我发现一个可疑进程，其父进程是 1 号进程 (init)（注意：父进程为 1 并不一定表示它是由 init 启动的，原父进程退出后被 init 收养的孤儿进程同样会显示 PPID 为 1）。按照指南我检查了 /etc/rc.d/rc3.d，
但找不到名为 Sxxkauditd 的条目；
inittab 文件中也没有发现可疑条目。
应如何进一步排查？
ps -ef|grep kaudi
root 903 179 0 2015 ? 00:00:33 [kauditd]
root 1183 1257 0 08:06 pts/0 00:00:00 [kauditd]
root 1257 1 0 07:28 pts/0 00:00:00 [kauditd]
lrwxrwxrwx 1 root root 0 01-11 08:06 /proc/1257/exe -> /tmp/8e65aafe-df29-44b5-9394-04f101eab3e8 (deleted)
[root@localhost cron.d]# cat /proc/13177/maps | more
00400000-00405000 r-xp 00000000 08:02 1310725 /tmp/ba1412e8-633a-48a8-bcb8-738215a6e1ec (deleted)
00605000-00607000 rwxp 00005000 08:02 1310725 /tmp/ba1412e8-633a-48a8-bcb8-738215a6e1ec (deleted)
0102c000-0104d000 rwxp 00000000 00:00 0 [heap]
3967200000-3967220000 r-xp 00000000 08:02 4072631 /lib64/ld-2.12.so
3967420000-3967421000 r-xp 00020000 08:02 4072631 /lib64/ld-2.12.so
3967421000-3967422000 rwxp 00021000 08:02 4072631 /lib64/ld-2.12.so
3967422000-3967423000 rwxp 00000000 00:00 0
3967600000-396778b000 r-xp 00000000 08:02 4072632 /lib64/libc-2.12.so
396778b000-396798a000 ---p 0018b000 08:02 4072632 /lib64/libc-2.12.so
396798a000-396798e000 r-xp 0018a000 08:02 4072632 /lib64/libc-2.12.so
396798e000-3967990000 rwxp 0018e000 08:02 4072632 /lib64/libc-2.12.so
3967990000-3967994000 rwxp 00000000 00:00 0
3967a00000-3967a02000 r-xp 00000000 08:02 4072634 /lib64/libdl-2.12.so
3967a02000-3967c02000 ---p 00002000 08:02 4072634 /lib64/libdl-2.12.so
3967c02000-3967c03000 r-xp 00002000 08:02 4072634 /lib64/libdl-2.12.so
3967c03000-3967c04000 rwxp 00003000 08:02 4072634 /lib64/libdl-2.12.so
3967e00000-3967e17000 r-xp 00000000 08:02 4063368 /lib64/libpthread-2.12.so
3967e17000-3968017000 ---p 00017000 08:02 4063368 /lib64/libpthread-2.12.so
3968017000-3968018000 r-xp 00017000 08:02 4063368 /lib64/libpthread-2.12.so
3968018000-3968019000 rwxp 00018000 08:02 4063368 /lib64/libpthread-2.12.so
3968019000-396801d000 rwxp 00000000 00:00 0
3968a00000-3968a15000 r-xp 00000000 08:02 4072641 /lib64/libz.so.1.2.3
3968a15000-3968c14000 ---p 00015000 08:02 4072641 /lib64/libz.so.1.2.3
3968c14000-3968c15000 r-xp 00014000 08:02 4072641 /lib64/libz.so.1.2.3
3968c15000-3968c16000 rwxp 00015000 08:02 4072641 /lib64/libz.so.1.2.3
3968e00000-3968e1d000 r-xp 00000000 08:02 4072642 /lib64/libselinux.so.1
396901c000-396901d000 r-xp 0001c000 08:02 4072642 /lib64/libselinux.so.1
396901d000-396901e000 rwxp 0001d000 08:02 4072642 /lib64/libselinux.so.1
396901e000-396901f000 rwxp 00000000 00:00 0
3969600000-3969616000 r-xp 00000000 08:02 4063331 /lib64/libresolv-2.12.so
3969616000-3969816000 ---p 00016000 08:02 4063331 /lib64/libresolv-2.12.so
3969816000-3969817000 r-xp 00016000 08:02 4063331 /lib64/libresolv-2.12.so
3969817000-3969818000 rwxp 00017000 08:02 4063331 /lib64/libresolv-2.12.so
3969818000-396981a000 rwxp 00000000 00:00 0
396ca00000-396ca03000 r-xp 00000000 08:02 4072655 /lib64/libcom_err.so.2.1
396ca03000-396cc02000 ---p 00003000 08:02 4072655 /lib64/libcom_err.so.2.1
396cc02000-396cc03000 r-xp 00002000 08:02 4072655 /lib64/libcom_err.so.2.1
396cc03000-396cc04000 rwxp 00003000 08:02 4072655 /lib64/libcom_err.so.2.1
396d600000-396d7ba000 r-xp 00000000 08:02 3279504 /usr/lib64/libcrypto.so.1.0.1e
396d7ba000-396d9ba000 ---p 001ba000 08:02 3279504 /usr/lib64/libcrypto.so.1.0.1e
396d9ba000-396d9d5000 r-xp 001ba000 08:02 3279504 /usr/lib64/libcrypto.so.1.0.1e
396d9d5000-396d9e1000 rwxp 001d5000 08:02 3279504 /usr/lib64/libcrypto.so.1.0.1e
396d9e1000-396d9e5000 rwxp 00000000 00:00 0
396de00000-396de02000 r-xp 00000000 08:02 4063312 /lib64/libkeyutils.so.1.3
396de02000-396e001000 ---p 00002000 08:02 4063312 /lib64/libkeyutils.so.1.3
396e001000-396e002000 r-xp 00001000 08:02 4063312 /lib64/libkeyutils.so.1.3
396e002000-396e003000 rwxp 00002000 08:02 4063312 /lib64/libkeyutils.so.1.3
396ea00000-396ea29000 r-xp 00000000 08:02 4072654 /lib64/libk5crypto.so.3.1
396ea29000-396ec29000 ---p 00029000 08:02 4072654 /lib64/libk5crypto.so.3.1
396ec29000-396ec2a000 r-xp 00029000 08:02 4072654 /lib64/libk5crypto.so.3.1
396ec2a000-396ec2b000 rwxp 0002a000 08:02 4072654 /lib64/libk5crypto.so.3.1
396ec2b000-396ec2c000 rwxp 00000000 00:00 0
396ee00000-396ee0a000 r-xp 00000000 08:02 4072653 /lib64/libkrb5support.so.0.1
396ee0a000-396f009000 ---p 0000a000 08:02 4072653 /lib64/libkrb5support.so.0.1
396f009000-396f00a000 r-xp 00009000 08:02 4072653 /lib64/libkrb5support.so.0.1
396f00a000-396f00b000 rwxp 0000a000 08:02 4072653 /lib64/libkrb5support.so.0.1
396f200000-396f241000 r-xp 00000000 08:02 4072657 /lib64/libgssapi_krb5.so.2.2
396f241000-396f441000 ---p 00041000 08:02 4072657 /lib64/libgssapi_krb5.so.2.2
396f441000-396f442000 r-xp 00041000 08:02 4072657 /lib64/libgssapi_krb5.so.2.2
396f442000-396f444000 rwxp 00042000 08:02 4072657 /lib64/libgssapi_krb5.so.2.2
396f600000-396f6dc000 r-xp 00000000 08:02 4072656 /lib64/libkrb5.so.3.3
396f6dc000-396f8db000 ---p 000dc000 08:02 4072656 /lib64/libkrb5.so.3.3
396f8db000-396f8e5000 r-xp 000db000 08:02 4072656 /lib64/libkrb5.so.3.3
396f8e5000-396f8e7000 rwxp 000e5000 08:02 4072656 /lib64/libkrb5.so.3.3
3970600000-3970662000 r-xp 00000000 08:02 3290174 /usr/lib64/libssl.so.1.0.1e
3970662000-3970862000 ---p 00062000 08:02 3290174 /usr/lib64/libssl.so.1.0.1e
3970862000-3970866000 r-xp 00062000 08:02 3290174 /usr/lib64/libssl.so.1.0.1e
3970866000-397086c000 rwxp 00066000 08:02 3290174 /usr/lib64/libssl.so.1.0.1e
7f1898130000-7f1898138000 rwxp 00000000 00:00 0
7f1898142000-7f1898143000 rwxp 00000000 00:00 0
7fffbacf0000-7fffbad05000 rwxp 00000000 00:00 0 [stack]
7fffbad4e000-7fffbad4f000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
可疑进程的 strace 结果（使用 -f -e trace=file，只跟踪子进程及与文件相关的系统调用；从下面的输出可以看到，它反复通过 /bin/sh -c 调用 grep 检查 /etc/resolv.conf 中是否有 "nameserver 8.8.8.8"，并用 sed -i 删除 /etc/hosts 中匹配 z0gg.me 或 x63.in 的行，即每一轮都会重写 /etc/hosts）
strace -f -e trace=file ../suspicious_kauditd
execve("../suspicious_kauditd", ["../suspicious_kauditd"], [/* 40 vars */]) = 0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/usr/lib64/libssl.so.10", O_RDONLY) = 3
open("/lib64/libc.so.6", O_RDONLY) = 3
open("/usr/lib64/libcrypto.so.10", O_RDONLY) = 3
open("/lib64/libgssapi_krb5.so.2", O_RDONLY) = 3
open("/lib64/libkrb5.so.3", O_RDONLY) = 3
open("/lib64/libcom_err.so.2", O_RDONLY) = 3
open("/lib64/libk5crypto.so.3", O_RDONLY) = 3
open("/lib64/libdl.so.2", O_RDONLY) = 3
open("/lib64/libz.so.1", O_RDONLY) = 3
open("/lib64/libkrb5support.so.0", O_RDONLY) = 3
open("/lib64/libkeyutils.so.1", O_RDONLY) = 3
open("/lib64/libresolv.so.2", O_RDONLY) = 3
open("/lib64/libpthread.so.0", O_RDONLY) = 3
open("/lib64/libselinux.so.1", O_RDONLY) = 3
statfs("/selinux", {f_type="EXT2_SUPER_MAGIC", f_bsize=4096, f_blocks=35244766, f_bfree=27460719, f_bavail=25668719, f_files=8962048, f_ffree=8837001, f_fsid={-1884128229, 1876969564}, f_namelen=255, f_frsize=4096}) = 0
open("/proc/filesystems", O_RDONLY) = 3
open("/etc/pki/tls/legacy-settings", O_RDONLY) = -1 ENOENT (No such file or directory)
access("/usr/share/dracut/modules.d/01fips", F_OK) = -1 ENOENT (No such file or directory)
chdir("/") = 0
Process 12124 attached
Process 12125 attached
[pid 12123] +++ exited with 0 +++
[pid 12125] open("/etc/resolv.conf", O_RDONLYProcess 12126 attached
) = 4
[pid 12126] execve("/bin/sh", ["/bin/sh", "-c", "grep -q 'nameserver 8.8.8.8' /et"...], [/* 0 vars */]Process 12127 attached
<unfinished ...>
[pid 12127] execve("/bin/sh", ["/bin/sh", "-c", "sed -i '/\\(z0gg.me\\|x63.in\\)/d' "...], [/* 0 vars */] <unfinished ...>
[pid 12126] <... execve resumed> ) = 0
[pid 12126] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid 12127] <... execve resumed> ) = 0
[pid 12126] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 12127] access("/etc/ld.so.preload", R_OK <unfinished ...>
[pid 12126] open("/lib64/libtinfo.so.5", O_RDONLY <unfinished ...>
[pid 12127] <... access resumed> ) = -1 ENOENT (No such file or directory)
[pid 12126] <... open resumed> ) = 3
[pid 12127] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 12125] open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 4
[pid 12127] open("/lib64/libtinfo.so.5", O_RDONLY) = 3
[pid 12126] open("/lib64/libdl.so.2", O_RDONLY) = 3
[pid 12125] open("/etc/ld.so.cache", O_RDONLY <unfinished ...>
[pid 12127] open("/lib64/libdl.so.2", O_RDONLY <unfinished ...>
[pid 12125] <... open resumed> ) = 4
[pid 12127] <... open resumed> ) = 3
[pid 12126] open("/lib64/libc.so.6", O_RDONLY) = 3
[pid 12125] open("/lib64/libnss_files.so.2", O_RDONLY) = 4
[pid 12127] open("/lib64/libc.so.6", O_RDONLY) = 3
[pid 12125] open("/etc/host.conf", O_RDONLY|O_CLOEXEC) = 4
[pid 12126] open("/dev/tty", O_RDWR|O_NONBLOCK) = 3
[pid 12125] open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 4
[pid 12126] open("/proc/meminfo", O_RDONLY|O_CLOEXEC <unfinished ...>
[pid 12127] open("/dev/tty", O_RDWR|O_NONBLOCK <unfinished ...>
[pid 12126] <... open resumed> ) = 3
[pid 12127] <... open resumed> ) = 3
[pid 12125] open("/etc/ld.so.cache", O_RDONLY) = 4
[pid 12127] open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 3
[pid 12125] open("/lib64/libnss_dns.so.2", O_RDONLY) = 4
[pid 12126] getcwd("/", 4096) = 2
[pid 12126] open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
[pid 12127] getcwd("/", 4096) = 2
[pid 12126] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 12126] open("/lib64/libnss_files.so.2", O_RDONLY) = 3
[pid 12127] open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
[pid 12126] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
[pid 12127] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 12127] open("/lib64/libnss_files.so.2", O_RDONLY) = 3
[pid 12127] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
[pid 12126] stat(".", {st_mode=S_IFDIR|0555, st_size=4096, ...}) = 0
[pid 12126] stat("/usr/local/bin/grep", 0x7ffe273886f0) = -1 ENOENT (No such file or directory)
[pid 12126] stat("/bin/grep", {st_mode=S_IFREG|0755, st_size=167840, ...}) = 0
[pid 12126] stat("/bin/grep", {st_mode=S_IFREG|0755, st_size=167840, ...}) = 0
[pid 12126] access("/bin/grep", X_OK) = 0
[pid 12126] stat("/bin/grep", {st_mode=S_IFREG|0755, st_size=167840, ...}) = 0
[pid 12126] access("/bin/grep", R_OK <unfinished ...>
[pid 12127] stat(".", <unfinished ...>
[pid 12126] <... access resumed> ) = 0
[pid 12127] <... stat resumed> {st_mode=S_IFDIR|0555, st_size=4096, ...}) = 0
[pid 12126] stat("/bin/grep", <unfinished ...>
[pid 12127] stat("/usr/local/bin/sed", <unfinished ...>
[pid 12126] <... stat resumed> {st_mode=S_IFREG|0755, st_size=167840, ...}) = 0
[pid 12127] <... stat resumed> 0x7ffcd6c2ca40) = -1 ENOENT (No such file or directory)
[pid 12126] stat("/bin/grep", <unfinished ...>
[pid 12127] stat("/bin/sed", <unfinished ...>
[pid 12126] <... stat resumed> {st_mode=S_IFREG|0755, st_size=167840, ...}) = 0
[pid 12127] <... stat resumed> {st_mode=S_IFREG|0755, st_size=72248, ...}) = 0
[pid 12127] stat("/bin/sed", <unfinished ...>
[pid 12126] access("/bin/grep", X_OK) = 0
[pid 12126] stat("/bin/grep", {st_mode=S_IFREG|0755, st_size=167840, ...}) = 0
[pid 12126] access("/bin/grep", R_OK) = 0
Process 12128 attached
[pid 12127] <... stat resumed> {st_mode=S_IFREG|0755, st_size=72248, ...}) = 0
[pid 12127] access("/bin/sed", X_OK) = 0
[pid 12127] stat("/bin/sed", {st_mode=S_IFREG|0755, st_size=72248, ...}) = 0
[pid 12128] execve("/bin/grep", ["grep", "-q", "nameserver 8.8.8.8", "/etc/resolv.conf"], [/* 3 vars */] <unfinished ...>
[pid 12127] access("/bin/sed", R_OK) = 0
[pid 12127] stat("/bin/sed", {st_mode=S_IFREG|0755, st_size=72248, ...}) = 0
[pid 12127] stat("/bin/sed", {st_mode=S_IFREG|0755, st_size=72248, ...}) = 0
[pid 12128] <... execve resumed> ) = 0
[pid 12127] access("/bin/sed", X_OK) = 0
[pid 12127] stat("/bin/sed", <unfinished ...>
[pid 12128] access("/etc/ld.so.preload", R_OK <unfinished ...>
[pid 12127] <... stat resumed> {st_mode=S_IFREG|0755, st_size=72248, ...}) = 0
[pid 12128] <... access resumed> ) = -1 ENOENT (No such file or directory)
[pid 12128] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 12127] access("/bin/sed", R_OK) = 0
[pid 12128] open("/lib64/libpcre.so.0", O_RDONLY) = 3
[pid 12127] execve("/bin/sed", ["sed", "-i", "/\\(z0gg.me\\|x63.in\\)/d", "/etc/hosts"], [/* 3 vars */] <unfinished ...>
[pid 12128] open("/lib64/libc.so.6", O_RDONLY) = 3
[pid 12127] <... execve resumed> ) = 0
[pid 12127] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid 12127] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 12127] open("/lib64/libselinux.so.1", O_RDONLY) = 3
[pid 12127] open("/lib64/libc.so.6", O_RDONLY) = 3
[pid 12128] openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY) = 3
[pid 12127] open("/lib64/libdl.so.2", O_RDONLY) = 3
[pid 12128] +++ exited with 0 +++
[pid 12126] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=12128, si_status=0, si_utime=0, si_stime=0} ---
[pid 12127] statfs("/selinux", {f_type="EXT2_SUPER_MAGIC", f_bsize=4096, f_blocks=35244766, f_bfree=27460719, f_bavail=25668719, f_files=8962048, f_ffree=8837001, f_fsid={-1884128229, 1876969564}, f_namelen=255, f_frsize=4096}) = 0
[pid 12126] +++ exited with 0 +++
[pid 12127] open("/proc/filesystems", O_RDONLY) = 3
[pid 12127] open("/usr/lib64/charset.alias", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 12127] open("/etc/hosts", O_RDONLY) = 3
[pid 12127] open("/etc/sedvlymmH", O_RDWR|O_CREAT|O_EXCL, 0600) = 4
[pid 12127] rename("/etc/sedvlymmH", "/etc/hosts") = 0
[pid 12127] +++ exited with 0 +++
Process 12154 attached
[pid 12154] open("/etc/resolv.conf", O_RDONLYProcess 12155 attached
) = 4
[pid 12155] execve("/bin/sh", ["/bin/sh", "-c", "grep -q 'nameserver 8.8.8.8' /et"...], [/* 0 vars */]Process 12156 attached
<unfinished ...>
[pid 12156] execve("/bin/sh", ["/bin/sh", "-c", "sed -i '/\\(z0gg.me\\|x63.in\\)/d' "...], [/* 0 vars */] <unfinished ...>
[pid 12155] <... execve resumed> ) = 0
[pid 12155] access("/etc/ld.so.preload", R_OK <unfinished ...>
[pid 12156] <... execve resumed> ) = 0
[pid 12155] <... access resumed> ) = -1 ENOENT (No such file or directory)
[pid 12155] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 12154] open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 4
[pid 12155] open("/lib64/libtinfo.so.5", O_RDONLY) = 3
[pid 12155] open("/lib64/libdl.so.2", O_RDONLY) = 3
[pid 12154] open("/etc/ld.so.cache", O_RDONLY) = 4
[pid 12155] open("/lib64/libc.so.6", O_RDONLY) = 3
[pid 12154] open("/lib64/libnss_files.so.2", O_RDONLY) = 4
[pid 12156] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid 12156] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 12156] open("/lib64/libtinfo.so.5", O_RDONLY) = 3
[pid 12154] open("/etc/host.conf", O_RDONLY|O_CLOEXEC) = 4
[pid 12154] open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 4
[pid 12156] open("/lib64/libdl.so.2", O_RDONLY) = 3
[pid 12154] open("/etc/ld.so.cache", O_RDONLY) = 4
[pid 12155] open("/dev/tty", O_RDWR|O_NONBLOCK) = 3
[pid 12154] open("/lib64/libnss_dns.so.2", O_RDONLY) = 4
[pid 12155] open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 3
[pid 12156] open("/lib64/libc.so.6", O_RDONLY) = 3
[pid 12155] getcwd("/", 4096) = 2
[pid 12155] open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
[pid 12155] open("/etc/ld.so.cache", O_RDONLY <unfinished ...>
[pid 12156] open("/dev/tty", O_RDWR|O_NONBLOCK <unfinished ...>
[pid 12155] <... open resumed> ) = 3
[pid 12156] <... open resumed> ) = 3
[pid 12155] open("/lib64/libnss_files.so.2", O_RDONLY) = 3
[pid 12155] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
[pid 12156] open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 3
[pid 12155] stat(".", {st_mode=S_IFDIR|0555, st_size=4096, ...}) = 0
[pid 12155] stat("/usr/local/bin/grep", 0x7ffe945afca0) = -1 ENOENT (No such file or directory)
[pid 12155] stat("/bin/grep", {st_mode=S_IFREG|0755, st_size=167840, ...}) = 0
[pid 12155] stat("/bin/grep", {st_mode=S_IFREG|0755, st_size=167840, ...}) = 0
[pid 12156] getcwd("/", 4096) = 2
[pid 12155] access("/bin/grep", X_OK) = 0
[pid 12155] stat("/bin/grep", {st_mode=S_IFREG|0755, st_size=167840, ...}) = 0
[pid 12155] access("/bin/grep", R_OK) = 0
[pid 12155] stat("/bin/grep", {st_mode=S_IFREG|0755, st_size=167840, ...}) = 0
[pid 12155] stat("/bin/grep", {st_mode=S_IFREG|0755, st_size=167840, ...}) = 0
[pid 12155] access("/bin/grep", X_OK <unfinished ...>
[pid 12156] open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC <unfinished ...>
[pid 12155] <... access resumed> ) = 0
[pid 12156] <... open resumed> ) = 3
[pid 12155] stat("/bin/grep", {st_mode=S_IFREG|0755, st_size=167840, ...}) = 0
[pid 12155] access("/bin/grep", R_OK) = 0
[pid 12156] open("/etc/ld.so.cache", O_RDONLYProcess 12157 attached
) = 3
[pid 12156] open("/lib64/libnss_files.so.2", O_RDONLY) = 3
[pid 12157] execve("/bin/grep", ["grep", "-q", "nameserver 8.8.8.8", "/etc/resolv.conf"], [/* 3 vars */]) = 0
[pid 12156] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
[pid 12157] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid 12157] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 12157] open("/lib64/libpcre.so.0", O_RDONLY) = 3
[pid 12157] open("/lib64/libc.so.6", O_RDONLY) = 3
[pid 12156] stat(".", {st_mode=S_IFDIR|0555, st_size=4096, ...}) = 0
[pid 12156] stat("/usr/local/bin/sed", 0x7ffef8b136e0) = -1 ENOENT (No such file or directory)
[pid 12156] stat("/bin/sed", {st_mode=S_IFREG|0755, st_size=72248, ...}) = 0
[pid 12156] stat("/bin/sed", {st_mode=S_IFREG|0755, st_size=72248, ...}) = 0
[pid 12156] access("/bin/sed", X_OK) = 0
[pid 12156] stat("/bin/sed", {st_mode=S_IFREG|0755, st_size=72248, ...}) = 0
[pid 12156] access("/bin/sed", R_OK <unfinished ...>
[pid 12157] openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY <unfinished ...>
[pid 12156] <... access resumed> ) = 0
[pid 12157] <... openat resumed> ) = 3
[pid 12156] stat("/bin/sed", {st_mode=S_IFREG|0755, st_size=72248, ...}) = 0
[pid 12156] stat("/bin/sed", {st_mode=S_IFREG|0755, st_size=72248, ...}) = 0
[pid 12156] access("/bin/sed", X_OK) = 0
[pid 12156] stat("/bin/sed", {st_mode=S_IFREG|0755, st_size=72248, ...}) = 0
[pid 12157] +++ exited with 0 +++
[pid 12156] access("/bin/sed", R_OK) = 0
[pid 12155] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=12157, si_status=0, si_utime=0, si_stime=0} ---
[pid 12156] execve("/bin/sed", ["sed", "-i", "/\\(z0gg.me\\|x63.in\\)/d", "/etc/hosts"], [/* 3 vars */] <unfinished ...>
[pid 12155] +++ exited with 0 +++
[pid 12156] <... execve resumed> ) = 0
[pid 12156] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid 12156] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 12156] open("/lib64/libselinux.so.1", O_RDONLY) = 3
[pid 12156] open("/lib64/libc.so.6", O_RDONLY) = 3
[pid 12156] open("/lib64/libdl.so.2", O_RDONLY) = 3
[pid 12156] statfs("/selinux", {f_type="EXT2_SUPER_MAGIC", f_bsize=4096, f_blocks=35244766, f_bfree=27460671, f_bavail=25668671, f_files=8962048, f_ffree=8837001, f_fsid={-1884128229, 1876969564}, f_namelen=255, f_frsize=4096}) = 0
[pid 12156] open("/proc/filesystems", O_RDONLY) = 3
[pid 12156] open("/usr/lib64/charset.alias", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 12156] open("/etc/hosts", O_RDONLY) = 3
[pid 12156] open("/etc/sed8Sz5tf", O_RDWR|O_CREAT|O_EXCL, 0600) = 4
[pid 12156] rename("/etc/sed8Sz5tf", "/etc/hosts") = 0
[pid 12156] +++ exited with 0 +++
Process 12189 attached
[pid 12189] open("/etc/resolv.conf", O_RDONLY) = 4
Process 12191 attached
[pid 12189] open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 4
[pid 12191] execve("/bin/sh", ["/bin/sh", "-c", "sed -i '/\\(z0gg.me\\|x63.in\\)/d' "...], [/* 0 vars */] <unfinished ...>
[pid 12189] open("/etc/ld.so.cache", O_RDONLY <unfinished ...>
[pid 12191] <... execve resumed> ) = 0
[pid 12189] <... open resumed> ) = 4
[pid 12191] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid 12191] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 12189] open("/lib64/libnss_files.so.2", O_RDONLYProcess 12190 attached
) = 4
[pid 12190] execve("/bin/sh", ["/bin/sh", "-c", "grep -q 'nameserver 8.8.8.8' /et"...], [/* 0 vars */] <unfinished ...>
[pid 12191] open("/lib64/libtinfo.so.5", O_RDONLY) = 3
[pid 12190] <... execve resumed> ) = 0
[pid 12191] open("/lib64/libdl.so.2", O_RDONLY) = 3
[pid 12190] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid 12190] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 12189] open("/etc/host.conf", O_RDONLY|O_CLOEXEC <unfinished ...>
[pid 12191] open("/lib64/libc.so.6", O_RDONLY <unfinished ...>
[pid 12189] <... open resumed> ) = 4
[pid 12191] <... open resumed> ) = 3
[pid 12190] open("/lib64/libtinfo.so.5", O_RDONLY) = 3
[pid 12190] open("/lib64/libdl.so.2", O_RDONLY) = 3
[pid 12189] open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 4
[pid 12191] open("/dev/tty", O_RDWR|O_NONBLOCK <unfinished ...>
[pid 12190] open("/lib64/libc.so.6", O_RDONLY) = 3
[pid 12191] <... open resumed> ) = 3
[pid 12189] open("/etc/ld.so.cache", O_RDONLY) = 4
[pid 12189] open("/lib64/libnss_dns.so.2", O_RDONLY) = 4
[pid 12191] open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 3
[pid 12190] open("/dev/tty", O_RDWR|O_NONBLOCK) = 3
[pid 12190] open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 3
[pid 12191] getcwd("/", 4096) = 2
[pid 12191] open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
[pid 12191] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 12191] open("/lib64/libnss_files.so.2", O_RDONLY) = 3
[pid 12191] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
[pid 12191] stat(".", {st_mode=S_IFDIR|0555, st_size=4096, ...}) = 0
[pid 12191] stat("/usr/local/bin/sed", 0x7ffdbc8a3450) = -1 ENOENT (No such file or directory)
[pid 12191] stat("/bin/sed", {st_mode=S_IFREG|0755, st_size=72248, ...}) = 0
[pid 12191] stat("/bin/sed", {st_mode=S_IFREG|0755, st_size=72248, ...}) = 0
[pid 12191] access("/bin/sed", X_OK) = 0
[pid 12191] stat("/bin/sed", {st_mode=S_IFREG|0755, st_size=72248, ...}) = 0
[pid 12191] access("/bin/sed", R_OK) = 0
[pid 12191] stat("/bin/sed", {st_mode=S_IFREG|0755, st_size=72248, ...}) = 0
[pid 12191] stat("/bin/sed", {st_mode=S_IFREG|0755, st_size=72248, ...}) = 0
[pid 12191] access("/bin/sed", X_OK) = 0
[pid 12191] stat("/bin/sed", {st_mode=S_IFREG|0755, st_size=72248, ...}) = 0
[pid 12191] access("/bin/sed", R_OK) = 0
[pid 12191] execve("/bin/sed", ["sed", "-i", "/\\(z0gg.me\\|x63.in\\)/d", "/etc/hosts"], [/* 3 vars */]) = 0
[pid 12191] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid 12191] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 12191] open("/lib64/libselinux.so.1", O_RDONLY) = 3
[pid 12190] getcwd("/", 4096) = 2
[pid 12190] open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
[pid 12190] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 12190] open("/lib64/libnss_files.so.2", O_RDONLY) = 3
[pid 12191] open("/lib64/libc.so.6", O_RDONLY) = 3
[pid 12191] open("/lib64/libdl.so.2", O_RDONLY) = 3
[pid 12190] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
[pid 12191] statfs("/selinux", <unfinished ...>
[pid 12190] stat(".", <unfinished ...>
[pid 12191] <... statfs resumed> {f_type="EXT2_SUPER_MAGIC", f_bsize=4096, f_blocks=35244766, f_bfree=27460617, f_bavail=25668617, f_files=8962048, f_ffree=8837001, f_fsid={-1884128229, 1876969564}, f_namelen=255, f_frsize=4096}) = 0
[pid 12190] <... stat resumed> {st_mode=S_IFDIR|0555, st_size=4096, ...}) = 0
[pid 12190] stat("/usr/local/bin/grep", 0x7ffcccc5c5f0) = -1 ENOENT (No such file or directory)
[pid 12190] stat("/bin/grep", <unfinished ...>
[pid 12191] open("/proc/filesystems", O_RDONLY <unfinished ...>
[pid 12190] <... stat resumed> {st_mode=S_IFREG|0755, st_size=167840, ...}) = 0
[pid 12191] <... open resumed> ) = 3
[pid 12190] stat("/bin/grep", {st_mode=S_IFREG|0755, st_size=167840, ...}) = 0
[pid 12190] access("/bin/grep", X_OK) = 0
[pid 12190] stat("/bin/grep", {st_mode=S_IFREG|0755, st_size=167840, ...}) = 0
[pid 12191] open("/usr/lib64/charset.alias", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 12191] open("/etc/hosts", O_RDONLY) = 3
[pid 12190] access("/bin/grep", R_OK) = 0
[pid 12190] stat("/bin/grep", {st_mode=S_IFREG|0755, st_size=167840, ...}) = 0
[pid 12190] stat("/bin/grep", {st_mode=S_IFREG|0755, st_size=167840, ...}) = 0
[pid 12191] open("/etc/sedEpEYMO", O_RDWR|O_CREAT|O_EXCL, 0600) = 4
[pid 12190] access("/bin/grep", X_OK) = 0
[pid 12190] stat("/bin/grep", {st_mode=S_IFREG|0755, st_size=167840, ...}) = 0
[pid 12190] access("/bin/grep", R_OK) = 0
Process 12192 attached
[pid 12192] execve("/bin/grep", ["grep", "-q", "nameserver 8.8.8.8", "/etc/resolv.conf"], [/* 3 vars */] <unfinished ...>
[pid 12191] rename("/etc/sedEpEYMO", "/etc/hosts" <unfinished ...>
[pid 12192] <... execve resumed> ) = 0
[pid 12191] <... rename resumed> ) = 0
[pid 12192] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid 12191] +++ exited with 0 +++
[pid 12192] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 12192] open("/lib64/libpcre.so.0", O_RDONLY) = 3
[pid 12192] open("/lib64/libc.so.6", O_RDONLY) = 3
[pid 12192] openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY) = 3
[pid 12192] +++ exited with 0 +++
[pid 12190] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=12192, si_status=0, si_utime=0, si_stime=0} ---
[pid 12190] +++ exited with 0 +++
Process 12256 attached
[pid 12256] open("/etc/resolv.conf", O_RDONLYProcess 12257 attached
) = 4
[pid 12257] execve("/bin/sh", ["/bin/sh", "-c", "grep -q 'nameserver 8.8.8.8' /et"...], [/* 0 vars */]Process 12258 attached
<unfinished ...>
[pid 12258] execve("/bin/sh", ["/bin/sh", "-c", "sed -i '/\\(z0gg.me\\|x63.in\\)/d' "...], [/* 0 vars */] <unfinished ...>
[pid 12257] <... execve resumed> ) = 0
[pid 12257] access("/etc/ld.so.preload", R_OK <unfinished ...>
[pid 12258] <... execve resumed> ) = 0
[pid 12257] <... access resumed> ) = -1 ENOENT (No such file or directory)
[pid 12257] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 12258] access("/etc/ld.so.preload", R_OK <unfinished ...>
[pid 12257] open("/lib64/libtinfo.so.5", O_RDONLY) = 3
[pid 12258] <... access resumed> ) = -1 ENOENT (No such file or directory)
[pid 12258] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 12257] open("/lib64/libdl.so.2", O_RDONLY) = 3
[pid 12256] open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC <unfinished ...>
[pid 12258] open("/lib64/libtinfo.so.5", O_RDONLY <unfinished ...>
[pid 12256] <... open resumed> ) = 4
[pid 12258] <... open resumed> ) = 3
[pid 12257] open("/lib64/libc.so.6", O_RDONLY) = 3
[pid 12256] open("/etc/ld.so.cache", O_RDONLY) = 4
[pid 12258] open("/lib64/libdl.so.2", O_RDONLY) = 3