A sales company's e-commerce website (RedHat 6.1 + Tomcat) is hacked


Hardware: HP380 2U

OS: redhat6.1

Middleware: tomcat

JSP website.

A company's e-commerce website system has been abnormal for some time: the system keeps running out of resources and then crashes.

Refer to the website service fault description:

http://blog.csdn.net/huzia/article/details/18941767

Looking through the logs, the mail log is abnormal: the intruder's malware keeps trying to send mail to a Yahoo! recipient, and the queue keeps retrying it.

Jan 31 10:36:29 ZMESCMDZSW01 postfix/qmgr[3574]: 07997200A4E: from=<...>, size=13065, nrcpt=1 (queue active)
Jan 31 10:36:29 ZMESCMDZSW01 postfix/qmgr[3574]: C1E8A200A59: from=<...>, size=25541, nrcpt=1 (queue active)
Jan 31 10:36:29 ZMESCMDZSW01 postfix/smtp[50358]: C1E8A200A59: to=<...>, relay=none, delay=378402, delays=378402/0.01/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=yahoo.com type=MX: Host not found, try again)
Jan 31 10:36:29 ZMESCMDZSW01 postfix/smtp[50340]: 07997200A4E: to=<...>, relay=none, delay=378402, delays=378402/0.06/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=yahoo.com type=MX: Host not found, try again)
Jan 31 11:46:29 ZMESCMDZSW01 postfix/qmgr[3574]: 07997200A4E: from=<...>, size=13065, nrcpt=1 (queue active)
Jan 31 11:46:29 ZMESCMDZSW01 postfix/qmgr[3574]: C1E8A200A59: from=<...>, size=25541, nrcpt=1 (queue active)
Jan 31 11:46:29 ZMESCMDZSW01 postfix/smtp[5180]: C1E8A200A59: to=<...>, relay=none, delay=382603, delays=382603/0.03/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=yahoo.com type=MX: Host not found, try again)
Jan 31 11:46:29 ZMESCMDZSW01 postfix/smtp[5133]: 07997200A4E: to=<...>, relay=none, delay=382603, delays=382603/0.16/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=yahoo.com type=MX: Host not found, try again)
Jan 31 12:56:29 ZMESCMDZSW01 postfix/qmgr[3574]: 07997200A4E: from=<...>, size=13065, nrcpt=1 (queue active)
Jan 31 12:56:29 ZMESCMDZSW01 postfix/qmgr[3574]: C1E8A200A59: from=<...>, size=25541, nrcpt=1 (queue active)
Jan 31 12:56:29 ZMESCMDZSW01 postfix/smtp[45070]: C1E8A200A59: to=<...>, relay=none, delay=386803, delays=386803/0.01/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=yahoo.com type=MX: Host not found, try again)
Jan 31 12:56:29 ZMESCMDZSW01 postfix/smtp[45054]: 07997200A4E: to=<...>, relay=none, delay=386803, delays=386803/0.03/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=yahoo.com type=MX: Host not found, try again)
Jan 31 14:06:29 ZMESCMDZSW01 postfix/qmgr[3574]: 07997200A4E: from=<...>, size=13065, nrcpt=1 (queue active)
Jan 31 14:06:30 ZMESCMDZSW01 postfix/qmgr[3574]: C1E8A200A59: from=<...>, size=25541, nrcpt=1 (queue active)
Jan 31 14:06:30 ZMESCMDZSW01 postfix/smtp[10303]: C1E8A200A59: to=<...>, relay=none, delay=391003, delays=391003/0.04/0.02/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=yahoo.com type=MX: Host not found, try again)
^C
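The pattern in that log (the same two queue IDs retried every 70 minutes with a delay of several days) is easy to pick out by hand for two messages, but not for a busy queue. The script below is an added example, not code from the original post: it parses standard Postfix syslog lines, reports queue IDs that are still deferred after a threshold, and tallies the recipients of deferred mail. The sample log embedded in it is constructed (host name, addresses and two extra queue IDs are made up, modelled on the post's lines); on a real host point it at /var/log/maillog.

```bash
#!/bin/bash
# Added example (not from the original post): detect Postfix queue entries that
# keep being retried and have aged past a threshold, and list the recipients
# of deferred mail. Input: standard Postfix "postfix/smtp[...]: QUEUEID: to=<..>,
# ..., delay=N, ..., status=deferred (...)" syslog lines.

# Constructed sample log, modelled on the post's lines (host, addresses and the
# AAAA/BBBB queue IDs are made up).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jan 31 10:36:29 host01 postfix/qmgr[3574]: 07997200A4E: from=<bounce@host01.example>, size=13065, nrcpt=1 (queue active)
Jan 31 10:36:29 host01 postfix/smtp[50358]: C1E8A200A59: to=<redacted@yahoo.com>, relay=none, delay=378402, delays=378402/0.01/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=yahoo.com type=MX: Host not found, try again)
Jan 31 10:36:29 host01 postfix/smtp[50340]: 07997200A4E: to=<redacted@yahoo.com>, relay=none, delay=378402, delays=378402/0.06/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=yahoo.com type=MX: Host not found, try again)
Jan 31 11:46:29 host01 postfix/smtp[5180]: C1E8A200A59: to=<redacted@yahoo.com>, relay=none, delay=382603, delays=382603/0.03/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=yahoo.com type=MX: Host not found, try again)
Jan 31 11:46:29 host01 postfix/smtp[5133]: 07997200A4E: to=<redacted@yahoo.com>, relay=none, delay=382603, delays=382603/0.16/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=yahoo.com type=MX: Host not found, try again)
Jan 31 12:00:00 host01 postfix/smtp[5200]: AAAA00000001: to=<ops@example.test>, relay=mail.example.test[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 OK)
Jan 31 12:05:00 host01 postfix/smtp[5201]: BBBB00000002: to=<ops@example.test>, relay=none, delay=120, delays=120/0.01/0/0, dsn=4.4.1, status=deferred (connect timed out)
EOF

# stuck_deferred LOG THRESHOLD_SECONDS
# Prints "queue_id attempts max_delay" for every queue ID that has at least one
# deferred delivery attempt whose queue age (delay=) exceeds the threshold.
stuck_deferred() {
    awk -v thr="$2" '
        / postfix\/smtp\[[0-9]+\]: / && /status=deferred/ {
            qid = $6; sub(/:$/, "", qid)          # field 6 is "QUEUEID:"
            d = ""
            for (i = 7; i <= NF; i++)             # find the "delay=N," field
                if ($i ~ /^delay=/) { d = $i; sub(/^delay=/, "", d); sub(/,$/, "", d) }
            if (d == "") next
            attempts[qid]++
            if (d + 0 > maxd[qid] + 0) maxd[qid] = d + 0
        }
        END {
            for (q in attempts)
                if (maxd[q] + 0 > thr + 0) printf "%s %d %d\n", q, attempts[q], maxd[q]
        }' "$1" | LC_ALL=C sort
}

# deferred_recipients LOG
# Prints "count recipient", most frequent first, for deferred deliveries only:
# on the post's host this would show who the malware keeps mailing.
deferred_recipients() {
    awk '
        / postfix\/smtp\[[0-9]+\]: / && /status=deferred/ {
            for (i = 7; i <= NF; i++)
                if ($i ~ /^to=</) { r = $i; sub(/^to=</, "", r); sub(/>,?$/, "", r); n[r]++ }
        }
        END { for (r in n) printf "%d %s\n", n[r], r }' "$1" | LC_ALL=C sort -rn
}

# Stand-alone use: ./maillog_stuck.sh /var/log/maillog [threshold_seconds]
# With no arguments the constructed sample is analysed with a one-day threshold.
if [ $# -gt 0 ]; then
    stuck_deferred "$1" "${2:-86400}"
    deferred_recipients "$1"
else
    stuck_deferred "$SAMPLE_LOG" 86400
    deferred_recipients "$SAMPLE_LOG"
fi
```

On the sample, both of the post's queue IDs are reported with two attempts and a maximum delay of 382603 seconds (about 4.4 days), the two-minute-old BBBB entry is not, and the recipient tally shows four deferred attempts to the Yahoo! address. A queue that only ever defers to one external mailbox from a web server that should not be sending mail at all is a cheap alert condition.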

Check whether there is anything abnormal in the scheduled tasks:

[root@ZMESCMDZSW01 log]# crontab -l
1 1 10 * * ~/.sysdbs
1 24 * * perl ~/.sysync.pl
1 24 * * perl ~/.sysync.pl
1 1 10 * * ~/.sysdbs

So the abnormal perl process that keeps appearing is the work of these entries.

The problem is now quite clear.

Comment out these automatically started jobs:

[root@ZMESCMDZSW01 ~]# crontab -e

#1 1 10 * * ~/.sysdbs
#1 24 * * perl ~/.sysync.pl
#1 24 * * perl ~/.sysync.pl
#1 1 10 * * ~/.sysdbs
~
~

[root@ZMESCMDZSW01 log]#
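The post checks only root's crontab. An attacker with any account can leave the same kind of entry in that user's crontab or in the system cron directories, so the scan is worth widening. The script below is an added example, not code from the original post: it dumps every crontab source on the host and flags entries that execute hidden dotfiles (the ~/.sysdbs and ~/.sysync.pl pattern found above) or anything under /tmp, /var/tmp or /dev/shm. The sample crontab text inside it is constructed.

```bash
#!/bin/bash
# Added example (not from the original post): scan crontab text for entries
# that run hidden dotfiles or programs from world-writable scratch directories,
# across all users and the system cron directories.

# suspicious_cron: reads crontab text on stdin and prints entries that reference
# a hidden path component ("/.name", "~/.name") or a /tmp, /var/tmp or /dev/shm
# path. Comment and blank lines are dropped first, so the commented-out jobs
# from a previous clean-up are not reported again.
suspicious_cron() {
    grep -Ev '^[[:space:]]*(#|$)' |
    grep -E '(^|[[:space:]/~])\.[A-Za-z0-9_-]+|(^|[[:space:]])/(tmp|var/tmp|dev/shm)/'
}

# all_crontabs: prints every crontab line on the host, prefixed with its source
# (file path or "crontab(user)"), so a hit from suspicious_cron can be traced.
# Per-user crontabs need root to read.
all_crontabs() {
    local u f
    for f in /etc/crontab /etc/cron.d/* /etc/cron.hourly/* /etc/cron.daily/* \
             /etc/cron.weekly/* /etc/cron.monthly/*; do
        [ -f "$f" ] && sed "s|^|$f: |" "$f"
    done
    while IFS=: read -r u _; do
        crontab -l -u "$u" 2>/dev/null | sed "s|^|crontab($u): |"
    done </etc/passwd
}

# Constructed sample: two entries in the style the post found, one commented
# out, two legitimate maintenance jobs, and one job run out of /dev/shm.
SAMPLE_CRONTAB='# m h dom mon dow command
1 1 10 * * ~/.sysdbs
1 2 * * * perl ~/.sysync.pl
#1 1 10 * * ~/.sysdbs
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /bin/sh /dev/shm/.x/run.sh
30 2 * * 0 /usr/bin/find /var/log -name "*.gz" -mtime +30 -delete'

# Stand-alone use: "--system" scans the live host (run as root); with no
# arguments the constructed sample is scanned instead.
if [ "${1:-}" = "--system" ]; then
    all_crontabs | suspicious_cron
else
    printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron
fi
```

On the sample, the two dotfile jobs and the /dev/shm job are reported; the commented-out line, logrotate and the find job are not. The "*.gz" glob is not a false positive because the dot is preceded by "*", not by a path separator or whitespace.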

[root@ZMESCMDZSW01 ~]# cat /etc/passwd
root:x:0:0:root:/bin/bash
bin:x:1:1:bin:/sbin/nologin              <-- correct
daemon:x:2:2:daemon:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin/shutdown
halt:x:7:0:halt:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rtkit:x:499:496:RealtimeKit:/proc:/sbin/nologin
abrt:x:173:173:/etc/abrt:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38:/etc/ntp:/sbin/nologin
saslauth:x:498:495:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89:/var/spool/postfix:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pulse:x:497:494:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
TPD:x:42:42:/var/lib/TPD:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72:/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
[root@ZMESCMDZSW01 ~]#

Output of top on the compromised host:

 pm up 1 day, 2 users, load average: 0.04, 0.13, 0.30
874 processes: 873 sleeping, 1 running, 0 zombie, 0 stopped
CPU states: 0.0% user, 0.2% system, 0.0% nice, 0.5% idle
Mem: 32843076K av, 3715880K used, 29127196K free, 0K shrd, 269536K buff
Swap: 35078136K av, 0K used, 35078136K free 963532K cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT LIB %CPU %MEM   TIME COMMAND
32004 root 20 0 2924 1532 R 0 844 5.7 0: 00 top
258 root 20 0 0 0 SW 0 0.9 0.0 0: 16 ata/21
3177 root 20 0 4060 308 220 S 0 0.9 cpuspeed
3181 root 20 0 4060 304 216 S 0 0.9 cpuspeed
3185 root 20 0 4060 304 216 S 0 0.9 cpuspeed
3191 root 20 0 4060 304 216 S 0 0.9 cpuspeed
3209 root 20 0 4060 304 216 S 0 0.9 cpuspeed
3212 root 20 0 4060 304 216 S 0 0.9 cpuspeed
3214 root 20 0 4060 304 216 S 0 0.9 cpuspeed
3217 root 20 0 4060 304 216 S 0 0.9 cpuspeed
3300 dbus 20 0 98252 2340 S 0 952 0:32 dbus-daemon
12680 root 20 0 1485 M 322 M 16916 S 0 0.9 43: 19 java
50326 root 20 0 9432 1308 1012 S 0 0.9 0: 07 gam_server
1 root 20 0 19328 1512 1212 S 0 0.0 0: 04 init
2 root 20 0 0 0 SW 0 0.0 0.0 0: 00 kthreadd
3 root 0 K 0 0 0 SW 0 0.0 0.0 0: 00 migration/0
4 root 20 0 0 0 SW 0 0.0 0.0 ksoftirqd/0
5 root 0 K 0 0 0 SW 0 0.0 0.0 0: 00 migration/0
6 root 0 K 0 0 0 SW 0 0.0 0.0 0: 00 watchdog/0
7 root 0 K 0 0 0 SW 0 0.0 0.0 0: 00 migration/1
8 root 0 K 0 0 0 SW 0 0.0 0.0 0: 00 migration/1
9 root 20 0 0 0 SW 0 0.0 0.0 ksoftirqd/1
10 root 0 K 0 0 0 SW 0 0.0 0.0 0: 00 watchdog/1
11 root 0 K 0 0 0 SW 0 0.0 0.0 0: 00 migration/2
12 root 0 K 0 0 0 SW 0 0.0 0.0 0: 00 migration/2
13 root 20 0 0 0 SW 0 0.0 0.0 ksoftirqd/2
14 root 0 K 0 0 0 SW 0 0.0 0.0 0: 00 watchdog/2
15 root 0 K 0 0 0 SW 0 0.0 0.0 0: 00 migration/3
16 root 0 K 0 0 0 SW 0 0.0 0.0 0: 00 migration/3
17 root 20 0 0 0 SW 0 0.0 0.0 ksoftirqd/3
18 root 0 K 0 0 0 SW 0 0.0 0.0 0: 00 watchdog/3
19 root 0 K 0 0 0 SW 0 0.0 0.0 0: 00 migration/4
20 root 0 K 0 0 0 SW 0 0.0 0.0 0: 00 migration/4
21 root 20 0 0 0 SW 0 0.0 0.0 ksoftirqd/4
22 root 0 K 0 0 0 SW 0 0.0 0.0 0: 00 watchdog/4

The following is normal top output for comparison; set against it, the output above is obviously wrong.
[root@ZMESCMDZSW01 ~]# top
top - 18:51:49 up 1 day, 2 users, load average: 0.17, 0.40, 0.43
Tasks: 823 total, 1 running, 822 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.0%us, 0.2%sy, 0.0%ni, 99.6%id, 0.2%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 32843076k total, 1445164k used, 31397912k free, 95348k buffers
Swap: 35078136k total, 0k used, 35078136k free, 232384k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
56598 root 20 0 15548 1692 R 820 4.7. 16 top
3133 root 20 0 4060 276 180 S 1.6. 02 cpuspeed
3134 root 20 0 4060 312 216 S 1.6. 69 cpuspeed
3140 root 20 0 4060 276 180 S 1.6. 39 cpuspeed
3144 root 20 0 4060 276 180 S 1.6. 30 cpuspeed
3146 root 20 0 4060 312 216 S 1.6. 32 cpuspeed
3149 root 20 0 4060 312 216 S 1.6. 16 cpuspeed
3155 root 20 0 4060 312 216 S 1.6. 39 cpuspeed
3167 root 20 0 4060 276 180 S 1.6. 86 cpuspeed
1 root 20 0 19324 1512 S 1212 0.0. 17 init
2 root 20 0 0 0 S 0.0 0.0. 02 kthreadd
3 root RT 0 0 0 S 0.0 0.0. 01 migration/0
4 root 20 0 0 0 S 0.0 0.0. 00 ksoftirqd/0
5 root RT 0 0 0 S 0.0 0.0. 00 migration/0
6 root RT 0 0 0 S 0.0 0.0. 00 watchdog/0
7 root RT 0 0 0 S 0.0 0.0. 01 migration/1
8 root RT 0 0 0 S 0.0 0.0. 00 migration/1
9 root 20 0 0 0 S 0.0 0.0. 00 ksoftirqd/1
10 root RT 0 0 0 S 0.0 0.0. 00 watchdog/1
11 root RT 0 0 0 S 0.0 0.0. 01 migration/2
12 root RT 0 0 0 S 0.0 0.0. 00 migration/2
13 root 20 0 0 0 S 0.0 0.0. 00 ksoftirqd/2
14 root RT 0 0 0 S 0.0 0.0. 01 watchdog/2
15 root RT 0 0 0 S 0.0 0.0. 02 migration/3
16 root RT 0 0 0 S 0.0 0.0. 00 migration/3
17 root 20 0 0 0 S 0.0 0.0. 00 ksoftirqd/3
18 root RT 0 0 0 S 0.0 0.0. 02 watchdog/3
19 root RT 0 0 0 S 0.0 0.0. 01 migration/4
20 root RT 0 0 0 S 0.0 0.0. 00 migration/4
21 root 20 0 0 0 S 0.0 0.0. 00 ksoftirqd/4
22 root RT 0 0 0 S 0.0 0.0. 01 watchdog/4
23 root RT 0 0 0 S 0.0 0.0. 00 migration/5
24 root RT 0 0 0 S 0.0 0.0. 00 migration/5
25 root 20 0 0 0 S 0.0 0.0. 00 ksoftirqd/5
26 root RT 0 0 0 S 0.0 0.0. 09 watchdog/5
[root@ZMESCMDZSW02 log]#

The differences:
Line 1: the abnormal output starts with a leading space.
Line 3: the CPU line is shown in a different (old-style) format.
Line 5: the swap line is shown differently.
The process list is laid out differently as well; it does not look like the normal output at all.
That immediately suggested that the system commands had been replaced.
Look at the top binary itself (ls -l):
-rwxr-xr-x 1 122 114 33992 Mar 31 2010 /usr/bin/top

The owner and group are both strange. Numeric IDs like 122/114 with no matching account are what you typically see on files that were uploaded from another machine: the uploader's IDs are kept.
Take a look at the file size in human-readable form:
[root@ZMESCMDZSW01 ~]# ll -ha /usr/bin/top
ls: invalid option -- h
Try `ls --help' for more information.
[root@ZMESCMDZSW01 ~]#

The ls on this host does not even accept -h, another sign that it is not the real one.

[root@ZMESCMDZSW01 ~]# find / -user 122 | xargs ls -l
find: "/proc/33319/task/33319/fd/5": No such file or directory
find: "/proc/33319/task/33319/fdinfo/5": No such file or directory
find: "/proc/33319/fd/5": No such file or directory
find: "/proc/33319/fdinfo/5": No such file or directory
-rwxr-xr-x 1 122 114  39696 Mar 10 2011 /bin/ls
-rwxr-xr-x 1 122 114  54152 Mar 15 2011 /bin/netstat
-rwxr-xr-x 1 122 114  62920 Mar 17 2011 /bin/ps
-rwx------ 1 122 114    525 Apr 17 2003 /lib/libsh.so/shhk
-rwx------ 1 122 114    329 Apr 17 2003 /lib/libsh.so/shhk.pub
-rwx------ 1 122 114        Jan 27      /lib/libsh.so/shrs
-rwxr-xr-x 1 122 114  31504 Mar 15 2011 /sbin/ifconfig
-rwxr-xr-x 1 122 114 212747 Mar 10 2011 /sbin/ttyload
-rwxrwxr-x 1 122 114  93476 Mar 10 2011 /sbin/ttymon
-rwxr-xr-x 1 122 114  39696 Mar 10 2011 /usr/bin/dir
-rwxr-xr-x 1 122 114  59536 Jun 16 2010 /usr/bin/find
-rwxr-xr-x 1 122 114  31452 Mar 10 2011 /usr/bin/md5sum
-rwxr-xr-x 1 122 114  12340 Jan 12 2011 /usr/bin/pstree
-rwxr-xr-x 1 122 114  33992 Mar 17 2011 /usr/bin/top
-rwxr-xr-x 1 122 114   1206 Apr 18 2003 /usr/lib/libsh/.bashrc
-rwxr-xr-x 1 122 114   7578 Mar 10 2011 /usr/lib/libsh/.sniff/shp
-rwxr-xr-x 1 122 114  16070 Mar 10 2011 /usr/lib/libsh/.sniff/shsniff
-rwxr-xr-x 1 122 114   2000 Mar 10 2011 /usr/lib/libsh/hide
-rwxr-xr-x 1 122 114   1345 Mar 10 2011 /usr/lib/libsh/shsb
-rwxr-xr-x 1 122 114  82628 Jun 28 2010 /usr/sbin/lsof
[root@ZMESCMDZSW01 ~]#
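The listing above is the key finding: every replaced binary shares the foreign owner 122:114, which is how one odd `ls -l` line led to the whole kit. Two checks generalize that, as an added example that is not code from the original post: the first lists files whose owner UID or group GID has no entry in the given passwd and group files (so it does not depend on knowing the number 122 in advance), the second compares a checksum list taken on a clean reference host (the role 192.168.1.72 plays in the post) with one taken locally and reports what differs. Both take their inputs as arguments, so they can be run against copies of /etc/passwd and checksum lists collected off-host. Note that the post's own listing shows /usr/bin/find, /bin/ls and /usr/bin/md5sum among the replaced files: on a host in that state, run the scan from a trusted static toolset or a rescue medium, not from the host's own binaries, and treat renaming or re-owning the files as containment only, since it does not remove whatever else the kit installed. File names and sample values below are constructed.

```bash
#!/bin/bash
# Added example (not from the original post): find files owned by UIDs/GIDs
# that no local account has, and diff a local checksum list against one from a
# clean reference host. Only standard coreutils/awk are used.

# orphan_owned PASSWD_FILE GROUP_FILE FILE...
# Prints "uid gid path" for each existing FILE whose numeric owner is absent
# from PASSWD_FILE or whose numeric group is absent from GROUP_FILE. Passing
# the files explicitly lets a copy of the host's passwd/group be examined
# offline; on the live host use /etc/passwd and /etc/group.
orphan_owned() {
    local passwd="$1" group="$2"; shift 2
    local f uid gid
    for f in "$@"; do
        [ -e "$f" ] || continue
        uid=$(stat -c %u -- "$f") || continue
        gid=$(stat -c %g -- "$f") || continue
        if ! cut -d: -f3 "$passwd" | grep -qx -- "$uid" ||
           ! cut -d: -f3 "$group"  | grep -qx -- "$gid"; then
            printf '%s %s %s\n' "$uid" "$gid" "$f"
        fi
    done
}

# hash_diff REFERENCE_LIST LOCAL_LIST
# Both lists are in sha256sum/md5sum output format ("<hash>  <path>").
# Prints "MODIFIED path" (hash differs), "MISSING path" (only in the reference)
# or "EXTRA path" (only on the local host, e.g. /sbin/ttyload), sorted.
hash_diff() {
    awk '
        NR == FNR { ref[$2] = $1; next }      # first file: reference hashes
        { loc[$2] = $1 }                      # second file: local hashes
        END {
            for (p in ref) {
                if (!(p in loc)) print "MISSING " p
                else if (ref[p] != loc[p]) print "MODIFIED " p
            }
            for (p in loc) if (!(p in ref)) print "EXTRA " p
        }' "$1" "$2" | LC_ALL=C sort
}

# Stand-alone use:
#   ./owner_check.sh scan              walk the system binary/library dirs
#   ./owner_check.sh diff REF LOCAL    compare two checksum lists, e.g. made with
#                                      "sha256sum /bin/* /sbin/* /usr/bin/* /usr/sbin/*"
#                                      on the clean host and on the suspect host
case "${1:-}" in
    scan)
        find /bin /sbin /usr/bin /usr/sbin /lib /usr/lib -xdev -type f 2>/dev/null |
        while IFS= read -r f; do orphan_owned /etc/passwd /etc/group "$f"; done ;;
    diff)
        hash_diff "$2" "$3" ;;
esac
```

The checksum comparison is the check the post performs implicitly by fetching clean copies from 192.168.1.72 and looking at sizes; done with hashes from the clean host it also catches a replacement that happens to have the same size.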

find / -user 122 | xargs lsattr
[root@ZMESCMDZSW01 ~]# cd /bin/ls
-bash: cd: /bin/ls: Not a directory
[root@ZMESCMDZSW01 ~]# cd /bin
[root@ZMESCMDZSW01 bin]# mv ls ls_bak
[root@ZMESCMDZSW01 bin]# cd /sbin/ttyload
-bash: cd: /sbin/ttyload: Not a directory
[root@ZMESCMDZSW01 bin]# cd /sbin
[root@ZMESCMDZSW01 sbin]# mv ttyload ttyload20140208
[root@ZMESCMDZSW01 sbin]# mv ttyload ttymon20140208
mv: cannot get file status (stat) of "ttyload": No such file or directory
[root@ZMESCMDZSW01 sbin]# mv ttyload ttymon20140208
mv: cannot get file status (stat) of "ttyload": No such file or directory
[root@ZMESCMDZSW01 sbin]# ls tty*
-bash: /bin/ls: No such file or directory
[root@ZMESCMDZSW01 sbin]# ls *
-bash: /bin/ls: No such file or directory
[root@ZMESCMDZSW01 sbin]# cd /bin
[root@ZMESCMDZSW01 bin]# sftp root@192.168.1.72
Connecting to 192.168.1.72...
root@192.168.1.72's password:
sftp> cd bin
Couldn't canonicalise: No such file or directory
sftp> cd /bin
sftp> get ls
Fetching /bin/ls to ls
/bin/ls    100%  114KB 114.3KB/s
sftp> exit
[root@ZMESCMDZSW01 bin]# ls
alsaunmute  csh                   env           kill        mv               rvi              traceroute6
arch        cut                   ex            link        nano             rview            true
awk         dash                  false         ln          netstat          sed              ulockmgr_server
basename    date                  fgrep         loadkeys    nice             setfont          umount
bash        dbus-cleanup-sockets  find          login       nisdomainname    setserial        uname
cat         dbus-daemon           findmnt       ls          ping             sh               unicode_start
cgclassify  dbus-monitor          fusermount    ls_bak      ping6            sleep            unicode_stop
cgcreate    dbus-send             gawk          lsblk       plymouth         sort             unlink
cgdelete    dbus-uuidgen          gettext       lscgroup    ps               stty             usleep
cgexec      dd                    grep          lssubsys    pwd              su               vi
cgget       df                    gtar          mail        raw              sync             view
cgset       dmesg                 gunzip        mailx       readlink         tar              ypdomainname
cgsnapshot  dnsdomainname         gzip          mkdir       red              taskset          zcat
chgrp       domainname            hostname      mknod       redhat_lsb_init  tcsh
chmod       dumpkeys              ipcalc        mktemp      rm               touch
chown       echo                  iptables-xml  more        rmdir            tracepath
cp          ed                    kbd_mode      mount       rnano            tracepath6
cpio        egrep                 keyctl        mountpoint  rpm              traceroute

The ls command is fixed. Running it again and checking the new binary:


[root@ZMESCMDZSW01 bin]# ls -alt ls
-rwxr-xr-x. 1 root 117024 Feb 13 19:01 ls
[root@ZMESCMDZSW01 bin]#

The ls command has returned to normal

Fixing top:

[root@ZMESCMDZSW01 bin]# sftp root@192.168.1.72
Connecting to 192.168.1.72...
root@192.168.1.72's password:
sftp> cd /usr/bin
sftp> get top
Fetching /usr/bin/top to top
/usr/bin/top    100%   67KB  66.8KB/s
sftp> exit
[root@ZMESCMDZSW01 bin]# top      (fixed; the output is now as follows)

top - 19:06:03 up 1 day, 2 users, load average: 0.08, 0.20, 0.23
Tasks: 874 total, 2 running, 872 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.1%us, 0.3%sy, 0.0%ni, 99.6%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 32843076k total, 3720472k used, 29122604k free, 269876k buffers
Swap: 35078136k total, 0k used, 35078136k free, 964400k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
12680 root 20 0 1486 m 322 m 16 m S 1.3 1.0 43: 38.99 java
35593 root 20 0 15552 1884 R 952 1.3. 11 top
242 root 20 0 0 0 S 0.3 0.0. 04 ata/5
835 root 20 0 0 0 S 0.3 0.0. 63 scsi_eh_1
3172 root 20 0 4060 304 216 S 0.3. 42 cpuspeed
3175 root 20 0 4060 304 216 S 0.3. 21 cpuspeed
3176 root 20 0 4060 304 216 S 0.3. 23 cpuspeed
3179 root 20 0 4060 304 216 S 0.3. 07 cpuspeed
3181 root 20 0 4060 304 216 S 0.3. 50 cpuspeed
3183 root 20 0 4060 304 216 S 0.3. 16 cpuspeed
3185 root 20 0 4060 304 216 S 0.3. 56 cpuspeed
3188 root 20 0 4060 304 216 S 0.3. 85 cpuspeed
3191 root 20 0 4060 304 216 S 0.3. 31 cpuspeed
3192 root 20 0 4060 304 216 S 0.3. 38 cpuspeed
3196 root 20 0 4060 304 216 S 0.3. 70 cpuspeed
3208 root 20 0 4060 304 216 S 0.3. 21 cpuspeed
3211 root 20 0 4060 304 216 S 0.3. 61 cpuspeed
3212 root 20 0 4060 304 216 S 0.3. 69 cpuspeed
3213 root 20 0 4060 304 216 S 0.3. 78 cpuspeed
3215 root 20 0 4060 304 216 S 0.3. 38 cpuspeed
3216 root 20 0 4060 304 216 S 0.3. 55 cpuspeed
3217 root 20 0 4060 304 216 S 0.3. 61 cpuspeed
3218 root 20 0 4060 304 216 S 0.3. 26 cpuspeed
3219 root 20 0 4060 304 216 S 0.3. 76 cpuspeed
3222 root 20 0 4060 304 216 S 0.3. 65 cpuspeed
3223 root 20 0 4060 304 216 S 0.3. 19 cpuspeed
3936 root 18-2 12532 2844 584 S 0.3. 98 udevd
26162 root 20 0 97636 3724 S 2892 0.3. 41 sshd
39219 root 20 0 11.6g 260 m 20 m S 0.3 0: 48. 77 java
1 root 20 0 19328 1512 S 1212 0.0. 12 init
2 root 20 0 0 0 S 0.0 0.0. 17 kthreadd
3 root RT 0 0 0 S 0.0 0.0. 00 migration/0
4 root 20 0 0 0 S 0.0 0.0. 21 ksoftirqd/0
5 root RT 0 0 0 S 0.0 0.0. 00 migration/0
6 root RT 0 0 0 S 0.0 0.0. 00 watchdog/0
[root@ZMESCMDZSW01 bin]#

Neutralize the two malicious programs (ttyload and ttymon) by renaming them:

[root@ZMESCMDZSW01 bin]# cd /sbin
[root@ZMESCMDZSW01 sbin]# ls tty*
ttyload20140208  ttymon
[root@ZMESCMDZSW01 sbin]# ls -alt tty*
-rwxr-xr-x. 1 122 114 212747 Mar 10 2011 ttyload20140208
-rwxrwxr-x. 1 122 114  93476        2011 ttymon
[root@ZMESCMDZSW01 sbin]# mv ttymon ttymon20140208
[root@ZMESCMDZSW01 sbin]# l
-bash: l: command not found
[root@ZMESCMDZSW01 sbin]#

Then re-own everything that still belongs to UID 122:

find / -user 122 | xargs chown root:root

The other replaced commands have been fixed as well; now waiting and observing.

The corresponding security hardening policy is still being worked out.
