使用strace命令跟踪用户执行的命令

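#!/bin/bash
# Log the commands run by SSH users: attach strace to the sshd listener
# and print every execve() made by the sessions it forks from now on.
#
# Coverage notes:
#   - Only programs that are exec'd are seen (-e trace=execve); shell
#     builtins and anything inside an already-running process are not.
#   - Only sessions forked after attach are traced; existing logins are
#     not affected.
#   - strace prints argument strings up to 256 bytes (-s 256), so the
#     output can contain secrets passed on command lines; treat it as
#     sensitive.
#   - Attaching to sshd with ptrace needs root (or CAP_SYS_PTRACE);
#     strace reports the error itself if that is missing.
set -u -o pipefail

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print the PID(s) of sshd processes whose parent is PID 1 (the listener).
# Outputs: one PID per line on stdout; nothing if none is found.
#######################################
find_sshd_listener() {
  ps -ef | grep "[s]shd" | awk '{ if ( $3 == "1" ) print $2 }'
}

#######################################
# Check that a candidate PID is a single positive integer naming a
# process that exists right now.  This guards the value before it is
# handed to strace -p, which the original prompt did not do.
# Arguments: $1 - candidate PID (untrusted operator input)
# Returns:   0 if valid, 1 otherwise
#######################################
is_live_pid() {
  [[ "$1" =~ ^[0-9]+$ ]] && [[ -d "/proc/$1" ]]
}

#######################################
# Extract the PID from a strace -f output line of the form
# "[pid N] execve(...)".
# Arguments: $1 - one line of strace output
# Outputs:   the PID on stdout, or nothing when the line has no
#            "[pid N]" prefix (strace omits it while only one process
#            is traced)
#######################################
pid_from_trace_line() {
  local line=$1
  if [[ "$line" =~ ^\[pid[[:space:]]+([0-9]+)\] ]]; then
    printf '%s\n' "${BASH_REMATCH[1]}"
  fi
}

#######################################
# Map a PID to the user name owning it, via the real UID in
# /proc/<pid>/status and a lookup in /etc/passwd.
# Arguments: $1 - PID (may be empty)
# Outputs:   user name on stdout, or "unknown" when the PID is empty,
#            the process has already exited, or the UID has no passwd
#            entry
#######################################
username_for_pid() {
  local pid=$1 uid name
  # The traced process may have exited between the execve line and this
  # lookup, so the status file is checked rather than assumed.
  if [[ -z "$pid" || ! -r "/proc/$pid/status" ]]; then
    printf '%s\n' "unknown"
    return 0
  fi
  uid=$(awk '/^Uid:/ { print $2; exit }' "/proc/$pid/status")
  name=$(awk -F: -v uid="$uid" '$3 == uid { print $1; exit }' /etc/passwd)
  printf '%s\n' "${name:-unknown}"
}

#######################################
# Prompt the operator for the sshd PID, then stream execve events.
# Globals:   none
# Arguments: none
# Outputs:   one line per execve on stdout:
#            "[<timestamp>] EXECUTED COMMAND by <user>: <strace line>"
# Returns:   exits 1 when no usable PID is available
#######################################
main() {
  local ssh_root_proc ssh_pid line pid username current_time

  ssh_root_proc=$(find_sshd_listener)
  echo "已发现 SSH 守护进程 PID: $ssh_root_proc"
  echo "请核对下面的输出以确认该 PID 是否正常"
  echo
  ps -ef | grep "[s]shd"
  echo
  echo "如果正常请按 y/Y,否则输入正常的 PID 后按回车,注意是带 -D 选项的进程,按 Ctrl-C 退出"
  read -r ssh_pid

  if [[ "$ssh_pid" == "y" || "$ssh_pid" == "Y" ]]; then
    ssh_pid=$ssh_root_proc
  fi
  # Reject empty, non-numeric, multi-line or dead PIDs before they reach
  # strace -p; the original script only rejected the empty case.
  is_live_pid "$ssh_pid" || die "未输入正常的 PID"

  # strace writes to stderr; fold it into the pipe.  The loop body runs in
  # a subshell, which is fine because nothing needs to survive it.
  strace -f -e trace=execve -s 256 -p "$ssh_pid" 2>&1 | while IFS= read -r line; do
    # Skip attach/exit/signal lines; only execve events are of interest.
    [[ "$line" == *execve* ]] || continue
    pid=$(pid_from_trace_line "$line")
    username=$(username_for_pid "$pid")
    current_time=$(date "+%Y-%m-%d %H:%M:%S")
    # printf keeps the line verbatim; echo with an unquoted variable would
    # re-split and re-join it.
    printf '[%s] EXECUTED COMMAND by %s: %s\n' "$current_time" "$username" "$line"
  done
}

main "$@"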

运行脚本,输入 y 开始监听。由于 strace 只附加到 sshd 守护进程并跟踪它之后 fork 出的子进程,所以只对新登录的用户有效,运行前已登录的会话不会被跟踪。