遭遇黑客,請求幫忙
最近伺服器被黑客入侵了,因為一時激動,第一時間就刪除了新建的用戶帳號,不知道他在伺服器上幹了什麼壞事,導致系統有諸多問題,請大俠們幫個忙。
具體癥狀如下:
1.系統啟動有時不成功,需要重啟
2.執行cp、chown、chmod命令時會出現:Segmentation Fault錯誤
3.執行某些命令如:ls -al -crt /data/*.gz | awk '{print $9}' | head -1將不能正確退出
4.ps後發現很多進程無故僵死
ps -aux結果如下:
------------------------------------------------------------------
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 08:03 ? 00:00:01 init
root 2 1 0 08:03 ? 00:00:00
root 3 1 0 08:03 ? 00:00:00
root 4 1 0 08:03 ? 00:00:00
root 5 1 0 08:03 ? 00:00:00
root 6 1 0 08:03 ? 00:00:00
root 7 1 0 08:03 ? 00:00:00
root 8 6 0 08:03 ? 00:00:00
root 9 6 0 08:03 ? 00:00:00
root 62 6 0 08:03 ? 00:00:00
root 63 6 0 08:03 ? 00:00:00
root 64 1 0 08:03 ? 00:00:00
root 73 6 0 08:03 ? 00:00:00
root 74 6 0 08:03 ? 00:00:00
root 76 6 0 08:03 ? 00:00:00
root 77 6 0 08:03 ? 00:00:00
root 75 1 0 08:03 ? 00:00:00
root 150 1 0 08:03 ? 00:00:00
root 212 1 0 08:03 ? 00:00:00
root 213 1 0 08:03 ? 00:00:00
root 224 1 0 08:03 ? 00:00:00
root 517 8 0 08:03 ? 00:00:00 /bin/sh /sbin/hotplug vc
root 530 517 0 08:03 ? 00:00:00 /bin/bash /etc/hotplug.d/default/default.hotplug vc
root 541 1 0 08:03 ? 00:00:00 uname -r
root 543 541 0 08:03 ? 00:00:00 <defunct>
root 1295 1 0 08:04 ? 00:00:00 udevd
root 2036 1 0 08:04 ? 00:00:00
root 2065 1 0 08:04 ? 00:00:00 chgrp utmp /var/run/utmp /var/log/wtmp
root 2326 1 0 08:04 ? 00:00:00 syslogd -m 0
root 2330 1 0 08:04 ? 00:00:00 klogd -x
root 2341 1 0 08:04 ? 00:00:00 irqbalance
rpc 2352 1 0 08:04 ? 00:00:00 portmap
rpcuser 2374 1 0 08:04 ? 00:00:00 rpc.statd
root 2402 1 0 08:04 ? 00:00:00 rpc.idmapd
oracle 2498 1 0 08:04 ? 00:00:00 /oradb/app/oracle/10g/bin/tnslsnr LISTENER -inherit
oracle 2505 1 0 08:04 ? 00:00:00 ora_pmon_spsc
oracle 2507 1 0 08:04 ? 00:00:00 ora_mman_spsc
oracle 2509 1 0 08:04 ? 00:00:00 ora_dbw0_spsc
oracle 2511 1 0 08:04 ? 00:00:00 ora_lgwr_spsc
oracle 2513 1 0 08:04 ? 00:00:01 ora_ckpt_spsc
oracle 2515 1 0 08:04 ? 00:00:00 ora_smon_spsc
oracle 2517 1 0 08:04 ? 00:00:00 ora_reco_spsc
oracle 2519 1 0 08:04 ? 00:00:00 ora_cjq0_spsc
oracle 2521 1 0 08:04 ? 00:00:00 ora_d000_spsc
oracle 2523 1 0 08:04 ? 00:00:00 ora_s000_spsc
oracle 2533 1 0 08:04 ? 00:00:00 ora_qmnc_spsc
oracle 2535 1 0 08:04 ? 00:00:02 ora_mmon_spsc
oracle 2537 1 0 08:04 ? 00:00:00 ora_mmnl_spsc
root 2546 1 0 08:04 ? 00:00:00 /usr/sbin/acpid
oracle 2556 1 0 08:04 ? 00:00:04 ora_j000_spsc
oracle 2558 1 0 08:04 ? 00:00:09 ora_j001_spsc
root 2562 1 0 08:04 ? 00:00:00 cupsd
root 2587 1 0 08:04 ? 00:00:00 /usr/sbin/sshd
root 2602 1 0 08:04 ? 00:00:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root 2612 1 0 08:04 ? 00:00:00 gpm -m /dev/input/mice -t imps2
htt 2642 1 0 08:04 ? 00:00:00 /usr/sbin/htt -retryonerror 0
htt 2643 2642 0 08:04 ? 00:00:00 htt_server -nodaemon
root 2653 1 0 08:04 ? 00:00:00 crond
xfs 2675 1 0 08:04 ? 00:00:00 xfs -droppriv -daemon
daemon 2694 1 0 08:04 ? 00:00:00 /usr/sbin/atd
dbus 2724 1 0 08:05 ? 00:00:00 dbus-daemon-1 --system
root 2738 1 0 08:05 ? 00:00:00 cups-config-daemon
root 2749 1 0 08:05 ? 00:00:00 hald
root 2756 1 0 08:05 ? 00:00:00 /bin/sh /oradb/esoms/orabak
root 2760 1 0 08:05 tty1 00:00:00 /sbin/mingetty tty1
root 2761 1 0 08:05 tty2 00:00:00 /sbin/mingetty tty2
root 2762 1 0 08:05 tty3 00:00:00 /sbin/mingetty tty3
root 2763 1 0 08:05 tty4 00:00:00 /sbin/mingetty tty4
root 2801 1 0 08:05 tty5 00:00:00 /sbin/mingetty tty5
root 2802 1 0 08:05 tty6 00:00:00 /sbin/mingetty tty6
root 2803 1 0 08:05 ? 00:00:00 /usr/bin/gdm-binary -nodaemon
root 2804 1 0 08:05 ? 00:00:00 /bin/su -l oracle -c exec /oradb/app/oracle/10g/bin/ocssd
root 3236 2803 0 08:05 ? 00:00:00 /usr/bin/gdm-binary -nodaemon
root 3241 3236 0 08:05 ? 00:00:10 /usr/X11R6/bin/X :0 -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7
oracle 3381 2804 0 08:05 ? 00:00:00 /bin/sh /oradb/app/oracle/10g/bin/ocssd
oracle 3421 1 0 08:05 ? 00:00:00 /bin/uname
oracle 3422 3421 0 08:05 ? 00:00:00 <defunct>
root 3639 1 0 08:05 ? 00:00:00 /usr/bin/ssh-agent -s
root 3759 1 0 08:05 ? 00:00:00 /usr/bin/python /usr/bin/system-control-network
root 3760 3759 0 08:05 ? 00:00:00 /bin/sh -c find /lib/modules/$(uname -r)/{kernel,unsupported}/drivers/isdn -name '*.?o' -print
root 3764 1 0 08:05 ? 00:00:00 uname -r
root 3823 1 0 08:06 ? 00:00:00 sleep 2
root 3829 3823 0 08:06 ? 00:00:00 <defunct>
root 3881 1 0 08:06 ? 00:00:00 sleep 2
root 3886 3881 0 08:06 ? 00:00:00 <defunct>
root 3909 8 0 08:10 ? 00:00:00 /bin/sh /sbin/hotplug input
root 3910 8 0 08:10 ? 00:00:00 /bin/sh /sbin/hotplug input
root 3918 3909 0 08:10 ? 00:00:00 /bin/sh /etc/hotplug/input.agent
root 3935 3910 0 08:10 ? 00:00:00 /bin/bash /etc/hotplug.d/default/default.hotplug input
root 3947 1 0 08:10 ? 00:00:00 uname -r
root 3949 3947 0 08:10 ? 00:00:00 <defunct>
root 3953 8 0 08:10 ? 00:00:00 /bin/sh /sbin/hotplug usb
root 3959 3953 0 08:10 ? 00:00:00 /bin/sh /etc/hotplug/usb.agent
root 3976 1 0 08:10 ? 00:00:00 uname -r
root 3978 3976 0 08:10 ? 00:00:00 <defunct>
root 3986 1 0 08:10 ? 00:00:00 uname -r
root 3990 3986 0 08:10 ? 00:00:00 <defunct>
oracle 3997 1 0 08:10 ? 00:00:00 oraclespsc (LOCAL=NO)
oracle 4031 1 0 08:51 ? 00:00:00 oraclespsc (LOCAL=NO)
oracle 4033 1 0 08:51 ? 00:00:03 oraclespsc (LOCAL=NO)
oracle 4047 1 0 09:01 ? 00:00:03 oraclespsc (LOCAL=NO)
oracle 4049 1 0 09:01 ? 00:00:00 oraclespsc (LOCAL=NO)
oracle 4517 1 0 09:34 ? 00:00:03 oraclespsc (LOCAL=NO)
root 4542 1 0 10:05 ? 00:00:00 sleep 3600
root 4543 4542 0 10:05 ? 00:00:00 <defunct>
oracle 4565 1 0 10:29 ? 00:00:01 oraclespsc (LOCAL=NO)
root 4588 1 0 11:05 ? 00:00:00 sleep 3600
root 4589 4588 0 11:05 ? 00:00:00 <defunct>
root 4627 8 0 11:37 ? 00:00:00 /bin/sh /sbin/hotplug input
root 4630 8 0 11:37 ? 00:00:00 /bin/sh /sbin/hotplug input
root 4638 4627 0 11:37 ? 00:00:00 /bin/bash /etc/hotplug.d/default/default.hotplug input
root 4644 4630 0 11:37 ? 00:00:00 /bin/bash /etc/hotplug.d/default/default.hotplug input
root 4648 1 0 11:37 ? 00:00:00 uname -r
root 4649 1 0 11:37 ? 00:00:00 uname -r
root 4650 4648 0 11:37 ? 00:00:00 <defunct>
root 4651 4649 0 11:37 ? 00:00:00 <defunct>
root 4753 1 0 11:38 ? 00:00:00 /usr/bin/ssh-agent -s
root 4956 1 0 11:39 ? 00:00:00 /usr/bin/ssh-agent -s
gdm 5108 3236 0 11:39 ? 00:00:00 /usr/bin/gdmgreeter
root 5109 8 0 11:42 ? 00:00:00 /bin/sh /sbin/hotplug input
root 5110 8 0 11:42 ? 00:00:00 /bin/sh /sbin/hotplug input
root 5111 8 0 11:42 ? 00:00:00 /bin/sh /sbin/hotplug input
root 5116 8 0 11:42 ? 00:00:00 /bin/sh /sbin/hotplug usb
root 5128 5109 0 11:42 ? 00:00:00 /bin/sh /etc/hotplug/input.agent
root 5134 5110 0 11:42 ? 00:00:00 /bin/bash /etc/hotplug.d/default/default.hotplug input
root 5140 5111 0 11:42 ? 00:00:00 /bin/bash /etc/hotplug.d/default/default.hotplug input
root 5141 5116 0 11:42 ? 00:00:00 /bin/bash /etc/hotplug.d/default/default.hotplug usb
root 5148 1 0 11:42 ? 00:00:00 uname -r
root 5154 5148 0 11:42 ? 00:00:00 <defunct>
root 5155 1 0 11:42 ? 00:00:00 uname -r
root 5156 1 0 11:42 ? 00:00:00 uname -r
root 5157 5155 0 11:42 ? 00:00:00 <defunct>
root 5158 5156 0 11:42 ? 00:00:00 <defunct>
root 5170 1 0 11:42 ? 00:00:00 uname -r
root 5173 5170 0 11:42 ? 00:00:00 <defunct>
root 5204 1 0 12:05 ? 00:00:00 sleep 3600
root 5205 5204 0 12:05 ? 00:00:00 <defunct>
root 5272 1 0 13:05 ? 00:00:00 sleep 3600
root 5273 5272 0 13:05 ? 00:00:00 <defunct>
oracle 5283 1 0 13:19 ? 00:00:00 oraclespsc (LOCAL=NO)
root 5323 2756 0 14:05 ? 00:00:00 sleep 3600
root 5324 5323 0 14:05 ? 00:00:00 <defunct>
oracle 5341 1 0 14:34 ? 00:00:00 oraclespsc (LOCAL=NO)
root 5342 2587 0 14:36 ? 00:00:00 sshd: oracle
oracle 5344 5342 0 14:36 ? 00:00:00 sshd: oracle@pts/1
oracle 5345 5344 0 14:36 pts/1 00:00:00 -bash
oracle 5378 1 10 14:36 pts/1 00:00:04 ls --color=tty
oracle 5380 1 0 14:36 ? 00:00:00 ora_q000_spsc
oracle 5383 5345 0 14:37 pts/1 00:00:00 ps -eaf
《解決方案》
老兄,只能表示同情!愛莫能助
《解決方案》
保存數據,重裝系統,為上策。
《解決方案》
在不知道「黑客」做了什麼的情況下建議reinstall系統。cp、chown、chmod這類基本命令會Segmentation Fault,本身就說明系統二進位檔或核心可能已被替換,這台機器上的任何工具都不再可信,所以只能保留數據、從可信的安裝媒介重裝。