
Title: [Help] Server compromised, how do I resolve this?

Author: lee-1    Posted: 2017-4-21 17:46     Subject: Help: server compromised, how do I resolve this?

As in the title: it's a Bandwagon Host (搬瓦工) server with WDCP 3.09 installed. Today I received an email saying malware was detected on the server and it has been suspended.

This machine is just something I set up to learn Linux on; there is no important data on it, and reinstalling the system is no problem, but I'm worried that the same kind of problem will come back once I install WDCP again.

Could the experts here please take a look at how to resolve this? If a reinstall is unavoidable, what preventive measures should I take afterwards?

Many thanks.

Attached: the control panel information is as follows

Reason:         Hacked/rooted server

More details:         We have detected hacking activity on this server

Additional information:
---------------------------------------------------------------------------------------------------------
KiwiVM has detected the following process on this server:
[getty] /usr/bin/bsd-port/getty

This process is a malware binary installed on the server with the sole purpose to perform abuse (DoS attacks, spamming, etc).
Seems like this server has been compromised and therefore it has been suspended to prevent further damage.

**********************************************
List of processes
**********************************************
180348     screen           SCREEN -d -m -S lanmp -t lanmp -s /bin/bash
180350     bash             /bin/bash
195833     nginx            nginx: master process /www/wdlinux/nginx/sbin/nginx -c /www/wdlinux/nginx/conf/nginx.conf
195836     nginx            nginx: worker process
195837     nginx            nginx: worker process
195838     nginx            nginx: worker process
195844     php-fpm          php-fpm: master process (/www/wdlinux/nginx_php-5.3.29/etc/php-fpm.conf)
195846     php-fpm          php-fpm: pool www
195847     php-fpm          php-fpm: pool www
199479     udp28            ./udp28
201270     getty            /usr/bin/bsd-port/getty
201450     .sshd            /usr/bin/.sshd
545291     wdcp             /www/wdlinux/wdcp/wdcp
591403     mysqld_safe      /bin/sh /www/wdlinux/mysql-5.1.69/bin/mysqld_safe --datadir=/www/wdlinux/mysql-5.1.69/var --pid-file=/www/wdlinux/mysql-5.1.69/var/localhost.localdomain.pid
591625     mysqld           /www/wdlinux/mysql-5.1.69/libexec/mysqld --basedir=/www/wdlinux/mysql-5.1.69 --datadir=/www/wdlinux/mysql-5.1.69/var --user=mysql --log-error=/www/wdlinux/mysql-5.1.69/var/localhost.localdomain.err --pid-file=/www/wdlinux/mysql-5.1.69/var/localhost.localdomain.pid --socket=/tmp/mysql.sock --port=3306
591779     pure-ftpd        pure-ftpd (SERVER)
1011542    init             init
1011543    kthreadd/511189  
1011544    khelper/511189   
1012295    sshd             /usr/sbin/sshd
1012326    ssserver         /usr/bin/python /usr/bin/ssserver -s ::0 -p 443 -k YWYyMTViMj -m aes-256-cfb --user nobody --workers 2 -d start
1012328    ssserver         /usr/bin/python /usr/bin/ssserver -s ::0 -p 443 -k YWYyMTViMj -m aes-256-cfb --user nobody --workers 2 -d start
1012329    ssserver         /usr/bin/python /usr/bin/ssserver -s ::0 -p 443 -k YWYyMTViMj -m aes-256-cfb --user nobody --workers 2 -d start
---------------------------------------------------------------------------------------------------------
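The provider's notice singled out `/usr/bin/bsd-port/getty`, and a first triage step on a list like the one above is to scan every command line for binaries that live in odd places. The following Python script is an added example, not code from the post, from WDCP or from KiwiVM: the heuristics (explicit relative-path launch, hidden file name, binary nested under a normally flat system bin directory) and the sample lines are constructed from the quoted list, and a hit means "review by hand", not a verdict.

```python
import re

# Constructed sample in the same shape as the provider's process list quoted
# in the post (PID, process name, command line); a subset, not the full list.
SAMPLE_PROCESS_LIST = """\
195833     nginx            nginx: master process /www/wdlinux/nginx/sbin/nginx -c /www/wdlinux/nginx/conf/nginx.conf
199479     udp28            ./udp28
201270     getty            /usr/bin/bsd-port/getty
201450     .sshd            /usr/bin/.sshd
591403     mysqld_safe      /bin/sh /www/wdlinux/mysql-5.1.69/bin/mysqld_safe --datadir=/www/wdlinux/mysql-5.1.69/var
1011543    kthreadd/511189
1012295    sshd             /usr/sbin/sshd
"""

# System binary directories that are flat on a normal install: a daemon whose
# binary sits in a subdirectory of one of these is worth a close look.
FLAT_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s*(.*)$")


def parse_process_list(text):
    """Yield (pid, name, cmdline) tuples from provider-style process output."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def triage_reasons(cmdline):
    """Return the heuristic reasons a command line deserves manual review."""
    reasons = []
    parts = cmdline.split()
    exe = parts[0] if parts else ""
    if exe.endswith(":"):  # 'nginx: master process' style rewritten argv[0]
        return reasons
    directory, _, base = exe.rpartition("/")
    directory += "/"
    if exe.startswith("./") or exe.startswith("../"):
        reasons.append("executable started from a relative path")
    if base.startswith("."):
        reasons.append("hidden executable name (leading dot)")
    for flat in FLAT_BIN_DIRS:
        if directory.startswith(flat) and directory != flat:
            reasons.append(f"binary nested under normally flat {flat} ({directory})")
            break
    return reasons


def find_suspicious(text):
    """Map PID -> (name, reasons) for every process that trips a heuristic."""
    hits = {}
    for pid, name, cmd in parse_process_list(text):
        reasons = triage_reasons(cmd)
        if reasons:
            hits[pid] = (name, reasons)
    return hits


if __name__ == "__main__":
    for pid, (name, reasons) in find_suspicious(SAMPLE_PROCESS_LIST).items():
        print(f"{pid:>8} {name:<12} " + "; ".join(reasons))
```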

Welcome to the WDlinux official forum (http://www.wdlinux.cn/bbs/) Powered by Discuz! 7.2