Ssh
Please help identify any strange processes
I need help. We recently had a server compromise and managed to do a good clean-up, but I am trying to get rid of the bug without moving the server.
Could anyone look over the running processes below and possibly point out anything that seems strange/unusual? The hacker did manage to get SSH access and changed a lot of group permissions.
This is a simple site running WordPress. Low traffic. Wordfence experts and others could not pin certain things down. Thanks in advance.
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Mar17 ? 00:00:02 /sbin/init
root 2 0 0 Mar17 ? 00:00:00 [kthreadd]
root 3 2 0 Mar17 ? 00:00:05 [migration/0]
root 4 2 0 Mar17 ? 00:00:05 [ksoftirqd/0]
root 5 2 0 Mar17 ? 00:00:00 [stopper/0]
root 6 2 0 Mar17 ? 00:00:01 [watchdog/0]
root 7 2 0 Mar17 ? 00:00:03 [migration/1]
root 8 2 0 Mar17 ? 00:00:00 [stopper/1]
root 9 2 0 Mar17 ? 00:00:03 [ksoftirqd/1]
root 10 2 0 Mar17 ? 00:00:00 [watchdog/1]
root 11 2 0 Mar17 ? 00:00:42 [events/0]
root 12 2 0 Mar17 ? 00:00:39 [events/1]
root 13 2 0 Mar17 ? 00:00:00 [events/0]
root 14 2 0 Mar17 ? 00:00:00 [events/1]
root 15 2 0 Mar17 ? 00:00:00 [events_long/0]
root 16 2 0 Mar17 ? 00:00:00 [events_long/1]
root 17 2 0 Mar17 ? 00:00:00 [events_power_ef]
root 18 2 0 Mar17 ? 00:00:00 [events_power_ef]
root 19 2 0 Mar17 ? 00:00:00 [cgroup]
root 20 2 0 Mar17 ? 00:00:00 [khelper]
root 21 2 0 Mar17 ? 00:00:00 [netns]
root 22 2 0 Mar17 ? 00:00:00 [async/mgr]
root 23 2 0 Mar17 ? 00:00:00 [pm]
root 24 2 0 Mar17 ? 00:00:01 [sync_supers]
root 25 2 0 Mar17 ? 00:00:02 [bdi-default]
root 26 2 0 Mar17 ? 00:00:00 [kintegrityd/0]
root 27 2 0 Mar17 ? 00:00:00 [kintegrityd/1]
root 28 2 0 Mar17 ? 00:01:03 [kblockd/0]
root 29 2 0 Mar17 ? 00:00:02 [kblockd/1]
root 30 2 0 Mar17 ? 00:00:00 [kacpid]
root 31 2 0 Mar17 ? 00:00:00 [kacpi_notify]
root 32 2 0 Mar17 ? 00:00:00 [kacpi_hotplug]
root 33 2 0 Mar17 ? 00:00:00 [ata_aux]
root 34 2 0 Mar17 ? 00:00:00 [ata_sff/0]
root 35 2 0 Mar17 ? 00:00:00 [ata_sff/1]
root 36 2 0 Mar17 ? 00:00:00 [ksuspend_usbd]
root 37 2 0 Mar17 ? 00:00:00 [khubd]
root 38 2 0 Mar17 ? 00:00:00 [kseriod]
root 39 2 0 Mar17 ? 00:00:00 [md/0]
root 40 2 0 Mar17 ? 00:00:00 [md/1]
root 41 2 0 Mar17 ? 00:00:00 [md_misc/0]
root 42 2 0 Mar17 ? 00:00:00 [md_misc/1]
root 43 2 0 Mar17 ? 00:00:00 [linkwatch]
root 44 2 0 Mar17 ? 00:00:00 [khungtaskd]
root 45 2 0 Mar17 ? 00:01:01 [kswapd0]
root 46 2 0 Mar17 ? 00:00:00 [ksmd]
root 47 2 0 Mar17 ? 00:00:01 [khugepaged]
root 48 2 0 Mar17 ? 00:00:00 [aio/0]
root 49 2 0 Mar17 ? 00:00:00 [aio/1]
root 50 2 0 Mar17 ? 00:00:00 [crypto/0]
root 51 2 0 Mar17 ? 00:00:00 [crypto/1]
root 58 2 0 Mar17 ? 00:00:00 [kthrotld/0]
root 59 2 0 Mar17 ? 00:00:00 [kthrotld/1]
root 61 2 0 Mar17 ? 00:00:00 [kpsmoused]
root 62 2 0 Mar17 ? 00:00:00 [usbhid_resumer]
root 63 2 0 Mar17 ? 00:00:00 [deferwq]
root 250 2 0 Mar17 ? 00:00:00 [scsi_eh_0]
root 254 2 0 Mar17 ? 00:00:00 [scsi_eh_1]
root 305 1419 0 Mar21 ? 00:00:00 sshd: root [priv]
sshd 306 305 0 Mar21 ? 00:00:00 sshd: root [net]
root 349 2 0 Mar17 ? 00:00:00 [virtio-blk]
root 379 2 0 Mar17 ? 00:01:37 [jbd2/vda1-8]
root 380 2 0 Mar17 ? 00:00:00 [ext4-dio-unwrit]
root 458 1 0 Mar17 ? 00:00:00 /sbin/udevd -d
root 563 2 0 Mar17 ? 00:00:00 [virtio-net]
root 586 2 0 Mar17 ? 00:00:00 [vballoon]
root 742 2 0 Mar17 ? 00:00:00 [kdmremove]
root 743 2 0 Mar17 ? 00:00:00 [kstriped]
root 769 2 0 Mar17 ? 00:01:08 [flush-253:0]
nobody 837 11478 0 14:29 ? 00:00:00 /usr/sbin/httpd -k start
root 992 2 0 Mar17 ? 00:00:01 [kauditd]
root 1047 2 0 Mar17 ? 00:00:13 [loop0]
root 1051 2 0 Mar17 ? 00:00:05 [kjournald]
root 1071 1419 0 Mar18 ? 00:00:00 sshd: unknown [priv]
sshd 1072 1071 0 Mar18 ? 00:00:00 sshd: unknown [net]
root 1230 1 0 Mar17 ? 00:00:01 auditd
root 1294 1 0 Mar17 ? 00:00:40 /sbin/rsyslogd -i /var/run/syslo
named 1317 1 0 Mar17 ? 00:00:02 /usr/sbin/named -u named
dbus 1335 1 0 Mar17 ? 00:00:00 dbus-daemon --system
root 1366 1 0 Mar17 ? 00:00:00 /usr/sbin/acpid
nscd 1385 1 0 Mar17 ? 00:00:31 /usr/sbin/nscd
root 1419 1 0 Mar17 ? 00:00:00 /usr/sbin/sshd
ntp 1430 1 0 Mar17 ? 00:00:01 ntpd -u ntp:ntp -p /var/run/ntpd
root 1449 1 0 Mar17 ? 00:00:00 /bin/sh /usr/bin/mysqld_safe --d
root 1632 1 0 00:00 ? 00:00:20 lfd - sleeping
root 1711 1 0 Mar17 ? 00:00:00 pure-ftpd (SERVER)
root 1713 1 0 Mar17 ? 00:00:00 /usr/sbin/pure-authd -s /var/run
root 1725 1 0 Mar17 ? 00:00:02 crond
root 1740 1 0 Mar17 ? 00:00:00 /usr/sbin/atd
root 1875 1 0 Mar17 tty1 00:00:00 /sbin/mingetty /dev/tty1
root 1877 1 0 Mar17 tty2 00:00:00 /sbin/mingetty /dev/tty2
root 1879 1 0 Mar17 tty3 00:00:00 /sbin/mingetty /dev/tty3
root 1881 1 0 Mar17 tty4 00:00:00 /sbin/mingetty /dev/tty4
root 1883 1 0 Mar17 tty5 00:00:00 /sbin/mingetty /dev/tty5
root 1885 1 0 Mar17 tty6 00:00:00 /sbin/mingetty /dev/tty6
root 1889 458 0 Mar17 ? 00:00:00 /sbin/udevd -d
root 1890 458 0 Mar17 ? 00:00:00 /sbin/udevd -d
nobody 2733 11478 0 14:45 ? 00:00:00 /usr/sbin/httpd -k start
nobody 2736 11478 0 14:45 ? 00:00:00 /usr/sbin/httpd -k start
nobody 2739 11478 0 14:45 ? 00:00:00 /usr/sbin/httpd -k start
nobody 3264 11478 0 14:50 ? 00:00:00 /usr/sbin/httpd -k start
503 3265 11478 0 14:50 ? 00:00:00 /usr/sbin/httpd -k start
nobody 3270 11478 0 14:50 ? 00:00:00 /usr/sbin/httpd -k start
nobody 3272 11478 0 14:50 ? 00:00:00 /usr/sbin/httpd -k start
nobody 3278 11478 0 14:50 ? 00:00:00 /usr/sbin/httpd -k start
503 3577 11566 23 14:54 ? 00:00:12 php-fpm: pool mysite
root 3596 1419 0 14:54 ? 00:00:00 sshd: root@pts/0
503 3600 11566 23 14:54 ? 00:00:06 php-fpm: pool mysite
503 3602 11566 23 14:54 ? 00:00:06 php-fpm: pool mysite
root 3619 3596 0 14:54 pts/0 00:00:00 -bash
root 3670 3619 0 14:54 pts/0 00:00:00 ps -ef
root 4331 1419 0 00:52 ? 00:00:00 sshd: unknown [priv]
sshd 4332 4331 0 00:52 ? 00:00:00 sshd: unknown [net]
root 4365 1419 0 00:53 ? 00:00:00 sshd: root [priv]
sshd 4367 4365 0 00:53 ? 00:00:00 sshd: root [net]
root 4758 1419 0 Mar19 ? 00:00:00 sshd: root [priv]
sshd 4760 4758 0 Mar19 ? 00:00:00 sshd: root [net]
mysql 5024 1449 3 Mar19 ? 02:24:33 /usr/sbin/mysqld --basedir=/usr
root 7284 2 0 02:05 ? 00:00:00 [flush-7:0]
root 8078 1419 0 Mar21 ? 00:00:00 sshd: unknown [priv]
sshd 8082 8078 0 Mar21 ? 00:00:00 sshd: unknown [net]
root 9047 1 0 Mar21 ? 00:00:00 /usr/sbin/dovecot
dovenull 9049 9047 0 Mar21 ? 00:00:00 dovecot/pop3-login
dovenull 9050 9047 0 Mar21 ? 00:00:00 dovecot/imap-login
dovecot 9051 9047 0 Mar21 ? 00:00:00 dovecot/anvil
root 9052 9047 0 Mar21 ? 00:00:00 dovecot/log
dovenull 9054 9047 0 Mar21 ? 00:00:00 dovecot/pop3-login
root 9055 9047 0 Mar21 ? 00:00:00 dovecot/config
dovenull 9056 9047 0 Mar21 ? 00:00:00 dovecot/imap-login
root 9431 1419 0 Mar21 ? 00:00:00 sshd: unknown [priv]
sshd 9432 9431 0 Mar21 ? 00:00:00 sshd: unknown [net]
root 9639 1 0 Mar21 ? 00:00:07 cpsrvd (SSL) - dormant mode - ac
root 9647 1 0 Mar21 ? 00:00:05 queueprocd - wait to process a t
root 9651 1 0 Mar21 ? 00:00:01 dnsadmin - dormant mode
root 9667 1 0 Mar21 ? 00:00:07 php-fpm: master process (/usr/lo
root 9676 1 0 Mar21 ? 00:00:14 cPhulkd - processor
root 9685 1 0 Mar21 ? 00:00:00 cpdavd - accepting connections o
root 9689 1 0 Mar21 ? 00:00:00 cpanellogd - sleeping for logs
root 11396 1 0 03:42 ? 00:00:01 tailwatchd
root 11443 1419 0 Mar21 ? 00:00:00 sshd: root [priv]
sshd 11444 11443 0 Mar21 ? 00:00:00 sshd: root [net]
root 11478 1 0 03:42 ? 00:00:02 /usr/sbin/httpd -k start
root 11566 1 0 03:42 ? 00:00:04 php-fpm: master process (/opt/cp
503 12423 9047 0 11:11 ? 00:00:00 dovecot/quota-status -p postfix
root 12782 1419 0 Mar18 ? 00:00:00 sshd: root [priv]
root 12783 1419 0 Mar18 ? 00:00:00 sshd: unknown [priv]
sshd 12784 12782 0 Mar18 ? 00:00:00 sshd: root [net]
sshd 12787 12783 0 Mar18 ? 00:00:00 sshd: unknown [net]
root 12800 1419 0 Mar20 ? 00:00:00 sshd: root [priv]
sshd 12801 12800 0 Mar20 ? 00:00:00 sshd: root [net]
mailman 12890 1 0 11:17 ? 00:00:00 /usr/bin/python /usr/local/cpane
mailman 12891 12890 0 11:17 ? 00:00:01 /usr/bin/python /usr/local/cpane
mailman 12892 12890 0 11:17 ? 00:00:02 /usr/bin/python /usr/local/cpane
mailman 12893 12890 0 11:17 ? 00:00:01 /usr/bin/python /usr/local/cpane
mailman 12894 12890 0 11:17 ? 00:00:02 /usr/bin/python /usr/local/cpane
mailman 12895 12890 0 11:17 ? 00:00:01 /usr/bin/python /usr/local/cpane
mailman 12896 12890 0 11:17 ? 00:00:02 /usr/bin/python /usr/local/cpane
mailman 12897 12890 0 11:17 ? 00:00:02 /usr/bin/python /usr/local/cpane
mailman 12898 12890 0 11:17 ? 00:00:00 /usr/bin/python /usr/local/cpane
root 18367 1 0 Mar21 ? 00:00:00 /usr/bin/python -Es /usr/bin/fai
root 19644 1419 0 Mar18 ? 00:00:00 sshd: unknown [priv]
sshd 19645 19644 0 Mar18 ? 00:00:00 sshd: unknown [net]
root 19713 1419 0 Mar19 ? 00:00:00 sshd: root [priv]
sshd 19714 19713 0 Mar19 ? 00:00:00 sshd: root [net]
root 19937 1419 0 12:38 ? 00:00:00 sshd: root@pts/1
root 20109 19937 0 12:39 pts/1 00:00:00 -bash
root 20816 1419 0 12:44 ? 00:00:00 sshd: root@pts/2
root 20819 20816 0 12:44 pts/2 00:00:00 -bash
root 21666 1419 0 04:29 ? 00:00:00 sshd: root [priv]
sshd 21667 21666 0 04:29 ? 00:00:00 sshd: root [net]
root 21985 1419 0 04:33 ? 00:00:00 sshd: root [priv]
sshd 21986 21985 0 04:33 ? 00:00:00 sshd: root [net]
root 23160 1419 0 Mar18 ? 00:00:00 sshd: root [priv]
sshd 23161 23160 0 Mar18 ? 00:00:00 sshd: root [net]
root 23331 1419 0 Mar19 ? 00:00:00 sshd: unknown [priv]
sshd 23332 23331 0 Mar19 ? 00:00:00 sshd: unknown [net]
root 23409 11478 0 13:04 ? 00:00:00 /usr/local/cpanel/3rdparty/bin/p
nobody 27199 11478 0 13:32 ? 00:00:02 /usr/sbin/httpd -k start
mailnull 27668 1 0 Mar21 ? 00:00:00 /usr/sbin/exim -ps -bd -q1h -oP
root 27680 1 0 Mar21 ? 00:07:36 spamd-dormant: waiting for conne
32010 27694 1 0 Mar21 ? 00:03:11 /usr/local/cpanel/3rdparty/sbin/
root 30316 1419 0 Mar18 ? 00:00:00 sshd: root [priv]
sshd 30317 30316 0 Mar18 ? 00:00:00 sshd: root [net]
root 30837 1419 0 Mar21 ? 00:00:00 sshd: root [priv]
sshd 30838 30837 0 Mar21 ? 00:00:00 sshd: root [net]
If this machine has been compromised, it may have a rootkit installed that stops certain programs from appearing in ps, /proc or on disk. The only safe approach is to rebuild the machine from trusted sources.
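Added example, written for this page and not code from either poster: a small Python pass over `ps -ef` output that applies the kind of triage the question asks for (a worker whose UID differs from its identical siblings, UIDs that ps printed as numbers, `sshd: <user> [priv]` pre-auth sessions that have lingered since an earlier day), plus a /proc-versus-ps comparison for the rootkit point in the reply. The embedded listing is a constructed excerpt of the rows posted above; the three rules are triage heuristics of my own, not findings the thread established.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt in the same format as the posted `ps -ef` listing (rows taken from it).
PS_SAMPLE = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      1419     1  0 Mar17 ?        00:00:00 /usr/sbin/sshd
root     11478     1  0 03:42 ?        00:00:02 /usr/sbin/httpd -k start
nobody    2733 11478  0 14:45 ?        00:00:00 /usr/sbin/httpd -k start
nobody    2736 11478  0 14:45 ?        00:00:00 /usr/sbin/httpd -k start
503       3265 11478  0 14:50 ?        00:00:00 /usr/sbin/httpd -k start
root      1071  1419  0 Mar18 ?        00:00:00 sshd: unknown [priv]
root      4758  1419  0 Mar19 ?        00:00:00 sshd: root [priv]
root      3596  1419  0 14:54 ?        00:00:00 sshd: root@pts/0
"""
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+(\S+)\s+\S+\s+\S+\s+(.*)$")
PREAUTH = re.compile(r"^sshd: \S+ \[priv\]$")  # privileged monitor of a not-yet-authenticated session

def parse_ps(text):
    """Parse `ps -ef` output into dicts (uid, pid, ppid, stime, cmd); the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        if m := ROW.match(line):
            uid, pid, ppid, stime, cmd = m.groups()
            rows.append({"uid": uid, "pid": int(pid), "ppid": int(ppid), "stime": stime, "cmd": cmd})
    return rows

def find_oddities(rows):
    """Return (pid, reason) pairs worth a closer look in a listing like the one posted."""
    findings = []
    groups = defaultdict(list)
    for r in rows:
        groups[(r["ppid"], r["cmd"])].append(r)
    # 1. Identical workers under one parent share a UID; the odd one out (one httpd child as 503 among 'nobody') is a lead.
    for grp in groups.values():
        if len(grp) > 1:
            usual = Counter(r["uid"] for r in grp).most_common(1)[0][0]
            findings += [(r["pid"], f"uid {r['uid']} differs from siblings ({usual})")
                         for r in grp if r["uid"] != usual]
    # 2. ps prints a numeric UID when it cannot show a name (unmapped or too long): resolve it with `getent passwd`.
    findings += [(r["pid"], f"numeric uid {r['uid']}: resolve and verify") for r in rows if r["uid"].isdigit()]
    # 3. A login authenticates in seconds, so a [priv] session whose STIME is a date (not HH:MM) has lingered for days.
    findings += [(r["pid"], f"pre-auth sshd session open since {r['stime']}")
                 for r in rows if PREAUTH.match(r["cmd"]) and ":" not in r["stime"]]
    return findings

def hidden_pids(rows, proc_pids):
    """PIDs in /proc (os.listdir('/proc')) but not in ps: catches a rootkit that hides from ps alone, not one filtering /proc too."""
    return sorted(set(proc_pids) - {r["pid"] for r in rows})
```

On a live host, feed `hidden_pids` the numeric entries of `/proc` next to the parsed `ps -ef`; an empty result only rules out the ps-only class of hiding, which is why the reply's rebuild advice still stands.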