#!/bin/bash
# Linux 后门自动排查脚本(文件版)
# 使用方法:chmod +x check.sh && sudo ./check.sh
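# Trusted source addresses for connections and logins. Entries are PREFIX matches
# (see is_ip_whitelisted): "10." covers 10.0.0.0/8, "192.168." covers 192.168.0.0/16.
# Replace 120.27.157.31 with your own management IP(s); a whitelisted address is never
# reported, so keep this list tight. Trusting all of RFC1918 also means a pivot from
# another compromised internal host is invisible to this check.
readonly WHITELIST_IPS=(
  "127.0.0.1" "::1" "192.168." "10." "172.16." "172.17." "172.18." "172.19."
  "172.20." "172.21." "172.22." "172.23." "172.24." "172.25." "172.26." "172.27."
  "172.28." "172.29." "172.30." "172.31." "120.27.157.31"
)
# Ports allowed to listen on non-loopback addresses without a warning. Only the port
# number is checked, not the process behind it — a bind shell on 8080 passes.
readonly WHITELIST_PORTS=(
  "22" "80" "443" "3306" "5432" "6379" "27017" "8080" "8443" "8888"
  "29000" "29400" "29401" "29200" "29702" "34816" "888" "29301" "29712"
)
# Command-line fragments typical of reverse shells and droppers. Each entry is one ERE
# alternative (callers join them with '|'), so regex metacharacters are live.
# "nc" is word-bounded: the original bare "nc " also matched rsync, vnc, sync, ...;
# "python -c" is widened so python2/python3 one-liners are caught too.
readonly SUSPECT_KEYWORDS=(
  "curl" "wget" "\bnc " "bash -i" "perl -e" "python[0-9.]* -c" "ruby -e" "php -r"
  "base64 -d" "/dev/tcp" "/dev/udp"
)
# Known miner binaries and pool-protocol strings. A renamed binary evades this; treat it
# as a cheap first pass, not as proof of absence.
readonly MINER_KEYWORDS=("minerd" "xmrig" "cpuminer" "cryptonight" "stratum" "kdevtmpfsi" "kinsing")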
# Green "[INFO]" line on stdout; %b mirrors echo -e's escape handling for the message.
log_info() { printf '\033[32m[INFO]\033[0m %b\n' "$1"; }
# Yellow "[WARN]" line on stdout; %b mirrors echo -e's escape handling for the message.
log_warn() { printf '\033[33m[WARN]\033[0m %b\n' "$1"; }
# Red "[ERROR]" line on stdout; %b mirrors echo -e's escape handling for the message.
log_error() { printf '\033[31m[ERROR]\033[0m %b\n' "$1"; }
# Returns 0 when $1 starts with any entry of WHITELIST_IPS (prefix match: "10." covers
# 10.x.x.x, a full address matches itself), 1 otherwise. An empty argument never matches.
is_ip_whitelisted() {
  local entry
  for entry in "${WHITELIST_IPS[@]}"; do
    case "$1" in
      "$entry"*) return 0 ;;
    esac
  done
  return 1
}
# Returns 0 when $1 is exactly one of WHITELIST_PORTS, 1 otherwise.
is_port_whitelisted() {
  local known
  for known in "${WHITELIST_PORTS[@]}"; do
    [[ "$known" == "$1" ]] && return 0
  done
  return 1
}
printf '%s\n' "==================== Linux 后门自动排查报告 ===================="
printf '时间: %s | 主机: %s\n' "$(date)" "$(hostname)"
printf '\n'
# Findings accumulate here; the verdict at the end keys off these two arrays
# (errors = strong indicators, warnings = needs a human look).
errors=()
warnings=()
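# CPU headroom. A busy box is only a hint (miners often throttle themselves to stay
# under the radar), so this is a warning, not an error.
# LC_ALL=C keeps top's decimal separator a "." so the %.* strip below works in any
# locale. Both the "96.0 id," and the older "96.0%id," column layouts are handled.
cpu_idle=$(LC_ALL=C top -bn1 2>/dev/null | awk '/Cpu\(s\)/ {
  for (i = 2; i <= NF; i++) {
    if ($i ~ /^id/) { print $(i - 1); exit }
    if ($i ~ /%id/) { sub(/%id.*/, "", $i); print $i; exit }
  }
}')
if [[ -z "$cpu_idle" && -r /proc/stat ]]; then
  # top missing (minimal images, containers): derive idle% from two /proc/stat samples.
  # First line is "cpu user nice system idle iowait irq softirq ..."
  read -r _ u1 n1 s1 i1 w1 q1 sq1 _ < /proc/stat
  sleep 1
  read -r _ u2 n2 s2 i2 w2 q2 sq2 _ < /proc/stat
  total=$(( (u2 + n2 + s2 + i2 + w2 + q2 + sq2) - (u1 + n1 + s1 + i1 + w1 + q1 + sq1) ))
  (( total > 0 )) && cpu_idle=$(( (i2 - i1) * 100 / total ))
fi
cpu_idle_int=${cpu_idle%.*}
if [[ ! "$cpu_idle_int" =~ ^[0-9]+$ ]]; then
  # The original compared an empty value with -lt and printed "空闲率仅 %"; say so instead.
  log_warn "无法获取 CPU 空闲率"
  warnings+=("CPU空闲率未知")
elif (( cpu_idle_int < 70 )); then
  log_warn "CPU 空闲率仅 ${cpu_idle_int}%"
  warnings+=("CPU过高")
else
  log_info "CPU 空闲率 ${cpu_idle_int}%"
fi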
# Process-name sweep. ps|grep is a weak signal: a renamed binary or an in-memory
# loader shows nothing here, and "grep -v grep" hides the grep process itself (and any
# other process whose command line happens to contain "grep").
miner_re=$(IFS='|'; echo "${MINER_KEYWORDS[*]}")
miner_procs=$(ps aux | grep -E -- "$miner_re" | grep -v grep)
if [[ -z "$miner_procs" ]]; then
  log_info "无挖矿进程"
else
  log_error "发现疑似挖矿进程"
  errors+=("挖矿进程")
  printf '%s\n' "$miner_procs"
fi
# Same sweep for reverse-shell / dropper command lines; only a warning because
# curl/wget etc. are common in legitimate processes.
suspect_re=$(IFS='|'; echo "${SUSPECT_KEYWORDS[*]}")
suspect_procs=$(ps aux | grep -E -- "$suspect_re" | grep -v grep)
if [[ -z "$suspect_procs" ]]; then
  log_info "无可疑进程命令"
else
  log_warn "发现可疑命令行"
  warnings+=("可疑进程命令")
  printf '%s\n' "$suspect_procs"
fi
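echo ""; echo "--- 外部连接 ---"
# Enumerate ESTABLISHED TCP sockets as "local->peer".
# Two defects in the original: (1) it took awk's $NF of each lsof line, but lsof prints
# the state "(ESTABLISHED)" as the last field, so the "->" split was always empty and no
# connection was ever evaluated; (2) lsof errors were hidden by 2>/dev/null, so a host
# without lsof reported "no connections". Now fall back to ss, and say so when neither
# tool exists.
external=""
if command -v lsof >/dev/null 2>&1; then
  external=$(lsof -i -P -n 2>/dev/null | grep ESTABLISHED | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /->/) print $i }')
elif command -v ss >/dev/null 2>&1; then
  # with a state filter ss omits the State column: Recv-Q Send-Q Local Peer
  external=$(ss -tnH state established 2>/dev/null | awk '{ print $3 "->" $4 }')
else
  log_warn "lsof/ss 均不可用,无法检查外部连接"
  warnings+=("无法检查外部连接")
fi
suspicious_conn=0
checked_conn=0
while IFS= read -r conn; do
  [[ -z "$conn" ]] && continue
  target=${conn#*->}           # peer side: "ip:port" or "[v6]:port"
  ip=${target%:*}              # strip the port at the last ':' (keeps IPv6 intact)
  ip=${ip#\[}; ip=${ip%\]}     # lsof/ss bracket IPv6 literals
  ip=${ip#::ffff:}             # IPv4-mapped IPv6 -> plain IPv4 so the prefix list applies
  # Loopback peers are skipped here rather than with grep -v "::1", which also threw
  # away every IPv6 peer whose address merely contains "::1".
  [[ "$ip" == 127.* || "$ip" == "::1" ]] && continue
  checked_conn=1
  # IPv6 peers need their own WHITELIST_IPS entries, otherwise they are reported.
  if is_ip_whitelisted "$ip"; then
    log_info "白名单连接: $target"
  else
    log_error "非白名单连接: $target"
    errors+=("外部连接 $target")
    suspicious_conn=1
  fi
done <<< "$external"
if (( checked_conn == 0 )); then
  log_info "无外部 ESTABLISHED 连接"
elif (( suspicious_conn == 0 )); then
  log_info "所有外部连接均在白名单内"
fi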
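echo ""; echo "--- 监听端口 ---"
# Listening TCP sockets bound to non-loopback addresses. netstat is absent on many
# current distros; the original hid that behind 2>/dev/null and reported an empty list.
# UDP listeners are not covered (neither were they originally).
listen_raw=""
if command -v netstat >/dev/null 2>&1; then
  listen_raw=$(netstat -antlp 2>/dev/null | grep LISTEN | awk '{ print $4 }')
elif command -v ss >/dev/null 2>&1; then
  listen_raw=$(ss -tlnH 2>/dev/null | awk '{ print $4 }')
else
  log_warn "netstat/ss 均不可用,无法检查监听端口"
  warnings+=("无法检查监听端口")
fi
# Drop loopback binds (127.x, ::1 and [::1]). The original grep -v "::1" also dropped any
# IPv6 bind whose address merely contains "::1".
listening_ports=$(printf '%s\n' "$listen_raw" \
  | grep -v -E '^(127\.|\[?::1\]?:)' \
  | sed 's/.*://' \
  | grep -E '^[0-9]+$' \
  | sort -un)
unlisted=0
for port in $listening_ports; do
  # Whitelisting is by port number only; it does not verify which process owns the
  # socket. Cross-check unexpected owners with `ss -tlnp` on a suspect host.
  if ! is_port_whitelisted "$port"; then
    log_warn "非常规监听端口: $port"
    warnings+=("监听端口$port")
    unlisted=1
  fi
done
if [[ -z "$listening_ports" ]]; then
  log_info "无监听端口(或全部过滤)"
elif (( unlisted == 0 )); then
  # the original printed nothing at all in this case, which reads like a skipped check
  log_info "监听端口均在白名单内"
fi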
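echo ""; echo "--- 可疑进程路径 ---"
# Walk /proc directly (no ps dependency). readlink returns the raw link target, which
# for an unlinked binary is "/path/name (deleted)". The original parsed `ls -l` with
# awk '{print $NF}' — yielding "(deleted)" without the leading space — and compared it
# against " (deleted)", so running-from-deleted-file (a classic kinsing/kdevtmpfsi
# trait) was never detected; it also broke on paths containing spaces.
suspicious_paths=""
for proc_dir in /proc/[0-9]*; do
  pid=${proc_dir#/proc/}
  exe=$(readlink "$proc_dir/exe" 2>/dev/null) || continue   # kernel threads, exited pids
  [[ -z "$exe" ]] && continue
  case "$exe" in
    /tmp/*|/var/tmp/*|/dev/shm/*|*/...*|*" (deleted)")
      # "(deleted)" also shows up for daemons still running a binary that a package
      # upgrade replaced — confirm before acting.
      cmd=$(tr '\0' ' ' < "$proc_dir/cmdline" 2>/dev/null)
      suspicious_paths+="PID:$pid EXE:$exe CMD:$cmd"$'\n'
      ;;
  esac
done
if [[ -n "$suspicious_paths" ]]; then
  log_error "发现可疑进程路径"
  errors+=("可疑路径")
  printf '%s' "$suspicious_paths"
else
  log_info "所有进程路径正常"
fi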
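echo ""; echo "--- 计划任务 ---"
# Persistence via cron. Sources: every account's crontab, /etc/crontab, /etc/anacrontab
# and /etc/cron.d/*. Not covered (same as the original): /etc/cron.{hourly,daily,...}
# scripts, systemd timers and at(1) jobs — inspect those by hand on a suspect host.
# curl/wget in cron is common for legitimate jobs (cert renewal, updates); a hit is
# still raised as an error, so read the printed lines before reacting.
suspect_re=$(IFS='|'; echo "${SUSPECT_KEYWORDS[*]}")

# Drop comment/blank lines and tag each remaining line with its origin so a hit can be
# traced back. (The original concatenated all crontabs with no separator, so the last
# line of one source fused with the first line of the next.)
collect_cron() {
  local src=$1
  grep -v -E '^[[:space:]]*(#|$)' | sed "s|^|[$src] |"
}

cron_entries=""
while IFS=: read -r user _; do
  out=$(crontab -u "$user" -l 2>/dev/null | collect_cron "crontab:$user")
  [[ -n "$out" ]] && cron_entries+="$out"$'\n'
done < /etc/passwd
for cron_file in /etc/crontab /etc/anacrontab /etc/cron.d/*; do
  [[ -f "$cron_file" ]] || continue
  out=$(collect_cron "$cron_file" < "$cron_file")
  [[ -n "$out" ]] && cron_entries+="$out"$'\n'
done

if printf '%s' "$cron_entries" | grep -qE -- "$suspect_re"; then
  log_error "计划任务中存在可疑命令"
  errors+=("cron可疑")
  printf '%s' "$cron_entries" | grep -E -- "$suspect_re"
else
  log_info "计划任务无异常"
fi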
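echo ""; echo "--- SSH authorized_keys ---"
# Check every account's key files, not only root's: a persistence key can be dropped
# into any user that has a shell. Caveat: sshd's AuthorizedKeysFile may point elsewhere
# (`sshd -T | grep -i authorizedkeysfile` shows the effective value) — not checked here.
found_keys=0
while IFS=: read -r user _ _ _ _ home _; do
  for key_file in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
    if [[ -s "$key_file" ]]; then
      found_keys=1
      echo "[$user] $key_file"
      cat -- "$key_file"
    fi
  done
done < /etc/passwd
if (( found_keys )); then
  log_warn "SSH authorized_keys 非空,请人工确认"
  warnings+=("authorized_keys非空")
else
  log_info "无 SSH authorized_keys 后门"
fi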
echo ""; echo "--- LD_PRELOAD ---"
# /etc/ld.so.preload is normally absent or empty; any content is a strong sign of a
# userland rootkit. Caveat: such a rootkit typically hooks the libc calls that the -s
# test and cat rely on, so an all-clear here is not conclusive — cross-check from a
# rescue image if anything else looks off.
if [[ ! -s /etc/ld.so.preload ]]; then
  log_info "ld.so.preload 正常"
else
  log_error "ld.so.preload 存在"
  errors+=("ld.so.preload")
  cat /etc/ld.so.preload
fi
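echo ""; echo "--- 登录记录 ---"
# Source IPs of the last 20 logins. `-i` forces numeric addresses: without it `last`
# shows hostnames, which the IPv4 regex below silently skipped. IPv6 sources are still
# not evaluated. wtmp is routinely wiped by intruders, so an empty history is itself
# worth a look.
last_output=$(last -i -n 20 2>/dev/null) || last_output=$(last -20 2>/dev/null)
last_output=$(grep -v "still logged in" <<< "$last_output")
if ! grep -qvE '^(wtmp begins|$)' <<< "$last_output"; then
  log_warn "无登录记录(wtmp 为空或已被清理)"
  warnings+=("无登录记录")
fi
# 0.0.0.0 is what `last -i` prints for console/tty logins; it is not a remote source.
known_ips=$(awk '{ print $3 }' <<< "$last_output" \
  | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' \
  | grep -v '^0\.0\.0\.0$' \
  | sort -u)
login_bad=0
for ip in $known_ips; do
  if ! is_ip_whitelisted "$ip"; then
    log_error "非白名单IP登录: $ip"
    errors+=("登录IP $ip")
    login_bad=1
  fi
done
# Section-local flag: the original tested the global errors array, so any error from an
# earlier section suppressed this line even when every login IP was whitelisted.
if (( login_bad == 0 )); then
  log_info "所有登录IP均在白名单内"
fi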
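echo ""; echo "--- SSH 暴力破解迹象 ---"
# Count of "Failed password" lines. This is cumulative over the log's retention, not a
# rate, and it ignores "Invalid user" and public-key failures. journald-only hosts (no
# rsyslog) have neither file — the original reported 0 there, which reads as "clean".
if [[ -f /var/log/secure ]]; then
  fail_count=$(grep -c "Failed password" /var/log/secure 2>/dev/null)
elif [[ -f /var/log/auth.log ]]; then
  fail_count=$(grep -c "Failed password" /var/log/auth.log 2>/dev/null)
elif command -v journalctl >/dev/null 2>&1; then
  fail_count=$(journalctl -q --no-pager _COMM=sshd 2>/dev/null | grep -c "Failed password")
else
  fail_count=0
fi
fail_count=${fail_count:-0}
if (( fail_count > 100 )); then
  log_warn "SSH失败尝试次数较多 ($fail_count)"
  warnings+=("暴力破解迹象")
else
  log_info "SSH失败尝试较少 ($fail_count)"
fi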
echo ""; echo "==================== 综合结论 ===================="
# Triage verdict: errors are strong indicators, warnings need a human. The advice
# printed below (kill/delete) destroys evidence — on a real incident capture the host
# first (disk image, memory, process/socket listing) before remediating.
if (( ${#errors[@]} > 0 )); then
  printf '\033[31m❌ 检测到明确恶意迹象!请立即处理。\033[0m\n'
  printf " - %s\n" "${errors[@]}"
  echo "建议:封禁IP、杀进程、删文件、改密码,必要时重装系统。"
elif (( ${#warnings[@]} > 0 )); then
  printf '\033[33m⚠️ 发现可疑迹象,建议人工复核。\033[0m\n'
  printf " - %s\n" "${warnings[@]}"
else
  # "clean" only means none of these signatures fired — rootkits, renamed miners or a
  # backdoor on a whitelisted port are not excluded.
  printf '\033[32m✅ 未发现明显后门迹象。系统基本安全。\033[0m\n'
fi
直接在 root 用户的家目录(~)下新建文件 check.sh,贴入上面内容
回到该目录,先 chmod +x check.sh,再以 root 身份运行(脚本需要读取 /proc 和各用户 crontab):
./check.sh
显示结果参考:
[root@ah-ipv6 ~]# ./check.sh
==================== Linux 后门自动排查报告 ====================
时间: 2026年 05月 21日 星期四 15:02:39 CST | 主机: ah-ipv6
[INFO] CPU 空闲率 96%
[INFO] 无挖矿进程
[INFO] 无可疑进程命令
--- 外部连接 ---
[INFO] 所有外部连接均在白名单内
--- 监听端口 ---
--- 可疑进程路径 ---
[INFO] 所有进程路径正常
--- 计划任务 ---
[INFO] 计划任务无异常
--- SSH authorized_keys ---
[INFO] 无 SSH authorized_keys 后门
--- LD_PRELOAD ---
[INFO] ld.so.preload 正常
--- 登录记录 ---
[INFO] 所有登录IP均在白名单内
--- SSH 暴力破解迹象 ---
[INFO] SSH失败尝试较少 (0)
==================== 综合结论 ====================
✅ 未发现明显后门迹象。系统基本安全。
[root@ah-ipv6 ~]#