CentOS system infection (sfewfesfs): process record
On October 11, October 16, 2014, it was my shift. When I took over, I encountered a problem I had never encountered before: the server had been infected and was continuously sending packets out. This server is our cloud platform manager. The infection affected not only its own cloud host but also the entire platform. As an O&M engineer, I was at a loss for a while; however, the problem still had to be solved. The specific troubleshooting steps are as follows:
1. Use the top performance analysis tool to view the resource usage of each process and the usage of system memory.
See http://wenku.baidu.com/linkurl=PrK5_UqLyRbmhSXMG2WrUWWnl4zYJx7EH3h1gakfuULv1j6UTVoQItZdGtM u_hxcbdaubno8934icquknxaddiiqqyyufqayuykus6vr9aq
2. Run the following command to view the ports in use:
netstat -lantp | more
View the process for the port number.
3. Check whether the process can be killed.
ps -ef | grep sfewfesfs
The file path is displayed when you execute this command.
kill -9 32097
ps -ef | grep sshd
kill -9 3172
The process has ended, but when you check again you will find that it has restarted. You must therefore find where the process's file is located and delete that file.
Delete the virus files
chattr -i /etc/sfewfesfs
rm -rf /etc/sfewfesfs
Delete suspicious files
rm -rf gfhjrtfyhuf
rm -rf smarvtd
rm -rf gdmorpen
rm -rf /tmp/.sshdd141*
rm -rf /etc/.SSH2
Delete the scheduled task
grep -v "#" root.1 | grep -v "^$"
rm -rf /var/spool/cron/root.1
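The cron check from the last step, as an added example that is not part of the original post: it lists the active entries in every file of a spool directory and flags those that reference the file names above. The anchored comment filter, the /tmp and hidden-path heuristics, and the sample crontab contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list active cron entries in a
# spool directory and flag ones matching this incident's artifacts.

# Names taken from the page; the path heuristics below are assumptions.
IOC_NAMES='sfewfesfs|gfhjrtfyhuf|smarvtd|gdmorpen'

# Print "file<TAB>entry" for each active line. Only lines that START with '#'
# are comments to cron, so the filter is anchored; an unanchored grep -v "#"
# would also hide an active entry that merely contains a '#'.
active_cron_entries() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*(#|$)' "$f" | while IFS= read -r line; do
            printf '%s\t%s\n' "${f##*/}" "$line"
        done
    done
}

# Keep entries that name a known artifact, run something from /tmp, or
# reference a hidden path component such as /etc/.SSH2.
suspicious_cron_entries() {
    active_cron_entries "$1" | grep -E "($IOC_NAMES)|/tmp/|/\.[^./ ]" || true
}

# Constructed sample spool (the real root.1 contents are not shown on the page).
make_sample_spool() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# nightly rotation' '' \
        '0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf' > "$d/root"
    printf '%s\n' '*/1 * * * * /etc/sfewfesfs >/dev/null 2>&1 # keepalive' \
        '*/5 * * * * /tmp/.sshdd141 start' > "$d/root.1"
    printf '%s\n' "$d"
}

spool=$(make_sample_spool)
echo "active entries:";     active_cron_entries "$spool"
echo "suspicious entries:"; suspicious_cron_entries "$spool"
rm -rf "$spool"
```

On a live host the argument would be /var/spool/cron; review flagged entries before removing the file.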
This article is from the "excellent army" blog, please be sure to keep this source http://wxj121.blog.51cto.com/7136845/1565084