中毒了，疯狂向外发送SYN攻击请求

该病毒疯狂在服务器SYN发包攻击其他服务器，建立几百个SYN请求；
使用kill -9杀掉后，几分钟后马上又恢复，查找程序源路径处于删除状态，无法溯源病毒源路径。导致服务器带宽占用异常，设定防火墙规则无解，依旧疯狂发包。
[root@VM-0-8-centos cron]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)


[root@VM-0-8-centos cron]# netstat -anp4|grep SYN
tcp        0      1 172.16.0.8:42298        172.29.142.208:8088     SYN_SENT    7107/AtAnKA3        
tcp        0      1 172.16.0.8:51494        172.29.140.255:8088     SYN_SENT    7107/AtAnKA3        
tcp        0      1 172.16.0.8:35388        172.29.143.206:8088     SYN_SENT    7107/AtAnKA3        
tcp        0      1 172.16.0.8:49868        172.29.142.123:8088     SYN_SENT    7107/AtAnKA3        
tcp        0      1 172.16.0.8:33938        172.29.142.100:8088     SYN_SENT    7107/AtAnKA3        
tcp        0      1 172.16.0.8:53584        172.29.142.20:8088      SYN_SENT    7107/AtAnKA3        
tcp        0      1 172.16.0.8:39266        172.29.141.188:8088     SYN_SENT    7107/AtAnKA3        
tcp        0      1 172.16.0.8:46154        172.29.143.66:8088      SYN_SENT    7107/AtAnKA3   

[root@VM-0-8-centos cron]#  readlink /proc/7107/exe
/hd (deleted)
[root@VM-0-8-centos cron]# ps -p 7107 -o lstart
                 STARTED
Wed Aug 16 14:53:29 2023
[root@VM-0-8-centos cron]# systemctl status 7107
● session-1410386.scope
   Loaded: loaded
   Active: active (abandoned) since Mon 2023-01-30 16:17:13 CST; 6 months 15 days ago
   CGroup: /user.slice/user-0.slice/session-1410386.scope
           ├─ 6278 THsyW91
           ├─ 7107 AtAnKA3
           └─18042 PHY2Jet

Aug 09 17:20:05 VM-0-8-centos crontab[21252]: (root) LIST (root)
Aug 09 18:11:08 VM-0-8-centos crontab[2543]: (root) REPLACE (root)
Aug 10 15:27:00 VM-0-8-centos crontab[26247]: (root) LIST (root)
Aug 10 17:09:03 VM-0-8-centos crontab[19777]: (root) LIST (root)
Aug 11 02:32:31 VM-0-8-centos crontab[30510]: (root) LIST (root)
Aug 13 01:23:10 VM-0-8-centos crontab[6493]: (root) LIST (root)
Aug 14 04:38:09 VM-0-8-centos crontab[24488]: (root) LIST (root)
Aug 14 16:30:08 VM-0-8-centos crontab[5441]: (root) LIST (root)
Aug 15 16:48:14 VM-0-8-centos crontab[14512]: (root) LIST (root)
[root@VM-0-8-centos cron]# ls -l /proc/7107/exe
lrwxrwxrwx 1 root root 0 Aug 16 14:54 /proc/7107/exe -> /hd (deleted)
[root@VM-0-8-centos cron]#  file /proc/7107/exe
/proc/7107/exe: broken symbolic link to `/hd (deleted)'

提取了/proc/进程/exe文件，别的文件都是删除状态，无法查看到[ro recovered_proc_exe.zip (1008.17 KB)

2023-8-16 15:50 上传

点击文件名下载附件
下载积分: 经验 -1

ot@VM-0-8-centos cron]# systemctl status 6278

1. ● session-1410386.scope
   
2.    Loaded: loaded
   
3.    Active: active (abandoned) since Mon 2023-01-30 16:17:13 CST; 6 months 15 days ago
   
4.    CGroup: /user.slice/user-0.slice/session-1410386.scope
   
5.            ├─ 6278 THsyW91
   
6.            ├─18042 PHY2Jet
   
7.            └─20800 SYerFul
   
8. 
   
9. Aug 09 18:11:08 VM-0-8-centos crontab[2543]: (root) REPLACE (root)
   
10. Aug 10 15:27:00 VM-0-8-centos crontab[26247]: (root) LIST (root)
    
11. Aug 10 17:09:03 VM-0-8-centos crontab[19777]: (root) LIST (root)
    
12. Aug 11 02:32:31 VM-0-8-centos crontab[30510]: (root) LIST (root)
    
13. Aug 13 01:23:10 VM-0-8-centos crontab[6493]: (root) LIST (root)
    
14. Aug 14 04:38:09 VM-0-8-centos crontab[24488]: (root) LIST (root)
    
15. Aug 14 16:30:08 VM-0-8-centos crontab[5441]: (root) LIST (root)
    
16. Aug 15 16:48:14 VM-0-8-centos crontab[14512]: (root) LIST (root)
    
17. Aug 16 09:40:53 VM-0-8-centos crontab[26035]: (root) LIST (root)
    
18. Aug 16 15:36:05 VM-0-8-centos crontab[18863]: (root) LIST (root)

复制代码

您好，您留下在线联系方式，我们看下现场