lihongjie0209 opened this issue 3 years ago (status: Open)
I had a server that had been sitting idle; Jenkins had been installed on it earlier for testing. After logging in I noticed some anomalies.

The most obvious one was CPU at 100%, but the Command column was empty.

Querying through /proc also showed no command line:
```
[root@VM_45_207_centos ~]# cat /proc/8000/cmdline
[root@VM_45_207_centos ~]#
```
Then I used strace to see what this process was doing:
```
[root@VM_45_207_centos ~]# strace -p 8000
strace: Process 8000 attached
epoll_pwait(7, [], 1024, 240, NULL, 8) = 0
clock_gettime(CLOCK_REALTIME, {tv_sec=1605852311, tv_nsec=137056113}) = 0
epoll_pwait(7, [], 1024, 500, NULL, 8) = 0
clock_gettime(CLOCK_REALTIME, {tv_sec=1605852311, tv_nsec=638004483}) = 0
epoll_pwait(7, [], 1024, 145, NULL, 8) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=10679012, tv_nsec=200368751}) = 0
epoll_pwait(7, [], 1024, 352, NULL, 8) = 0
clock_gettime(CLOCK_REALTIME, {tv_sec=1605852312, tv_nsec=142021317}) = 0
clock_gettime(CLOCK_REALTIME, {tv_sec=1605852312, tv_nsec=142050352}) = 0
clock_gettime(CLOCK_REALTIME, {tv_sec=1605852312, tv_nsec=142070265}) = 0
clock_gettime(CLOCK_REALTIME, {tv_sec=1605852312, tv_nsec=142090905}) = 0
clock_gettime(CLOCK_REALTIME, {tv_sec=1605852312, tv_nsec=142177042}) = 0
epoll_pwait(7, [], 1024, 500, NULL, 8) = 0
clock_gettime(CLOCK_REALTIME, {tv_sec=1605852312, tv_nsec=647348698}) = 0
epoll_pwait(7, [], 1024, 139, NULL, 8) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=10679013, tv_nsec=210201712}) = 0
epoll_pwait(7, [], 1024, 351, NULL, 8) = 0
clock_gettime(CLOCK_REALTIME, {tv_sec=1605852313, tv_nsec=157841691}) = 0
epoll_pwait(7, [], 1024, 500, NULL, 8) = 0
clock_gettime(CLOCK_REALTIME, {tv_sec=1605852313, tv_nsec=668967121}) = 0
epoll_pwait(7, [], 1024, 127, NULL, 8) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=10679014, tv_nsec=218273236}) = 0
epoll_pwait(7, [], 1024, 365, NULL, 8) = 0
clock_gettime(CLOCK_REALTIME, {tv_sec=1605852314, tv_nsec=176982120}) = 0
epoll_pwait(7, ^Cstrace: Process 8000 detached
```
Seeing epoll, it was fairly certain the process was making network requests, so next I used ss to look at the socket information:
```
[root@VM_45_207_centos ~]# ss -antp | grep 800
ESTAB 0 0 10.104.45.207:44746 213.32.74.157:14444 users:(("crypto",pid=8000,fd=14))
ESTAB 0 0 10.104.45.207:34082 104.26.2.232:443 users:(("e775904005a676f",pid=31380,fd=6),("crypto",pid=8000,fd=6))
ESTAB 0 0 10.104.45.207:41284 104.26.3.232:443 users:(("e775904005a676f",pid=31380,fd=4),("crypto",pid=8000,fd=4))
ESTAB 0 0 10.104.45.207:32814 104.26.2.232:443 users:(("e775904005a676f",pid=31380,fd=3),("crypto",pid=8000,fd=3))
ESTAB 0 0 10.104.45.207:60598 104.26.2.232:443 users:(("e775904005a676f",pid=31380,fd=5),("crypto",pid=8000,fd=5))
```
IP address geolocation:

Seeing port 443, I tried accessing it.

Looking up the IP, it turned out to be a Cloudflare reverse proxy.

There was no other information of value. There was no data on the machine, so I simply chose to reinstall it.
![image](https://user-images.githubusercontent.com/21978475/99765371-e4ff5100-2b39-11eb-9536-af96132f9d38.png)