I have a Linux machine that appears to be infected with some kind of bot. I can see a couple of suspicious processes in top
1819 nginx 20 0 40680 6744 2200 S 0.7 0.1 0:01.44 bash
2786 nginx 20 0 51288 17016 1876 S 0.7 0.1 0:01.01 httpd
I can see they are running as the nginx user, but I'm not sure how to trace back to where they actually live on the machine. I tried looking with lsof and found that they are Perl. I have already rebuilt a new machine, but there must be a way to track them down...
lsof output
lsof -p 2786
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 2786 nginx cwd DIR 8,0 4096 2 /
bash 2786 nginx rtd DIR 8,0 4096 2 /
bash 2786 nginx txt REG 8,0 11408 5339 /usr/bin/perl
bash 2786 nginx mem REG 8,0 28312 28445 /usr/lib64/perl5/auto/File/Glob/Glob.so
bash 2786 nginx mem REG 8,0 86888 2715 /usr/lib64/perl5/auto/POSIX/POSIX.so
bash 2786 nginx mem REG 8,0 19520 2680 /usr/lib64/perl5/auto/Fcntl/Fcntl.so
bash 2786 nginx mem REG 8,0 44520 1424 /usr/lib64/perl5/vendor_perl/auto/Socket/Socket.so
bash 2786 nginx mem REG 8,0 19808 2696 /usr/lib64/perl5/auto/IO/IO.so
bash 2786 nginx mem REG 8,0 11384 25007 /usr/lib64/libfreebl3.so
bash 2786 nginx mem REG 8,0 2118128 9731 /usr/lib64/libc-2.17.so
bash 2786 nginx mem REG 8,0 143944 9299 /usr/lib64/libpthread-2.17.so
bash 2786 nginx mem REG 8,0 14872 9341 /usr/lib64/libutil-2.17.so
bash 2786 nginx mem REG 8,0 41080 9183 /usr/lib64/libcrypt-2.17.so
bash 2786 nginx mem REG 8,0 1141928 25020 /usr/lib64/libm-2.17.so
bash 2786 nginx mem REG 8,0 19776 25018 /usr/lib64/libdl-2.17.so
bash 2786 nginx mem REG 8,0 113584 25046 /usr/lib64/libnsl-2.17.so
bash 2786 nginx mem REG 8,0 111080 25064 /usr/lib64/libresolv-2.17.so
bash 2786 nginx mem REG 8,0 1647288 25323 /usr/lib64/perl5/CORE/libperl.so
bash 2786 nginx mem REG 8,0 155464 13486 /usr/lib64/ld-2.17.so
bash 2786 nginx 0r CHR 1,3 0t0 1029 /dev/null
bash 2786 nginx 1w CHR 1,3 0t0 1029 /dev/null
bash 2786 nginx 2w CHR 1,3 0t0 1029 /dev/null
bash 2786 nginx 3u sock 0,7 0t0 45177471 protocol: TCP
bash 2786 nginx 4u IPv4 46428309 0t0 TCP *:26450 (LISTEN)
bash 2786 nginx 7u a_inode 0,11 0 8898 [eventpoll]
ps aux -H output (excerpt)
nginx 6193 0.5 0.1 51392 17164 ? Ss 17:16 0:01 httpd
nginx 6562 0.5 0.0 40780 6564 ? Ss 17:19 0:00 bash
My question is: "How would you go about finding the suspicious files?"
Answer 1
Try ps x
or, more readably, ps aux -H
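As an added example (not part of the question or the answer above), the script below shows how to go from a PID to the on-disk origin of a process using /proc rather than trusting the name in top or ps. The question's own lsof output is the motivating case: the COMMAND column says bash/httpd while the txt entry is /usr/bin/perl, which is what a process that rewrites its own name (Perl's $0) looks like. It assumes a Linux host with procfs mounted; the function names and the list of drop directories are my own choices, and inspecting another user's processes needs root.

```shell
#!/bin/sh
# Added example, not from the original post: trace a suspicious process back
# to its on-disk origin via /proc. Assumes Linux with procfs; function names
# and the drop-directory list are assumptions. Run as root for other users' PIDs.
#
# Usage: sh find_origin.sh <pid> [<pid> ...]

# The real binary behind a PID. top/ps show a name the process can change
# (Perl's $0, prctl(PR_SET_NAME)); the exe symlink is maintained by the kernel.
proc_exe() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# Kernel-side short name, i.e. the COMMAND column in top/ps (at most 15 chars).
proc_comm() {
    cat "/proc/$1/comm" 2>/dev/null
}

# Full argv. procfs separates the arguments with NUL bytes; join with spaces.
proc_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null
}

# 0 if the displayed name matches the binary, 1 if it does not, 2 if it
# cannot be determined (kernel thread, no permission, PID already gone).
# An "httpd" whose exe is /usr/bin/perl, as in the question, returns 1.
name_matches_exe() {
    comm=$(proc_comm "$1")
    exe=$(proc_exe "$1")
    [ -n "$comm" ] && [ -n "$exe" ] || return 2
    [ "$comm" = "$(basename "$exe")" ]
}

# Everything needed to locate the script behind one PID.
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    echo "pid:     $pid"
    echo "comm:    $(proc_comm "$pid")"
    echo "exe:     $(proc_exe "$pid")"
    echo "cwd:     $(readlink "/proc/$pid/cwd" 2>/dev/null)"
    echo "cmdline: $(proc_cmdline "$pid")"
    name_matches_exe "$pid" && rc=0 || rc=$?
    [ "$rc" -eq 1 ] && echo "WARN: name does not match exe (possible \$0 spoofing)"
    # Open files and sockets. A script or payload read from a file that was
    # unlinked afterwards still appears here with a "(deleted)" suffix.
    echo "fds:"
    for fd in /proc/"$pid"/fd/*; do
        [ -L "$fd" ] || continue
        printf '  %s -> %s\n' "${fd##*/}" "$(readlink "$fd")"
    done
    return 0
}

# All PIDs whose binary was deleted after launch (a common run-then-unlink trick).
find_deleted_exes() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            *" (deleted)") echo "${p#/proc/} $exe" ;;
        esac
    done
    return 0
}

# All PIDs whose displayed name disagrees with their binary.
find_renamed_processes() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        name_matches_exe "$pid" && rc=0 || rc=$?
        [ "$rc" -eq 1 ] && echo "$pid $(proc_comm "$pid") -> $(proc_exe "$pid")"
    done
    return 0
}

# Files owned by the service account in the usual drop locations (assumed list).
find_user_files() {
    find /tmp /var/tmp /dev/shm /var/lib/nginx /var/cache/nginx \
        -user "$1" -type f 2>/dev/null
}

if [ $# -gt 0 ]; then
    for pid in "$@"; do inspect_pid "$pid"; echo; done
    echo "== processes whose exe was deleted =="
    find_deleted_exes
    echo "== processes whose name does not match their exe =="
    find_renamed_processes
    echo "== files owned by nginx in common drop directories =="
    find_user_files nginx
fi
```

Two caveats when reading the output. comm is truncated to 15 characters and interpreters are often invoked through a differently named symlink (python3 vs python3.11), so a mismatch is a lead to check by hand, not proof by itself. And in the question's lsof listing fds 0, 1 and 2 are /dev/null and no script file is open, so if cmdline does not name a script (perl -e, or a script piped in from the network) the code may exist only in memory; cwd, /proc/<pid>/environ and a find by owner and modification time on the compromised host are then the remaining leads.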