LinuxCheck is a small Linux information-collection script intended mainly for emergency response (incident triage). It runs on Debian and CentOS.
Features
- CPU top 10 and memory top 10 processes
- CPU usage
- Boot time
- Disk space information
- User information and /etc/passwd contents
- Environment variable checks
- Service list
- Changes to system programs (debsums -e on Debian, rpm -va on CentOS)
- Network traffic statistics
- Network connections and listening ports
- Open ports
- Routing table
- Route forwarding status
- ARP table
- DNS servers
- SSH login records
- SSH login source IPs
- iptables rules
- SSH key checks
- SSH brute-force source IPs
- Crontab checks
- Crontab backdoor detection
- Common configuration file search
- Common software search
- Shell history file audit
- hosts file review
- Anomalous kernel modules (lsmod)
- Anomalous file detection (nc, tunnelling and proxy tools commonly used by attackers)
- Large file detection (large packaged archives)
- Free space and mounted filesystems
- LD_PRELOAD detection
- LD_LIBRARY_PATH check
- ld.so.preload check
- NIC promiscuous mode
- Most used software
- Files whose mtime changed in the last 7 days
- Files whose ctime changed in the last 7 days
- SUID file listing
- Hidden file search
- Sensitive file search (nc, nmap, tunnelling tools)
- alias definitions
- lsof +L1 (open files whose link count is 0, i.e. deleted but still open)
- sshd configuration
- Bash reverse shell detection
- PHP webshell scan
- JSP webshell scan
- ASP/ASPX webshell scan
- Cryptomining process detection
- rkhunter scan
Usage
The script needs ag (the_silver_searcher); install it first.
With network access:
- Debian: apt-get install silversearcher-ag
- CentOS: yum -y install the_silver_searcher
Without network access, from local package files:
- Debian: dpkg -i silversearcher-ag_2.2.0-1+b1_amd64.deb
- CentOS: rpm -ivh the_silver_searcher-2.1.0-1.el7.x86_64.rpm
Then run the script:
```sh
chmod u+x LinuxCheck.sh
./LinuxCheck.sh
```
If ag and rkhunter are already installed, you can run it directly with the following command:
```sh
bash -c "$(curl -sSL https://raw.githubusercontent.com/al0ne/LinuxCheck/master/LinuxCheck.sh)"
```
The report is saved to a file named ipaddr_hostname_username_timestamp.log.
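As an added example (not LinuxCheck's own code), the following POSIX shell module implements a few of the checks from the feature list above (ld.so.preload and LD_PRELOAD/LD_LIBRARY_PATH, unexpected SUID files, files changed in the last 7 days) and writes a report named as described under Usage. Each check takes the path it inspects as an argument so it can be pointed at "/" on the live host or at a mounted disk image; the SUID allow-list, the function names and the `noip` fallback are assumptions, not part of the project.

```shell
#!/bin/sh
# Added example, not LinuxCheck's own code: a few of the checks listed above
# (ld.so.preload / LD_PRELOAD, unexpected SUID files, recently changed files)
# as functions that take the path they inspect, so they can run against "/"
# on the live host or against a mounted disk image.
set -u

# Active (non-comment) entries of an ld.so.preload file. On a clean host the
# file is normally absent or empty, so every line printed is a finding.
check_preload_file() {  # $1 path to ld.so.preload
  [ -f "$1" ] || return 0
  grep -Ev '^[[:space:]]*(#|$)' "$1" | sed 's/^/ld.so.preload: /'
  return 0
}
# LD_PRELOAD / LD_LIBRARY_PATH set in the environment the checks run in.
check_preload_env() {
  [ -z "${LD_PRELOAD:-}" ] || echo "LD_PRELOAD=$LD_PRELOAD"
  [ -z "${LD_LIBRARY_PATH:-}" ] || echo "LD_LIBRARY_PATH=$LD_LIBRARY_PATH"
}
# SUID files under $1 whose basename is not in the space-separated allow-list
# $2. The default list is a constructed starting point, not a complete list of
# legitimate SUID binaries for any distribution; tune it to your baseline.
SUID_ALLOW="passwd su sudo mount umount ping chsh chfn newgrp gpasswd"
check_suid() {  # $1 dir, $2 allow-list (optional)
  allow=" ${2:-$SUID_ALLOW} "
  find "$1" -xdev -type f -perm -4000 2>/dev/null | while read -r f; do
    case "$allow" in *" $(basename "$f") "*) ;; *) echo "suid: $f" ;; esac
  done
}
# Regular files under $1 with mtime or ctime within the last $2 days.
check_recent() {  # $1 dir, $2 days
  find "$1" -xdev -type f \( -mtime -"$2" -o -ctime -"$2" \) 2>/dev/null |
    sed 's/^/recent: /'
}
# Report name in the layout the README describes:
# ipaddr_hostname_username_timestamp.log
report_name() {  # $1 ip, $2 hostname, $3 user, $4 timestamp
  printf '%s_%s_%s_%s.log' "$1" "$2" "$3" "$4"
}
# Run all checks against filesystem root $1, write the report into directory
# $2 and print the report path. Use "/" as $1 on the live host.
run_triage() {  # $1 root, $2 output dir, $3 days (default 7)
  ip=$(hostname -I 2>/dev/null | cut -d' ' -f1); ip=${ip:-noip}
  out="$2/$(report_name "$ip" "$(hostname)" "$(id -un)" "$(date +%Y%m%d%H%M%S)")"
  { check_preload_file "$1/etc/ld.so.preload"; check_preload_env
    check_suid "$1"; check_recent "$1/etc" "${3:-7}"; } > "$out"
  echo "$out"
}
```

Running `run_triage / .` as root reproduces the three checks on the live host; pointing it at a mounted image root makes the same checks usable offline on a disk copy.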
References
LinEnum
https://github.com/lis912/Evaluation_tools
https://ixyzero.com/blog/archives/4.html
https://github.com/T0xst/linux
https://github.com/grayddq/GScan