大家来帮忙分析一下这个现象,是不是表示系统被入侵过?

2017-07-01 21:10:08 +08:00
 kyrre

无意中看了一下 ps 的结果,发现和平常看到的不一样:除了 bash 和 ps 本身,还多出了一个 sh 和第二个 ps 进程,而且每次运行都是这种输出。

lic@Nginx:~$ ps
  PID TTY          TIME CMD
31544 pts/1    00:00:00 bash
32002 pts/1    00:00:00 ps
32003 pts/1    00:00:00 sh
32004 pts/1    00:00:00 ps



lic@Nginx:~$ strace ps
execve("/bin/ps", ["ps"], [/* 20 vars */]) = 0
[ Process PID=32131 runs in 32 bit mode. ]
uname({sys="Linux", node="Nginx", ...}) = 0
brk(0)                                  = 0x9602000
brk(0x9602c90)                          = 0x9602c90
set_thread_area(0xffe53de4)             = 0
set_tid_address(0x9602878)              = 32131
rt_sigaction(SIGRTMIN, {0x8093710, [], SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x8093778, [], SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
_sysctl({0x2081076ec, -1753584, (nil), (nil), (nil), 18439214703981887489}) = 0
brk(0x9623c90)                          = 0x9623c90
brk(0x9624000)                          = 0x9624000
brk(0x9648000)                          = 0x9648000
futex(0x8132c4c, FUTEX_WAKE, 2147483647) = 0
brk(0x9669000)                          = 0x9669000
close(3)                                = -1 EBADF (Bad file descriptor)
close(4)                                = -1 EBADF (Bad file descriptor)
... 一堆 close 调用,从 3 直到 1023
close(1023)                             = -1 EBADF (Bad file descriptor)
readlink("/proc/32131/exe", "/bin/ps", 1024) = 7
stat64("/bin/ps", {st_mode=S_IFREG|0755, st_size=1223123, ...}) = 0
getppid()                               = 32127
readlink("/proc/32127/exe", "/usr/bin/strace", 255) = 15
readlink("/proc/32131/exe", "/bin/ps", 1024) = 7
readlink("/proc/32131/exe", "/bin/ps", 1024) = 7
readlink("/proc/32131/exe", "/bin/ps", 1024) = 7
access("/usr/bin/dpkgd/ps", F_OK)       = 0
pipe([3, 4])                            = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0) = 32132
close(4)                                = 0
fstat64(3, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xfffffffff778c000
read(3, "  PID TTY          TIME CMD\n3154"..., 4096) = 169
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=32132, si_status=0, si_utime=0, si_stime=0} ---
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xfffffffff778b000
write(1, "  PID TTY          TIME CMD\n", 28  PID TTY          TIME CMD
) = 28
write(1, "31544 pts/1    00:00:00 bash\n", 2931544 pts/1    00:00:00 bash
) = 29
write(1, "32127 pts/1    00:00:00 strace\n", 3132127 pts/1    00:00:00 strace
) = 31
write(1, "32131 pts/1    00:00:00 ps\n", 2732131 pts/1    00:00:00 ps
) = 27
write(1, "32132 pts/1    00:00:00 sh\n", 2732132 pts/1    00:00:00 sh
) = 27
write(1, "32133 pts/1    00:00:00 ps\n", 2732133 pts/1    00:00:00 ps
) = 27
read(3, "", 4096)                       = 0
close(3)                                = 0
waitpid(32132, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 32132
munmap(0xf778c000, 4096)                = 0
munmap(0xf778b000, 4096)                = 0
exit_group(0)                           = ?
+++ exited with 0 +++
4 条回复
ihciah
2017-07-02 02:53:27 +08:00
检查 hash,还有找个确认安全的相同机器对比下呢?
kyrre
2017-07-02 08:52:24 +08:00
bash 程序的 md5 确实是不一样的
fiht
2017-07-02 11:34:46 +08:00
ps 不出来东西的话可能就是 ps 被换掉了,找个安全的相同机器对比一下看。
或者看 /etc/init.d 下有没有异常的启动文件,我遇到的两台被弱口令入侵的 Server 都发现了异常的启动文件
xdqi
2017-07-02 16:45:21 +08:00
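/usr/bin/dpkgd/ps 感觉是被换了:strace 里 /bin/ps 先用 access 检查了这个路径,然后 clone 出子进程(PID 32132,即输出里的 sh),再从管道读回结果并输出,多出来的 sh 和第二个 ps 就是这么来的。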


https://www.v2ex.com/t/372388
