360fans_7PSftx posted on 2023-8-16 15:39

Infected: the server is frantically sending outbound SYN attack requests

This malware is frantically sending SYN packets from the server to attack other servers, setting up several hundred SYN requests at a time.
After killing it with kill -9 it comes right back a few minutes later. Looking up the program's source path shows it is in a deleted state, so the malware's origin path cannot be traced. The result is abnormal bandwidth usage on the server; setting firewall rules does not help, it keeps flooding packets.
# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)


# netstat -anp4|grep SYN
tcp        0      1 172.16.0.8:42298        172.29.142.208:8088     SYN_SENT    7107/AtAnKA3
tcp        0      1 172.16.0.8:51494        172.29.140.255:8088     SYN_SENT    7107/AtAnKA3
tcp        0      1 172.16.0.8:35388        172.29.143.206:8088     SYN_SENT    7107/AtAnKA3
tcp        0      1 172.16.0.8:49868        172.29.142.123:8088     SYN_SENT    7107/AtAnKA3
tcp        0      1 172.16.0.8:33938        172.29.142.100:8088     SYN_SENT    7107/AtAnKA3
tcp        0      1 172.16.0.8:53584        172.29.142.20:8088      SYN_SENT    7107/AtAnKA3
tcp        0      1 172.16.0.8:39266        172.29.141.188:8088     SYN_SENT    7107/AtAnKA3
tcp        0      1 172.16.0.8:46154        172.29.143.66:8088      SYN_SENT    7107/AtAnKA3

# readlink /proc/7107/exe
/hd (deleted)
# ps -p 7107 -o lstart
               STARTED
Wed Aug 16 14:53:29 2023
# systemctl status 7107
● session-1410386.scope
   Loaded: loaded
   Active: active (abandoned) since Mon 2023-01-30 16:17:13 CST; 6 months 15 days ago
   CGroup: /user.slice/user-0.slice/session-1410386.scope
         ├─ 6278 THsyW91
         ├─ 7107 AtAnKA3
         └─18042 PHY2Jet

Aug 09 17:20:05 VM-0-8-centos crontab: (root) LIST (root)
Aug 09 18:11:08 VM-0-8-centos crontab: (root) REPLACE (root)
Aug 10 15:27:00 VM-0-8-centos crontab: (root) LIST (root)
Aug 10 17:09:03 VM-0-8-centos crontab: (root) LIST (root)
Aug 11 02:32:31 VM-0-8-centos crontab: (root) LIST (root)
Aug 13 01:23:10 VM-0-8-centos crontab: (root) LIST (root)
Aug 14 04:38:09 VM-0-8-centos crontab: (root) LIST (root)
Aug 14 16:30:08 VM-0-8-centos crontab: (root) LIST (root)
Aug 15 16:48:14 VM-0-8-centos crontab: (root) LIST (root)
# ls -l /proc/7107/exe
lrwxrwxrwx 1 root root 0 Aug 16 14:54 /proc/7107/exe -> /hd (deleted)
# file /proc/7107/exe
/proc/7107/exe: broken symbolic link to `/hd (deleted)'
360fans_7PSftx posted on 2023-8-16 15:51

I extracted the /proc/<pid>/exe file; all the other files are in a deleted state and cannot be viewed.
# systemctl status 6278
● session-1410386.scope
   Loaded: loaded
   Active: active (abandoned) since Mon 2023-01-30 16:17:13 CST; 6 months 15 days ago
   CGroup: /user.slice/user-0.slice/session-1410386.scope
         ├─ 6278 THsyW91
         ├─18042 PHY2Jet
         └─20800 SYerFul

Aug 09 18:11:08 VM-0-8-centos crontab: (root) REPLACE (root)
Aug 10 15:27:00 VM-0-8-centos crontab: (root) LIST (root)
Aug 10 17:09:03 VM-0-8-centos crontab: (root) LIST (root)
Aug 11 02:32:31 VM-0-8-centos crontab: (root) LIST (root)
Aug 13 01:23:10 VM-0-8-centos crontab: (root) LIST (root)
Aug 14 04:38:09 VM-0-8-centos crontab: (root) LIST (root)
Aug 14 16:30:08 VM-0-8-centos crontab: (root) LIST (root)
Aug 15 16:48:14 VM-0-8-centos crontab: (root) LIST (root)
Aug 16 09:40:53 VM-0-8-centos crontab: (root) LIST (root)
Aug 16 15:36:05 VM-0-8-centos crontab: (root) LIST (root)
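The two posts above describe one triage procedure: find the process behind the SYN_SENT sockets, notice that /proc/<pid>/exe points at a deleted file, pull the binary out of /proc anyway, and look at the other processes in the same systemd session scope plus root's crontab for whatever is respawning it. The script below is an added example written for this thread, not the poster's own commands or any 360 tooling. It assumes a Linux host with /proc mounted, coreutils (readlink, cp, sha256sum, awk) and the cgroup layout systemd uses; the sample netstat lines at the top are constructed to mirror the poster's output (pid 7107 and the name AtAnKA3 come from the thread, the sshd line is invented), and the function and variable names are mine.

```shell
#!/bin/sh
# Triage helpers for a SYN-flooding process whose binary was unlinked from disk.
# Added example for the thread above; not the poster's commands.

# Constructed sample in `netstat -anp4` layout (Proto Recv-Q Send-Q Local Foreign State PID/Program).
# pid 7107 / AtAnKA3 is from the thread; the sshd line is made up as a benign control.
SAMPLE_NETSTAT='tcp        0      1 172.16.0.8:42298        172.29.142.208:8088     SYN_SENT    7107/AtAnKA3
tcp        0      1 172.16.0.8:51494        172.29.140.255:8088     SYN_SENT    7107/AtAnKA3
tcp        0      0 172.16.0.8:22           10.0.0.5:51000          ESTABLISHED 1200/sshd
tcp        0      1 172.16.0.8:35388        172.29.143.206:8088     SYN_SENT    7107/AtAnKA3'

# Count SYN_SENT sockets per "pid/program" from netstat -anp4 output on stdin.
# Prints "<count> <pid/program>", highest count first, so the flooder tops the list.
syn_sent_by_pid() {
    awk '$6 == "SYN_SENT" { n[$7]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# True when a readlink target of /proc/<pid>/exe shows the file was unlinked.
exe_is_deleted() {
    case "$1" in
        *" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# Every live pid whose executable has been deleted from disk ("<pid> <target>").
list_deleted_exes() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        target=$(readlink "$d/exe" 2>/dev/null) || continue
        exe_is_deleted "$target" && printf '%s %s\n' "$pid" "$target"
    done
    return 0
}

# Copy the still-mapped binary out of /proc/<pid>/exe (works even though the
# on-disk path is gone) and print its SHA-256 for comparison or submission.
# Returns 1 if the pid has no readable exe.
recover_exe() {
    pid=$1; dest=$2
    [ -r "/proc/$pid/exe" ] || return 1
    cp "/proc/$pid/exe" "$dest" || return 1
    sha256sum "$dest" | awk '{ print $1 }'
}

# Other pids in the same cgroup as <pid>. Under systemd that is the session
# scope `systemctl status <pid>` shows, so these are the first candidates for
# the process that restarts the flooder. On hosts without systemd (e.g. a
# container) every process may share one cgroup and the list is not useful.
cgroup_siblings() {
    pid=$1
    cg=$(cat "/proc/$pid/cgroup" 2>/dev/null) || return 1
    for d in /proc/[0-9]*; do
        p=${d#/proc/}
        [ "$p" = "$pid" ] && continue
        [ "$(cat "$d/cgroup" 2>/dev/null)" = "$cg" ] || continue
        printf '%s %s\n' "$p" "$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)"
    done
    return 0
}

# Demo against the constructed sample, then a read-only sweep of the live host.
printf '%s\n' "$SAMPLE_NETSTAT" | syn_sent_by_pid
[ -d /proc/self ] && list_deleted_exes
```

Usage on the poster's box would be `list_deleted_exes` to confirm 7107 (and any siblings) show `(deleted)`, `recover_exe 7107 /root/AtAnKA3.bin` to keep a copy of the binary and its hash before anything else is killed, `cgroup_siblings 7107` to enumerate the other processes in the same session scope, and `crontab -l` as root to read the entry that the `REPLACE` log lines show was rewritten. Killing the flooder alone is what the poster already saw being undone within minutes; the siblings in the scope and the crontab entry should be captured and removed in the same step, and since the host has been running attacker code as root, rebuilding from a clean image is the safer end state than cleaning in place.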

leo0205 posted on 2023-8-17 11:54

Hello, please leave an online contact method and we will take a look at the affected system.