System CPU usage is extremely high (around 1200%), yet top, htop and similar tools show no process that accounts for it, as in the screenshot below:
This pattern means hidden processes are present: they consume CPU but are not listed by top or htop, so the next step is to find exactly which processes they are.
The relevant tool is unhide. Install it and run a /proc scan with the following commands (unhide must run as root):
sudo apt install unhide
sudo unhide proc
The result looks like this:
root@linux:/home/ubuntu# unhide proc
Unhide 20130526
Copyright © 2013 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info

NOTE : This version of unhide is for systems using Linux >= 2.6

Error : You must be root to run unhide !

ubuntu@xhumanoid-NucBox-K9:~/kai$ sudo unhide proc
Unhide 20130526
Copyright © 2013 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info

NOTE : This version of unhide is for systems using Linux >= 2.6

Used options:
[*]Searching for Hidden processes through /proc stat scanning

Found HIDDEN PID: 1704
Cmdline: "<none>"
Executable: "<no link>"
"<none> ... maybe a transitory process"

Found HIDDEN PID: 1706
Cmdline: "/dev/shm/netools"
Executable: "/dev/shm/netools (deleted)"
Command: "netools"
$USER=<undefined>
$PWD=/

Found HIDDEN PID: 1708
Cmdline: "/dev/shm/netools"
Executable: "/dev/shm/netools (deleted)"
Command: "netools"
$USER=<undefined>
$PWD=/

(the same five-line entry repeats, with identical Cmdline, Executable, Command, $USER and $PWD values, for PIDs 1709, 1710, 1711 and 3016 through 3033)
The scan shows many hidden processes (HIDDEN PID), which are almost certainly malicious (a miner, backdoor or similar). They share the following traits visible in the output: every one was started from /dev/shm/netools, a binary in a tmpfs that was deleted after launch (Executable: "/dev/shm/netools (deleted)"); $USER is undefined and the working directory is /; and none of them appear in ps or top.
Such processes may be mining, exfiltrating data or launching network attacks, and they have the ability to hide themselves from the usual tools, so they need to be dealt with immediately.
Remediation:
Save the scan result to a file, for example 1.txt (sudo unhide proc > 1.txt), then pull out the PIDs and kill them:
cat 1.txt | grep PID | awk -F ':' '{print $2}' | xargs -I {} kill -9 {}
(Each "Found HIDDEN PID: N" line yields one PID; entries marked "maybe a transitory process" are usually already gone by the time kill runs, which is harmless.)
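The one-liner above is enough in a hurry. As an added example (this is not code from the original post), the bash helpers below do the same job a little more carefully: they parse a constructed sample of unhide output, separate PIDs whose executable was deleted from the "maybe transitory" ones, save a copy of the deleted binary out of /proc before killing, and cross-check /proc against ps for a second opinion. The sample PIDs and paths are made up for the example.

```bash
#!/bin/bash
# Added example, not part of the original post. Helpers around `unhide proc`.

# Constructed sample of `unhide proc` output, in the shape of the report above.
# The PIDs are invented for this example.
SAMPLE_UNHIDE_OUTPUT='Unhide 20130526
Used options:
[*]Searching for Hidden processes through /proc stat scanning
Found HIDDEN PID: 1704
Cmdline: "<none>"
Executable: "<no link>"
"<none> ... maybe a transitory process"
Found HIDDEN PID: 1706
Cmdline: "/dev/shm/netools"
Executable: "/dev/shm/netools (deleted)"
Command: "netools"
$USER=<undefined>
$PWD=/
Found HIDDEN PID: 1708
Cmdline: "/dev/shm/netools"
Executable: "/dev/shm/netools (deleted)"
Command: "netools"
$USER=<undefined>
$PWD=/'

# Every PID unhide reported, one per line (read from stdin).
extract_hidden_pids() {
    sed -n 's/^Found HIDDEN PID: *\([0-9][0-9]*\).*/\1/p'
}

# Only PIDs whose Executable line ends in "(deleted)": the binary was unlinked
# after exec, which is what the netools processes above look like. PIDs that
# unhide marks "<none> ... maybe a transitory process" are skipped here.
extract_deleted_exe_pids() {
    awk '/^Found HIDDEN PID:/ { pid = $4 }
         /^Executable:/ && /\(deleted\)/ { print pid }'
}

# Copy the (deleted) executable of a running PID out of /proc for later
# analysis; the exe link still resolves while the process is alive.
preserve_exe() {
    pid=$1; dest=$2
    mkdir -p "$dest"
    cp "/proc/$pid/exe" "$dest/exe.$pid" 2>/dev/null
}

# Kill the deleted-exe PIDs from an unhide report on stdin, preserving a copy
# of each binary first. Usage: sudo unhide proc | kill_hidden /root/evidence
kill_hidden() {
    dest=${1:-/root/evidence}
    extract_deleted_exe_pids | while read -r pid; do
        preserve_exe "$pid" "$dest"
        kill -9 "$pid" 2>/dev/null && echo "killed $pid"
    done
}

# Second opinion without unhide: numeric /proc entries that ps does not list.
# A PID that exited between the two listings shows up too, so run it twice
# before treating a result as hidden.
proc_vs_ps() {
    tmp=$(mktemp)
    ps -e -o pid= | tr -d ' ' | sort > "$tmp"
    ls /proc | grep -E '^[0-9]+$' | sort | comm -23 - "$tmp"
    rm -f "$tmp"
}
```

With the sample above, `extract_hidden_pids` returns 1704, 1706 and 1708 while `extract_deleted_exe_pids` returns only 1706 and 1708. `proc_vs_ps` reads the live system, and on a clean machine prints nothing.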
After killing these processes the system returned to normal, but a short while later the CPU was pegged again, and unhide showed a fresh set of hidden processes:
unhide proc
Unhide 20130526
Copyright © 2013 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info

NOTE : This version of unhide is for systems using Linux >= 2.6

Used options:
[*]Searching for Hidden processes through /proc stat scanning

Found HIDDEN PID: 53533
Cmdline: "<none>"
Executable: "<no link>"
"<none> ... maybe a transitory process"

Found HIDDEN PID: 53535
Cmdline: "/dev/shm/netools"
Executable: "/dev/shm/netools (deleted)"
Command: "netools"
$USER=<undefined>
$PWD=/root

(the same five-line entry repeats, with identical Cmdline, Executable, Command, $USER and $PWD values, for PIDs 53536, 53537 and 53538)
Look inside one hidden process's /proc directory (cd /proc/53533):
You can see that its exe symlink points to '/dev/shm/netools (deleted)'.
The fd directory (ls -rlt /proc/53533/fd):
The task directory (ls -rlt /proc/53533/task):
This repeated several times: the hidden tasks were killed, and a little later they were running again.
Something is clearly relaunching them on a schedule, so try stopping the cron service:
sudo systemctl stop cron.service
Then kill the hidden processes again; this time they stay down. Check the scheduled jobs in /etc/cron.d, where three entries are present:
anacron e2scrub_all RMKIkzOM
Going through them one by one, anacron and e2scrub_all are legitimate entries shipped by the system. RMKIkzOM contains:
*/1 * * * * root /bin/acxDK1m7 1 1
This is plainly a malicious cron job. The core problem is /bin/acxDK1m7: an unfamiliar binary that belongs to no system package, executed as root every minute (*/1 * * * *). It is almost certainly the launcher that keeps respawning the netools processes. If you want to analyse it later, copy the binary somewhere safe first (for example cp /bin/acxDK1m7 /root/evidence/); then delete the cron entry and the file:
sudo rm -f /etc/cron.d/RMKIkzOM
sudo rm -f /bin/acxDK1m7
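Reading three files by hand is fine here, but /etc/cron.d can hold dozens of entries. As an added example (not from the original post), the bash helpers below parse cron.d-format lines into "user command" pairs from a constructed sample, and an audit wrapper runs the same parser over the real /etc/cron.d and asks dpkg whether each command's binary belongs to an installed package. The Debian/Ubuntu layout and dpkg are assumed; the sample file content is constructed for the example.

```bash
#!/bin/bash
# Added example, not part of the original post. Audit /etc/cron.d entries.

# Constructed sample cron.d file in the shape of the malicious one found above.
SAMPLE_CRON_D='# comment line
SHELL=/bin/sh
*/1 * * * * root /bin/acxDK1m7 1 1
@reboot root /usr/bin/legit-task --flag'

# Print "<user> <command>" for every scheduled line of a cron.d file on stdin.
# Comments, blank lines and VAR=value lines are skipped; both the five-field
# schedule form and the @reboot/@daily form are handled.
cron_d_commands() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
        /^@/ {
            cmd = ""
            for (i = 3; i <= NF; i++) cmd = cmd (i > 3 ? " " : "") $i
            print $2, cmd; next
        }
        NF >= 7 {
            cmd = ""
            for (i = 7; i <= NF; i++) cmd = cmd (i > 7 ? " " : "") $i
            print $6, cmd
        }'
}

# For every entry under /etc/cron.d, report whether dpkg owns the binary it
# runs. "UNOWNED" means the file exists but no package installed it, which is
# exactly what /bin/acxDK1m7 would show; "MISSING" means the path is gone.
audit_cron_d() {
    for f in /etc/cron.d/*; do
        [ -f "$f" ] || continue
        cron_d_commands < "$f" | while read -r user cmd; do
            bin=${cmd%% *}
            # Resolve symlinks (merged /usr systems link /bin to /usr/bin) so
            # dpkg -S sees the path it recorded at install time.
            real=$(realpath -e "$bin" 2>/dev/null || echo "$bin")
            if dpkg -S "$real" >/dev/null 2>&1; then owner=packaged
            elif [ -e "$real" ]; then owner=UNOWNED
            else owner=MISSING
            fi
            printf '%s\t%s\t%s\t%s\n' "$f" "$user" "$owner" "$cmd"
        done
    done
}
```

Run `audit_cron_d` as root and look at every UNOWNED line; anything you did not put there yourself is a persistence candidate. The same parser works on /etc/crontab, while per-user crontabs (crontab -l -u root) have no user column and are outside this helper.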
All done! One closing caveat: a cron.d file is only the persistence that happened to be found here. Before calling the machine clean, also check root's own crontab (crontab -l -u root), /etc/crontab, the other /etc/cron.* directories and systemd timers, and since these processes were invisible to ps and top, look for the hiding mechanism itself (for example a user-space hook in /etc/ld.so.preload or an unexpected kernel module in lsmod). Rebuilding from a known-good image is the safer choice for a host that ran unknown code as root.