\u5728\u7f51\u7edc\u5b89\u5168\u5e94\u6025\u54cd\u5e94\uff08Incident Response\uff09\u4e2d\uff0c\u73b0\u573a\u73af\u5883\u5f80\u5f80\u590d\u6742\u4e14\u53d7\u9650\u3002\u5b89\u5168\u5de5\u7a0b\u5e08\u9700\u8981\u5728\u4e0d\u7834\u574f\u73b0\u573a\u8bc1\u636e\u7684\u524d\u63d0\u4e0b\uff0c\u5feb\u901f\u6536\u96c6\u7cfb\u7edf\u72b6\u6001\u3001\u5206\u6790\u65e5\u5fd7\u5e76\u5b9a\u4f4d\u6076\u610f\u6587\u4ef6\u3002<\/p>\n\n\n\n
\u867d\u7136\u6709\u8bb8\u591a\u6210\u719f\u7684 EDR \u548c\u5546\u4e1a\u5de5\u5177\uff0c\u4f46\u5728\u7d27\u6025\u60c5\u51b5\u4e0b\uff0c\u8f7b\u91cf\u7ea7\u3001\u53ef\u5b9a\u5236\u7684 Python \u6216 Shell \u811a\u672c\u5f80\u5f80\u662f\u6700\u597d\u7528\u7684\u201c\u745e\u58eb\u519b\u5200\u201d\u3002\u672c\u6587\u63d0\u4f9b\u4e09\u4e2a\u5e94\u6025\u54cd\u5e94\u4e2d\u6700\u5e38\u7528\u7684\u5b9e\u6218\u811a\u672c\u793a\u4f8b\u3002<\/p>\n\n\n\n
\u76ee\u6807<\/strong>\uff1a\u5feb\u901f\u83b7\u53d6\u5f53\u524d\u7cfb\u7edf\u7684\u8fdb\u7a0b\u5217\u8868\u3001\u7f51\u7edc\u8fde\u63a5\u3001\u7528\u6237\u4fe1\u606f\u548c\u8ba1\u5212\u4efb\u52a1\uff0c\u7528\u4e8e\u540e\u7eed\u79bb\u7ebf\u5206\u6790\u3002 \u7279\u70b9<\/strong>\uff1a\u4f7f\u7528 Python \u6807\u51c6\u5e93 \u76ee\u6807<\/strong>\uff1a\u4ece\u6d77\u91cf\u7684 Web \u8bbf\u95ee\u65e5\u5fd7\uff08Apache\/Nginx\uff09\u4e2d\u7b5b\u9009\u51fa SQL \u6ce8\u5165\u3001XSS \u6216 Webshell \u8fde\u63a5\u7684\u75d5\u8ff9\u3002 \u7279\u70b9<\/strong>\uff1a\u57fa\u4e8e\u6b63\u5219\u5339\u914d\uff0c\u5feb\u901f\u5b9a\u4f4d\u653b\u51fb\u6e90 IP\u3002<\/p>\n\n\n \u76ee\u6807<\/strong>\uff1a\u626b\u63cf Web \u76ee\u5f55\uff0c\u627e\u51fa\u6700\u8fd1\u88ab\u4fee\u6539\u7684\u6587\u4ef6\uff08\u53ef\u80fd\u662f\u653b\u51fb\u8005\u4e0a\u4f20\u7684\u9a6c\uff09\u4ee5\u53ca\u5305\u542b\u5371\u9669\u51fd\u6570\u7684\u6587\u4ef6\u3002 \u7279\u70b9<\/strong>\uff1a\u7ed3\u5408\u65f6\u95f4\u6233\u548c\u6587\u4ef6\u5185\u5bb9\u7279\u5f81\u3002<\/p>\n\n\n \u9664\u4e86\u4e0a\u8ff0\u81ea\u7f16\u811a\u672c\uff0c\u4ee5\u4e0b\u73b0\u6210\u5de5\u5177\u4e5f\u662f\u5e94\u6025\u54cd\u5e94\u7684\u6807\u51c6\u914d\u7f6e\uff1a<\/p>\n\n\n\n \u5de5\u5177\u53ea\u662f\u8f85\u52a9\uff0c\u6838\u5fc3\u5728\u4e8e\u5206\u6790\u601d\u8def<\/strong>\u3002\u5728\u6267\u884c\u4e0a\u8ff0\u811a\u672c\u65f6\uff0c\u8bf7\u52a1\u5fc5\u6ce8\u610f\uff1a<\/p>\n\n\n\nsubprocess<\/code>\uff0c\u65e0\u9700\u5b89\u88c5 psutil<\/code>\uff0c\u517c\u5bb9\u6027\u5f3a\u3002<\/p>\n\n\n\nimport subprocess\nimport os\nimport datetime\n\ndef run_command(cmd, description):\n print(f"[*] \u6b63\u5728\u6536\u96c6: {description}...")\n try:\n # \u4f7f\u7528 shell=True \u5141\u8bb8\u4f7f\u7528\u7ba1\u9053\u7b26\uff0c\u4f46\u9700\u6ce8\u610f\u5b89\u5168\u98ce\u9669\uff08\u6b64\u5904\u4e3a\u5185\u90e8\u5de5\u5177\uff0c\u76f8\u5bf9\u53ef\u63a7\uff09\n result = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)\n return f"\\n=== {description} ===\\n" + result.decode('utf-8', errors='ignore')\n except subprocess.CalledProcessError as e:\n return f"\\n=== {description} (ERROR) ===\\n" + str(e.output)\n\ndef collect_linux_info():\n report = f"\u7cfb\u7edf\u4fe1\u606f\u6536\u96c6\u62a5\u544a - \u65f6\u95f4: {datetime.datetime.now()}\\n"\n \n # 1. \u5f53\u524d\u767b\u5f55\u7528\u6237\n report += run_command("w", "\u5f53\u524d\u767b\u5f55\u7528\u6237")\n \n # 2. \u5f02\u5e38\u7f51\u7edc\u8fde\u63a5 (\u5173\u6ce8 ESTABLISHED \u548c LISTEN)\n # -p: \u663e\u793a\u8fdb\u7a0bPID, -n: \u4e0d\u89e3\u6790\u57df\u540d (\u52a0\u901f)\n report += run_command("netstat -antlp", "\u7f51\u7edc\u8fde\u63a5\u4e0e\u5bf9\u5e94\u8fdb\u7a0b")\n \n # 3. \u8fdb\u7a0b\u5217\u8868 (\u6309 CPU\/\u5185\u5b58\u6392\u5e8f)\n report += run_command("ps -aux --sort=-pcpu | head -20", "Top 20 CPU \u5360\u7528\u8fdb\u7a0b")\n \n # 4. \u68c0\u67e5\u5b9a\u65f6\u4efb\u52a1\n report += run_command("cat \/etc\/crontab", "\u7cfb\u7edf\u7ea7 Crontab")\n report += run_command("ls -la \/var\/spool\/cron\/", "\u7528\u6237\u7ea7 Crontab \u76ee\u5f55")\n \n # 5. \u68c0\u67e5\u6700\u8fd1\u4fee\u6539\u7684\u654f\u611f\u6587\u4ef6 (\u5982 \/etc\/passwd, \/etc\/shadow)\n # \u67e5\u627e 7 \u5929\u5185\u4fee\u6539\u8fc7\u7684 \/etc \u4e0b\u7684\u6587\u4ef6\n report += run_command("find \/etc -type f -mtime -7 2>\/dev\/null", "\u6700\u8fd17\u5929\u4fee\u6539\u7684\u914d\u7f6e")\n\n # \u4fdd\u5b58\u62a5\u544a\n filename = f"ir_report_{datetime.datetime.now().strftime('%Y%m%d_%H%M%S')}.txt"\n with open(filename, "w") as f:\n f.write(report)\n print(f"\\n[+] \u6536\u96c6\u5b8c\u6210\uff0c\u62a5\u544a\u5df2\u4fdd\u5b58\u81f3: {filename}")\n\nif __name__ == "__main__":\n if os.name == 'posix':\n collect_linux_info()\n else:\n print("\u6b64\u793a\u4f8b\u811a\u672c\u4e3b\u8981\u9488\u5bf9 Linux \u73af\u5883\uff0cWindows \u5efa\u8bae\u4f7f\u7528 PowerShell \u6216 WMIC\u3002")\n\n<\/pre><\/div>\n\n\n\u573a\u666f\u4e8c\uff1aWeb \u65e5\u5fd7\u653b\u51fb\u7279\u5f81\u5206\u6790 (Log Analyzer)<\/h2>\n\n\n\n
\nimport re\nimport sys\n\n# \u5b9a\u4e49\u5e38\u89c1\u7684\u653b\u51fb\u7279\u5f81\u6b63\u5219\nATTACK_PATTERNS = {\n 'SQL_Injection': r"(union.*select|select.*from|information_schema|waitfor.*delay|sleep\\()",\n 'XSS': r"(<script>|alert\\(|javascript:|onerror=)",\n 'Webshell_Connect': r"(cmd=|eval\\(|whoami|exec\\(|system\\()",\n 'Directory_Traversal': r"(\\.\\.\/\\.\\.\/|\/etc\/passwd|c:\\\\windows)",\n 'Struts2_RCE': r"(org\\.apache\\.struts2|ognl)"\n}\n\ndef analyze_log(log_file):\n print(f"[*] \u5f00\u59cb\u5206\u6790\u65e5\u5fd7\u6587\u4ef6: {log_file}")\n \n suspicious_count = 0\n ip_stats = {}\n \n try:\n with open(log_file, 'r', encoding='utf-8', errors='ignore') as f:\n for line in f:\n # \u7b80\u5355\u7684 Nginx\/Apache \u65e5\u5fd7\u89e3\u7801\n # \u5047\u8bbe\u683c\u5f0f: IP - - [Date] "Request" Status Bytes ...\n # \u8fd9\u91cc\u53ea\u505a\u7b80\u5355\u7684\u5168\u6587\u5339\u914d\uff0c\u5b9e\u9645\u573a\u666f\u53ef\u7cbe\u7ec6\u5316\u89e3\u6790\n \n is_suspicious = False\n for attack_type, pattern in ATTACK_PATTERNS.items():\n if re.search(pattern, line, re.IGNORECASE):\n print(f"[!] \u53d1\u73b0\u7591\u4f3c {attack_type} \u653b\u51fb:")\n print(f" {line.strip()[:200]}...") # \u53ea\u6253\u5370\u524d200\u5b57\u7b26\n is_suspicious = True\n suspicious_count += 1\n break # \u4e00\u884c\u53ea\u62a5\u4e00\u6b21\n \n if is_suspicious:\n # \u5c1d\u8bd5\u63d0\u53d6 IP (\u7b80\u5355\u6b63\u5219\uff0c\u5339\u914d\u884c\u9996 IP)\n ip_match = re.match(r"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})", line)\n if ip_match:\n ip = ip_match.group(1)\n ip_stats[ip] = ip_stats.get(ip, 0) + 1\n\n except FileNotFoundError:\n print("[-] \u9519\u8bef\uff1a\u627e\u4e0d\u5230\u65e5\u5fd7\u6587\u4ef6\u3002")\n return\n\n print(f"\\n[*] \u5206\u6790\u7ed3\u675f\u3002\u5171\u53d1\u73b0 {suspicious_count} \u6761\u53ef\u7591\u8bb0\u5f55\u3002")\n if ip_stats:\n print("\\n[+] \u53ef\u7591 IP TOP 5:")\n sorted_ips = sorted(ip_stats.items(), key=lambda x: x[1], reverse=True)[:5]\n for ip, count in sorted_ips:\n print(f" IP: {ip} - \u89e6\u53d1\u6b21\u6570: {count}")\n\nif __name__ == "__main__":\n # \u4f7f\u7528\u65b9\u5f0f: python log_analyzer.py \/var\/log\/nginx\/access.log\n if len(sys.argv) < 2:\n print("Usage: python log_analyzer.py <logfile_path>")\n else:\n analyze_log(sys.argv[1])\n\n<\/pre><\/div>\n\n\n\u573a\u666f\u4e09\uff1aWebshell \u4e0e\u53d8\u52a8\u6587\u4ef6\u626b\u63cf (File Scanner)<\/h2>\n\n\n\n
\nimport os\nimport time\n\n# \u914d\u7f6e\u626b\u63cf\u76ee\u5f55\u548c\u654f\u611f\u6269\u5c55\u540d\nSCAN_DIR = "\/var\/www\/html" # \u4fee\u6539\u4e3a\u5b9e\u9645 Web \u6839\u76ee\u5f55\nEXTENSIONS = ['.php', '.jsp', '.asp', '.aspx']\n\n# \u5371\u9669\u51fd\u6570\u7279\u5f81 (PHP\u793a\u4f8b)\nWEBSHELL_SIGNATURES = [\n b'eval($_POST', \n b'system($_GET', \n b'shell_exec', \n b'base64_decode', \n b'assert('\n]\n\ndef scan_files(directory):\n print(f"[*] \u5f00\u59cb\u626b\u63cf\u76ee\u5f55: {directory}")\n print(f"[*] \u67e5\u627e\u6700\u8fd1 24 \u5c0f\u65f6\u5185\u4fee\u6539\u8fc7\u7684\u811a\u672c\u6587\u4ef6...")\n \n now = time.time()\n one_day_ago = now - (24 * 60 * 60)\n \n for root, dirs, files in os.walk(directory):\n for filename in files:\n filepath = os.path.join(root, filename)\n _, ext = os.path.splitext(filename)\n \n if ext.lower() not in EXTENSIONS:\n continue\n \n try:\n # 1. \u68c0\u67e5\u6587\u4ef6\u4fee\u6539\u65f6\u95f4 (mtime)\n file_stats = os.stat(filepath)\n mtime = file_stats.st_mtime\n \n if mtime > one_day_ago:\n print(f"[Time] \u6700\u8fd1\u4fee\u6539: {filepath} (\u65f6\u95f4: {time.ctime(mtime)})")\n \n # 2. \u68c0\u67e5\u6587\u4ef6\u5185\u5bb9\u7279\u5f81\n with open(filepath, 'rb') as f:\n content = f.read()\n for sig in WEBSHELL_SIGNATURES:\n if sig in content:\n print(f"[Danger] \u53d1\u73b0\u5371\u9669\u7279\u5f81 '{sig.decode()}': {filepath}")\n break\n \n except Exception as e:\n print(f"[-] \u65e0\u6cd5\u8bfb\u53d6\u6587\u4ef6: {filepath} - {e}")\n\nif __name__ == "__main__":\n if os.path.exists(SCAN_DIR):\n scan_files(SCAN_DIR)\n else:\n print(f"[-] \u76ee\u5f55\u4e0d\u5b58\u5728: {SCAN_DIR}")\n\n<\/pre><\/div>\n\n\n\u5e94\u6025\u54cd\u5e94\u5de5\u5177\u7bb1\u63a8\u8350<\/h2>\n\n\n\n
\n
\n
Process Explorer<\/code>: \u67e5\u770b\u8fdb\u7a0b\u5c42\u7ea7\u3001\u52a0\u8f7d\u7684 DLL\u3002<\/li>\n\n\n\nAutoruns<\/code>: \u6700\u5168\u7684\u542f\u52a8\u9879\u68c0\u67e5\u5de5\u5177\u3002<\/li>\n\n\n\nTCPView<\/code>: \u5b9e\u65f6\u67e5\u770b\u7aef\u53e3\u8fde\u63a5\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n\n
ls<\/code>, ps<\/code>\uff09\u88ab\u690d\u5165 rootkit \u66ff\u6362\u4e86\uff0c\u4e0a\u4f20\u4e00\u4e2a\u9759\u6001\u7f16\u8bd1\u7684 busybox \u53ef\u4ee5\u4f7f\u7528\u5e72\u51c0\u7684\u6307\u4ee4\u96c6\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n\n
\n
\u7ed3\u8bed<\/h2>\n\n\n\n
\n