安全类和远程类shell脚本

批量杀php小马脚本

find /home/hatdot/ -name "*.php" |xargs egrep "phpspy|c99sh|milw0rm|eval\(gunerpress|eval\(base64_decoolcode|spider_bc">>/tmp/test.txt

grep -r -include=*.php '[^a-z]eval($_POST' . >> /tmp/test.txt

grep -r -include=*.php 'file_put_contents(.*$_POST\[ .*\ ]);' . >> /tmp/test.txt

find /home/hatdot/ -name "*.php" -type f -print 0 | xargs -0 egrep "(phpspy|c99sh|milw0rm|eval\(gzuncompress\(base64_decoolcode|eval\(base64_decoolcode|spider_bc|gzinflate)" | awk -F: '{print $1}' | sort | uniq >> /tmp/test.txt

python批量杀php小马

#!/usr/bin/python
# -*- coding: utf-8 -*-
#blog:www.sinesafe.com

import os
import sys
import re

rulelist = [
    '(\$_(GET|POST|REQUEST)\[.{0,15}\]\(\$_(GET|POST|REQUEST)\[.{0,15}\]\))',
    '(base64_decode\([\'"][\w\+/=]{200,}[\'"]\))',
    'eval\(base64_decode\(',
    '(eval\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    '(assert\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    '(\$[\w_]{0,15}\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    '(wscript\.shell)',
    '(gethostbyname\()',
    '(cmd\.exe)',
    '(shell\.application)',
    '(documents\s+and\s+settings)',
    '(system32)',
    '(serv-u)',
    '(提权)',
    '(phpspy)',
    '(后门)',
    '(webshell)',
    '(Program\s+Files)'
]

def Scan(path):
    for root,dirs,files in os.walk(path):
        for filespath in files:
            isover = False
            if '.' in filespath:
                ext = filespath[(filespath.rindex('.')+1):]
                if ext=='php':
                    file= open(os.path.join(root,filespath))
                    filestr = file.read()
                    file.close()
                    for rule in rulelist:
                        result = re.compile(rule).findall(filestr)
                        if result:
                            print '文件：'+os.path.join(root,filespath)
                            print '恶意代码：'+str(result[0])
                            print '\n\n'
                            break

if os.path.lexists(sys.argv[1]):
    print('\n\n开始扫描：'+sys.argv[1])
    print('               可疑文件                 ')
    print('########################################')
    Scan(sys.argv[1])
    print('提示：扫描完成-- O(∩_∩)O哈哈~')
else:
    print '提示：指定的扫描目录不存在---  我靠( \'o′)！！凸'

每两秒都监控是否有人ssh到你的机器，如果有人ssh上来，则把它kill掉，并且，使用iptables拒绝#它登录，2秒后，就被踢掉，并30分钟登录不了,但是会在30分钟后，取消对它的拒绝

版本1：

#!/bin/bash
echo "check ssh...."
while true
do
     who | awk -F"(" '{print $2}' | sed 's/.$//' |  while read ip
     do
         if [ `echo $ip | awk -F"." 'END{print NF}'` -eq 4 ]
         then
                echo "$ip ssh close"
                iptables -A INPUT -p tcp --dport 22 -s $ip -j REJECT
                ipssh=`who | awk  '{print $2}' | head -$i | tail -1`
                ipsshid=`ps -ef | grep "@$ipssh" | awk '{print $2}'`
                kill -9 $ipsshid 2> /dev/null
                echo iptables -D INPUT -p tcp --dport 22 -s $ip -j REJECT | at now + 30 minutes
         fi
     done
     sleep 2
done

版本2：

#!/bin/bash
while true
do
line=`who |grep -v "(:" |wc -l`

for i in `seq $line`
do
pts=`who |grep -v "(:" |awk '{print $2}' |head -$i |tail -1`
ip=`who |grep -v "(:" |awk -F"(" '{print $2}'|awk -F")" '{print $1}' |head -$i |tail -1`
pid=`ps -ef |grep $pts |grep sshd |grep -v grep |awk '{print $2}'`
kill -9 $pid
iptables -A INPUT -p tcp --dport 22 -s $ip -j REJECT
at now + 30 minutes << EOF > /dev/null 2>&1
iptables -D INPUT -p tcp --dport 22 -s $ip -j REJECT
EOF
done

sleep 2
done

rsync+ssh批量自动化部署：

#!/bin/bash
#-------------------------------------#
#         author by bossco            #
#        auto change server files     #
#           2015.12.24                #
#-------------------------------------#
#前提：先要做SSH等效性，让SSH远程登陆不需要输入密码
#ssh-keygen 回车回车回车
#ssh-copy-id -i /root/.ssh/id_rsa.pub 远程服务器IP

flush()
{
if [ ! f rsync.list ];then
	echo -e "\033[34mPlease Create rsync.list files,
	The rsync.list contents as follows! \033[0m"
cat <<EOF
192.168.10.128	src_dir		des_dir
192.168.10.129	src_dir		des_dir
EOF
	exit
fi
	rm -rf rsync.list.swp;cat rsync.list | grep -v "#" >rsync.list.swp
	COUNT=`cat rsync.list.swp | wc -l`
	NUM=0
while (($(NUM) < $COUNT))
do
	NUM=`expr $NUM + 1`
	LINE=`sed -n "$(NUM)p" rsync.list.swp`
	SRC=`echo $LINE | awk '{print $2}'`
	DES=`echo $LINE | awk '{print $3}'`
	IP=`echo $LINE | awk '{print $1}'`
	rsync -av $(SRC)/ root@$(IP):$(DES)/
done
}

restart ()
{
if [ ! f restart.list ];then
	echo -e "\033[34mPlease Create restart.list files,
	The restart.list contents as follows! \033[0m"
cat <<EOF
192.168.10.128	COMMAND
192.168.10.129	COMMAND
EOF
	exit
fi
	rm -rf restart.list.swp;cat restart.list | grep -v "#" >> restart.list.swap
	COUNT=`cat restart.list.swp | wc -l`
	NUM=0
while (($(NUM) < $COUNT))
do
	NUM=`expr $NUM + 1`
	LINE=`sed -n "$(NUM)p" restart.list.swp`
	COMMAND=`echo $LINE | awk '{print $2}'`
	IP=`echo $LINE | awk '{print $1}'`
	ssh -l root $IP
	"sh $COMMAND;echo -e '------------\nThe $IP Exec commands:sh $COMMAND success!'"
done
}

case $1 in
	flush )
	flush ;;
	restart )
	restart ;;
	*)
	echo -e "\033[31mUsage: $0 command,example{flush | restart} \033[0m"
esac	

批量远程执行命令：

#!/bin/bash
#-------------------------------------#
#         author by bossco            #
#        remote exec command          #
#           2015.12.24                #
#-------------------------------------#
#前提：先要做SSH等效性，让SSH远程登陆不需要输入密码
#ssh-keygen 回车回车回车
#ssh-copy-id -i /root/.ssh/id_rsa.pub 远程服务器IP
#把远程服务器的IP地址ip.txt文件里

if [ ! -f ip.txt ];then
	echo -e "\033[31m please create ip.txt\033[0m"
	exit
fi

if [ -z "$*" ];then
	echo -e "\033[32mUsage: $0 command,example{rm /tmp/test.txt | mkdir /tmp/20150505}\033[0m"
	exit
fi

count=`cat ip.txt | wc -l`
rm -rf ip.txt.swap
i=0
while ((i< $count))
do
i=`expr $i + 1`
sed "$(i)s/^/&$(i) /g" ip.txt >> ip.txt.swp
IP=`awk -v I="$i" '{if(I==$1)print $2}' ip.txt.swp`
ssh -q -l root $IP  "$*;echo -e '\033[35m-------------------\nThe $IP Exec Commands: $* success !';sleep 2"
done

批量拷贝文件或目录至远程服务器：

#!/bin/bash
#-------------------------------------#
#         author by bossco            #
#   cp file/dir to remote server      #
#           2015.12.24                #
#-------------------------------------#
#前提：先要做SSH等效性，让SSH远程登陆不需要输入密码
#ssh-keygen 回车回车回车
#ssh-copy-id -i /root/.ssh/id_rsa.pub 远程服务器IP
#把远程服务器的IP地址ip.txt文件里

if [ ! -f ip.txt ];then
	echo -e "\033[31m please create ip.txt\033[0m"
	exit
fi

if [ -z "$1" ];then
	echo -e "\033[32mUsage: $0 command,example{src_files|src_dir  des_dir}\033[0m"
	exit
fi

count=`cat ip.txt | wc -l`
rm -rf ip.txt.swap
i=0
while ((i< $count))
do
i=`expr $i + 1`
sed "$(i)s/^/&$(i) /g" ip.txt >> ip.txt.swp
IP=`awk -v I="$i" '{if(I==$1)print $2}' ip.txt.swp`
scp -r $1 root@${ip}:$2
#rsync -aP --delete $1 root${ip}:$2
done

自动阻止3次SSH远程登陆输入密码错误的恶意IP

#!/bin/bash
#auto drop ssh failed IP address
#-------------------------------------#
#         author by bossco            #
#   auto drop ssh failed IP address   #
#           2015.12.23                #
#-------------------------------------#
#定义变量
SEC_FILE=/var/log/secure
IP_ADDR=`tail -n 1000 /var/log/secure | grep "failed password" | egrep -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort -nr | uniq -c | awk ' $1>=3 {print $2}'`
IPTABLE_CONF=/etc/sysconfig/iptables
echo
cat <<EOF
+++++++++++++++welcome to use ssh login drop failed ip +++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
EOF
for i in `echo IP_ADDR`
do
	cat $IPTABLE_CONF | grep $i >/dev/null
if
	[ $? -ne 0 ];then
	sed -i "/lo/a -A INPUT -s $i -m state --state NEW -p tcp --dport 22 -j DROP" $IPTABLE_CONF
else
	echo "$i is exists in iptalbes"
fi
done