The server seems to have been hacked. iftop shows:

```
AY131206202454765300Z => 10.141.56.177 2.62Mb 2.55Mb 2.44Mb
                      <= 38.2Mb 36.4Mb 35.8Mb
```

and netstat shows:

```
tcp 0 0 AY131206202454765300Z:53798 10.84.135.99:http TIME_WAIT
tcp 0 0 121.199.xx.xx:http 222.80.167.72:49484 TIME_WAIT
tcp 0 0 AY131206202454765300Z:16160 10.141.56.177:mysql TIME_WAIT
tcp 0 0 AY131206202454765300Z:20286 10.141.56.177:mysql TIME_WAIT
tcp 0 0 121.199.xx.xx:http 139.227.220.95:mpsysrmsvr ESTABLISHED
tcp 0 0 121.199.xx.xx:http 223.21.232.140:26347 TIME_WAIT
tcp 0 0 121.199.xx.xx:http 175.148.61.66:62296 ESTABLISHED
tcp 0 0 AY131206202454765300Z:20777 10.141.56.177:mysql TIME_WAIT
tcp 0 5462 121.199.xx.xx:http 155-229-105-63.east.d:53038 FIN_WAIT1
tcp 0 0 AY131206202454765300Z:13202 10.141.56.177:mysql TIME_WAIT
tcp 0 0 AY131206202454765300Z:13834 10.141.56.177:mysql TIME_WAIT
tcp 0 0 AY131206202454765300Z:54130 10.84.135.99:http TIME_WAIT
```

Is there any way to confirm which process is sending these requests? The server is on Aliyun; I asked Aliyun, and they said this IP can't be found, it's an internal IP.
Could someone knowledgeable tell me roughly what is causing this?
1
LT OP ifconfig shows the following, but this is a single standalone server that uses Aliyun's MySQL, which should have nothing to do with the mysql on this box. By my common sense, a standalone machine's IP should be 127.0.0.1, not 10.132.44.216
```
eth0 Link encap:Ethernet HWaddr xxxxxxx
     inet addr:10.132.44.216 Bcast:10.132.47.255 Mask:255.255.240.0
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
     RX packets:111369052 errors:0 dropped:0 overruns:0 frame:0
     TX packets:65757349 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:1000
     RX bytes:74522608343 (69.4 GiB) TX bytes:6549181907 (6.0 GiB)
     Interrupt:148
```
2
LT OP route -n shows
```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xxx.xx.x.x      0.0.0.0         255.255.252.0   U     0      0        0 eth1
x.x.x.x         0.0.0.0         255.255.240.0   U     0      0        0 eth0
xx.x.x.x        0.0.0.0         255.255.0.0     U     1002   0        0 eth0
.x.x.x.x        0.0.0.0         255.255.0.0     U     1003   0        0 eth1
172.16.0.0      10.132.47.247   255.240.0.0     UG    0      0        0 eth0
100.64.0.0      10.132.47.247   255.192.0.0     UG    0      0        0 eth0
10.0.0.0        10.132.47.247   255.0.0.0       UG    0      0        0 eth0
0.0.0.0         121.199.27.247  0.0.0.0         UG    0      0        0 eth1
```
Is there a problem with the 10.132.47.247 gateway?
3
skydiver 2016-07-17 02:19:00 +08:00
man netstat
-p, --program Show the PID and name of the program to which each socket belongs.
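To turn the `-p` column into something you can act on, here is an added helper (not from the thread) that aggregates `netstat -tnp` output by remote host and owning program, so a flow like the 36 Mb/s one in the question can be tied to a PID. The sample lines below are constructed in the `netstat -tnp` layout; they are not the poster's real output. Only `netstat` layout is handled; `ss -tnp` prints the process differently.

```sh
#!/bin/sh
# conns_by_program: read `netstat -tnp` lines on stdin, print
#   <count> <remote host> <PID/program>
# sorted by count, most connections first. TIME_WAIT sockets belong to no
# process any more, so netstat prints "-" for them; the same "-" appears for
# other users' sockets when you are not root.
conns_by_program() {
    awk '
        $1 ~ /^tcp/ && NF >= 7 {
            remote = $5
            sub(/:[^:]*$/, "", remote)          # strip the port (IPv4 or IPv6)
            prog = $7                           # "PID/Program name" or "-"
            for (i = 8; i <= NF; i++)           # nginx prints "1234/nginx: worker"
                prog = prog " " $i
            count[remote " " prog]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample in netstat -tnp layout (assumed, not captured from the host).
SAMPLE_NETSTAT='tcp        0      0 10.132.44.216:16160     10.141.56.177:3306      TIME_WAIT   -
tcp        0      0 10.132.44.216:20286     10.141.56.177:3306      TIME_WAIT   -
tcp        0      0 10.132.44.216:80        175.148.61.66:62296     ESTABLISHED 1234/nginx: worker
tcp        0      0 10.132.44.216:80        139.227.220.95:1270     ESTABLISHED 1234/nginx: worker
tcp        0      0 10.132.44.216:44120     10.141.56.177:3306      ESTABLISHED 2211/php-fpm: pool'

# top_talker: the busiest (remote host, program) pair in the sample.
top_talker() {
    printf '%s\n' "$SAMPLE_NETSTAT" | conns_by_program | head -n 1
}

# On a live host (root needed to see other users' PIDs):
#   sudo netstat -tnp 2>/dev/null | conns_by_program
printf '%s\n' "$SAMPLE_NETSTAT" | conns_by_program
```

The TIME_WAIT rows to the mysql host show the pattern but never a PID; the ESTABLISHED rows do, and that PID (here the constructed `2211/php-fpm`) is the process to inspect with `ls -l /proc/<pid>/cwd` and `/proc/<pid>/exe`.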
4
LT OP Now the nginx log shows
It should be the IP 106.187.97.172 that is relaying the packets:
```
117.41.145.148 - - [17/Jul/2016:10:02:20 +0800] "GET /forum.php?&wangzhanbeihei&chongzhuangwangzhan&chongzhuangfuwuqi&&wangzhanbeihei&chongzhuangwangzhan&chongzhuangfuwuqi&wangzhanbeihei&chongzhuangwangzhan&chongzhuangfuwuqi&&wangzhanbeihei&chongzhuangwangzhan&chongzhuangfuwuqi&wangzhanbeihei&chongzhuangwangzhan&chongzhuangfuwuqi&&wangzhanbeihei&chongzhuangwangzhan&chongzhuangfuwuqi&wangzhanbeihei&chongzhuangwangzhan&chongzhuangfuwuqi&&wangzhanbeihei&chongzhuangwangzhan&chongzhuangfuwuqi&wangzhanbeihei&chongzhuangwangzhan&chongzhuangfuwuqi&&wangzhanbeihei&chongzhuangwangzhan&chongzhuangfuwuqi&wangzhanbeihei&chongzhuangwangzhan&chongzhuangfuwuqi&&wangzhanbeihei&chongzhuangwangzhan&chongzhuangfuwuqi&wangzhanbeihei&chongzhuangwangzhan&chongzhuangfuwuqi&&wangzhanbeihei&chongzhuangwangzhan&chongzhuangfuwuqi&wangzhanbeihei&chongzhuangwangzhan&chongzhuangfuwuqi&&wangzhanbeihei&chongzhuangwangzhan&chongzhuangfuwuqi&13798 HTTP/1.1" 200 31 "http://106.187.97.172/info.php" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
```
The nginx config is
```
valid_referers none blocked 106.187.97.172;
if ($invalid_referer) {
    return 403;
}
```
It seems this can't block it?
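The reason the rule above does nothing is the semantics of `valid_referers`: the names it lists are the referers that are treated as valid, and `$invalid_referer` is set only when the Referer header matches none of them. So `valid_referers none blocked 106.187.97.172;` allows requests with no Referer, requests whose Referer was stripped, and requests referred from 106.187.97.172, which is exactly the flood in the log. The following is an added example, not the poster's configuration, showing a deny rule on the referer and a rule on the repeated query-string tokens visible in the log line; the `example.com` server names in the commented allow-list form are placeholders.

```nginx
# Added example; place inside the server {} block that serves forum.php.

# (1) Deny-list the referer directly. valid_referers is an allow-list, so
#     listing 106.187.97.172 there permits it; test $http_referer instead.
if ($http_referer ~* "^https?://106\.187\.97\.172(/|$)") {
    return 403;
}

# (2) The flood requests repeat the same query-string tokens (taken from the
#     log line above). Matching on them does not rely on the Referer header,
#     which the attacker controls and can drop at any time.
if ($args ~* "wangzhanbeihei|chongzhuangwangzhan|chongzhuangfuwuqi") {
    return 444;   # nginx-specific: close the connection without a response
}

# (3) For comparison, the allow-list form of valid_referers that would also
#     refuse 106.187.97.172: only the site's own names are valid, everything
#     else is rejected. Assumes the site is example.com (placeholder).
# valid_referers none blocked server_names example.com *.example.com;
# if ($invalid_referer) {
#     return 403;
# }
```

Rule (2) is the one worth keeping: blocking by referer or source IP only holds until the attacker changes them, while the query string is what makes forum.php do the expensive database work that shows up as the inbound mysql traffic in iftop.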
5
Syc 2016-07-17 10:22:28 +08:00 via Android
Back up... reinstall the system... set up proper security measures... restore the data