Notes on a server compromise
This afternoon a friend asked me for help, saying his server was full of ssh-scan processes. I logged in to the server and had a look: it really had been compromised, and someone had planted rogue programs on it:
ps axjf
    1 20894 20894 20894 ?           -1 Ss     502   0:07 ./SCREEN
20894 20896 20896 20896 pts/3    10203 Ss     502   0:01  \_ /bin/bash
20896 10203 10203 20896 pts/3    10203 S+     502   0:00      \_ /bin/bash ./start 203.141
10203 12521 10203 20896 pts/3    10203 S+     502   0:00          \_ ./ssh-scan 100
12521 12522 10203 20896 pts/3    10203 S+     502   0:00              \_ ./ssh-scan 100
12522 12524 10203 20896 pts/3    10203 S+     502   0:02                  \_ ./ssh-scan 100
12522 12525 10203 20896 pts/3    10203 S+     502   0:01                  \_ ./ssh-scan 100
12522 12575 10203 20896 pts/3    10203 S+     502   0:01                  \_ ./ssh-scan 100
12522 12586 10203 20896 pts/3    10203 S+     502   0:02                  \_ ./ssh-scan 100
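The tree above is typical of a brute-force scanner dropped in a user's home directory: everything runs as one unprivileged UID, every binary is launched by a relative `./` path, and the whole thing hangs off a detached `./SCREEN` parent. The following added example (not code from the post) parses `ps axjf` output, flags processes started from a relative path or matching names seen in this incident, and reports the root of the tree each one belongs to. The sample output is constructed, modelled on the post's listing plus one benign `sshd` line, and the `SUSPICIOUS_NAMES` list is an assumption for illustration.

```python
import os
import re

# Constructed sample modelled on the ps axjf listing in the post, plus a benign sshd line.
SAMPLE_PS = r"""
 PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
    1 20894 20894 20894 ?           -1 Ss     502   0:07 ./SCREEN
20894 20896 20896 20896 pts/3    10203 Ss     502   0:01  \_ /bin/bash
20896 10203 10203 20896 pts/3    10203 S+     502   0:00      \_ /bin/bash ./start 203.141
10203 12521 10203 20896 pts/3    10203 S+     502   0:00          \_ ./ssh-scan 100
12521 12522 10203 20896 pts/3    10203 S+     502   0:00              \_ ./ssh-scan 100
12522 12524 10203 20896 pts/3    10203 S+     502   0:02                  \_ ./ssh-scan 100
12522 12525 10203 20896 pts/3    10203 S+     502   0:01                  \_ ./ssh-scan 100
    1   999   999   999 ?           -1 Ss       0   0:00 /usr/sbin/sshd -D
"""

# Hypothetical watch list: names observed in this incident, not a general signature set.
SUSPICIOUS_NAMES = {"ssh-scan", "SCREEN"}

# PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND (TPGID may be -1).
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(-?\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(.*)$")

def parse_ps_axjf(text):
    """Return {pid: {ppid, uid, cmd}} with the tree-drawing '\\_' prefixes stripped."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header or blank line
            continue
        cmd = re.sub(r"^(\s*\\_\s*)+", "", m.group(10)).strip()
        procs[int(m.group(2))] = {"ppid": int(m.group(1)), "uid": int(m.group(8)), "cmd": cmd}
    return procs

def root_of(procs, pid):
    """Walk PPID links to the top-most ancestor present in the listing."""
    while procs[pid]["ppid"] in procs and procs[pid]["ppid"] != pid:
        pid = procs[pid]["ppid"]
    return pid

def find_suspicious(procs):
    """Flag relative-path execution (argv[0] or a script argument) and watched names."""
    hits = []
    for pid, p in procs.items():
        argv = p["cmd"].split()
        relative = any(a.startswith("./") for a in argv)
        named = bool(argv) and os.path.basename(argv[0]) in SUSPICIOUS_NAMES
        if relative or named:
            hits.append((pid, p["uid"], root_of(procs, pid), p["cmd"]))
    return sorted(hits)
```

Grouping the hits by their root PID (here all under 20894, UID 502) tells you which single process group to kill and which account's home directory to examine.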