The gateway detected abnormal traffic on the uplink network port.

When I looked at my host, it kept logging the error below, and pinging the host's address got no reply:

Mar 31 12:32:37 radius-host /usr/lib/snmp/snmpdx: [ID 702911 daemon.error] error while receiving a pdu from 173.1.78.3.38328: Decode the header of message failed: asn length too long
Mar 31 12:32:37 radius-host last message repeated 1 time
Mar 31 12:32:40 radius-host /usr/lib/snmp/snmpdx: [ID 702911 daemon.error] error while receiving a pdu from 173.1.78.124.65378: Decode the header of message failed: asn length too long
Mar 31 12:32:40 radius-host last message repeated 1 time
Mar 31 12:32:41 radius-host /usr/lib/snmp/snmpdx: [ID 702911 daemon.error] error while receiving a pdu from 173.1.78.178.38040: Decode the header of message failed: asn length too long
Mar 31 12:32:41 radius-host last message repeated 1 time
Mar 31 12:32:42 radius-host /usr/lib/snmp/snmpdx: [ID 702911 daemon.error] error while receiving a pdu from 173.1.78.58.36007: Decode the header of message failed: asn length too long
Mar 31 12:32:42 radius-host last message repeated 1 time
Mar 31 12:32:42 radius-host /usr/lib/snmp/snmpdx: [ID 702911 daemon.error] error while receiving a pdu from 173.1.78.132.23222: Decode the header of message failed: asn length too long
Mar 31 12:32:42 radius-host last message repeated 1 time
Mar 31 12:32:43 radius-host snmpXdmid: [ID 334616 daemon.error] Error receiving PDU Decode the header of message failed: asn length too long.
Mar 31 12:32:43 radius-host snmpXdmid: [ID 352064 daemon.error] Error receiving packet from agent; rc = -1.
Mar 31 12:32:43 radius-host snmpXdmid: [ID 669004 daemon.error] Will attempt to re-establish connection.
Mar 31 12:32:43 radius-host snmpXdmid: [ID 334616 daemon.error] Error receiving PDU Decode the header of message failed: asn length too long.
Mar 31 12:32:43 radius-host snmpXdmid: [ID 352064 daemon.error] Error receiving packet from agent; rc = -1.
Mar 31 12:32:43 radius-host snmpXdmid: [ID 669004 daemon.error] Will attempt to re-establish connection.

After I killed the snmpXdmid process, the address started responding again.

But then I noticed in prstat a process called g3m that was pegging the CPU. The strange thing is that `ps -ef | grep g3m` could not find this process, and grepping for its PID did not work either. All I know is that it was started as root; I have no idea from what path.

Later, using the find command, I saw that /usr/lib/ contained a /usr/lib/.../g3m. After renaming it and killing every g3m PID, the CPU load dropped right away.
==============================================
So, has my machine been turned into a zombie (肉鸡)? How did they get in? Has anyone run into this g3m, and what is it??

I have already changed the passwords of all accounts and kicked off every pts login session that showed up in who. What other precautions can I take from here?

I now see that /var/adm/sulog gets a root-radius entry (radius is the account we use for daily operations) every minute. Does that mean the intruder is still inside my system?

[This post was last edited by guozhongyan on 2009-3-31 18:29]
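The three symptoms in the post (a process that prstat shows but ps does not, a "..." directory hidden under /usr/lib, and a su record recurring every minute) can each be turned into a repeatable check. The script below is an added example written for this page; it is not from the original thread or from any Solaris tool. The paths, PIDs and sulog lines it works on are constructed samples, the threshold of three distinct minutes is an assumption, and the sulog layout it parses is the Solaris one (`SU MM/DD HH:MM +|- tty from-to`). It is POSIX sh plus awk, so it runs on Solaris as well as Linux; the `hidden_pids` check compares `ls /proc` against `ps -e -o pid=`, which catches a replaced `ps` binary filtering its output but not a kernel-level rootkit that also lies to /proc, so on a suspect host run it with `ps` and `awk` copied from known-good media.

```shell
#!/bin/sh
# Triage helpers for a suspected compromise: hidden "..." directories, PIDs that
# ps does not show, and su activity that recurs on a fixed cadence.
# All sample data in make_samples is constructed for this example.

# Print every path that has a component made of three or more dots.
# "." and ".." are legitimate; "..." (as in /usr/lib/.../g3m) is not.
# Feed it "find /usr/lib -print" or a saved listing on stdin.
flag_dot_dirs() {
    awk -F/ '{ for (i = 2; i <= NF; i++) if ($i ~ /^\.\.\.+$/) { print; break } }'
}

# Print PIDs present in the first list (e.g. "ls /proc") but absent from the
# second (e.g. "ps -e -o pid="). A trojaned ps drops entries; /proc does not.
hidden_pids() {
    awk 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# Report from-to pairs (field 6, e.g. root-radius) and the terminal they came
# from (field 5) that appear in at least $2 distinct minutes of sulog $1.
# A pair that shows up on every minute, on the same terminal, is worth matching
# against root's crontab and any at(1) jobs before assuming a live intruder.
su_cadence() {
    awk -v thr="$2" '
        $1 == "SU" { minutes[$6 " " $5 " " $2 " " $3] = 1 }
        END {
            for (k in minutes) { split(k, a, " "); count[a[1] " " a[2]]++ }
            for (p in count) if (count[p] >= thr) print p, count[p]
        }' "$1" | sort
}

# Write constructed sample inputs into a scratch directory and echo its path.
make_samples() {
    d=$(mktemp -d)
    # Listing: one normal library, one ".." path component, one "..." hideout.
    printf '%s\n' /usr/lib/libc.so.1 /usr/lib/../bin/ls /usr/lib/.../g3m \
        /usr/lib/snmp/snmpdx > "$d/paths"
    # PIDs as /proc would list them versus what a filtering ps prints.
    printf '%s\n' 1 102 4711 4712 9000 > "$d/proc_pids"
    printf '%s\n' 1 102 9000 > "$d/ps_pids"
    # Solaris-style sulog: root-radius from the console every minute, plus an
    # interactive radius-root session that should not be flagged.
    cat > "$d/sulog" <<'EOF'
SU 03/31 12:30 + console root-radius
SU 03/31 12:31 + console root-radius
SU 03/31 12:31 + pts/3 radius-root
SU 03/31 12:32 + console root-radius
SU 03/31 12:32 - pts/3 radius-root
SU 03/31 12:33 + console root-radius
EOF
    echo "$d"
}

# Stand-alone run against the constructed samples.
samples=$(make_samples)
echo "== path components made of dots =="
flag_dot_dirs < "$samples/paths"
echo "== PIDs in /proc but missing from ps =="
hidden_pids "$samples/proc_pids" "$samples/ps_pids"
echo "== su pairs seen in 3 or more distinct minutes =="
su_cadence "$samples/sulog" 3
rm -rf "$samples"
```

On a real host, replace the sample files with `find / -print`, `ls /proc`, `ps -e -o pid=` and `/var/adm/sulog`; a hit from `hidden_pids` means the running `ps` cannot be trusted and the box should be rebuilt from media rather than cleaned in place.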