论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2006-07-29 22:58 |只看该作者 |倒序浏览

系统是RH9.0,是单位的www+DNS+qmail服务器,平常访问量并不是很大,已经用了两年多,一直都还正常,最近系统总是隔几天就没有响应,具体现象是:能ping通, nmap 扫描端口时,能看到端口都开着,有时会显示端口被filtered了.主要的问题就是所有对服务器的请求都没有响应了,http,邮件,以及ssh都没有任何发应. 起器重启后就一切正常.过段时间又会发生同样的问题. 系统日志里没有任何异常的记录. 我已经为这个问题折腾得没有办法了,请大家帮忙分析一下原因. 请版主原谅我要贴比较长的系统日志,以及有关网络连接状态的信息.  以下218.108.**.**为本机的IP地址

出现异常时 nmap 218.108.**.** -P0结果:
[aaa]$ nmap -P0 218.108.**.**

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2006-07-29 22:11 CST
Interesting ports on 218.108.**.**:
(The 1649 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
21/tcp open    ftp
22/tcp open    ssh
25/tcp filtered smtp
53/tcp open    domain
80/tcp filtered http
82/tcp open    xfer
110/tcp  open    pop3
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
3306/tcp open    mysql

[aaa]$ nmap -P0 218.108.**.**

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2006-07-29 22:14 CST
Interesting ports on 218.108.**.**:
(The 1649 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
21/tcp open    ftp
22/tcp open    ssh
25/tcp open    smtp
53/tcp open    domain
80/tcp open    http
82/tcp open    xfer
110/tcp  open    pop3
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
3306/tcp open    mysql

Nmap run completed -- 1 IP address (1 host up) scanned in 11.257 seconds

[aaa]$ nmap -P0 218.108.**.**

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2006-07-29 22:16 CST
Interesting ports on 218.108.**.**:
(The 1649 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
21/tcp open    ftp
22/tcp open    ssh
25/tcp open    smtp
53/tcp open    domain
80/tcp filtered http
82/tcp open    xfer
110/tcp  open    pop3
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
3306/tcp open    mysql

Nmap run completed -- 1 IP address (1 host up) scanned in 11.369 seconds

shuecy

白手起家

论坛徽章:: 0

2楼 [报告]

发表于 2006-07-29 23:01 |只看该作者

在系统出错前系统日志中的最后记录

这是机器重启后,message文件中在机器重启前的有关记录. 这些好象和系统出错没有什么关系

Jul 29 21:16:57 www sshd[7624]: error: Could not get shadow information for NOUSER
Jul 29 21:16:57 www sshd[7624]: Failed password for invalid user test1 from 72.232.184.114 port 58127 ssh2
Jul 29 21:16:59 www sshd[7626]: Invalid user user from 72.232.184.114
Jul 29 21:16:59 www sshd[7626]: reverse mapping checking getaddrinfo for 114.184.232.72.reverse.layeredtech.com failed - POSSIBLE BREAKIN ATTEMPT!
Jul 29 21:16:59 www sshd[7626]: error: Could not get shadow information for NOUSER
Jul 29 21:16:59 www sshd[7626]: Failed password for invalid user user from 72.232.184.114 port 58160 ssh2
Jul 29 21:17:01 www sshd[7628]: Failed password for root from 72.232.184.114 port 58183 ssh2
Jul 29 21:17:01 www sshd[7628]: reverse mapping checking getaddrinfo for 114.184.232.72.reverse.layeredtech.com failed - POSSIBLE BREAKIN ATTEMPT!
Jul 29 21:17:03 www sshd[7631]: Failed password for root from 72.232.184.114 port 58216 ssh2
Jul 29 21:17:03 www sshd[7631]: reverse mapping checking getaddrinfo for 114.184.232.72.reverse.layeredtech.com failed - POSSIBLE BREAKIN ATTEMPT!
Jul 29 21:17:05 www sshd[7634]: Failed password for root from 72.232.184.114 port 58242 ssh2
Jul 29 21:17:05 www sshd[7634]: reverse mapping checking getaddrinfo for 114.184.232.72.reverse.layeredtech.com failed - POSSIBLE BREAKIN ATTEMPT!
Jul 29 22:22:22 www syslogd 1.4.1: restart.

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

shuecy

白手起家

论坛徽章:: 0

3楼 [报告]

发表于 2006-07-29 23:06 |只看该作者

netstat -ao 的输出 (只贴出部分可疑信息,)

www.mydomain.com 是我的主机名

tcp       0    0 www.mydomain.com:http 201.254.182.60.bro:4035 SYN_RECV on (86.92/5/0)
tcp       0    0 www.mydomain.com:http 201.254.182.60.bro:4039 SYN_RECV on (86.92/5/0)
tcp       0    0 www.mydomain.com:http 201.254.182.60.bro:4037 SYN_RECV on (86.92/5/0)
tcp       0    0 www.mydomain.com:http 220.205.139.100:1312 SYN_RECV on (1.07/0/0)
tcp       0    0 www.mydomain.com:http 220.205.212.83:1751    SYN_RECV on (0.32/5/0)
tcp       0    0 www.mydomain.com:http 201.254.182.60.bro:4034 SYN_RECV on (86.12/5/0)
tcp       0    0 www.mydomain.com:http 201.254.182.60.bro:4038 SYN_RECV on (86.12/5/0)
tcp       0    0 www.mydomain.com:http 201.254.182.60.bro:4036 SYN_RECV on (86.12/5/0)
tcp       0    0 www.mydomain.com:http 201.254.182.60.bro:4040 SYN_RECV on (86.32/5/0)

tcp       0  30660 www.mydomain.com:http hn.kd.jz.adsl:2005    ESTABLISHED on (0.52/0/0)
tcp       0    0 www.mydomain.com:http lj601399.inktomis:50244 TIME_WAIT timewait (37.87/0/0)
tcp       0    0 www.mydomain.com:http hn.kd.jz.adsl:1993    TIME_WAIT timewait (54.24/0/0)
tcp       0    0 www.mydomain.com:http crawl-66-249-72-3:50213 ESTABLISHED keepalive (7196.58/0/0)
tcp       0    0 www.mydomain.com:http lj601109.inktomis:48065 TIME_WAIT timewait (58.50/0/0)
tcp       0    0 www.mydomain.com:http lj9079.inktomisea:42442 TIME_WAIT timewait (54.03/0/0)

tcp       0    0 www.mydomain.com:http 220.205.146.114:1398 ESTABLISHED keepalive (7189.54/0/0)
tcp       0    0 www.mydomain.com:http crawl-66-249-72-4:41939 ESTABLISHED keepalive (7189.49/0/0)
tcp       0    0 www.mydomain.com:32912 www.mydomain.com:http TIME_WAIT timewait (14.13/0/0)
tcp       0    0 localhost.localdo:32913 localhost.localdom:http TIME_WAIT timewait (11.02/0/0)
tcp       0    0 www.mydomain.com:32914 www.mydomain.com:http TIME_WAIT timewait (32.36/0/0)
tcp       0    0 www.mydomain.com:32915 www.mydomain.com:http TIME_WAIT timewait (37.45/0/0)
tcp       0    0 localhost.localdo:32916 localhost.localdom:http TIME_WAIT timewait (32.47/0/0)
tcp       0    0 localhost.localdo:32917 localhost.localdom:http TIME_WAIT timewait (33.47/0/0)