• 用shell脚本检查服务器是否被注入
    时间:2009-09-20   作者:开源吧   出处:www.kaiyuanba.cn

    写程序难免出现漏洞,偶尔懒时,用一些开源的东东,其中漏洞更不好说,有些所谓的黑客发现网站漏洞肯定会欣喜若狂,于是乎把你的网站折腾的底朝天,传一些网页木马之类的东西,你的网站就不能清净了,为了避免这种情况,写了以下脚本,供大家享用!

    为了尽量减少网站被注入的可能,注意以下三点:

    1、尽可能不用开源的东西,开源的东西可以借鉴一下好的地方,但是不要全部搬过来

    2、自己写程序时,尽量细心,不要给自己的网站留有被黑的可能,这个还是去研究一下SQL注入吧

    3、经常检查web服务器日志和自己的程序文件,看看有没有被尝试注入和可疑文件。

    前两者好说,现在把监控服务器脚本共享给大家,有意见请联系:kaiyuanba@163.com,一起探讨

    #check hacker and warn
    #by alei
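    function urlencode(){
            # Percent-encode every byte of $1 as %XX (all bytes, not only reserved ones).
            # printf keeps the argument byte-for-byte: echo -n treats values such as
            # "-n" or "-e" as options and drops them. od -v disables duplicate-line
            # folding and joining od's output lines first removes the fixed line-width
            # limit of the original, so inputs of any length encode correctly.
            printf '%s' "$1" | od -A n -t x1 -v | tr -d ' \n' | sed 's/../%&/g'
    }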

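    function md5(){
            # Print the hex MD5 digest of the string $1 (the string itself, no newline).
            local sum
            # printf with a quoted argument hashes $1 exactly; the original
            # `echo -n $1` word-split the value (collapsing runs of whitespace)
            # and misread option-like values such as "-e".
            sum=$(printf '%s' "$1" | md5sum)
            # md5sum prints "<hex>  -"; keep only the digest.
            echo "${sum%% *}"
    }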
    #get a date string in format $1 for the time $2 hours before now
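    function getDateHourBefore(){
            # Print the time $2 hours before now, formatted with the date(1)
            # format string $1, e.g. getDateHourBefore %Y/%m/%d_%H 1.
            # $2 must be an integer; it defaults to 0 (now) when omitted.
            local now epoch
            now=$(date +%s)
            # Shell arithmetic removes the dependency on bc.
            epoch=$(( now - 3600 * ${2:-0} ))
            # date -d "@EPOCH" is GNU date syntax; the original also relied on GNU -d.
            # Printing directly keeps the format output intact (echo $c would
            # collapse any whitespace in it).
            date -d "@$epoch" +"$1"
    }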
    #$1=log file array,$2=search key,$3=log file
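    function checkLogs(){
        # Scan every file whose name starts with one of the prefixes in $1 for the
        # sed pattern $2 (lines are lowercased first, so write $2 in lowercase);
        # matching lines are appended to the report file $3.
        # Prints "1" if any file contained a match, "0" otherwise.
        local result="0" prefix candidate res
        # $1 arrives as one space-joined string ("${logs[*]}"), so the unquoted
        # expansion here is the intended word split into prefixes.
        for prefix in $1
        do
            # When nothing matches, the literal "prefix*" remains and fails -e,
            # which is reported as "not exists" below.
            for candidate in "$prefix"*
            do
                if [ -e "$candidate" ]
                then
                    # Lowercase before matching so the pattern is case-insensitive.
                    res=$(tr 'A-Z' 'a-z' < "$candidate" | sed -n "/$2/p")
                    if [ "$res" ]
                    then
                        result="1"
                        # printf, not echo -e: log lines are attacker-controlled and
                        # must not have their backslash escapes interpreted.
                        printf 'start in %s\n%s\nend\n\n' "$candidate" "$res" >> "$3"
                    fi
                else
                    printf '%s not exists\n\n' "$candidate" >> "$3"
                fi
            done
        done
        echo "$result"
    }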
    #$1=file path array,$2=key array $3=log file
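    function checkVitrualFies(){
        # Grep every *.php file under each directory listed in $1 for each
        # pattern in $2 (case-insensitive); hits are appended to the report $3.
        # Prints "1" if anything matched, "0" otherwise.
        local result="0" path key res
        # $1 and $2 arrive as space-joined strings ("${arr[*]}"), so the unquoted
        # loops below are the intended word split.
        for path in $1
        do
            if [ -e "$path" ]
            then
                for key in $2
                do
                    # -type f keeps grep off directories that happen to end in .php;
                    # "--" protects against a key starting with "-"; "+" batches the
                    # grep calls instead of one process per file.
                    res=$(find "$path" -type f -name "*.php" -exec grep -iH -- "$key" {} +)
                    if [ "$res" ]
                    then
                        result="1"
                        # printf, not echo -e: matched file content is untrusted and
                        # must not have its backslash escapes interpreted.
                        printf 'start in %s\n%s\nend\n\n' "$path" "$res" >> "$3"
                    fi
                done
            else
                printf '%s not exists\n\n' "$path" >> "$3"
            fi
        done
        echo "$result"
    }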
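    year=$(date +%Y)
    month=$(date +%m)
    day=$(date +%d)
    hour=$(date +%H)
    #hacker tag: becomes "1" once any check has found something
    checkResult="0"
    logFile="/opt/www/logs/checkHacker/newcheck.log"
    # printf instead of echo -e, and the report path quoted everywhere it is used.
    printf '=================================start at %s-%s-%s %s:%s=================================\n' \
        "$year" "$month" "$day" "$hour" "$(date +%M:%S)" >> "$logFile"
    printf 'starting check log...\n' >> "$logFile"
    #key: matched against lowercased log lines, so keep the pattern lowercase
    searchkey="union.*select"
    #log file prefixes: the current hour and the previous hour
    logs[0]="/var/lib/www/logs/$year/$month/${day}_$hour"
    logs[1]="/var/lib/www/logs/$(getDateHourBefore %Y/%m/%d_%H 1)"
    #check logs
    checkResult=$(checkLogs "${logs[*]}" "$searchkey" "$logFile")
    #check vitrual file
    printf 'starting check vitrual files ...\n' >> "$logFile"
    #check files
    vitrualPaths=(
        "/var/lib/www/dd.kaiyuanba.cn"
        "/var/lib/www/www.tt.kaiyuanba.cn"
        "/var/lib/www/in.erkaiyuanba.cn"
        "/var/lib/www/gt.kaiyuanba.cn"
        "/var/lib/www/in.sg.kaiyuanba.cn"
        "/var/lib/www/www.pet.kaiyuanba.cn"
        "/var/lib/www/in.rr.kaiyuanba.cn"
        "/var/lib/www/www.kaiyuanba.cn"
    )
    vitrualKeys=("Sniper" "4ngel")
    # Always run the file scan so the report is complete, but never let a clean
    # file scan clear a hit already recorded by the log check.
    fileResult=$(checkVitrualFies "${vitrualPaths[*]}" "${vitrualKeys[*]}" "$logFile")
    if [ "$fileResult" = "1" ]
    then
        checkResult="1"
    fi

    #check tag and send mail or message
    if [ "$checkResult" = "1" ]
    then
            # NOTE(review): the shared secret is embedded in the script and the alert
            # travels over plain HTTP; keeping the key in a file readable only by the
            # account running this job would at least stop it leaking with the script.
            key="xxxx"
            msg="xxx was hacking"
            mobile="12345678911"
            email="kaiyuanba@163.com"
            # The receiving endpoint recomputes this digest to authenticate the alert.
            auth=$(md5 "$msg$mobile$email$key")

            emsg=$(urlencode "$msg")
            emobile=$(urlencode "$mobile")
            eemail=$(urlencode "$email")
            eauth=$(urlencode "$auth")

            content="c=$emsg&m=$emobile&e=$eemail&a=$eauth"
            curl "http://www.kaiyuanba.cn/warn.php?$content"
    else
        echo "not send message"
    fi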

    这段脚本会把有被注入现象的日志输出到一个文本文件,可疑的文件路径以及文件名称也会输出到同一个文件,同时可以调用接口给技术人员发邮件和短信报警,技术同学便可以及时查看,或许一场很大的事故因此而避免了,恭喜!!

    呈现给大家另一段程序,只是日志文件的路径格式不同

    #check hacker and warn
    #by alei
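    function urlencode(){
            # Percent-encode every byte of $1 as %XX (all bytes, not only reserved ones).
            # printf keeps the argument byte-for-byte: echo -n treats values such as
            # "-n" or "-e" as options and drops them. od -v disables duplicate-line
            # folding and joining od's output lines first removes the fixed line-width
            # limit of the original, so inputs of any length encode correctly.
            printf '%s' "$1" | od -A n -t x1 -v | tr -d ' \n' | sed 's/../%&/g'
    }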

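    function md5(){
            # Print the hex MD5 digest of the string $1 (the string itself, no newline).
            local sum
            # printf with a quoted argument hashes $1 exactly; the original
            # `echo -n $1` word-split the value (collapsing runs of whitespace)
            # and misread option-like values such as "-e".
            sum=$(printf '%s' "$1" | md5sum)
            # md5sum prints "<hex>  -"; keep only the digest.
            echo "${sum%% *}"
    }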
    #get a date string in format $1 for the time $2 hours before now
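    function getDateHourBefore(){
            # Print the time $2 hours before now, formatted with the date(1)
            # format string $1, e.g. getDateHourBefore %Y%m%d_%H 1.
            # $2 must be an integer; it defaults to 0 (now) when omitted.
            local now epoch
            now=$(date +%s)
            # Shell arithmetic removes the dependency on bc.
            epoch=$(( now - 3600 * ${2:-0} ))
            # date -d "@EPOCH" is GNU date syntax; the original also relied on GNU -d.
            # Printing directly keeps the format output intact (echo $c would
            # collapse any whitespace in it).
            date -d "@$epoch" +"$1"
    }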
    #$1=log file array,$2=search key,$3=log file
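    function checkLogs(){
            # Scan every file whose name starts with one of the prefixes in $1 for the
            # sed pattern $2 (lines are lowercased first, so write $2 in lowercase);
            # matching lines are appended to the report file $3.
            # Prints "1" if any file contained a match, "0" otherwise.
            local result="0" prefix candidate res
            # $1 arrives as one space-joined string ("${logs[*]}"), so the unquoted
            # expansion here is the intended word split into prefixes.
            for prefix in $1
            do
                    # When nothing matches, the literal "prefix*" remains and fails -e,
                    # which is reported as "not exists" below.
                    for candidate in "$prefix"*
                    do
                            if [ -e "$candidate" ]
                            then
                                    # Lowercase before matching so the pattern is case-insensitive.
                                    res=$(tr 'A-Z' 'a-z' < "$candidate" | sed -n "/$2/p")
                                    if [ "$res" ]
                                    then
                                            result="1"
                                            # printf, not echo -e: log lines are attacker-controlled
                                            # and must not have their backslash escapes interpreted.
                                            printf 'start in %s\n%s\nend\n\n' "$candidate" "$res" >> "$3"
                                    fi
                            else
                                    printf '%s not exists\n\n' "$candidate" >> "$3"
                            fi
                    done
            done
            echo "$result"
    }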

    #$1=file path array,$2=key array $3=log file
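    function checkVitrualFies(){
            # Grep every *.php file under each directory listed in $1 for each
            # pattern in $2 (case-insensitive); hits are appended to the report $3.
            # Prints "1" if anything matched, "0" otherwise.
            local result="0" path key res
            # $1 and $2 arrive as space-joined strings ("${arr[*]}"), so the unquoted
            # loops below are the intended word split.
            for path in $1
            do
                    if [ -e "$path" ]
                    then
                            for key in $2
                            do
                                    # -type f keeps grep off directories that happen to end in
                                    # .php; "--" protects against a key starting with "-"; "+"
                                    # batches the grep calls instead of one process per file.
                                    res=$(find "$path" -type f -name "*.php" -exec grep -iH -- "$key" {} +)
                                    if [ "$res" ]
                                    then
                                            result="1"
                                            # printf, not echo -e: matched file content is untrusted
                                            # and must not have its backslash escapes interpreted.
                                            printf 'start in %s\n%s\nend\n\n' "$path" "$res" >> "$3"
                                    fi
                            done
                    else
                            printf '%s not exists\n\n' "$path" >> "$3"
                    fi
            done
            echo "$result"
    }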
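    year=$(date +%Y)
    month=$(date +%m)
    day=$(date +%d)
    hour=$(date +%H)
    #hacker tag: becomes "1" once any check has found something
    checkResult="0"
    logFile="/opt/www/logs/checkHacker/newcheck.log"
    #logFile="newcheck.log"   # local testing
    # printf instead of echo -e, and the report path quoted everywhere it is used.
    printf '=================================start at %s-%s-%s %s:%s=================================\n' \
            "$year" "$month" "$day" "$hour" "$(date +%M:%S)" >> "$logFile"
    printf 'starting check log...\n' >> "$logFile"
    #key: matched against lowercased log lines, so keep the pattern lowercase
    searchkey="union.*select"

    #log file prefixes: the current hour and the previous hour
    logs[0]="/data/logs/access/${year}${month}${day}_$hour"
    logs[1]="/data/logs/access/$(getDateHourBefore %Y%m%d_%H 1)"
    #check logs
    checkResult=$(checkLogs "${logs[*]}" "$searchkey" "$logFile")
    #check vitrual file
    printf 'starting check vitrual files ...\n' >> "$logFile"
    #check files
    vitrualPaths=(
            "/data/KKWWW/www"
            "/data/KKWWW/in.kaiyuanba.cn"
            "/data/xdrj"
            "/data/tlf"
            "/data/KKWWW/pub"
    )
    vitrualKeys=("Sniper" "4ngel")
    # Always run the file scan so the report is complete, but never let a clean
    # file scan clear a hit already recorded by the log check.
    fileResult=$(checkVitrualFies "${vitrualPaths[*]}" "${vitrualKeys[*]}" "$logFile")
    if [ "$fileResult" = "1" ]
    then
            checkResult="1"
    fi

    #check tag and send mail or message
    if [ "$checkResult" = "1" ]
    then
            # NOTE(review): the shared secret is embedded in the script and the alert
            # travels over plain HTTP; keeping the key in a file readable only by the
            # account running this job would at least stop it leaking with the script.
            key="xxxx"
            msg="xxx was hacking"
            mobile="12345678911"
            email="kaiyuanba@163.com"
            # The receiving endpoint recomputes this digest to authenticate the alert.
            auth=$(md5 "$msg$mobile$email$key")

            emsg=$(urlencode "$msg")
            emobile=$(urlencode "$mobile")
            eemail=$(urlencode "$email")
            eauth=$(urlencode "$auth")

            content="c=$emsg&m=$emobile&e=$eemail&a=$eauth"
            curl "http://www.kaiyuanba.cn/warn.php?$content"
    else
            echo "not send message"
    fi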
