentication events: `/var/log/auth.log`. It records not only users' login attempts but many other kinds of account activity as well[^2].

To avoid garbled output caused by binary data, add the `-a` option when reading these log entries with tools such as `grep`, so that the content is parsed as text:

```bash
cat /var/log/auth.log | grep -a "关键词"
```

#### 3. Security Audit Case Study

For a specific audit task, such as checking for brute-force attacks, several commands can be chained in a shell pipeline to automate the statistics. For example, to find the IP address with the most successful logins in a given period and how often it appears:

```bash
cat /var/log/auth.log* | grep -a "Accepted" | awk '{print $11}' | sort -nr | uniq -c
```

The command above filters all successful SSH connections and counts them grouped by remote host name or public IPv4 address[^4].

#### 4. Hands-on Tips

When facing real problems you may run into all kinds of unexpected situations; issues like the abnormal program termination caused by a wrongly set parameter mentioned earlier are part of the common challenges. Readers are therefore advised to practice and get familiar with common debugging techniques so that they can quickly locate and fix problems in a real environment.