I happened to glance at the output of ps and noticed it looked different from what I usually see. And it is this kind of output every time.
lic@Nginx:~$ ps
PID TTY TIME CMD
31544 pts/1 00:00:00 bash
32002 pts/1 00:00:00 ps
32003 pts/1 00:00:00 sh
32004 pts/1 00:00:00 ps
lic@Nginx:~$ strace ps
execve("/bin/ps", ["ps"], [/* 20 vars */]) = 0
[ Process PID=32131 runs in 32 bit mode. ]
uname({sys="Linux", node="Nginx", ...}) = 0
brk(0) = 0x9602000
brk(0x9602c90) = 0x9602c90
set_thread_area(0xffe53de4) = 0
set_tid_address(0x9602878) = 32131
rt_sigaction(SIGRTMIN, {0x8093710, [], SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x8093778, [], SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
_sysctl({0x2081076ec, -1753584, (nil), (nil), (nil), 18439214703981887489}) = 0
brk(0x9623c90) = 0x9623c90
brk(0x9624000) = 0x9624000
brk(0x9648000) = 0x9648000
futex(0x8132c4c, FUTEX_WAKE, 2147483647) = 0
brk(0x9669000) = 0x9669000
close(3) = -1 EBADF (Bad file descriptor)
close(4) = -1 EBADF (Bad file descriptor)
... a whole run of close calls, from 3 up to 1023
close(1023) = -1 EBADF (Bad file descriptor)
readlink("/proc/32131/exe", "/bin/ps", 1024) = 7
stat64("/bin/ps", {st_mode=S_IFREG|0755, st_size=1223123, ...}) = 0
getppid() = 32127
readlink("/proc/32127/exe", "/usr/bin/strace", 255) = 15
readlink("/proc/32131/exe", "/bin/ps", 1024) = 7
readlink("/proc/32131/exe", "/bin/ps", 1024) = 7
readlink("/proc/32131/exe", "/bin/ps", 1024) = 7
access("/usr/bin/dpkgd/ps", F_OK) = 0
pipe([3, 4]) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0) = 32132
close(4) = 0
fstat64(3, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xfffffffff778c000
read(3, " PID TTY TIME CMD\n3154"..., 4096) = 169
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=32132, si_status=0, si_utime=0, si_stime=0} ---
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xfffffffff778b000
write(1, " PID TTY TIME CMD\n", 28 PID TTY TIME CMD
) = 28
write(1, "31544 pts/1 00:00:00 bash\n", 2931544 pts/1 00:00:00 bash
) = 29
write(1, "32127 pts/1 00:00:00 strace\n", 3132127 pts/1 00:00:00 strace
) = 31
write(1, "32131 pts/1 00:00:00 ps\n", 2732131 pts/1 00:00:00 ps
) = 27
write(1, "32132 pts/1 00:00:00 sh\n", 2732132 pts/1 00:00:00 sh
) = 27
write(1, "32133 pts/1 00:00:00 ps\n", 2732133 pts/1 00:00:00 ps
) = 27
read(3, "", 4096) = 0
close(3) = 0
waitpid(32132, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 32132
munmap(0xf778c000, 4096) = 0
munmap(0xf778b000, 4096) = 0
exit_group(0) = ?
+++ exited with 0 +++
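The trace above shows /bin/ps resolving its own path, probing /usr/bin/dpkgd/ps, forking a child and copying what it reads from a pipe to stdout, which is how a wrapper binary can filter what ps reports. The following is an added example, not code from the thread: it flags same-named binaries probed from another directory in an strace log, and cross-checks a live ps against /proc so that PIDs a filtering ps drops still show up. The sample strace lines are copied from the post; the function names are my own.

```python
import os
import re
import subprocess

# First execve in an strace log = the traced binary; later probes = what it touches.
_EXEC_RE = re.compile(r'^execve\("([^"]+)"')
_PROBE_RE = re.compile(r'^(?:access|stat64|execve)\("([^"]+)"')


def shadow_copies(strace_lines):
    """Paths the traced binary probes that carry its own basename but sit in
    another directory, e.g. /bin/ps touching /usr/bin/dpkgd/ps."""
    own, found = None, set()
    for line in strace_lines:
        if own is None:
            m = _EXEC_RE.match(line)
            own = m.group(1) if m else None
            continue
        m = _PROBE_RE.match(line)
        if (m and m.group(1) != own
                and os.path.basename(m.group(1)) == os.path.basename(own)):
            found.add(m.group(1))
    return found


def snapshot_proc():
    """PIDs currently visible as numeric directories under /proc."""
    return {int(d) for d in os.listdir('/proc') if d.isdigit()}


def pids_reported_by_ps(ps_path='ps'):
    out = subprocess.run([ps_path, '-e', '-o', 'pid='], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(before, after, reported):
    """PIDs in /proc both before and after ps ran but absent from its output.
    Using two snapshots drops processes that merely exited meanwhile."""
    return (before & after) - reported


# Sample lines copied from the strace in the post above (constructed list).
SAMPLE_TRACE = [
    'execve("/bin/ps", ["ps"], [/* 20 vars */]) = 0',
    'stat64("/bin/ps", {st_mode=S_IFREG|0755, st_size=1223123, ...}) = 0',
    'access("/usr/bin/dpkgd/ps", F_OK) = 0',
]

if __name__ == '__main__':
    print('shadow copies:', shadow_copies(SAMPLE_TRACE))
    before, reported = snapshot_proc(), pids_reported_by_ps()
    print('hidden from ps:', hidden_pids(before, snapshot_proc(), reported))
```

On a compromised host the package tools may have been replaced as well, so compare hashes against a machine known to be clean, as the replies suggest.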
1
ihciah 2017-07-02 02:53:27 +08:00 via iPhone
Check the hash, and also compare against an identical machine that you know is clean?
2
kyrre OP
The md5 of the bash binary is indeed different.
3
fiht 2017-07-02 11:34:46 +08:00
If ps isn't showing things, ps itself has probably been swapped out; find an identical machine known to be clean and compare.
Or check whether there are unusual startup files under /etc/init.d; on both servers I've seen broken into via weak passwords, I found abnormal startup files.
4
xdqi 2017-07-02 16:45:21 +08:00
/usr/bin/dpkgd/ps: it looks like it has been replaced.