一次惊心动魄的linux肉鸡入侵检测经历

root15840.00.0185268?SNov170:00/sbin/ttyload-q
root15860.00.01500168?SNov170:26ttymontymon
[root@victimroot]#netstat-anp
ActiveInternetconnections(serversandestablished)
ProtoRecv-QSend-QLocalAddressForeignAddressStatePID/Programname
tcp000.0.0.0:313380.0.0.0:*LISTEN1584/ttyload
tcp000.0.0.0:800.0.0.0:*LISTEN1702/httpd
tcp000.0.0.0:220.0.0.0:*LISTEN1516/sshd
tcp00127.0.0.1:250.0.0.0:*LISTEN1540/
raw000.0.0.0:10.0.0.0:*71586/ttymon
raw131200.0.0.0:10.0.0.0:*71586/ttymon

[root@victimroot]#lsof-n-p1584
COMMANDPIDUSERFDTYPEDEVICESIZENODENAME
31584rootcwdDIR8,340962/
31584rootrtdDIR8,340962/
31584roottxtREG8,3652620212994/tmp/sh-DJYK3MJABRP(deleted)-->这个是upx压缩后的特征之一。
31584rootmemREG8,310304412828674/lib/ld-2.3.2.so
31584rootmemREG8,39160412828689/lib/libnsl-2.3.2.so
31584rootmemREG8,32366812828683/lib/libcrypt-2.3.2.so
31584rootmemREG8,31269612828711/lib/libutil-2.3.2.so
31584rootmemREG8,3153106413991938/lib/tls/libc-2.3.2.so
31584root0uCHR1,367051/dev/null
31584root1uCHR1,367051/dev/null
31584root2uCHR1,367051/dev/null
31584root3uIPv41798TCP*:31338(LISTEN)
[root@victimroot]#lsof-n-p1586
COMMANDPIDUSERFDTYPEDEVICESIZENODENAME
ttymon1586rootcwdDIR8,340962/
ttymon1586rootrtdDIR8,340962/
ttymon1586roottxtREG8,39347643663399/sbin/ttymon
ttymon1586rootmemREG8,310304412828674/lib/ld-2.3.2.so
ttymon1586rootmemREG8,35247212828695/lib/libnss_files-2.3.2.so
ttymon1586rootmemREG8,3153106413991938/lib/tls/libc-2.3.2.so
ttymon1586root3uraw179900000000:0001->00000000:0000st=07

[root@victimroot]#nclocalhost31338
SSH-1.5-2.0.13