Home>Programming related>Other source code
Download

LinuxCheck

Linux emergency response/information collection/vulnerability detection tool, supports basic configuration/network traffic/task plan/environment variables/user information/Services/bash/malicious files/kernel Rootkit/SSH/Webshell/mining files/mining process/supply 70+ inspections in 13 categories including chain/server risks

renew

Update log: April 20, 2024

  • Adjust output to Markdown report
  • Abandon ag and use the Linux native grep command to avoid additional installation
  • Optimize the code format, no longer need tee -a for every line
  • Update Webshell detection logic
  • Update authorized_keys detection logic
  • Server Risk Check adds JDWP and Python HTTP Server checks
  • Add Docker container detection
  • Add PAM backdoor detection
  • Add local report upload capability to deal with emergencies of batch machines.

Update log: August 5, 2022

  • Fix the problem of too many kernel module check logs

Update log: March 07, 2022

  • Add SSH soft connection backdoor detection

Update date: October 17, 2021

  • Added Ntpclient/WorkMiner/TeamTNT mining Trojan detection
  • Add Rootkit module detection logic
  • Add Python pip poisoning detection
  • Add $HOME/.profile to view
  • Add server risk check (Redis)

Function

  • Basic configuration check
    • System configuration change check
    • System information (IP address/user/boot time/system version/Hostname/server SN)
    • CPU usage
    • Login user information
    • CPU TOP 15
    • Memory TOP 15
    • Check remaining disk space
    • Hard drive mount
    • Commonly used software checks
    • /etc/hots
  • Network/traffic inspection
    • ifconfig
    • network traffic
    • Port listening
    • Open port
    • network connection
    • TCP connection status
    • routing table
    • Routing and forwarding
    • DNS Server
    • ARP
    • Network card promiscuous mode check
    • iptables firewall
  • Task plan check
    • Current user task plan
    • /etc/system task schedule
    • Task schedule file creation time
    • crontab backdoor troubleshooting
  • Environment variable check
    • env
    • path
    • LD_PRELOAD
    • LD_ELF_PRELOAD
    • LD_AOUT_PRELOAD
    • PROMPT_COMMAND
    • LD_LIBRARY_PATH
    • ld.so.preload
  • User information check
    • Users who can log in
    • passwd file modification date
    • sudoers
    • Login information (w/last/lastlog)
    • Historical login ip
  • Services check
    • SystemD run service
    • SystemD service creation time
  • bash check
    • History
    • History command audit
    • /etc/profile
    • $HOME/.profile
    • /etc/rc.local
    • ~/.bash_profile
    • ~/.bashrc
    • bash rebound shell
  • Document check
    • ...hidden files
    • System file modification time detection
    • Temporary file check (/tmp /var/tmp /dev/shm)
    • alias
    • suid special permission check
    • Process file not found
    • mtime of file changes in the past seven days
    • ctime of file changes in the past seven days
    • Large file >200mb
    • Sensitive file auditing (nmap/sqlmap/ew/frp/nps and other common tools for hackers)
    • Suspicious hacker files (programs such as wget/curl uploaded by hackers, or malicious programs changed to normal software such as nps files to mysql)
  • Kernel Rootkit Check
    • lsmod suspicious module
    • Kernel symbol table check
    • rootkit hunter check
    • rootkit .ko module check
  • SSH check
    • SSH blasting
    • SSHD detection
    • SSH backdoor configuration
    • SSH inetd backdoor check
    • SSH key
  • Webshell check
    • php webshell check
    • jsp webshell check
  • Mining file/process check
    • Mining file check
    • Mining process check
    • WorkMiner detection
    • Ntpclient detection
  • Supply chain poisoning inspection
    • Python PIP poisoning check
  • Server risk check
    • Redis weak password detection
    • JDWP service detection
    • Python http.server detection
  • Docker permission check

Usage

The first way: install through git clone 

git clone https://github.com/al0ne/LinuxCheck.git
chmod u+x LinuxCheck.sh
./LinuxCheck.sh

The second method: call directly online [you cannot use the report uploading ability if you call online] 

 bash -c "$(curl -sSL https://raw.githubusercontent.com/al0ne/LinuxCheck/master/LinuxCheck.sh)"

The file will be saved in the format ipaddr_hostname_username_timestamp.log

Reports are automatically uploaded

If it is delivered to batch machines, the script will be automatically submitted to a certain URL after execution. Change the webhook_url in the script to your own address. 

 # 报告上报的地址
webhook_url= ' http://localhost:5000/upload '

upload_report () {

  # 上传到指定接口
  if [[ -n $webhook_url ]] ; then
    curl -X POST -F " file=@ $filename " " $webhook_url "
  fi

}

Use Flask to start a service on your server to receive the Markdown report reported by the server. 

 from flask import Flask , request

app = Flask ( __name__ )

@ app . route ( '/upload' , methods = [ 'POST' ])
def upload_file ():
    if 'file' not in request . files :
        return "No file part" , 400
    file = request . files [ 'file' ]
    if file . filename == '' :
        return "No selected file" , 400
    if file :
        filename = file . filename
        file . save ( filename )
        return "File successfully uploaded" , 200

if __name__ == '__main__' :
    app . run ( debug = True , host = "0.0.0.0" , port = 9999 )

refer to

The writing of this tool mainly refers to the following tools/articles and is completed based on personal experience.

Linenum https://github.com/lis912/Evaluation_tools
https://ixyzero.com/blog/archives/4.html
https://github.com/T0xst/linux
https://github.com/grayddq/GScan

Expand
Additional Information
Related Applications
Recommended for You
Related Information All
User Comments