More on how our server was turned into a zombie host: the Struts2 vulnerability
The file the miner had been writing its output to, /root/myout.file, shows what the payload was: a YAM Monero (XMR) miner running 16 CPU threads against the moria.dwarfpool.com pool.

[root@app130-33 ~]# cat myout.file
YAM - Yet Another Miner by yvg1900
yam M7v-linux64-core2/yvg1900
**********************************************************************************************************
* Supported coins: PTS MMC MAX GRS DMD DVK MYR BCN QCN FCN XMR
* Author: yvg1900 (Twitter @yvg1900)
* XPT protocol: jh (http://ypool.net)
*
* Addresses for Thanks and Donations:
* PTS: PZxsEQoiMeB6tHcW2ZySBEiCPio1WkxbEL
* XPM: AW2388DEWNEfMH4rP9kcj9yKcMq1QywYT4
* DTC: D6PmUogMigWvXurgFTqm5VLxQeVpXdYQj3
* MMC: MVk7PuJCa9o6qTYeiQRJDd3uHxKXMrQuU6
* LTC: Lby4YjhcAxhmbsdHFb4nYydrwGoiJezZt1
* BTC: 1FxekeK5La7AuF3oxiLzPKnjXyLMrux6VT
* NMC: N9KXqmzEqP7gB2dGHpEZiRMgFjUHNM38FR
* MAX: mTEsqg9dp3U9YXwduKxhhhDx1TRPBcNRvA
* NRS: 9qwyC34MCZ9XGopaNDNTnaMBtjAZhHvBd3
* GRS: FpHaQNJ2nMUc2kgBbzYue13E9VUfL8YbQp
* DMD: dEQZa7W7AczvUsjJkvWWrim1j8ZtgbAwXv
* DVK: D9o66V4h75JzWNpsaPidmKFVgwEf2DcDAX
* MYR: MFDpLPThL6D6vtWW42XobFNBpPdrJFPQb6
* XMR: 45w9aqVA6iVeMJ6jVHZPEyPqgVnBEAGhBBqGAW9ncXp44qbZy9vXkd2KpqYwcyVTQHF1kaSJm97GyceP3Y2dRMd7E9gyuZf
* BCN: 2AcGMZmmNWTiLvAg5n7ywMCAxXTxysYGsi1xzba2ok4UPccWTLqRyKN7EnQYUpEWpqBw1c9EVZrqo2CUG8f8mbjG5NA9njF
* QCN: 1V6wZP6aycYPbeafHxPcvaQfGs4M5kabHDQoTEsyCTT3HjccMyQbvEVNPoJuRc79XrPRYWESiAezyipWojpZ8bii3kczNgW
* FCN: 6rNjXkY5YQzWiTMmDUbL5gYTWx9UTdUMSA98S1G3cTmhZN9Xp6kq4woGeoK5Q8B3fPZV6TFKs36zdHpZnYxA4BFK3fLpJzW
**********************************************************************************************************
Can not load config file
[x] Miner version: yam M7v-linux64-core2/yvg1900
Checking target [stratum+tcp://47CunEQ4v8FPVNnw9mDgNZeaiSo6SVDydB3AZM341ZtdYpBYNmYeqhh4mpU1X6RSmgBTfC8xqaAtUGC2DArotyaKSz1LJyj.f2bec1df3c6bf9a03c8ce785d333ff96bc65f9a2df0189a8635878d6d26ae814:x@moria.dwarfpool.com:8005:8050:8080:8100/xmr]... Target OK
Checking XMR optimizations compatibility... OK: XMR optimizations are compatible
Monero: Determine Algorithm Variation by finetuning
Using 16 CPU mining threads
Will mine 96 rounds for miner developers to support development of the next version
Follow @yvg1900 on Twitter to get information on new version availability on time
Monero Aggregated Hash/sec: ?; Rounds Complete/Incomplete: 0/0, Donated Complete/Incomplete: 0/0; Config/Worker Hash/sec: ?/? on 0 rounds with AV=1, ART=? ms; Fine-tuning: IN PROGRESS, AV/RT: 1/0, Best AV/RT: 1/0
moria.dwarfpool.com: Connecting, Shares Submitted 0, Accepted 0
STRATUM-RPC2: Logged in with 47CunEQ4v8FPVNnw9mDgNZeaiSo6SVDydB3AZM341ZtdYpBYNmYeqhh4mpU1X6RSmgBTfC8xqaAtUGC2DArotyaKSz1LJyj.f2bec1df3c6bf9a03c8ce785d333ff96bc65f9a2df0189a8635878d6d26ae814
New Monero Block nTime 1489470304
New Monero Block nTime 1489470309
Monero Aggregated Hash/sec: ?; Rounds Complete/Incomplete: 0/0, Donated Complete/Incomplete: 0/0; Config/Worker Hash/sec: ?/? on 0 rounds with AV=1, ART=? ms; Fine-tuning: IN PROGRESS, AV/RT: 1/0, Best AV/RT: 1/0
moria.dwarfpool.com: On-line, Shares Submitted 0, Accepted 0
Monero Aggregated Hash/sec: ?; Rounds Complete/Incomplete: 16/0, Donated Complete/Incomplete: 0/0; Config/Worker Hash/sec: ?/21 on 16 rounds with AV=1, ART=12474 ms; Fine-tuning: IN PROGRESS, AV/RT: 1/0, Best AV/RT: 1/0
moria.dwarfpool.com: On-line, Shares Submitted 0, Accepted 0
Share found while mining for developers

The wallet address and the pool hostname in the target line are the indicators to search the other hosts for; the block nTime 1489470304 is 13:45:04 +0800 on 14 March, which matches the start time of the .yam process in the listing below.
Handling process:
Server:
[root@app130-33 bin]# date -u
Tue Mar 14 06:15:29 UTC 2017
[root@app130-33 bin]# date -R
Tue, 14 Mar 2017 14:18:03 +0800
[root@app130-33 bin]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:56:B6:38:21
 inet addr:192.168.130.33 Bcast:192.168.130.255 Mask:255.255.255.0
 inet6 addr: fe80::250:56ff:feb6:3821/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:1064663029 errors:0 dropped:0 overruns:0 frame:0
 TX packets:902352525 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:507233208569 (472.3 GiB) TX bytes:634865464079 (591.2 GiB)

Check the server hardware:
[root@app130-33 bin]# lspci
00:18.4 PCI bridge: VMware PCI Express Root Port (rev 01)
00:18.5 PCI bridge: VMware PCI Express Root Port (rev 01)
00:18.6 PCI bridge: VMware PCI Express Root Port (rev 01)
00:18.7 PCI bridge: VMware PCI Express Root Port (rev 01)
It shows as a VMware virtual machine.

Look at the processes:
[root@app130-33 bin]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 19364 1628 ? Ss 2016 0:52 /sbin/init
root 2 0.0 0.0 0 0 ? S 2016 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 2016 0:42 [migration/0]
root 4 0.0 0.0 0 0 ? S 2016 0:56 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S 2016 0:00 [migration/0]
root 6 0.0 0.0 0 0 ? S 2016 0:24 [watchdog/0]
root 7 0.0 0.0 0 0 ? S 2016 0:10 [migration/1]
root 8 0.0 0.0 0 0 ? S 2016 0:00 [migration/1]
root 9 0.0 0.0 0 0 ? S 2016 1:02 [ksoftirqd/1]
root 10 0.0 0.0 0 0 ? S 2016 0:15 [watchdog/1]
root 11 0.0 0.0 0 0 ? S 2016 0:01 [migration/2]
root 12 0.0 0.0 0 0 ? S 2016 0:00 [migration/2]
root 13 0.0 0.0 0 0 ? S 2016 0:42 [ksoftirqd/2]
root 14 0.0 0.0 0 0 ? S 2016 0:15 [watchdog/2]
root 15 0.0 0.0 0 0 ? S 2016 0:00 [migration/3]
root 16 0.0 0.0 0 0 ? S 2016 0:00 [migration/3]
root 17 0.0 0.0 0 0 ? S 2016 0:37 [ksoftirqd/3]
root 18 0.0 0.0 0 0 ? S 2016 0:16 [watchdog/3]
root 19 0.0 0.0 0 0 ? S 2016 0:40 [migration/4]
root 20 0.0 0.0 0 0 ? S 2016 0:00 [migration/4]
root 21 0.0 0.0 0 0 ? S 2016 1:08 [ksoftirqd/4]
root 22 0.0 0.0 0 0 ? S 2016 0:25 [watchdog/4]
root 23 0.0 0.0 0 0 ? S 2016 0:08 [migration/5]
root 24 0.0 0.0 0 0 ? S 2016 0:00 [migration/5]
root 25 0.0 0.0 0 0 ? S 2016 1:04 [ksoftirqd/5]
root 26 0.0 0.0 0 0 ? S 2016 0:16 [watchdog/5]
root 27 0.0 0.0 0 0 ? S 2016 0:02 [migration/6]
root 28 0.0 0.0 0 0 ? S 2016 0:00 [migration/6]
root 29 0.0 0.0 0 0 ? S 2016 0:47 [ksoftirqd/6]
root 30 0.0 0.0 0 0 ? S 2016 0:16 [watchdog/6]
root 31 0.0 0.0 0 0 ? S 2016 0:00 [migration/7]
root 32 0.0 0.0 0 0 ? S 2016 0:00 [migration/7]
root 33 0.0 0.0 0 0 ? S 2016 0:38 [ksoftirqd/7]
root 34 0.0 0.0 0 0 ? S 2016 0:16 [watchdog/7]
root 35 0.0 0.0 0 0 ? S 2016 0:15 [migration/8]
root 36 0.0 0.0 0 0 ? S 2016 0:00 [migration/8]
root 37 0.0 0.0 0 0 ? S 2016 0:44 [ksoftirqd/8]
root 38 0.0 0.0 0 0 ? S 2016 0:23 [watchdog/8]
root 39 0.0 0.0 0 0 ? S 2016 0:10 [migration/9]
root 40 0.0 0.0 0 0 ? S 2016 0:00 [migration/9]
root 41 0.0 0.0 0 0 ? S 2016 0:42 [ksoftirqd/9]
root 42 0.0 0.0 0 0 ? S 2016 0:16 [watchdog/9]
root 43 0.0 0.0 0 0 ? S 2016 0:00 [migration/10]
root 44 0.0 0.0 0 0 ? S 2016 0:00 [migration/10]
root 45 0.0 0.0 0 0 ? S 2016 0:26 [ksoftirqd/10]
root 46 0.0 0.0 0 0 ? S 2016 0:16 [watchdog/10]
root 47 0.0 0.0 0 0 ? S 2016 0:00 [migration/11]
root 48 0.0 0.0 0 0 ? S 2016 0:00 [migration/11]
root 49 0.0 0.0 0 0 ? S 2016 0:20 [ksoftirqd/11]
root 50 0.0 0.0 0 0 ? S 2016 0:16 [watchdog/11]
root 51 0.0 0.0 0 0 ? S 2016 0:20 [migration/12]
root 52 0.0 0.0 0 0 ? S 2016 0:00 [migration/12]
root 53 0.0 0.0 0 0 ? S 2016 0:59 [ksoftirqd/12]
root 54 0.0 0.0 0 0 ? S 2016 0:23 [watchdog/12]
root 55 0.0 0.0 0 0 ? S 2016 0:12 [migration/13]
root 56 0.0 0.0 0 0 ? S 2016 0:00 [migration/13]
root 57 0.0 0.0 0 0 ? S 2016 0:40 [ksoftirqd/13]
root 58 0.0 0.0 0 0 ? S 2016 0:16 [watchdog/13]
root 59 0.0 0.0 0 0 ? S 2016 0:00 [migration/14]
root 60 0.0 0.0 0 0 ? S 2016 0:00 [migration/14]
root 61 0.0 0.0 0 0 ? S 2016 0:23 [ksoftirqd/14]
root 62 0.0 0.0 0 0 ? S 2016 0:16 [watchdog/14]
root 63 0.0 0.0 0 0 ? S 2016 0:00 [migration/15]
root 64 0.0 0.0 0 0 ? S 2016 0:00 [migration/15]
root 65 0.0 0.0 0 0 ? S 2016 0:19 [ksoftirqd/15]
root 66 0.0 0.0 0 0 ? S 2016 0:16 [watchdog/15]
root 67 0.0 0.0 0 0 ? S 2016 8:48 [events/0]
root 68 0.0 0.0 0 0 ? S 2016 6:58 [events/1]
root 69 0.0 0.0 0 0 ? S 2016 6:32 [events/2]
root 70 0.0 0.0 0 0 ? S 2016 6:57 [events/3]
root 71 0.0 0.0 0 0 ? S 2016 10:55 [events/4]
root 72 0.0 0.0 0 0 ? S 2016 7:47 [events/5]
root 73 0.0 0.0 0 0 ? S 2016 8:01 [events/6]
root 74 0.0 0.0 0 0 ? S 2016 9:40 [events/7]
root 75 0.0 0.0 0 0 ? S 2016 11:13 [events/8]
root 76 0.0 0.0 0 0 ? S 2016 8:43 [events/9]
root 77 0.0 0.0 0 0 ? S 2016 6:50 [events/10]
root 78 0.0 0.0 0 0 ? S 2016 6:50 [events/11]
root 79 0.0 0.0 0 0 ? S 2016 13:46 [events/12]
root 80 0.0 0.0 0 0 ? S 2016 8:43 [events/13]
root 81 0.0 0.0 0 0 ? S 2016 7:17 [events/14]
root 82 0.0 0.0 0 0 ? S 2016 14:48 [events/15]
root 83 0.0 0.0 0 0 ? S 2016 0:00 [cgroup]
root 84 0.0 0.0 0 0 ? S 2016 0:00 [khelper]
root 85 0.0 0.0 0 0 ? S 2016 0:00 [netns]
root 86 0.0 0.0 0 0 ? S 2016 0:00 [async/mgr]
root 87 0.0 0.0 0 0 ? S 2016 0:00 [pm]
root 88 0.0 0.0 0 0 ? S 2016 0:47 [sync_supers]
root 89 0.0 0.0 0 0 ? S 2016 1:00 [bdi-default]
root 90 0.0 0.0 0 0 ? S 2016 0:00 [kintegrityd/0]
root 91 0.0 0.0 0 0 ? S 2016 0:00 [kintegrityd/1]
root 92 0.0 0.0 0 0 ? S 2016 0:00 [kintegrityd/2]
root 93 0.0 0.0 0 0 ? S 2016 0:00 [kintegrityd/3]
root 94 0.0 0.0 0 0 ? S 2016 0:00 [kintegrityd/4]
root 95 0.0 0.0 0 0 ? S 2016 0:00 [kintegrityd/5]
root 96 0.0 0.0 0 0 ? S 2016 0:00 [kintegrityd/6]
root 97 0.0 0.0 0 0 ? S 2016 0:00 [kintegrityd/7]
root 98 0.0 0.0 0 0 ? S 2016 0:00 [kintegrityd/8]
root 99 0.0 0.0 0 0 ? S 2016 0:00 [kintegrityd/9]
root 100 0.0 0.0 0 0 ? S 2016 0:00 [kintegrityd/10]
root 101 0.0 0.0 0 0 ? S 2016 0:00 [kintegrityd/11]
root 102 0.0 0.0 0 0 ? S 2016 0:00 [kintegrityd/12]
root 103 0.0 0.0 0 0 ? S 2016 0:00 [kintegrityd/13]
root 104 0.0 0.0 0 0 ? S 2016 0:00 [kintegrityd/14]
root 105 0.0 0.0 0 0 ? S 2016 0:00 [kintegrityd/15]
root 106 0.0 0.0 0 0 ? S 2016 11:41 [kblockd/0]
root 107 0.0 0.0 0 0 ? S 2016 1:18 [kblockd/1]
root 108 0.0 0.0 0 0 ? S 2016 0:36 [kblockd/2]
root 109 0.0 0.0 0 0 ? S 2016 0:20 [kblockd/3]
root 110 0.0 0.0 0 0 ? S 2016 9:38 [kblockd/4]
root 111 0.0 0.0 0 0 ? S 2016 1:07 [kblockd/5]
root 112 0.0 0.0 0 0 ? S 2016 0:30 [kblockd/6]
root 113 0.0 0.0 0 0 ? S 2016 0:16 [kblockd/7]
root 114 0.0 0.0 0 0 ? S 2016 6:15 [kblockd/8]
root 115 0.0 0.0 0 0 ? S 2016 0:45 [kblockd/9]
root 116 0.0 0.0 0 0 ? S 2016 0:18 [kblockd/10]
root 117 0.0 0.0 0 0 ? S 2016 0:11 [kblockd/11]
root 118 0.0 0.0 0 0 ? S 2016 7:02 [kblockd/12]
root 119 0.0 0.0 0 0 ? S 2016 1:06 [kblockd/13]
root 120 0.0 0.0 0 0 ? S 2016 0:21 [kblockd/14]
root 121 0.0 0.0 0 0 ? S 2016 0:08 [kblockd/15]
root 122 0.0 0.0 0 0 ? S 2016 0:00 [kacpid]
root 123 0.0 0.0 0 0 ? S 2016 0:00 [kacpi_notify]
root 124 0.0 0.0 0 0 ? S 2016 0:00 [kacpi_hotplug]
root 125 0.0 0.0 0 0 ? S 2016 0:00 [ata_aux]
root 126 0.0 0.0 0 0 ? S 2016 0:00 [ata_sff/0]
root 127 0.0 0.0 0 0 ? S 2016 0:00 [ata_sff/1]
root 128 0.0 0.0 0 0 ? S 2016 0:00 [ata_sff/2]
root 129 0.0 0.0 0 0 ? S 2016 0:00 [ata_sff/3]
root 130 0.0 0.0 0 0 ? S 2016 0:00 [ata_sff/4]
root 131 0.0 0.0 0 0 ? S 2016 0:00 [ata_sff/5]
root 132 0.0 0.0 0 0 ? S 2016 0:00 [ata_sff/6]
root 133 0.0 0.0 0 0 ? S 2016 0:00 [ata_sff/7]
root 134 0.0 0.0 0 0 ? S 2016 0:00 [ata_sff/8]
root 135 0.0 0.0 0 0 ? S 2016 0:00 [ata_sff/9]
root 136 0.0 0.0 0 0 ? S 2016 0:00 [ata_sff/10]
root 137 0.0 0.0 0 0 ? S 2016 0:00 [ata_sff/11]
root 138 0.0 0.0 0 0 ? S 2016 0:00 [ata_sff/12]
root 139 0.0 0.0 0 0 ? S 2016 0:00 [ata_sff/13]
root 140 0.0 0.0 0 0 ? S 2016 0:00 [ata_sff/14]
root 141 0.0 0.0 0 0 ? S 2016 0:00 [ata_sff/15]
root 142 0.0 0.0 0 0 ? S 2016 0:00 [ksuspend_usbd]
root 143 0.0 0.0 0 0 ? S 2016 0:00 [khubd]
root 144 0.0 0.0 0 0 ? S 2016 0:00 [kseriod]
root 145 0.0 0.0 0 0 ? S 2016 0:00 [md/0]
root 146 0.0 0.0 0 0 ? S 2016 0:00 [md/1]
root 147 0.0 0.0 0 0 ? S 2016 0:00 [md/2]
root 148 0.0 0.0 0 0 ? S 2016 0:00 [md/3]
root 149 0.0 0.0 0 0 ? S 2016 0:00 [md/4]
root 150 0.0 0.0 0 0 ? S 2016 0:00 [md/5]
root 151 0.0 0.0 0 0 ? S 2016 0:00 [md/6]
root 152 0.0 0.0 0 0 ? S 2016 0:00 [md/7]
root 153 0.0 0.0 0 0 ? S 2016 0:00 [md/8]
root 154 0.0 0.0 0 0 ? S 2016 0:00 [md/9]
root 155 0.0 0.0 0 0 ? S 2016 0:00 [md/10]
root 156 0.0 0.0 0 0 ? S 2016 0:00 [md/11]
root 157 0.0 0.0 0 0 ? S 2016 0:00 [md/12]
root 158 0.0 0.0 0 0 ? S 2016 0:00 [md/13]
root 159 0.0 0.0 0 0 ? S 2016 0:00 [md/14]
root 160 0.0 0.0 0 0 ? S 2016 0:00 [md/15]
root 161 0.0 0.0 0 0 ? S 2016 0:00 [md_misc/0]
root 162 0.0 0.0 0 0 ? S 2016 0:00 [md_misc/1]
root 163 0.0 0.0 0 0 ? S 2016 0:00 [md_misc/2]
root 164 0.0 0.0 0 0 ? S 2016 0:00 [md_misc/3]
root 165 0.0 0.0 0 0 ? S 2016 0:00 [md_misc/4]
root 166 0.0 0.0 0 0 ? S 2016 0:00 [md_misc/5]
root 167 0.0 0.0 0 0 ? S 2016 0:00 [md_misc/6]
root 168 0.0 0.0 0 0 ? S 2016 0:00 [md_misc/7]
root 169 0.0 0.0 0 0 ? S 2016 0:00 [md_misc/8]
root 170 0.0 0.0 0 0 ? S 2016 0:00 [md_misc/9]
root 171 0.0 0.0 0 0 ? S 2016 0:00 [md_misc/10]
root 172 0.0 0.0 0 0 ? S 2016 0:00 [md_misc/11]
root 173 0.0 0.0 0 0 ? S 2016 0:00 [md_misc/12]
root 174 0.0 0.0 0 0 ? S 2016 0:00 [md_misc/13]
root 175 0.0 0.0 0 0 ? S 2016 0:00 [md_misc/14]
root 176 0.0 0.0 0 0 ? S 2016 0:00 [md_misc/15]
root 177 0.0 0.0 0 0 ? S 2016 0:00 [linkwatch]
root 178 0.0 0.0 0 0 ? S 2016 0:15 [khungtaskd]
root 179 0.0 0.0 0 0 ? S 2016 0:00 [kswapd0]
root 180 0.0 0.0 0 0 ? S 2016 0:00 [kswapd1]
root 181 0.0 0.0 0 0 ? S 2016 0:00 [kswapd2]
root 182 0.0 0.0 0 0 ? S 2016 0:00 [kswapd3]
root 183 0.0 0.0 0 0 ? SN 2016 0:00 [ksmd]
root 184 0.0 0.0 0 0 ? SN 2016 0:47 [khugepaged]
root 185 0.0 0.0 0 0 ? S 2016 0:00 [aio/0]
root 186 0.0 0.0 0 0 ? S 2016 0:00 [aio/1]
root 187 0.0 0.0 0 0 ? S 2016 0:00 [aio/2]
root 188 0.0 0.0 0 0 ? S 2016 0:00 [aio/3]
root 189 0.0 0.0 0 0 ? S 2016 0:00 [aio/4]
root 190 0.0 0.0 0 0 ? S 2016 0:00 [aio/5]
root 191 0.0 0.0 0 0 ? S 2016 0:00 [aio/6]
root 192 0.0 0.0 0 0 ? S 2016 0:00 [aio/7]
root 193 0.0 0.0 0 0 ? S 2016 0:00 [aio/8]
root 194 0.0 0.0 0 0 ? S 2016 0:00 [aio/9]
root 195 0.0 0.0 0 0 ? S 2016 0:00 [aio/10]
root 196 0.0 0.0 0 0 ? S 2016 0:00 [aio/11]
root 197 0.0 0.0 0 0 ? S 2016 0:00 [aio/12]
root 198 0.0 0.0 0 0 ? S 2016 0:00 [aio/13]
root 199 0.0 0.0 0 0 ? S 2016 0:00 [aio/14]
root 200 0.0 0.0 0 0 ? S 2016 0:00 [aio/15]
root 201 0.0 0.0 0 0 ? S 2016 0:00 [crypto/0]
root 202 0.0 0.0 0 0 ? S 2016 0:00 [crypto/1]
root 203 0.0 0.0 0 0 ? S 2016 0:00 [crypto/2]
root 204 0.0 0.0 0 0 ? S 2016 0:00 [crypto/3]
root 205 0.0 0.0 0 0 ? S 2016 0:00 [crypto/4]
root 206 0.0 0.0 0 0 ? S 2016 0:00 [crypto/5]
root 207 0.0 0.0 0 0 ? S 2016 0:00 [crypto/6]
root 208 0.0 0.0 0 0 ? S 2016 0:00 [crypto/7]
root 209 0.0 0.0 0 0 ? S 2016 0:00 [crypto/8]
root 210 0.0 0.0 0 0 ? S 2016 0:00 [crypto/9]
root 211 0.0 0.0 0 0 ? S 2016 0:00 [crypto/10]
root 212 0.0 0.0 0 0 ? S 2016 0:00 [crypto/11]
root 213 0.0 0.0 0 0 ? S 2016 0:00 [crypto/12]
root 214 0.0 0.0 0 0 ? S 2016 0:00 [crypto/13]
root 215 0.0 0.0 0 0 ? S 2016 0:00 [crypto/14]
root 216 0.0 0.0 0 0 ? S 2016 0:00 [crypto/15]
root 221 0.0 0.0 0 0 ? S 2016 0:00 [kthrotld/0]
root 222 0.0 0.0 0 0 ? S 2016 0:00 [kthrotld/1]
root 223 0.0 0.0 0 0 ? S 2016 0:00 [kthrotld/2]
root 224 0.0 0.0 0 0 ? S 2016 0:00 [kthrotld/3]
root 225 0.0 0.0 0 0 ? S 2016 0:00 [kthrotld/4]
root 226 0.0 0.0 0 0 ? S 2016 0:00 [kthrotld/5]
root 227 0.0 0.0 0 0 ? S 2016 0:00 [kthrotld/6]
root 228 0.0 0.0 0 0 ? S 2016 0:00 [kthrotld/7]
root 229 0.0 0.0 0 0 ? S 2016 0:00 [kthrotld/8]
root 230 0.0 0.0 0 0 ? S 2016 0:00 [kthrotld/9]
root 231 0.0 0.0 0 0 ? S 2016 0:00 [kthrotld/10]
root 232 0.0 0.0 0 0 ? S 2016 0:00 [kthrotld/11]
root 233 0.0 0.0 0 0 ? S 2016 0:00 [kthrotld/12]
root 234 0.0 0.0 0 0 ? S 2016 0:00 [kthrotld/13]
root 235 0.0 0.0 0 0 ? S 2016 0:00 [kthrotld/14]
root 236 0.0 0.0 0 0 ? S 2016 0:00 [kthrotld/15]
root 237 0.0 0.0 0 0 ? S 2016 0:00 [pciehpd]
root 239 0.0 0.0 0 0 ? S 2016 0:00 [kpsmoused]
root 240 0.0 0.0 0 0 ? S 2016 0:00 [usbhid_resumer]
root 270 0.0 0.0 0 0 ? S 2016 0:00 [kstriped]
root 336 0.0 0.0 94660 4988 ? Ssl 13:31 0:01 ./zou
root 375 0.0 0.0 0 0 ? S 2016 0:00 [scsi_eh_0]
root 376 0.0 0.0 0 0 ? S 2016 0:00 [scsi_eh_1]
root 415 0.0 0.0 11716 604 ? Ssl 13:31 0:00 /usr/bin/.sshd
root 463 0.0 0.0 0 0 ? S 2016 0:00 [scsi_eh_2]
root 464 0.0 0.0 0 0 ? S 2016 0:00 [vmw_pvscsi_wq_2]
root 506 0.0 0.0 0 0 ? S 2016 53:20 [jbd2/sda1-8]
root 507 0.0 0.0 0 0 ? S 2016 0:00 [ext4-dio-unwrit]
root 539 0.0 0.0 888 276 ? Ss 13:31 0:02 /etc/.zl
root 592 0.0 0.0 11296 1384 ? S<s 2016 0:00 /sbin/udevd -d
root 785 0.0 0.0 0 0 ? S 2016 4:08 [vmmemctl]
root 975 0.0 0.0 111244 1372 ? Sl 13:32 0:01 /etc/.System
root 976 0.0 0.0 1776 204 ? S 13:32 0:00 /etc/.System
root 980 0.0 0.0 3932 484 ? S 13:32 0:00 ./dbuspm-session /etc/.System RunByP975
root 1250 0.0 0.0 11292 1412 ? S< 2016 0:00 /sbin/udevd -d
root 1251 0.0 0.0 11292 1376 ? S< 2016 0:00 /sbin/udevd -d
root 1315 0.0 0.0 0 0 ? S 2016 79:04 [flush-8:0]
root 1331 0.0 0.0 0 0 ? S 2016 0:13 [kauditd]
root 1665 0.1 0.0 179240 4468 ? S 2016 161:04 /usr/sbin/vmtoolsd
root 1767 0.0 0.0 93200 912 ? S<sl 2016 0:58 auditd
root 1785 0.0 0.0 6160 576 ? Ss 2016 0:00 /sbin/portreserve
root 1792 0.0 0.0 251592 4444 ? Sl 2016 0:19 /sbin/rsyslogd -i /var/run/syslogd.pid
root 1804 0.0 0.0 10948 672 ? Ss 2016 61:22 irqbalance --pid=/var/run/irqbalance.
dbus 1812 0.0 0.0 21556 1004 ? Ss 2016 0:00 dbus-daemon --system
root 1842 0.0 0.0 6260 300 ? Ss 2016 0:00 /usr/sbin/mcelog --daemon
root 1854 0.0 0.0 66604 1236 ? Ss 2016 0:00 /usr/sbin/sshd
root 1862 0.0 0.0 22180 972 ? Ss 2016 0:00 xinetd -stayalive -pidfile /var/run/xinetd.
root 1895 0.0 0.0 110316 1008 ? Ss 2016 0:00 /usr/sbin/abrtd
zabbix 1916 0.0 0.0 18760 752 ? S 2016 0:00 /usr/local/zabbix/sbin/zabbix_agentd
zabbix 1921 0.0 0.0 18760 1872 ? S 2016 88:18 /usr/local/zabbix/sbin/zabbix_agentd:
zabbix 1922 0.0 0.0 18760 1116 ? S 2016 1:34 /usr/local/zabbix/sbin/zabbix_agentd:
zabbix 1923 0.0 0.0 18760 1116 ? S 2016 1:32 /usr/local/zabbix/sbin/zabbix_agentd:
zabbix 1924 0.0 0.0 18760 1116 ? S 2016 1:34 /usr/local/zabbix/sbin/zabbix_agentd:
zabbix 1925 0.0 0.0 18768 876 ? S 2016 14:03 /usr/local/zabbix/sbin/zabbix_agentd:
root 1932 0.0 0.0 21540 480 ? Ss 2016 0:00 /usr/sbin/atd
root 1945 0.0 0.0 104016 584 ? Ss 2016 0:00 /usr/bin/rhsmcertd
root 1961 0.0 0.1 717856 40416 ? Sl 2016 99:14 /usr/bin/python /usr/bin/salt-minion
root 1972 0.0 0.0 62332 596 ? Ss 2016 0:13 /usr/sbin/certmonger -S -p /var/run/certmonger.
root 1983 0.4 0.5 689444 197164 ? S<sl 2016 705:18 mfsmount /data/ -H 193.167.10.11
root 2007 0.0 0.0 4064 532 tty2 Ss+ 2016 0:00 /sbin/mingetty /dev/tty2
root 2009 0.0 0.0 4064 536 tty3 Ss+ 2016 0:00 /sbin/mingetty /dev/tty3
root 2011 0.0 0.0 4064 532 tty4 Ss+ 2016 0:00 /sbin/mingetty /dev/tty4
root 2013 0.0 0.0 4064 532 tty5 Ss+ 2016 0:00 /sbin/mingetty /dev/tty5
root 2015 0.0 0.0 4064 532 tty6 Ss+ 2016 0:00 /sbin/mingetty /dev/tty6
root 2962 0.0 0.0 106096 1300 ? S Mar09 0:00 /bin/sh /jboss-4.2.3/bin/run3.sh -b
root 2971 1.4 7.7 13756408 2560144 ? Sl Mar09 104:30 /usr/local/jdk1.6.0_45/bin/java -Dprogram.
root 3651 0.0 0.0 106096 1304 ? S Mar09 0:00 /bin/sh /jboss-4.2.3/bin/run4.sh -b
root 3660 2.8 5.0 13091608 1654588 ? Sl Mar09 201:23 /usr/local/jdk1.6.0_45/bin/java -Dprogram.
root 6260 0.0 0.0 100540 4440 ? Ss 13:42 0:00 sshd: root@pts/0
root 6271 0.0 0.0 108680 2124 pts/0 Ss+ 13:42 0:00 -bash
root 7601 1486 0.2 1417564 83392 ? Sl 13:45 519:56 /etc/.yam -c x -M stratum+tcp://47CunEQ4v8FPVNnw9mDgNZeaiSo6SVDydB3AZM341ZtdYpBYNmYeqhh4mpU1X6RSmgBTfC8xqaAtUGC2DArotyaKSz1LJyj.
nagios 7941 0.0 0.0 39340 1352 ? Ss 2016 3:10 /usr/local/nagios/bin/nrpe -c /etc/nagios/
root 8228 0.0 0.0 100844 4648 ? Ss 13:46 0:00 sshd: root@pts/1
root 8232 0.0 0.0 108544 1984 pts/1 Ss 13:46 0:00 -bash
root 10037 0.0 0.0 106096 1304 pts/0 S 13:49 0:00 /bin/sh /jboss-4.2.3/bin/run2.sh -b
root 10046 15.1 8.1 13130424 2674088 pts/0 Sl 13:49 4:39 /usr/local/jdk1.6.0_45/bin/java -Dprogram.
root 15332 0.0 0.0 100364 4160 ? Ss 13:58 0:00 sshd: root@pts/3
root 15336 0.0 0.0 108424 1868 pts/3 Ss+ 13:58 0:00 -bash
root 16805 0.0 0.0 100364 4060 ? Ss 14:00 0:00 sshd: wclog [priv]
wclog 16828 0.0 0.0 100364 1776 ? S 14:00 0:00 sshd: wclog@pts/4
wclog 16829 0.0 0.0 108464 1864 pts/4 Ss+ 14:00 0:00 -bash
root 17018 0.0 0.0 117328 1340 ? Ss Jan21 0:51 crond
root 18785 0.0 0.0 93636 912 ? Ssl 14:03 0:00 /jboss-4.2.3/bin/zou
root 18894 0.0 0.0 11716 552 ? Ssl 14:03 0:00 /usr/bin/.sshd
root 19895 0.0 0.0 100364 4168 ? Ss 14:05 0:00 sshd: root@pts/6
root 19915 0.0 0.0 108468 1980 pts/6 Ss+ 14:05 0:00 -bash
root 22608 0.0 0.0 100364 4224 ? Ss 14:08 0:00 sshd: root@pts/8
root 23619 0.0 0.0 108432 1964 pts/8 Ss 14:10 0:00 -bash
root 23720 0.0 0.0 41868 504 ? Ssl 14:10 0:00 /tmp/.lz1489471809
root 26477 0.0 0.0 105444 848 pts/1 S+ 14:14 0:00 less
root 27728 0.0 0.0 4116540 3412 ? Sl 09:48 0:00 /usr/sbin/console-kit-daemon --no-daemon
root 28464 0.0 0.0 100364 4072 ? Ss 10:03 0:00 sshd: wclog [priv]
wclog 28466 0.0 0.0 100364 1804 ? S 10:03 0:01 sshd: wclog@pts/5
wclog 28467 0.0 0.0 108468 1928 pts/5 Ss+ 10:03 0:00 -bash
root 29128 0.0 0.0 4064 528 tty1 Ss+ 10:18 0:00 /sbin/mingetty /dev/tty1
root 31228 0.0 0.0 1484 700 pts/8 S+ 14:19 0:00 ps aux
root 31229 1.0 0.0 110232 1136 pts/8 R+ 14:19 0:00 /usr/bin/dpkgd/ps aux
[root@app130-33 bin]#

The miner (PID 7601, /etc/.yam) is at 1486% CPU. Note the last two lines as well: the `ps aux` that was typed (PID 31228) is a 1484 KB process that in turn runs /usr/bin/dpkgd/ps, so the system ps has been replaced by a wrapper. Output from ps, and from any other tool the intruder may have swapped the same way, cannot be fully trusted on this host.

Check listening ports:
[root@app130-33 bin]# netstat -tnpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.130.33:28939 0.0.0.0:* LISTEN 10046/java
tcp 0 0 0.0.0.0:21099 0.0.0.0:* LISTEN 10046/java
tcp 0 0 192.168.130.33:48939 0.0.0.0:* LISTEN 3660/java
tcp 0 0 0.0.0.0:41099 0.0.0.0:* LISTEN 3660/java
tcp 0 0 0.0.0.0:49709 0.0.0.0:* LISTEN 3660/java
tcp 0 0 192.168.130.33:21198 0.0.0.0:* LISTEN 10046/java
tcp 0 0 192.168.130.33:41198 0.0.0.0:* LISTEN 3660/java
tcp 0 0 192.168.130.33:35566 0.0.0.0:* LISTEN 2971/java
tcp 0 0 192.168.130.33:21199 0.0.0.0:* LISTEN 10046/java
tcp 0 0 192.168.130.33:41199 0.0.0.0:* LISTEN 3660/java
tcp 0 0 0.0.0.0:2863 0.0.0.0:* LISTEN 3660/java
tcp 0 0 192.168.130.33:34544 0.0.0.0:* LISTEN 2971/java
tcp 0 0 0.0.0.0:31888 0.0.0.0:* LISTEN 2971/java
tcp 0 0 0.0.0.0:17872 0.0.0.0:* LISTEN 2971/java
tcp 0 0 127.0.0.1:35536 0.0.0.0:* LISTEN 1983/mfsmount
tcp 0 0 192.168.130.33:38193 0.0.0.0:* LISTEN 2971/java
tcp 0 0 192.168.130.33:34545 0.0.0.0:* LISTEN 2971/java
tcp 0 0 192.168.130.33:29010 0.0.0.0:* LISTEN 10046/java
tcp 0 0 192.168.130.33:49010 0.0.0.0:* LISTEN 3660/java
tcp 0 0 0.0.0.0:24212 0.0.0.0:* LISTEN 10046/java
tcp 0 0 192.168.130.33:33973 0.0.0.0:* LISTEN 2971/java
tcp 0 0 0.0.0.0:25622 0.0.0.0:* LISTEN 3660/java
tcp 0 0 192.168.130.33:35446 0.0.0.0:* LISTEN 2971/java
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1854/sshd
tcp 0 0 192.168.130.33:28183 0.0.0.0:* LISTEN 10046/java
tcp 0 0 192.168.130.33:48183 0.0.0.0:* LISTEN 3660/java
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN 10046/java
tcp 0 0 0.0.0.0:2459 0.0.0.0:* LISTEN 3660/java
tcp 0 0 192.168.130.33:38939 0.0.0.0:* LISTEN 2971/java
tcp 0 0 0.0.0.0:31099 0.0.0.0:* LISTEN 2971/java
tcp 0 0 0.0.0.0:24637 0.0.0.0:* LISTEN 10046/java
tcp 0 0 192.168.130.33:25566 0.0.0.0:* LISTEN 10046/java
tcp 0 0 192.168.130.33:45566 0.0.0.0:* LISTEN 3660/java
tcp 0 0 0.0.0.0:50782 0.0.0.0:* LISTEN 2971/java
tcp 0 0 192.168.130.33:31198 0.0.0.0:* LISTEN 2971/java
tcp 0 0 0.0.0.0:46591 0.0.0.0:* LISTEN 10046/java
tcp 0 0 0.0.0.0:2559 0.0.0.0:* LISTEN 3660/java
tcp 0 0 192.168.130.33:31199 0.0.0.0:* LISTEN 2971/java
tcp 0 0 192.168.130.33:24544 0.0.0.0:* LISTEN 10046/java
tcp 0 0 192.168.130.33:44544 0.0.0.0:* LISTEN 3660/java
tcp 0 0 192.168.130.33:28193 0.0.0.0:* LISTEN 10046/java
tcp 0 0 192.168.130.33:24545 0.0.0.0:* LISTEN 10046/java
tcp 0 0 192.168.130.33:48193 0.0.0.0:* LISTEN 3660/java
tcp 0 0 192.168.130.33:44545 0.0.0.0:* LISTEN 3660/java
tcp 0 0 0.0.0.0:37409 0.0.0.0:* LISTEN 2971/java
tcp 0 0 0.0.0.0:38721 0.0.0.0:* LISTEN 2971/java
tcp 0 0 192.168.130.33:39010 0.0.0.0:* LISTEN 2971/java
tcp 0 0 0.0.0.0:5666 0.0.0.0:* LISTEN 7941/nrpe
tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN 1916/zabbix_agentd
tcp 0 0 0.0.0.0:42180 0.0.0.0:* LISTEN 3660/java
tcp 0 0 192.168.130.33:23973 0.0.0.0:* LISTEN 10046/java
tcp 0 0 192.168.130.33:43973 0.0.0.0:* LISTEN 3660/java
tcp 0 0 192.168.130.33:25446 0.0.0.0:* LISTEN 10046/java
tcp 0 0 192.168.130.33:45446 0.0.0.0:* LISTEN 3660/java
tcp 0 0 192.168.130.33:38183 0.0.0.0:* LISTEN 2971/java
tcp 0 0 0.0.0.0:49705 0.0.0.0:* LISTEN 10046/java
tcp 0 0 0.0.0.0:19049 0.0.0.0:* LISTEN 3660/java
tcp 0 0 0.0.0.0:21482 0.0.0.0:* LISTEN 10046/java
tcp 0 0 :::22 :::* LISTEN 1854/sshd
tcp 0 0 :::5666 :::* LISTEN 7941/nrpe

Apart from zabbix_agentd, the nagios nrpe agent, mfsmount and sshd, every listening port belongs to one of the Java business processes (PIDs 2971, 3660 and 10046). None of the implants listens; they all connect outbound, which is why netstat -l alone would not have found them.

Examine the suspicious processes in detail.

Compiled list of suspicious processes:
root 336 0.0 0.0 94660 4988 ? Ssl 13:31 0:01 ./zou
root 415 0.0 0.0 11716 604 ? Ssl 13:31 0:00 /usr/bin/.sshd
root 539 0.0 0.0 888 276 ? Ss 13:31 0:02 /etc/.zl
root 975 0.0 0.0 111244 1372 ? Sl 13:32 0:01 /etc/.System
root 976 0.0 0.0 1776 204 ? S 13:32 0:00 /etc/.System
root 980 0.0 0.0 3932 484 ? S 13:32 0:00 ./dbuspm-session /etc/.System RunByP975
root 7601 1486 0.2 1417564 83392 ? Sl 13:45 519:56 /etc/.yam -c x -M stratum+tcp:/
root 18785 0.0 0.0 93636 912 ? Ssl 14:03 0:00 /jboss-4.2.3/bin/zou
root 18894 0.0 0.0 11716 552 ? Ssl 14:03 0:00 /usr/bin/.sshd
root 23720 0.0 0.0 41868 504 ? Ssl 14:10 0:00 /tmp/.lz1489471809

Details:
[root@app130-33 bin]# lsof -p 336
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
zou 336 root cwd DIR 8,1 4096 1835318 /jboss-4.2.3/bin
zou 336 root rtd DIR 8,1 4096 2 /
zou 336 root txt REG 8,1 1223123 1840013 /jboss-4.2.3/bin/zou (deleted)
zou 336 root 0u CHR 1,3 0t0 3968 /dev/null
zou 336 root 1u CHR 1,3 0t0 3968 /dev/null
zou 336 root 2u CHR 1,3 0t0 3968 /dev/null
zou 336 root 3uW REG 8,1 3 1704074 /tmp/gates.lod (deleted)
zou 336 root 4u IPv4 92239745 0t0 TCP app130-33:5535->122.192.218.121:7759 (ESTABLISHED)
[root@app130-33 bin]# lsof -p 415
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
.sshd 415 root cwd DIR 8,1 4096 1835318 /jboss-4.2.3/bin
.sshd 415 root rtd DIR 8,1 4096 2 /
.sshd 415 root txt REG 8,1 1223123 298307 /usr/bin/.sshd (deleted)
.sshd 415 root 0u CHR 1,3 0t0 3968 /dev/null
.sshd 415 root 1u CHR 1,3 0t0 3968 /dev/null
.sshd 415 root 2u CHR 1,3 0t0 3968 /dev/null
.sshd 415 root 3uW REG 8,1 3 1704082 /tmp/moni.lod (deleted)
[root@app130-33 bin]# lsof -p 539
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
.zl 539 root cwd DIR 8,1 4096 1835318 /jboss-4.2.3/bin
.zl 539 root rtd DIR 8,1 4096 2 /
.zl 539 root txt REG 8,1 727556 1450898 /etc/.zl
.zl 539 root 0r CHR 1,3 0t0 3968 /dev/null
.zl 539 root 1w FIFO 0,8 0t0 91799092 pipe
.zl 539 root 2w FIFO 0,8 0t0 91799092 pipe
[root@app130-33 bin]# lsof -p 976
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
.System 976 root cwd DIR 8,1 3514368 1703937 /tmp
.System 976 root rtd DIR 8,1 4096 2 /
.System 976 root txt REG 8,1 1820918 1450903 /etc/.System
.System 976 root 0u sock 0,6 0t0 91808256 can't identify protocol
[root@app130-33 bin]#
[root@app130-33 bin]# lsof -p 980
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dbuspm-se 980 root cwd DIR 8,1 3514368 1703937 /tmp
dbuspm-se 980 root rtd DIR 8,1 4096 2 /
dbuspm-se 980 root txt REG 8,1 10464 1704085 /tmp/dbuspm-session (deleted)
dbuspm-se 980 root mem REG 8,1 156928 796038 /lib64/ld-2.12.so
dbuspm-se 980 root mem REG 8,1 1926800 796039 /lib64/libc-2.12.so
dbuspm-se 980 root 0r CHR 1,3 0t0 3968 /dev/null
[root@app130-33 bin]# lsof -p 975
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
.System 975 root cwd DIR 8,1 3514368 1703937 /tmp
.System 975 root rtd DIR 8,1 4096 2 /
.System 975 root txt REG 8,1 1820918 1450903 /etc/.System
.System 975 root mem REG 8,1 156928 796038 /lib64/ld-2.12.so
.System 975 root mem REG 8,1 1926800 796039 /lib64/libc-2.12.so
.System 975 root mem REG 8,1 113952 796046 /lib64/libresolv-2.12.so
.System 975 root mem REG 8,1 27424 786460 /lib64/libnss_dns-2.12.so
.System 975 root mem REG 8,1 65928 786462 /lib64/libnss_files-2.12.so
.System 975 root 0u IPv4 91810515 0t0 TCP app130-33:52331->123.135.128.178:29135 (ESTABLISHED)
[root@app130-33 bin]# lsof -p 7601
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
.yam 7601 root cwd DIR 8,1 4096 1179649 /root
.yam 7601 root rtd DIR 8,1 4096 2 /
.yam 7601 root txt REG 8,1 3867096 1450905 /etc/.yam
.yam 7601 root mem REG 8,1 156928 796038 /lib64/ld-2.12.so
.yam 7601 root mem REG 8,1 1926800 796039 /lib64/libc-2.12.so
.yam 7601 root mem REG 8,1 113952 796046 /lib64/libresolv-2.12.so
.yam 7601 root mem REG 8,1 27424 786460 /lib64/libnss_dns-2.12.so
.yam 7601 root mem REG 8,1 65928 786462 /lib64/libnss_files-2.12.so
.yam 7601 root 0r CHR 1,3 0t0 3968 /dev/null
.yam 7601 root 1w REG 8,1 76373 1190862 /root/myout.file
.yam 7601 root 2w REG 8,1 76373 1190862 /root/myout.file
.yam 7601 root 3u REG 0,9 0 3966 [eventfd]
.yam 7601 root 4u REG 0,9 0 3966 [eventpoll]
.yam 7601 root 5u REG 0,9 0 3966 [timerfd]
.yam 7601 root 6u IPv4 92265271 0t0 TCP app130-33:22516->ns377151.ip-94-23-55.eu:mxi
.yam 7601 root 7r FIFO 0,8 0t0 91921852 pipe
.yam 7601 root 8w FIFO 0,8 0t0 91921852 pipe
[root@app130-33 bin]# lsof -p 18894
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
.sshd 18894 root cwd DIR 8,1 4096 1835318 /jboss-4.2.3/bin
.sshd 18894 root rtd DIR 8,1 4096 2 /
.sshd 18894 root txt REG 8,1 1223123 298354 /usr/bin/.sshd
.sshd 18894 root 0u CHR 1,3 0t0 3968 /dev/null
.sshd 18894 root 1u CHR 1,3 0t0 3968 /dev/null
.sshd 18894 root 2u CHR 1,3 0t0 3968 /dev/null
.sshd 18894 root 3uW REG 8,1 5 1703947 /tmp/moni.lod
[root@app130-33 bin]# lsof -p 18785
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
zou 18785 root cwd DIR 8,1 4096 1835318 /jboss-4.2.3/bin
zou 18785 root rtd DIR 8,1 4096 2 /
zou 18785 root txt REG 8,1 1223123 1839010 /jboss-4.2.3/bin/zou
zou 18785 root 0u CHR 1,3 0t0 3968 /dev/null
zou 18785 root 1u CHR 1,3 0t0 3968 /dev/null
zou 18785 root 2u CHR 1,3 0t0 3968 /dev/null
zou 18785 root 3uW REG 8,1 5 1703940 /tmp/gates.lod
zou 18785 root 4u IPv4 92281673 0t0 TCP app130-33:6097->122.192.218.121:7759 (SYN_SENT)
[root@app130-33 bin]# lsof -p 23720
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
.lz148947 23720 root cwd DIR 8,1 4096 1835318 /jboss-4.2.3/bin
.lz148947 23720 root rtd DIR 8,1 4096 2 /
.lz148947 23720 root txt REG 8,1 727556 1703943 /tmp/.lz1489471809
.lz148947 23720 root 0r CHR 1,3 0t0 3968 /dev/null
.lz148947 23720 root 1w FIFO 0,8 0t0 91799092 pipe
.lz148947 23720 root 2w FIFO 0,8 0t0 91799092 pipe
.lz148947 23720 root 3r IPv4 92165385 0t0 TCP app130-33:ewctsp->222.186.59.156:exp1

What the lsof output tells us. The txt entries marked (deleted) for PIDs 336, 415 and 980 mean those binaries unlinked themselves after starting and now exist only as the running image, so they cannot be recovered from disk for analysis (but can still be copied out of /proc/<pid>/exe while the process lives). The cwd of almost every implant is /jboss-4.2.3/bin, which is consistent with the JBoss/Struts2 application being the entry point. zou and .sshd each appear twice: the first instances (PIDs 336 and 415, started 13:31, binaries deleted) and fresh copies (PIDs 18785 and 18894, started 14:03) whose binaries were written back to disk at 14:03, while the investigation was already under way. The WRITE-locked /tmp/gates.lod and /tmp/moni.lod files are the pair's lock files. The outbound connections seen here (122.192.218.121:7759 for zou, 123.135.128.178:29135 for .System, 222.186.59.156 for .lz1489471809, and the dwarfpool host ns377151.ip-94-23-55.eu for the miner) are the network indicators to block and to search the proxy and flow logs for.

Server login records:
[root@app130-33 bin]# last
root pts/2 193.167.10.47 Tue Mar 14 14:36 still logged in
root pts/8 193.167.10.86 Tue Mar 14 14:10 still logged in
root pts/7 193.167.10.47 Tue Mar 14 14:07 - 14:13 (00:05)
root pts/6 10.8.0.118 Tue Mar 14 14:05 still logged in
root pts/6 10.8.0.118 Tue Mar 14 14:00 - 14:04 (00:04)
wclog pts/4 10.8.1.158 Tue Mar 14 14:00 - 14:30 (00:30)
root pts/3 10.8.0.6 Tue Mar 14 13:58 still logged in
root pts/1 10.8.0.14 Tue Mar 14 13:46 still logged in
root pts/0 10.8.0.242 Tue Mar 14 13:42 still logged in
wclog pts/0 10.8.1.158 Tue Mar 14 12:19 - 12:49 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 11:49 - 12:19 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 11:19 - 11:49 (00:30)
root pts/1 10.8.0.6 Tue Mar 14 11:08 - 11:38 (00:30)
wclog pts/2 10.8.0.90 Tue Mar 14 10:51 - 14:13 (03:21)
wclog pts/2 10.8.0.90 Tue Mar 14 10:50 - 10:51 (00:00)
wclog pts/0 10.8.1.158 Tue Mar 14 10:49 - 11:19 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 10:19 - 10:49 (00:30)
root pts/1 10.8.0.118 Tue Mar 14 10:12 - 10:56 (00:43)
wclog pts/6 10.8.0.90 Tue Mar 14 10:04 - 10:52 (00:48)
wclog pts/5 10.8.0.26 Tue Mar 14 10:03 - 14:31 (04:27)
root pts/4 10.8.0.242 Tue Mar 14 10:00 - 10:21 (00:21)
root pts/3 10.8.0.6 Tue Mar 14 09:55 - 10:25 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 09:48 - 10:18 (00:30)
root tty1 Tue Mar 14 09:48 - 10:18 (00:30)
wclog pts/2 10.8.0.38 Tue Mar 14 09:43 - 10:13 (00:30)
root pts/1 10.8.0.14 Tue Mar 14 09:40 - 10:10 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 09:18 - 09:48 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 08:48 - 09:18 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 08:18 - 08:48 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 07:48 - 08:18 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 07:18 - 07:48 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 06:48 - 07:18 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 06:18 - 06:48 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 05:48 - 06:18 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 05:17 - 05:48 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 04:47 - 05:17 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 04:17 - 04:47 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 03:47 - 04:17 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 03:17 - 03:47 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 02:47 - 03:17 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 02:17 - 02:47 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 01:47 - 02:17 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 01:17 - 01:47 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 00:47 - 01:17 (00:30)
wclog pts/0 10.8.1.158 Tue Mar 14 00:17 - 00:47 (00:30)

Every login comes from internal addresses (the 10.8.x.x and 193.167.10.x ranges) and the recurring 30-minute wclog sessions from 10.8.1.158 are a scheduled log collector. There is no interactive login around 13:31, when the first implants started, which fits an entry through the web application rather than through SSH.

Current SSH sessions:
[root@app130-33 bin]# w
14:38:45 up 105 days, 2:57, 6 users, load average: 11.31, 12.82, 13.96
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 10.8.0.242 13:42 26.00s 6:01 0.39s -bash
root pts/1 10.8.0.14 13:46 3:15 0.11s 0.11s -bash
root pts/2 193.167.10.47 14:36 2.00s 0.03s 0.03s -bash
root pts/3 10.8.0.6 13:58 41.00s 0.06s 0.06s -bash
root pts/6 10.8.0.118 14:05 2:46 0.30s 0.30s -bash
root pts/8 193.167.10.86 14:10 0.00s 0.30s 0.00s w

Kill the suspicious processes to interrupt the intruder's activity:
[root@app130-33 bin]# kill -9 336 415 539 975 976 980 7601 18785 18894 23720

Killing the processes buys time but does not finish the job: the re-creation of zou and .sshd at 14:03 shows that a persistence mechanism is still in place, and it has to be located and removed (together with the replaced ps) before the host can be trusted again.

Check the timestamps of the intruder's files:
[root@app130-33 tmp]# stat .lz1489471809
File: ".lz1489471809"
Size: 727556 Blocks: 1424 IO Block: 4096 regular file
Device: 801h/2049d Inode: 1703943 Links: 1
Access: (0777/-rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2017-03-14 14:10:11.719101612 +0800
Modify: 2017-03-11 20:27:26.000000000 +0800
Change: 2017-03-14 14:10:11.701101612 +0800
[root@app130-33 tmp]# stat /jboss-4.2.3/bin/zou
File: "/jboss-4.2.3/bin/zou"
Size: 1223123 Blocks: 2392 IO Block: 4096 regular file
Device: 801h/2049d Inode: 1839010 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2017-03-14 14:03:13.938101936 +0800
Modify: 2017-03-14 14:03:12.907101936 +0800
Change: 2017-03-14 14:44:23.231100024 +0800
[root@app130-33 tmp]# stat /usr/bin/.sshd
File: "/usr/bin/.sshd"
Size: 1223123 Blocks: 2392 IO Block: 4096 regular file
Device: 801h/2049d Inode: 298354 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2017-03-14 14:03:22.632101929 +0800
Modify: 2017-03-14 14:03:21.593101930 +0800
Change: 2017-03-14 14:03:21.593101930 +0800
[root@app130-33 tmp]# stat /tmp/moni.lod
File: "/tmp/moni.lod"
Size: 5 Blocks: 8 IO Block: 4096 regular file
Device: 801h/2049d Inode: 1703947 Links: 1
Access: (0777/-rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2017-03-14 14:26:49.952100839 +0800
Modify: 2017-03-14 14:03:23.011101928 +0800
Change: 2017-03-14 14:10:09.624101613 +0800
[root@app130-33 tmp]# stat /etc/.zl
File: "/etc/.zl"
Size: 727556 Blocks: 1424 IO Block: 4096 regular file
Device: 801h/2049d Inode: 1450898 Links: 1
Access: (0777/-rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2017-03-14 13:31:28.539103410 +0800
Modify: 2017-03-11 20:27:26.000000000 +0800
Change: 2017-03-14 13:31:28.489103410 +0800
[root@app130-33 tmp]# stat /etc/.System
File: "/etc/.System"
Size: 1820918 Blocks: 3560 IO Block: 4096 regular file
Device: 801h/2049d Inode: 1450903 Links: 1
Access: (0777/-rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2017-03-14 13:32:05.150103382 +0800
Modify: 2017-03-14 01:30:04.000000000 +0800
Change: 2017-03-14 13:32:05.149103382 +0800
[root@app130-33 tmp]# stat /tmp/dbuspm-session
stat: cannot stat `/tmp/dbuspm-session': No such file or directory
[root@app130-33 tmp]# stat /etc/.yam
File: "/etc/.yam"
Size: 3867096 Blocks: 7560 IO Block: 4096 regular file
Device: 801h/2049d Inode: 1450905 Links: 1
Access: (0777/-rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2017-03-14 13:45:01.844102781 +0800
Modify: 2017-02-23 03:24:45.000000000 +0800
Change: 2017-03-14 13:44:44.652102794 +0800

Reading the timestamps: the Modify times of .zl, .lz1489471809 (2017-03-11 20:27:26) and .yam (2017-02-23) predate the intrusion and were carried over from the attacker's copies, so mtime says nothing about when they arrived. The Change times, which a file copy cannot preserve, give the real drop order: .zl at 13:31:28, .System at 13:32:05, .yam at 13:44:44, .sshd and zou re-dropped at 14:03, .lz1489471809 at 14:10:11. /etc/.zl and /tmp/.lz1489471809 have the same size (727556 bytes) and the same mtime, so they are two copies of one binary; likewise zou and .sshd (1223123 bytes each). The suffix 1489471809 in /tmp/.lz1489471809 is a Unix timestamp, 14:10:09 +0800 on 2017-03-14, two seconds before the file's ctime. The 0777 mode on most of the drops is another cheap thing to search for.

[root@app130-33 tmp]# stat /root/myout.file
File: "/root/myout.file"
Size:
21706 Blocks: 56 IO Block: 4096 普通文件 Device: 801h/2049d Inode: 1190862 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2017-03-14 14:38:03.267100318 +0800 Modify: 2017-03-14 14:47:42.544099870 +0800 Change: 2017-03-14 14:47:42.544099870 +0800 [root@app130-33 tmp]# stat /tmp/gates.lod File: "/tmp/gates.lod" Size: 5 Blocks: 8 IO Block: 4096 普通文件 Device: 801h/2049d Inode: 1703940 Links: 1 Access: (0777/-rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2017-03-14 14:03:16.205101934 +0800 Modify: 2017-03-14 14:03:16.205101934 +0800 Change: 2017-03-14 14:10:09.624101613 +0800
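The lsof listings above were read by hand: a binary executing from /tmp, hidden dotfile executables, root processes whose executable sits outside the system binary directories, and TCP peers on the public Internet. The following is an added example, not a script from the original post, that turns those observations into rules a periodic sweep could apply to `lsof` output. The sample input is constructed to mirror the page's records for PIDs 7601, 18785 and 23720; the `java` process (PID 1234) and the `txt` line for .yam are assumptions, added to give the rules a benign control and an executable path to judge.

```python
"""IOC triage over `lsof -p` output (added example, not the blog author's script)."""
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the page's lsof records. PID 1234 and the .yam
# `txt` line are assumptions; the remaining lines follow the page's own listings.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 1234 jboss txt REG 8,1 9628 412 /usr/lib/jvm/jre/bin/java
java 1234 jboss 45u IPv4 9001 0t0 TCP app130-33:8080->10.8.0.90:53522 (ESTABLISHED)
.yam 7601 root txt REG 8,1 3867096 1450905 /etc/.yam
.yam 7601 root 1w REG 8,1 76373 1190862 /root/myout.file
.yam 7601 root 6u IPv4 92265271 0t0 TCP app130-33:22516->ns377151.ip-94-23-55.eu:mxi
zou 18785 root cwd DIR 8,1 4096 1835318 /jboss-4.2.3/bin
zou 18785 root txt REG 8,1 1223123 1839010 /jboss-4.2.3/bin/zou
zou 18785 root 3uW REG 8,1 5 1703940 /tmp/gates.lod
zou 18785 root 4u IPv4 92281673 0t0 TCP app130-33:6097->122.192.218.121:7759 (SYN_SENT)
.lz148947 23720 root txt REG 8,1 727556 1703943 /tmp/.lz1489471809
.lz148947 23720 root 3r IPv4 92165385 0t0 TCP app130-33:ewctsp->222.186.59.156:exp1
"""

# Directories a root-owned executable is expected to live in; anything else is suspect.
SYSTEM_BIN_DIRS = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/", "/opt/")
# World-writable locations no legitimate daemon should execute from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_lsof(text):
    """Split `lsof -p` lines into dicts; NAME keeps everything after the NODE column."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue
        records.append({
            "cmd": parts[0], "pid": int(parts[1]), "user": parts[2],
            "fd": parts[3], "type": parts[4], "node": parts[7],
            "name": " ".join(parts[8:]),
        })
    return records


def remote_endpoint(name):
    """'app130-33:6097->122.192.218.121:7759 (SYN_SENT)' -> ('122.192.218.121', '7759')."""
    if "->" not in name:
        return None
    remote = name.split("->", 1)[1].split()[0]
    host, _, port = remote.rpartition(":")
    return host, port


def is_external(host):
    """True for globally routable IPs; a DNS name lsof resolved is treated as external (assumption)."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True


def triage(lsof_text):
    """Return {pid: [reasons]} for every process that trips an executable-based rule."""
    by_pid = defaultdict(list)
    for rec in parse_lsof(lsof_text):
        by_pid[rec["pid"]].append(rec)

    findings = {}
    for pid, recs in by_pid.items():
        user = recs[0]["user"]
        exe_reasons, net_reasons = [], []
        for rec in recs:
            if rec["fd"] == "txt":
                exe = rec["name"]
                if exe.startswith(SCRATCH_DIRS):
                    exe_reasons.append(f"executes from world-writable dir: {exe}")
                if exe.rsplit("/", 1)[-1].startswith("."):
                    exe_reasons.append(f"hidden executable name: {exe}")
                if user == "root" and not exe.startswith(SYSTEM_BIN_DIRS):
                    exe_reasons.append(f"root process outside system binary dirs: {exe}")
            elif rec["type"] in ("IPv4", "IPv6") and rec["node"] == "TCP":
                ep = remote_endpoint(rec["name"])
                if ep and is_external(ep[0]):
                    net_reasons.append(f"TCP peer outside private ranges: {ep[0]}:{ep[1]}")
        # lsof does not show connection direction, so an external peer alone is only
        # corroborating evidence: a process is flagged on the executable-based rules.
        if exe_reasons:
            findings[pid] = exe_reasons + net_reasons
    return findings


def kill_list(findings):
    """PIDs to terminate, in the order a `kill -9` line would list them."""
    return sorted(findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LSOF)
    for pid, reasons in sorted(hits.items()):
        print(pid, *reasons, sep="\n    ")
    print("kill -9", *kill_list(hits))
```

On the constructed sample this flags 7601, 18785 and 23720 and leaves the jboss-owned JVM alone. Note that the rule set is built from what this intrusion looked like; a trojan copied into /usr/bin with a plain name (the page's own /usr/bin/.sshd only trips the hidden-name rule) would need a hash or package-manager check (`rpm -Vf`) as well.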
Problem analysis: the entry point has been confirmed to be Struts2. In specific versions (2.3.5 through 2.3.31 and 2.5 through 2.5.10) Struts2 evaluates code placed in the Content-Type header of an HTTP request: the Jakarta multipart parser folds a malformed Content-Type into an error message that is then evaluated as an OGNL expression (Apache advisory S2-045, CVE-2017-5638).
An attacker can use this to execute arbitrary commands on the server that hosts the application and drop trojans at will, turning the host into a DDoS zombie or a mining rig, or worse, leaking its data. Because JBoss here ran as root (the dropped processes run as root with /jboss-4.2.3/bin as their working directory), the attacker gained root immediately.
Remediation:
1. Based on the trojans' characteristics, write a script that scans every minute and kills the trojan processes, so that they have no environment to execute in.
2. Based on where the trojans were planted, periodically delete executable files from those directories, so that there is nothing left to execute.
3. Lower the privileges of the JBoss process: start it as a non-root user, so that a future break-in cannot freely tamper with the system.
4. Following the recommendations of Apache and the security sites, add a check on the Content-Type value that Struts2 would evaluate and reject illegal content.
5. Upgrade Struts2 to the fixed release (2.3.32 or 2.5.10.1 for S2-045).
Items 1 and 2 only contain the damage: since the attacker ran as root and planted files across /etc, /usr/bin and /tmp, the host should be treated as fully compromised, rebuilt from clean media, and every credential that was stored on or used from it rotated.
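The check that item 4 describes, as an added example that is neither the post's own code nor Apache's filter: a predicate that accepts only a well-formed media type and rejects anything carrying OGNL markers, written so the same logic can sit in a WAF rule or a servlet filter in front of Struts2. The sample header values are constructed; the "payload" is a shortened illustration of the S2-045 shape, not a working exploit, and the 256-byte cap is an assumption.

```python
"""Pre-filter for the Content-Type header Struts2 evaluates (S2-045); added example."""
import re

# Conservative media-type grammar: a subset of RFC 7230 tchar that deliberately
# leaves out '%', '$', '#', '{', '}', '(', ')' and quotes, none of which appear
# in a legitimate type/subtype, parameter name or unquoted parameter value.
_TOKEN = r"[A-Za-z0-9!&^_.+-]+"
_PARAM = rf";\s*{_TOKEN}\s*=\s*(?:{_TOKEN}|\"[^\"\\\x00-\x1f\x7f]*\")"
_MEDIA_TYPE = re.compile(rf"^\s*{_TOKEN}/{_TOKEN}\s*(?:{_PARAM}\s*)*$")

# Substrings that only occur in an OGNL expression; checked before the grammar so
# that a quoted boundary parameter cannot smuggle them through.
_OGNL_MARKERS = ("%{", "${", "#_memberAccess", "@ognl.", "#context")

MAX_HEADER_LEN = 256  # assumption: real Content-Type values are far shorter than S2-045 payloads


def check_content_type(value, max_len=MAX_HEADER_LEN):
    """Return (accept, reason); accept is False for anything the filter should drop."""
    if value is None:
        return True, "header absent"
    if len(value) > max_len:
        return False, f"header longer than {max_len} bytes"
    for marker in _OGNL_MARKERS:
        if marker in value:
            return False, f"OGNL marker {marker!r} in header"
    if not _MEDIA_TYPE.match(value):
        return False, "not a well-formed media type"
    return True, "ok"


# Constructed samples with the verdict a filter should reach on each.
SAMPLE_REQUESTS = [
    ("multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW", True),
    ("application/json; charset=utf-8", True),
    ("application/x-www-form-urlencoded", True),
    ("text/plain", True),
    ("%{(#_='multipart/form-data').(#cmd='id')}", False),   # S2-045 shape, shortened
    ('multipart/form-data; boundary="${1+1}"', False),       # marker hidden in a quoted param
    ("multipart/form-data; boundary=a(b)", False),           # malformed unquoted token
    ("", False),
]


def run_samples():
    """Return the samples whose verdict differs from the expected one (empty when all agree)."""
    return [(value, check_content_type(value)) for value, expected in SAMPLE_REQUESTS
            if check_content_type(value)[0] != expected]


if __name__ == "__main__":
    for value, _ in SAMPLE_REQUESTS:
        print(f"{str(check_content_type(value)):48} {value[:60]!r}")
    print("mismatches:", run_samples())
```

Two things the predicate does not replace: the same Jakarta parser also evaluates the filename of a multipart Content-Disposition part (Apache advisory S2-046), so a filter deployed in front of Struts2 has to cover that field as well; and a header filter is a stopgap until item 5, the version upgrade, is done.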
References:
http://8btc.com/article-1880-1.html
https://www.secpulse.com/archives/56570.html
This article is from the "囧囧男" blog; please keep this attribution: http://strongit.blog.51cto.com/10020534/1907248