该病毒在服务器上疯狂发送 SYN 包攻击其他服务器,同时建立了几百个 SYN 请求;
使用 kill -9 杀掉后,几分钟内就会重新出现;查找该程序的可执行文件路径,发现其已处于删除状态,无法溯源病毒的源路径。这导致服务器带宽占用异常,设置防火墙规则也无法解决,依旧疯狂发包。
[root@VM-0-8-centos cron]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@VM-0-8-centos cron]# netstat -anp4|grep SYN
tcp 0 1 172.16.0.8:42298 172.29.142.208:8088 SYN_SENT 7107/AtAnKA3
tcp 0 1 172.16.0.8:51494 172.29.140.255:8088 SYN_SENT 7107/AtAnKA3
tcp 0 1 172.16.0.8:35388 172.29.143.206:8088 SYN_SENT 7107/AtAnKA3
tcp 0 1 172.16.0.8:49868 172.29.142.123:8088 SYN_SENT 7107/AtAnKA3
tcp 0 1 172.16.0.8:33938 172.29.142.100:8088 SYN_SENT 7107/AtAnKA3
tcp 0 1 172.16.0.8:53584 172.29.142.20:8088 SYN_SENT 7107/AtAnKA3
tcp 0 1 172.16.0.8:39266 172.29.141.188:8088 SYN_SENT 7107/AtAnKA3
tcp 0 1 172.16.0.8:46154 172.29.143.66:8088 SYN_SENT 7107/AtAnKA3
[root@VM-0-8-centos cron]# readlink /proc/7107/exe
/hd (deleted)
[root@VM-0-8-centos cron]# ps -p 7107 -o lstart
STARTED
Wed Aug 16 14:53:29 2023
[root@VM-0-8-centos cron]# systemctl status 7107
● session-1410386.scope
Loaded: loaded
Active: active (abandoned) since Mon 2023-01-30 16:17:13 CST; 6 months 15 days ago
CGroup: /user.slice/user-0.slice/session-1410386.scope
├─ 6278 THsyW91
├─ 7107 AtAnKA3
└─18042 PHY2Jet
Aug 09 17:20:05 VM-0-8-centos crontab[21252]: (root) LIST (root)
Aug 09 18:11:08 VM-0-8-centos crontab[2543]: (root) REPLACE (root)
Aug 10 15:27:00 VM-0-8-centos crontab[26247]: (root) LIST (root)
Aug 10 17:09:03 VM-0-8-centos crontab[19777]: (root) LIST (root)
Aug 11 02:32:31 VM-0-8-centos crontab[30510]: (root) LIST (root)
Aug 13 01:23:10 VM-0-8-centos crontab[6493]: (root) LIST (root)
Aug 14 04:38:09 VM-0-8-centos crontab[24488]: (root) LIST (root)
Aug 14 16:30:08 VM-0-8-centos crontab[5441]: (root) LIST (root)
Aug 15 16:48:14 VM-0-8-centos crontab[14512]: (root) LIST (root)
[root@VM-0-8-centos cron]# ls -l /proc/7107/exe
lrwxrwxrwx 1 root root 0 Aug 16 14:54 /proc/7107/exe -> /hd (deleted)
[root@VM-0-8-centos cron]# file /proc/7107/exe
/proc/7107/exe: broken symbolic link to `/hd (deleted)'