這裏簡單說說這次服務器流量跑高的案例。
首先我從 cacti 監控中發現機房裏的一臺服務器流量異常。所謂異常，這裏說明一下：這臺服務器在交換機上限制的帶寬峯值爲 2M，而它卻跑到了 100M。按正常情況，當服務器流量跑滿時，機器會很卡、遠程連接會掉線甚至根本連不上，因此正常業務流量是絕對不可能跑到 100M 的，這就叫流量異常。下面給大家看一下圖：
1、發現異常後，我查了資產登記表，找出這臺機器的 IP 地址和系統信息等。
最終確認這是一臺 CentOS 5.4，密碼只是數字加大小寫字母的簡單組合，而 22 端口又對所有來源開放（見下面的 iptables 規則），很可能是被暴力破解後登錄的。以下是我登錄後查看到的一些信息：
[root@aaa ~]# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@aaa ~]# netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:60003 0.0.0.0:* LISTEN 3552/cupsdd
tcp 0 0 0.0.0.0:5801 0.0.0.0:* LISTEN 2569/Xvnc
tcp 0 0 0.0.0.0:5802 0.0.0.0:* LISTEN 2613/Xvnc
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 2506/mysqld
tcp 0 0 0.0.0.0:14379 0.0.0.0:* LISTEN 3516/ora_d000_thdb
tcp 0 0 0.0.0.0:5803 0.0.0.0:* LISTEN 2674/Xvnc
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN 2569/Xvnc
tcp 0 0 0.0.0.0:5902 0.0.0.0:* LISTEN 2613/Xvnc
tcp 0 0 0.0.0.0:5903 0.0.0.0:* LISTEN 2674/Xvnc
tcp 0 0 119.57.51.103:80 221.209.56.114:27808 SYN_RECV -
tcp 0 0 119.57.51.103:80 221.209.56.114:27807 SYN_RECV -
tcp 0 0 119.57.51.103:80 206.217.132.75:2229 SYN_RECV -
tcp 0 0 119.57.51.103:80 121.232.7.242:51370 SYN_RECV -
tcp 0 0 119.57.51.103:80 182.185.216.13:53534 SYN_RECV -
tcp 0 0 119.57.51.103:80 111.161.23.92:37697 SYN_RECV -
tcp 0 0 119.57.51.103:80 157.55.35.96:18323 SYN_RECV -
tcp 0 0 119.57.51.103:80 125.39.163.95:30525 SYN_RECV -
tcp 0 0 119.57.51.103:80 183.3.87.80:51903 SYN_RECV -
tcp 0 0 119.57.51.103:80 221.209.56.114:27806 SYN_RECV -
tcp 0 0 119.57.51.103:80 221.209.56.114:27809 SYN_RECV -
tcp 0 0 0.0.0.0:1521 0.0.0.0:* LISTEN 3426/tnslsnr
tcp 0 0 0.0.0.0:6001 0.0.0.0:* LISTEN 2569/Xvnc
tcp 0 0 0.0.0.0:6002 0.0.0.0:* LISTEN 2613/Xvnc
tcp 0 0 0.0.0.0:6003 0.0.0.0:* LISTEN 2674/Xvnc
tcp 0 1 127.0.0.1:50865 127.0.0.1:1521 SYN_SENT 3494/ora_pmon_thdb
tcp 0 0 119.57.51.103:32005 202.103.178.76:10991 ESTABLISHED 3648/atdd
tcp 0 0 119.57.51.103:32007 202.103.178.76:10991 ESTABLISHED 4059/atdd
tcp 0 0 119.57.51.103:32006 202.103.178.76:10991 ESTABLISHED 3760/atdd
tcp 0 0 119.57.51.103:32008 202.103.178.76:10991 ESTABLISHED 3881/atdd
tcp 0 0 119.57.51.103:32011 202.103.178.76:10991 ESTABLISHED 4472/atdd
tcp 0 0 119.57.51.103:32012 202.103.178.76:10991 ESTABLISHED 4300/atdd
tcp 0 0 119.57.51.103:32015 202.103.178.76:10991 ESTABLISHED 4617/atdd
tcp 0 0 119.57.51.103:32014 202.103.178.76:10991 ESTABLISHED 4198/atdd
tcp 0 0 119.57.51.103:64255 121.12.110.96:10991 ESTABLISHED 3558/ksapd
tcp 0 0 119.57.51.103:64259 121.12.110.96:10991 ESTABLISHED 3832/ksapd
tcp 0 0 119.57.51.103:64258 121.12.110.96:10991 ESTABLISHED 3652/ksapd
tcp 0 0 119.57.51.103:64257 121.12.110.96:10991 ESTABLISHED 4527/ksapd
tcp 0 1 119.57.51.103:51903 112.90.252.76:10991 SYN_SENT 4544/kysapd
tcp 0 1 119.57.51.103:51902 112.90.252.76:10991 SYN_SENT 4365/kysapd
tcp 0 1 119.57.51.103:51901 112.90.252.76:10991 SYN_SENT 4291/kysapd
tcp 0 1 119.57.51.103:51900 112.90.252.76:10991 SYN_SENT 3978/kysapd
tcp 0 1 119.57.51.103:51899 112.90.252.76:10991 SYN_SENT 3878/kysapd
tcp 0 1 119.57.51.103:51898 112.90.252.76:10991 SYN_SENT 4154/kysapd
tcp 0 1 119.57.51.103:51897 112.90.252.76:10991 SYN_SENT 3709/kysapd
tcp 0 1 119.57.51.103:51896 112.90.252.76:10991 SYN_SENT 3604/kysapd
tcp 0 1 127.0.0.1:5369 127.0.0.1:6113 SYN_SENT 3426/tnslsnr
tcp 0 0 :::80 :::* LISTEN 2879/httpd
tcp 0 0 :::6001 :::* LISTEN 2569/Xvnc
tcp 0 0 :::6002 :::* LISTEN 2613/Xvnc
tcp 0 0 :::6003 :::* LISTEN 2674/Xvnc
tcp 0 0 :::22 :::* LISTEN 2448/sshd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:157.55.34.74:57650 TIME_WAIT -
tcp 0 64 ::ffff:119.57.51.103:22 ::ffff:119.57.180.130:46177 ESTABLISHED 6691/sshd: root@not
tcp 0 29866 ::ffff:119.57.51.103:80 ::ffff:157.55.32.154:24818 FIN_WAIT1 -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:218.106.154.11:14554 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:218.106.154.11:13526 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:180.173.86.128:1107 TIME_WAIT -
tcp 0 6692 ::ffff:119.57.51.103:22 ::ffff:114.250.249.21:56821 ESTABLISHED 7269/0
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:182.118.19.211:10424 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:60.190.138.140:35502 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:221.224.14.222:59613 FIN_WAIT2 7271/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:221.224.14.222:59615 ESTABLISHED 7506/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:221.224.14.222:59614 FIN_WAIT2 7507/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:221.224.14.222:59611 FIN_WAIT2 7505/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:183.60.214.28:55574 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:182.118.19.109:46068 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:157.55.34.74:63141 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:157.55.34.74:11155 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:182.118.19.127:54739 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:218.106.154.11:15706 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:221.224.14.222:59617 FIN_WAIT2 7509/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:221.224.14.222:59616 FIN_WAIT2 7508/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:218.106.154.11:13094 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:182.118.28.30:29387 TIME_WAIT -
tcp 0 1 ::ffff:119.57.51.103:80 ::ffff:125.39.172.32:37149 LAST_ACK -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:157.55.34.74:56558 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:218.106.154.11:13315 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:81.91.9.160:57503 FIN_WAIT2 -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:81.91.9.160:57499 FIN_WAIT2 -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:183.60.213.114:45041 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:60.176.253.144:30624 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:182.118.21.34:16701 ESTABLISHED 7450/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:60.176.253.144:30626 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:60.176.253.144:30627 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:60.176.253.144:30628 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:60.176.253.144:30620 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:157.55.35.96:58678 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:206.217.132.75:2132 FIN_WAIT2 7276/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:157.55.35.96:50474 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:61.55.192.181:3096 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:61.55.192.181:3095 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:61.55.192.181:3094 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:61.55.192.181:3093 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:81.91.9.160:57505 FIN_WAIT2 -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:157.55.35.96:64322 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:182.118.19.84:61477 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:49.81.2.181:8203 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:49.81.2.181:8200 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:49.81.2.181:8204 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:49.81.2.181:8218 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:60.176.253.144:30754 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:49.81.2.181:8211 TIME_WAIT -
tcp 0 37440 ::ffff:119.57.51.103:80 ::ffff:118.250.130.121:7924 ESTABLISHED 6929/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:49.81.2.181:8210 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:157.55.35.96:38531 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:49.81.2.181:8214 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:49.81.2.181:8213 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:49.81.2.181:8212 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:111.164.196.141:9503 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:111.164.196.141:9504 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:61.55.192.181:3231 FIN_WAIT2 -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:61.55.192.181:3230 FIN_WAIT2 -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:110.177.0.129:60133 ESTABLISHED 7518/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:110.177.0.129:60132 ESTABLISHED 7512/httpd
tcp 0 21900 ::ffff:119.57.51.103:80 ::ffff:157.55.33.50:48368 ESTABLISHED 7514/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:111.164.196.141:9530 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:110.177.0.129:60134 ESTABLISHED 7442/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:110.177.0.129:60129 ESTABLISHED 7516/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:111.164.196.141:9532 FIN_WAIT2 -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:110.177.0.129:60131 ESTABLISHED 7517/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:110.177.0.129:60130 ESTABLISHED 7519/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:111.164.196.141:9543 TIME_WAIT -
tcp 0 1 ::ffff:119.57.51.103:80 ::ffff:111.164.196.141:8519 LAST_ACK -
tcp 0 1 ::ffff:119.57.51.103:80 ::ffff:111.164.196.141:8520 LAST_ACK -
tcp 0 1 ::ffff:119.57.51.103:80 ::ffff:111.164.196.141:8521 LAST_ACK -
tcp 0 2602 ::ffff:119.57.51.103:80 ::ffff:157.55.35.96:12748 FIN_WAIT1 -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:121.232.7.242:51371 TIME_WAIT -
tcp 0 1331 ::ffff:119.57.51.103:80 ::ffff:182.185.216.13:53468 ESTABLISHED 7440/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:60.176.253.144:30810 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:81.91.9.160:57459 FIN_WAIT2 -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:60.176.253.144:30812 TIME_WAIT -
[root@aaa ~]# cat /etc/rc.local
#!/bin/sh
# Attacker-installed persistence, reproduced verbatim from /etc/rc.local on the
# compromised host (evidence listing — do not "tidy" it, compare it against the
# host as found).
#
# Every line re-launches one of four binaries dropped into /etc: cupsdd, ksapd,
# kysapd and atdd. None of them is a stock CentOS 5.4 component. The netstat
# output above shows cupsdd bound to 0.0.0.0:60003 and atdd/ksapd/kysapd holding
# (or attempting) outbound connections to port 10991 on three remote hosts; the
# OUTPUT chain policy is ACCEPT, so nothing on the box stops that egress. The
# file names match those commonly reported for a Linux DDoS bot family — confirm
# by hashing the files rather than by name alone.
#
# The four-line group is pasted eight times. Because rc.local runs sequentially
# and netstat lists several PIDs per name, each invocation evidently returns at
# once (cupsdd is explicitly backgrounded with nohup; the other three appear to
# detach themselves — verify on the binaries).
#
# Remediation: preserve copies/hashes of the four files first, remove every line
# below, kill the running processes, delete the binaries — and, since root was
# taken, rebuild the host rather than trust the cleanup.

# Group 1: cupsdd detached and silenced, then the three others started in /etc.
nohup /etc/cupsdd > /dev/null 2>&1&
cd /etc;./ksapd
cd /etc;./kysapd
cd /etc;./atdd
# Group 2 (identical).
nohup /etc/cupsdd > /dev/null 2>&1&
cd /etc;./ksapd
cd /etc;./kysapd
cd /etc;./atdd
# Group 3 (identical).
nohup /etc/cupsdd > /dev/null 2>&1&
cd /etc;./ksapd
cd /etc;./kysapd
cd /etc;./atdd
# Group 4 (identical).
nohup /etc/cupsdd > /dev/null 2>&1&
cd /etc;./ksapd
cd /etc;./kysapd
cd /etc;./atdd
# Group 5 (identical).
nohup /etc/cupsdd > /dev/null 2>&1&
cd /etc;./ksapd
cd /etc;./kysapd
cd /etc;./atdd
# Group 6 (identical).
nohup /etc/cupsdd > /dev/null 2>&1&
cd /etc;./ksapd
cd /etc;./kysapd
cd /etc;./atdd
# Group 7 (identical).
nohup /etc/cupsdd > /dev/null 2>&1&
cd /etc;./ksapd
cd /etc;./kysapd
cd /etc;./atdd
# Group 8 (identical; its final ./atdd line follows).
nohup /etc/cupsdd > /dev/null 2>&1&
cd /etc;./ksapd
cd /etc;./kysapd
cd /etc;./atdd
以上就是此次案例的文字記錄。在這裏提醒大家：密碼一定不能簡單化，尤其是有公網 IP 的機器。從上面的信息還能看到幾個問題：iptables 把 22 端口對所有來源（0.0.0.0/0）放行，OUTPUT 鏈默認 ACCEPT，所以惡意程序對外連 10991 端口完全不受限制；netstat 中來自 114.250.249.21 的 22 端口連接，進程名顯示爲「7269/0」，很不正常，應核實是否爲攻擊者的會話；5901-5903（Xvnc）、3306、1521 等服務也都綁定在 0.0.0.0 上，只靠 INPUT 鏈的 DROP 策略擋着。處理方法：先保留證據（拷貝 /etc/rc.local 以及 /etc 下的 cupsdd、ksapd、kysapd、atdd 四個文件並記錄哈希），再把 rc.local 裏攻擊者添加的啓動項全部刪除、殺掉對應進程、刪除文件、更換密碼，並把 SSH 改爲密鑰登錄且限制來源 IP。不過 root 已經被拿下，無法保證沒有其他後門，強烈建議重新做系統，安全要做好！
————————————————
版權聲明:本文爲CSDN博主「RedHat-小怪獸」的原創文章,遵循 CC 4.0 BY-SA 版權協議,轉載請附上原文出處連接及本聲明。
原文連接：https://blog.csdn.net/redhat_xiaoguaishou/article/details/19042147