Amazon-Ec2
Ubuntu 14.04 /tmp/systemd process using 100% CPU
We have a live AWS EC2 instance running Ubuntu 14.04 that I have been handed to maintain. One odd thing I have found is a /tmp/systemd process that is using all of the available CPU:
top - 11:35:20 up  2:34,  1 user,  load average: 1.13, 1.16, 1.15
Tasks: 114 total,   2 running, 111 sleeping,   0 stopped,   1 zombie
%Cpu(s): 32.7 us,  0.0 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si, 67.3 st
KiB Mem:   2048516 total,   726492 used,  1322024 free,    38784 buffers
KiB Swap:        0 total,        0 used,        0 free.   439788 cached Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 1797 www-data  20   0  192900   4008   1140 S  95.2  0.2 107:42.82 /tmp/systemd
 1145 mysql     20   0  681596 121328   7560 S   3.6  5.9   2:35.84 /usr/sbin/mysqld
 3669 ubuntu    20   0  103084   1904    920 S   0.7  0.1   0:00.06 sshd: ubuntu@pts/0
   40 root      rt   0       0      0      0 S   0.3  0.0   0:04.96 [watchdog/0]
 3692 ubuntu    20   0   23728   1652   1104 R   0.3  0.1   0:00.11 top
    1 root      20   0   33556   2880   1480 S   0.0  0.1   0:03.20 /sbin/init
    2 root      20   0       0      0      0 S   0.0  0.0   0:00.00 [kthreadd]
I thought /tmp/systemd seemed a bit odd as the source of a command, so I checked the /tmp directory - it is completely empty.
Running strace seems to show that it is polling for something to complete:
ubuntu@ip-10-0-0-157:~$ sudo strace -fvvp 1797
Process 1797 attached with 6 threads
[pid  1801] futex(0x799404, FUTEX_WAIT_PRIVATE, 4, NULL <unfinished ...>
[pid  1802] futex(0x799404, FUTEX_WAIT_PRIVATE, 4, NULL <unfinished ...>
[pid  1803] futex(0x799404, FUTEX_WAIT_PRIVATE, 4, NULL <unfinished ...>
[pid  1800] futex(0x799404, FUTEX_WAIT_PRIVATE, 4, NULL <unfinished ...>
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9448, 290556741}) = 0
[pid  1797] epoll_wait(7,  <unfinished ...>
[pid  1799] sched_yield()               = 0
[pid  1799] clock_gettime(CLOCK_REALTIME, {1524656311, 141773213}) = 0
[pid  1797] <... epoll_wait resumed> {}, 1024, 27) = 0
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9448, 328709201}) = 0
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9448, 328773526}) = 0
[pid  1797] epoll_wait(7,  <unfinished ...>
[pid  1799] sched_yield()               = 0
[pid  1799] sched_yield()               = 0
[pid  1797] <... epoll_wait resumed> {}, 1024, 500) = 0
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9448, 839857928}) = 0
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9448, 839934892}) = 0
[pid  1797] epoll_wait(7, {}, 1024, 18) = 0
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9448, 860012749}) = 0
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9448, 860081346}) = 0
[pid  1797] epoll_wait(7,  <unfinished ...>
[pid  1799] sched_yield()               = 0
[pid  1799] sched_yield()               = 0
[pid  1799] sched_yield()               = 0
[pid  1799] sched_yield()               = 0
[pid  1797] <... epoll_wait resumed> {}, 1024, 479) = 0
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9449, 350734613}) = 0
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9449, 350806967}) = 0
[pid  1797] epoll_wait(7,  <unfinished ...>
[pid  1799] sched_yield()               = 0
[pid  1799] sched_yield()               = 0
[pid  1799] sched_yield()               = 0
q[pid  1797] <... epoll_wait resumed> {}, 1024, 500) = 0
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9449, 905946457}) = 0
[pid  1797] clock_gettime(CLOCK_MONOTONIC, {9449, 906007520}) = 0
[pid  1797] epoll_wait(7,  <unfinished ...>
[pid  1799] sched_yield()               = 0
[pid  1799] sched_yield()               = 0
I have tried updating and rebooting the server, but that did not change anything. I can kill the process, but after about an hour it starts up again.
Can you offer any advice on how to find where it comes from, or how I can work out what it is doing and what is starting it?
With no /tmp/systemd binary on disk (or only a temporary one), and given that the user that started the process is the non-interactive "www-data", I would suggest that your web server has been compromised.
Check for any suspicious outbound connections, remount /tmp with noexec, and check that everything owned by www-data is in order. Look for shell scripts or other executables that should not belong to www-data.
Looks like Tiny XMR mooner - https://xorl.wordpress.com/2017/12/21/the-tiny-xml-mooner-linux-cryptominer-malware/
Best practice in a case like this is to make an image of the machine (e.g. using dd) and analyze it offline, in an environment without Internet access.