今天早上收到通知說服務器的root密碼被修改了,趕緊測試,果然無法鏈接登陸,通過其他渠道經過一系列周折恢復密碼,經過初步診斷在無人修改密碼的情況下被修改了密碼,只有系統被入侵的可能性了。然後在使用命令查看進程時出現下面的提示:
- Unknown HZ value! (288) Assume 100.
- root 15575 0.0 0.0 61116 740 pts/3 S 11:40 0:00 grep httpd
Unknown HZ value! (288) Assume 100,這個錯誤以前還從來沒遇到過,搜索一番後得知是應該是系統被入侵後的結果,該提示的說明如下:
- Unknown HZ value! (##) Assume 100 -- You've been hacked!
-
- On RHEL or CentOS 4 or 5, If you run the linux command top and you see something like:
-
- "Unknown HZ value! (75) Assume 100"
-
- Yours might not say "75" -- it could be any number.
- If you see this, you should run rkhunter immediately, because your box has probably been taken over by arootkit -- either SHV4 or SHV5.
-
- The only reason you see this clue "Unknown HZ value" is because the rootkit replaces the top command (among others)with a substitute top command that will hide its processes. Their replacement top is old (version 1.2) and cannothandle the HZ value of the 2.6 linux kernel.
- Sad to say, but if this happens to you, its time to reinstall your OS!
按照這個說明,安裝了一個rkhunter進行系統檢測,發現有很多Warning和Not Found錯誤,同時也檢測到幾個隱藏程序入下:
- Rootkit checks...
- Rootkits checked : 258
- Possible rootkits: 3
- Rootkit names : cb Rootkit, SHV4 Rootkit, SHV5 Rootkit
有SHV4和SHV5後門程序,google一下,這些後門程序可以替換諸如ls、ifconfig、login、ssh等系統命令。果然是被入侵了,估計想徹底清除這些後門程序還真不簡單,暫時也不知道這些後門程序是如何被注入的,是破解root密碼還是系統bug?不確定,今天趕緊備份數據先,解決不了這些隱藏後門,只好重裝系統了。
