Finding malicious processes and connections on Linux with netstat and lsof, then grepping out public (external) IP addresses

Linux commands

Malicious files and the network connections they open can be identified with the two commands below.

1) Netstat:

- The command # netstat -an shows all current network connections together with their port numbers. Run it with root privileges so that every socket is listed.

2) Lsof:

lsof is one of the most useful utilities for spotting unusual activity, because it maps an open network port to the actual file on the computer's disk and the process that owns it.

The command below, executed with root privileges, shows the process responsible for a given network connection.

# lsof -RPni :8813

Where 8813 is the TCP port on the remote server to which netstat shows an outgoing connection (-i :8813 matches that port on either end of the connection, so check the foreign address in the output).

Execute the command below to find which files are in use by that process.

# lsof -Pnp <pid>

where pid is the process id reported by the previous command.

Match IP addresses:
grep -P '(?<=[^0-9.]|^)[1-9][0-9]{0,2}(\.([0-9]{1,3})){3}(?=[^0-9.]|$)' yourfile

Match only the IP address column (each octet limited to 0-255):
grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" yourfile

Match public addresses (excludes the RFC 1918 ranges 10/8, 172.16/12 and 192.168/16; the prefixes are anchored with a trailing dot so that, for example, 100.x.x.x and 172.32.x.x are not dropped by mistake):
grep -P '\b(?!(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.))(?:(?:2(?:[0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9])\.){3}(?:(?:2([0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9]))\b' yourfile
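The full procedure above (netstat output, keep only connections whose foreign address is public, then note the PID to feed to lsof -Pnp) as one added shell function; this is example code written for this page, not part of the original note. It assumes netstat -anp style output (the sample below is constructed) and, going beyond the grep above, also drops loopback, link-local and 0.0.0.0 addresses.

```shell
#!/bin/sh
# Constructed sample of `netstat -anp` output for this example (not a real capture).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:22             10.0.0.9:51422          ESTABLISHED 1021/sshd
tcp        0      0 10.0.0.5:43811          172.31.4.7:443          ESTABLISHED 1340/curl
tcp        0      0 10.0.0.5:51230          203.0.113.17:8813       ESTABLISHED 2719/.x
tcp        0      0 127.0.0.1:6379          127.0.0.1:40102         ESTABLISHED 990/redis-server
tcp        0      0 10.0.0.5:38822          192.168.1.20:8080       TIME_WAIT   -
tcp        0      0 10.0.0.5:40910          198.51.100.8:443        ESTABLISHED 1340/curl
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -'

# One dotted-quad octet limited to 0-255, and a full IPv4 address built from it.
OCTET='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
IPV4="$OCTET(\\.$OCTET){3}"

# Prefixes that are never public: RFC 1918, loopback, link-local, unspecified.
# Each prefix ends in a dot so 100.x.x.x / 172.32.x.x are not excluded by accident.
PRIVATE='(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.|0\.)'

# Print "foreign_ip pid/program" for every connection whose foreign address is public.
# $1 is netstat -anp output; field 5 is Foreign Address, field 7 is PID/Program name.
public_remote_connections() {
  printf '%s\n' "$1" \
    | awk 'NR > 1 { ip = $5; sub(/:[0-9*]+$/, "", ip); print ip, $7 }' \
    | grep -E "^$IPV4 " \
    | grep -vE "^$PRIVATE"
}

# Usage: each PID printed here is the argument for `lsof -Pnp <pid>`.
public_remote_connections "$SAMPLE_NETSTAT"
```

On a live host replace the sample with `$(netstat -anp)` (or parse `ss -tunap`, which prints the same columns in a different layout).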