Amazon-Ec2

Ubuntu 14.04 /tmp/systemd 程序使用 100% CPU

  • April 25, 2018

我們有一個帶有 Ubuntu 14.04 的實時 AWS EC2 實例,我已被交給我來維護。我發現一個奇怪的地方是我有一個使用所有可用 CPU 的 /tmp/systemd 程序:

top - 11:35:20 up  2:34,  1 user,  load average: 1.13, 1.16, 1.15
Tasks: 114 total,   2 running, 111 sleeping,   0 stopped,   1 zombie
%Cpu(s): 32.7 us,  0.0 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si, 67.3 st
KiB Mem:   2048516 total,   726492 used,  1322024 free,    38784 buffers
KiB Swap:        0 total,        0 used,        0 free.   439788 cached Mem

 PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
1797 www-data  20   0  192900   4008   1140 S 95.2  0.2 107:42.82 /tmp/systemd
1145 mysql     20   0  681596 121328   7560 S  3.6  5.9   2:35.84 /usr/sbin/mysqld
3669 ubuntu    20   0  103084   1904    920 S  0.7  0.1   0:00.06 sshd: ubuntu@pts/0
  40 root      rt   0       0      0      0 S  0.3  0.0   0:04.96 [watchdog/0]
3692 ubuntu    20   0   23728   1652   1104 R  0.3  0.1   0:00.11 top
   1 root      20   0   33556   2880   1480 S  0.0  0.1   0:03.20 /sbin/init
   2 root      20   0       0      0      0 S  0.0  0.0   0:00.00 [kthreadd]

我認為 /tmp/systemd 對於命令源來說似乎有點奇怪,所以我檢查了 /tmp 目錄 - 它完全是空的。

執行 strace 似乎表明它正在輪詢某事以完成:

ubuntu@ip-10-0-0-157:~$ sudo strace -fvvp 1797
Process 1797 attached with 6 threads
[pid  1801] futex(0x799404, FUTEX_WAIT_PRIVATE, 4, NULL <unfinished ...>
[pid  1802] futex(0x799404, FUTEX_WAIT_PRIVATE, 4, NULL <unfinished ...>
[pid  1803] futex(0x799404, FUTEX_WAIT_PRIVATE, 4, NULL <unfinished ...>
[pid  1800] futex(0x799404, FUTEX_WAIT_PRIVATE, 4, NULL <unfinished ...>
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9448, 290556741}) = 0
[pid  1797] epoll_wait(7,  <unfinished ...>
[pid  1799] sched_yield()               = 0
[pid  1799] clock_gettime(CLOCK_REALTIME, {1524656311, 141773213}) = 0
[pid  1797] <... epoll_wait resumed> {}, 1024, 27) = 0
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9448, 328709201}) = 0
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9448, 328773526}) = 0
[pid  1797] epoll_wait(7,  <unfinished ...>
[pid  1799] sched_yield()               = 0
[pid  1799] sched_yield()               = 0
[pid  1797] <... epoll_wait resumed> {}, 1024, 500) = 0
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9448, 839857928}) = 0
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9448, 839934892}) = 0
[pid  1797] epoll_wait(7, {}, 1024, 18) = 0
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9448, 860012749}) = 0
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9448, 860081346}) = 0
[pid  1797] epoll_wait(7,  <unfinished ...>
[pid  1799] sched_yield()               = 0
[pid  1799] sched_yield()               = 0
[pid  1799] sched_yield()               = 0
[pid  1799] sched_yield()               = 0
[pid  1797] <... epoll_wait resumed> {}, 1024, 479) = 0
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9449, 350734613}) = 0
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9449, 350806967}) = 0
[pid  1797] epoll_wait(7,  <unfinished ...>
[pid  1799] sched_yield()               = 0
[pid  1799] sched_yield()               = 0
[pid  1799] sched_yield()               = 0
q[pid  1797] <... epoll_wait resumed> {}, 1024, 500) = 0
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9449, 905946457}) = 0
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9449, 906007520}) = 0
[pid  1797] epoll_wait(7,  <unfinished ...>
[pid  1799] sched_yield()               = 0
[pid  1799] sched_yield()               = 0

我已經嘗試更新並重新啟動伺服器,但它沒有任何改變。我可以終止該程序,但大約 1 小時後它將重新啟動。

您能否就如何找到它的來源或我如何找出它在做什麼以及開始它的原因提供建議?

沒有 /tmp/systemd 二進製文件或臨時二進製文件,因為啟動該過程的使用者是非互動式“www-data”,我建議您的網路伺服器受到損害。

檢查是否存在任何可疑的出站連接,使用 noexec 重新掛載 /tmp 並檢查 www-data 擁有的所有內容是否正常。查找不應屬於 www-data 的 shell 腳本或其他執行檔。

看起來像 Tiny XMR mooner - https://xorl.wordpress.com/2017/12/21/the-tiny-xml-mooner-linux-cryptominer-malware/

這種情況下的最佳做法是製作機器映像(例如使用 dd)並在沒有 Internet 訪問權限的環境中對其進行離線分析。

引用自:https://serverfault.com/questions/909397