我需要帮助。我们最近遇到了一次服务器入侵,虽然我们设法进行了彻底清理,但我仍然希望在不迁移服务器的情况下解决该漏洞。
有人可以查看一下下面正在运行的进程列表吗?请指出任何看起来奇怪或不寻常的地方。黑客确实成功获取了 SSH 访问权限,并更改了许多组权限。
这是一个运行 WordPress 的简单网站,流量很小。Wordfence 的专家和其他人都无法确定问题出在哪里。提前致谢。
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Mar17 ? 00:00:02 /sbin/init
root 2 0 0 Mar17 ? 00:00:00 [kthreadd]
root 3 2 0 Mar17 ? 00:00:05 [migration/0]
root 4 2 0 Mar17 ? 00:00:05 [ksoftirqd/0]
root 5 2 0 Mar17 ? 00:00:00 [stopper/0]
root 6 2 0 Mar17 ? 00:00:01 [watchdog/0]
root 7 2 0 Mar17 ? 00:00:03 [migration/1]
root 8 2 0 Mar17 ? 00:00:00 [stopper/1]
root 9 2 0 Mar17 ? 00:00:03 [ksoftirqd/1]
root 10 2 0 Mar17 ? 00:00:00 [watchdog/1]
root 11 2 0 Mar17 ? 00:00:42 [events/0]
root 12 2 0 Mar17 ? 00:00:39 [events/1]
root 13 2 0 Mar17 ? 00:00:00 [events/0]
root 14 2 0 Mar17 ? 00:00:00 [events/1]
root 15 2 0 Mar17 ? 00:00:00 [events_long/0]
root 16 2 0 Mar17 ? 00:00:00 [events_long/1]
root 17 2 0 Mar17 ? 00:00:00 [events_power_ef]
root 18 2 0 Mar17 ? 00:00:00 [events_power_ef]
root 19 2 0 Mar17 ? 00:00:00 [cgroup]
root 20 2 0 Mar17 ? 00:00:00 [khelper]
root 21 2 0 Mar17 ? 00:00:00 [netns]
root 22 2 0 Mar17 ? 00:00:00 [async/mgr]
root 23 2 0 Mar17 ? 00:00:00 [pm]
root 24 2 0 Mar17 ? 00:00:01 [sync_supers]
root 25 2 0 Mar17 ? 00:00:02 [bdi-default]
root 26 2 0 Mar17 ? 00:00:00 [kintegrityd/0]
root 27 2 0 Mar17 ? 00:00:00 [kintegrityd/1]
root 28 2 0 Mar17 ? 00:01:03 [kblockd/0]
root 29 2 0 Mar17 ? 00:00:02 [kblockd/1]
root 30 2 0 Mar17 ? 00:00:00 [kacpid]
root 31 2 0 Mar17 ? 00:00:00 [kacpi_notify]
root 32 2 0 Mar17 ? 00:00:00 [kacpi_hotplug]
root 33 2 0 Mar17 ? 00:00:00 [ata_aux]
root 34 2 0 Mar17 ? 00:00:00 [ata_sff/0]
root 35 2 0 Mar17 ? 00:00:00 [ata_sff/1]
root 36 2 0 Mar17 ? 00:00:00 [ksuspend_usbd]
root 37 2 0 Mar17 ? 00:00:00 [khubd]
root 38 2 0 Mar17 ? 00:00:00 [kseriod]
root 39 2 0 Mar17 ? 00:00:00 [md/0]
root 40 2 0 Mar17 ? 00:00:00 [md/1]
root 41 2 0 Mar17 ? 00:00:00 [md_misc/0]
root 42 2 0 Mar17 ? 00:00:00 [md_misc/1]
root 43 2 0 Mar17 ? 00:00:00 [linkwatch]
root 44 2 0 Mar17 ? 00:00:00 [khungtaskd]
root 45 2 0 Mar17 ? 00:01:01 [kswapd0]
root 46 2 0 Mar17 ? 00:00:00 [ksmd]
root 47 2 0 Mar17 ? 00:00:01 [khugepaged]
root 48 2 0 Mar17 ? 00:00:00 [aio/0]
root 49 2 0 Mar17 ? 00:00:00 [aio/1]
root 50 2 0 Mar17 ? 00:00:00 [crypto/0]
root 51 2 0 Mar17 ? 00:00:00 [crypto/1]
root 58 2 0 Mar17 ? 00:00:00 [kthrotld/0]
root 59 2 0 Mar17 ? 00:00:00 [kthrotld/1]
root 61 2 0 Mar17 ? 00:00:00 [kpsmoused]
root 62 2 0 Mar17 ? 00:00:00 [usbhid_resumer]
root 63 2 0 Mar17 ? 00:00:00 [deferwq]
root 250 2 0 Mar17 ? 00:00:00 [scsi_eh_0]
root 254 2 0 Mar17 ? 00:00:00 [scsi_eh_1]
root 305 1419 0 Mar21 ? 00:00:00 sshd: root [priv]
sshd 306 305 0 Mar21 ? 00:00:00 sshd: root [net]
root 349 2 0 Mar17 ? 00:00:00 [virtio-blk]
root 379 2 0 Mar17 ? 00:01:37 [jbd2/vda1-8]
root 380 2 0 Mar17 ? 00:00:00 [ext4-dio-unwrit]
root 458 1 0 Mar17 ? 00:00:00 /sbin/udevd -d
root 563 2 0 Mar17 ? 00:00:00 [virtio-net]
root 586 2 0 Mar17 ? 00:00:00 [vballoon]
root 742 2 0 Mar17 ? 00:00:00 [kdmremove]
root 743 2 0 Mar17 ? 00:00:00 [kstriped]
root 769 2 0 Mar17 ? 00:01:08 [flush-253:0]
nobody 837 11478 0 14:29 ? 00:00:00 /usr/sbin/httpd -k start
root 992 2 0 Mar17 ? 00:00:01 [kauditd]
root 1047 2 0 Mar17 ? 00:00:13 [loop0]
root 1051 2 0 Mar17 ? 00:00:05 [kjournald]
root 1071 1419 0 Mar18 ? 00:00:00 sshd: unknown [priv]
sshd 1072 1071 0 Mar18 ? 00:00:00 sshd: unknown [net]
root 1230 1 0 Mar17 ? 00:00:01 auditd
root 1294 1 0 Mar17 ? 00:00:40 /sbin/rsyslogd -i /var/run/syslo
named 1317 1 0 Mar17 ? 00:00:02 /usr/sbin/named -u named
dbus 1335 1 0 Mar17 ? 00:00:00 dbus-daemon --system
root 1366 1 0 Mar17 ? 00:00:00 /usr/sbin/acpid
nscd 1385 1 0 Mar17 ? 00:00:31 /usr/sbin/nscd
root 1419 1 0 Mar17 ? 00:00:00 /usr/sbin/sshd
ntp 1430 1 0 Mar17 ? 00:00:01 ntpd -u ntp:ntp -p /var/run/ntpd
root 1449 1 0 Mar17 ? 00:00:00 /bin/sh /usr/bin/mysqld_safe --d
root 1632 1 0 00:00 ? 00:00:20 lfd - sleeping
root 1711 1 0 Mar17 ? 00:00:00 pure-ftpd (SERVER)
root 1713 1 0 Mar17 ? 00:00:00 /usr/sbin/pure-authd -s /var/run
root 1725 1 0 Mar17 ? 00:00:02 crond
root 1740 1 0 Mar17 ? 00:00:00 /usr/sbin/atd
root 1875 1 0 Mar17 tty1 00:00:00 /sbin/mingetty /dev/tty1
root 1877 1 0 Mar17 tty2 00:00:00 /sbin/mingetty /dev/tty2
root 1879 1 0 Mar17 tty3 00:00:00 /sbin/mingetty /dev/tty3
root 1881 1 0 Mar17 tty4 00:00:00 /sbin/mingetty /dev/tty4
root 1883 1 0 Mar17 tty5 00:00:00 /sbin/mingetty /dev/tty5
root 1885 1 0 Mar17 tty6 00:00:00 /sbin/mingetty /dev/tty6
root 1889 458 0 Mar17 ? 00:00:00 /sbin/udevd -d
root 1890 458 0 Mar17 ? 00:00:00 /sbin/udevd -d
nobody 2733 11478 0 14:45 ? 00:00:00 /usr/sbin/httpd -k start
nobody 2736 11478 0 14:45 ? 00:00:00 /usr/sbin/httpd -k start
nobody 2739 11478 0 14:45 ? 00:00:00 /usr/sbin/httpd -k start
nobody 3264 11478 0 14:50 ? 00:00:00 /usr/sbin/httpd -k start
503 3265 11478 0 14:50 ? 00:00:00 /usr/sbin/httpd -k start
nobody 3270 11478 0 14:50 ? 00:00:00 /usr/sbin/httpd -k start
nobody 3272 11478 0 14:50 ? 00:00:00 /usr/sbin/httpd -k start
nobody 3278 11478 0 14:50 ? 00:00:00 /usr/sbin/httpd -k start
503 3577 11566 23 14:54 ? 00:00:12 php-fpm: pool mysite
root 3596 1419 0 14:54 ? 00:00:00 sshd: root@pts/0
503 3600 11566 23 14:54 ? 00:00:06 php-fpm: pool mysite
503 3602 11566 23 14:54 ? 00:00:06 php-fpm: pool mysite
root 3619 3596 0 14:54 pts/0 00:00:00 -bash
root 3670 3619 0 14:54 pts/0 00:00:00 ps -ef
root 4331 1419 0 00:52 ? 00:00:00 sshd: unknown [priv]
sshd 4332 4331 0 00:52 ? 00:00:00 sshd: unknown [net]
root 4365 1419 0 00:53 ? 00:00:00 sshd: root [priv]
sshd 4367 4365 0 00:53 ? 00:00:00 sshd: root [net]
root 4758 1419 0 Mar19 ? 00:00:00 sshd: root [priv]
sshd 4760 4758 0 Mar19 ? 00:00:00 sshd: root [net]
mysql 5024 1449 3 Mar19 ? 02:24:33 /usr/sbin/mysqld --basedir=/usr
root 7284 2 0 02:05 ? 00:00:00 [flush-7:0]
root 8078 1419 0 Mar21 ? 00:00:00 sshd: unknown [priv]
sshd 8082 8078 0 Mar21 ? 00:00:00 sshd: unknown [net]
root 9047 1 0 Mar21 ? 00:00:00 /usr/sbin/dovecot
dovenull 9049 9047 0 Mar21 ? 00:00:00 dovecot/pop3-login
dovenull 9050 9047 0 Mar21 ? 00:00:00 dovecot/imap-login
dovecot 9051 9047 0 Mar21 ? 00:00:00 dovecot/anvil
root 9052 9047 0 Mar21 ? 00:00:00 dovecot/log
dovenull 9054 9047 0 Mar21 ? 00:00:00 dovecot/pop3-login
root 9055 9047 0 Mar21 ? 00:00:00 dovecot/config
dovenull 9056 9047 0 Mar21 ? 00:00:00 dovecot/imap-login
root 9431 1419 0 Mar21 ? 00:00:00 sshd: unknown [priv]
sshd 9432 9431 0 Mar21 ? 00:00:00 sshd: unknown [net]
root 9639 1 0 Mar21 ? 00:00:07 cpsrvd (SSL) - dormant mode - ac
root 9647 1 0 Mar21 ? 00:00:05 queueprocd - wait to process a t
root 9651 1 0 Mar21 ? 00:00:01 dnsadmin - dormant mode
root 9667 1 0 Mar21 ? 00:00:07 php-fpm: master process (/usr/lo
root 9676 1 0 Mar21 ? 00:00:14 cPhulkd - processor
root 9685 1 0 Mar21 ? 00:00:00 cpdavd - accepting connections o
root 9689 1 0 Mar21 ? 00:00:00 cpanellogd - sleeping for logs
root 11396 1 0 03:42 ? 00:00:01 tailwatchd
root 11443 1419 0 Mar21 ? 00:00:00 sshd: root [priv]
sshd 11444 11443 0 Mar21 ? 00:00:00 sshd: root [net]
root 11478 1 0 03:42 ? 00:00:02 /usr/sbin/httpd -k start
root 11566 1 0 03:42 ? 00:00:04 php-fpm: master process (/opt/cp
503 12423 9047 0 11:11 ? 00:00:00 dovecot/quota-status -p postfix
root 12782 1419 0 Mar18 ? 00:00:00 sshd: root [priv]
root 12783 1419 0 Mar18 ? 00:00:00 sshd: unknown [priv]
sshd 12784 12782 0 Mar18 ? 00:00:00 sshd: root [net]
sshd 12787 12783 0 Mar18 ? 00:00:00 sshd: unknown [net]
root 12800 1419 0 Mar20 ? 00:00:00 sshd: root [priv]
sshd 12801 12800 0 Mar20 ? 00:00:00 sshd: root [net]
mailman 12890 1 0 11:17 ? 00:00:00 /usr/bin/python /usr/local/cpane
mailman 12891 12890 0 11:17 ? 00:00:01 /usr/bin/python /usr/local/cpane
mailman 12892 12890 0 11:17 ? 00:00:02 /usr/bin/python /usr/local/cpane
mailman 12893 12890 0 11:17 ? 00:00:01 /usr/bin/python /usr/local/cpane
mailman 12894 12890 0 11:17 ? 00:00:02 /usr/bin/python /usr/local/cpane
mailman 12895 12890 0 11:17 ? 00:00:01 /usr/bin/python /usr/local/cpane
mailman 12896 12890 0 11:17 ? 00:00:02 /usr/bin/python /usr/local/cpane
mailman 12897 12890 0 11:17 ? 00:00:02 /usr/bin/python /usr/local/cpane
mailman 12898 12890 0 11:17 ? 00:00:00 /usr/bin/python /usr/local/cpane
root 18367 1 0 Mar21 ? 00:00:00 /usr/bin/python -Es /usr/bin/fai
root 19644 1419 0 Mar18 ? 00:00:00 sshd: unknown [priv]
sshd 19645 19644 0 Mar18 ? 00:00:00 sshd: unknown [net]
root 19713 1419 0 Mar19 ? 00:00:00 sshd: root [priv]
sshd 19714 19713 0 Mar19 ? 00:00:00 sshd: root [net]
root 19937 1419 0 12:38 ? 00:00:00 sshd: root@pts/1
root 20109 19937 0 12:39 pts/1 00:00:00 -bash
root 20816 1419 0 12:44 ? 00:00:00 sshd: root@pts/2
root 20819 20816 0 12:44 pts/2 00:00:00 -bash
root 21666 1419 0 04:29 ? 00:00:00 sshd: root [priv]
sshd 21667 21666 0 04:29 ? 00:00:00 sshd: root [net]
root 21985 1419 0 04:33 ? 00:00:00 sshd: root [priv]
sshd 21986 21985 0 04:33 ? 00:00:00 sshd: root [net]
root 23160 1419 0 Mar18 ? 00:00:00 sshd: root [priv]
sshd 23161 23160 0 Mar18 ? 00:00:00 sshd: root [net]
root 23331 1419 0 Mar19 ? 00:00:00 sshd: unknown [priv]
sshd 23332 23331 0 Mar19 ? 00:00:00 sshd: unknown [net]
root 23409 11478 0 13:04 ? 00:00:00 /usr/local/cpanel/3rdparty/bin/p
nobody 27199 11478 0 13:32 ? 00:00:02 /usr/sbin/httpd -k start
mailnull 27668 1 0 Mar21 ? 00:00:00 /usr/sbin/exim -ps -bd -q1h -oP
root 27680 1 0 Mar21 ? 00:07:36 spamd-dormant: waiting for conne
32010 27694 1 0 Mar21 ? 00:03:11 /usr/local/cpanel/3rdparty/sbin/
root 30316 1419 0 Mar18 ? 00:00:00 sshd: root [priv]
sshd 30317 30316 0 Mar18 ? 00:00:00 sshd: root [net]
root 30837 1419 0 Mar21 ? 00:00:00 sshd: root [priv]
sshd 30838 30837 0 Mar21 ? 00:00:00 sshd: root [net]
答案1
如果计算机已被入侵,则可能已被安装 rootkit,它会隐藏某些进程,使其不出现在 ps 的输出、/proc 或磁盘上;因此,仅凭上面的进程列表无法证明这台机器是干净的。唯一安全的做法是从受信任的来源重建计算机。