Background
While browsing the PVE web interface, the author happened to notice a virtual machine whose CPU usage was stuck at 100%. After connecting to the VM and running top, the CPU utilisation indeed read 100%, yet the process list below, sorted by CPU, showed no high-usage process at all. The conclusion: a malicious program is using some kind of hiding technique.
1. Find the hidden processes with unhide
First install unhide: apt install unhide
Then run unhide proc:
```
root@ubuntu-template:~# unhide proc
Unhide 20130526
Copyright © 2013 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info

NOTE : This version of unhide is for systems using Linux >= 2.6

Used options:
[*]Searching for Hidden processes through /proc stat scanning

Found HIDDEN PID: 1072
	Cmdline: "-bash"
	Executable: "/usr/bin/-bash (deleted)"
	Command: "-bash"
	$USER=root
	$PWD=/root

Found HIDDEN PID: 1074
	Cmdline: "-bash"
	Executable: "/usr/bin/-bash (deleted)"
	Command: "-bash"
	$USER=root
	$PWD=/root

Found HIDDEN PID: 1075
	Cmdline: "-bash"
	Executable: "/usr/bin/-bash (deleted)"
	Command: "-bash"
	$USER=root
	$PWD=/root

Found HIDDEN PID: 1076
	Cmdline: "-bash"
	Executable: "/usr/bin/-bash (deleted)"
	Command: "-bash"
	$USER=root
	$PWD=/root

Found HIDDEN PID: 1077
	Cmdline: "-bash"
	Executable: "/usr/bin/-bash (deleted)"
	Command: "-bash"
	$USER=root
	$PWD=/root

Found HIDDEN PID: 1078
	Cmdline: "-bash"
	Executable: "/usr/bin/-bash (deleted)"
	Command: "-bash"
	$USER=root
	$PWD=/root

Found HIDDEN PID: 1081
	Cmdline: "-bash"
	Executable: "/usr/bin/-bash (deleted)"
	Command: "-bash"
	$USER=root
	$PWD=/root
```
Wow, that is a lot of hidden processes!
Now let's look at the details of what these hidden processes are actually doing:
```
root@ubuntu-template:~# systemctl status 1072
● session-1.scope - Session 1 of user root
     Loaded: loaded (/run/systemd/transient/session-1.scope; transient)
  Transient: yes
     Active: active (running) since Fri 2024-05-31 16:40:58 CST; 22s ago
      Tasks: 11
     Memory: 29.7M
     CGroup: /user.slice/user-0.slice/session-1.scope
             ├─ 862 sshd: root@pts/0
             ├─1000 -bash
             ├─1072 -bash
             ├─1470 systemctl status 1072
             └─1472 pager
```
2. Clean up the hidden processes' executables and services
Based on the output of unhide and systemctl status, remove the hidden processes' executables and the services that start them.
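As an added example (not the author's code and not part of unhide), the script below reproduces unhide's "/proc stat scanning" check in Python: it probes every PID up to pid_max through /proc/<pid>/stat, lists /proc before and after the probe so short-lived processes do not produce false positives, and classifies each hidden PID's exe link, where a "(deleted)" suffix like the one above means the binary was unlinked from disk while the process keeps running from its in-memory image. The helper names and the double listing are this example's own assumptions, and the test data is constructed.

```python
"""Find PIDs that answer on /proc/<pid>/stat but are missing from a readdir()
of /proc, the same inconsistency unhide's 'proc' test looks for.  Run as root
on Linux; probing pid_max (often 4194304) PIDs takes several seconds."""
import os


def find_hidden(listed_before, probed, listed_after):
    """A PID is hidden only if it probed alive but appeared in neither listing
    (the second listing filters processes spawned during the probe)."""
    return sorted(set(probed) - set(listed_before) - set(listed_after))


def exe_status(exe_link):
    """Classify a /proc/<pid>/exe target: '(deleted)' means the on-disk binary
    is gone (unlinked) although the process is still running from memory."""
    if exe_link is None:
        return "unreadable"
    return "deleted" if exe_link.endswith(" (deleted)") else "on-disk"


def probe_pids(pid_max, stat_exists):
    """Brute-force every candidate PID.  stat_exists(pid) -> bool is injected
    so the logic can be exercised with constructed data instead of a live /proc."""
    return [pid for pid in range(1, pid_max + 1) if stat_exists(pid)]


def list_pids(proc):
    """PIDs that a plain readdir() of /proc reveals (what ps and top rely on)."""
    return [int(d) for d in os.listdir(proc) if d.isdigit()]


def scan_proc(proc="/proc"):
    """Live scan: {pid: exe_status} for every PID hidden from the /proc listing."""
    with open(os.path.join(proc, "sys/kernel/pid_max")) as f:
        pid_max = int(f.read())
    before = list_pids(proc)
    probed = probe_pids(pid_max, lambda p: os.path.exists(f"{proc}/{p}/stat"))
    after = list_pids(proc)
    report = {}
    for pid in find_hidden(before, probed, after):
        try:
            link = os.readlink(f"{proc}/{pid}/exe")
        except OSError:  # process exited or exe not readable
            link = None
        report[pid] = exe_status(link)
    return report


if __name__ == "__main__":
    for pid, status in scan_proc().items():
        print(f"HIDDEN PID {pid}: executable {status}")
```

Before killing a hidden process whose executable reports as deleted, copy /proc/<pid>/exe somewhere safe for later analysis, because once the process exits that image is gone for good.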
3. Scan the system with anti-malware tools to confirm no suspicious files remain
Tools such as ClamAV, Chkrootkit and Rootkit Hunter can be used here to scan the system and confirm that no suspicious files are left behind.