The gateway detected abnormal traffic on the uplink network port.
When I looked at my host, it was reporting this error non-stop, and the host's address could not be pinged:
Mar 31 12:32:37 radius-host /usr/lib/snmp/snmpdx: [ID 702911 daemon.error] error while receiving a pdu from 173.1.78.3.38328: Decode the header of message failed: asn length too long
Mar 31 12:32:37 radius-host last message repeated 1 time
Mar 31 12:32:40 radius-host /usr/lib/snmp/snmpdx: [ID 702911 daemon.error] error while receiving a pdu from 173.1.78.124.65378: Decode the header of message failed: asn length too long
Mar 31 12:32:40 radius-host last message repeated 1 time
Mar 31 12:32:41 radius-host /usr/lib/snmp/snmpdx: [ID 702911 daemon.error] error while receiving a pdu from 173.1.78.178.38040: Decode the header of message failed: asn length too long
Mar 31 12:32:41 radius-host last message repeated 1 time
Mar 31 12:32:42 radius-host /usr/lib/snmp/snmpdx: [ID 702911 daemon.error] error while receiving a pdu from 173.1.78.58.36007: Decode the header of message failed: asn length too long
Mar 31 12:32:42 radius-host last message repeated 1 time
Mar 31 12:32:42 radius-host /usr/lib/snmp/snmpdx: [ID 702911 daemon.error] error while receiving a pdu from 173.1.78.132.23222: Decode the header of message failed: asn length too long
Mar 31 12:32:42 radius-host last message repeated 1 time
Mar 31 12:32:43 radius-host snmpXdmid: [ID 334616 daemon.error] Error receiving PDU Decode the header of message failed: asn length too long.
Mar 31 12:32:43 radius-host snmpXdmid: [ID 352064 daemon.error] Error receiving packet from agent; rc = -1.
Mar 31 12:32:43 radius-host snmpXdmid: [ID 669004 daemon.error] Will attempt to re-establish connection.
Mar 31 12:32:43 radius-host snmpXdmid: [ID 334616 daemon.error] Error receiving PDU Decode the header of message failed: asn length too long.
Mar 31 12:32:43 radius-host snmpXdmid: [ID 352064 daemon.error] Error receiving packet from agent; rc = -1.
Mar 31 12:32:43 radius-host snmpXdmid: [ID 669004 daemon.error] Will attempt to re-establish connection.
After killing the snmpXdmid process, the address started responding again.
But I noticed in prstat a process called g3m that was using all of the CPU. Strangely, `ps -ef | grep g3m` could not find this process, and grepping for its PID didn't work either. All I know is that it was started as root; from what path it was started, I don't know...
Later, using the find command, I saw a /usr/lib/.../g3m under /usr/lib/. After renaming it and killing all of g3m's PIDs, CPU usage dropped quickly.
==============================================
Has my machine been turned into a zombie? How did they do it? Has anyone run into this g3m, and what is it??
I have already changed the passwords of all accounts and kicked out all the pts login terminals seen with the who command. What further precautions can I take?
Now I find that /var/adm/sulog gets a root-radius entry (the account used for day-to-day operations) every minute. Does this mean the intruder is still in my system?
[ This post was last edited by guozhongyan on 2009-3-31 18:29 ]
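Two things in the post above lend themselves to a small triage script: the burst of "asn length too long" decode errors hitting snmpdx, and a process that prstat shows but `ps -ef` does not. The example below is an added illustration, not code from the thread or from Solaris. The syslog lines are copied from the post; the prstat and ps output, the path list and the PID 4711 are constructed sample data. It folds "last message repeated N time" lines into the preceding event (so the per-source counts are not understated), aggregates malformed PDUs by source address and time span, flags hidden components such as the "..." directory under a system library path, and reports PIDs present in prstat but absent from ps, which is the classic sign of a replaced ps binary.

```python
"""Triage helpers for the incident described in the post: a burst of malformed SNMP
PDUs hitting snmpdx, and a CPU-hogging process visible in prstat but not in ps -ef.
Added example; syslog lines are copied from the post, all other data is constructed."""
import re
from collections import Counter
from datetime import datetime

# Solaris syslog line: "<ts> <host> <proc>: [ID <msgid> <facility>.<severity>] <msg>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>\S+?): \[ID (?P<msgid>\d+) (?P<fac>\w+)\.(?P<sev>\w+)\] (?P<msg>.*)$"
)
REPEAT_RE = re.compile(r"^\S+\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ last message repeated (?P<n>\d+) times?$")
PDU_SRC_RE = re.compile(r"receiving a pdu from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<port>\d+): (?P<reason>.*)$")

# Copied from the post: the five snmpdx events with their repeats, plus one snmpXdmid line.
LOG_SAMPLE = """\
Mar 31 12:32:37 radius-host /usr/lib/snmp/snmpdx: [ID 702911 daemon.error] error while receiving a pdu from 173.1.78.3.38328: Decode the header of message failed: asn length too long
Mar 31 12:32:37 radius-host last message repeated 1 time
Mar 31 12:32:40 radius-host /usr/lib/snmp/snmpdx: [ID 702911 daemon.error] error while receiving a pdu from 173.1.78.124.65378: Decode the header of message failed: asn length too long
Mar 31 12:32:40 radius-host last message repeated 1 time
Mar 31 12:32:41 radius-host /usr/lib/snmp/snmpdx: [ID 702911 daemon.error] error while receiving a pdu from 173.1.78.178.38040: Decode the header of message failed: asn length too long
Mar 31 12:32:41 radius-host last message repeated 1 time
Mar 31 12:32:42 radius-host /usr/lib/snmp/snmpdx: [ID 702911 daemon.error] error while receiving a pdu from 173.1.78.58.36007: Decode the header of message failed: asn length too long
Mar 31 12:32:42 radius-host last message repeated 1 time
Mar 31 12:32:42 radius-host /usr/lib/snmp/snmpdx: [ID 702911 daemon.error] error while receiving a pdu from 173.1.78.132.23222: Decode the header of message failed: asn length too long
Mar 31 12:32:42 radius-host last message repeated 1 time
Mar 31 12:32:43 radius-host snmpXdmid: [ID 334616 daemon.error] Error receiving PDU Decode the header of message failed: asn length too long.
"""

# Constructed sample output; PID 4711 and the column values are invented for the example.
PRSTAT_SAMPLE = """\
   PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
  4711 root       12M  3000K cpu0    10    0   1:12:33  97% g3m/1
   203 root     4096K 2400K sleep   59    0   0:00:10 0.1% snmpdx/1
"""
PS_SAMPLE = """\
     UID   PID  PPID   C    STIME TTY         TIME CMD
    root   203     1   0   Mar 30 ?           0:10 /usr/lib/snmp/snmpdx
"""


def parse_syslog(lines):
    """Parse syslog lines into events; a 'last message repeated N time(s)' line is
    folded into the preceding event's count instead of being silently dropped."""
    events = []
    for line in lines:
        m = REPEAT_RE.match(line)
        if m and events:
            events[-1]["count"] += int(m.group("n"))
            continue
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["count"] = 1
        # syslog timestamps carry no year; the default year is fine for ordering within a day
        ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        events.append(ev)
    return events


def summarize_malformed_pdus(lines):
    """Aggregate snmpdx 'asn length too long' decode errors by source IP and time span."""
    per_source, times = Counter(), []
    for ev in parse_syslog(lines):
        if not ev["proc"].endswith("snmpdx"):          # snmpXdmid lines carry no source address
            continue
        m = PDU_SRC_RE.search(ev["msg"])
        if not m or "asn length too long" not in m.group("reason"):
            continue
        per_source[m.group("ip")] += ev["count"]
        times.append(ev["time"])
    span = (max(times) - min(times)).total_seconds() if times else 0.0
    return {"total": sum(per_source.values()), "distinct_sources": len(per_source),
            "sources": dict(per_source), "span_seconds": span}


def suspicious_components(paths, system_dirs=("/usr/lib", "/usr/bin", "/usr/sbin", "/lib")):
    """Flag paths under system directories containing a dot-prefixed (hidden) component,
    such as the '...' directory the post found under /usr/lib."""
    return [p for p in paths
            if p.startswith(system_dirs) and any(part.startswith(".") for part in p.split("/")[1:])]


def pids_hidden_from_ps(prstat_text, ps_text):
    """PIDs that prstat reports but ps -ef does not (prstat: PID is column 1; ps -ef: column 2)."""
    prstat_pids = {int(c[0]) for c in (l.split() for l in prstat_text.splitlines()) if c and c[0].isdigit()}
    ps_pids = {int(c[1]) for c in (l.split() for l in ps_text.splitlines()) if len(c) > 1 and c[1].isdigit()}
    return sorted(prstat_pids - ps_pids)


if __name__ == "__main__":
    print(summarize_malformed_pdus(LOG_SAMPLE.splitlines()))
    print(suspicious_components(["/usr/lib/.../g3m", "/usr/lib/snmp/snmpdx", "/home/user/.profile"]))
    print(pids_hidden_from_ps(PRSTAT_SAMPLE, PS_SAMPLE))
```

On the post's own lines this reports 10 malformed PDUs from 5 distinct 173.1.78.x sources within 5 seconds, which is what distinguishes a scan or flood from a single misconfigured manager. The prstat/ps comparison needs the two outputs captured on the same host at the same time; a non-empty result means ps cannot be trusted and the host should be examined from known-good media rather than with its own binaries.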