R-CSIRT Linux Triage tool
r-csirt v2.0
author delete
Latest commit faef286 Jun 28, 2018



Linux Server Triage tool written in Shell Script.


Linux Server Triage tool for CSIRT.

  • Collects not only log files but also config files and the web server's script files.
  • Finds suspicious scripts and binaries on the web server.
  • Includes a backup function for all web server contents under DOCUMENT_ROOT.
  • [2018.06.20] Automatically detects the web server's DOCUMENT_ROOT and web config directories (httpd, apache2 and nginx support checked).
  • [2018.06.20] Log archive scope: automatically from 1 year ago to the day the tool is executed.

Operation checked on:
Linux: Ubuntu 14.04, 16.04, Ubuntu Server, CentOS 7.0, 7.5


No requirements for default usage.
If you use the ClamAV and RKhunter scans,
put their installers into the options directory.
clamav-0.99.2 and rkhunter-1.4.4 are already set.

## Usage

  1. Place the script and the options folder in the same directory on the Linux server you want to triage.

  2. Check the configs (const variables) at the top of the shell script.

  3. Excluded folders
    Edit ./options/excludes.txt and add them there.
    A trailing LF (\n) at the end of the file is not needed.

  4. Execute
    $ sudo bash

  5. Pull the created tar.gz file.
    Output files: see the source code for details.
    Output file tree log => 1_OUTPUT-TREE.txt
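
The exclude list without a trailing LF and the one-year log scope described above can be handled in shell as follows. This is an added example, not R-CSIRT's own code; the function names, the 365-day mtime approximation and the `find`/`tar` approach are assumptions.

```shell
#!/bin/sh
# Added illustration; NOT taken from the R-CSIRT script.
# Assumptions: the excludes file lists one directory path per line, and
# "1 year ago" is approximated as 365 days of file mtime.

# read_excludes FILE: print one cleaned exclude path per line.
read_excludes() (
    cr=$(printf '\r')
    # `|| [ -n "$line" ]` keeps the last entry when the file has no trailing LF;
    # a plain `while read` loop would silently drop it.
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                    # tolerate CRLF-edited files
        if [ -n "$line" ]; then               # skip blank lines
            printf '%s\n' "${line%/}"         # drop a trailing slash
        fi
    done < "$1"
)

# list_recent_files ROOT EXCLUDES_FILE [DAYS]
# Print regular files under ROOT modified within DAYS days (default 365),
# pruning every excluded directory. Exclude paths are passed to `find -path`,
# so glob characters in them act as patterns.
list_recent_files() (
    root=$1; excludes=$2; days=${3:-365}
    read_excludes "$excludes" | {
        set --                                # build the prune list in "$@"
        while IFS= read -r p; do
            set -- "$@" -path "$p" -prune -o
        done
        find "$root" "$@" -type f -mtime "-$days" -print
    } | sort
)

# archive_recent_files ROOT EXCLUDES_FILE OUT.tar.gz
# Assumes file names contain no newlines (one path per line is fed to tar).
archive_recent_files() {
    list_recent_files "$1" "$2" | tar -czf "$3" -T - 2>/dev/null
}
```
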

Recruit-CSIRT does not assume any responsibility for the use of this tool.
Use it at your own responsibility.




Tatsuya Ichida (icchida)
Ref: r-csirt (r-csirt)

Other triage tools referred to, with thanks

And some other tools. /options/backdoorscan.php was obtained from the Internet; we did not develop it ourselves.
