[Network Management] Help: the company's Linux system may be infected, my boss wants me to fix it, waiting online!

#1 Posted 2007-04-13 09:22
Help: the company's Linux system may be infected, my boss wants me to fix it
The company network has been very unstable these past few days. The Linux gateway server (144.20.80.142) keeps dropping off the network and cannot be pinged, then comes back after a while. This happens all the time, and the machines inside the company keep getting infected too. Is there any good way to solve this? It's urgent!
The relevant system logs are as follows:
cat messages
Feb 14 12:01:51 DnProxy pppoe[2394]: Bad TCP checksum d745
Feb 14 12:01:57 DnProxy pppoe[2394]: Bad TCP checksum 97cf
Feb 14 12:04:09 DnProxy pppoe[2394]: Bad TCP checksum 14a4
Feb 14 12:09:16 DnProxy pppoe[2394]: Bad TCP checksum c2ee
Feb 14 12:46:47 DnProxy pppoe[2394]: Bad TCP checksum ef64
Feb 14 12:51:12 DnProxy smbd[5189]: [2007/02/14 12:51:12, 0] lib/util_sock.c:read_socket_data(384)
Feb 14 12:51:12 DnProxy smbd[5189]:   read_socket_data: recv failure for 4. Error = 连接超时
Feb 14 12:58:29 DnProxy pppoe[2394]: Bad TCP checksum 100
Feb 14 12:58:38 DnProxy last message repeated 2 times
Feb 14 13:16:37 DnProxy pppoe[2394]: Bad TCP checksum e873
Feb 14 13:26:36 DnProxy smbd[5325]: [2007/02/14 13:26:36, 0] lib/util_sock.c:read_socket_data(384)
Feb 14 13:26:36 DnProxy smbd[5325]:   read_socket_data: recv failure for 4. Error = Connection reset by peer
Feb 14 13:27:49 DnProxy pppoe[2394]: Bad TCP checksum 8285
Feb 14 13:28:29 DnProxy pppoe[2394]: Bad TCP checksum 68cf
Feb 14 13:40:56 DnProxy smbd[5350]: [2007/02/14 13:40:56, 0] lib/util_sock.c:read_socket_data(384)
Feb 14 13:40:56 DnProxy smbd[5350]:   read_socket_data: recv failure for 4. Error = Connection reset by peer
Feb 14 13:45:11 DnProxy smbd[5355]: [2007/02/14 13:45:11, 0] lib/util_sock.c:read_socket_data(384)
Feb 14 13:45:11 DnProxy smbd[5355]:   read_socket_data: recv failure for 4. Error = Connection reset by peer
Feb 14 13:51:28 DnProxy smbd[5368]: [2007/02/14 13:51:28, 0] lib/util_sock.c:read_socket_data(384)
Feb 14 13:51:28 DnProxy smbd[5368]:   read_socket_data: recv failure for 4. Error = Connection reset by peer
Feb 14 14:00:01 DnProxy smbd[5383]: [2007/02/14 14:00:01, 0] lib/util_sock.c:read_socket_data(384)

more secure
Feb 14 16:04:13 DnProxy sshd[5496]: Illegal user lpa from 88.52.113.164
Feb 14 16:04:15 DnProxy sshd[5496]: Failed password for illegal user lpa from 88.52.113.164 port 39787 ssh2
Feb 14 16:04:24 DnProxy sshd[5498]: Failed password for admin from 88.52.113.164 port 39971 ssh2
Feb 14 16:04:36 DnProxy sshd[5500]: Failed password for admin from 88.52.113.164 port 40152 ssh2
Feb 14 17:39:53 DnProxy sshd[6370]: Did not receive identification string from 211.189.50.94
Feb 14 17:42:08 DnProxy sshd[6371]: Failed password for root from 211.189.50.94 port 52781 ssh2
Feb 14 17:59:48 DnProxy sshd[6787]: Illegal user lpd from 222.73.236.51
Feb 14 17:59:50 DnProxy sshd[6787]: Failed password for illegal user lpd from 222.73.236.51 port 46675 ssh2
Feb 14 17:59:50 DnProxy sshd[6789]: Illegal user lpa from 222.73.236.51
Feb 14 17:59:53 DnProxy sshd[6789]: Failed password for illegal user lpa from 222.73.236.51 port 46900 ssh2
Feb 14 17:59:55 DnProxy sshd[6791]: Failed password for admin from 222.73.236.51 port 47130 ssh2
Feb 14 17:59:58 DnProxy sshd[6793]: Failed password for admin from 222.73.236.51 port 47362 ssh2
Feb 14 18:00:00 DnProxy sshd[6795]: Failed password for admin from 222.73.236.51 port 47601 ssh2
Feb 14 18:00:00 DnProxy sshd[6797]: Illegal user ftpuser from 222.73.236.51
Feb 14 18:00:03 DnProxy sshd[6797]: Failed password for illegal user ftpuser from 222.73.236.51 port 47855 ssh2
Feb 14 18:00:03 DnProxy sshd[6799]: Illegal user ftpuser from 222.73.236.51
Feb 14 18:00:05 DnProxy sshd[6799]: Failed password for illegal user ftpuser from 222.73.236.51 port 48103 ssh2
Feb 14 18:00:05 DnProxy sshd[6801]: Illegal user ftpuser from 222.73.236.51
Feb 14 18:00:08 DnProxy sshd[6801]: Failed password for illegal user ftpuser from 222.73.236.51 port 48344 ssh2
Feb 14 18:00:08 DnProxy sshd[6803]: Illegal user ftpuser from 222.73.236.51
Feb 14 18:00:10 DnProxy sshd[6803]: Failed password for illegal user ftpuser from 222.73.236.51 port 48585 ssh2
Feb 14 18:00:10 DnProxy sshd[6805]: Illegal user ftpuser from 222.73.236.51
Feb 14 18:00:13 DnProxy sshd[6805]: Failed password for illegal user ftpuser from 222.73.236.51 port 48822 ssh2
Feb 14 18:00:13 DnProxy sshd[6807]: Illegal user ftpuser from 222.73.236.51
Feb 14 18:00:15 DnProxy sshd[6807]: Failed password for illegal user ftpuser from 222.73.236.51 port 49054 ssh2
Feb 14 18:00:15 DnProxy sshd[6809]: Illegal user ftpuser from 222.73.236.51
Feb 14 18:00:18 DnProxy sshd[6809]: Failed password for illegal user ftpuser from 222.73.236.51 port 49308 ssh2
Feb 14 18:00:18 DnProxy sshd[6811]: Illegal user mailtest from 222.73.236.51
Feb 14 18:00:20 DnProxy sshd[6811]: Failed password for illegal user mailtest from 222.73.236.51 port 49544 ssh2
Feb 14 18:00:20 DnProxy sshd[6813]: Illegal user mailtest from 222.73.236.51
Feb 14 18:00:23 DnProxy sshd[6813]: Failed password for illegal user mailtest from 222.73.236.51 port 49777 ssh2
Feb 14 18:00:23 DnProxy sshd[6815]: Illegal user mailtest from 222.73.236.51
Feb 14 18:00:25 DnProxy sshd[6815]: Failed password for illegal user mailtest from 222.73.236.51 port 50012 ssh2
Feb 14 18:00:25 DnProxy sshd[6817]: Illegal user mailtest from 222.73.236.51

The company's Linux server is shut down every evening after work, so messages and secure under /var/log only contain the current day's entries, and from what I see they are all normal.
The contents of the passwd file are in my reply below; please help me check whether anything is wrong.

I also posted the messages and secure records in replies #10 and #13; please have a look and tell me if anything is wrong. The MAC address of eth1 and its traffic are as follows:
[root@DnProxy etc]# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:E0:4C:C3:41:60  
          inet addr:144.20.80.142  Bcast:144.20.80.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3136739 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3255192 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:606375596 (578.2 Mb)  TX bytes:2138286532 (2039.2 Mb)
          Interrupt:5 Base address:0xb000

[root@DnProxy etc]# tcpdump arp -i eth1
tcpdump: listening on eth1
16:12:39.192643 arp who-has 144.20.80.103 tell 144.20.80.142
16:12:39.192886 arp reply 144.20.80.103 is-at 0:f:1f:c6:80:80
16:12:41.122637 arp who-has 144.20.80.186 tell 144.20.80.142
16:12:41.122837 arp reply 144.20.80.186 is-at 0:15:c5:52:20:86
16:12:41.682637 arp who-has 144.20.80.125 tell 144.20.80.142
16:12:41.682830 arp reply 144.20.80.125 is-at 0:e0:4c:b4:f4:e
16:12:43.412641 arp who-has 144.20.80.206 tell 144.20.80.142
16:12:43.412799 arp reply 144.20.80.206 is-at 0:1:6c:88:ac:bd
16:12:43.852643 arp who-has 144.20.80.36 tell 144.20.80.142
16:12:43.852750 arp reply 144.20.80.36 is-at 0:8:2:e9:54:ac
16:12:45.987825 arp who-has 144.20.80.31 tell 144.20.80.233
16:12:45.987892 arp who-has 144.20.80.31 tell 144.20.80.191
16:12:58.267572 arp who-has 144.20.80.199 tell 144.20.80.200
16:12:58.932639 arp who-has 144.20.80.237 tell 144.20.80.142
16:12:58.932837 arp reply 144.20.80.237 is-at 0:40:95:a0:f:ca
16:13:03.292637 arp who-has 144.20.80.169 tell 144.20.80.142
16:13:03.292851 arp reply 144.20.80.169 is-at 0:a:e4:33:c5:26
16:13:03.482642 arp who-has 144.20.80.22 tell 144.20.80.142
16:13:03.482843 arp reply 144.20.80.22 is-at 0:8:74:9d:7d:3
16:13:03.492645 arp who-has 144.20.80.155 tell 144.20.80.142
16:13:03.492652 arp who-has 144.20.80.233 tell 144.20.80.142
16:13:03.492790 arp reply 144.20.80.233 is-at 0:18:8b:bb:ba:13
16:13:03.492794 arp reply 144.20.80.155 is-at 0:e0:4c:57:ac:37
16:13:03.662637 arp who-has 144.20.80.191 tell 144.20.80.142
16:13:03.662872 arp reply 144.20.80.191 is-at 0:12:3f:13:43:80
16:13:04.162638 arp who-has 144.20.80.240 tell 144.20.80.142
16:13:04.162808 arp reply 144.20.80.240 is-at 0:b:2f:0:c2:ed
16:13:05.152642 arp who-has 144.20.80.239 tell 144.20.80.142
16:13:05.152813 arp reply 144.20.80.239 is-at 0:14:38:1a:b5:1b
16:13:06.602644 arp who-has 144.20.80.35 tell 144.20.80.142
16:13:06.602805 arp reply 144.20.80.35 is-at 0:3:d:19:c0:75
16:13:09.422642 arp who-has 144.20.80.111 tell 144.20.80.142
16:13:09.422808 arp reply 144.20.80.111 is-at 0:12:79:5a:5f:2a
16:13:10.572643 arp who-has 144.20.80.103 tell 144.20.80.142
16:13:10.572813 arp reply 144.20.80.103 is-at 0:f:1f:c6:80:80
16:13:10.692641 arp who-has 144.20.80.125 tell 144.20.80.142
16:13:10.692822 arp reply 144.20.80.125 is-at 0:e0:4c:b4:f4:e
16:13:13.142643 arp who-has 144.20.80.186 tell 144.20.80.142
16:13:13.142835 arp reply 144.20.80.186 is-at 0:15:c5:52:20:86
16:13:13.821269 arp who-has 144.20.80.142 tell 144.20.80.198
16:13:13.821290 arp reply 144.20.80.142 is-at 0:e0:4c:c3:41:60

41 packets received by filter
0 packets dropped by kernel

Also, the entries containing the keyword 'arp' produced by tcpdump -nn -i eth1 > error.network are in my reply at #27. Isn't this too many MAC addresses?

[This post was last edited by zhbl on 2007-4-13 16:18]
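As an added example (not part of the original post), here is a small Python check over the `secure` lines quoted above: it parses the `Failed password` entries, groups them by source IP and flags any source with five or more failures inside a 60-second window, which is what the burst from 222.73.236.51 looks like. The sample lines are copied from the excerpt above; the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines copied from the "more secure" excerpt in the post above.
SECURE_LOG = """\
Feb 14 16:04:13 DnProxy sshd[5496]: Illegal user lpa from 88.52.113.164
Feb 14 16:04:15 DnProxy sshd[5496]: Failed password for illegal user lpa from 88.52.113.164 port 39787 ssh2
Feb 14 16:04:24 DnProxy sshd[5498]: Failed password for admin from 88.52.113.164 port 39971 ssh2
Feb 14 17:42:08 DnProxy sshd[6371]: Failed password for root from 211.189.50.94 port 52781 ssh2
Feb 14 17:59:50 DnProxy sshd[6787]: Failed password for illegal user lpd from 222.73.236.51 port 46675 ssh2
Feb 14 17:59:53 DnProxy sshd[6789]: Failed password for illegal user lpa from 222.73.236.51 port 46900 ssh2
Feb 14 17:59:55 DnProxy sshd[6791]: Failed password for admin from 222.73.236.51 port 47130 ssh2
Feb 14 17:59:58 DnProxy sshd[6793]: Failed password for admin from 222.73.236.51 port 47362 ssh2
Feb 14 18:00:00 DnProxy sshd[6795]: Failed password for admin from 222.73.236.51 port 47601 ssh2
Feb 14 18:00:03 DnProxy sshd[6797]: Failed password for illegal user ftpuser from 222.73.236.51 port 47855 ssh2
"""

# Matches the old-style OpenSSH "Failed password" line; "illegal user " is present
# only when the account does not exist on the box.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<illegal>illegal user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_failures(text, year=2007):
    """Yield (timestamp, ip, user, is_illegal) for every 'Failed password' line."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog lines carry no year, so the caller supplies it (assumed 2007 here).
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"], bool(m["illegal"])

def find_bruteforce(text, threshold=5, window_s=60):
    """Return {ip: (failures, distinct_users, invalid_user_attempts)} for each source
    that produced at least `threshold` failures inside any `window_s`-second window."""
    by_ip = defaultdict(list)
    for ts, ip, user, illegal in parse_failures(text):
        by_ip[ip].append((ts, user, illegal))
    hits = {}
    for ip, events in by_ip.items():
        times = [e[0] for e in events]  # syslog order is already chronological
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                hits[ip] = (len(events), len({e[1] for e in events}), sum(e[2] for e in events))
                break
    return hits
```

Only the 222.73.236.51 source trips the rule (6 failures against 4 usernames, 3 of which do not exist); the other two sources stay below the threshold and are just noise worth watching.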
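An added example (not from the thread) that addresses the question above about whether there are too many MACs: it parses `tcpdump` ARP reply lines and reports any IP answered by more than one MAC, or one MAC answering for several IPs, which is the signature of ARP spoofing on a LAN. The sample takes a few reply lines from the dump above plus one constructed conflicting line (MAC de:ad:be:ef:00:01) so that a hit is visible.

```python
import re
from collections import defaultdict

# Sample input: reply lines copied from the tcpdump output above, plus one constructed
# line (the last one) that makes 144.20.80.103 answer from a second, made-up MAC.
ARP_DUMP = """\
16:12:39.192886 arp reply 144.20.80.103 is-at 0:f:1f:c6:80:80
16:12:41.122837 arp reply 144.20.80.186 is-at 0:15:c5:52:20:86
16:12:45.987825 arp who-has 144.20.80.31 tell 144.20.80.233
16:13:10.572813 arp reply 144.20.80.103 is-at 0:f:1f:c6:80:80
16:13:13.821290 arp reply 144.20.80.142 is-at 0:e0:4c:c3:41:60
16:13:20.000000 arp reply 144.20.80.103 is-at de:ad:be:ef:00:01
"""

REPLY = re.compile(r"arp reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]+)")

def normalize_mac(mac):
    """tcpdump prints octets unpadded (0:f:1f:...); pad them so '0:f' and '00:0f' compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def arp_table(text):
    """Map each IP to the set of MACs that have claimed it in ARP replies."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = REPLY.search(line)  # who-has requests carry no MAC and are skipped
        if m:
            seen[m["ip"]].add(normalize_mac(m["mac"]))
    return seen

def arp_conflicts(text):
    """Return (ip_conflicts, mac_conflicts): IPs claimed by several MACs, and MACs
    claiming several IPs. Either one is worth investigating on a gateway that keeps
    'disappearing' from the LAN."""
    table = arp_table(text)
    ip_conflicts = {ip: sorted(macs) for ip, macs in table.items() if len(macs) > 1}
    by_mac = defaultdict(set)
    for ip, macs in table.items():
        for mac in macs:
            by_mac[mac].add(ip)
    mac_conflicts = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return ip_conflicts, mac_conflicts
```

Run over the full dump in the post above (without the constructed line) it reports nothing, because every IP there is answered by exactly one MAC and no MAC answers for two IPs.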

#2 Posted 2007-04-13 09:36
Ugh, who can help you when you give so little detail!!

#3 Posted 2007-04-13 09:36
Ugh, who can help you when you give so little detail!!

#4 Posted 2007-04-13 09:38
What information do you need? Tell me and I'll post it, OK? It's urgent.

landwater (this user has been deleted)
#5 Posted 2007-04-13 09:41
Notice: the author has been banned or deleted; the content is automatically hidden.

#6 Posted 2007-04-13 09:43
Here is the passwd record:
[root@DnProxy etc]# more passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
ident:x:100:101::/home/ident:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
desktop:x:80:80:desktop:/var/lib/menu/kde:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
admin:x:500:500::/home/admin:/bin/bash
dn:x:501:501::/home/dn:/bin/bash

#7 Posted 2007-04-13 09:51
admin:x:500:500::/home/admin:/bin/bash
Does this user exist on a freshly installed system?

#8 Posted 2007-04-13 09:53
The company's Linux server is shut down every evening after work, so messages and secure under /var/log only contain the current day's entries, and from what I see they are all normal.

#9 Posted 2007-04-13 09:57

Reply to #5 landwater's post

Thanks for your reply. It seems there are a lot of viruses on the company's internal network. I just joined this company and the system was freshly installed; within a few days there were lots of viruses. Could this cause the Linux gateway to drop offline so frequently?

#10 Posted 2007-04-13 10:05
Here are the messages records from a few days ago; please check whether anything is wrong:
Feb 14 07:17:45 DnProxy smbd[4959]:   read_socket_data: recv failure for 4. Error = Connection reset by peer
Feb 14 07:38:50 DnProxy smbd[4962]: [2007/02/14 07:38:50, 0] lib/util_sock.c:get_peer_addr(1000)
Feb 14 07:38:50 DnProxy smbd[4962]:   getpeername failed. Error was 传输端点尚未连接
Feb 14 07:38:50 DnProxy smbd[4962]: [2007/02/14 07:38:50, 0] lib/util_sock.c:read_socket_data(384)
Feb 14 07:38:50 DnProxy smbd[4962]:   read_socket_data: recv failure for 4. Error = Connection reset by peer
Feb 14 07:39:01 DnProxy smbd[4963]: [2007/02/14 07:39:01, 0] lib/util_sock.c:read_socket_data(384)
Feb 14 07:39:01 DnProxy smbd[4963]:   read_socket_data: recv failure for 4. Error = Connection reset by peer
Feb 14 07:39:18 DnProxy smbd[4964]: [2007/02/14 07:39:18, 0] lib/util_sock.c:read_socket_data(384)
Feb 14 07:39:18 DnProxy smbd[4964]:   read_socket_data: recv failure for 4. Error = Connection reset by peer
Feb 14 08:47:18 DnProxy smbd[4975]: [2007/02/14 08:47:18, 0] lib/util_sock.c:read_socket_data(384)
Feb 14 08:47:18 DnProxy smbd[4975]:   read_socket_data: recv failure for 4. Error = Connection reset by peer
Feb 14 08:47:22 DnProxy smbd[4976]: [2007/02/14 08:47:22, 0] lib/util_sock.c:read_socket_data(384)
Feb 14 08:47:22 DnProxy smbd[4976]:   read_socket_data: recv failure for 4. Error = Connection reset by peer
Feb 14 08:53:31 DnProxy smbd[4981]: [2007/02/14 08:53:31, 0] lib/util_sock.c:read_socket_data(384)
Feb 14 08:53:31 DnProxy smbd[4981]:   read_socket_data: recv failure for 4. Error = Connection reset by peer
Feb 14 09:10:12 DnProxy smbd[4997]: [2007/02/14 09:10:12, 0] lib/util_sock.c:read_socket_data(384)
Feb 14 09:10:12 DnProxy smbd[4997]:   read_socket_data: recv failure for 4. Error = Connection reset by peer
Feb 14 09:16:20 DnProxy smbd[5002]: [2007/02/14 09:16:20, 0] lib/util_sock.c:read_socket_data(384)
Feb 14 09:16:20 DnProxy smbd[5002]:   read_socket_data: recv failure for 4. Error = Connection reset by peer
Feb 14 09:22:08 DnProxy smbd[5005]: [2007/02/14 09:22:08, 0] lib/util_sock.c:read_socket_data(384)
Feb 14 09:22:08 DnProxy smbd[5005]:   read_socket_data: recv failure for 4. Error = Connection reset by peer
Feb 14 09:27:27 DnProxy smbd[5011]: [2007/02/14 09:27:27, 0] lib/util_sock.c:read_socket_data(384)
Feb 14 09:27:27 DnProxy smbd[5011]:   read_socket_data: recv failure for 4. Error = Connection reset by peer
Feb 14 11:19:31 DnProxy smbd[5171]: [2007/02/14 11:19:31, 0] lib/util_sock.c:read_socket_data(384)
Feb 14 11:19:31 DnProxy smbd[5171]:   read_socket_data: recv failure for 4. Error = Connection reset by peer
Feb 14 11:23:58 DnProxy smbd[5179]: [2007/02/14 11:23:58, 0] lib/util_sock.c:read_socket_data(384)
Feb 14 11:23:58 DnProxy smbd[5179]:   read_socket_data: recv failure for 4. Error = Connection reset by peer
Feb 14 11:32:47 DnProxy pppoe[2394]: Bad TCP checksum e873
Feb 14 11:33:32 DnProxy pppoe[2394]: Bad TCP checksum cad6
Feb 14 11:37:10 DnProxy pppoe[2394]: Bad TCP checksum e873
Feb 14 11:37:30 DnProxy pppoe[2394]: Bad TCP checksum e94c
Feb 14 11:40:04 DnProxy smbd[5194]: [2007/02/14 11:40:04, 0] lib/util_sock.c:read_socket_data(384)
Feb 14 11:40:04 DnProxy smbd[5194]:   read_socket_data: recv failure for 4. Error = Connection reset by peer
Feb 14 11:40:05 DnProxy smbd[5195]: [2007/02/14 11:40:05, 0] lib/util_sock.c:read_socket_data(384)
Feb 14 11:40:05 DnProxy smbd[5195]:   read_socket_data: recv failure for 4. Error = Connection reset by peer
Feb 14 11:40:15 DnProxy smbd[5196]: [2007/02/14 11:40:15, 0] lib/util_sock.c:read_socket_data(384)
Feb 14 11:40:15 DnProxy smbd[5196]:   read_socket_data: recv failure for 4. Error = Connection reset by peer
Feb 14 11:40:26 DnProxy pppoe[2394]: Bad TCP checksum 9e52