A PHP file on my Apache web server keeps getting renamed to php.suspected. The specific file is:
/home/apache/www/html/nextcloud/3rdparty/nikic/php-parser/lib/PhpParser/Node/Expr/Eval_.php.suspected
I tried to find out which process does it by using the audit log, and was able to get the following information. It gives me the pid and ppid numbers, but I can't look up the name of the process. Can anyone help me? Thanks.
sudo ausearch -f /home/apache/www/html/nextcloud
----
time->Thu Mar 15 06:28:55 2018
type=PATH msg=audit(1521109735.929:32994): item=0 name="/home/apache/www/html/nextcloud/3rdparty/nikic/php-parser/lib/PhpParser/Node/Expr/Eval_.php" inode=1617455 dev=00:29 mode=0100444 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1521109735.929:32994): cwd="/home/apache/www/html/piwigo/language/km_KH"
type=SYSCALL msg=audit(1521109735.929:32994): arch=c000003e syscall=2 success=yes exit=31 a0=7ffcca222310 a1=0 a2=1b6 a3=7ffcca21f35c items=1 ppid=4585 pid=17890 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)
----
time->Thu Mar 15 06:28:56 2018
type=PATH msg=audit(1521109736.565:32997): item=0 name="/home/apache/www/html/nextcloud/3rdparty/rackspace/php-opencloud/lib/OpenCloud/LoadBalancer/Resource/ContentCaching.php" inode=258612 dev=00:29 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1521109736.565:32997): cwd="/home/apache/www/html/piwigo/language/km_KH"
type=SYSCALL msg=audit(1521109736.565:32997): arch=c000003e syscall=2 success=yes exit=31 a0=7ffcca222310 a1=0 a2=1b6 a3=1 items=1 ppid=4585 pid=17890 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)
----
time->Thu Mar 15 06:29:07 2018
type=PATH msg=audit(1521109747.461:32998): item=0 name="/home/apache/www/html/nextcloud/3rdparty/rackspace/php-opencloud/lib/OpenCloud/LoadBalancer/Resource/ContentCaching.php" inode=258612 dev=00:29 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1521109747.461:32998): cwd="/home/apache/www/html/piwigo/language/km_KH"
type=SYSCALL msg=audit(1521109747.461:32998): arch=c000003e syscall=2 success=yes exit=31 a0=7ffcca222310 a1=0 a2=1b6 a3=1 items=1 ppid=4585 pid=17890 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)
----
time->Thu Mar 15 06:30:25 2018
type=PATH msg=audit(1521109825.005:33011): item=0 name="/home/apache/www/html/nextcloud/3rdparty/rackspace/php-opencloud/lib/OpenCloud/LoadBalancer/Resource/ContentCaching.php" inode=258612 dev=00:29 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1521109825.005:33011): cwd="/home/apache/www/html/components/com_wrapper"
type=SYSCALL msg=audit(1521109825.005:33011): arch=c000003e syscall=2 success=yes exit=31 a0=7ffcca222310 a1=0 a2=1b6 a3=1 items=1 ppid=4585 pid=17890 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)
----
time->Thu Mar 15 06:30:36 2018
type=PATH msg=audit(1521109836.473:33012): item=0 name="/home/apache/www/html/nextcloud/3rdparty/rackspace/php-opencloud/lib/OpenCloud/LoadBalancer/Resource/ContentCaching.php" inode=258612 dev=00:29 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1521109836.473:33012): cwd="/home/apache/www/html/components/com_wrapper"
type=SYSCALL msg=audit(1521109836.473:33012): arch=c000003e syscall=2 success=yes exit=31 a0=7ffcca222310 a1=0 a2=1b6 a3=1 items=1 ppid=4585 pid=17890 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)
----
time->Fri Mar 16 05:01:11 2018
type=PATH msg=audit(1521190871.159:37515): item=0 name="/home/apache/www/html/nextcloud/3rdparty/nikic/php-parser/lib/PhpParser/Node/Expr/Eval_.php" inode=1617455 dev=00:29 mode=0100444 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1521190871.159:37515): cwd="/"
type=SYSCALL msg=audit(1521190871.159:37515): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd47ee2edc a1=0 a2=1b6 a3=0 items=1 ppid=15352 pid=15354 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="md5sum" exe="/usr/bin/md5sum" key=(null)
----
time->Fri Mar 16 05:01:11 2018
type=PATH msg=audit(1521190871.619:37516): item=0 name="/home/apache/www/html/nextcloud/3rdparty/nikic/php-parser/lib/PhpParser/Node/Expr/Eval_.php" inode=1617455 dev=00:29 mode=0100444 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1521190871.619:37516): cwd="/"
type=SYSCALL msg=audit(1521190871.619:37516): arch=c000003e syscall=2 success=yes exit=3 a0=7fff46f40ee4 a1=0 a2=1b6 a3=0 items=1 ppid=4437 pid=15356 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="od" exe="/usr/bin/od" key=(null)
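An added example, not part of the question above: a small Python parser for this ausearch output that groups the PATH, CWD and SYSCALL records of each audit event by its msg=audit(...) id and flattens their fields, so that pid, ppid and the process name (the comm= and exe= fields of the SYSCALL record) come out side by side with the file path. The embedded sample is two of the events quoted in the question; the syscall-number table covers only the x86_64 numbers relevant here.

```python
import re
from collections import defaultdict

# Sample ausearch output, copied from two of the events quoted in the question.
SAMPLE = """\
----
time->Thu Mar 15 06:28:55 2018
type=PATH msg=audit(1521109735.929:32994): item=0 name="/home/apache/www/html/nextcloud/3rdparty/nikic/php-parser/lib/PhpParser/Node/Expr/Eval_.php" inode=1617455 dev=00:29 mode=0100444 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1521109735.929:32994): cwd="/home/apache/www/html/piwigo/language/km_KH"
type=SYSCALL msg=audit(1521109735.929:32994): arch=c000003e syscall=2 success=yes exit=31 a0=7ffcca222310 a1=0 a2=1b6 a3=7ffcca21f35c items=1 ppid=4585 pid=17890 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)
----
time->Fri Mar 16 05:01:11 2018
type=PATH msg=audit(1521190871.159:37515): item=0 name="/home/apache/www/html/nextcloud/3rdparty/nikic/php-parser/lib/PhpParser/Node/Expr/Eval_.php" inode=1617455 dev=00:29 mode=0100444 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1521190871.159:37515): cwd="/"
type=SYSCALL msg=audit(1521190871.159:37515): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd47ee2edc a1=0 a2=1b6 a3=0 items=1 ppid=15352 pid=15354 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="md5sum" exe="/usr/bin/md5sum" key=(null)
"""

EVENT_ID = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
# key=value pairs; a value is either double-quoted or a bare token
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# x86_64 (arch=c000003e) syscall numbers: 2 is open(), 82 rename(), 264 renameat(), 316 renameat2()
X86_64_SYSCALLS = {'2': 'open', '82': 'rename', '264': 'renameat', '316': 'renameat2'}

def parse_ausearch(text):
    """Group ausearch records by audit event id and flatten their fields into one dict."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue  # '----' separators and 'time->' lines carry no fields
        ev = events[m.group(2)]
        ev.setdefault('timestamp', float(m.group(1)))
        for key, val in KV.findall(line):
            if key in ('msg', 'type'):
                continue
            ev.setdefault(key, val.strip('"'))
        if ev.get('arch') == 'c000003e' and 'syscall' in ev:
            ev['syscall_name'] = X86_64_SYSCALLS.get(ev['syscall'], 'syscall_' + ev['syscall'])
    return dict(events)

def summarize(events):
    """One row per event, oldest first: (event id, pid, ppid, comm, exe, uid, syscall name, path)."""
    rows = []
    for eid, ev in sorted(events.items(), key=lambda kv: kv[1]['timestamp']):
        rows.append((eid, ev.get('pid'), ev.get('ppid'), ev.get('comm'), ev.get('exe'),
                     ev.get('uid'), ev.get('syscall_name'), ev.get('name')))
    return rows

if __name__ == '__main__':
    for row in summarize(parse_ausearch(SAMPLE)):
        print(*row)
```

Note that every SYSCALL record in the question is syscall=2 (open) with a1=0, that is a read-only open of the file, so these events show who read the file, not the rename itself; a rule keyed on the directory with -p wa, or on the rename syscalls, would be needed to catch the renaming process.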