V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
Distributions
Ubuntu
Fedora
CentOS
中文资源站
网易开源镜像站
kyrre
V2EX  ›  Linux

大家来帮忙分析一下这个现象,是不是表示系统被入侵过?

  •  
  •   kyrre · 2017-07-01 21:10:08 +08:00 · 2468 次点击
    这是一个创建于 2693 天前的主题,其中的信息可能已经有所发展或是发生改变。

    无意中看了一下 ps 的结果,发现和平常看到的不一样。而且每次都是这种类型的输出。

    lic@Nginx:~$ ps
      PID TTY          TIME CMD
    31544 pts/1    00:00:00 bash
    32002 pts/1    00:00:00 ps
    32003 pts/1    00:00:00 sh
    32004 pts/1    00:00:00 ps
    
    
    
    lic@Nginx:~$ strace ps
    execve("/bin/ps", ["ps"], [/* 20 vars */]) = 0
    [ Process PID=32131 runs in 32 bit mode. ]
    uname({sys="Linux", node="Nginx", ...}) = 0
    brk(0)                                  = 0x9602000
    brk(0x9602c90)                          = 0x9602c90
    set_thread_area(0xffe53de4)             = 0
    set_tid_address(0x9602878)              = 32131
    rt_sigaction(SIGRTMIN, {0x8093710, [], SA_SIGINFO}, NULL, 8) = 0
    rt_sigaction(SIGRT_1, {0x8093778, [], SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
    rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
    getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
    _sysctl({0x2081076ec, -1753584, (nil), (nil), (nil), 18439214703981887489}) = 0
    brk(0x9623c90)                          = 0x9623c90
    brk(0x9624000)                          = 0x9624000
    brk(0x9648000)                          = 0x9648000
    futex(0x8132c4c, FUTEX_WAKE, 2147483647) = 0
    brk(0x9669000)                          = 0x9669000
    close(3)                                = -1 EBADF (Bad file descriptor)
    close(4)                                = -1 EBADF (Bad file descriptor)
    ... 一堆 close 调用,从 3 直到 1023
    close(1023)                             = -1 EBADF (Bad file descriptor)
    readlink("/proc/32131/exe", "/bin/ps", 1024) = 7
    stat64("/bin/ps", {st_mode=S_IFREG|0755, st_size=1223123, ...}) = 0
    getppid()                               = 32127
    readlink("/proc/32127/exe", "/usr/bin/strace", 255) = 15
    readlink("/proc/32131/exe", "/bin/ps", 1024) = 7
    readlink("/proc/32131/exe", "/bin/ps", 1024) = 7
    readlink("/proc/32131/exe", "/bin/ps", 1024) = 7
    access("/usr/bin/dpkgd/ps", F_OK)       = 0
    pipe([3, 4])                            = 0
    clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0) = 32132
    close(4)                                = 0
    fstat64(3, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xfffffffff778c000
    read(3, "  PID TTY          TIME CMD\n3154"..., 4096) = 169
    fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
    --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=32132, si_status=0, si_utime=0, si_stime=0} ---
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xfffffffff778b000
    write(1, "  PID TTY          TIME CMD\n", 28  PID TTY          TIME CMD
    ) = 28
    write(1, "31544 pts/1    00:00:00 bash\n", 2931544 pts/1    00:00:00 bash
    ) = 29
    write(1, "32127 pts/1    00:00:00 strace\n", 3132127 pts/1    00:00:00 strace
    ) = 31
    write(1, "32131 pts/1    00:00:00 ps\n", 2732131 pts/1    00:00:00 ps
    ) = 27
    write(1, "32132 pts/1    00:00:00 sh\n", 2732132 pts/1    00:00:00 sh
    ) = 27
    write(1, "32133 pts/1    00:00:00 ps\n", 2732133 pts/1    00:00:00 ps
    ) = 27
    read(3, "", 4096)                       = 0
    close(3)                                = 0
    waitpid(32132, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 32132
    munmap(0xf778c000, 4096)                = 0
    munmap(0xf778b000, 4096)                = 0
    exit_group(0)                           = ?
    +++ exited with 0 +++
    
    4 条回复    2017-07-02 16:45:21 +08:00
    ihciah
        1
    ihciah  
       2017-07-02 02:53:27 +08:00 via iPhone
    检查 hash,还有找个确认安全的相同机器对比下呢?
    kyrre
        2
    kyrre  
    OP
       2017-07-02 08:52:24 +08:00
    bash 程序的 md5 确实是不一样的
    fiht
        3
    fiht  
       2017-07-02 11:34:46 +08:00
    ps 不出来东西的话可能就是 ps 被换掉了,找个安全的相同机器对比一下看。
    或者看 /etc/init.d 下有没有异常的启动文件,我遇到的两台被弱口令入侵的 Server 都发现了异常的启动文件
    xdqi
        4
    xdqi  
       2017-07-02 16:45:21 +08:00
    /usr/bin/dpkgd/ps 感觉是被换了
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   2785 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 22ms · UTC 11:54 · PVG 19:54 · LAX 03:54 · JFK 06:54
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.