如何让别人网站降权优化推广公司哪家好
周末想打两把训练赛,没想到朋友发来一个截图
我:嗯??wtf
于是我上服务器看了一下日志,诶我超,还真的
查看进程详情
[root@iZ7xv7q4im4c48qen2do2bZ project]# pstree -tp postgres
memory(904475)─┬─{memory}(904476)├─{memory}(904477)├─{memory}(904478)├─{memory}(904479)├─{memory}(904480)├─{memory}(904856)└─{memory}(904857)pg_mem(904437)─┬─{pg_mem}(904440)├─{pg_mem}(904441)├─{pg_mem}(904442)└─{pg_mem}(904444)psql(61378)systemd(61206)───(sd-pam)(61208)
[root@iZ7xv7q4im4c48qen2do2bZ project]# ps -aux
postgres  904437  0.1  2.3 730512 40128 ?        Ssl  12:09   0:01 postgres
postgres  904475 23.6 15.6 310828 265260 ?       Sl   12:09   3:32 postgres: autovacuum reader
查看是否有人ssh登录
[root@iZ7xv7q4im4c48qen2do2bZ project]# w12:26:20 up 8 days,  1:26,  0 users,  load average: 0.03, 0.15, 0.33
USER     TTY        LOGIN@   IDLE   JCPU   PCPU WHAT
查看登录记录
[root@iZ7xv7q4im4c48qen2do2bZ project]# last
root     pts/3        127.0.0.1        Sat Sep  2 12:08 - 12:08  (00:00)
root     pts/1        127.0.0.1        Mon Aug 28 10:09 - 12:02  (01:53)
root     pts/1        127.0.0.1        Fri Aug 25 17:41 - 17:41  (00:00)
root     pts/0        127.0.0.1        Fri Aug 25 11:50 - 14:04  (02:13)
root     pts/0        127.0.0.1        Fri Aug 25 11:01 - 11:50  (00:49)
reboot   system boot  5.14.0-350.el9.x Fri Aug 25 10:59   still running
root     pts/0        127.0.0.1        Fri Aug 25 09:54 - 10:59  (01:05)
admin    pts/0        100.104.200.30   Fri Aug 25 09:53 - 09:53  (00:00)
admin    pts/0        100.104.200.30   Fri Aug 25 09:53 - 09:53  (00:00)
reboot   system boot  5.14.0-350.el9.x Fri Aug 25 09:49 - 10:59  (01:10)
root     pts/0        127.0.0.1        Fri Aug 25 01:28 - 01:28  (00:00)
root     pts/0        127.0.0.1        Fri Aug 25 01:01 - 01:19  (00:17)
root     pts/1        127.0.0.1        Fri Aug 25 00:03 - 00:04  (00:01)
root     pts/0        127.0.0.1        Thu Aug 24 21:13 - 21:15  (00:01)
root     pts/0        127.0.0.1        Thu Aug 24 20:54 - 21:12  (00:18)
root     pts/0        127.0.0.1        Thu Aug 24 20:52 - 20:53  (00:01)
root     pts/0        127.0.0.1        Thu Aug 24 20:41 - 20:51  (00:10)
root     pts/0        127.0.0.1        Thu Aug 24 00:31 - 08:16  (07:44)
root     pts/2        127.0.0.1        Wed Aug 23 17:46 - 17:46  (00:00)
root     pts/2        127.0.0.1        Wed Aug 23 17:38 - 17:38  (00:00)
root     pts/2        127.0.0.1        Wed Aug 23 17:16 - 17:16  (00:00)
root     pts/2        127.0.0.1        Wed Aug 23 16:08 - 16:08  (00:00)
root     pts/2        127.0.0.1        Wed Aug 23 16:07 - 16:07  (00:00)
root     pts/2        127.0.0.1        Wed Aug 23 15:46 - 15:47  (00:00)
root     pts/1        127.0.0.1        Wed Aug 23 15:10 - 17:50  (02:39)
root     pts/1        127.0.0.1        Wed Aug 23 12:58 - 12:58  (00:00)
root     pts/1        127.0.0.1        Wed Aug 23 12:58 - 12:58  (00:00)
root     pts/1        127.0.0.1        Wed Aug 23 12:56 - 12:56  (00:00)
root     pts/1        127.0.0.1        Wed Aug 23 11:51 - 11:51  (00:00)
root     pts/1        127.0.0.1        Wed Aug 23 11:49 - 11:49  (00:00)
admin    pts/0        100.104.200.36   Wed Aug 23 11:41 - 17:57  (06:15)
admin    pts/0        100.104.200.36   Wed Aug 23 11:41 - 11:41  (00:00)
root     pts/0        127.0.0.1        Wed Aug 23 01:32 - 07:29  (05:57)
root     pts/0        127.0.0.1        Wed Aug 23 01:26 - 01:32  (00:05)
root     pts/0        127.0.0.1        Wed Aug 23 01:16 - 01:17  (00:01)
reboot   system boot  5.14.0-350.el9.x Wed Aug 23 01:06 - 10:59 (2+09:53)
admin    pts/0        100.104.200.27   Wed Aug 23 00:35 - crash  (00:30)
admin    pts/0        100.104.200.27   Wed Aug 23 00:35 - 00:35  (00:00)
reboot   system boot  5.14.0-350.el9.x Wed Aug 23 00:33 - 10:59 (2+10:26)
admin    pts/0        100.104.200.41   Wed Aug 23 00:08 - 00:32  (00:23)
admin    pts/0        100.104.200.41   Wed Aug 23 00:08 - 00:08  (00:00)
reboot   system boot  5.14.0-350.el9.x Wed Aug 23 00:08 - 10:59 (2+10:51)
admin    pts/0        100.104.200.30   Tue Aug 22 23:04 - 23:38  (00:33)
admin    pts/0        100.104.200.30   Tue Aug 22 23:04 - 23:04  (00:00)
reboot   system boot  5.14.0-350.el9.x Tue Aug 22 23:03 - 10:59 (2+11:56)
root     pts/1        127.0.0.1        Tue Aug 22 22:29 - 22:29  (00:00)
root     pts/1        127.0.0.1        Tue Aug 22 22:26 - 22:26  (00:00)
admin    pts/0        100.104.200.23   Tue Aug 22 21:50 - crash  (01:12)
admin    pts/0        100.104.200.23   Tue Aug 22 21:50 - 21:50  (00:00)
reboot   system boot  5.14.0-134.el9.x Tue Aug 22 21:45 - 10:59 (2+13:13)
reboot   system boot  5.14.0-134.el9.x Tue Aug  9 15:38 - 15:39  (00:00)wtmp begins Wed Jul 27 14:03:31 2022
查看进程详情
 [root@iZ7xv7q4im4c48qen2do2bZ project]top -p 904475
top - 12:34:17 up 8 days,  1:34,  0 users,  load average: 2.27, 1.78, 1.04
Tasks:   1 total,   0 running,   1 sleeping,   0 stopped,   0 zombie
%Cpu(s): 97.0 us,  1.8 sy,  0.0 ni,  0.2 id,  0.0 wa,  0.8 hi,  0.2 si,  0.0 st
MiB Mem :   1660.5 total,     74.1 free,   1510.4 used,    239.6 buff/cache
MiB Swap:   1025.0 total,   1025.0 free,      0.0 used.    150.1 avail Mem PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND                                                             904475 postgres  20   0  325500 273364      0 S 189.0  16.1  15:46.91 memory    [root@iZ7xv7q4im4c48qen2do2bZ project]# ll /proc/904475
total 0
-r--r--r--  1 postgres postgres 0 Sep  2 12:34 arch_status
dr-xr-xr-x  2 postgres postgres 0 Sep  2 12:34 attr
-rw-r--r--  1 postgres postgres 0 Sep  2 12:34 autogroup
-r--------  1 postgres postgres 0 Sep  2 12:34 auxv
-r--r--r--  1 postgres postgres 0 Sep  2 12:32 cgroup
--w-------  1 postgres postgres 0 Sep  2 12:34 clear_refs
-r--r--r--  1 postgres postgres 0 Sep  2 12:09 cmdline
-rw-r--r--  1 postgres postgres 0 Sep  2 12:09 comm
-rw-r--r--  1 postgres postgres 0 Sep  2 12:34 coredump_filter
-r--r--r--  1 postgres postgres 0 Sep  2 12:34 cpu_resctrl_groups
-r--r--r--  1 postgres postgres 0 Sep  2 12:34 cpuset
lrwxrwxrwx  1 postgres postgres 0 Sep  2 12:09 cwd -> /tmp
-r--------  1 postgres postgres 0 Sep  2 12:34 environ
lrwxrwxrwx  1 postgres postgres 0 Sep  2 12:09 exe -> /var/tmp/other_project/memory
dr-x------  2 postgres postgres 0 Sep  2 12:09 fd
dr-xr-xr-x  2 postgres postgres 0 Sep  2 12:34 fdinfo
-rw-r--r--  1 postgres postgres 0 Sep  2 12:34 gid_map
-r--------  1 postgres postgres 0 Sep  2 12:09 io
-r--------  1 postgres postgres 0 Sep  2 12:34 ksm_merging_pages
-r--r--r--  1 postgres postgres 0 Sep  2 12:34 limits
-rw-r--r--  1 postgres postgres 0 Sep  2 12:34 loginuid
dr-x------  2 postgres postgres 0 Sep  2 12:34 map_files
-r--r--r--  1 postgres postgres 0 Sep  2 12:34 maps
-rw-------  1 postgres postgres 0 Sep  2 12:34 mem
-r--r--r--  1 postgres postgres 0 Sep  2 12:34 mountinfo
-r--r--r--  1 postgres postgres 0 Sep  2 12:34 mounts
-r--------  1 postgres postgres 0 Sep  2 12:34 mountstats
dr-xr-xr-x 56 postgres postgres 0 Sep  2 12:34 net
dr-x--x--x  2 postgres postgres 0 Sep  2 12:34 ns
-r--r--r--  1 postgres postgres 0 Sep  2 12:34 numa_maps
-rw-r--r--  1 postgres postgres 0 Sep  2 12:34 oom_adj
-r--r--r--  1 postgres postgres 0 Sep  2 12:34 oom_score
-rw-r--r--  1 postgres postgres 0 Sep  2 12:34 oom_score_adj
-r--------  1 postgres postgres 0 Sep  2 12:34 pagemap
-r--------  1 postgres postgres 0 Sep  2 12:34 patch_state
-r--------  1 postgres postgres 0 Sep  2 12:34 personality
-rw-r--r--  1 postgres postgres 0 Sep  2 12:34 projid_map
lrwxrwxrwx  1 postgres postgres 0 Sep  2 12:34 root -> /
-rw-r--r--  1 postgres postgres 0 Sep  2 12:34 sched
-r--r--r--  1 postgres postgres 0 Sep  2 12:34 schedstat
-r--r--r--  1 postgres postgres 0 Sep  2 12:34 sessionid
-rw-r--r--  1 postgres postgres 0 Sep  2 12:34 setgroups
-r--r--r--  1 postgres postgres 0 Sep  2 12:34 smaps
-r--r--r--  1 postgres postgres 0 Sep  2 12:34 smaps_rollup
-r--------  1 postgres postgres 0 Sep  2 12:34 stack
-r--r--r--  1 postgres postgres 0 Sep  2 12:09 stat
-r--r--r--  1 postgres postgres 0 Sep  2 12:09 statm
-r--r--r--  1 postgres postgres 0 Sep  2 12:09 status
-r--------  1 postgres postgres 0 Sep  2 12:34 syscall
dr-xr-xr-x 10 postgres postgres 0 Sep  2 12:34 task
-rw-r--r--  1 postgres postgres 0 Sep  2 12:34 timens_offsets
-r--r--r--  1 postgres postgres 0 Sep  2 12:34 timers
-rw-rw-rw-  1 postgres postgres 0 Sep  2 12:34 timerslack_ns
-rw-r--r--  1 postgres postgres 0 Sep  2 12:34 uid_map
-r--r--r--  1 postgres postgres 0 Sep  2 12:34 wchan
这postgres在干啥,用了99%的cpu
查看系统服务
[root@iZ7xv7q4im4c48qen2do2bZ project]#systemctl  status └─user-26.slice├─session-5922.scope│ ├─904437 postgres│ └─904475 "postgres: autovacuum reader"├─session-c7.scope│ └─61378 psql└─user@26.service└─init.scope├─61206 /usr/lib/systemd/systemd --user└─61208 "(sd-pam)"
[root@iZ7xv7q4im4c48qen2do2bZ project]# systemctl -t sliceUNIT                                 LOAD   ACTIVE SUB    DESCRIPTION                    -.slice                              loaded active active Root Slicesystem-code\x2dserver.slice          loaded active active Slice /system/code-serverUNIT                                 LOAD   ACTIVE SUB    DESCRIPTION                    -.slice                              loaded active active Root Slicesystem-code\x2dserver.slice          loaded active active Slice /system/code-serversystem-code\x2dserver\x2dafter.slice loaded active active Slice /system/code-server-aftersystem-getty.slice                   loaded active active Slice /system/gettysystem-modprobe.slice                loaded active active Slice /system/modprobesystem-serial\x2dgetty.slice         loaded active active Slice /system/serial-gettysystem-sshd\x2dkeygen.slice          loaded active active Slice /system/sshd-keygensystem-systemd\x2dcoredump.slice     loaded active active Slice /system/systemd-coredumpsystem-systemd\x2dfsck.slice         loaded active active Slice /system/systemd-fscksystem.slice                         loaded active active System Sliceuser-26.slice                        loaded active active User Slice of UID 26user.slice                           loaded active active User and Session SliceLOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.[root@iZ7xv7q4im4c48qen2do2bZ project]# systemctl status user-26.slice 
● user-26.slice - User Slice of UID 26Loaded: loadedDrop-In: /usr/lib/systemd/system/user-.slice.d└─10-defaults.confActive: active since Fri 2023-08-25 17:32:40 CST; 1 week 0 days agoUntil: Fri 2023-08-25 17:32:40 CST; 1 week 0 days agoDocs: man:user@.service(5)Tasks: 17 (limit: 4281)Memory: 337.6MCPU: 36min 34.062sCGroup: /user.slice/user-26.slice├─session-5922.scope│ ├─904437 postgres│ └─904475 "postgres: autovacuum reader"├─session-c7.scope│ └─61378 psql
Sep 02 12:50:40 iZ7xv7q4im4c48qen2do2bZ systemd[910257]: Created slice User Background Tasks Slice.
Sep 02 12:50:40 iZ7xv7q4im4c48qen2do2bZ systemd[910257]: Starting Cleanup of User's Temporary Files and Directories...
Sep 02 12:50:40 iZ7xv7q4im4c48qen2do2bZ systemd[910257]: Finished Cleanup of User's Temporary Files and Directories.
Sep 02 12:51:01 iZ7xv7q4im4c48qen2do2bZ CROND[911181]: (postgres) CMD (/var/lib/pgsql/data/pg_mem nLTlZMOfS1ekfDPMUgBASqHkjsz1bMc/WqOiBI8v>
Sep 02 12:52:01 iZ7xv7q4im4c48qen2do2bZ CROND[911305]: (postgres) CMD (/var/lib/pgsql/data/pg_mem nLTlZMOfS1ekfDPMUgBASqHkjsz1bMc/WqOiBI8v>
Sep 02 12:53:01 iZ7xv7q4im4c48qen2do2bZ CROND[911380]: (postgres) CMD (/var/lib/pgsql/data/pg_mem nLTlZMOfS1ekfDPMUgBASqHkjsz1bMc/WqOiBI8v>
Sep 02 12:54:01 iZ7xv7q4im4c48qen2do2bZ CROND[911454]: (postgres) CMD (/var/lib/pgsql/data/pg_mem nLTlZMOfS1ekfDPMUgBASqHkjsz1bMc/WqOiBI8v>
Sep 02 12:55:02 iZ7xv7q4im4c48qen2do2bZ CROND[911537]: (postgres) CMD (/var/lib/pgsql/data/pg_mem nLTlZMOfS1ekfDPMUgBASqHkjsz1bMc/WqOiBI8v>
Sep 02 12:56:01 iZ7xv7q4im4c48qen2do2bZ CROND[911877]: (postgres) CMD (/var/lib/pgsql/data/pg_mem nLTlZMOfS1ekfDPMUgBASqHkjsz1bMc/WqOiBI8v>
Sep 02 12:57:01 iZ7xv7q4im4c48qen2do2bZ CROND[912045]: (postgres) CMD (/var/lib/pgsql/data/pg_mem nLTlZMOfS1ekfDPMUgBASqHkjsz1bMc/WqOiBI8v>[root@iZ7xv7q4im4c48qen2do2bZ project]# systemctl cat user-26.slice 
# /usr/lib/systemd/system/user-.slice.d/10-defaults.conf
#  SPDX-License-Identifier: LGPL-2.1-or-later
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.[Unit]
Description=User Slice of UID %j
Documentation=man:user@.service(5)
StopWhenUnneeded=yes[Slice]
TasksMax=33%[root@iZ7xv7q4im4c48qen2do2bZ project]#find /usr/lib/systemd/system -name *user-26*[root@iZ7xv7q4im4c48qen2do2bZ project]# find / -name *user-26*
/sys/fs/cgroup/user.slice/user-26.slice# 查看网络访问
[root@iZ7xv7q4im4c48qen2do2bZ user-26.slice]# netstat -antpu |grep post
tcp        0      1 172.18.42.125:35246     157.240.8.36:13333      SYN_SENT    10084/postgres: aut systemd-cgtop
[root@iZ7xv7q4im4c48qen2do2bZ cgroup]# find / -name *session-122.scope*
/run/systemd/transient/session-122.scope
/run/systemd/units/invocation:session-122.scope
/sys/fs/cgroup/user.slice/user-26.slice/session-122.scope[root@iZ7xv7q4im4c48qen2do2bZ cgroup]# systemd-cgls
├─user.slice (#1213)
│ → user.invocation_id: 3c49f5127e624ba4865bad4633078564
│ → trusted.invocation_id: 3c49f5127e624ba4865bad4633078564
│ └─user-26.slice (#15590)
│   → user.invocation_id: ffc42d8b229c438a9bde46d2ca97e78b
│   → trusted.invocation_id: ffc42d8b229c438a9bde46d2ca97e78b
│   ├─user@26.service … (#15660)
│   │ → user.delegate: 1
│   │ → trusted.delegate: 1
│   │ → user.invocation_id: 1178a7bb2d6c47d7b00ccc2d8e13776a
│   │ → trusted.invocation_id: 1178a7bb2d6c47d7b00ccc2d8e13776a
│   │ └─init.scope (#15695)
│   │   ├─18728 /usr/lib/systemd/systemd --user
│   │   └─18729 (sd-pam)
│   └─session-170.scope (#15835)
│     → user.invocation_id: 09dfca512d4e4535a23c270e4ce2df41
│     → trusted.invocation_id: 09dfca512d4e4535a23c270e4ce2df41
│     ├─18740 postgres
│     └─18776 postgres: autovacuum reader
确定了是利用了user-26.slice进行自启动user@26.service,user@26.service又启动了18776 postgres: autovacuum reader
#终止session又会自启动
systemctl kill session-122.scope
有知道怎么终止user-26.slice的跟我说下,网上找一圈没找到方法,去redhat也搜不到。
最终解决方案
# 因为这个账户是dnf install postgresql 创建的,目前postgresql服务已经停了就直接删除这个用户,阻止他自启动
userdel postgres -f
其实锁定用户应该也行,至于问题的原因是postgresql的bug还是被入侵了后面有空再看



