产生原因 服务器出口流量爆满

检查发现系统自带的 ps、netstat 命令都已被替换,其输出不可信,

先用 iftop 查出流量最大的 IP,用 iptables 将其 DROP 掉:

# Drop every inbound packet from the single address singled out with iftop.
# NOTE(review): an INPUT rule only filters packets arriving from that host.
# The write-up reports saturated egress; packets this server sends are
# governed by the OUTPUT chain, so confirm the flood direction and add an
# OUTPUT match on the destination if the traffic is outbound.
-A INPUT -s 140.205.81.26/32 -j DROP

再排查发现流量走的是 UDP 协议,先把 UDP 禁止(只对下面两台主机放行 53 端口):

# Outbound UDP containment: allow UDP to two internal hosts when the SOURCE
# port is 53, then drop all other outbound UDP. Order matters: the ACCEPT
# rules must stay above the final DROP.
# NOTE(review): if these two hosts are the resolvers this server queries,
# its lookups leave from an ephemeral source port with DESTINATION port 53,
# so the match would need to be --dport 53; as written such lookups would
# fall through to the DROP below. Confirm which direction was intended.
-A OUTPUT -d 10.0.80.11/32 -p udp -m udp --sport 53 -j ACCEPT

-A OUTPUT -d 10.0.80.12/32 -p udp -m udp --sport 53 -j ACCEPT

# Everything else leaving over UDP is dropped, which cuts the flood traffic.
-A OUTPUT -p udp -j DROP

最后替换掉被改的配置文件(下面先删除恶意文件和自启动项,再重装被替换的系统命令):


# Cleanup pass: list the runlevel-2 start links, then delete the files this
# write-up treats as planted.
# NOTE(review): names such as gates.lod, moni.lod, DbSecuritySpt, bsd-port
# and dpkgd match publicly reported indicators of the Linux "BillGates" DDoS
# bot; confirm with a scanner instead of relying on file names alone.
# NOTE(review): rm destroys evidence. If the incident needs analysis, copy
# and hash each file (and record its timestamps) before deleting it.
ls /etc/rc.d/rc2.d/

# Files dropped under the zabbix install, /usr/bin and root's home.
rm -f  /usr/local/zabbix/sbin/conf.n

rm -f  /usr/bin/.sshd

# NOTE(review): presumably a planted copy; the packaged sshd is handled
# later under /usr/sbin. Check ownership with `rpm -qf` before deleting.
rm -f  /usr/bin/sshd

rm -f  /root/cmd.n

rm -f  /root/conf.n

rm -f  /root/IP

# State/lock files kept in /tmp.
rm -f  /tmp/gates.lod  

rm -f  /tmp/moni.lod

rm -f  /tmp/notify.file

# Directories removed recursively.
rm -rf /usr/bin/bsd-port

rm -rf /usr/bin/dpkgd

# Boot persistence: S97 start links in runlevels 1-5 ...
rm -f  /etc/rc.d/rc1.d/S97DbSecuritySpt

rm -f  /etc/rc.d/rc2.d/S97DbSecuritySpt

rm -f  /etc/rc.d/rc3.d/S97DbSecuritySpt

rm -f  /etc/rc.d/rc4.d/S97DbSecuritySpt

rm -f  /etc/rc.d/rc5.d/S97DbSecuritySpt

# ... and the init scripts those links point into.
# NOTE(review): the script is named "selinux", presumably to look like a
# system component; verify it is not package-owned before removing it.
rm -f  /etc/rc.d/init.d/selinux

rm -f  /etc/rc.d/init.d/DbSecuritySpt

rm -f  /tmp/gates.lock

# Matching S99 start links for the "selinux" init script, runlevels 1-5.
rm -f  /etc/rc.d/rc1.d/S99selinux

rm -f  /etc/rc.d/rc2.d/S99selinux

rm -f  /etc/rc.d/rc3.d/S99selinux

rm -f  /etc/rc.d/rc4.d/S99selinux

rm -f  /etc/rc.d/rc5.d/S99selinux

# Process triage using the ps binary at /root/ps instead of the system ps,
# which the write-up says was replaced.
# NOTE(review): presumably /root/ps is a copy brought from a clean machine;
# verify its hash against a known-good package before trusting its output.
# The first two patterns presumably match the START column for processes
# launched on those dates - TODO confirm against the incident timeline.
/root/ps aux |grep -i jul30

/root/ps aux |grep -i jul31

# Look for processes using the names of the tools that were tampered with.
# Short patterns such as "ps" and "ss" match many unrelated lines (and the
# grep itself), so every hit needs manual review.
/root/ps aux |grep sshd

/root/ps aux |grep ps

/root/ps aux |grep getty

/root/ps aux |grep netstat

/root/ps aux |grep lsof

/root/ps aux |grep ss

# NOTE(review): "zabbix_Agetntd" is not the usual agent name; either a typo
# in the search or a look-alike process name - confirm which.
/root/ps aux |grep zabbix_Agetntd

# The unquoted "." is a regex wildcard, so this matches any character
# followed by "dbus", not only a literal ".dbus".
/root/ps aux |grep .dbus

# NOTE(review): these two calls use the system ps, which at this point in
# the transcript has not been reinstalled yet, so its output is not
# trustworthy. "ssd" looks like a typo for "sshd", repeated correctly below.
ps -ef | grep ssd

ps -ef | grep sshd

# Restore the replaced system tools: clear the immutable (-i) and
# append-only (-a) attributes, delete the binary, then reinstall its package.
# NOTE(review): reinstalling restores these files, but on a host where
# root-level tools were replaced the package manager itself cannot be
# assumed clean. Verify afterwards (e.g. `rpm -V` on each package) and treat
# a rebuild from known-good media plus credential and SSH key rotation as
# the safer end state.
chattr  -i -a /bin/ps && rm /bin/ps -f

yum reinstall procps -y

# Stopping iptables removes the INPUT/OUTPUT drops added earlier.
# NOTE(review): presumably done because yum could not reach its mirrors
# under the outbound UDP block; the containment is lifted until the restart
# at the end of this block, so keep that window as short as possible.
/etc/init.d/iptables stop

# Same ps steps repeated with the firewall stopped.
chattr  -i -a /bin/ps && rm /bin/ps -f

yum reinstall procps -y

chattr -i -a /bin/netstat && rm /bin/netstat -f

yum reinstall net-tools    -y

# NOTE(review): chattr targets /bin/lsof but rm targets /usr/sbin/lsof.
# Because of "&&", rm is skipped if chattr fails on /bin/lsof, and the
# attributes on /usr/sbin/lsof are never cleared - confirm the real path.
chattr  -i -a /bin/lsof && rm /usr/sbin/lsof -f

yum reinstall lsof -y

chattr  -i -a /usr/sbin/ss && rm /usr/sbin/ss -f

yum -y reinstall iproute

# Installs the ClamAV packages; no scan is run anywhere in this transcript.
# The unquoted "*" is expanded by the shell first if a matching file exists
# in the current directory.
yum -y install clamav*

# Remove the sshd init script and reinstall the OpenSSH packages.
# No -y here, so yum waits for interactive confirmation.
rm -rf /etc/init.d/sshd

yum reinstall openssh*

ip addr

# Bring sshd back, then restart iptables to reload its saved rules.
/etc/init.d/sshd restart

/etc/init.d/iptables restart

# Follow-up pass: watch traffic on eth1, kill the remaining suspicious
# processes, delete their files and reinstall OpenSSH.
# NOTE(review): this appears to be raw shell history from the session. The
# PIDs below belong to that one host and boot; look up current PIDs with a
# trusted ps before reusing any kill line.
iftop -i eth1

ps -ef | grep sshd

ps -ef | grep ssh

# NOTE(review): kill takes a PID or job spec, not a path; this line fails
# with an "arguments must be process or job IDs" style error and kills nothing.
kill -9 /usr/sbin/sshd

# NOTE(review): killing sshd processes can drop the responder's own SSH
# session; keep console access available before running these.
kill -9 27663

kill -9 20789

kill -9 300

kill -9 32598

# Re-check, then delete the hidden .sshd and the sshd binary itself.
ps -ef | grep ssh

rm -rf /usr/bin/.sshd

rm -rf /usr/sbin/sshd

ps -ef | grep /usr/sbin/sshd

# Process named getty, followed by removal of /usr/bin/bsd-port.
ps aux |grep getty

kill -9 20764

rm -rf /usr/bin/bsd-port

# Processes using the names netstat and ss, followed by removal of
# /usr/bin/dpkgd.
ps aux |grep netstat

ps aux |grep ss

kill -9 20741

kill -9 23764

ps aux |grep ss

rm -rf /usr/bin/dpkgd

# /usr/sbin/sshd was deleted above, so this restart cannot start a daemon
# until the package is reinstalled below.
/etc/init.d/sshd restart

rm -rf /etc/init.d/sshd

yum reinstall openssh*

# The firewall is stopped and the reinstall repeated; presumably the first
# attempt could not reach the repository. The drop rules are not active
# until the final restart.
/etc/init.d/iptables stop

yum reinstall openssh*

/etc/init.d/sshd restart

/etc/init.d/iptables restart