top內看到perl的程式把CPU吃光了,不過我沒抓下來
用netstat看一下從那裡來的@@
# netstat -n|more你是誰啊= =Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 xxx.xxx.xxx.xxx:80 134.208.xxx.xxx:49561 SYN_RECV
tcp 0 0 xxx.xxx.xxx.xxx:38693 69.64.47.228:5190 ESTABLISHED
# lsof -i :5190
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
perl 2524 apache 3u IPv4 74879420 TCP xxx-xxx-xxx-xxx:38693->balder791.startdedicated.com:aol (ESTABLISHED)
perl 2561 apache 3u IPv4 74879420 TCP xxx-xxx-xxx-xxx:38693->balder791.startdedicated.com:aol (ESTABLISHED)
perl 2573 apache 3u IPv4 74879420 TCP xxx-xxx-xxx-xxx:38693->balder791.startdedicated.com:aol (ESTABLISHED)
perl 2654 apache 3u IPv4 74879420 TCP xxx-xxx-xxx-xxx:38693->balder791.startdedicated.com:aol (ESTABLISHED)
perl 2680 apache 3u IPv4 74879420 TCP xxx-xxx-xxx-xxx:38693->balder791.startdedicated.com:aol (ESTABLISHED)
perl 2741 apache 3u IPv4 74879420 TCP xxx-xxx-xxx-xxx:38693->balder791.startdedicated.com:aol (ESTABLISHED)
perl 10443 apache 3u IPv4 74879420 TCP xxx-xxx-xxx-xxx:38693->balder791.startdedicated.com:aol (ESTABLISHED)
=..=每次攻擊都是這個域名公司的
全部kill掉後,上辜狗找到可能的原因是透過php的fileupload上來的,可執行的程式碼上傳到/tmp底下,利用/tmp預設大家都可寫入可執行的特色,進行攻擊。
進到/tmp底下發現名為'f'的檔案,手賤的我一看到它就rm掉了
忘了看它裡面寫什麼東西...= =""
但是網站還是需要上傳的功能,總不能把它關了
這時候就要利用mount -o noexec,nosuid的方式
將/tmp掛載成不能執行,不能使用指令的模式
# vi /etc/fstab
/dev/VG00/lv_tmp /tmp ext3 noexec,nosuid 1 2
#mount /tmp -o remount
希望降子能有效阻擋此類攻擊 囧>
--
參考網址
http://www.study-area.org/phorum/index.php?topic=59532.0
http://blog.teatime.com.tw/1/post/126
