I happened to glance at the output of ps and noticed it looks different from what I normally see, and it is the same kind of output every time.
lic@Nginx:~$ ps
  PID TTY          TIME CMD
31544 pts/1    00:00:00 bash
32002 pts/1    00:00:00 ps
32003 pts/1    00:00:00 sh
32004 pts/1    00:00:00 ps
lic@Nginx:~$ strace ps
execve("/bin/ps", ["ps"], [/* 20 vars */]) = 0
[ Process PID=32131 runs in 32 bit mode. ]
uname({sys="Linux", node="Nginx", ...}) = 0
brk(0) = 0x9602000
brk(0x9602c90) = 0x9602c90
set_thread_area(0xffe53de4) = 0
set_tid_address(0x9602878) = 32131
rt_sigaction(SIGRTMIN, {0x8093710, [], SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x8093778, [], SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
_sysctl({0x2081076ec, -1753584, (nil), (nil), (nil), 18439214703981887489}) = 0
brk(0x9623c90) = 0x9623c90
brk(0x9624000) = 0x9624000
brk(0x9648000) = 0x9648000
futex(0x8132c4c, FUTEX_WAKE, 2147483647) = 0
brk(0x9669000) = 0x9669000
close(3) = -1 EBADF (Bad file descriptor)
close(4) = -1 EBADF (Bad file descriptor)
... (a long run of close() calls, from fd 3 all the way up to 1023)
close(1023) = -1 EBADF (Bad file descriptor)
readlink("/proc/32131/exe", "/bin/ps", 1024) = 7
stat64("/bin/ps", {st_mode=S_IFREG|0755, st_size=1223123, ...}) = 0
getppid() = 32127
readlink("/proc/32127/exe", "/usr/bin/strace", 255) = 15
readlink("/proc/32131/exe", "/bin/ps", 1024) = 7
readlink("/proc/32131/exe", "/bin/ps", 1024) = 7
readlink("/proc/32131/exe", "/bin/ps", 1024) = 7
access("/usr/bin/dpkgd/ps", F_OK) = 0
pipe([3, 4]) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0) = 32132
close(4) = 0
fstat64(3, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xfffffffff778c000
read(3, " PID TTY TIME CMD\n3154"..., 4096) = 169
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=32132, si_status=0, si_utime=0, si_stime=0} ---
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xfffffffff778b000
write(1, " PID TTY TIME CMD\n", 28 PID TTY TIME CMD
) = 28
write(1, "31544 pts/1 00:00:00 bash\n", 2931544 pts/1 00:00:00 bash
) = 29
write(1, "32127 pts/1 00:00:00 strace\n", 3132127 pts/1 00:00:00 strace
) = 31
write(1, "32131 pts/1 00:00:00 ps\n", 2732131 pts/1 00:00:00 ps
) = 27
write(1, "32132 pts/1 00:00:00 sh\n", 2732132 pts/1 00:00:00 sh
) = 27
write(1, "32133 pts/1 00:00:00 ps\n", 2732133 pts/1 00:00:00 ps
) = 27
read(3, "", 4096) = 0
close(3) = 0
waitpid(32132, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 32132
munmap(0xf778c000, 4096) = 0
munmap(0xf778b000, 4096) = 0
exit_group(0) = ?
+++ exited with 0 +++
1  ihciah  2017-07-02 02:53:27 +08:00 via iPhone
Check the hashes, and find a known-clean machine of the same build to compare against?

2  kyrre  OP
The md5 of the bash binary is indeed different.

3  fiht  2017-07-02 11:34:46 +08:00
If ps shows nothing, ps itself may have been replaced; find a known-clean machine of the same build and compare. Also look under /etc/init.d for unusual startup files; on both servers I have seen compromised through weak passwords, I found unusual startup files there.

4  xdqi  2017-07-02 16:45:21 +08:00
/usr/bin/dpkgd/ps: it looks like ps has been swapped out.
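Replies 1 and 3 suggest comparing hashes against a clean machine, and reply 4 points at the /usr/bin/dpkgd/ps path that the strace shows the replaced /bin/ps probing before it forks a child. As an added example (not code from the thread), here is a POSIX shell check that verifies installed files against a dpkg-style md5sums list and reports that helper path. The md5sums list must come from a trusted source (a freshly downloaded .deb or the clean machine), since on a tampered host /var/lib/dpkg/info can have been edited as well; the root argument lets you run it against a mounted image instead of the live filesystem.

```shell
#!/bin/sh
# Added example, not from the thread. Checks files against a dpkg-style
# md5sums list ("<md5>  <path relative to />", the format used by
# /var/lib/dpkg/info/<pkg>.md5sums and read by debsums / dpkg -V) and
# reports the helper binary the strace above showed /bin/ps reaching for.

# verify_md5sums <md5sums-file> <root>
# Prints one line per problem ("MISMATCH <path>" or "MISSING <path>").
# Returns 0 when every listed file matches, 1 otherwise.
verify_md5sums() {
    list=$1
    root=${2:-/}
    bad=0
    while read -r expected rel; do
        [ -n "$rel" ] || continue               # skip blank lines
        path="$root/$rel"
        if [ ! -f "$path" ]; then
            echo "MISSING  $rel"
            bad=$((bad + 1))
            continue
        fi
        actual=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $rel (expected $expected, got $actual)"
            bad=$((bad + 1))
        fi
    done < "$list"
    [ "$bad" -eq 0 ]
}

# find_wrapper_helper <root>
# The strace shows /bin/ps calling access("/usr/bin/dpkgd/ps", F_OK) and
# then pipe()+clone() to run a child whose output it copies to stdout;
# dpkg and procps create no such directory. Prints the path if present;
# returns 0 if absent, 1 if found.
find_wrapper_helper() {
    root=${1:-/}
    helper="$root/usr/bin/dpkgd/ps"
    if [ -e "$helper" ]; then
        echo "FOUND    $helper"
        return 1
    fi
    return 0
}

# Typical use on a live host, with a list copied from a clean machine:
#   verify_md5sums /tmp/procps.md5sums.clean / ; find_wrapper_helper /
```

Any MISMATCH on a file under /bin, /usr/bin or /sbin deserves the same treatment as the ps here: compare the file against the clean copy before trusting anything it prints.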