我的服务器有问题。服务器正在运行 centos 6(CloudLinux 服务器版本 6.2)。 uname -a = 2.6.32-320.4.1.lve1.1.4.el6.x86_64
那是一个kvm客人。在主机上是 debian 6。
如果我运行命令ps aux,它停留在随机进程(仅显示一些进程),top命令工作正常。htop也不起作用(黑屏)。
top - 12:11:51 up 34 min, 1 user, load average: 4.26, 6.71, 16.15
Tasks: 201 total, 7 running, 192 sleeping, 0 stopped, 2 zombie
Cpu(s): 7.9%us, 2.8%sy, 0.0%ni, 87.5%id, 1.6%wa, 0.0%hi, 0.2%si, 0.0%st
Mem: 9862044k total, 2359484k used, 7502560k free, 171720k buffers
Swap: 10485720k total, 0k used, 10485720k free, 1336872k cached
服务器有一个 Intel(R) Xeon(R) CPU E5606 @ 2.13GHz,
free -m
total used free shared buffers cached
Mem: 9630 2336 7293 0 170 1324
-/+ buffers/cache: 841 8789
Swap: 10239 0 10239
php -v
PHP 5.3.19 (cli) (built: Nov 28 2012 10:03:07)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
with the ionCube PHP Loader v4.2.2, Copyright (c) 2002-2012, by ionCube Ltd., and
with Zend Guard Loader v3.3, Copyright (c) 1998-2010, by Zend Technologies
with Suhosin v0.9.33, Copyright (c) 2007-2012, by SektionEins GmbH
mysql服务器版本:5.1.63-cll
php -i
disable_functions => apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_e
xec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, openlog, passthru, php
_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_set
sid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_de
code, xmlrpc_server_create, putenv, show_source,mail => apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval,
exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore,
inject_code, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, pos
ix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exe
c, syslog, system, xmlrpc_entity_decode, xmlrpc_server_create, putenv, show_source,mail
...
suhosin.executor.disable_eval => Off => Off
suhosin.executor.eval.blacklist => include,include_once,require,require_once,curl_init,fpassthru,base64_encode,base64_decode,mail,exec,system,proc_open,leak,
syslog,pfsockopen,shell_exec,ini_restore,symlink,stream_socket_server,proc_nice,popen,proc_get_status,dl, pcntl_exec, pcntl_fork, pcntl_signal,pcntl_waitpid,
pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled,pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, socket_accept,socket_bind, socket_connect, socket_cr
eate, socket_create_listen,socket_create_pair,link,register_shutdown_function,register_tick_function,gzinflate => include,include_once,require,require_once,c
url_init,fpassthru,base64_encode,base64_decode,mail,exec,system,proc_open,leak,syslog,pfsockopen,shell_exec,ini_restore,symlink,stream_socket_server,proc_nic
e,popen,proc_get_status,dl, pcntl_exec, pcntl_fork, pcntl_signal,pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled,pcntl_wifstopped, pcntl
_wstopsig, pcntl_wtermsig, socket_accept,socket_bind, socket_connect, socket_create, socket_create_listen,socket_create_pair,link,register_shutdown_function,
register_tick_function,gzinflate
有时我无法终止 httpd 进程。我kill -9 PID什至跑了好几次,什么也没发生。php 通过 suphp 运行。我在某处了解到它可能是木马。我跑了strace ps aux,它停在
open("/proc/216456/cmdline", O_RDONLY) = 5
read(5,
如果我重新启动服务器,问题就消失了,但一段时间后它又回来了.. :(
谢谢。
问题出在审计上:
backlog limit exceeded在/etc/audit/audit.rules我设置-b为从320到之后9216,问题就消失了。谢谢大家的帮助:)你离系统很远吗?您是通过 SSH 连接吗?
这几乎看起来像是您所在位置和服务器位置之间某处的碎片化数据包/MTU 问题。我在那些情况下看到了文本输出问题。
为确保不是您本人,您能否从其他位置连接到服务器?
基于 Debian 的主机系统如何运行?它有反应吗?除了
ps aux,系统是否运行良好?如果您怀疑存在妥协,请运行此处记录的一些步骤来检查系统的健康状况并验证已安装的软件包。
另外:如何处理受感染的服务器?