Challenge overview
Account: root, password: linuxrz
ssh root@IP
1. Which IPs brute-forced the host's SSH root account? If there are several, separate them with ","
2. Which IP's SSH brute force succeeded in logging in? If there are several, separate them with ","
3. What username dictionary was used for the brute force? If there are several entries, separate them with ","
4. How many attempts did the IP that logged in successfully make?
5. After logging in, the attacker created a backdoor user. What is its username?
root@ip-10-0-10-3:~# cd /var/log
root@ip-10-0-10-3:/var/log# ls
alternatives.log auth.log.1 cloud-init.log debug.1 kern.log.1 private wtmp
alternatives.log.1 aws114_ssm_agent_installation.log cloud-init-output.log dpkg.log lastlog syslog
amazon bootstrap.log daemon.log dpkg.log.1 messages syslog.1
apt btmp daemon.log.1 faillog messages.1 user.log
auth.log btmp.1 debug kern.log ntpstats user.log.1
auth.log records authentication-related events such as SSH logins, sudo usage and user verification (successful and failed SSH logins, executed sudo commands, and so on).
Failed SSH brute-force login attempts against root are recorded as "Failed password for root", so they can be filtered out with grep.
root@ip-10-0-10-3:/var/log# cat auth.log.1 | grep -a "Failed password for root"
Aug 1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2
Aug 1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2
Aug 1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2
Aug 1 07:47:20 linux-rz sshd[7501]: Failed password for root from 192.168.200.2 port 39967 ssh2
Aug 1 07:47:22 linux-rz sshd[7503]: Failed password for root from 192.168.200.2 port 46647 ssh2
Aug 1 07:52:59 linux-rz sshd[7606]: Failed password for root from 192.168.200.31 port 40364 ssh2
If there are only a few entries you can filter the failed-login lines directly (as above); with many entries it is better to combine several commands (as below).
root@ip-10-0-10-3:/var/log# cat auth.log.1 | grep -a "Failed password for root" | awk '{print $11}' | sort | uniq -c | sort -nr | more
4 192.168.200.2
1 192.168.200.32
1 192.168.200.31
Command breakdown:
cat auth.log.1 | grep -a "Failed password for root" | awk '{print $11}' | sort | uniq -c | sort -nr | more
cat auth.log.1: read the contents of auth.log.1.
grep -a "Failed password for root": keep only lines containing "Failed password for root" (-a processes the file as text even if it contains binary bytes).
awk '{print $11}': extract the 11th whitespace-separated field of each line, which is the source IP address.
sort: sort the extracted IP addresses lexicographically so that identical addresses end up adjacent.
uniq -c: collapse adjacent duplicate IP addresses and count how many times each occurs.
sort -nr: order by frequency, descending (-n numeric sort, -r reverse).
flag{192.168.200.2,192.168.200.31,192.168.200.32}
Successful SSH logins are recorded with the text "Accepted password", so filtering on that string with grep is enough.
root@ip-10-0-10-3:/var/log# cat auth.log.1|grep -a "Accepted "
Aug 1 07:47:23 linux-rz sshd[7505]: Accepted password for root from 192.168.200.2 port 46563 ssh2
Aug 1 07:50:37 linux-rz sshd[7539]: Accepted password for root from 192.168.200.2 port 48070 ssh2
flag{192.168.200.2}
To recover the username dictionary, filter on the "Failed password" field.
root@ip-10-0-10-3:/var/log# cat auth.log.1|grep -a "Failed password"
Aug 1 07:40:50 linux-rz sshd[7461]: Failed password for invalid user test1 from 192.168.200.35 port 33874 ssh2
Aug 1 07:41:04 linux-rz sshd[7465]: Failed password for invalid user test2 from 192.168.200.35 port 51640 ssh2
Aug 1 07:41:13 linux-rz sshd[7468]: Failed password for invalid user test3 from 192.168.200.35 port 48168 ssh2
Aug 1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2
Aug 1 07:46:41 linux-rz sshd[7475]: Failed password for invalid user user from 192.168.200.2 port 36149 ssh2
Aug 1 07:46:47 linux-rz sshd[7478]: Failed password for invalid user user from 192.168.200.2 port 44425 ssh2
Aug 1 07:46:50 linux-rz sshd[7480]: Failed password for invalid user user from 192.168.200.2 port 38791 ssh2
Aug 1 07:46:54 linux-rz sshd[7482]: Failed password for invalid user user from 192.168.200.2 port 37489 ssh2
Aug 1 07:46:56 linux-rz sshd[7484]: Failed password for invalid user user from 192.168.200.2 port 35575 ssh2
Aug 1 07:46:59 linux-rz sshd[7486]: Failed password for invalid user hello from 192.168.200.2 port 35833 ssh2
Aug 1 07:47:02 linux-rz sshd[7489]: Failed password for invalid user hello from 192.168.200.2 port 37653 ssh2
Aug 1 07:47:04 linux-rz sshd[7491]: Failed password for invalid user hello from 192.168.200.2 port 37917 ssh2
Aug 1 07:47:08 linux-rz sshd[7493]: Failed password for invalid user hello from 192.168.200.2 port 41957 ssh2
Aug 1 07:47:10 linux-rz sshd[7495]: Failed password for invalid user hello from 192.168.200.2 port 39685 ssh2
Aug 1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2
Aug 1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2
Aug 1 07:47:20 linux-rz sshd[7501]: Failed password for root from 192.168.200.2 port 39967 ssh2
Aug 1 07:47:22 linux-rz sshd[7503]: Failed password for root from 192.168.200.2 port 46647 ssh2
Aug 1 07:47:26 linux-rz sshd[7525]: Failed password for invalid user from 192.168.200.2 port 37013 ssh2
Aug 1 07:47:30 linux-rz sshd[7528]: Failed password for invalid user from 192.168.200.2 port 37545 ssh2
Aug 1 07:47:32 linux-rz sshd[7530]: Failed password for invalid user from 192.168.200.2 port 39111 ssh2
Aug 1 07:47:35 linux-rz sshd[7532]: Failed password for invalid user from 192.168.200.2 port 35173 ssh2
Aug 1 07:47:39 linux-rz sshd[7534]: Failed password for invalid user from 192.168.200.2 port 45807 ssh2
Aug 1 07:52:59 linux-rz sshd[7606]: Failed password for root from 192.168.200.31 port 40364 ssh2
That is still too much output, so it needs further filtering. The text between "for" and "from" is the username, so match that part of each line.
Filtering method 1:
root@ip-10-0-10-3:/var/log# cat auth.log.1|grep -a "Failed password"| grep -o 'for .* from'|uniq -c|sort -nr
5 for invalid user user from
5 for invalid user hello from
5 for invalid user from
4 for root from
1 for root from
1 for root from
1 for invalid user test3 from
1 for invalid user test2 from
1 for invalid user test1 from
Filtering method 2:
root@ip-10-0-10-3:/var/log# cat auth.log.1|grep -a "Failed password" cat auth.log.1 | grep -a "Failed password" |perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}'|uniq -c|sort -nr
grep: cat: No such file or directory
5 invalid user user
5 invalid user hello
5 invalid user
4 root
1 root
1 root
1 invalid user test3
1 invalid user test2
1 invalid user test1
Command breakdown:
cat auth.log.1|grep -a "Failed password"| grep -o 'for .* from'|uniq -c|sort -nr
cat auth.log.1: read the contents of auth.log.1.
grep -a "Failed password": keep only lines containing "Failed password".
grep -o 'for .* from': extract the part of each line matching "for ... from"; -o prints only the matched text instead of the whole line.
uniq -c: collapse adjacent duplicate lines and count their occurrences. uniq only merges lines that are next to each other, which is why "for root from" appears three times (4, 1, 1) in the output above; adding sort before uniq -c merges them into a single total.
sort -nr: order by frequency, descending (-n numeric sort, -r reverse).
The pasted method-2 command contains a duplicated "cat auth.log.1" fragment, which is what produced the "grep: cat: No such file or directory" message; the intended command is:
cat auth.log.1 | grep -a "Failed password" | perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n"; }' | uniq -c | sort -nr
cat auth.log.1: read the contents of auth.log.1.
grep -a "Failed password": keep only lines containing "Failed password".
perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n"; }': use perl with a regular expression.
  while($_=<>): read standard input (the preceding grep output) line by line.
  /for(.*?) from/: match "for <content> from" and capture <content>.
  print "$1\n";: print the first capture group, $1.
uniq -c: collapse adjacent duplicate lines and count their occurrences (same adjacency caveat as in method 1).
sort -nr: order by frequency, descending (-n numeric sort, -r reverse).
flag{user,hello,root,test3,test2,test1}
From question 2 we know that the IP that logged in successfully is 192.168.200.2, so filter on that IP together with the user it logged in as.
root@ip-10-0-10-3:/var/log# cat auth.log.1|grep -a "192.168.200.2"|grep "for root"
Aug 1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2
Aug 1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2
Aug 1 07:47:20 linux-rz sshd[7501]: Failed password for root from 192.168.200.2 port 39967 ssh2
Aug 1 07:47:22 linux-rz sshd[7503]: Failed password for root from 192.168.200.2 port 46647 ssh2
The same lines can also be seen in the output for question 1.
flag{4}
Use grep to filter on the keyword "new user", which useradd logs when an account is created.
root@ip-10-0-10-3:/var/log# cat auth.log.1|grep -a "new user"
Aug 1 07:50:45 linux-rz useradd[7551]: new user: name=test2, UID=1000, GID=1000, home=/home/test2, shell=/bin/sh
Aug 1 08:18:27 ip-172-31-37-190 useradd[487]: new user: name=debian, UID=1001, GID=1001, home=/home/debian, shell=/bin/bash
Alternatively, the new account can be found in /etc/passwd.
root@ip-10-0-10-3:/var/log# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:105::/nonexistent:/usr/sbin/nologin
unscd:x:105:109::/var/lib/unscd:/usr/sbin/nologin
ntp:x:106:112::/nonexistent:/usr/sbin/nologin
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
test2:x:1000:1000::/home/test2:/bin/sh
debian:x:1001:1001:Debian:/home/debian:/bin/bash
flag{test2}
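As an added example (not part of the original writeup), the same five questions answered by a small Python parser over a constructed auth.log excerpt; SAMPLE_AUTH_LOG, parse_auth_log and triage are names chosen here. Unlike the uniq -c pipelines above, it counts per username and per IP regardless of line order, and it keeps the blank-username attempts (the "invalid user" entries with no name) as an empty string.

```python
import re
from collections import Counter
# Constructed sample in the writeup's auth.log format (hosts, PIDs, times and
# addresses are made up). The "invalid user  from" line is what sshd logs for
# an attempt with an empty username.
SAMPLE_AUTH_LOG = """\
Aug  1 07:40:50 linux-rz sshd[7461]: Failed password for invalid user test1 from 192.168.200.35 port 33874 ssh2
Aug  1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2
Aug  1 07:46:41 linux-rz sshd[7475]: Failed password for invalid user user from 192.168.200.2 port 36149 ssh2
Aug  1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2
Aug  1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2
Aug  1 07:47:23 linux-rz sshd[7505]: Accepted password for root from 192.168.200.2 port 46563 ssh2
Aug  1 07:47:26 linux-rz sshd[7525]: Failed password for invalid user  from 192.168.200.2 port 37013 ssh2
Aug  1 07:50:45 linux-rz useradd[7551]: new user: name=test2, UID=1000, GID=1000, home=/home/test2, shell=/bin/sh
Aug  1 07:52:59 linux-rz sshd[7606]: Failed password for root from 192.168.200.31 port 40364 ssh2
"""

# "invalid user" is optional; the name is captured lazily so a blank one yields "".
SSHD_RE = re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
                     r"(?:invalid user\s*)?(?P<user>\S*?)\s+from (?P<ip>\S+) port \d+")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+),")

def parse_auth_log(text):
    """Return (ssh_events, new_users); each ssh event is (result, user, ip)."""
    events, new_users = [], []
    for line in text.splitlines():
        if m := SSHD_RE.search(line):
            events.append((m["result"], m["user"], m["ip"]))
        elif m := USERADD_RE.search(line):
            new_users.append(m["name"])
    return events, new_users

def triage(text):
    """Answer the writeup's five questions from an auth.log excerpt."""
    events, new_users = parse_auth_log(text)
    failed = [(u, ip) for r, u, ip in events if r == "Failed"]
    accepted_ips = sorted({ip for r, _, ip in events if r == "Accepted"})
    return {
        # Q1: sources that brute-forced root, with attempt counts (the uniq -c view)
        "root_bruteforce_ips": Counter(ip for u, ip in failed if u == "root"),
        # Q2: sources with an accepted login
        "accepted_ips": accepted_ips,
        # Q3: usernames tried, most frequent first ("" marks a blank username)
        "username_wordlist": [u for u, _ in Counter(u for u, _ in failed).most_common()],
        # Q4: failed attempts from each source that eventually got in
        "attempts_by_accepted_ip": {ip: sum(src == ip for _, src in failed) for ip in accepted_ips},
        "new_users": new_users,  # Q5: accounts created by useradd
    }
```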