论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2008-03-05 09:52 |只看该作者 |倒序浏览

近期发现一台 RHAS4U5 的系统经常网络自己死掉(ping 不通)，重启后恢复，查看日志发现重启的时候有如下的信息

Mar  4 10:08:49 localhost gdm[2796]: 主人正在重新启动...

是否有木马在运行？
下面是系统进程情况

UID       PID  PPID  C STIME TTY       TIME CMD
root       1    0  0 10:10 ?       00:00:00 init [5]
root       2    1  0 10:10 ?       00:00:00 [migration/0]
root       3    1  0 10:10 ?       00:00:00 [ksoftirqd/0]
root       4    1  0 10:10 ?       00:00:00 [migration/1]
root       5    1  0 10:10 ?       00:00:00 [ksoftirqd/1]
root       6    1  0 10:10 ?       00:00:00 [migration/2]
root       7    1  0 10:10 ?       00:00:00 [ksoftirqd/2]
root       8    1  0 10:10 ?       00:00:00 [migration/3]
root       9    1  0 10:10 ?       00:00:00 [ksoftirqd/3]
root       10    1  0 10:10 ?       00:00:00 [events/0]
root       11    1  0 10:10 ?       00:00:00 [events/1]
root       12    1  0 10:10 ?       00:00:00 [events/2]
root       13    1  0 10:10 ?       00:00:00 [events/3]
root       14 10  0 10:10 ?       00:00:00 [khelper]
root       15 10  0 10:10 ?       00:00:00 [kacpid]
root       45 10  0 10:10 ?       00:00:00 [kblockd/0]
root       46 10  0 10:10 ?       00:00:00 [kblockd/1]
root       47 10  0 10:10 ?       00:00:00 [kblockd/2]
root       48 10  0 10:10 ?       00:00:00 [kblockd/3]
root       49    1  0 10:10 ?       00:00:00 [khubd]
root       63 10  0 10:10 ?       00:00:00 [pdflush]
root       64 10  0 10:10 ?       00:00:00 [pdflush]
root       66 10  0 10:10 ?       00:00:00 [aio/0]
root       65    1  0 10:10 ?       00:00:00 [kswapd0]
root       67 10  0 10:10 ?       00:00:00 [aio/1]
root       68 10  0 10:10 ?       00:00:00 [aio/2]
root       69 10  0 10:10 ?       00:00:00 [aio/3]
root    142    1  0 10:10 ?       00:00:00 [kseriod]
root    221 12  0 10:10 ?       00:00:00 [kmirrord]
root    222 10  0 10:10 ?       00:00:00 [kmir_mon]
root    229    1  0 10:10 ?       00:00:00 [kjournald]
root    1091    1  0 10:10 ?       00:00:00 udevd
root    1540 11  0 10:10 ?       00:00:00 [kauditd]
root    1591    1  0 10:10 ?       00:00:00 [kjournald]
root    1790    1  0 10:11 ?       00:00:00 cpuspeed -d -n
root    1791  1790  0 10:11 ?       00:00:00 cpuspeed -d -n
root    1792  1790  0 10:11 ?       00:00:00 cpuspeed -d -n
root    1793  1790  0 10:11 ?       00:00:00 cpuspeed -d -n
root    2039    1  0 10:11 ?       00:00:00 syslogd -m 0
root    2043    1  0 10:11 ?       00:00:00 klogd -x
root    2054    1  0 10:11 ?       00:00:00 irqbalance
rpc    2063    1  0 10:11 ?       00:00:00 portmap
rpcuser 2083    1  0 10:11 ?       00:00:00 rpc.statd
root    2122    1  0 10:11 ?       00:00:00 rpc.idmapd
root    2208    1  0 10:11 ?       00:00:00 /usr/sbin/acpid
root    2220    1  0 10:11 ?       00:00:00 cupsd
root    2245    1  0 10:11 ?       00:00:00 /usr/sbin/sshd
root    2260    1  0 10:11 ?       00:00:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root    2280    1  0 10:11 ?       00:00:00 sendmail: accepting connections
smmsp    2288    1  0 10:11 ?       00:00:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root    2299    1  0 10:11 ?       00:00:00 gpm -m /dev/input/mice -t imps2
htt    2327    1  0 10:11 ?       00:00:00 /usr/sbin/htt -retryonerror 0
htt    2328  2327  0 10:11 ?       00:00:00 htt_server -nodaemon
root    2338    1  0 10:11 ?       00:00:00 crond
xfs    2366    1  0 10:11 ?       00:00:00 xfs -droppriv -daemon
root    2385    1  0 10:11 ?       00:00:00 /usr/sbin/atd
dbus    2404    1  0 10:11 ?       00:00:00 dbus-daemon-1 --system
root    2418    1  0 10:11 ?       00:00:00 cups-config-daemon
root    2429    1  0 10:11 ?       00:00:00 hald
root    2611    1  7 10:11 ?       00:04:06 /opt/IBM/WebSphere/AppServer/java/bin/java -Xbootclasspath/p:/opt/IBM/WebSphere/AppServer/java/jre/lib/ext/ibmorb.jar:/opt/IBM/WebSphere/AppServer/java/jre/lib/ext/ibmext.jar -Dwas.status.socket=32775 -classpath /opt/IBM/WebSphere/AppServer/profiles/default/properties:/opt/IBM/WebSphere/AppServer/properties:/opt/IBM/WebSphere/AppServer/lib/bootstrap.jar:/opt/IBM/WebSphere/AppServer/lib/j2ee.jar:/opt/IBM/WebSphere/AppServer/lib/lmproxy.jar:/opt/IBM/WebSphere/AppServer/lib/urlprotocols.jar -Xms768m -Xmx1024m -Dws.ext.dirs=/opt/IBM/WebSphere/AppServer/java/lib:/opt/IBM/WebSphere/AppServer/profiles/default/classes:/opt/IBM/WebSphere/AppServer/classes:/opt/IBM/WebSphere/AppServer/lib:/opt/IBM/WebSphere/AppServer/installedChannels:/opt/IBM/WebSphere/AppServer/lib/ext:/opt/IBM/WebSphere/AppServer/web/help:/opt/IBM/WebSphere/AppServer/deploytool/itp/plugins/com.ibm.etools.ejbdeploy/runtime -Dderby.system.home=/opt/IBM/WebSphere/AppServer/derby -Dcom.ibm.itp.location=/opt/IBM/WebSphere/AppServer/bin -Djava.util.logging.configureByServer=true -Dibm.websphere.preload.classes=true -Duser.install.root=/opt/IBM/WebSphere/AppServer/profiles/default -Dwas.install.root=/opt/IBM/WebSphere/AppServer -Djava.util.logging.manager=com.ibm.ws.bootstrap.WsLogManager -Ddb2j.system.home=/opt/IBM/WebSphere/AppServer/cloudscape -Dserver.root=/opt/IBM/WebSphere/AppServer/profiles/default -DCUSTOMER=GZTY -Doa_file_path=/oapath -Doapath=/oapath -Dencoding=GBK -Dfile.encoding=GBK -Djava.awt.headless=true -Djava.security.auth.login.config=/opt/IBM/WebSphere/AppServer/profiles/default/properties/wsjaas.conf -Djava.security.policy=/opt/IBM/WebSphere/AppServer/profiles/default/properties/server.policy com.ibm.ws.bootstrap.WSLauncher com.ibm.ws.runtime.WsServer /opt/IBM/WebSphere/AppServer/profiles/default/config localhostNode01Cell localhostNode01 server1
root    2772    1  0 10:12 tty1    00:00:00 /sbin/mingetty tty1
root    2773    1  0 10:12 tty2    00:00:00 /sbin/mingetty tty2
root    2774    1  0 10:12 tty3    00:00:00 /sbin/mingetty tty3
root    2776    1  0 10:12 tty4    00:00:00 /sbin/mingetty tty4
root    2779    1  0 10:12 tty5    00:00:00 /sbin/mingetty tty5
root    2783    1  0 10:12 tty6    00:00:00 /sbin/mingetty tty6
root    2897    1  0 10:12 ?       00:00:00 /usr/bin/gdm-binary -nodaemon
root    3196  2897  0 10:12 ?       00:00:00 /usr/bin/gdm-binary -nodaemon
root    3202  3196  0 10:12 ?       00:00:04 /usr/X11R6/bin/X :0 -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7
root    3274  3196  0 10:29 ?       00:00:00 /usr/bin/gnome-session
root    3296    1  0 10:29 ?       00:00:00 /usr/libexec/gconfd-2 13
root    3297  3274  0 10:29 ?       00:00:00 /bin/bash /etc/X11/xdm/Xsession default
root    3302  3297  0 10:29 ?       00:00:00 httx
root    3303  3302  0 10:29 ?       00:00:00 htt_xbe
root    3306    1  0 10:29 ?       00:00:00 /usr/bin/ssh-agent -s
root    3337    1  0 10:29 ?       00:00:00 /usr/bin/dbus-launch --exit-with-session /etc/X11/xinit/Xclients
root    3338    1  0 10:29 ?       00:00:00 dbus-daemon-1 --fork --print-pid 8 --print-address 6 --session
root    3344    1  0 10:29 ?       00:00:00 /usr/bin/gnome-keyring-daemon
root    3346    1  0 10:29 ?       00:00:00 /usr/libexec/bonobo-activation-server --ac-activate --ior-output-fd=18
root    3348    1  0 10:29 ?       00:00:00 /usr/libexec/gnome-settings-daemon --oaf-activate-iid=OAFIID:GNOME_SettingsDaemon --oaf-ior-fd=22
root    3352  3303  0 10:29 ?       00:00:00 com.redhat.chinput.status
root    3355    1  0 10:29 ?       00:00:00 /usr/libexec/gam_server
root    3382    1  0 10:29 ?       00:00:00 metacity --sm-save-file 1166688928-3308-1696153609.ms
root    3386    1  0 10:29 ?       00:00:00 gnome-panel --sm-config-prefix /gnome-panel-NX6KlA/ --sm-client-id 117f000001000116652125300000031880001 --screen 0
root    3388    1  0 10:29 ?       00:00:00 nautilus --sm-config-prefix /nautilus-pATrih/ --sm-client-id 117f000001000116652125300000031880003 --screen 0 --no-default-window
root    3390    1  0 10:29 ?       00:00:00 eggcups --sm-config-prefix /eggcups-K3pUuE/ --sm-client-id 117f000001000116652125400000031880004 --screen 0
root    3392    1  0 10:29 ?       00:00:00 /usr/bin/pam-panel-icon --sm-client-id 117f000001000116652125400000031880005
root    3394    1  0 10:29 ?       00:00:00 /usr/bin/python /usr/bin/rhn-applet-gui --sm-config-prefix /rhn-applet-bHxQ9z/ --sm-client-id 117f000001000116652125500000031880006 --screen 0
root    3395  3392  0 10:29 ?       00:00:00 /sbin/pam_timestamp_check -d root
root    3399    1  0 10:29 ?       00:00:00 /usr/libexec/gnome-vfs-daemon --oaf-activate-iid=OAFIID:GNOME_VFS_Daemon_Factory --oaf-ior-fd=28
root    3406    1  0 10:29 ?       00:00:00 /usr/libexec/mapping-daemon
root    3409    1  0 10:29 ?       00:00:00 /usr/libexec/wnck-applet --oaf-activate-iid=OAFIID:GNOME_Wncklet_Factory --oaf-ior-fd=30
root    3411    1  0 10:29 ?       00:00:00 /usr/libexec/mixer_applet2 --oaf-activate-iid=OAFIID:GNOME_MixerApplet_Factory --oaf-ior-fd=32
root    3413    1  0 10:29 ?       00:00:00 /usr/libexec/clock-applet --oaf-activate-iid=OAFIID:GNOME_ClockApplet_Factory --oaf-ior-fd=34
root    3415    1  0 10:29 ?       00:00:00 /usr/libexec/notification-area-applet --oaf-activate-iid=OAFIID:GNOME_NotificationAreaApplet_Factory --oaf-ior-fd=36
root    3417    1  0 10:29 ?       00:00:00 /usr/libexec/gnome-im-switcher-applet --oaf-activate-iid=OAFIID:GNOME_imswitcher_Factory --oaf-ior-fd=38
root    3419    1  0 10:30 ?       00:00:00 /usr/bin/gnome-terminal
root    3421  3419  0 10:30 ?       00:00:00 gnome-pty-helper
root    3422  3419  0 10:30 pts/1 00:00:00 bash
root    3440    1  0 10:35 ?       00:00:00 /usr/bin/system-config-network
root    3441  3440  0 10:35 ?       00:00:00 /usr/sbin/userhelper -w system-config-network
root    3442  3441  0 10:35 ?       00:00:01 /usr/bin/python /usr/sbin/system-config-network-gui
root    3667  2245  0 10:36 ?       00:00:00 sshd: root@notty
root    3676  3667  0 10:36 ?       00:00:00 /usr/libexec/openssh/sftp-server
root    3759  2245  0 11:01 ?       00:00:00 sshd: root@pts/2
root    3761  3759  0 11:02 pts/2 00:00:00 -bash
root    3796  3761  0 11:02 pts/2 00:00:00 ps -ef

文库|博客

troyme

小富即安

论坛徽章:: 0

2楼 [报告]

发表于 2008-03-05 13:48 |只看该作者

把gdm卸载掉试试看:wink: :wink:

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

返回列表

Chinaunix › 论坛 › 操作系统 › Linux系统管理 › 主人正在重新启动

主人正在重新启动 [复制链接]

浏览过的版块