This morning I got a notice that the server's root password had been changed. I tested right away and indeed could not connect or log in. Through other channels, and after a series of twists and turns, I recovered the password. A preliminary diagnosis showed that the password had been changed without anyone having changed it, which left only the possibility that the system had been compromised. Then, when I used a command to look at the processes, the following message appeared:
- Unknown HZ value! (288) Assume 100.
- root 15575 0.0 0.0 61116 740 pts/3 S 11:40 0:00 grep httpd
"Unknown HZ value! (288) Assume 100" is an error I had never run into before. After some searching I learned that it is probably the result of the system having been compromised. The explanation of this message reads as follows:
- Unknown HZ value! (##) Assume 100 — You've been hacked!
- On RHEL or CentOS 4 or 5, if you run the linux command top and you see something like:
- "Unknown HZ value! (75) Assume 100"
- Yours might not say "75" — it could be any number.
- If you see this, you should run rkhunter immediately, because your box has probably been taken over by a rootkit — either SHV4 or SHV5.
- The only reason you see this clue "Unknown HZ value" is because the rootkit replaces the top command (among others) with a substitute top command that will hide its processes. Their replacement top is old (version 1.2) and cannot handle the HZ value of the 2.6 linux kernel.
- Sad to say, but if this happens to you, it's time to reinstall your OS!
Following this explanation, I installed rkhunter and ran a system check. It produced many Warning and Not Found errors, and it also detected several hidden programs, as follows:
- Rootkit checks…
- Rootkits checked : 258
- Possible rootkits: 3
- Rootkit names : cb Rootkit, SHV4 Rootkit, SHV5 Rootkit
So there are SHV4 and SHV5 backdoors. A quick Google search shows that these backdoors can replace system commands such as ls, ifconfig, login and ssh. The system really was compromised. I suspect that thoroughly removing these backdoors is not simple, and for now I don't know how they were injected, whether by cracking the root password or through a system bug. Not sure. The priority today is to back up the data first; since I can't get rid of these hidden backdoors, I'll have to reinstall the system.
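Two checks that follow directly from the note quoted above, written here as an added example and not part of the original post or of rkhunter: the rootkit hides its processes by replacing ps and top, so PIDs that the kernel lists under /proc but that ps does not show are candidates for hidden processes; and it swaps out ls, ps, netstat, ifconfig, login and ssh, so package-owned system binaries whose digest no longer matches the RPM manifest (the "5" column of `rpm -Va`) are candidates for trojaned tools. The ps, /proc and `rpm -Va` samples below are constructed, not captured from the compromised host. The caveat a practitioner would want: on a rooted box sh, awk, ps, rpm and the RPM database itself may have been tampered with, so these checks belong on a statically linked rescue toolset or, better, on the disk mounted read-only from a clean system, and a clean result means "nothing found", not "nothing there".

```shell
#!/bin/sh
# Added example (not from the original post): two checks for a host suspected
# of carrying SHV4/SHV5-style userland rootkits.
#
#  1. hidden_pids: a trojaned ps/top hides the intruder's processes, but the
#     kernel still exposes every task under /proc/<pid>. PIDs present in /proc
#     and absent from ps output are candidates for a hidden process.
#  2. changed_system_binaries: SHV4/SHV5 replace ls, ps, netstat, ifconfig,
#     login, ssh and friends. `rpm -Va` flags files whose MD5 digest (the "5"
#     column) no longer matches the package manifest; the function keeps only
#     such hits under the system binary directories and drops config-file and
#     timestamp-only noise.
#
# Caveat: on a rooted box sh, awk, rpm and the RPM database itself may be
# tampered with. Run this from trusted static binaries or against the disk
# mounted read-only on a clean system.

# hidden_pids PS_PIDS PROC_ENTRIES
#   $1: output of `ps -eo pid=` (one PID per line, leading spaces allowed)
#   $2: output of `ls /proc` (non-numeric entries such as "self" are ignored)
#   prints PIDs that appear in $2 but not in $1, one per line
hidden_pids() {
    { printf '%s\n' "$1"; echo '--PROC--'; printf '%s\n' "$2"; } |
    awk '
        /^--PROC--$/        { in_proc = 1; next }
        $1 !~ /^[0-9]+$/    { next }                 # blanks, headers, "self", "sys"
        !in_proc            { seen[$1 + 0] = 1; next }
        !(($1 + 0) in seen) { print $1 + 0 }
    '
}

# changed_system_binaries RPM_VERIFY_OUTPUT
#   $1: text as printed by `rpm -Va`
#   prints files under /bin, /sbin, /usr/bin, /usr/sbin whose digest differs
#   from the package manifest, i.e. whose flag string has "5" in position 3
changed_system_binaries() {
    printf '%s\n' "$1" | awk '
        NF < 2 { next }
        # flag string is S M 5 D L U G T (plus P on newer rpm); "missing" lines
        # start with a word, so they never match the flag pattern
        $1 ~ /^[S.][M.]5/ && $NF ~ "^/(usr/)?s?bin/" { print $NF }
    '
}

# --- constructed sample data (not captured from a real host) ---
SAMPLE_PS='    1
  842
 1337'
SAMPLE_PROC='1
842
1337
4242
self
sys
cpuinfo'
SAMPLE_RPM_VERIFY='S.5....T.    /bin/ps
S.5....T.    /bin/ls
S.5....T.    /bin/netstat
S.5....T.    /sbin/ifconfig
.......T.    /usr/bin/top
S.5....T.  c /etc/ssh/sshd_config
.......T.  c /etc/hosts
missing      /usr/share/doc/net-tools-1.60/README'

# Demo on the constructed samples; pass --live to inspect the running host
# (only meaningful when run from trusted binaries, see the caveat above).
if [ "${1:-}" = "--live" ]; then
    PS_PIDS=$(ps -eo pid=)
    PROC_ENTRIES=$(ls /proc)
    RPM_OUT=$(rpm -Va 2>/dev/null || true)
else
    PS_PIDS=$SAMPLE_PS; PROC_ENTRIES=$SAMPLE_PROC; RPM_OUT=$SAMPLE_RPM_VERIFY
fi
echo "PIDs present in /proc but hidden from ps:"
hidden_pids "$PS_PIDS" "$PROC_ENTRIES"
echo "Package-owned system binaries with a modified digest:"
changed_system_binaries "$RPM_OUT"
```

On the constructed samples the first check reports PID 4242 (in /proc, missing from ps) and the second reports /bin/ps, /bin/ls, /bin/netstat and /sbin/ifconfig, while the timestamp-only change to /usr/bin/top and the edited sshd_config are left out. Both functions are pure text filters, so the same script can be pointed at ps, /proc and `rpm -Va` output captured earlier or produced by trusted tools on a mounted disk image.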