One morning I found that a Linux AS 4 host had been broken into and was running a large number of scanssh processes. Intruders typically take a password dictionary file (a passwd.txt of default and common passwords for service accounts such as oracle, sybase, nagios and tuxedo) and try them against SSH on port 22; each host they take over becomes a bot that sweeps the LAN for more weak passwords and breaks into further machines. Look at the process list below: there are many scanssh processes, so the likely entry point was a password too simple to resist guessing. Note that they run as UID 500, an ordinary account rather than root, and that every one of them has a PPID of 1, i.e. they were detached from whatever launched them. The fix is to find the program file behind the scanssh processes and delete it. I checked the scheduled tasks first; no abnormal cron job showed up. The final steps were as follows:

1. ps -ef | grep scanssh (or ps -ajxf)
# ps -ef | grep ssh
500    8923     1  0 Jul02 ?        00:00:22 ./scanssh
500    8928     1  0 Jul02 ?        00:00:22 ./scanssh
500    8929     1  0 Jul02 ?        00:00:20 ./scanssh
500    8937     1  0 Jul02 ?        00:00:18 ./scanssh
500    8938     1  0 Jul02 ?        00:00:21 ./scanssh
500    8939     1  0 Jul02 ?        00:00:21 ./scanssh
500    8941     1  0 Jul02 ?        00:00:18 ./scanssh
500    8948     1  0 Jul02 ?        00:00:17 ./scanssh
500    8949     1  0 Jul02 ?        00:00:14 ./scanssh
500    8953     1  0 Jul02 ?        00:00:21 ./scanssh
500    8955     1  0 Jul02 ?        00:00:17 ./scanssh
500    8957     1  0 Jul02 ?        00:00:27 ./scanssh
500    8966     1  0 Jul02 ?        00:00:22 ./scanssh
500    8967     1  0 Jul02 ?        00:00:22 ./scanssh
500    8968     1  0 Jul02 ?        00:00:22 ./scanssh
500    8969     1  0 Jul02 ?        00:00:10 ./scanssh
500    8971     1  0 Jul02 ?        00:00:21 ./scanssh
500    8975     1  0 Jul02 ?        00:00:00 ./scanssh
500    8980     1  0 Jul02 ?        00:00:00 ./scanssh
500    8984     1  0 Jul02 ?        00:00:18 ./scanssh
500    8986     1  0 Jul02 ?        00:00:06 ./scanssh
500    8996     1  0 Jul02 ?        00:00:03 ./scanssh
500    9015     1  0 Jul02 ?        00:00:31 ./scanssh
500    9016     1  0 Jul02 ?        00:00:21 ./scanssh
500    9019     1  0 Jul02 ?        00:00:19 ./scanssh
500    9025     1  0 Jul02 ?        00:00:21 ./scanssh
500    9026     1  0 Jul02 ?        00:00:20 ./scanssh
500    9031     1  0 Jul02 ?        00:00:37 ./scanssh
500    9059     1  0 Jul02 ?        00:00:00 ./scanssh
500    9061     1  0 Jul02 ?        00:00:00 ./scanssh
500    9062     1  0 Jul02 ?        00:00:00 ./scanssh
500    9066     1  0 Jul02 ?        00:00:20 ./scanssh
500    9067     1  0 Jul02 ?        00:00:21 ./scanssh
500    9077     1  0 Jul02 ?        00:00:20 ./scanssh
500   18696     1  0 Jun28 ?        00:00:00 ./scanssh
500   18697     1  0 Jun28 ?        00:00:00 ./scanssh
500   18698     1  0 Jun28 ?        00:00:00 ./scanssh
500   18699     1  0 Jun28 ?        00:00:00 ./scanssh
500   18706     1  0 Jun28 ?        00:00:00 ./scanssh
500   18715     1  0 Jun28 ?        00:00:00 ./scanssh
500   18716     1  0 Jun28 ?        00:00:05 ./scanssh
500   18727     1  0 Jun28 ?        00:00:00 ./scanssh
500   18731     1  0 Jun28 ?        00:00:00 ./scanssh
500   18733     1  0 Jun28 ?        00:00:00 ./scanssh
500   18740     1  0 Jun28 ?        00:00:00 ./scanssh
500   18741     1  0 Jun28 ?        00:00:02 ./scanssh
500   18747     1  0 Jun28 ?        00:00:00 ./scanssh
500   18760     1  0 Jun28 ?        00:00:04 ./scanssh
500   18762     1  0 Jun28 ?        00:00:00 ./scanssh
500   18767     1  0 Jun28 ?        00:00:00 ./scanssh
500   18770     1  0 Jun28 ?        00:00:01 ./scanssh
500   18789     1  0 Jun28 ?        00:00:00 ./scanssh
500   18791     1  0 Jun28 ?        00:00:00 ./scanssh
500   18800     1  0 Jun28 ?        00:00:00 ./scanssh
500   18821     1  0 Jun28 ?        00:00:00 ./scanssh
500   18822     1  0 Jun28 ?        00:00:00 ./scanssh
500   18823     1  0 Jun28 ?        00:01:10 ./scanssh
500   18824     1  0 Jun28 ?        00:00:00 ./scanssh
500   18828     1  0 Jun28 ?        00:01:17 ./scanssh
500   18829     1  0 Jun28 ?        00:00:04 ./scanssh
500   18832     1  0 Jun28 ?        00:00:00 ./scanssh
500   18833     1  0 Jun28 ?        00:00:00 ./scanssh
500   18836     1  0 Jun28 ?        00:00:00 ./scanssh
500   18838     1  0 Jun28 ?        00:00:00 ./scanssh
500   18841     1  0 Jun28 ?        00:00:02 ./scanssh
500   18842     1  0 Jun28 ?        00:00:03 ./scanssh
500   18863     1  0 Jun28 ?        00:00:02 ./scanssh
500   18866     1  0 Jun28 ?        00:00:00 ./scanssh
500   18884     1  0 Jun28 ?        00:00:00 ./scanssh
500   18896     1  0 Jun28 ?        00:00:02 ./scanssh
500   18899     1  0 Jun28 ?        00:00:00 ./scanssh
500   18902     1  0 Jun28 ?        00:00:00 ./scanssh
500   18907     1  0 Jun28 ?        00:00:00 ./scanssh
500   18916     1  0 Jun28 ?        00:00:16 ./scanssh
500   18917     1  0 Jun28 ?        00:00:00 ./scanssh
500   18938     1  0 Jun28 ?        00:00:04 ./scanssh
500   18942     1  0 Jun28 ?        00:00:00 ./scanssh
500   18943     1  0 Jun28 ?        00:00:02 ./scanssh
500   18947     1  0 Jun28 ?        00:00:00 ./scanssh
500   18951     1  0 Jun28 ?        00:00:00 ./scanssh
500   18953     1  0 Jun28 ?        00:00:00 ./scanssh
500   18969     1  0 Jun28 ?        00:00:00 ./scanssh
500   18982     1  0 Jun28 ?        00:00:00 ./scanssh
500   18988     1  0 Jun28 ?        00:00:00 ./scanssh
500   19018     1  0 Jun28 ?        00:00:13 ./scanssh
500   19027     1  0 Jun28 ?        00:00:00 ./scanssh
500   19053     1  0 Jun28 ?        00:00:30 ./scanssh
500   19061     1  0 Jun28 ?        00:00:00 ./scanssh
500   19086     1  0 Jun28 ?        00:00:19 ./scanssh
500   19095     1  0 Jun28 ?        00:00:00 ./scanssh
500   19103     1  0 Jun28 ?        00:00:00 ./scanssh
500   19111     1  0 Jun28 ?        00:00:00 ./scanssh
root  24539 27230  0 11:32 ?        00:00:00 sshd: swzj [priv]
swzj  24541 24539  0 11:32 ?        00:00:00 sshd: swzj@pts/6
root  27230     1  0 Apr12 ?        00:01:34 /usr/sbin/sshd
root  27657 24598  0 13:28 pts/6    00:00:00 grep ssh
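Before working through the remaining steps, here is a script form of the same triage, added as an example; it is not from the original post. It assumes POSIX sh with awk, a Linux /proc, and that the intruder's program appears in ps -ef under the name scanssh as it does above; the ps lines it is demonstrated on are a constructed sample modelled on the real listing, not the live output. Matching on the command's basename instead of grepping the whole line keeps the grep process itself out of the kill list, and the /proc/PID/exe and /proc/PID/cwd links are read before anything is killed, since they vanish with the process and, unlike the name ps displays, cannot be chosen by the program itself.

```bash
#!/bin/sh
# Added example for the scanssh clean-up (not from the original post).
# Assumptions: POSIX sh + awk, a Linux /proc, malware visible in `ps -ef` as scanssh.

# Constructed sample of `ps -ef` output, modelled on the real listing above.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
500       8923     1  0 Jul02 ?        00:00:22 ./scanssh
500      19061     1  0 Jun28 ?        00:00:00 ./scanssh
root     27230     1  0 Apr12 ?        00:01:34 /usr/sbin/sshd
swzj     24541 24539  0 11:32 ?        00:00:00 sshd: swzj@pts/6
root     27657 24598  0 13:28 pts/6    00:00:00 grep scanssh'

# Print the PIDs whose command basename equals $1; reads `ps -ef` output on stdin.
# Comparing the CMD field (field 8) keeps "grep scanssh" and any unrelated line
# that merely contains the string out of the kill list.
scan_pids() {
    awk -v name="$1" '
        NR > 1 {
            cmd = $8
            sub(/.*\//, "", cmd)      # ./scanssh -> scanssh, /usr/sbin/sshd -> sshd
            if (cmd == name) print $2
        }'
}

# Count the matching processes per UID and start time: one line per launch
# wave, which shows how many separate runs the intruder started.
scan_waves() {
    awk -v name="$1" '
        NR > 1 {
            cmd = $8
            sub(/.*\//, "", cmd)
            if (cmd == name) count[$1 " " $5]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# Record a live PID's binary and working directory before it is killed;
# /proc/PID/exe and /proc/PID/cwd disappear with the process. Reading them for
# another user's process needs root. The exe target ends in " (deleted)" when
# the binary has already been removed from disk.
proc_origin() {
    [ -d "/proc/$1" ] || return 1
    printf '%s exe=%s cwd=%s\n' "$1" \
        "$(readlink "/proc/$1/exe")" "$(readlink "/proc/$1/cwd")"
}

# Live clean-up: record origins first, then kill. Run as root. Deliberately
# not called at top level, so running or sourcing this file is harmless.
cleanup() {
    ps -ef | scan_pids "${1:-scanssh}" | while read -r pid; do
        proc_origin "$pid"
        kill -9 "$pid"
    done
}

# Demo on the constructed sample: prints the kill list and the waves, kills nothing.
printf '%s\n' "$SAMPLE_PS" | scan_pids scanssh
printf '%s\n' "$SAMPLE_PS" | scan_waves scanssh
```

On the sample, scan_pids scanssh prints 8923 and 19061 and nothing for the grep or sshd lines; scan_waves prints one line per UID/start-time pair. To kill for real, source the file as root and call cleanup, then delete the directory that proc_origin reported as cwd.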
2. Take the PID of one of the scanssh processes, for example 19061.
3. Go into its /proc directory: cd /proc/19061
4. Run ls -al and look at the cwd and exe links; they show the directory the program runs from and the path of its executable. Do this before killing anything, because the /proc/PID entries disappear with the process; ps only shows the name the program chose for itself, while the exe link is what is actually running.
5. killall -9 scanssh to kill them all, then delete the directory found in step 4. Or:
# ps -ef | grep -v grep | grep scanssh | awk '{print $2}' | xargs kill
# ps -ef | grep -v grep | grep SCREEN | awk '{print $2}' | xargs kill
6. Change the passwords of all users (and check each account's ~/.ssh/authorized_keys, since a password change does not revoke a key the intruder may have added).

netstat -an | grep 22 still showed many connections afterwards, so the servers were rebooted; the system has run normally since. For more information see: http://www.vvvk.net/archives/311#more-311

Appendix: an introduction to the /proc directory
Original: http://www.freeos.com/articles/2879/
Translated by bugzilla_zhu

The proc file system is a real-time, memory-resident file system that tracks the state of the processes running on your machine and the state of the system itself. You can learn a great deal from the /proc file system. The most striking thing about the /proc pseudo file system is that it does not actually exist on any storage medium: it is a pseudo file system resident in virtual memory that holds the operating system's dynamic data. Most of the information in /proc is updated in real time to match the current state of the system. Its contents can be read by anyone with the corresponding permissions, but certain parts can only be read by the owner of the process and by root. The contents of the /proc file system are obtained and displayed from the /proc directory itself, and they serve many purposes. In Linux we have tools like lspci, scanpci and pnpdump that detect the settings of a large number of PCI and ISA hardware chips and help us choose suitable I/O, DMA and IRQ values. The dmesg command is another example:

bash# dmesg

dmesg helps us determine which devices the kernel has detected and initialised. Tools like ps and top give us an accurate snapshot of the state of the processes running on the machine, and a list of which of them are running and which are sleeping. Have you ever wondered exactly where the information shown by ps and top comes from? It comes from the /proc file system, and it is updated whenever a process changes. Let's take a look at a snapshot of the root directory listing of a Linux machine.
drwxr-xr-x  14 root root  291 Oct 25 18:47 opt
dr-xr-xr-x  86 root root    0 Nov 30  2000 proc <--
drwx--x--x  16 root root  841 Nov 20 00:10 root
drwxr-xr-x   5 root root 4627 Oct 15 11:42 sbin
Because /proc is a memory-resident virtual file system, it is recreated every time your Linux machine boots. Look at the root directory listing above: the proc directory has a size of 0, and its modification time is the current date, since it was created at boot rather than stored on disk.

Tuning kernel parameters through /proc/sys

Another important part of the /proc file system is the /proc/sys directory, in which you can change selected kernel parameters on the fly. A good example is /proc/sys/net/ipv4/ip_forward. When you cat this file you see its default value, "0", which means this machine is not allowed to forward IP packets between its interfaces. Change the value in the file from "0" to "1" and the setting takes effect immediately: the Linux machine starts forwarding IP packets without a restart.

The contents of the /proc file system

A listing of the /proc directory looks like this. The real list is very long; the following is a shortened version.
1    114  1210 1211 1212 1227 133  137  148  160
161  163  167  168  169  170  171  172  173  174
186  190  193  194  195  203  206  207  208  209
210  211  220  221  222  223  224  225  226  227
229  230  234  246  253  279  296  3    4    5
500  501  6    667  668  669  683  684  685  7
711  712  713  737  763  764  765  766  773  774
775  782  79   88   92
asound  bus  cmdline  config.gz  cpuinfo  devices  dma  fb  filesystems  fs
ide  interrupts  ioports  kcore  kcore_elf  kmsg  ksyms  loadavg  locks  lvm
mdstat  meminfo  memstat  misc  modules  mounts  net  partitions  pci  rtc
scsi  self  slabinfo  stat  swaps  sys  tty  uptime  version
Every number and word you see in the snapshot above is an entry in the /proc directory. Let's take a closer look at the entries named by numbers.

Directories named by number
1    114  1210 1211 1212 1227 133  137  148  160
161  163  167  168  169  170  171  172  173  174
186  190  193  194  195  203  206  207  208  209
210  211  220  221  222  223  224  225  226  227
229  230  234  246  253  279  296  3    4    5
500  501  6    667  668  669  683  684  685  7
711  712  713  737  763  764  765  766  773  774
775  782  79   88   92
Every numbered directory listed here is a process that was running on the machine when the snapshot of /proc was taken. Let's look at the contents of one of them.
freeos:~ # cd /proc
freeos:/proc # ls -la 114
total 0
dr-xr-xr-x    3 named    named           0 Nov 30 12:20 .
dr-xr-xr-x   89 root     root            0 Nov 30  2000 ..
-r--r--r--    1 root     root            0 Nov 30 12:20 cmdline
lrwx------    1 root     root            0 Nov 30 12:20 cwd -> /var/named
-r--------    1 root     root            0 Nov 30 12:20 environ
lrwx------    1 root     root            0 Nov 30 12:20 exe -> /usr/sbin/named
dr-x------    2 root     root            0 Nov 30 12:20 fd
pr--r--r--    1 root     root            0 Nov 30 12:20 maps
-rw-------    1 root     root            0 Nov 30 12:20 mem
lrwx------    1 root     root            0 Nov 30 12:20 root -> /
-r--r--r--    1 root     root            0 Nov 30 12:20 stat
-r--r--r--    1 root     root            0 Nov 30 12:20 statm
-r--r--r--    1 root     root            0 Nov 30 12:20 status
Before running this command you need to be logged in as root, because most of the processes on the system belong to other users and, normally, you can only read the details of the processes you started yourself. Once logged in as root, run the same command on any of the numbered directories and compare the result with the output above. Notice the similarity? Every numbered directory contains the same set of entries, because each one holds the parameters and status of a single process, the one whose PID is the directory name; only the values differ from process to process. Going through the listing above entry by entry:

cmdline contains the complete command line used to start the process: the command itself and every argument passed to it. The file has no formatting at all; the arguments are separated by NUL bytes rather than spaces, which is why cat shows them run together.

cwd, as the listing shows, is a symbolic link to the process's current working directory.

environ holds every environment variable defined for the process as VARIABLE=value pairs. Like cmdline it has no formatting; the pairs are NUL-separated.

exe is a symbolic link to the executable file from which the process was started.

fd is a directory containing one entry per file descriptor the process has open.

maps, when you print this named pipe, shows the address space of the process, i.e. the files currently mapped into it. From left to right the fields are: the address range of the mapping, its permissions, the offset from the start of the file at which the mapping begins, the device the mapped file is on, the inode number of the file, and the file name itself.

root is a symbolic link to the root directory of the process (/ here; it differs for a process running in a chroot).

status gives the process name, its current state (running or sleeping), its PID, UID and PPID, and a good deal of other basic information. Tools such as ps and top present the same information in a simpler, structured form.

Basic information about many of the /proc/* entries already exists in LASG (the Linux Administrator's Security Guide), chapter 3, "/proc file system":

/proc/cpuinfo: information about the processor, such as its type, vendor, model and performance.
/proc/devices: the list of device drivers configured into the currently running kernel.
/proc/dma: which DMA channels are currently in use.
/proc/filesystems: the file systems configured into the kernel.
/proc/interrupts: which interrupts are in use, and how many times each has been used.
/proc/ioports: which I/O ports are in use
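As an added example (not from the freeos article or the original post), the following script reads the per-process files just described straight from /proc, which is where ps and top get their data as the appendix says earlier. It assumes a Linux /proc and POSIX sh with awk, tr, sed and cut. status_field and cmdline_text take a file path rather than a PID so they can be exercised on copies of the files; the status and cmdline contents written by make_sample are constructed to match the named process (PID 114) shown above and are not real /proc output.

```bash
#!/bin/sh
# Added example for the /proc appendix (not from the original article or post).
# Assumptions: Linux /proc, POSIX sh with awk, tr, sed and cut.

# Look up one field of a /proc/PID/status file ($1 = path, $2 = field name).
# The file is "Key:<TAB>value" lines. Uid and Gid carry four numbers (real,
# effective, saved, filesystem); the first one is returned.
status_field() {
    awk -F '\t' -v key="$2" '$1 == key ":" { print $2; exit }' "$1"
}

# Render /proc/PID/cmdline. Arguments are separated by NUL bytes, not spaces
# (which is why cat shows them run together): turn NULs into spaces and drop
# the trailing one. Kernel threads have an empty cmdline.
cmdline_text() {
    tr '\0' ' ' < "$1" | sed 's/ $//'
}

# One ps-like line for a process directory ($1 = /proc/PID or a copy of it).
# exe is only readable for your own processes unless you are root; when
# readlink fails a '-' is printed instead.
proc_line() {
    dir=$1
    [ -r "$dir/status" ] || return 1
    printf '%-6s %-6s %-6s %-2s %-20s %s\n' \
        "$(status_field "$dir/status" Pid)" \
        "$(status_field "$dir/status" PPid)" \
        "$(status_field "$dir/status" Uid)" \
        "$(status_field "$dir/status" State | cut -c1)" \
        "$(readlink "$dir/exe" 2>/dev/null || echo '-')" \
        "$(cmdline_text "$dir/cmdline")"
}

# Walk every numbered directory: a minimal ps built from /proc alone.
# A process may exit between the glob and the read, so failures are ignored.
mini_ps() {
    printf '%-6s %-6s %-6s %-2s %-20s %s\n' PID PPID UID S EXE CMD
    for d in /proc/[0-9]*; do
        proc_line "$d" || :
    done
}

# Constructed copies of status and cmdline for the named process (PID 114)
# shown above, so the parsers can be tried without root and offline.
make_sample() {
    dir=$(mktemp -d)
    printf 'Name:\tnamed\nState:\tS (sleeping)\nPid:\t114\nPPid:\t1\nUid:\t25\t25\t25\t25\nGid:\t25\t25\t25\t25\n' > "$dir/status"
    printf '/usr/sbin/named\000-u\000named\000' > "$dir/cmdline"
    echo "$dir"
}

# Demo: the constructed sample first, then the live system.
sample=$(make_sample)
proc_line "$sample"
rm -rf "$sample"
mini_ps
```

On the constructed sample, proc_line prints PID 114, PPID 1, UID 25, state S, '-' for exe (there is no link in the copy) and the command line "/usr/sbin/named -u named". Against the live /proc it prints one line per process; run it as root to see the exe target of every process, which is the check that distinguishes a renamed binary from what ps shows.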