Introductory Log Analysis


How many IPs are brute-forcing the host's ssh root account?

On Linux the login log is /var/log/auth.log; going to that directory shows the file has already been rotated to auth.log.1.

cat /var/log/auth.log.1 | grep -a "root"


Filtering for "Failed password for root" gives:

Aug  1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2
Aug  1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2
Aug  1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2
Aug  1 07:47:20 linux-rz sshd[7501]: Failed password for root from 192.168.200.2 port 39967 ssh2
Aug  1 07:47:22 linux-rz sshd[7503]: Failed password for root from 192.168.200.2 port 46647 ssh2
Aug  1 07:52:59 linux-rz sshd[7606]: Failed password for root from 192.168.200.31 port 40364 ssh2

Which IP logged in successfully after brute-forcing ssh?

Look at the successful logins:

root@ip-10-0-10-3:/var/log# cat cat auth.log.1 | grep -a "password for root"
cat: cat: No such file or directory
Aug  1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2
Aug  1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2
Aug  1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2
Aug  1 07:47:20 linux-rz sshd[7501]: Failed password for root from 192.168.200.2 port 39967 ssh2
Aug  1 07:47:22 linux-rz sshd[7503]: Failed password for root from 192.168.200.2 port 46647 ssh2
Aug  1 07:47:23 linux-rz sshd[7505]: Accepted password for root from 192.168.200.2 port 46563 ssh2
Aug  1 07:50:37 linux-rz sshd[7539]: Accepted password for root from 192.168.200.2 port 48070 ssh2
Aug  1 07:52:59 linux-rz sshd[7606]: Failed password for root from 192.168.200.31 port 40364 ssh2

flag{192.168.200.2}

What username dictionary was used for the brute force?

Filtering on the attacker's IP shows:


Find the keyword and filter on it:

root@ip-10-0-10-3:/var/log# cat auth.log.1 | grep -a "Failed password"
Aug  1 07:40:50 linux-rz sshd[7461]: Failed password for invalid user test1 from 192.168.200.35 port 33874 ssh2
Aug  1 07:41:04 linux-rz sshd[7465]: Failed password for invalid user test2 from 192.168.200.35 port 51640 ssh2
Aug  1 07:41:13 linux-rz sshd[7468]: Failed password for invalid user test3 from 192.168.200.35 port 48168 ssh2
Aug  1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2
Aug  1 07:46:41 linux-rz sshd[7475]: Failed password for invalid user user from 192.168.200.2 port 36149 ssh2
Aug  1 07:46:47 linux-rz sshd[7478]: Failed password for invalid user user from 192.168.200.2 port 44425 ssh2
Aug  1 07:46:50 linux-rz sshd[7480]: Failed password for invalid user user from 192.168.200.2 port 38791 ssh2
Aug  1 07:46:54 linux-rz sshd[7482]: Failed password for invalid user user from 192.168.200.2 port 37489 ssh2
Aug  1 07:46:56 linux-rz sshd[7484]: Failed password for invalid user user from 192.168.200.2 port 35575 ssh2
Aug  1 07:46:59 linux-rz sshd[7486]: Failed password for invalid user hello from 192.168.200.2 port 35833 ssh2
Aug  1 07:47:02 linux-rz sshd[7489]: Failed password for invalid user hello from 192.168.200.2 port 37653 ssh2
Aug  1 07:47:04 linux-rz sshd[7491]: Failed password for invalid user hello from 192.168.200.2 port 37917 ssh2
Aug  1 07:47:08 linux-rz sshd[7493]: Failed password for invalid user hello from 192.168.200.2 port 41957 ssh2
Aug  1 07:47:10 linux-rz sshd[7495]: Failed password for invalid user hello from 192.168.200.2 port 39685 ssh2
Aug  1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2
Aug  1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2
Aug  1 07:47:20 linux-rz sshd[7501]: Failed password for root from 192.168.200.2 port 39967 ssh2
Aug  1 07:47:22 linux-rz sshd[7503]: Failed password for root from 192.168.200.2 port 46647 ssh2
Aug  1 07:47:26 linux-rz sshd[7525]: Failed password for invalid user  from 192.168.200.2 port 37013 ssh2
Aug  1 07:47:30 linux-rz sshd[7528]: Failed password for invalid user  from 192.168.200.2 port 37545 ssh2
Aug  1 07:47:32 linux-rz sshd[7530]: Failed password for invalid user  from 192.168.200.2 port 39111 ssh2
Aug  1 07:47:35 linux-rz sshd[7532]: Failed password for invalid user  from 192.168.200.2 port 35173 ssh2
Aug  1 07:47:39 linux-rz sshd[7534]: Failed password for invalid user  from 192.168.200.2 port 45807 ssh2
Aug  1 07:52:59 linux-rz sshd[7606]: Failed password for root from 192.168.200.31 port 40364 ssh2

The question isn't clearly stated, so you have to try the permutations.

flag{user,hello,root,test3,test2,test1}

How many brute-force attempts did the successfully logged-in IP make?

Count the login attempts against root: four.

flag{4}

After logging in to the host, the attacker created a backdoor user

Common shells are bash, sh and zsh; filtering /etc/passwd for them shows:

root:x:0:0:root:/root:/bin/bash
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
test2:x:1000:1000::/home/test2:/bin/sh
debian:x:1001:1001:Debian:/home/debian:/bin/bash

test2