Nginx process is running, but I don't remember installing or running it

I just checked my top output and I have 4 instances of nginx running under the nobody user.

This is a web server (Ubuntu 18.04) used for several websites, but all of them should be running under apache2, so I have no idea why nginx was started.

I tried to stop it with sudo service nginx stop, but got the error Failed to stop nginx.service: Unit nginx.service not loaded.

top output:

31002 nobody    20   0   49660   7288    904 S 11.8  0.4 121:50.10 nginx
31003 nobody    20   0   50360   7988    904 S 11.8  0.4 121:52.87 nginx
31004 nobody    20   0   49660   7764   1380 S 11.8  0.4 121:47.32 nginx
31005 nobody    20   0   49472   7100    904 S 11.8  0.3 121:46.10 nginx

It is taking up almost 50% of my CPU. What is it actually running? Will anything break if I stop it? How do I stop it?

Edit:

lsof output:

sudo lsof -p 31002
COMMAND   PID   USER   FD      TYPE             DEVICE SIZE/OFF      NODE NAME
nginx   31002 nobody  cwd       DIR              252,1     4096    527275 /opt/ng99
nginx   31002 nobody  rtd       DIR              252,1     4096         2 /
nginx   31002 nobody  txt       REG              252,1   630136    527281 /opt/ng99/sbin/nginx
nginx   31002 nobody  mem       REG              252,1    31680      3544 /lib/x86_64-linux-gnu/librt-2.27.so
nginx   31002 nobody  mem       REG              252,1   258040      2023 /lib/x86_64-linux-gnu/libnss_systemd.so.2
nginx   31002 nobody  DEL       REG                0,5          332894646 /dev/zero
nginx   31002 nobody  mem       REG              252,1    47568      3266 /lib/x86_64-linux-gnu/libnss_files-2.27.so
nginx   31002 nobody  mem       REG              252,1    97176      3256 /lib/x86_64-linux-gnu/libnsl-2.27.so
nginx   31002 nobody  mem       REG              252,1    47576      3268 /lib/x86_64-linux-gnu/libnss_nis-2.27.so
nginx   31002 nobody  mem       REG              252,1    39744      3263 /lib/x86_64-linux-gnu/libnss_compat-2.27.so
nginx   31002 nobody  mem       REG              252,1    14560      3232 /lib/x86_64-linux-gnu/libdl-2.27.so
nginx   31002 nobody  mem       REG              252,1  2030544      3212 /lib/x86_64-linux-gnu/libc-2.27.so
nginx   31002 nobody  mem       REG              252,1   116960      2192 /lib/x86_64-linux-gnu/libz.so.1.2.11
nginx   31002 nobody  mem       REG              252,1  2361888      4958 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
nginx   31002 nobody  mem       REG              252,1   465096     13944 /lib/x86_64-linux-gnu/libpcre.so.3.13.3
nginx   31002 nobody  mem       REG              252,1    39208      3218 /lib/x86_64-linux-gnu/libcrypt-2.27.so
nginx   31002 nobody  mem       REG              252,1   144976      3542 /lib/x86_64-linux-gnu/libpthread-2.27.so
nginx   31002 nobody  mem       REG              252,1   170960      2798 /lib/x86_64-linux-gnu/ld-2.27.so
nginx   31002 nobody  DEL       REG               0,18          332894660 /[aio]
nginx   31002 nobody  DEL       REG                0,5          332894648 /dev/zero
nginx   31002 nobody    0u      CHR                1,3      0t0         6 /dev/null
nginx   31002 nobody    1u      CHR                1,3      0t0         6 /dev/null
nginx   31002 nobody    2w      CHR                1,3      0t0         6 /dev/null
nginx   31002 nobody    3u     unix 0xffff91167bbab000      0t0 332894651 type=STREAM
nginx   31002 nobody    4w      CHR                1,3      0t0         6 /dev/null
nginx   31002 nobody    5u     IPv4          332894647      0t0       TCP *:7080 (LISTEN)
nginx   31002 nobody    6u     unix 0xffff91167bbaa800      0t0 332894650 type=STREAM
nginx   31002 nobody    7u  a_inode               0,13        0      9574 [eventpoll]
nginx   31002 nobody    8u  a_inode               0,13        0      9574 [eventfd]
nginx   31002 nobody    9u  a_inode               0,13        0      9574 [eventfd]
nginx   31002 nobody   10u     unix 0xffff9116040f0c00      0t0 332894653 type=STREAM
nginx   31002 nobody   11u     unix 0xffff9116040f1c00      0t0 332894655 type=STREAM
nginx   31002 nobody   12u     IPv4          353160515      0t0       TCP example.com:7080->46.217.159.225:65414 (ESTABLISHED)
nginx   31002 nobody   13u     IPv4          353157436      0t0       TCP example.com:7080->mbl-82-60-103.dsl.net.pk:58900 (ESTABLISHED)
nginx   31002 nobody   14u     IPv4          353160894      0t0       TCP example.com:53940->hosted-by.leaseweb.com:http (ESTABLISHED)
nginx   31002 nobody   15u     IPv4          353160810      0t0       TCP example.com:7080->mail2.jenty-spedition.com:63067 (ESTABLISHED)
nginx   31002 nobody   16u     IPv4          353160425      0t0       TCP example.com:7080->cust38-37-249-197.netcabo.co.mz:49548 (ESTABLISHED)
nginx   31002 nobody   17u     IPv4          353159606      0t0       TCP example.com:52448->hosted-by.leaseweb.com:http (ESTABLISHED)
nginx   31002 nobody   18u     IPv4          353159799      0t0       TCP example.com:52676->hosted-by.leaseweb.com:http (ESTABLISHED)
nginx   31002 nobody   19u     IPv4          353160336      0t0       TCP example.com:7080->194.red-81-43-205.staticip.rima-tde.net:64736 (ESTABLISHED)
nginx   31002 nobody   20u     IPv4          353077137      0t0       TCP example.com:39648->hosted-by.leaseweb.com:http (CLOSE_WAIT)
nginx   31002 nobody   21u     IPv4          353159735      0t0       TCP example.com:7080->remote.ajax-mach.co.uk:15672 (ESTABLISHED)
nginx   31002 nobody   22u     IPv4          353159444      0t0       TCP example.com:7080->106.red-88-26-216.staticip.rima-tde.net:58409 (ESTABLISHED)
nginx   31002 nobody   23u     IPv4          353160361      0t0       TCP example.com:7080->234.86.232.180.dsl.static.inet.as18190:56522 (ESTABLISHED)
nginx   31002 nobody   24u     IPv4          353160107      0t0       TCP example.com:7080->195-70-120-40.stat.cablelink.at:26742 (ESTABLISHED)
nginx   31002 nobody   25u     IPv4          353160338      0t0       TCP example.com:7080->117.120.26.2:54749 (ESTABLISHED)
nginx   31002 nobody   26u     IPv4          353159878      0t0       TCP example.com:7080->mail.dzzemun.org.rs:20545 (ESTABLISHED)
nginx   31002 nobody   27u     IPv4          353160275      0t0       TCP example.com:7080->118.69.70.132:59654 (ESTABLISHED)
nginx   31002 nobody   28u     IPv4          353160819      0t0       TCP example.com:7080->host-80-17-254-205.business.telecomitalia.it:61051 (ESTABLISHED)
nginx   31002 nobody   29u     IPv4          353157413      0t0       TCP example.com:7080->202.52.248.178:52803 (ESTABLISHED)
nginx   31002 nobody   30u     IPv4          353160704      0t0       TCP example.com:7080->2e41ee77.skybroadband.com:49596 (ESTABLISHED)
nginx   31002 nobody   31u     IPv4          353160895      0t0       TCP example.com:7080->static.vnpt.vn:61600 (ESTABLISHED)
nginx   31002 nobody   32u     IPv4          353158288      0t0       TCP example.com:7080->31.223.154.37:52304 (ESTABLISHED)
nginx   31002 nobody   33u     IPv4          353161162      0t0       TCP example.com:7080->213.150.194.253:57229 (ESTABLISHED)
nginx   31002 nobody   34u     IPv4          353159044      0t0       TCP example.com:7080->14.114.175.72:9964 (ESTABLISHED)
nginx   31002 nobody   35u     IPv4          353160340      0t0       TCP example.com:7080->51-15-183-135.rev.poneytelecom.eu:58993 (ESTABLISHED)
nginx   31002 nobody   36u     IPv4          353160363      0t0       TCP example.com:7080->static.vnpt.vn:49440 (ESTABLISHED)
nginx   31002 nobody   37u     IPv4          353160665      0t0       TCP example.com:7080->140.red-2-136-150.staticip.rima-tde.net:56142 (ESTABLISHED)
nginx   31002 nobody   38u     IPv4          353124052      0t0       TCP example.com:7080->113.88.165.73:3554 (ESTABLISHED)
nginx   31002 nobody   39u     IPv4          353159348      0t0       TCP example.com:7080->41.80.67.201:55093 (ESTABLISHED)
nginx   31002 nobody   40u     sock                0,9      0t0 353161261 protocol: TCP
nginx   31002 nobody   41u     IPv4          353160799      0t0       TCP example.com:7080->host-2-116-29-249.business.telecomitalia.it:51897 (ESTABLISHED)
nginx   31002 nobody   42u     IPv4          353160426      0t0       TCP example.com:7080->www.euroconforto.com:56049 (ESTABLISHED)
nginx   31002 nobody   43u     IPv4          353159875      0t0       TCP example.com:7080->static-190-181-19-211.acelerate.net:59739 (ESTABLISHED)
nginx   31002 nobody   44u     IPv4          353156742      0t0       TCP example.com:49064->hosted-by.leaseweb.com:http (ESTABLISHED)
nginx   31002 nobody   45u     IPv4          353160666      0t0       TCP example.com:53716->hosted-by.leaseweb.com:http (ESTABLISHED)
nginx   31002 nobody   46u     IPv4          353156036      0t0       TCP example.com:7080->41.182.173.9:62750 (ESTABLISHED)
nginx   31002 nobody   47u     IPv4          353160113      0t0       TCP example.com:7080->117.198.240.57:51943 (ESTABLISHED)
nginx   31002 nobody   48u     IPv4          353160276      0t0       TCP example.com:7080->94.205.243.114:50083 (ESTABLISHED)
nginx   31002 nobody   49u     IPv4          353139004      0t0       TCP example.com:56416->hosted-by.leaseweb.com:http (ESTABLISHED)
nginx   31002 nobody   50u     IPv4          353160812      0t0       TCP example.com:7080->eopy320.static.otenet.gr:52781 (ESTABLISHED)
nginx   31002 nobody   51u     IPv4          353159047      0t0       TCP example.com:51818->hosted-by.leaseweb.com:http (ESTABLISHED)
nginx   31002 nobody   52u     sock                0,9      0t0 353161189 protocol: TCP
nginx   31002 nobody   53u     IPv4          353148651      0t0       TCP example.com:7080->183.63.101.59:52427 (ESTABLISHED)
nginx   31002 nobody   54u     IPv4          353160114      0t0       TCP example.com:7080->ppp-87-203-220-170.home.otenet.gr:52758 (ESTABLISHED)
nginx   31002 nobody   56u     sock                0,9      0t0 353161217 protocol: TCP
nginx   31002 nobody   57u     IPv4          353159483      0t0       TCP example.com:7080->27.17.52.90:57389 (ESTABLISHED)
nginx   31002 nobody   58u     IPv4          353160494      0t0       TCP example.com:7080->176.204.253.232:52539 (ESTABLISHED)
nginx   31002 nobody   59u     IPv4          353160642      0t0       TCP example.com:7080->static.77.89.237.94.tmg.md:22596 (ESTABLISHED)

These are all example.com, a legitimate site I am running (with Invision Power Board), but it should be served by Apache, not nginx.

pstree output:

pstree -a
systemd --system --deserialize 38
  ├─PM2 v3.5.1: God
  │   ├─node
  │   │   ├─sh -c next start -p 8080
  │   │   │   └─node /home/leonardo/wordpress-react/node_modules/.bin/next start -p 8080
  │   │   │       └─10*[{node}]
  │   │   └─10*[{node}]
  │   └─9*[{PM2 v3.5.1: God}]
  ├─accounts-daemon
  │   └─2*[{accounts-daemon}]
  ├─agetty -o -p -- \\u --keep-baud 115200,38400,9600 ttyS0 vt220
  ├─apache2 -k start
  │   ├─apache2 -k start
  │   │   └─63*[{apache2}]
  │   ├─apache2 -k start
  │   │   └─63*[{apache2}]
  │   └─apache2 -k start
  │       └─63*[{apache2}]
  ├─atd -f
  ├─cron -f
  ├─dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  ├─do-agent --syslog
  │   └─7*[{do-agent}]
  ├─login -p --
  │   └─bash
  ├─lvmetad -f
  ├─lxcfs /var/lib/lxcfs/
  │   └─10*[{lxcfs}]
  ├─master -w
  │   ├─pickup -l -t unix -u -c
  │   └─qmgr -l -t unix -u
  ├─mysqld --daemonize --pid-file=/run/mysqld/mysqld.pid
  │   └─32*[{mysqld}]
  ├─networkd-dispat /usr/bin/networkd-dispatcher --run-startup-triggers
  │   └─{networkd-dispat}
  ├─nginx
  │   ├─nginx
  │   ├─nginx
  │   ├─nginx
  │   └─nginx
  ├─opendkim -x /etc/opendkim.conf
  │   └─opendkim -x /etc/opendkim.conf
  │       └─5*[{opendkim}]
  ├─php-fpm7.0
  │   ├─php-fpm7.0
  │   └─php-fpm7.0
  ├─php-fpm7.2
  │   ├─php-fpm7.2
  │   ├─php-fpm7.2
  │   └─php-fpm7.2
  ├─polkitd --no-debug
  │   └─2*[{polkitd}]
  ├─rsyslogd -n
  │   └─3*[{rsyslogd}]
  ├─ssh-agent -s
  ├─sshd -D
  │   └─sshd
  │       └─sshd
  │           └─bash
  │               └─pstree -a
  ├─systemd --user
  │   └─(sd-pam)
  ├─systemd --user
  │   └─(sd-pam)
  ├─systemd-journal
  ├─systemd-logind
  ├─systemd-network
  ├─systemd-resolve
  ├─systemd-timesyn
  │   └─{systemd-timesyn}
  ├─systemd-udevd
  ├─unattended-upgr /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
  │   └─{unattended-upgr}
  └─uuidd --socket-activation

netstat output:

sudo netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:7080            0.0.0.0:*               LISTEN      31001/nginx: master
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      29988/mysqld
tcp        0      0 127.0.0.1:12301         0.0.0.0:*               LISTEN      948/opendkim
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      20528/systemd-resol
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      26277/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1306/master
tcp6       0      0 :::8080                 :::*                    LISTEN      22794/node
tcp6       0      0 :::80                   :::*                    LISTEN      4144/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      26277/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1306/master
tcp6       0      0 :::443                  :::*                    LISTEN      4144/apache2

Again, I recognize everything except nginx.

Edit 2: I tried killing these processes, but new ones started again immediately.

Edit 3: I ran ps -Al and found a parent process that was probably creating the processes I saw above. Once I killed it, they were gone. I think the problem is solved now, but it is still a bit worrying.

Edit 4: I have uploaded the /opt/ng99 folder to mega; you can find it here
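An added example, not from the original post, of how the triage done above can be scripted: a POSIX shell helper that compares netstat -tlpn output against an allowlist of the daemons expected on this host and reports the rest, plus a /proc walk that prints a process's parent chain, which is how the respawning parent mentioned in Edit 3 gets located. The sample netstat lines are copied from the output above; the allowlist is an assumption.

```shell
#!/bin/sh
# Added example: triage helpers for an unexpected listener. Not from the original post.

# Constructed sample, copied from the netstat -tlpn output in the question.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:7080            0.0.0.0:*               LISTEN      31001/nginx: master
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      29988/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      26277/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      4144/apache2'

# Assumed allowlist of daemons that belong on this host (taken from the pstree above).
EXPECTED="apache2 mysqld sshd opendkim master node systemd-resol"

# unexpected_listeners: print "pid program local-address" for every LISTEN line
# whose program name is not in $EXPECTED. Reads netstat -tlpn output on stdin.
unexpected_listeners() {
    awk -v allow="$EXPECTED" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $6 == "LISTEN" {
            split($7, pp, "/")                 # "31001/nginx: master" -> pid, program
            prog = pp[2]; sub(/:.*$/, "", prog)
            if (!(prog in ok)) print pp[1], prog, $4
        }'
}

# proc_ancestry: print "pid comm" from the given PID up to PID 1 using /proc/PID/stat
# (format: "pid (comm) state ppid ..."). Linux only; this finds the respawning parent.
proc_ancestry() {
    pid=$1
    while [ "$pid" -gt 0 ] && [ -r "/proc/$pid/stat" ]; do
        comm=$(sed 's/^[0-9]* (\(.*\)) .*/\1/' "/proc/$pid/stat")
        ppid=$(sed 's/^[0-9]* (.*) [A-Za-z] \([0-9]*\) .*/\1/' "/proc/$pid/stat")
        printf '%s %s\n' "$pid" "$comm"
        if [ "$pid" -eq 1 ]; then break; fi
        pid=$ppid
    done
}

printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
if [ -r "/proc/$$/stat" ]; then proc_ancestry $$; fi
```

On the host itself, feed it live data with `sudo netstat -tlpn | unexpected_listeners` and pass the reported PID to proc_ancestry; the last non-systemd entry in the chain is the process to preserve and examine rather than kill.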

Answer 1

Thanks for updating the original description with the pstree/lsof/netstat output.

Let me ask you to inspect the /opt/ng99 folder. I suggest you compress it into a tar.gz/zip before making any changes. That is not a standard name/location for an nginx server.

I wouldn't be surprised if it was created under the nobody user. If so, make sure that nobody, or any other ordinary user, cannot create folders under /opt.

If you believe it was not you or anyone else with root privileges who created that server in /opt/ng99, then back up /etc and /var/logs for future investigation. Also back up /root/.bash_history. You should not see any commands there that you did not run.

Make sure your apache is running with the correct permissions. After a website is hacked, processes are sometimes created in /tmp or in a virtual host's upload folder, but that should not happen under /opt unless you allow some user process to elevate its privileges (e.g. the suid bit). You might still have wanted to test something and installed it in /opt/ng99 yourself. But based on what you have already said, that seems unlikely. Key point: don't panic. Don't destroy the evidence.

- Edit -

I searched for port 7080 and found the following reference to Backdoor.Haxdoor.E [Symantec-2005-080212-3505-99] (2005.08.01): https://www.speedguide.net/port.php?port=7080

You may want to read more about it and about how to prevent attacks. Also consider changing your passwords, just in case. If you have used them elsewhere, change them there too. Just in case.
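Example code added here (not the answerer's) for the steps in this answer: archive /opt/ng99 with permissions intact and hash its files before changing anything, then check the two conditions the answer names, world-writable directories under /opt and setuid files. The /opt/ng99 path is the one from the question; the evidence destination directory and the hashing tool fallback are assumptions.

```shell
#!/bin/sh
# Added example: preserve a suspicious directory before touching it, then check the
# two conditions from the answer (writable /opt, setuid binaries). Not the answerer's script.
# Usage (as root): preserve_evidence /opt/ng99 /root/evidence; world_writable_dirs /opt; suid_files /opt

# preserve_evidence SRC DEST_DIR: tar SRC with modes intact, record its owner and
# a sha256 of every file, and print the archive path. Nothing in SRC is modified.
preserve_evidence() {
    src=$1; dest=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    name=$(basename "$src")
    mkdir -p "$dest"
    # -p keeps modes; when run as root, owner/group of the files are preserved too.
    tar -cpzf "$dest/$name-$stamp.tar.gz" -C "$(dirname "$src")" "$name"
    ls -ld "$src" > "$dest/$name-$stamp.owner.txt"
    # sha256sum (coreutils) or shasum -a 256 (BSD/macOS), whichever is present.
    if command -v sha256sum >/dev/null 2>&1; then hash_cmd="sha256sum"; else hash_cmd="shasum -a 256"; fi
    find "$src" -type f -exec $hash_cmd {} + > "$dest/$name-$stamp.sha256"
    printf '%s\n' "$dest/$name-$stamp.tar.gz"
}

# world_writable_dirs DIR: directories under DIR in which any user can create files.
# The answer's point: the nobody user must not be able to create folders under /opt.
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# suid_files DIR: setuid executables under DIR, the privilege-elevation path the
# answer mentions; each hit should be accounted for by a known package.
suid_files() {
    find "$1" -type f -perm -4000 2>/dev/null
}
```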
