一个在Linux系统下的入侵响应案例

yudi2006

就是不错！加精吧

牛人！！！

achlice

好贴，加  jing ba !

bolix

顶一下
D
D
D

coldrainsunc

讲到安全，送大家一个文件完整性检查的脚本。
此脚本用于可保文件内容的md5校验和及以文件stat信息以及与生成的校验数据进行对比，找好更动过的文件。脚本如下：

#!/usr/bin/perl # #用法: #genmd5.pl --basedir=/etc --chksumfile=etc-chksum.dat #genmd5.pl --basedir /private/etc --compare use strict; use Digest::MD5; use IO::File; use File::Find (); use Getopt::Long; #设置默认值 my $chksumfile = 'chksums.dat'; my $compare = 0; my $basedir = '/etc'; use vars qw/*name *dir *prune/; *name   = *File::Find::name; *dir    = *File::Find::dir; *prune  = *File::Find::prune; GetOptions("chksumfile=s" => \$chksumfile,            "compare" => \$compare,            "basedir=s" => \$basedir); my $chksumdata = {}; if ($compare) {     loadchksumdata($chksumfile); } my $outfile = ''; if (!$compare) {     $outfile = IO::File->new($chksumfile,"w"); } File::Find::find({wanted => \&wanted}, $basedir); if ($compare) {     foreach my $file (keys %{$chksumdata})     {         print STDERR "Couldn't find $file, but have the info on record\n";     } } sub loadchksumdata {     my ($file) = @_;     open(DATA,$file) or die "Cannot open check sum file $file: $!\n";     while(<DATA>)     {         chomp;         my ($filename,$rest) = split(/:/,$_,2);         $chksumdata->{$filename} = $_;     }     close(DATA); } sub wanted {     next unless (-f $name);     my $fileinfo = genchksuminfo($name);     if ($compare)     {         if (exists($chksumdata->{$name}))         {             if ($chksumdata->{$name} ne $fileinfo)             {                 print STDERR "Warning: $name differs from that on record\n";                 gendiffreport($chksumdata->{$name}, $fileinfo);             }             delete($chksumdata->{$name});         }         else         {             print STDERR "Warning: Couldn't find $name in existing records\n";         }     }     else     {         printf $outfile ("%s\n",$fileinfo);     } } sub gendiffreport {     my ($orig,$curr) = @_;     my @fields = qw/filename chksum device inode mode nlink uid gid size mtime ctime/;     my @origfields = split(/:/,$orig);     my @currfields = split(/:/,$curr);     for(my $i=0;$i<scalar @origfields;$i++)     {         if ($origfields[$i] ne $currfields[$i])         {             print STDERR "\t$fields[$i] differ; was $origfields[$i],                              now $currfields[$i]\n";         }     } } sub genchksuminfo {     my ($file) = @_;     my $chk = Digest::MD5->new();     my (@statinfo) = stat($file);     $chk->add(@statinfo[0,1,2,3,4,5,7,9,10]);     $chk->addfile(IO::File->new($file));     return sprintf("%s:%s:%s",                    $file,$chk->hexdigest,                    join(':',@statinfo[0,1,2,3,4,5,9,10])); }

用以下命令生成校验数据:
[root@supersun securety]# ./getsum.pl --basedir=/etc/ --chksumfile=etc-chksum.dat
etc-chksum.dat格式如下:
/etc/bluetooth/hcid.conf:c3fb848b5e2f57e3cd65ecd8dd766724:769:1627930:33188:1:0:0:1153336356:1163469800
/etc/bluetooth/pin:81bdf50f2025f988490024cfbd36ffb8:769:1627931:33152:1:0:0:1153336356:1163469800
校验文件：
[root@supersun securety]# ./getsum.pl --basedir=/etc --compare --chksumfile=etc-chksum.dat
Warning: /etc/fstab differs from that on record
        chksum differ; was 253f53fef12b9e6fa7bc2cb3556427de,
                             now a8506e1f2ff5e5dcb08d93b64b1be235
        inode differ; was 1629160,
                             now 1627820
        size differ; was 1187075582,
                             now 1190012212
        mtime differ; was 1187075582,
                             now 1190012212
原文请参见:http://www.ibm.com/developerworks/aix/library/au-satsystemvalidity/index.html
                                                                                           Tags: 系统管理　linux perl 文件完整性  校验

[ 本帖最后由 coldrainsunc 于 2007-9-27 16:34 编辑 ]

coldrainsunc

记得安装模块啊：
cpan Digest::MD5;

kedechuan

写的好棒

yuntianfei2000

鼎一下楼主~~~~~~~

孤独的鹰

又是一个被蠕虫给做掉的倒霉蛋

chameleon

恩，不错，希望以后多一些这样的实际案例文章．．．

wushengwei

顶
强人哪
好好学习