This morning I got a notification that the server's root password had been changed. I tested right away and, sure enough, could not connect and log in. After a lot of hassle I recovered the password through other channels. Preliminary diagnosis: since nobody had changed the password, the only remaining possibility was that the system had been compromised. Then, when I ran a command to look at the processes, the following message appeared:
Unknown HZ value! (288) Assume 100.
root 15575 0.0 0.0 61116 740 pts/3 S 11:40 0:00 grep httpd
Unknown HZ value! (288) Assume 100
I had never run into this error before. After searching around I learned that it is supposedly the result of the system having been compromised. The explanation of the message reads as follows:
Unknown HZ value! (##) Assume 100 -- You've been hacked! On RHEL or CentOS 4 or 5, if you run the linux command top and you see something like: "Unknown HZ value! (75) Assume 100" Yours might not say "75" -- it could be any number. If you see this, you should run rkhunter immediately, because your box has probably been taken over by a rootkit -- either SHV4 or SHV5. The only reason you see this clue "Unknown HZ value" is because the rootkit replaces the top command (among others) with a substitute top command that will hide its processes. Their replacement top is old (version 1.2) and cannot handle the HZ value of the 2.6 linux kernel. Sad to say, but if this happens to you, it's time to reinstall your OS!
Following this explanation, I installed rkhunter to check the system. It reported many Warning and Not Found errors, and also detected several hidden programs, as follows:
Rootkit checks...
Rootkits checked : 258
Possible rootkits: 3
Rootkit names : cb Rootkit, SHV4 Rootkit, SHV5 Rootkit
So there are SHV4 and SHV5 backdoors. A quick Google search shows that these backdoors can replace system commands such as ls, ifconfig, login and ssh. The box really was compromised. I figure completely removing these backdoors will not be easy, and for now I don't know how they got in either: was the root password cracked, or was it a system bug? Not sure. Today I'll back up the data first; if I can't get rid of these hidden backdoors, I'll have no choice but to reinstall the system.
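The explanation quoted above says the rootkit swaps in a `top` that hides its own processes, and the rkhunter result says SHV4/SHV5 also replace commands such as ls, ifconfig, login and ssh. Below is an added example of how to check both claims from the shell on a box like this one; it is not code from the original post or from rkhunter. It compares the PIDs the kernel exposes in /proc with the PIDs the `ps` binary reports (a PID in /proc that `ps` will not list is being hidden), and it verifies the packages owning those commands against the RPM database. The package names (coreutils, net-tools, util-linux, openssh-clients, procps) are assumptions for RHEL/CentOS; the `live` argument, the function names and the sample PID lists are the example's own. On a rooted host the shell, `ps`, `rpm` and the RPM database can all have been tampered with, so a clean result here is weak evidence; rerun the same checks from rescue media or against a known-good package file with `rpm -Vp` when you can.

```shell
#!/bin/sh
# Added example, not code from the original post. Two checks for a box whose
# ps/top may have been swapped out by a rootkit such as SHV4/SHV5:
#   1. compare the PIDs the kernel exposes in /proc with the PIDs the ps binary
#      reports; a PID in /proc that ps does not list is being hidden.
#   2. verify the packages owning the commands the post says get replaced
#      (ls, ifconfig, login, ssh, ps/top) against the RPM database.
# Assumptions: Linux with /proc, procps-style `ps -eo pid=`, and for the rpm
# check an RPM-based system (RHEL/CentOS) with the package names used below.
# Caveat: on a rooted host the shell, ps, rpm and the RPM database can all be
# tampered with, so treat a clean result as weak evidence and rerun from
# rescue media or against a known-good package file (rpm -Vp) when possible.

# pid_diff "A" "B": print the PIDs in list A that are missing from list B.
pid_diff() {
    set_b=$(printf ' %s ' $2)        # " 1  2  3 ": every PID space-delimited
    for pid in $1; do
        case "$set_b" in
            *" $pid "*) ;;           # present in B
            *) printf '%s\n' "$pid" ;;
        esac
    done
}

# pid_common "A" "B": print the PIDs present in both lists.
pid_common() {
    set_b=$(printf ' %s ' $2)
    for pid in $1; do
        case "$set_b" in
            *" $pid "*) printf '%s\n' "$pid" ;;
        esac
    done
}

# PIDs straight from the kernel: numeric directory names under /proc.
proc_pids() {
    for d in /proc/[0-9]*; do
        printf '%s ' "${d#/proc/}"
    done
}

# PIDs as the (possibly trojaned) ps binary reports them.
ps_pids() {
    ps -eo pid=
}

# Processes hidden from ps. /proc is sampled before and after ps runs and only
# PIDs present in both snapshots are considered, so processes that start or
# exit while ps is running are not reported as hidden.
live_hidden_pids() {
    before=$(proc_pids)
    seen_by_ps=$(ps_pids)
    after=$(proc_pids)
    stable=$(pid_common "$before" "$after")
    pid_diff "$stable" "$seen_by_ps"
}

# rpm -V prints a 9-character flag field per changed file; a "5" in it means
# the file's digest differs from the package's. Config files (marked "c") are
# skipped because they legitimately change.
verify_system_binaries() {
    rpm -V coreutils net-tools util-linux openssh-clients procps 2>&1 \
        | awk '$1 ~ /5/ && $2 != "c" { print "MODIFIED:", $NF }'
}

# Usage: sh hidden_pids.sh live
case "${1:-}" in
    live)
        echo "== PIDs present in /proc but not reported by ps =="
        for pid in $(live_hidden_pids); do
            printf '%s\t%s\n' "$pid" "$(tr '\0' ' ' < /proc/$pid/cmdline 2>/dev/null)"
        done
        echo "== packaged binaries whose digest no longer matches the RPM database =="
        verify_system_binaries
        ;;
esac
```

The PID comparison is the more trustworthy of the two checks because it reads /proc through the shell's own glob rather than through any procps binary; the rpm check is only as good as the database on disk, which an attacker with root can rebuild.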