这里就简单说说这个流量跑高。
首先,我在 cacti 监控中发现一台放在机房的服务器流量异常。何为异常,这里说明一下:这台服务器在交换机上被限制为带宽峰值两兆,而它却可以跑到100M。按正常情况来说,当服务器流量跑满的时候,机器会很卡,远程连接会掉线或者根本连不上,所以正常流量是绝对不会跑到100M的,因此这叫流量异常。下面给大家看一下图:
一、
那么当我发现异常后,我就查资料表找出这台机器的IP地址还有系统信息等等。
最终判定这是一台 CentOS 5.4 的机器,密码为数字加大小写字母的组合。以下是我查看到的一些信息:
[root@aaa ~]# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
## 以上是防火墙规则:INPUT 链默认 DROP,只放行 8080、53、80、22 端口以及已建立的连接;OUTPUT 链默认 ACCEPT,也就是说本机主动发起的出站连接不受任何限制。
[root@aaa ~]# netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:60003 0.0.0.0:* LISTEN 3552/cupsdd
tcp 0 0 0.0.0.0:5801 0.0.0.0:* LISTEN 2569/Xvnc
tcp 0 0 0.0.0.0:5802 0.0.0.0:* LISTEN 2613/Xvnc
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 2506/mysqld
tcp 0 0 0.0.0.0:14379 0.0.0.0:* LISTEN 3516/ora_d000_thdb
tcp 0 0 0.0.0.0:5803 0.0.0.0:* LISTEN 2674/Xvnc
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN 2569/Xvnc
tcp 0 0 0.0.0.0:5902 0.0.0.0:* LISTEN 2613/Xvnc
tcp 0 0 0.0.0.0:5903 0.0.0.0:* LISTEN 2674/Xvnc
tcp 0 0 119.57.51.103:80 221.209.56.114:27808 SYN_RECV -
tcp 0 0 119.57.51.103:80 221.209.56.114:27807 SYN_RECV -
tcp 0 0 119.57.51.103:80 206.217.132.75:2229 SYN_RECV -
tcp 0 0 119.57.51.103:80 121.232.7.242:51370 SYN_RECV -
tcp 0 0 119.57.51.103:80 182.185.216.13:53534 SYN_RECV -
tcp 0 0 119.57.51.103:80 111.161.23.92:37697 SYN_RECV -
tcp 0 0 119.57.51.103:80 157.55.35.96:18323 SYN_RECV -
tcp 0 0 119.57.51.103:80 125.39.163.95:30525 SYN_RECV -
tcp 0 0 119.57.51.103:80 183.3.87.80:51903 SYN_RECV -
tcp 0 0 119.57.51.103:80 221.209.56.114:27806 SYN_RECV -
tcp 0 0 119.57.51.103:80 221.209.56.114:27809 SYN_RECV -
tcp 0 0 0.0.0.0:1521 0.0.0.0:* LISTEN 3426/tnslsnr
tcp 0 0 0.0.0.0:6001 0.0.0.0:* LISTEN 2569/Xvnc
tcp 0 0 0.0.0.0:6002 0.0.0.0:* LISTEN 2613/Xvnc
tcp 0 0 0.0.0.0:6003 0.0.0.0:* LISTEN 2674/Xvnc
tcp 0 1 127.0.0.1:50865 127.0.0.1:1521 SYN_SENT 3494/ora_pmon_thdb
tcp 0 0 119.57.51.103:32005 202.103.178.76:10991 ESTABLISHED 3648/atdd
tcp 0 0 119.57.51.103:32007 202.103.178.76:10991 ESTABLISHED 4059/atdd
tcp 0 0 119.57.51.103:32006 202.103.178.76:10991 ESTABLISHED 3760/atdd
tcp 0 0 119.57.51.103:32008 202.103.178.76:10991 ESTABLISHED 3881/atdd
tcp 0 0 119.57.51.103:32011 202.103.178.76:10991 ESTABLISHED 4472/atdd
tcp 0 0 119.57.51.103:32012 202.103.178.76:10991 ESTABLISHED 4300/atdd
tcp 0 0 119.57.51.103:32015 202.103.178.76:10991 ESTABLISHED 4617/atdd
tcp 0 0 119.57.51.103:32014 202.103.178.76:10991 ESTABLISHED 4198/atdd
tcp 0 0 119.57.51.103:64255 121.12.110.96:10991 ESTABLISHED 3558/ksapd
tcp 0 0 119.57.51.103:64259 121.12.110.96:10991 ESTABLISHED 3832/ksapd
tcp 0 0 119.57.51.103:64258 121.12.110.96:10991 ESTABLISHED 3652/ksapd
tcp 0 0 119.57.51.103:64257 121.12.110.96:10991 ESTABLISHED 4527/ksapd
tcp 0 1 119.57.51.103:51903 112.90.252.76:10991 SYN_SENT 4544/kysapd
tcp 0 1 119.57.51.103:51902 112.90.252.76:10991 SYN_SENT 4365/kysapd
tcp 0 1 119.57.51.103:51901 112.90.252.76:10991 SYN_SENT 4291/kysapd
tcp 0 1 119.57.51.103:51900 112.90.252.76:10991 SYN_SENT 3978/kysapd
tcp 0 1 119.57.51.103:51899 112.90.252.76:10991 SYN_SENT 3878/kysapd
tcp 0 1 119.57.51.103:51898 112.90.252.76:10991 SYN_SENT 4154/kysapd
tcp 0 1 119.57.51.103:51897 112.90.252.76:10991 SYN_SENT 3709/kysapd
tcp 0 1 119.57.51.103:51896 112.90.252.76:10991 SYN_SENT 3604/kysapd
tcp 0 1 127.0.0.1:5369 127.0.0.1:6113 SYN_SENT 3426/tnslsnr
tcp 0 0 :::80 :::* LISTEN 2879/httpd
tcp 0 0 :::6001 :::* LISTEN 2569/Xvnc
tcp 0 0 :::6002 :::* LISTEN 2613/Xvnc
t