【问讯飞星火】
这是什么意思:Oct 16 22:32:01 centos76 CROND[15768]: (root) CMD (/tmp/rmrf/.files/./.b4nd1d0 > /dev/null 2>&1 & disown)
这是一个CRON任务的日志记录。它表示在10月16日22:32:01,CROND服务(一个用于管理定时任务的服务)执行了一个命令。这个命令是:
简单密码还敢放到公网上,真是心大. 建议还是重要文件备份出来,然后重装系统. 后门很难查,一般都隐藏在一些常规二进制程序里. 还是重装最省事
/tmp/rmrf/.files/./.b4nd1d0 > /dev/null 2>&1 & disown
这个命令的作用是将/tmp/rmrf/.files/./.b4nd1d0文件的内容重定向到/dev/null(即丢弃输出),并将错误信息也重定向到/dev/null。同时,使用&将命令放到后台运行,并使用disown命令使该命令与当前shell分离,这样即使当前shell退出,该命令也不会被终止。
看不出有没有被新增的用户
[root@centos76 ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
mysql:x:1000:1000::/home/mysql:/sbin/nologin
nginx:x:1001:1001::/home/nginx:/sbin/nologin
[root@centos76 ~]# lastlog
Username Port From Latest
root pts/0 192.168.1.98 Tue Oct 17 10:37:41 +0800 2023
bin **Never logged in**
daemon **Never logged in**
adm **Never logged in**
lp **Never logged in**
sync **Never logged in**
shutdown **Never logged in**
halt **Never logged in**
mail **Never logged in**
operator **Never logged in**
games **Never logged in**
ftp **Never logged in**
nobody **Never logged in**
systemd-network **Never logged in**
dbus **Never logged in**
polkitd **Never logged in**
sshd **Never logged in**
postfix **Never logged in**
mysql **Never logged in**
nginx **Never logged in**
[root@centos76 ~]#
123456 哈哈哈😃
https://www.chengyao.xyz
列出所有service
[root@centos76 ~]# systemctl list-units --type=service
UNIT LOAD ACTIVE SUB DESCRIPTION
UNIT LOAD ACTIVE SUB DESCRIPTION
UNIT LOAD ACTIVE SUB DESCRIPTION
UNIT LOAD ACTIVE SUB DESCRIPTION
UNIT LOAD ACTIVE SUB DESCRIPTION
auditd.service loaded active running Security Auditing Service
containerd.service loaded active running containerd container runtime
crond.service loaded active running Command Scheduler
dbus.service loaded active running D-Bus System Message Bus
docker.service loaded active running Docker Application Container Engine
frpc.service loaded active running frpc service
getty@tty1.service loaded active running Getty on tty1
irqbalance.service loaded active running irqbalance daemon
kdump.service loaded active exited Crash recovery kernel arming
kmod-static-nodes.service loaded active exited Create list of required static device nodes for the current kernel
lvm2-lvmetad.service loaded active running LVM2 metadata daemon
lvm2-monitor.service loaded active exited Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling
lvm2-pvscan@8:3.service loaded active exited LVM2 PV scan on device 8:3
myservice.service loaded activating auto-restart Example systemd service.
mysql57.service loaded active running LSB: start and stop MySQL
mysql81.service loaded active running LSB: start and stop MySQL
network.service loaded active exited LSB: Bring up/down networking
NetworkManager-wait-online.service loaded active exited Network Manager Wait Online
NetworkManager.service loaded active running Network Manager
polkit.service loaded active running Authorization Manager
postfix.service loaded active running Postfix Mail Transport Agent
rhel-dmesg.service loaded active exited Dump dmesg to /var/log/dmesg
rhel-domainname.service loaded active exited Read and set NIS domainname from /etc/sysconfig/network
rhel-import-state.service loaded active exited Import network configuration from initramfs
rhel-readonly.service loaded active exited Configure read-only root support
rsyslog.service loaded active running System Logging Service
sshd.service loaded active running OpenSSH server daemon
systemd-backlight@backlight:acpi_video0.service loaded active exited Load/Save Screen Backlight Brightness of backlight:acpi_video0
systemd-journal-flush.service loaded active exited Flush Journal to Persistent Storage
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running Login Service
systemd-random-seed.service loaded active exited Load/Save Random Seed
systemd-readahead-collect.service loaded active exited Collect Read-Ahead Data
systemd-readahead-replay.service loaded active exited Replay Read-Ahead Data
systemd-remount-fs.service loaded active exited Remount Root and Kernel File Systems
systemd-sysctl.service loaded active exited Apply Kernel Variables
systemd-tmpfiles-setup-dev.service loaded active exited Create Static Device Nodes in /dev
systemd-tmpfiles-setup.service loaded active exited Create Volatile Files and Directories
systemd-udev-trigger.service loaded active exited udev Coldplug all Devices
systemd-udevd.service loaded active running udev Kernel Device Manager
systemd-update-utmp.service loaded active exited Update UTMP about System Boot/Shutdown
systemd-user-sessions.service loaded active exited Permit User Sessions
systemd-vconsole-setup.service loaded active exited Setup Virtual Console
tuned.service loaded active running Dynamic System Tuning Daemon
frp使用情况:
Name
ssh
Port
6022
Connections
0
Traffic In
4.61 MB
Traffic Out
7.00 MB
ClientVersion
0.51.0
Status
online