Linux (inotify): real-time directory monitoring that triggers a webshell scan on newly created or modified files

Download and install inotify (inotify-tools)

wget http://github.com/downloads/rvoicilas/inotify-tools/inotify-tools-3.14.tar.gz
tar -zxvf inotify-tools-3.14.tar.gz
cd inotify-tools-3.14
./configure --prefix=/usr/local/inotify
make
make install



echo 'export PATH=/usr/local/inotify/bin:$PATH' >>/etc/profile.d/inotify.sh
source /etc/profile.d/inotify.sh
echo "/usr/local/inotify/lib" >/etc/ld.so.conf.d/inotify.conf
ldconfig
ln -s /usr/local/inotify/include  /usr/include/inotify



vim /etc/sysctl.conf 
fs.inotify.max_queued_events=99999999
fs.inotify.max_user_watches=99999999
fs.inotify.max_user_instances=65535

sysctl -p

Write the monitoring script

#!/bin/bash
# Watch /test recursively. inotifywait prints one line per event in the form
# "<date> <time> <path> <event>"; "move" is subscribed as well so that the
# MOVED_TO/MOVED_FROM cases below actually fire.
inotifywait -mrq --timefmt '%d/%m/%y %H:%M' --format '%T %w%f %e' \
    --event modify,delete,create,attrib,move /test | while read -r date time file event
do
    case "$event" in
        MODIFY|CREATE|MOVED_TO)
            # A regular file was written or appeared: log it and scan it for webshell signatures.
            echo "[$(date '+%Y-%m-%d %H:%M:%S')] $event - $file" >> /file_monitor/file.log
            python /file_monitor/check_webshell.py "$file"
            ;;
        MODIFY,ISDIR|CREATE,ISDIR|MOVED_TO,ISDIR|ATTRIB|ATTRIB,ISDIR|MOVED_FROM|MOVED_FROM,ISDIR|DELETE|DELETE,ISDIR)
            # Directory changes, attribute changes and removals are logged only; there is no new content to scan.
            echo "[$(date '+%Y-%m-%d %H:%M:%S')] $event - $file" >> /file_monitor/file.log
            ;;
    esac
done
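As an added example (not part of the original post), the following Python snippet parses the exact inotifywait output produced by the `--timefmt '%d/%m/%y %H:%M' --format '%T %w%f %e'` options used above and decides which events are scanned and which are only logged. Unlike `read date time file event`, it copes with paths that contain spaces and skips directories; the `scanner` callback is an assumed hook standing in for `check_webshell.py`.

```python
import re
from dataclasses import dataclass
# inotifywait runs with --timefmt '%d/%m/%y %H:%M' --format '%T %w%f %e', so every
# line is "<dd/mm/yy> <HH:MM> <path> <EVENT[,FLAG...]>". The path may contain spaces,
# so anchor date/time at the front and the event field at the end instead of splitting.
LINE_RE = re.compile(r'^(\d{2}/\d{2}/\d{2}) (\d{2}:\d{2}) (.+) ([A-Z_]+(?:,[A-Z_]+)*)$')

SCAN_EVENTS = {'CREATE', 'MODIFY', 'MOVED_TO'}        # file content may be new or changed
LOG_ONLY_EVENTS = {'DELETE', 'MOVED_FROM', 'ATTRIB'}  # nothing new to scan, but worth a log line
@dataclass
class Event:
    date: str
    time: str
    path: str
    name: str      # primary event name, e.g. CREATE
    is_dir: bool   # True when inotifywait appended the ISDIR flag

def parse_line(line):
    """Parse one inotifywait output line; return None for lines in another format."""
    m = LINE_RE.match(line.rstrip('\n'))
    if not m:
        return None
    date, time, path, flags = m.groups()
    parts = flags.split(',')
    return Event(date, time, path, parts[0], 'ISDIR' in parts[1:])

def action_for(ev):
    """Decide what the monitor does with an event: 'scan', 'log' or 'ignore'."""
    if ev.name in SCAN_EVENTS and not ev.is_dir:
        return 'scan'           # a regular file appeared or changed: hand it to the scanner
    if ev.name in SCAN_EVENTS or ev.name in LOG_ONLY_EVENTS:
        return 'log'            # directories and removals are recorded only
    return 'ignore'

def process(lines, scanner):
    """Run the dispatch over inotifywait lines; scanner(path) stands in for check_webshell.py."""
    log = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        act = action_for(ev)
        if act == 'ignore':
            continue
        flags = ev.name + (',ISDIR' if ev.is_dir else '')
        log.append('%s %s %s - %s' % (ev.date, ev.time, flags, ev.path))
        if act == 'scan':
            scanner(ev.path)
    return log
```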

# Add the monitoring script to the boot start-up

chmod u+x /file_monitor/monitor.sh
echo "nohup /file_monitor/monitor.sh &" >> /etc/rc.d/rc.local
nohup /file_monitor/monitor.sh &

# After repeated tests this boot start-up really did not work, and in any case, given the real
# deployment scenario, what if the monitor dies after boot? So let us do it with crond instead:
# check every second whether the monitor process is running; if it is not, start it, and if it
# is, do nothing.

#!/bin/sh
# Watchdog run from cron: start monitor.sh again if no such process is running.
# pgrep -f matches the full command line and excludes itself, which is more
# reliable than grepping the word-split output of ps -ef.
if pgrep -f '/file_monitor/monitor.sh' >/dev/null 2>&1; then
        has=true
else
        has=false
fi
if [ "$has" = false ]; then
        # log line: "monitor process not found, starting it"
        echo "$(date '+%Y-%m-%d %H:%M:%S') 没有检查到监控进程,即将启动。" >> /file_monitor/monitor_life.log
        /file_monitor/monitor.sh >/dev/null 2>&1 &
fi

Write the scanning script

```python
#!/usr/bin/env python
# coding: utf-8
# Usage: check_webshell.py <file>
# Scans a single file against a list of webshell signatures. On the first match
# the file is renamed with a timestamp and a ".del" suffix so the web server no
# longer serves it, while keeping it available for analysis.

import io
import os
import sys
import re
import shutil
import time

# Signature patterns (raw strings so that the regex escapes reach re unchanged).
# Note that several of these (GIF89a, system32, webshell, Program Files, ...) also
# occur in legitimate files, so expect false positives and review what is quarantined.
rulelist = [
  r'(\$_(GET|POST|REQUEST)\[.{0,15}\]\(\$_(GET|POST|REQUEST)\[.{0,15}\]\))',
  r'(base64_decode\([\'"][\w\+/=]{200,}[\'"]\))',
  r'eval\(base64_decode\(',
  r'(eval\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
  r'(assert\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
  r'(\$[\w_]{0,15}\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
  r'(wscript\.shell)',
  r'(gethostbyname\()',
  r'(cmd\.exe)',
  r'(shell\.application)',
  r'(documents\s+and\s+settings)',
  r'(system32)',
  r'(serv-u)',
  r'(提权)',
  r'(phpspy)',
  r'(后门)',
  r'(webshell)',
  r'(Program\s+Files)',
  r'www.phpdp.com',
  r'phpdp',
  r'PHP神盾',
  r'decryption',
  r'Ca3tie1',
  r'GIF89a',
  r'IKFBILUvM0VCJD\/APDolOjtW0tgeKAwA',
  r"'e'\.'v'\.'a'\.'l'",
]


def scan(file_path):
    """Return the first rule that matches the file contents, or None if none does."""
    with io.open(file_path, 'r', encoding='utf-8', errors='ignore') as fh:
        filestr = fh.read()
    for rule in rulelist:
        if re.search(rule, filestr):
            return rule
    return None


def quarantine(file_path):
    """Rename the file out of the way; the original name plus timestamp is kept for analysis."""
    stamp = time.strftime('%Y-%m-%d_%H:%M:%S', time.localtime())
    shutil.move(file_path, file_path + stamp + '.del')


if __name__ == '__main__':
    if len(sys.argv) != 2:
        sys.exit('usage: check_webshell.py <file>')
    file_path = sys.argv[1]
    # inotify also reports directories; only regular files are scanned.
    if os.path.isfile(file_path):
        try:
            rule = scan(file_path)
            if rule:
                # "removing suspected trojan"
                print("移除疑似木马: %s (rule: %s)" % (file_path, rule))
                quarantine(file_path)
        except (IOError, OSError) as exc:
            # Report errors instead of silently swallowing them.
            sys.stderr.write("check_webshell: %s: %s\n" % (file_path, exc))
```


Tags: inotify, webshell, Linux security configuration

Unless otherwise stated, all articles on this blog are the blog owner's original work.
