#!/bin/bash
# 邮件接收人配置
EMAIL_RECIPIENT="[email protected]"
# 常见的网站根目录和日志目录
COMMON_WEBSITE_DIRS=(
"/var/www/html" # LAMP 默认网站根目录
"/usr/share/nginx/html" # Nginx 默认网站目录
"/srv/www" # OpenSUSE 默认目录
"/www/wwwroot" # 宝塔面板默认网站目录
)
COMMON_LOG_DIRS=(
"/var/log/apache2" # Apache 日志目录
"/var/log/httpd" # CentOS Apache 日志目录
"/var/log/nginx" # Nginx 日志目录
"/www/wwwlogs" # 宝塔面板日志目录
)
# 挂马检测特征
SUSPICIOUS_CODE_PATTERNS=(
"eval" "assert" "system" "exec" "passthru" "call_user_func"
"create_function" "base64_decode" "gzinflate" "str_rot13"
"shell_exec" "preg_replace" "file_put_contents" "include" "require"
"\$_GET" "\$_POST" "\$_REQUEST" "c99shell" "r57shell" "phpinfo"
)
# 异常请求特征
SUSPICIOUS_REQUEST_PATTERNS=(
"\.\./" "php?id=" "base64_encode" "wp-admin"
"eval(" "UNION SELECT" "\.php\.bak" "\.(sql|zip|tar|gz)$"
"POST.*multipart/form-data" "cmd=" "r57shell" "c99shell"
)
# 提权日志文件可能路径
PRIVILEGE_LOG_FILES=(
"/var/log/auth.log" # Ubuntu/Debian
"/var/log/secure" # CentOS/RedHat
)
# 汇总简报内容
SUMMARY_REPORT=""
# Print a carriage-return-prefixed progress line without a trailing newline
# (so the next progress message overwrites it) and pause briefly so it is
# visible on the terminal.
# Arguments: $1 - text to display
show_progress() {
  local message=$1
  printf '%b' "\r[正在处理] ${message}..."
  sleep 1
}
# Echo the first argument that names an existing directory. When none does,
# echo an empty line so that `$(find_valid_dir ...)` yields "".
# Arguments: candidate directory paths, in priority order
find_valid_dir() {
  local candidate
  for candidate in "$@"; do
    [[ -d "$candidate" ]] || continue
    echo "$candidate"
    return
  done
  echo ""
}
# Echo the first argument that names an existing regular file. When none
# does, echo an empty line so that `$(find_log_file ...)` yields "".
# Existence only is checked, not readability.
# Arguments: candidate file paths, in priority order
find_log_file() {
  local candidate
  for candidate in "$@"; do
    if [[ -f "$candidate" ]]; then
      echo "$candidate"
      return
    fi
  done
  echo ""
}
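# Scan the authentication log for lines that look like privilege use or
# failed logins and append the findings to SUMMARY_REPORT.
# Arguments: $1 - path of the auth log ("" when none was found)
# Globals:   SUMMARY_REPORT (appended)
# Note: the pattern list is deliberately broad ("sudo" matches every sudo
# entry), so this section is a review aid rather than an alert by itself.
check_privilege_logs() {
  local log_file="$1"
  if [[ -z "$log_file" ]]; then
    SUMMARY_REPORT+="未找到提权日志文件。\n"
    return
  fi
  # Auth logs are usually root-readable only. Without this check the read
  # loop below fails, alerts stays empty and the section reports "nothing
  # found" -- indistinguishable from a clean log.
  if [[ ! -r "$log_file" ]]; then
    SUMMARY_REPORT+="[提权日志分析]\n无法读取提权日志文件: $log_file\n"
    return
  fi
  show_progress "分析提权日志"
  local suspicious_patterns=("sudo" "root login" "su " "FAILED LOGIN")
  local alerts="" line pattern
  # IFS= keeps leading/trailing whitespace; the || branch keeps a final line
  # that has no trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    for pattern in "${suspicious_patterns[@]}"; do
      if [[ "$line" =~ $pattern ]]; then
        alerts+="$line\n"
        break # report each line once even when several patterns match
      fi
    done
  done < "$log_file"
  if [[ -n "$alerts" ]]; then
    SUMMARY_REPORT+="[提权日志分析]\n$alerts\n"
  else
    SUMMARY_REPORT+="[提权日志分析]\n未发现可疑提权行为。\n"
  fi
}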
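# Scan every *.log file under a web-server log directory for request lines
# matching SUSPICIOUS_REQUEST_PATTERNS and append the findings to
# SUMMARY_REPORT.
# Arguments: $1 - log directory ("" when none was found)
# Globals:   SUSPICIOUS_REQUEST_PATTERNS (read), SUMMARY_REPORT (appended)
# Notes:
#  - only files named *.log are read; rotated logs (*.log.1, *.gz) are skipped.
#  - patterns are bash extended regexes matched case-sensitively; an invalid
#    regex makes [[ =~ ]] return 2, which is treated here as "no match".
#  - log lines are attacker-controlled input and are copied verbatim into the
#    report, which is rendered later with echo -e / printf '%b'.
analyze_access_logs() {
  local log_dir="$1"
  if [[ -z "$log_dir" ]]; then
    SUMMARY_REPORT+="未找到有效的网站运行日志目录。\n"
    return
  fi
  show_progress "分析网站运行日志"
  local alerts="" log_file line pattern
  # -print0 / read -d '' keeps file names containing spaces or newlines intact.
  while IFS= read -r -d '' log_file; do
    if [[ ! -r "$log_file" ]]; then
      # say so instead of silently counting an unreadable log as clean
      alerts+="无法读取日志文件: $log_file\n"
      continue
    fi
    # IFS= keeps whitespace; the || branch keeps a final line without newline.
    while IFS= read -r line || [[ -n "$line" ]]; do
      for pattern in "${SUSPICIOUS_REQUEST_PATTERNS[@]}"; do
        if [[ "$line" =~ $pattern ]]; then
          alerts+="可疑请求: $line 来自日志: $log_file\n"
          break # one report per line, not one per matching pattern
        fi
      done
    done < "$log_file"
  done < <(find "$log_dir" -type f -name "*.log" -print0)
  if [[ -n "$alerts" ]]; then
    SUMMARY_REPORT+="[网站运行日志分析]\n$alerts\n"
  else
    SUMMARY_REPORT+="[网站运行日志分析]\n未发现异常请求。\n"
  fi
}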
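# Look for webshell indicators and world-writable files under the web root
# and append the findings to SUMMARY_REPORT.
# Arguments: $1 - directory to scan ("" when none was found)
# Globals:   SUSPICIOUS_CODE_PATTERNS (read), SUMMARY_REPORT (appended)
# Notes:
#  - every regular file is grepped once per pattern (case-insensitive basic
#    regex); many patterns are ordinary PHP functions, so hits need review.
#  - the permission check relies on GNU `stat -c`.
scan_for_malware() {
  local scan_dir="$1"
  if [[ -z "$scan_dir" ]]; then
    SUMMARY_REPORT+="未找到有效的网站目录。\n"
    return
  fi
  show_progress "扫描网站目录中的文件挂马"
  local alerts="" file pattern perms
  # -print0 / read -d '' keeps file names containing spaces or newlines intact.
  while IFS= read -r -d '' file; do
    # find already selected regular files; re-check in case the tree changed
    [[ -f "$file" ]] || continue
    for pattern in "${SUSPICIOUS_CODE_PATTERNS[@]}"; do
      if grep -q -i -e "$pattern" -- "$file"; then
        alerts+="发现可疑代码: $file 包含模式: $pattern\n"
      fi
    done
    # Permission check: flag any world-writable file (last octal digit carries
    # the write bit: 2, 3, 6 or 7), not only 777 -- a 666 file under the web
    # root can be overwritten by any local user just the same.
    perms=$(stat -c '%a' "$file") || perms=""
    if [[ "$perms" =~ [2367]$ ]]; then
      alerts+="发现权限异常的文件: $file 权限: $perms\n"
    fi
  done < <(find "$scan_dir" -type f -print0)
  if [[ -n "$alerts" ]]; then
    SUMMARY_REPORT+="[挂马检测]\n$alerts\n"
  else
    SUMMARY_REPORT+="[挂马检测]\n未发现可疑挂马行为。\n"
  fi
}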
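# Mail the accumulated report to EMAIL_RECIPIENT and confirm on stdout.
# Globals: SUMMARY_REPORT, EMAIL_RECIPIENT (read)
# Returns: 0 when mail(1) accepted the message; 1 when mail is not installed
#          or exited non-zero (a diagnostic goes to stderr so a missing or
#          failing mailer is no longer silent).
send_summary_email() {
  if ! command -v mail >/dev/null 2>&1; then
    printf '\n未找到 mail 命令，简报未发送。\n' >&2
    return 1
  fi
  # '%b' expands the literal "\n" sequences stored in SUMMARY_REPORT, like
  # echo -e did, without echo's option-parsing quirks.
  if printf '%b\n' "$SUMMARY_REPORT" | mail -s "安全监测简报" "$EMAIL_RECIPIENT"; then
    echo -e "\n简报已发送到: $EMAIL_RECIPIENT"
  else
    printf '\n简报发送失败: mail 返回非零状态。\n' >&2
    return 1
  fi
}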
# Entry point: pick the first existing web root, log directory and auth log,
# run the three checks, print the accumulated report and mail it.
# Globals: COMMON_WEBSITE_DIRS, COMMON_LOG_DIRS, PRIVILEGE_LOG_FILES (read),
#          SUMMARY_REPORT (read after the checks have appended to it)
main() {
  echo "[开始综合环境安全监测]"
  local website_dir log_dir privilege_log
  website_dir=$(find_valid_dir "${COMMON_WEBSITE_DIRS[@]}")
  log_dir=$(find_valid_dir "${COMMON_LOG_DIRS[@]}")
  privilege_log=$(find_log_file "${PRIVILEGE_LOG_FILES[@]}")
  check_privilege_logs "$privilege_log"
  analyze_access_logs "$log_dir"
  scan_for_malware "$website_dir"
  printf '\n[综合环境安全监测完成]\n\n'
  # the report stores literal "\n"; '%b' expands them exactly as echo -e did
  printf '%b\n' "$SUMMARY_REPORT"
  send_summary_email
}
# Run the script.
main "$@"
这是一个用于监测常见网站被挂马或被提权情况的 shell 脚本。