文章目录
- 1. 介绍
- 2. Systemctl and Services
- 3. Install and investigate Services
- 4. Disable application on port
- 5. Investigate Linux Users
- 6. 总结
1. 介绍
2. Systemctl and Services
root@node2:~# apt-get install snapd root@node2:~# systemctl start snapd root@node2:~# systemctl status snapd ● snapd.service - Snap Daemon Loaded: loaded (/lib/systemd/system/snapd.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2021-05-25 05:18:53 PDT; 1s ago Main PID: 16265 (snapd) Tasks: 9 (limit: 2333) CGroup: /system.slice/snapd.service └─16265 /usr/lib/snapd/snapd May 25 05:18:53 node2 systemd[1]: Starting Snap Daemon... May 25 05:18:53 node2 snapd[16265]: AppArmor status: apparmor is enabled and all features are available May 25 05:18:53 node2 snapd[16265]: patch.go:64: Patching system state level 6 to sublevel 1... May 25 05:18:53 node2 snapd[16265]: patch.go:64: Patching system state level 6 to sublevel 2... May 25 05:18:53 node2 snapd[16265]: patch.go:64: Patching system state level 6 to sublevel 3... May 25 05:18:53 node2 snapd[16265]: daemon.go:347: started snapd/2.49.2+18.04 (series 16; classic) ubuntu/16.04 (amd64) linux/4.4.0-142-generic. May 25 05:18:53 node2 snapd[16265]: daemon.go:440: adjusting startup timeout by 30s (pessimistic estimate of 30s plus 5s per snap) May 25 05:18:53 node2 systemd[1]: Started Snap Daemon. root@node2:~# systemctl list-units --type=service --state=running |grep snap snapd.service loaded active running Snap Daemon root@node2:~# systemctl stop snapd Warning: Stopping snapd.service, but it can still be activated by: snapd.socket root@node2:~# systemctl disable snapd Removed /etc/systemd/system/multi-user.target.wants/snapd.service.
3. Install and investigate Services
root@node2:~# apt-get install -y vsftpd samba root@node2:~# systemctl status vsftpd ● vsftpd.service - vsftpd FTP server Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2021-05-25 05:25:26 PDT; 47s ago Main PID: 26713 (vsftpd) Tasks: 1 (limit: 2333) CGroup: /system.slice/vsftpd.service └─26713 /usr/sbin/vsftpd /etc/vsftpd.conf May 25 05:25:26 node2 systemd[1]: Starting vsftpd FTP server... May 25 05:25:26 node2 systemd[1]: Started vsftpd FTP server. root@node2:~# systemctl status smbd ● smbd.service - Samba SMB Daemon Loaded: loaded (/lib/systemd/system/smbd.service; enabled; vendor preset: enabled) Active: inactive (dead) Docs: man:smbd(8) man:samba(7) man:smb.conf(5) root@node2:~# systemctl start smbd root@node2:~# systemctl status smbd ● smbd.service - Samba SMB Daemon Loaded: loaded (/lib/systemd/system/smbd.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2021-05-25 05:26:32 PDT; 1s ago Docs: man:smbd(8) man:samba(7) man:smb.conf(5) Main PID: 29800 (smbd) Status: "smbd: ready to serve connections..." Tasks: 4 (limit: 2333) CGroup: /system.slice/smbd.service ├─29800 /usr/sbin/smbd --foreground --no-process-group ├─29803 /usr/sbin/smbd --foreground --no-process-group ├─29804 /usr/sbin/smbd --foreground --no-process-group └─29805 /usr/sbin/smbd --foreground --no-process-group May 25 05:26:31 node2 systemd[1]: Starting Samba SMB Daemon... May 25 05:26:32 node2 systemd[1]: Started Samba SMB Daemon. root@node2:~# ps aux |grep vsftpd root 26713 0.0 0.1 27068 2860 ? Ss 05:25 0:00 /usr/sbin/vsftpd /etc/vsftpd.conf root 31002 0.0 0.0 14416 1124 pts/0 S+ 05:27 0:00 grep --color=auto vsftpd root@node2:~# ps aux |grep smbd root 29800 0.1 1.0 351556 20892 ? Ss 05:26 0:00 /usr/sbin/smbd --foreground --no-process-group root 29803 0.0 0.2 341808 5796 ? S 05:26 0:00 /usr/sbin/smbd --foreground --no-process-group root 29804 0.0 0.2 341800 4500 ? S 05:26 0:00 /usr/sbin/smbd --foreground --no-process-group root 29805 0.0 0.2 351556 5484 ? S 05:26 0:00 /usr/sbin/smbd --foreground --no-process-group root 31218 0.0 0.0 14416 1048 pts/0 S+ 05:27 0:00 grep --color=auto smbd root@node2:~# netstat -ntlp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:10248 0.0.0.0:* LISTEN 9920/kubelet tcp 0 0 127.0.0.1:10249 0.0.0.0:* LISTEN 13541/kube-proxy tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 29800/smbd tcp 0 0 192.168.211.42:9099 0.0.0.0:* LISTEN 59899/calico-node tcp 0 0 0.0.0.0:179 0.0.0.0:* LISTEN 14549/bird tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 897/sshd tcp 0 0 192.168.211.42:36632 0.0.0.0:* LISTEN 9920/kubelet tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 29800/smbd tcp6 0 0 :::10250 :::* LISTEN 9920/kubelet tcp6 0 0 :::139 :::* LISTEN 29800/smbd tcp6 0 0 :::10256 :::* LISTEN 13541/kube-proxy tcp6 0 0 :::21 :::* LISTEN 26713/vsftpd tcp6 0 0 :::22 :::* LISTEN 897/sshd tcp6 0 0 :::445 :::* LISTEN 29800/smbd root@node2:~# vim /etc/samba/smb.conf interfaces = 127.0.0.0/8 eth0 #取消注释 bind interfaces only = yes #取消注释 root@node2:~# systemctl restart smbd.service #127.0.0.1绑定 root@node2:~# netstat -ntlp |grep smbd tcp 0 0 127.0.0.1:139 0.0.0.0:* LISTEN 36416/smbd tcp 0 0 127.0.0.1:445 0.0.0.0:* LISTEN 36416/smbd
4. Disable application on port
root@node2:~# netstat -nltp |grep 21 tcp 0 0 192.168.211.42:9099 0.0.0.0:* LISTEN 59899/calico-node tcp 0 0 192.168.211.42:36632 0.0.0.0:* LISTEN 9920/kubelet tcp6 0 0 :::21 :::* LISTEN 26713/vsftpd root@node2:~# lsof -i :21 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME vsftpd 26713 root 3u IPv6 19811710 0t0 TCP *:ftp (LISTEN) root@node2:~# systemctl list-units --type service |grep ftp vsftpd.service loaded active running vsftpd FTP server root@node2:~# systemctl status vsftpd ● vsftpd.service - vsftpd FTP server Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2021-05-25 05:25:26 PDT; 8min ago Main PID: 26713 (vsftpd) Tasks: 1 (limit: 2333) CGroup: /system.slice/vsftpd.service └─26713 /usr/sbin/vsftpd /etc/vsftpd.conf May 25 05:25:26 node2 systemd[1]: Starting vsftpd FTP server... May 25 05:25:26 node2 systemd[1]: Started vsftpd FTP server. root@node2:~# systemctl stop vsftpd root@node2:~# systemctl status vsftpd ● vsftpd.service - vsftpd FTP server Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled) Active: inactive (dead) since Tue 2021-05-25 05:34:07 PDT; 2s ago Process: 26713 ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf (code=killed, signal=TERM) Main PID: 26713 (code=killed, signal=TERM) May 25 05:25:26 node2 systemd[1]: Starting vsftpd FTP server... May 25 05:25:26 node2 systemd[1]: Started vsftpd FTP server. May 25 05:34:07 node2 systemd[1]: Stopping vsftpd FTP server... May 25 05:34:07 node2 systemd[1]: Stopped vsftpd FTP server. root@node2:~# netstat -nltp |grep 21 tcp 0 0 192.168.211.42:9099 0.0.0.0:* LISTEN 59899/calico-node tcp 0 0 192.168.211.42:36632 0.0.0.0:* LISTEN 9920/kubelet
5. Investigate Linux Users
root@node2:~# whoami root root@node2:~# tail /etc/passwd systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false syslog:x:104:108::/home/syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false messagebus:x:106:110::/var/run/dbus:/bin/false uuidd:x:107:111::/run/uuidd:/bin/false spectre:x:1000:1000:ubuntu64,,,:/home/spectre:/bin/bash sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin grafana:x:1001:1001::/home/grafana: ftp:x:103:105:ftp daemon,,,:/srv/ftp:/bin/false root@node2:~# su ubuntu No passwd entry for user 'ubuntu' root@node2:~# su - ubuntu No passwd entry for user 'ubuntu' root@node2:~# useradd test root@node2:~# passwd test Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully root@node2:~# su test test@node2:/root$ whoami test test@node2:/root$ exit exit root@node2:~# ps aux |grep bash root 49317 0.0 0.0 14416 1068 pts/0 S+ 05:40 0:00 grep --color=auto bash spectre 62942 0.0 0.2 22708 5016 pts/0 Ss May24 0:00 -bash root 63061 0.0 0.2 23060 5736 pts/0 S May24 0:00 -bash root@node2:~# su test test@node2:/root$ ps aux |grep bash test 49440 0.0 0.1 21384 3936 pts/0 S 05:40 0:00 bash test 49555 0.0 0.0 14416 1128 pts/0 S+ 05:40 0:00 grep bash spectre 62942 0.0 0.2 22708 5016 pts/0 Ss May24 0:00 -bash root 63061 0.0 0.2 23060 5736 pts/0 S May24 0:00 -bash
6. 总结