Venustech (启明星辰) EDR refuses connections after a long period without access

Introduction: the Venustech Endpoint Advanced Threat Detection and Response System (EDR for short) helps build a new generation of endpoint security protection. Built around full collection of endpoint runtime information and an inventory of business assets, it applies a "data follows activity" mechanism (数据随动机制) to dynamically adjust what information is taken in and produced, so that detection dimensions change with the phase of an attack, response methods change with the threat, and the tracing perspective changes over time, continuously providing threat detection and response for endpoints. By mapping high-risk commands, malicious behaviour, single-point threats and resident malicious code onto a security matrix, it detects and responds to advanced persistent threats and cuts the attack chain off early. From the attacker's perspective it helps administrators see that a security threat occurred, see it clearly and see it in full, giving solid support for handling the threat and for the follow-up remediation.

Tianxun (天珣) Endpoint Advanced Threat Detection and Response System

During the Spring Festival the EDR back-end web interface was not opened for more than ten days in a row; on the next attempt the browser reported that the connection was refused.

A telnet connection to the web port fails as well:

telnet 192.168.0.59 8848

An ssh connection succeeds, so the host itself is not down.

But the web page still cannot be reached.

Solution:

Tomcat had hung (假死, "playing dead") because it had not been accessed for so long. Killing the Tomcat process is enough:

kill -9 6156

PS: the terminal session from the troubleshooting is attached below.

# ping 192.168.0.59
PING 192.168.0.59 (192.168.0.59) 56(84) bytes of data.
64 bytes from 192.168.0.59: icmp_seq=1 ttl=63 time=44.3 ms
64 bytes from 192.168.0.59: icmp_seq=2 ttl=63 time=0.521 ms
64 bytes from 192.168.0.59: icmp_seq=3 ttl=63 time=0.479 ms
64 bytes from 192.168.0.59: icmp_seq=4 ttl=63 time=2.17 ms
64 bytes from 192.168.0.59: icmp_seq=5 ttl=63 time=0.445 ms
64 bytes from 192.168.0.59: icmp_seq=6 ttl=63 time=0.531 ms
^C
--- 192.168.0.59 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5066ms
rtt min/avg/max/mdev = 0.445/8.078/44.327/16.222 ms

┌──(root㉿kali)-[~]
└─# telnet 192.168.0.59 8848
Trying 192.168.0.59...
telnet: Unable to connect to remote host: Connection refused

┌──(root㉿kali)-[~]
└─# ssh 192.168.0.59
root@192.168.0.59's password:
Last failed login: Tue Jan 31 13:06:28 CST 2023 from 192.168.2.111 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Thu Aug 11 15:52:03 2022 from 192.168.8.141
[root@0-59-qimingxing ~]# w
 13:12:38 up 147 days, 22:40,  1 user,  load average: 0.54, 0.85, 0.96
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    192.168.2.111    13:09    6.00s  0.02s  0.01s w
您在 /var/spool/mail/root 中有新邮件
[root@0-59-qimingxing ~]# df -h
文件系统             容量  已用  可用 已用% 挂载点
/dev/mapper/VG-root  950G   43G  907G    5% /
devtmpfs              32G     0   32G    0% /dev
tmpfs                 32G     0   32G    0% /dev/shm
tmpfs                 32G  3.2G   29G   11% /run
tmpfs                 32G     0   32G    0% /sys/fs/cgroup
/dev/sda1           1014M  133M  882M   14% /boot
tmpfs                6.3G     0  6.3G    0% /run/user/0
您在 /var/spool/mail/root 中有邮件
[root@0-59-qimingxing ~]# jps
10802 TaskManagerRunner
8917 Kafka
11206 EDRchannel.jar
24472 VFLinkRest
8329 Elasticsearch
31977 QuorumPeerMain
24922 Jps
10491 StandaloneSessionClusterEntrypoint
6156 Bootstrap
[root@0-59-qimingxing ~]# top
top - 13:35:26 up 147 days, 23:03,  1 user,  load average: 0.84, 0.90, 0.96
Tasks: 242 total,   1 running, 241 sleeping,   0 stopped,   0 zombie
%Cpu(s):  9.4 us,  2.7 sy,  0.0 ni, 87.7 id,  0.0 wa,  0.0 hi,  0.1 si,  0.0 st
KiB Mem : 65974532 total,   609272 free, 57066560 used,  8298700 buff/cache
KiB Swap: 33030140 total, 23068136 free,  9962004 used.  5730276 avail Mem
 Unknown command - try 'h' for help
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 8329 edr_es    20   0   44.2g  21.7g  17900 S  90.0 34.5  34921:57 java
 6156 root      20   0   33.6g  14.7g  13740 S  47.5 23.4   4416:15 java
10802 root      20   0   16.6g   6.8g   7608 S  16.9 10.8  28057:09 java
 8917 root      20   0   15.9g   3.2g   7272 S   8.0  5.1  17686:18 java
 9062 rabbitmq  20   0 9918488 130436   2752 S   6.3  0.2  10214:03 beam.smp
 7818 mysql     20   0 5407480 911784   4704 S   3.0  1.4   2205:10 mysqld
 8554 root      20   0  210680   3436    908 S   3.0  0.0   1248:19 redis-server
28190 root      20   0  113180   1664   1396 S   2.3  0.0   0:00.07 kafka-run-cl
10491 root      20   0   11.4g   1.1g   6660 S   2.0  1.7   4553:17 java
31977 root      20   0   23.2g 308904   5976 S   2.0  0.5 171:55.08 java
24472 root      20   0   21.8g 492208  15568 S   1.0  0.7  47:03.45 java
    1 root      20   0  126364   2372   1328 S   0.3  0.0 137:50.98 systemd
   10 root      20   0       0      0      0 S   0.3  0.0 849:59.60 rcu_sched
   19 root      rt   0       0      0      0 S   0.3  0.0  47:07.53 migration/2
   34 root      rt   0       0      0      0 S   0.3  0.0  26:41.78 migration/5
 8556 root      20   0  295672   4660    412 S   0.3  0.0 433:33.15 redis-server
27326 root      20   0  162136   2404   1596 R   0.3  0.0   0:00.11 top
28089 root      20   0  113444   1760   1356 S   0.3  0.0   0:00.01 EDR_CheckSer
    2 root      20   0       0      0      0 S   0.0  0.0   0:20.48 kthreadd
    3 root      20   0       0      0      0 S   0.0  0.0  19:29.05 ksoftirqd/0
    5 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/0:0H
    6 root      20   0       0      0      0 S   0.0  0.0   9:53.80 kworker/u32:
    8 root      rt   0       0      0      0 S   0.0  0.0  30:27.92 migration/0
    9 root      20   0       0      0      0 S   0.0  0.0   0:00.00 rcu_bh
   11 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 lru-add-drai
您在 /var/spool/mail/root 中有邮件
[root@0-59-qimingxing ~]# df -h
文件系统             容量  已用  可用 已用% 挂载点
/dev/mapper/VG-root  950G   43G  907G    5% /
devtmpfs              32G     0   32G    0% /dev
tmpfs                 32G     0   32G    0% /dev/shm
tmpfs                 32G  3.2G   29G   11% /run
tmpfs                 32G     0   32G    0% /sys/fs/cgroup
/dev/sda1           1014M  133M  882M   14% /boot
tmpfs                6.3G     0  6.3G    0% /run/user/0

[root@0-59-qimingxing ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor p
   Active: inactive (dead)
     Docs: man:firewalld(1)

[root@0-59-qimingxing ~]# ps -ef | grep tomcat
root      6156     1 11 1月04 ?       3-01:38:46 /opt/jdk/bin/java -Djava.util.ls -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dlog4j2.for8 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catndorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-jupt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstra
root     17963  3698  0 13:59 pts/0    00:00:00 grep --color=auto tomcat
您在 /var/spool/mail/root 中有邮件
[root@0-59-qimingxing ~]# kill -9 6156
您在 /var/spool/mail/root 中有邮件
[root@0-59-qimingxing ~]# jps
10802 TaskManagerRunner
8917 Kafka
23765 Jps
11206 EDRchannel.jar
24472 VFLinkRest
8329 Elasticsearch
31977 QuorumPeerMain
10491 StandaloneSessionClusterEntrypoint
23836 FourLetterWordMain
[root@0-59-qimingxing ~]# ps -ef | grep tomcat
root     24358     1 99 14:02 ?        00:03:05 /opt/jdk/bin/java -Djava.util.lo -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dlog4j2.form -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catadorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-jult/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap
root     26320  3698  0 14:03 pts/0    00:00:00 grep --color=auto tomcat
您在 /var/spool/mail/root 中有邮件
[root@0-59-qimingxing ~]#
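The procedure above (reachability check, confirming that a Tomcat Bootstrap JVM is still alive, then killing it) as an added shell script; this is not code from the original post or from the vendor. It assumes the host and port shown in the post, identifies Tomcat by its org.apache.catalina.startup.Bootstrap main class, sends SIGTERM before falling back to the SIGKILL the post used, and relies on the supervisor that (as the second ps listing shows) brought Tomcat back as PID 24358 after the kill; the embedded ps -ef excerpt is constructed from the post's output.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes the host/port shown in
# the post (192.168.0.59:8848), that Tomcat is recognisable by its
# org.apache.catalina.startup.Bootstrap main class, and that a supervisor
# restarts Tomcat after it exits (the post's ps shows PID 24358 up at 14:02).
set -u
EDR_HOST="${EDR_HOST:-192.168.0.59}"
EDR_PORT="${EDR_PORT:-8848}"
# Constructed ps -ef excerpt modelled on the post, used by demo().
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root      6156     1 11 Jan04 ?       3-01:38:46 /opt/jdk/bin/java -classpath /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start
root     17963  3698  0 13:59 pts/0    00:00:00 grep --color=auto tomcat'

# 0 if a TCP connect to $1:$2 succeeds within 3 s (bash /dev/tcp, no nc needed).
port_open() { timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }

# Read ps -ef on stdin; print PIDs of Tomcat Bootstrap JVMs, skipping the grep itself.
tomcat_pids_from_ps() {
    awk '/org\.apache\.catalina\.startup\.Bootstrap/ && !/grep/ { print $2 }'
}

# ok: port answers; hung: refused but a Tomcat JVM exists (the post's case);
# down: no Tomcat JVM at all.  $1 = port_open exit status, $2 = PID list.
diagnose() {
    [ "$1" -eq 0 ] && { echo ok; return; }
    [ -n "$2" ] && echo hung || echo down
}

# SIGTERM first so Tomcat can close connectors and flush logs; SIGKILL (what
# the post used) only if the JVM is still alive after $2 seconds.
stop_tomcat() {
    kill -TERM "$1" 2>/dev/null || return 1
    for _i in $(seq "$2"); do kill -0 "$1" 2>/dev/null || return 0; sleep 1; done
    kill -KILL "$1"
}

# Classify the constructed sample with the port refused: prints "hung 6156".
demo() {
    pids=$(printf '%s\n' "$SAMPLE_PS" | tomcat_pids_from_ps | tr '\n' ' ')
    echo "$(diagnose 1 "$pids") ${pids% }"
}

main() {
    port_open "$EDR_HOST" "$EDR_PORT" && status=0 || status=$?
    pids=$(ps -ef | tomcat_pids_from_ps | tr '\n' ' ')
    case "$(diagnose "$status" "$pids")" in
        ok)   echo "console listening on $EDR_HOST:$EDR_PORT" ;;
        hung) echo "port refused, Tomcat PID(s) ${pids}alive: restarting"
              for p in $pids; do stop_tomcat "$p" 30; done ;;
        down) echo "no Tomcat JVM; check /opt/tomcat/logs and the supervisor" ;;
    esac
}
if [ "${1:-}" = "--run" ]; then main; else demo; fi
```

In the session firewalld is inactive, so the refused telnet reflects the absence of a listener rather than filtering; the script treats "port refused plus a live Bootstrap JVM" as the hang the post describes. Run it with `--run` on the appliance itself; without arguments it only classifies the constructed sample.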

Reposted from blog.csdn.net/weixin_42517271/article/details/128817310