Notes on resolving high outbound public bandwidth on a Linux server (malware intrusion, server turned into a bot)
Background:
Suddenly my phone received a violation notice from Tencent Cloud; the in-console message said my server was attacking other servers.
Server status:
1. Outbound bandwidth running high
2. SSH remote login times out or responds slowly
3. Abnormal CPU usage
Troubleshooting:
1. Use the top command to find the abnormal process
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
12489 root 20 0 84464 796 396 S 100.0 0.0 1:26.77 getty
1281 root 20 0 3569856 673000 24676 S 0.7 17.8 1:58.55 java
1928 polkitd 20 0 1793020 456940 17892 S 0.7 12.1 1:17.46 mysqld
7593 root 20 0 962460 40696 17372 S 0.7 1.1 2:03.76 YDService
The getty process is consuming almost all of the CPU.
2. Use the netstat -antlp command to find abnormal IP connections
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1258/sshd: /usr/sbi
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1850/docker-proxy
tcp 0 0 10.0.24.11:41246 169.254.0.55:5574 ESTABLISHED 3043/YDService
tcp 0 0 10.0.24.11:53554 169.254.0.138:8186 ESTABLISHED 1221/tat_agent
tcp 0 1 10.0.24.11:41244 xx.xx.x.x:5574 SYN_SENT 15076/./getty
tcp 0 96 10.0.24.11:22 113.0.251.107:63277 ESTABLISHED 13076/sshd: root@pt
tcp6 0 0 :::22 :::* LISTEN 1258/sshd: /usr/sbi
The getty process shows up again. After killing it, the high outbound bandwidth stops immediately, but after a while it comes back; investigating again shows that the getty process keeps coming back to life.
3. Look for abnormal startup entries
Enter the /etc/rc.d directory and check whether anything under rc.d has been modified
$ cd /etc/rc.d
$ ll -art
total 52
drwxr-xr-x. 2 root root 4096 Feb 3 2023 rc0.d
drwxr-xr-x. 2 root root 4096 Feb 3 2023 rc6.d
-rwxr-xr-x 1 root root 914 Nov 15 09:57 rc.local
drwxr-xr-x. 10 root root 4096 Nov 15 13:26 .
drwxr-xr-x. 2 root root 4096 Nov 15 14:12 init.d
drwxr-xr-x. 2 root root 4096 Nov 15 14:12 rc1.d
drwxr-xr-x. 2 root root 4096 Nov 15 14:12 rc2.d
drwxr-xr-x. 2 root root 4096 Nov 15 14:12 rc3.d
drwxr-xr-x. 2 root root 4096 Nov 15 14:12 rc4.d
drwxr-xr-x. 2 root root 4096 Nov 15 14:12 rc5.d
init.d through rc5.d have all been modified, and each directory contains abnormal startup entries:
lrwxrwxrwx 1 root root 25 Nov 10 19:26 S97DbSecuritySpt -> /etc/init.d/DbSecuritySpt
lrwxrwxrwx 1 root root 19 Nov 10 19:26 S99selinux -> /etc/init.d/selinux
4. Look for abnormal files
$ find / -size -1223124c -size +1223122c -exec ls -id {} \;
529599 /bin/ps
524140 /bin/netstat
659226 /usr/bin/bsd-port/getty
659230 /usr/bin/dpkgd/ps
278271 /usr/bin/.sshd
271230 /usr/sbin/ss
284915 /usr/sbin/lsof
find: ‘/proc/20483/task/20483/fd/6’: No such file or directory
find: ‘/proc/20483/task/20483/fdinfo/6’: No such file or directory
find: ‘/proc/20483/fd/5’: No such file or directory
find: ‘/proc/20483/fdinfo/5’: No such file or directory
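Putting the four troubleshooting steps together, here is an added example script (my own, not from the original post) that repeats the checks without trusting the binaries the intruder replaced: it reads process IDs straight from /proc and diffs them against what ps reports, looks for files of the exact byte size matched above, lists rc*.d start links whose target no RPM package owns, and asks rpm to verify the binaries this malware overwrites. The function names, the file name audit.sh and the `run` argument are my own choices; an rpm/yum-based CentOS host like the one in the post is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: cross-checks for the four
# troubleshooting steps that do not rely on the very binaries the intruder
# replaced (ps, netstat, ss, lsof). Invoke as "sh audit.sh run" on the
# suspect host; with no argument it only defines the functions.

# Steps 1/2 helper: list "PID COMM" straight from /proc. The kernel fills
# /proc, so a trojanized /bin/ps cannot filter what appears here.
pids_from_proc() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        comm=$(cat "$d/comm" 2>/dev/null) || continue   # process already gone
        printf '%s %s\n' "$pid" "$comm"
    done
}

# Pure function: $1 = newline-separated PIDs seen in /proc, $2 = PIDs that ps
# reports. Prints the PIDs ps does not show, i.e. processes something hides.
hidden_pids() {
    awk -v procs="$1" -v shown="$2" 'BEGIN {
        n = split(shown, s, "\n")
        for (i = 1; i <= n; i++) if (s[i] != "") seen[s[i]] = 1
        n = split(procs, p, "\n")
        for (i = 1; i <= n; i++) if (p[i] != "" && !(p[i] in seen)) print p[i]
    }'
}

# Snapshot /proc, then run ps, then keep only PIDs ps missed that still exist:
# a PID that already left /proc simply exited between the two snapshots.
report_hidden() {
    procs=$(pids_from_proc | cut -d' ' -f1)
    shown=$(ps -e -o pid= | tr -d ' ')
    for pid in $(hidden_pids "$procs" "$shown"); do
        [ -d "/proc/$pid" ] && printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
    done
}

# Step 4 helper: files under $1 of exactly $2 bytes. The post's
# "-size -1223124c -size +1223122c" is the same as "-size 1223123c"; the trick
# only works because every dropped binary in that incident had one size, so
# pair it with the rpm verification below on other hosts.
files_of_size() {
    find "$1" -xdev -type f -size "${2}c" 2>/dev/null
}

# Step 3 helper: every S* link in rc0.d..rc6.d whose target no RPM package
# owns. The S97DbSecuritySpt / S99selinux links from the post would be listed.
audit_rc_links() {
    for link in /etc/rc.d/rc[0-6].d/S*; do
        [ -L "$link" ] || continue
        target=$(readlink -f "$link")
        rpm -qf "$target" >/dev/null 2>&1 || printf 'unpackaged: %s -> %s\n' "$link" "$target"
    done
}

if [ "${1:-}" = "run" ]; then
    echo "== processes present in /proc but missing from ps output =="
    report_hidden
    echo "== files of exactly 1223123 bytes (the size seen in this incident) =="
    files_of_size / 1223123
    echo "== rc*.d start links whose target belongs to no package =="
    audit_rc_links
    echo "== rpm verification of the binaries this malware replaces (no output = intact) =="
    rpm -Vf /bin/ps /bin/netstat /usr/sbin/ss /usr/sbin/lsof
fi
```

The size match is specific to this incident; rpm -Vf is the general check and prints nothing when a file still matches its package (it does assume the rpm database itself was not tampered with). A PID reported by report_hidden on a single run can be a process that started after the ps snapshot; one that persists across repeated runs is what a replaced ps is hiding.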
Cleaning up the malware
1. Remove the malware files and directories
rm -rf /usr/bin/dpkgd
rm -rf /usr/bin/bsd-port
rm -f /usr/bin/.sshd
rm -f /tmp/gates.lod
rm -f /tmp/moni.lod
rm -f /etc/rc.d/init.d/DbSecuritySpt
rm -f /etc/rc.d/rc1.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc2.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc3.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc4.d/S97DbSecuritySpt
rm -f /etc/rc.d/rc5.d/S97DbSecuritySpt
rm -f /etc/rc.d/init.d/selinux
rm -f /etc/rc.d/rc1.d/S99selinux
rm -f /etc/rc.d/rc2.d/S99selinux
rm -f /etc/rc.d/rc3.d/S99selinux
rm -f /etc/rc.d/rc4.d/S99selinux
rm -f /etc/rc.d/rc5.d/S99selinux
2. Delete the tampered ps and other commands
rm -rf /bin/ps
rm -rf /bin/netstat
rm -rf /usr/bin/.sshd
rm -rf /usr/sbin/ss
rm -rf /usr/sbin/lsof
On other servers the paths will not necessarily be these; use the paths reported by the find / -size -1223124c -size +1223122c -exec ls -id {} \; command above (ps, netstat, ss, lsof, .sshd).
3. Reinstall the commands
$ yum -y reinstall procps
$ yum -y reinstall net-tools
$ yum -y reinstall lsof
$ yum -y reinstall iproute