I have a Red Hat Linux release 9 server in an IDC hosting facility. It is only used for testing and runs no services,
but recently I have noticed on the switch's traffic graph that its traffic often spikes above 7M, always in the evening or at night. On top of that, an
unexplained user has appeared on the system. I would like to ask everyone:
1. How was it hacked? Does Red Hat 9 have any vulnerabilities? I have iptables enabled, with the strictest policy.
2. What is that heavy traffic?
Attached: system information
#uname -a
Linux 2.4.26 #1 SMP Sat Jun 5 14:04:39 CST 2004 i686 i686 i386 GNU/Linux
#netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:32769 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:199 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:32768 0.0.0.0:*
udp 0 0 0.0.0.0:792 0.0.0.0:*
udp 0 0 0.0.0.0:161 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
#iptables -L -nv
Chain INPUT (policy DROP 9 packets, 544 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `INPUT ! SYN : '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW
979 69824 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 18
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 flags:0x16/0x02 state NEW
0 0 ACCEPT tcp -- * * x.x.x.x/24 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02 state NEW
8 936 ACCEPT all -- * * x.x.x.x/27 0.0.0.0/0
9 544 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 6 prefix `[INPUT] : '
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 2 packets, 152 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
853 256K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 17
0 0 ACCEPT udp -- * * x.x.x.x/27 0.0.0.0/0 udp dpt:123
2 152 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 6 prefix `[OUTPUT] : '
Note: x.x.x.x is our LAN's IP.
# ps -ax
PID TTY STAT TIME COMMAND
1 ? S 0:41 init [3]
2 ? SW 0:00 [keventd]
3 ? SWN 0:00 [ksoftirqd_CPU0]
4 ? SWN 0:00 [ksoftirqd_CPU1]
5 ? SW 0:00 [kswapd]
6 ? SW 0:00 [bdflush]
7 ? SW 0:11 [kupdated]
9 ? SW 0:00 [ahc_dv_0]
10 ? SW 0:00 [ahc_dv_1]
11 ? SW 0:00 [scsi_eh_0]
12 ? SW 0:00 [scsi_eh_1]
13 ? SW 0:00 [khubd]
14 ? SW 0:09 [kjournald]
133 ? SW 0:04 [kjournald]
134 ? SW 0:06 [kjournald]
135 ? SW 0:11 [kjournald]
136 ? SW 0:00 [kjournald]
137 ? SW 0:00 [kjournald]
1021 ? S 0:00 portmap
1040 ? S 0:00 rpc.statd
1133 ? S 1:27 /usr/sbin/sshd
1147 ? S 0:00 xinetd -stayalive -reuse -pidfile /var/run/xinetd.pid
1161 ? SL 2:15 ntpd -U ntp -g
1180 ? S 1:47 sendmail: accepting connections
1189 ? S 0:01 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
1199 ? S 0:00 gpm -t ps/2 -m /dev/psaux
1208 ? S 0:03 crond
1289 ? S 0:00 xfs -droppriv -daemon
1307 ? S 0:01 /usr/sbin/atd
1321 tty1 S 0:00 /sbin/mingetty tty1
1322 tty2 S 0:00 /sbin/mingetty tty2
1323 tty3 S 0:00 /sbin/mingetty tty3
1324 tty4 S 0:00 /sbin/mingetty tty4
1325 tty5 S 0:00 /sbin/mingetty tty5
1326 tty6 S 0:00 /sbin/mingetty tty6
2791 ? S 0:26 /usr/sbin/snmpd -s -l /dev/null -P /var/run/snmpd -a
4002 ? S 0:00 syslogd -m 0
4006 ? S 0:00 klogd -x
5082 ? S 0:02 cupsd
12760 ? S 0:00 /usr/sbin/sshd
12762 pts/1 S 0:00 -bash
12820 ? S 0:00 /usr/sbin/sshd
12822 pts/2 S 0:00 -bash
12914 pts/2 R 0:00 ps -ax
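As an added example (this is not part of the original post and not the poster's own code), here is a small Python script that replays a fresh connection attempt from a chosen source against the posted INPUT chain and the posted `netstat -ln` listeners, and reports which listening sockets are actually exposed to that source. It assumes the Internet-facing interface is `eth0`, that the poster's x.x.x.x/27 lies inside x.x.x.x/24, and that the chain shown was loaded at the time of the intrusion; the sample text embedded below is copied (trimmed) from the post.

```python
import re

# Sample data copied (trimmed) from the posted `netstat -ln` and `iptables -L -nv` output.
NETSTAT = """\
tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:199 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:32768 0.0.0.0:*
udp 0 0 0.0.0.0:161 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
"""
INPUT_CHAIN = """\
Chain INPUT (policy DROP 9 packets, 544 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `INPUT ! SYN : '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW
979 69824 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 3
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 flags:0x16/0x02 state NEW
0 0 ACCEPT tcp -- * * x.x.x.x/24 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02 state NEW
8 936 ACCEPT all -- * * x.x.x.x/27 0.0.0.0/0
9 544 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 6 prefix `[INPUT] : '
"""

SYN = 0x02          # TCP flag bits carried by a connection-opening packet
EXT_IFACE = "eth0"  # assumption: name of the Internet-facing interface
# A source is described by the set of rule prefixes it falls inside.
# Assumption: the poster's x.x.x.x/27 lies inside x.x.x.x/24.
INTERNET = {"0.0.0.0/0"}
LAN27 = {"0.0.0.0/0", "x.x.x.x/24", "x.x.x.x/27"}

# pkts bytes target prot opt in out source destination <extra match text>
RULE_RE = re.compile(r"^\s*\d+\s+\d+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+\S+\s+(\S+)\s+\S+\s*(.*)$")

def parse_listeners(text):
    """(proto, bind address, port) for each listening socket in `netstat -ln` output."""
    out = []
    for f in (ln.split() for ln in text.splitlines()):
        if len(f) >= 4 and f[0] in ("tcp", "udp"):
            addr, port = f[3].rsplit(":", 1)
            out.append((f[0], addr, int(port)))
    return out

def parse_input_chain(text):
    """Chain policy plus the ordered rules, each reduced to the match fields we simulate."""
    policy, rules = None, []
    for line in text.splitlines():
        m = re.match(r"Chain INPUT \(policy (\w+)", line)
        if m:
            policy = m.group(1)
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target, prot, iface, src, extra = m.groups()
        dpt = re.search(r"dpt:(\d+)", extra)
        state = re.search(r"state (\S+)", extra)
        flags = re.search(r"flags:(!?)0x([0-9a-f]+)/0x([0-9a-f]+)", extra, re.I)
        rules.append({
            "target": target, "prot": prot, "in": iface, "src": src,
            "dport": int(dpt.group(1)) if dpt else None,
            "states": set(state.group(1).split(",")) if state else None,
            "flags": (flags.group(1) == "!", int(flags.group(2), 16), int(flags.group(3), 16)) if flags else None,
        })
    return policy, rules

def rule_matches(rule, proto, port, src_prefixes):
    """Would a fresh (state NEW) SYN or datagram to proto/port from this source hit the rule?"""
    if rule["in"] not in ("*", EXT_IFACE) or rule["prot"] not in ("all", proto):
        return False
    if rule["src"] not in src_prefixes or (rule["dport"] is not None and rule["dport"] != port):
        return False
    if rule["states"] is not None and "NEW" not in rule["states"]:
        return False  # RELATED,ESTABLISHED never matches a new connection
    if rule["flags"] is not None:
        if proto != "tcp":
            return False
        negate, mask, want = rule["flags"]
        if ((SYN & mask) == want) == negate:  # a leading "!" inverts the flag test
            return False
    return True

def verdict(policy, rules, proto, port, src_prefixes):
    """First terminating target that matches, else the chain policy. LOG is non-terminating."""
    for r in rules:
        if rule_matches(r, proto, port, src_prefixes) and r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
    return policy

def exposure(netstat_text, chain_text, src_prefixes):
    """Map (proto, port) of every listener to ACCEPT/DROP/REJECT, or LOCAL-ONLY for 127.x binds."""
    policy, rules = parse_input_chain(chain_text)
    return {(proto, port): "LOCAL-ONLY" if addr.startswith("127.")
            else verdict(policy, rules, proto, port, src_prefixes)
            for proto, addr, port in parse_listeners(netstat_text)}

if __name__ == "__main__":
    for label, src in (("Internet", INTERNET), ("LAN x.x.x.x/27", LAN27)):
        print("== source:", label)
        for (proto, port), v in sorted(exposure(NETSTAT, INPUT_CHAIN, src).items()):
            print(f"  {proto}/{port:<5} {v}")
```

For the posted data every 0.0.0.0 listener (portmap/rpc.statd on 111 and 32768, snmpd on 161 and 199, sshd on 22) comes back DROP from the Internet and ACCEPT from the x.x.x.x/27, so with this chain loaded the remote attack surface is limited to the sources the rules trust plus whatever a RELATED/ESTABLISHED match lets back in. The simulation only describes the chain as it was when `iptables -L -nv` ran; it says nothing about what was loaded before that.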