我家里的 Raspberry Pi 上运行着 Pi-hole(v5.2.2 Web 界面 v5.2.2 FTL v5.3.4),并且我已将 LAN 配置为使用它来满足 DNS 需求。从前段时间开始,我注意到我的计算机在打开时会无缘无故地显示为离线状态。
经过一番研究,我注意到我的 Synology 716+II NAS(DSM 版本:6.2.3-25426 更新 3)会向路由器(ASUS RT-AC88U)发送大量 DNS 查询,而路由器又会将这些查询转发到 Pi-hole。路由器的 dnsmasq 会偶尔阻止查询,因为它们进入得太快。这似乎阻止了客户端执行 DNS 探测,这就是为什么我的计算机认为它们处于离线状态。
问题是,我的 NAS 每小时发送大约 5,000 个有关不相关网页的查询。显然,NAS 被某种恶意软件感染,充当 DNS 服务器并响应查询。我没有安装 Synology DNS 服务器包。我已经确定了相关 IP,并在路由器级别阻止它之后,NAS 发送的查询似乎大大减少了。
我尝试了所有方法,例如禁用路由器的 UPnP、禁用所有端口转发。在 NAS 上重新安装 DSM,但都无济于事。我没有格式化硬盘,只是执行了系统分区清理并重新安装。
关于如何识别该问题的原因/应用有什么提示吗?
从 SSH 连接到 NAS 上运行的 tcpdump 示例(192.168.1.8 是 NAS,192.168.1.4 是 Raspberry Pi):
ps waux 命令的输出:
root 1 0.0 0.0 24144 3292 ? Ss 2020 1:02 /sbin/init
root 2 0.0 0.0 0 0 ? S 2020 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 2020 0:17 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 2020 0:00 [kworker/0:0H]
root 7 0.0 0.0 0 0 ? S 2020 0:07 [migration/0]
root 8 0.0 0.0 0 0 ? S 2020 0:00 [rcu_bh]
root 9 0.1 0.0 0 0 ? S 2020 1:34 [rcu_sched]
root 10 0.0 0.0 0 0 ? S 2020 0:00 [watchdog/0]
root 11 0.0 0.0 0 0 ? S 2020 0:00 [watchdog/1]
root 12 0.0 0.0 0 0 ? S 2020 0:09 [migration/1]
root 13 0.0 0.0 0 0 ? S 2020 0:16 [ksoftirqd/1]
root 15 0.0 0.0 0 0 ? S< 2020 0:00 [kworker/1:0H]
root 16 0.0 0.0 0 0 ? S 2020 0:00 [watchdog/2]
root 17 0.0 0.0 0 0 ? S 2020 0:01 [migration/2]
root 18 0.0 0.0 0 0 ? S 2020 0:16 [ksoftirqd/2]
root 20 0.0 0.0 0 0 ? S< 2020 0:00 [kworker/2:0H]
root 21 0.0 0.0 0 0 ? S 2020 0:00 [watchdog/3]
root 22 0.0 0.0 0 0 ? S 2020 0:02 [migration/3]
root 23 0.0 0.0 0 0 ? S 2020 0:16 [ksoftirqd/3]
root 25 0.0 0.0 0 0 ? S< 2020 0:00 [kworker/3:0H]
root 26 0.0 0.0 0 0 ? S< 2020 0:00 [khelper]
root 27 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]
root 28 0.0 0.0 0 0 ? S< 2020 0:00 [netns]
root 190 0.0 0.0 0 0 ? S< 2020 0:00 [writeback]
root 194 0.0 0.0 0 0 ? S< 2020 0:00 [kintegrityd]
root 195 0.0 0.0 0 0 ? S< 2020 0:00 [bioset]
root 196 0.0 0.0 0 0 ? S< 2020 0:00 [crypto]
root 198 0.0 0.0 0 0 ? S< 2020 0:00 [kblockd]
root 312 0.0 0.0 0 0 ? S< 2020 0:00 [ata_sff]
root 322 0.0 0.0 0 0 ? S< 2020 0:00 [md]
root 467 0.0 0.0 0 0 ? S< 2020 0:00 [rpciod]
root 532 0.0 0.0 0 0 ? S 2020 0:00 [khungtaskd]
root 537 0.5 0.0 0 0 ? S 2020 7:33 [kswapd0]
root 546 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]
root 547 0.0 0.0 0 0 ? S 2020 0:00 [fsnotify_mark]
root 552 0.0 0.0 0 0 ? S< 2020 0:00 [nfsiod]
http 1133 0.0 0.5 463332 42780 ? S 2020 0:27 php-fpm: pool www
root 1223 0.0 0.0 0 0 ? S 12:05 0:00 [kworker/1:2]
http 1252 0.0 0.4 461804 39348 ? S 2020 0:22 php-fpm: pool www
root 2327 0.0 0.1 36400 10740 ? S<s 2020 0:00 nginx: master process /usr/bin/nginx -g pid /run/nginx.pid; daemon on; master_process on;
root 2472 0.0 0.0 0 0 ? S 12:29 0:00 [kworker/u8:3]
root 2939 0.0 0.0 0 0 ? S< 2020 0:00 [iscsi_eh]
root 2974 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]
root 2991 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_1]
root 3034 0.0 0.0 0 0 ? S 12:40 0:00 [kworker/2:0]
root 3072 0.0 0.0 0 0 ? S 12:41 0:00 [kworker/u8:0]
root 3096 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_2]
http 3186 0.0 0.0 99636 2300 ? S 2020 0:00 /var/packages/Apache2.4/target/usr/local/bin/httpd24
http 3190 0.0 0.0 2412032 5160 ? Sl 2020 0:00 /var/packages/Apache2.4/target/usr/local/bin/httpd24
root 3244 0.0 0.0 0 0 ? S< 2020 0:00 [raid5wq]
root 3289 0.0 0.0 0 0 ? S< 2020 0:00 [deferwq]
root 3409 0.0 0.0 0 0 ? S 2020 0:00 [khubd]
root 3414 0.0 0.0 0 0 ? S 2020 0:00 [kethubd]
root 3585 0.0 0.0 0 0 ? S< 2020 0:00 [etxhci_wq3]
root 3636 0.0 0.0 0 0 ? S< 2020 0:04 [kworker/2:1H]
root 3637 0.0 0.0 0 0 ? S< 2020 0:05 [kworker/3:1H]
root 3640 0.0 0.0 0 0 ? S< 2020 0:00 [bioset]
root 3641 0.0 0.0 0 0 ? S 2020 0:02 [md0_raid1]
root 3642 0.0 0.0 0 0 ? S< 2020 0:05 [kworker/0:1H]
root 3643 0.0 0.0 0 0 ? S< 2020 0:05 [kworker/1:1H]
root 3668 0.0 0.0 0 0 ? S< 2020 0:00 [bioset]
root 3669 0.0 0.0 0 0 ? S 2020 0:00 [md1_raid1]
root 3750 0.0 0.0 0 0 ? S 12:53 0:00 [kworker/0:1]
root 3805 2.7 0.2 452484 18244 ? S 01:44 19:11 /usr/bin/smbd -F
root 3856 0.0 0.0 0 0 ? S< 2020 0:00 [ext4-group-desc]
root 3857 0.0 0.0 0 0 ? S 2020 0:02 [jbd2/md0-8]
root 3858 0.0 0.0 0 0 ? S< 2020 0:00 [ext4-dio-unwrit]
root 3901 0.0 0.0 17276 792 ? Ss 2020 0:00 /usr/bin/cgmanager --sigstop
system 3982 0.2 0.1 1240188 9068 ? Ssl 2020 3:07 /usr/bin/syslog-ng -F --worker-threads=4 -u system -g log
root 4291 0.0 0.0 0 0 ? S 13:03 0:00 [kworker/u8:1]
root 4346 0.0 0.0 0 0 ? S 13:04 0:00 [kworker/2:1]
root 4397 0.0 0.0 0 0 ? S 13:05 0:00 [kworker/0:0]
root 4402 0.0 0.0 0 0 ? S 13:05 0:00 [kworker/u8:2]
root 4430 0.0 0.0 0 0 ? S< 2020 0:00 [ipv6_addrconf]
root 4498 0.0 0.0 0 0 ? S 13:07 0:00 [kworker/u8:4]
root 4577 0.0 0.0 0 0 ? S 13:08 0:00 [kworker/2:3]
root 4593 0.0 0.0 76140 2816 ? Ss 2020 0:01 /usr/syno/sbin/synologaccd -f
root 4609 0.0 0.0 81568 2076 ? SNs 2020 0:00 /usr/syno/bin/synologrotated
root 4615 0.0 0.0 0 0 ? S 13:09 0:00 [kworker/3:2]
root 4617 0.0 0.0 13124 1200 ? Ss 2020 0:04 /sbin/dbus-daemon --session --fork --print-address
root 4648 0.0 0.0 0 0 ? S 13:10 0:00 [kworker/0:3]
root 4657 0.0 0.0 0 0 ? S 13:10 0:00 [kworker/1:0]
root 4661 0.5 0.1 213004 9968 ? Ss 13:10 0:00 sshd: root@pts/14
root 4669 0.4 0.0 199800 7812 pts/14 Ss 13:10 0:00 sudo -i
root 4672 0.0 0.0 26140 2328 pts/14 S 13:10 0:00 -ash
root 4703 0.0 0.0 27740 1464 pts/14 R+ 13:10 0:00 ps waux
root 4707 0.0 0.0 13124 880 ? Ss 2020 0:00 /sbin/dbus-daemon --system --nopidfile
root 4800 0.0 0.0 326104 4552 ? Ssl 2020 0:00 /usr/syno/sbin/synoconfd -D
root 4822 0.0 0.0 311484 3672 ? Ssl 2020 0:02 /usr/syno/sbin/synonetd
root 4850 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]
root 5251 0.0 0.0 18024 1304 ? Ss 2020 0:00 udevd --daemon
http 5320 1.9 0.5 802180 44704 ? Ssl 2020 23:48 [stealth]
root 5770 0.6 0.0 0 0 ? Z 04:33 3:33 [synoavscan] <defunct>
root 5903 0.0 0.0 0 0 ? S< 2020 0:00 [bioset]
root 6505 0.0 0.0 0 0 ? S< 03:55 0:00 [kworker/u9:0]
root 7116 0.0 0.0 8512 1900 ? Ss 2020 0:00 /usr/sbin/dhclient -4 -d -q -lf /tmp/dhcpv4.leases.eth1 -pf /tmp/dhcpcd-eth1.pid -sf /var/run/dh
root 7204 0.0 0.0 0 0 ? S< 2020 0:00 [bioset]
root 7208 0.0 0.0 0 0 ? S 2020 0:04 [md2_raid1]
root 7505 0.0 0.0 8516 1932 ? Ss 2020 0:00 /usr/sbin/dhclient -4 -d -q -lf /tmp/dhcpv4.leases.eth0 -pf /tmp/dhcpcd-eth0.pid -sf /var/run/dh
root 7784 0.0 0.0 0 0 ? Z<s 04:36 0:00 [SYNO.Core.Deskt] <defunct>
system 7804 0.0 0.0 262852 72 ? S 04:36 0:00 synoscgi
root 7853 0.0 0.0 0 0 ? Z<s 04:36 0:00 [SYNO.Core.Packa] <defunct>
root 8047 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-worker]
root 8049 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-worker-hi]
root 8050 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-delalloc]
root 8051 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-flush_del]
root 8052 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-flush_met]
root 8053 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-cache]
root 8054 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-submit]
root 8055 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-fixup]
root 8056 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-endio]
root 8057 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-endio-met]
root 8059 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-endio-met]
root 8060 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-endio-rai]
root 8061 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-rmw]
root 8062 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-endio-wri]
root 8063 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-freespace]
root 8064 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-delayed-m]
root 8065 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-readahead]
root 8067 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-qgroup-re]
root 8068 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-usrquota-]
root 8069 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-extent-re]
root 8070 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-syno_noco]
root 8072 0.0 0.0 0 0 ? S< 2020 0:00 [btrfs-syno_high]
root 8120 0.0 0.0 0 0 ? S 2020 0:00 [btrfs-cleaner]
root 8121 0.0 0.0 0 0 ? S 2020 0:09 [btrfs-transacti]
root 8510 0.0 0.0 295464 3616 ? Ssl 2020 0:00 /usr/syno/sbin/synologand
root 8529 0.0 0.0 117404 2380 ? Ss 2020 0:00 /usr/syno/sbin/synocrond
root 8677 0.0 0.0 147788 1816 ? Ss 2020 0:00 synostoraged
root 8683 0.0 0.0 147788 2140 ? S 2020 0:03 /usr/syno/sbin/synostoraged
root 8684 0.0 0.0 147788 2824 ? S 2020 0:20 /usr/syno/sbin/synostoraged
root 8685 0.0 0.0 147788 2880 ? S 2020 0:14 /usr/syno/sbin/synostoraged
root 8820 0.0 0.0 171536 3612 ? Ss 2020 0:01 /usr/syno/bin/s2s_daemon -d
root 9002 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_3]
root 9003 0.0 0.0 0 0 ? S 2020 0:00 [usb-storage]
root 9177 0.0 0.0 73300 1696 ? Ss 2020 0:01 /usr/syno/bin/synobackupd
root 9278 0.0 0.0 151976 3116 ? Ss 2020 0:11 /usr/syno/sbin/hotplugd
root 9467 0.1 0.1 265900 8932 ? Ss 2020 2:19 /usr/bin/snmpd -fLn -c /etc/snmp/snmpd.conf -p /var/run/snmpd.pid 127.0.0.1:161
root 9604 0.0 0.0 96888 3260 ? Ss 2020 0:00 /usr/syno/sbin/synoagentregisterd
root 9617 0.0 0.0 262852 1544 ? S<s 2020 0:23 synoscgi
root 9621 0.0 0.1 348628 8116 ? Ss 02:10 0:03 /usr/bin/nmbd -F
root 9634 0.0 0.0 155928 4208 ? S<s 2020 0:03 /usr/syno/sbin/synosnmpcd
root 9651 0.0 0.0 266272 3928 ? S<s 2020 0:13 /usr/syno/sbin/synocgid -D
root 9659 0.0 0.0 130088 5724 ? Ss 2020 0:01 /usr/syno/sbin/ddnsd
root 9664 0.0 0.0 127636 5736 ? Ss 2020 0:02 /usr/syno/sbin/heartbeatd
root 9696 0.0 0.0 25124 1512 ? S 02:10 0:01 avahi-daemon: running [DIMI-NAS.local]
http 9709 0.0 0.1 36404 11064 ? S< 02:10 0:00 nginx: worker process
http 9710 0.0 0.1 36404 11328 ? S< 02:10 0:00 nginx: worker process
http 9711 0.0 0.1 36404 11396 ? S< 02:10 0:02 nginx: worker process
http 9712 0.0 0.1 36404 11448 ? S< 02:10 0:03 nginx: worker process
ntp 9758 0.0 0.0 96156 2132 ? Ssl 2020 0:03 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u ntp:ntp
root 9759 0.0 0.0 199800 3588 ? Ss 2020 0:00 sudo -u nobody /usr/syno/bin/synowstransferd
root 9761 0.0 0.0 227128 2420 ? S<s 2020 0:00 /usr/syno/bin/findhostd
root 9765 0.0 0.0 0 0 ? Z<s 04:37 0:00 [SYNO.Entry.Requ] <defunct>
root 9809 0.0 0.0 174300 2876 ? S 2020 0:01 /usr/bin/netatalk
root 9838 0.0 0.0 148260 3824 ? Ss 2020 0:00 /usr/bin/sshd
root 9898 0.0 0.0 0 0 ? Z<s 04:37 0:00 [SYNO.Core.Packa] <defunct>
root 9899 0.0 0.0 0 0 ? Z<s 04:37 0:00 [SYNO.Core.UserS] <defunct>
root 9939 0.0 0.0 240360 6160 ? S 2020 0:01 /usr/bin/afpd -d -F /etc/afp.conf
root 9940 0.0 0.0 150520 2812 ? S 2020 0:00 /usr/bin/cnid_metad -d -F /etc/afp.conf
root 9960 0.0 0.0 199800 3584 ? Ss 2020 0:00 sudo -u nobody /usr/syno/bin/synowsdiscoveryd
root 9974 0.0 0.0 0 0 ? S 2020 0:01 [Syno_HDDMon]
nobody 10000 0.0 0.0 70064 1600 ? S 2020 0:00 /usr/syno/bin/synowstransferd
root 10028 0.0 0.1 319336 9112 ? SNsl 2020 0:02 /usr/syno/sbin/synocontentextractd
root 10048 0.0 0.0 6248 2340 ? SLs 2020 0:00 /usr/bin/vmtouch -lfd /var/run
root 10055 0.0 0.0 8584 700 ttyS0 Ss+ 2020 0:00 /sbin/getty 115200 console
nobody 10062 0.1 0.1 244072 12812 ? Sl 2020 1:56 /bin/python2 /usr/syno/bin/synowsdiscoveryd
root 10150 0.0 0.0 0 0 ? S 2020 0:00 [RODSP_ODX_LOGIN]
root 10151 0.0 0.0 0 0 ? S 2020 0:00 [RODSP_VLUN_LOGI]
root 10152 0.0 0.0 0 0 ? S 2020 0:00 [RODSP_VDISK_LOG]
system 10201 0.0 0.0 262852 72 ? S 04:37 0:00 synoscgi
postgres 10217 0.0 0.4 574888 33104 ? Ss 2020 0:00 /usr/bin/postgres -D /var/services/pgsql
root 10282 0.0 0.1 424688 11408 ? Ss 2020 0:01 /usr/bin/smbd -F
root 10427 0.0 0.0 325584 1020 ? Ssl 03:56 0:00 /var/packages/AntiVirus/target/bin/synoavd
postgres 10435 0.0 0.0 575148 884 ? Ss 2020 0:00 postgres: checkpointer process
postgres 10436 0.0 0.0 575148 4056 ? Ss 2020 0:00 postgres: writer process
postgres 10437 0.0 0.0 575148 884 ? Ss 2020 0:00 postgres: wal writer process
root 10451 0.0 0.0 245604 2756 ? SNs 2020 0:00 /usr/syno/sbin/synocontentextractd
root 10452 0.0 0.0 245604 2760 ? SNs 2020 0:00 /usr/syno/sbin/synocontentextractd
system 10465 0.0 0.0 262852 80 ? S 03:56 0:00 synoscgi
root 10543 0.0 0.0 0 0 ? S< 2020 0:00 [cifsiod]
root 10546 0.0 0.0 0 0 ? S< 2020 0:00 [cifsoplockd]
root 10659 0.0 0.0 498400 5572 ? S 2020 0:08 /usr/bin/smbd -F
root 10661 0.0 0.0 424660 4004 ? S 2020 0:00 /usr/bin/smbd -F
root 10763 0.0 0.0 68868 1236 ? SNs 2020 0:00 /usr/syno/sbin/synoindexd
root 10787 0.0 0.1 448184 10336 ? S 2020 0:11 /usr/bin/smbd -F
root 11013 0.0 0.0 7224 1132 ? Ss 2020 0:00 /usr/sbin/crond
root 11015 0.0 0.0 141424 3192 ? Ss 2020 0:00 /usr/syno/bin/synodisklatencyd
root 11060 0.2 0.0 750384 4336 ? Ssl 2020 2:58 /usr/syno/bin/scemd
root 11100 0.8 0.1 305424 11432 ? SLl 2020 11:08 /usr/syno/sbin/synorelayd
root 11224 0.0 0.1 432312 8548 ? Ss 2020 0:02 php-fpm: master process (/var/packages/WebStation/target/misc/php74_fpm.conf)
root 12363 0.0 0.0 520928 4200 ? Ssl 2020 0:03 /var/packages/FileStation/target/sbin/thumbd
root 12368 0.0 0.0 447196 3676 ? Ss 2020 0:00 /var/packages/FileStation/target/sbin/thumbd
root 12369 0.0 0.0 447196 3680 ? Ss 2020 0:00 /var/packages/FileStation/target/sbin/thumbd
root 12785 0.0 0.0 603184 4592 ? Ssl 2020 0:29 /var/packages/USBCopy/target/sbin/usb-copyd
root 12789 0.0 0.0 68888 1408 ? SN 2020 0:00 /usr/syno/sbin/synoindexscand
root 12790 0.0 0.0 68868 1424 ? SN 2020 0:00 /usr/syno/sbin/synoindexworkerd
root 12791 0.0 0.0 82276 2064 ? SN 2020 0:00 /usr/syno/sbin/synoindexplugind
root 12792 0.0 0.0 117096 4060 ? SN 2020 0:00 /usr/syno/sbin/synomediaparserd
root 12916 0.0 0.0 520928 3728 ? Ss 2020 0:00 /var/packages/FileStation/target/sbin/thumbd
root 12917 0.0 0.0 520928 3728 ? Ss 2020 0:00 /var/packages/FileStation/target/sbin/thumbd
root 12918 0.0 0.0 520928 3724 ? Ss 2020 0:00 /var/packages/FileStation/target/sbin/thumbd
root 12919 0.0 0.0 520928 3724 ? Ss 2020 0:00 /var/packages/FileStation/target/sbin/thumbd
root 12920 0.0 0.0 520928 3724 ? Ss 2020 0:00 /var/packages/FileStation/target/sbin/thumbd
root 12922 0.0 0.0 520928 3724 ? Ss 2020 0:00 /var/packages/FileStation/target/sbin/thumbd
root 12923 0.0 0.0 520928 3724 ? Ss 2020 0:00 /var/packages/FileStation/target/sbin/thumbd
root 12924 0.0 0.0 520928 3724 ? Ss 2020 0:00 /var/packages/FileStation/target/sbin/thumbd
http 12970 0.0 0.0 14960 636 ? Ss 2020 0:00 /var/packages/WebStation/target/usr/bin/multiwatch -f 4 -- /var/packages/WebStation/target/usr/b
http 12976 0.0 0.0 8420 332 ? S 2020 0:00 /var/packages/WebStation/target/usr/bin/fcgiwrap
http 12977 0.0 0.0 8420 332 ? S 2020 0:00 /var/packages/WebStation/target/usr/bin/fcgiwrap
http 12978 0.0 0.0 8420 332 ? S 2020 0:00 /var/packages/WebStation/target/usr/bin/fcgiwrap
http 12979 0.0 0.0 8420 332 ? S 2020 0:00 /var/packages/WebStation/target/usr/bin/fcgiwrap
root 13635 0.0 0.5 543588 42652 ? Ssl 2020 0:10 /var/packages/SynoFinder/target/sbin/synoelasticd
root 13904 0.0 0.0 293060 2848 ? SNsl 2020 0:00 /usr/syno/bin/iscsi_snapshot_comm_core -D
root 13907 0.0 0.0 145600 2872 ? SNs 2020 0:00 /usr/syno/bin/iscsi_snapshot_server -D
root 13915 0.0 0.0 189332 5260 ? Ssl 2020 0:03 /usr/syno/bin/scsi_plugin_server
root 13972 0.0 0.0 4232 372 ? SLs 02:33 0:00 /bin/vmtouch -l /usr/syno/bin/synoschedtask /usr/syno/bin/synoschedtool /usr/syno/etc/scheduled_
root 14281 0.0 0.0 99636 6696 ? Ss 2020 0:03 /var/packages/Apache2.4/target/usr/local/bin/httpd24
root 14914 0.0 0.0 4188 308 ? Ss 2020 0:01 /usr/bin/minissdpd -i eth0 -i eth1
root 15049 0.0 0.0 457424 7680 ? Ss 2020 0:01 php-fpm: master process (/usr/syno/etc/packages/WebStation/php_profile/6c71a6ba-110a-4a99-8333-0
http 15070 0.0 0.0 432312 948 ? S 2020 0:00 php-fpm: pool www
http 15071 0.0 0.0 432312 948 ? S 2020 0:00 php-fpm: pool www
http 15945 0.0 0.3 461332 29336 ? S 2020 0:23 php-fpm: pool www
root 19984 9.8 0.4 61092 39096 pts/15 S+ 04:22 51:54 grep --color=auto -rnw / -e nslookup
root 21568 0.0 0.0 293072 204 ? S 04:23 0:00 synoscgi_SYNO.AntiVirus.Scan_1_start_full
root 21574 98.8 12.4 1846268 1005620 ? RNs 04:23 521:44 /var/packages/AntiVirus/target/bin/synoavscan --all
root 21800 0.0 0.0 0 0 ? S< 2020 0:00 [kworker/u9:1]
root 22917 0.0 0.0 213004 5140 ? Ss 03:28 0:00 sshd: root@pts/15
root 22939 0.0 0.0 199800 3588 pts/15 Ss 03:28 0:00 sudo -i
root 22941 0.0 0.0 26156 1732 pts/15 S 03:28 0:00 -ash
root 23090 0.3 0.4 2636340 38796 ? Ssl 2020 4:46 /var/packages/CloudSync/target/sbin/syno-cloud-syncd /volume1/@cloudsync/config/daemon.conf
root 26067 0.0 0.0 0 0 ? S 09:40 0:03 [kworker/0:2]
system 26818 0.0 0.0 262852 80 ? S 00:56 0:00 synoscgi
system 26819 0.0 0.0 262852 80 ? S 00:56 0:00 synoscgi
root 28727 0.0 0.0 11976 1436 ? S 2020 0:00 /bin/sh /usr/local/mariadb10/bin/mysqld_safe --datadir=/var/packages/MariaDB10/target/mysql --pi
mysql 28863 0.0 0.6 1781284 54596 ? Sl 2020 0:30 /usr/local/mariadb10/bin/mysqld --basedir=/usr/local/mariadb10 --datadir=/var/packages/MariaDB10
root 29521 0.0 0.0 0 0 ? S 10:45 0:01 [kworker/3:1]
root 30333 0.0 0.0 0 0 ? S 11:01 0:01 [kworker/3:0]
root 30377 0.0 0.0 0 0 ? S 11:02 0:01 [kworker/1:1]
root 32190 0.0 0.0 0 0 ? S 11:37 0:01 [kworker/2:2]
使用 Tonny 的建议进行更多研究:
udp 0 0 DIMI-NAS:56353 pihole:domain ESTABLISHED
udp 0 0 DIMI-NAS:48653 pihole:domain ESTABLISHED
udp 0 0 DIMI-NAS:53011 pihole:domain ESTABLISHED
udp 0 0 DIMI-NAS:53159 pihole:domain ESTABLISHED
udp 0 0 DIMI-NAS:53203 pihole:domain ESTABLISHED
udp 0 0 DIMI-NAS:53288 pihole:domain ESTABLISHED
udp 0 0 DIMI-NAS:53474 pihole:domain ESTABLISHED
udp 0 0 DIMI-NAS:37553 pihole:domain ESTABLISHED
udp 0 0 DIMI-NAS:42539 pihole:domain ESTABLISHED
udp 0 0 DIMI-NAS:35339 pihole:domain ESTABLISHED
答案1
嗯,问题解决了。
正如 @Tonny 在评论中指出的那样,我在 NAS 网站上运行的唯一 WordPress 网页确实存在漏洞。显然,该网页的所有者安装了一些包含恶意代码的破解插件,允许 HTTP 请求在后台执行恶意操作。这与上面 ps 输出中以 http 用户身份运行的 `[stealth]` 进程(PID 5320)似乎相符:它占用了约 44 MB 内存并累计了 23 分钟 CPU 时间,而真正的内核线程在该列表中都以 root 运行且内存占用为 0,所以它很可能是伪装成内核线程的用户态进程。我删除了连接到该网页的虚拟主机,大约 24 小时后,问题没有再发生。