{"id":13538009,"url":"https://github.com/al0ne/linuxcheck","last_synced_at":"2025-04-11T16:38:51.214Z","repository":{"id":39098228,"uuid":"162132748","full_name":"al0ne/LinuxCheck","owner":"al0ne","description":"Linux incident response / information gathering / vulnerability detection tool, supporting 13 categories and 70+ checks: basic configuration, network traffic, scheduled tasks, environment variables, user information, services, bash, malicious files, kernel rootkits, SSH, webshells, mining files, mining processes, supply chain and server risks","archived":false,"fork":false,"pushed_at":"2024-06-19T02:13:41.000Z","size":542,"stargazers_count":1902,"open_issues_count":1,"forks_count":406,"subscribers_count":49,"default_branch":"master","last_synced_at":"2025-04-03T20:08:53.324Z","etag":null,"topics":["check","linux","rkhunter","shell-script"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/al0ne.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-12-17T13:13:16.000Z","updated_at":"2025-04-03T04:18:43.000Z","dependencies_parsed_at":"2024-01-16T15:41:03.895Z","dependency_job_id":"4cf82b6f-236b-42f4-9c5a-07d349a898a5","html_url":"https://github.com/al0ne/LinuxCheck","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/al0ne%2FLinuxCheck","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/al0ne%2FLinuxCheck/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/al0ne%2FLinuxCheck/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/al0ne%2FLinuxCheck/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/al0ne","download_url":"https://codeload.github.com/al0ne/LinuxCheck/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248441881,"owners_count":21104093,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["check","linux","rkhunter","shell-script"],"created_at":"2024-08-01T09:01:05.740Z","updated_at":"2025-04-11T16:38:51.187Z","avatar_url":"https://github.com/al0ne.png","language":"Shell","funding_links":[],"categories":["\u003ca id=\"9eee96404f868f372a6cbc6769ccb7f8\"\u003e\u003c/a\u003eTools","\u003ca id=\"9eee96404f868f372a6cbc6769ccb7f8\"\u003e\u003c/a\u003eNewly added"],"sub_categories":["\u003ca id=\"31185b925d5152c7469b963809ceb22d\"\u003e\u003c/a\u003eNewly added"],"readme":"# LinuxCheck\n\nLinux incident response / information gathering / vulnerability detection tool, supporting 13 categories and 70+ checks: basic configuration, network traffic, scheduled tasks, environment variables, user information, services, bash, malicious files, kernel rootkits, SSH, webshells, mining files, mining processes, supply chain and server risks\n\n## Updates\n\nChangelog: 20 April 2024\n\n- Output changed to a Markdown report\n- Dropped ag and went back to the native Linux grep command, so nothing extra needs installing\n- Tidied the code layout; no longer `tee -a` on every single line\n- Updated the webshell detection logic\n- Updated the authorized_keys detection logic\n- Added JDWP and Python HTTP server checks to the server risk check\n- Added Docker container detection\n- Added PAM backdoor detection\n- Added local report upload, for incident response across a batch of machines.\n\nChangelog: 5 August 2022\n\n- Fixed excessive log output from the kernel module check\n\nChangelog: 7 March 2022\n\n- Added SSH symlink backdoor detection\n\nUpdate date: 17 October 2021\n\n- Added Ntpclient/WorkMiner/TeamTNT mining trojan detection\n- Added rootkit module detection logic\n- Added Python pip poisoning detection\n- Added $HOME/.profile inspection\n- Added server risk check (Redis)\n\n## Features\n\n* Basic configuration checks\n    * System configuration change check\n    * System information (IP address / users / uptime / OS version / hostname / server serial number)\n    * CPU usage\n    * Logged-in user information\n    * CPU top 15\n    * Memory top 15\n    * Free disk space check\n    * Disk mounts\n    * Common software check\n    * /etc/hosts\n* Network / traffic checks\n    * ifconfig\n    * Network traffic\n    * Listening ports\n    * Externally open ports\n    * Network connections\n    * TCP connection states\n    * Routing table\n    * IP forwarding\n    * DNS servers\n    * ARP\n    * NIC promiscuous mode check\n    * iptables firewall\n* Scheduled task checks\n    * Current user's crontab\n    * /etc/ system crontabs\n    * Creation time of crontab files\n    * crontab backdoor check\n* Environment variable checks\n    * env\n    * path\n    * LD_PRELOAD\n    * LD_ELF_PRELOAD\n    * LD_AOUT_PRELOAD\n    * PROMPT_COMMAND\n    * LD_LIBRARY_PATH\n    * ld.so.preload\n* User information checks\n    * Users able to log in\n    * passwd file modification date\n    * sudoers\n    * Login information (w/last/lastlog)\n    * Historical login IPs\n* Service checks\n    * Running systemd services\n    * systemd service creation times\n* bash checks\n    * History\n    * History command audit\n    * /etc/profile\n    * $HOME/.profile\n    * /etc/rc.local\n    * ~/.bash_profile\n    * ~/.bashrc\n    * bash reverse shell\n* File checks\n    * ... hidden files\n    * System file modification time check\n    * Temporary file check (/tmp /var/tmp /dev/shm)\n    * alias\n    * suid special permission check\n    * Running processes whose executable file is missing\n    * Files changed in the last seven days (mtime)\n    * Files changed in the last seven days (ctime)\n    * Large files \u003e 200 MB\n    * Sensitive file audit (nmap/sqlmap/ew/frp/nps and other tools commonly used by attackers)\n    * Suspicious attacker files (wget/curl and similar programs uploaded by an attacker, or malicious programs renamed to look like normal software, e.g. an nps binary renamed to mysql)\n* Kernel rootkit checks\n    * lsmod suspicious modules\n    * Kernel symbol table check\n    * rootkit hunter check\n    * rootkit .ko module check\n* SSH checks\n    * SSH brute force\n    * SSHD check\n    * SSH backdoor configuration\n    * SSH inetd backdoor check\n    * SSH keys\n* Webshell checks\n    * php webshell check\n    * jsp webshell check\n* Mining file / process checks\n    * Mining file check\n    * Mining process check\n    * WorkMiner detection\n    * Ntpclient detection\n* Supply chain poisoning checks\n    * Python PIP poisoning check\n* Server risk checks\n    * Redis weak password detection\n    * JDWP service detection\n    * Python http.server detection\n* Docker permission check\n\n## Usage\n\nOption 1: install via git clone\n\n```bash\ngit clone https://github.com/al0ne/LinuxCheck.git\nchmod u+x LinuxCheck.sh\n./LinuxCheck.sh\n```\nOption 2: run directly from the network (when run this way, report upload is not available)\n\n```\nbash -c \"$(curl -sSL https://raw.githubusercontent.com/al0ne/LinuxCheck/master/LinuxCheck.sh)\"\n```\n\nThe report is saved as a file named in the form ipaddr_hostname_username_timestamp.log\n\n### Automatic report upload\n\nWhen the script is pushed out to a batch of machines, it submits the report to a URL after it finishes; change webhook_url inside the script to your own address.\n\n```shell\n# Address the report is submitted to\nwebhook_url='http://localhost:5000/upload'\n\nupload_report() {\n\n  # Upload to the configured endpoint\n  if [[ -n $webhook_url ]]; then\n    curl -X POST -F \"file=@$filename\" \"$webhook_url\"\n  fi\n\n}\n```\n\nRun a Flask service on your own server to receive the Markdown reports the hosts submit.\n\n```python\nimport os\n\nfrom flask import Flask, request\nfrom werkzeug.utils import secure_filename\n\napp = Flask(__name__)\n\n# Directory the submitted reports are written to\nUPLOAD_DIR = 'reports'\nos.makedirs(UPLOAD_DIR, exist_ok=True)\n\n@app.route('/upload', methods=['POST'])\ndef upload_file():\n    if 'file' not in request.files:\n        return \"No file part\", 400\n    file = request.files['file']\n    if file.filename == '':\n        return \"No selected file\", 400\n    # secure_filename strips path components, so a client-supplied name\n    # cannot escape UPLOAD_DIR\n    filename = secure_filename(file.filename)\n    if not filename:\n        return \"Invalid filename\", 400\n    file.save(os.path.join(UPLOAD_DIR, filename))\n    return \"File successfully uploaded\", 200\n\nif __name__ == '__main__':\n    # Keep the Werkzeug debugger off on a service reachable from other hosts.\n    # The script's default webhook_url uses port 5000; change one side so they match.\n    app.run(debug=False, host=\"0.0.0.0\", port=9999)\n```\n\n## References\n\nThis tool was written mainly with reference to the following tools/articles, combined with personal experience.\n\nLinenum\nhttps://github.com/lis912/Evaluation_tools  \nhttps://ixyzero.com/blog/archives/4.html  \nhttps://github.com/T0xst/linux  \nhttps://github.com/grayddq/GScan  \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fal0ne%2Flinuxcheck","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fal0ne%2Flinuxcheck","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fal0ne%2Flinuxcheck/lists"}