Faults: The server has been compromised. The intruder plants self-running files, automatically creates and executes files under /tmp, and automatically detects and disables iptables.

Discovery process:
1. Log on to the server and run netstat -anp | grep LIS; an abnormal connection is found.
2. Run ps aux and look up the process whose PID matches the abnormal connection; its executable is a yums*** file under /tmp.
3. After the yums* file is deleted and the process is killed, yums* is re-created and the connection is re-established.

Solution:
1. Temporary fix: write a script that automatically kills the related processes and deletes their files, and a script, run once a minute, that re-enables iptables.
2. Build a dedicated /tmp file system to defend against the trojan (files under /tmp can no longer be executed):
dd if=/dev/zero of=/.tmpfs bs=100M count=10
mke2fs -j /.tmpfs
cp -av /tmp /tmp.old
mount -o loop,noexec,nosuid,rw /.tmpfs /tmp
chmod 1777 /tmp
mv -f /tmp.old/* /tmp/
rm -fr /tmp.old
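The following shell functions are an added example, not part of the original write-up or its scripts. They implement the two checks the solution relies on: finding every process whose running binary lives under /tmp (the way the yums* process was identified through netstat and ps), and verifying that the /tmp mount actually carries noexec and nosuid after the rebuild. The functions take a /proc root and a /proc/mounts-style file as parameters so they can be exercised on constructed input; on a live host pass /proc and /proc/mounts. The kill_tmp_procs helper is the cleanup step the post describes (kill the process, remove its file); the file paths it removes are whatever /proc reports, not values taken from the post.

```sh
#!/bin/sh
# Added example (not from the original post): defensive checks and cleanup
# for a process that runs out of /tmp and a /tmp mount that should be noexec.

# find_tmp_procs PROC_ROOT
# Prints "PID EXE" for every process whose executable (the /proc/PID/exe
# symlink) resolves to a path under /tmp. If the binary was already unlinked,
# the kernel appends " (deleted)" to the link target; that still matches.
find_tmp_procs() {
    root=$1
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        case $exe in
            /tmp/*) echo "${d##*/} $exe" ;;
        esac
    done
}

# kill_tmp_procs PROC_ROOT
# Kills each process reported by find_tmp_procs and removes its binary,
# stripping the " (deleted)" suffix before the rm. Intended for root on a
# live host (PROC_ROOT=/proc); the test below never calls it.
kill_tmp_procs() {
    find_tmp_procs "$1" | while read -r pid exe; do
        path=${exe% (deleted)}
        kill -9 "$pid" 2>/dev/null
        rm -f "$path"
        echo "killed $pid, removed $path"
    done
}

# tmp_mount_hardened MOUNTS_FILE
# Returns 0 when the /tmp entry in a /proc/mounts-style file has both the
# noexec and nosuid options, 1 otherwise (including when /tmp is not a
# separate mount at all, which is the state before the rebuild above).
tmp_mount_hardened() {
    awk '$2 == "/tmp" {
             found = 1
             n = split($4, opts, ",")
             for (i = 1; i <= n; i++) {
                 if (opts[i] == "noexec") ne = 1
                 if (opts[i] == "nosuid") ns = 1
             }
         }
         END { exit ((found && ne && ns) ? 0 : 1) }' "$1"
}

# Stand-alone use on a live host (run as root):
#   find_tmp_procs /proc
#   tmp_mount_hardened /proc/mounts && echo "/tmp is noexec,nosuid"
```

For the once-a-minute iptables restore mentioned in the solution, the usual shape is a cron entry that reloads a saved rule set, e.g. `* * * * * iptables-restore < /etc/iptables.rules` (the rules path is an assumption, not from the post). Two caveats worth keeping in mind: a noexec /tmp stops the kernel from executing a binary placed there, but not an interpreter being pointed at a script there (`sh /tmp/x`), and /var/tmp and /dev/shm are usually world-writable too and deserve the same mount options.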