我刚刚检查了我的top输出,我有 4 个nginx在用户下运行的实例nobody。
这是用于几个网站的网络服务器(Ubuntu 18.04),但所有网站都应该在其下运行,apache2所以我完全不知道为什么要启动 nginx。
我尝试用 来停止它sudo service nginx stop,但收到错误Failed to stop nginx.service: Unit nginx.service not loaded.。
顶部输出:
31002 nobody 20 0 49660 7288 904 S 11.8 0.4 121:50.10 nginx
31003 nobody 20 0 50360 7988 904 S 11.8 0.4 121:52.87 nginx
31004 nobody 20 0 49660 7764 1380 S 11.8 0.4 121:47.32 nginx
31005 nobody 20 0 49472 7100 904 S 11.8 0.3 121:46.10 nginx
它占用了我近 50% 的 CPU。它到底在运行什么?如果我停止它,会有什么问题吗?我该如何停止它?
编辑:
lsof输出
sudo lsof -p 31002
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 31002 nobody cwd DIR 252,1 4096 527275 /opt/ng99
nginx 31002 nobody rtd DIR 252,1 4096 2 /
nginx 31002 nobody txt REG 252,1 630136 527281 /opt/ng99/sbin/nginx
nginx 31002 nobody mem REG 252,1 31680 3544 /lib/x86_64-linux-gnu/librt-2.27.so
nginx 31002 nobody mem REG 252,1 258040 2023 /lib/x86_64-linux-gnu/libnss_systemd.so.2
nginx 31002 nobody DEL REG 0,5 332894646 /dev/zero
nginx 31002 nobody mem REG 252,1 47568 3266 /lib/x86_64-linux-gnu/libnss_files-2.27.so
nginx 31002 nobody mem REG 252,1 97176 3256 /lib/x86_64-linux-gnu/libnsl-2.27.so
nginx 31002 nobody mem REG 252,1 47576 3268 /lib/x86_64-linux-gnu/libnss_nis-2.27.so
nginx 31002 nobody mem REG 252,1 39744 3263 /lib/x86_64-linux-gnu/libnss_compat-2.27.so
nginx 31002 nobody mem REG 252,1 14560 3232 /lib/x86_64-linux-gnu/libdl-2.27.so
nginx 31002 nobody mem REG 252,1 2030544 3212 /lib/x86_64-linux-gnu/libc-2.27.so
nginx 31002 nobody mem REG 252,1 116960 2192 /lib/x86_64-linux-gnu/libz.so.1.2.11
nginx 31002 nobody mem REG 252,1 2361888 4958 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
nginx 31002 nobody mem REG 252,1 465096 13944 /lib/x86_64-linux-gnu/libpcre.so.3.13.3
nginx 31002 nobody mem REG 252,1 39208 3218 /lib/x86_64-linux-gnu/libcrypt-2.27.so
nginx 31002 nobody mem REG 252,1 144976 3542 /lib/x86_64-linux-gnu/libpthread-2.27.so
nginx 31002 nobody mem REG 252,1 170960 2798 /lib/x86_64-linux-gnu/ld-2.27.so
nginx 31002 nobody DEL REG 0,18 332894660 /[aio]
nginx 31002 nobody DEL REG 0,5 332894648 /dev/zero
nginx 31002 nobody 0u CHR 1,3 0t0 6 /dev/null
nginx 31002 nobody 1u CHR 1,3 0t0 6 /dev/null
nginx 31002 nobody 2w CHR 1,3 0t0 6 /dev/null
nginx 31002 nobody 3u unix 0xffff91167bbab000 0t0 332894651 type=STREAM
nginx 31002 nobody 4w CHR 1,3 0t0 6 /dev/null
nginx 31002 nobody 5u IPv4 332894647 0t0 TCP *:7080 (LISTEN)
nginx 31002 nobody 6u unix 0xffff91167bbaa800 0t0 332894650 type=STREAM
nginx 31002 nobody 7u a_inode 0,13 0 9574 [eventpoll]
nginx 31002 nobody 8u a_inode 0,13 0 9574 [eventfd]
nginx 31002 nobody 9u a_inode 0,13 0 9574 [eventfd]
nginx 31002 nobody 10u unix 0xffff9116040f0c00 0t0 332894653 type=STREAM
nginx 31002 nobody 11u unix 0xffff9116040f1c00 0t0 332894655 type=STREAM
nginx 31002 nobody 12u IPv4 353160515 0t0 TCP example.com:7080->46.217.159.225:65414 (ESTABLISHED)
nginx 31002 nobody 13u IPv4 353157436 0t0 TCP example.com:7080->mbl-82-60-103.dsl.net.pk:58900 (ESTABLISHED)
nginx 31002 nobody 14u IPv4 353160894 0t0 TCP example.com:53940->hosted-by.leaseweb.com:http (ESTABLISHED)
nginx 31002 nobody 15u IPv4 353160810 0t0 TCP example.com:7080->mail2.jenty-spedition.com:63067 (ESTABLISHED)
nginx 31002 nobody 16u IPv4 353160425 0t0 TCP example.com:7080->cust38-37-249-197.netcabo.co.mz:49548 (ESTABLISHED)
nginx 31002 nobody 17u IPv4 353159606 0t0 TCP example.com:52448->hosted-by.leaseweb.com:http (ESTABLISHED)
nginx 31002 nobody 18u IPv4 353159799 0t0 TCP example.com:52676->hosted-by.leaseweb.com:http (ESTABLISHED)
nginx 31002 nobody 19u IPv4 353160336 0t0 TCP example.com:7080->194.red-81-43-205.staticip.rima-tde.net:64736 (ESTABLISHED)
nginx 31002 nobody 20u IPv4 353077137 0t0 TCP example.com:39648->hosted-by.leaseweb.com:http (CLOSE_WAIT)
nginx 31002 nobody 21u IPv4 353159735 0t0 TCP example.com:7080->remote.ajax-mach.co.uk:15672 (ESTABLISHED)
nginx 31002 nobody 22u IPv4 353159444 0t0 TCP example.com:7080->106.red-88-26-216.staticip.rima-tde.net:58409 (ESTABLISHED)
nginx 31002 nobody 23u IPv4 353160361 0t0 TCP example.com:7080->234.86.232.180.dsl.static.inet.as18190:56522 (ESTABLISHED)
nginx 31002 nobody 24u IPv4 353160107 0t0 TCP example.com:7080->195-70-120-40.stat.cablelink.at:26742 (ESTABLISHED)
nginx 31002 nobody 25u IPv4 353160338 0t0 TCP example.com:7080->117.120.26.2:54749 (ESTABLISHED)
nginx 31002 nobody 26u IPv4 353159878 0t0 TCP example.com:7080->mail.dzzemun.org.rs:20545 (ESTABLISHED)
nginx 31002 nobody 27u IPv4 353160275 0t0 TCP example.com:7080->118.69.70.132:59654 (ESTABLISHED)
nginx 31002 nobody 28u IPv4 353160819 0t0 TCP example.com:7080->host-80-17-254-205.business.telecomitalia.it:61051 (ESTABLISHED)
nginx 31002 nobody 29u IPv4 353157413 0t0 TCP example.com:7080->202.52.248.178:52803 (ESTABLISHED)
nginx 31002 nobody 30u IPv4 353160704 0t0 TCP example.com:7080->2e41ee77.skybroadband.com:49596 (ESTABLISHED)
nginx 31002 nobody 31u IPv4 353160895 0t0 TCP example.com:7080->static.vnpt.vn:61600 (ESTABLISHED)
nginx 31002 nobody 32u IPv4 353158288 0t0 TCP example.com:7080->31.223.154.37:52304 (ESTABLISHED)
nginx 31002 nobody 33u IPv4 353161162 0t0 TCP example.com:7080->213.150.194.253:57229 (ESTABLISHED)
nginx 31002 nobody 34u IPv4 353159044 0t0 TCP example.com:7080->14.114.175.72:9964 (ESTABLISHED)
nginx 31002 nobody 35u IPv4 353160340 0t0 TCP example.com:7080->51-15-183-135.rev.poneytelecom.eu:58993 (ESTABLISHED)
nginx 31002 nobody 36u IPv4 353160363 0t0 TCP example.com:7080->static.vnpt.vn:49440 (ESTABLISHED)
nginx 31002 nobody 37u IPv4 353160665 0t0 TCP example.com:7080->140.red-2-136-150.staticip.rima-tde.net:56142 (ESTABLISHED)
nginx 31002 nobody 38u IPv4 353124052 0t0 TCP example.com:7080->113.88.165.73:3554 (ESTABLISHED)
nginx 31002 nobody 39u IPv4 353159348 0t0 TCP example.com:7080->41.80.67.201:55093 (ESTABLISHED)
nginx 31002 nobody 40u sock 0,9 0t0 353161261 protocol: TCP
nginx 31002 nobody 41u IPv4 353160799 0t0 TCP example.com:7080->host-2-116-29-249.business.telecomitalia.it:51897 (ESTABLISHED)
nginx 31002 nobody 42u IPv4 353160426 0t0 TCP example.com:7080->www.euroconforto.com:56049 (ESTABLISHED)
nginx 31002 nobody 43u IPv4 353159875 0t0 TCP example.com:7080->static-190-181-19-211.acelerate.net:59739 (ESTABLISHED)
nginx 31002 nobody 44u IPv4 353156742 0t0 TCP example.com:49064->hosted-by.leaseweb.com:http (ESTABLISHED)
nginx 31002 nobody 45u IPv4 353160666 0t0 TCP example.com:53716->hosted-by.leaseweb.com:http (ESTABLISHED)
nginx 31002 nobody 46u IPv4 353156036 0t0 TCP example.com:7080->41.182.173.9:62750 (ESTABLISHED)
nginx 31002 nobody 47u IPv4 353160113 0t0 TCP example.com:7080->117.198.240.57:51943 (ESTABLISHED)
nginx 31002 nobody 48u IPv4 353160276 0t0 TCP example.com:7080->94.205.243.114:50083 (ESTABLISHED)
nginx 31002 nobody 49u IPv4 353139004 0t0 TCP example.com:56416->hosted-by.leaseweb.com:http (ESTABLISHED)
nginx 31002 nobody 50u IPv4 353160812 0t0 TCP example.com:7080->eopy320.static.otenet.gr:52781 (ESTABLISHED)
nginx 31002 nobody 51u IPv4 353159047 0t0 TCP example.com:51818->hosted-by.leaseweb.com:http (ESTABLISHED)
nginx 31002 nobody 52u sock 0,9 0t0 353161189 protocol: TCP
nginx 31002 nobody 53u IPv4 353148651 0t0 TCP example.com:7080->183.63.101.59:52427 (ESTABLISHED)
nginx 31002 nobody 54u IPv4 353160114 0t0 TCP example.com:7080->ppp-87-203-220-170.home.otenet.gr:52758 (ESTABLISHED)
nginx 31002 nobody 56u sock 0,9 0t0 353161217 protocol: TCP
nginx 31002 nobody 57u IPv4 353159483 0t0 TCP example.com:7080->27.17.52.90:57389 (ESTABLISHED)
nginx 31002 nobody 58u IPv4 353160494 0t0 TCP example.com:7080->176.204.253.232:52539 (ESTABLISHED)
nginx 31002 nobody 59u IPv4 353160642 0t0 TCP example.com:7080->static.77.89.237.94.tmg.md:22596 (ESTABLISHED)
这些都是example.com我正在运行的合法网站(使用Invision 电源板),但应该使用 Apache,而不是 nginx。
pstree输出:
pstree -a
systemd --system --deserialize 38
├─PM2 v3.5.1: God
│ ├─node
│ │ ├─sh -c next start -p 8080
│ │ │ └─node /home/leonardo/wordpress-react/node_modules/.bin/next start -p 8080
│ │ │ └─10*[{node}]
│ │ └─10*[{node}]
│ └─9*[{PM2 v3.5.1: God}]
├─accounts-daemon
│ └─2*[{accounts-daemon}]
├─agetty -o -p -- \\u --keep-baud 115200,38400,9600 ttyS0 vt220
├─apache2 -k start
│ ├─apache2 -k start
│ │ └─63*[{apache2}]
│ ├─apache2 -k start
│ │ └─63*[{apache2}]
│ └─apache2 -k start
│ └─63*[{apache2}]
├─atd -f
├─cron -f
├─dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
├─do-agent --syslog
│ └─7*[{do-agent}]
├─login -p --
│ └─bash
├─lvmetad -f
├─lxcfs /var/lib/lxcfs/
│ └─10*[{lxcfs}]
├─master -w
│ ├─pickup -l -t unix -u -c
│ └─qmgr -l -t unix -u
├─mysqld --daemonize --pid-file=/run/mysqld/mysqld.pid
│ └─32*[{mysqld}]
├─networkd-dispat /usr/bin/networkd-dispatcher --run-startup-triggers
│ └─{networkd-dispat}
├─nginx
│ ├─nginx
│ ├─nginx
│ ├─nginx
│ └─nginx
├─opendkim -x /etc/opendkim.conf
│ └─opendkim -x /etc/opendkim.conf
│ └─5*[{opendkim}]
├─php-fpm7.0
│ ├─php-fpm7.0
│ └─php-fpm7.0
├─php-fpm7.2
│ ├─php-fpm7.2
│ ├─php-fpm7.2
│ └─php-fpm7.2
├─polkitd --no-debug
│ └─2*[{polkitd}]
├─rsyslogd -n
│ └─3*[{rsyslogd}]
├─ssh-agent -s
├─sshd -D
│ └─sshd
│ └─sshd
│ └─bash
│ └─pstree -a
├─systemd --user
│ └─(sd-pam)
├─systemd --user
│ └─(sd-pam)
├─systemd-journal
├─systemd-logind
├─systemd-network
├─systemd-resolve
├─systemd-timesyn
│ └─{systemd-timesyn}
├─systemd-udevd
├─unattended-upgr /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
│ └─{unattended-upgr}
└─uuidd --socket-activation
netstat输出:
sudo netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:7080 0.0.0.0:* LISTEN 31001/nginx: master
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 29988/mysqld
tcp 0 0 127.0.0.1:12301 0.0.0.0:* LISTEN 948/opendkim
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 20528/systemd-resol
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 26277/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1306/master
tcp6 0 0 :::8080 :::* LISTEN 22794/node
tcp6 0 0 :::80 :::* LISTEN 4144/apache2
tcp6 0 0 :::22 :::* LISTEN 26277/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1306/master
tcp6 0 0 :::443 :::* LISTEN 4144/apache2
再次强调,除了 nginx 之外,我都认识。
编辑2:尝试终止这些进程,但新的进程又立即启动。
编辑 3:我运行了 ps -Al,发现有一个父进程可能正在创建我上面看到的进程。一旦我杀死它,它们就消失了。我想现在这个问题已经解决了,但仍然有点令人担忧。
EDIT4:我已将 /opt/ng99 文件夹上传到 mega,您可以找到它这里
答案1
感谢您用输出更新原始描述pstree/lsof/netstat。
让您检查/opt/ng99文件夹。我建议您在进行任何更改之前先将其压缩为 tar.gz/zip。这不是 nginx 服务器的标准名称/位置。
如果它是在 nobody 用户下创建的,我不会感到惊讶。如果是这样,请确保 nobody 或任何其他普通用户无法在 /opt 下创建文件夹。
如果您认为不是您或任何其他人以 root 权限创建了该服务器/opt/ng99,那么请备份 /etc 和 /var/logs 以供将来调查。同时备份 /root/.bash_history。您不应该在那里看到任何您没有执行的命令。
确保您的 apache 以正确的权限运行。网站被黑客入侵后,有时会在/tmp虚拟主机upload文件夹中创建一些进程,但/opt除非您允许某些用户进程提升其权限(例如 suid 位),否则这种情况不应该发生。您可能仍想测试某些东西,然后自己安装了它/opt/ng99。但根据您已经说过的话 - 这似乎不太可能。关键点:不要惊慌。不要消除证据。
- 编辑 -
我搜索了端口 7080,发现了以下对 Backdoor.Haxdoor.E [Symantec-2005-080212-3505-99] (2005.08.01) 的引用 https://www.speedguide.net/port.php?port=7080
您可能想阅读更多有关它以及如何防止攻击的信息。还请考虑更改密码,以防万一。如果您在其他地方使用过它们,也请更改它们。以防万一。