# readme.md(For Emergency Response)

## readme.md

```
################README################

################Author################
Author:kayden
Mail:kayden@hscsec.cn
Website:www.hscsec.cn
######################################
Usage：
wget --http-user=er@hscsec.cn  --http-passwd=HSC2019   https://er.hscsec.cn/er.sh && chmod +777 er.sh && ./er.sh
Output:
result.log
################Other instructions################
其他说明
用户信息文件 /etc/passwd
root:x:0:0:root:/root:/bin/bash
account:password:UID:GID:GECOS:directory:shell
用户名：密码：用户ID：组ID：用户说明：家目录：登陆之后的 shell
注意：无密码只允许本机登陆，远程不允许登陆

影子文件 /etc/shadow
root:$6$oGs1PqhL2p3ZetrE$X7o7bzoouHQVSEmSgsYN5UD4.kMHx6qgbTqwNVC5oOAouXvcjQSt.Ft7ql1WpkopY0UV9ajBwUt1DpYxTCVvI/:16809:0:99999:7:::
用户名：加密密码：密码最后一次修改日期：两次密码的修改时间间隔：密码有效期：密码修改到期到的警告天数：密码过期之后的宽限天数：账号失效时间：保留

查询特权用户特权用户(uid 为0)
awk -F: '$3==0{print $1}' /etc/passwd
查询可以远程登录的帐号信息
awk '/\$1|\$6/{print $1}' /etc/shadow

禁用或删除多余及可疑的帐号
usermod -L user    禁用帐号，帐号无法登录，/etc/shadow 第二栏为 ! 开头
userdel user       删除 user 用户
userdel -r user    将删除 user 用户，并且将 /home 目录下的 user 目录一并删除

获取并记录进程的文件路径：
ls -l /proc/$PID/exe
file /proc/$PID/exe
杀进程
kill -9 $PID

下线用户
pkill -kill -t pts/1

################Rootkit查杀################
chkrootkit
http://www.chkrootkit.org](http://www.chkrootkit.org
使用方法：
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar zxvf chkrootkit.tar.gz
cd chkrootkit-0.52
make sense
#编译完成没有报错的话执行检查
./chkrootkit
################rkhunter################
rkhunter
http://rkhunter.sourceforge.net](http://rkhunter.sourceforge.net
使用方法：
Wget https://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.4/rkhunter-1.4.4.tar.gz
tar -zxvf rkhunter-1.4.4.tar.gz
cd rkhunter-1.4.4
./installer.sh --install
rkhunter -c
################2.2 病毒查杀################
Clamav
http://www.clamav.net/download.html](http://www.clamav.net/download.html
安装方式一：
1、安装 zlib：
wget http://nchc.dl.sourceforge.net/project/libpng/zlib/1.2.7/zlib-1.2.7.tar.gz 
tar -zxvf  zlib-1.2.7.tar.gz
cd zlib-1.2.7
#安装一下gcc编译环境： yum install gcc
CFLAGS="-O3 -fPIC" ./configure --prefix= /usr/local/zlib/
make && make install
2、添加用户组 clamav 和组成员 clamav：
groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
3、安装 Clamav
tar –zxvf clamav-0.97.6.tar.gz
cd clamav-0.97.6
./configure --prefix=/opt/clamav --disable-clamav -with-zlib=/usr/local/zlib
make
make install
4、配置 Clamav
mkdir /opt/clamav/logs
mkdir /opt/clamav/updata
touch /opt/clamav/logs/freshclam.log
touch /opt/clamav/logs/clamd.log
cd /opt/clamav/logs
chown clamav:clamav clamd.log
chown clamav:clamav freshclam.log
5、ClamAV 使用：
 /opt/clamav/bin/freshclam 升级病毒库
./clamscan –h 查看相应的帮助信息
./clamscan -r /home  扫描所有用户的主目录就使用
./clamscan -r --bell -i /bin  扫描bin目录并且显示有问题的文件的扫描结果
安装方式二：
#安装
yum install -y clamav
#更新病毒库
freshclam
#扫描方法
clamscan -r /etc --max-dir-recursion=5 -l /root/etcclamav.log
clamscan -r /bin --max-dir-recursion=5 -l /root/binclamav.log
clamscan -r /usr --max-dir-recursion=5 -l /root/usrclamav.log
#扫描并杀毒
clamscan -r  --remove  /usr/bin/bsd-port
clamscan -r  --remove  /usr/bin/
clamscan -r --remove  /usr/local/zabbix/sbin
#查看日志发现
cat /root/usrclamav.log |grep FOUND
################2.3 webshell查杀################
mkdir -p /tmp/hm
cd /tmp/hm
wget https://dl.shellpub.com/hm/latest/hm-linux-amd64.tgz?version=1.8.2  -O /tmp/hm/hm-linux-amd64.tgz
tar xvf hm-linux-*.tgz
./hm scan <path>
################################################

```

### 如何下载

```
wget --http-user=er@hscsec.cn  --http-passwd=HSC2019   https://download.hscsec.cn/er.sh && chmod +777 er.sh && ./er.sh
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs-download.hscsec.cn/readme.md-for-emergency-response.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.