The day before yesterday I suddenly found a site on China Mobile Cloud throwing errors and asked the developers to take a look.
They replied that they couldn't log in to jumpserver (deployed at the company). I ssh'd into jumpserver and found CPU at 100%; the CPU of the whole ESXi host was maxed out.
At first I didn't know what the problem was. I tried rebooting jumpserver, still no good; in the end it was reverting to the snapshot taken before the last upgrade that fixed it. After that was handled, the developers fixed the China Mobile Cloud data problem remotely through jumpserver.
I then rushed to deal with the ESXi 100% CPU problem.
The ESXi problem was found: the VMs' CPU had no limits set, and several VMs consuming too much CPU at the same time saturated the host's CPU.
Yesterday I already suspected a cryptomining virus; only today did I have time to investigate properly.
top shows nothing wrong.
The vSphere console does show a problem; it has already exceeded the limit.
China Mobile Cloud monitoring also shows a problem.
Checking connections, I found a connection to a Russian IP address: 45.140.168.200:443
Looked this IP up online and couldn't find much; a lot of servers are talking to this IP.
Can't see the process's PID.
busybox won't run; it says cannot execute binary file.
I tried a lot of methods from the internet and none worked; I'm about to reinstall. 12 China Mobile Cloud hosts and several local servers were hit.
As for why the cloud hosts and the local hosts were hit together, my guess is the infection spread through jumpserver, since our Jumpserver can manage all the machines.
1
dbow 2023-05-19 17:00:37 +08:00
How did the virus get root? A weak ssh password?
3
ohwind 2023-05-19 17:19:43 +08:00
top shows nothing; could it have been replaced on you? Reinstall top, or try ps.
4
young 2023-05-19 17:41:18 +08:00
Search for “ld.so.preload 挖矿” (ld.so.preload mining); I handled a similar problem just a while back.
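The ld.so.preload hint above is the usual explanation for the symptoms in the opening post (top and ps showing no PID, a freshly installed busybox refusing to run): a library listed in /etc/ld.so.preload is injected into every dynamically linked process and can filter what they see. The following is an added example, not code posted in this thread; it audits that file against a fake root directory constructed inline (the library names in it are hypothetical), so it runs offline. Point audit_preload("/") at the real root, ideally from a separately booted rescue system, because a hooked libc can make the file look empty on the live host.

```python
"""Audit the glibc preload hook (/etc/ld.so.preload) that userland rootkits commonly use.

Added example for this thread, not code posted in it. Runs against a constructed
fake root so it works offline; use audit_preload("/") on a mounted victim disk.
"""
import os
import tempfile

# Entries here are loaded into every dynamically linked process; most distros ship no such file
PRELOAD_FILE = "etc/ld.so.preload"
VOLATILE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/run/")
STANDARD_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_preload(text):
    """ld.so.preload is whitespace separated; glibc treats '#' to end of line as a comment."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(line.split())
    return libs


def audit_preload(root="/"):
    """Return [(library, [reasons])] for every preload entry; [] means no file or no entries."""
    preload = os.path.join(root, PRELOAD_FILE)
    if not os.path.isfile(preload):
        return []
    with open(preload, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = []
    for lib in parse_preload(text):
        reasons = []
        on_disk = os.path.join(root, lib.lstrip("/"))
        if not os.path.exists(on_disk):
            reasons.append("listed library is missing (the loader warns on every exec)")
        if os.path.basename(lib).startswith("."):
            reasons.append("hidden filename")
        if lib.startswith(VOLATILE_DIRS):
            reasons.append("lives in a world-writable or volatile directory")
        if not lib.startswith(STANDARD_LIB_DIRS):
            reasons.append("outside the standard library directories")
        # Any entry at all is worth confirming against the package database
        findings.append((lib, reasons or ["present: confirm it belongs to an installed package"]))
    return findings


def build_demo_root():
    """Constructed fake root tree with a hypothetical preload file, for offline demonstration."""
    root = tempfile.mkdtemp(prefix="preload-demo-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "usr/local/lib"))
    with open(os.path.join(root, PRELOAD_FILE), "w", encoding="utf-8") as fh:
        fh.write("# constructed sample\n/usr/local/lib/.libhook.so\n/tmp/.x/libfake.so\n")
    open(os.path.join(root, "usr/local/lib/.libhook.so"), "w").close()  # exists on "disk"
    return root


if __name__ == "__main__":
    for lib, reasons in audit_preload(build_demo_root()):
        print(lib, "->", "; ".join(reasons))
```

The same checks apply to an LD_PRELOAD value found in a process environment or in /etc/environment and shell profiles; the file-based hook is simply the one that survives a reboot, which is why the thread's suggestion to search for it is a good first step.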
5
feedcode 2023-05-19 18:19:44 +08:00
75% of the CPU is in the kernel; check whether any kernel module looks abnormal:
awk '{print $1}' /proc/modules | xargs -n1 modinfo -n
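The awk | xargs pipeline above prints only where each loaded module's file lives. As an added example (not code posted in this thread), here is the check a responder would actually run over that data: parse /proc/modules, which also carries the taint letters for each module, and flag anything tainted, anything whose file is outside the running kernel's module tree, or anything for which modinfo -n finds no file at all. The input is constructed sample text; the diag_helper module and its path are hypothetical, the other two entries mirror the real paths posted later in the thread.

```python
"""Triage loaded kernel modules: /proc/modules taint flags plus `modinfo -n` locations.

Added example for this thread, not code posted by anyone in it. The input is a
constructed stand-in for `cat /proc/modules` and for the `modinfo -n` results of
the awk|xargs pipeline; on a real host read /proc/modules and call modinfo.
"""
from dataclasses import dataclass, field

# Kernel release taken from the module paths posted in the thread
KERNEL_RELEASE = "3.10.0-1160.45.1.el7.x86_64"

# Taint letters as printed in the trailing "(..)" column of /proc/modules
TAINT_MEANING = {
    "O": "out-of-tree (not built with this kernel)",
    "E": "unsigned module",
    "P": "proprietary",
    "F": "force-loaded",
    "C": "staging driver",
}

# Constructed sample: two normal CentOS 7 entries plus a hypothetical suspicious module
SAMPLE_PROC_MODULES = """\
xfs 1007400 2 - Live 0xffffffffc0320000
vmw_balloon 17160 0 - Live 0xffffffffc02a2000
diag_helper 16384 0 - Live 0xffffffffc0810000 (OE)
"""

# Constructed stand-in for `modinfo -n <name>`; diag_helper is hypothetical
SAMPLE_MODINFO_PATHS = {
    "xfs": f"/lib/modules/{KERNEL_RELEASE}/kernel/fs/xfs/xfs.ko.xz",
    "vmw_balloon": f"/lib/modules/{KERNEL_RELEASE}/kernel/drivers/misc/vmw_balloon.ko.xz",
    "diag_helper": "/tmp/.x/diag_helper.ko",
}


@dataclass
class ModuleFinding:
    name: str
    reasons: list = field(default_factory=list)


def parse_proc_modules(text):
    """Parse /proc/modules lines: name size refcount deps state address [(taint)]."""
    modules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        name, size, _refcount, _deps, state, _addr = parts[:6]
        taint = parts[6].strip("()") if len(parts) > 6 else ""
        modules.append({"name": name, "size": int(size), "state": state, "taint": taint})
    return modules


def triage_modules(proc_modules_text, modinfo_paths, kernel_release=KERNEL_RELEASE):
    """Flag modules that are tainted, have no backing file, or live outside the kernel tree."""
    allowed = tuple(
        f"/lib/modules/{kernel_release}/{sub}/" for sub in ("kernel", "extra", "weak-updates")
    )
    findings = []
    for mod in parse_proc_modules(proc_modules_text):
        reasons = [f"taint {flag}: {TAINT_MEANING.get(flag, 'unknown')}" for flag in mod["taint"]]
        path = modinfo_paths.get(mod["name"])
        if path is None:
            reasons.append("modinfo -n found no file: module may have been loaded from memory or unlinked")
        elif not path.startswith(allowed):
            reasons.append(f"file outside the running kernel's module tree: {path}")
        if reasons:
            findings.append(ModuleFinding(mod["name"], reasons))
    return findings


if __name__ == "__main__":
    for finding in triage_modules(SAMPLE_PROC_MODULES, SAMPLE_MODINFO_PATHS):
        print(finding.name)
        for reason in finding.reasons:
            print("  -", reason)
```

A kernel-level rootkit can unlink itself from the module list, so an empty report from the live host is not proof of a clean kernel; the advice later in the thread to diagnose from a separately booted system applies to this check as well.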
6
simplove OP @feedcode /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv4/udp_diag.ko.xz
/lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv4/tcp_diag.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv4/inet_diag.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv6/netfilter/ip6t_rpfilter.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv6/netfilter/ip6t_REJECT.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv6/netfilter/nf_reject_ipv6.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv4/netfilter/ipt_REJECT.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv4/netfilter/nf_reject_ipv4.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/netfilter/xt_conntrack.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/bridge/netfilter/ebtable_nat.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/bridge/netfilter/ebtable_broute.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/bridge/bridge.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/802/stp.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/llc/llc.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv6/netfilter/ip6table_nat.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv6/netfilter/nf_conntrack_ipv6.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv6/netfilter/nf_defrag_ipv6.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv6/netfilter/nf_nat_ipv6.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv6/netfilter/ip6table_mangle.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv6/netfilter/ip6table_security.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv6/netfilter/ip6table_raw.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv4/netfilter/iptable_nat.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv4/netfilter/nf_conntrack_ipv4.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv4/netfilter/nf_defrag_ipv4.ko.xz 
/lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv4/netfilter/nf_nat_ipv4.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/netfilter/nf_nat.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv4/netfilter/iptable_mangle.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv4/netfilter/iptable_security.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv4/netfilter/iptable_raw.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/netfilter/nf_conntrack.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/netfilter/ipset/ip_set.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/bridge/netfilter/ebtable_filter.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/bridge/netfilter/ebtables.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv6/netfilter/ip6table_filter.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv6/netfilter/ip6_tables.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv4/netfilter/iptable_filter.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/vmw_vsock/vmw_vsock_vmci_transport.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/vmw_vsock/vsock.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/arch/x86/platform/intel/iosf_mbi.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/arch/x86/crypto/crc32-pclmul.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/arch/x86/crypto/ghash-clmulni-intel.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/arch/x86/crypto/aesni-intel.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/char/ppdev.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/crypto/lrw.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/crypto/gf128mul.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/arch/x86/crypto/glue_helper.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/arch/x86/crypto/ablk_helper.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/misc/vmw_balloon.ko.xz 
/lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/crypto/cryptd.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/input/joydev.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/scsi/sg.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/input/misc/pcspkr.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/misc/vmw_vmci/vmw_vmci.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/i2c/busses/i2c-piix4.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/parport/parport_pc.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/parport/parport.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/net/ipv4/netfilter/ip_tables.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/fs/xfs/xfs.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/lib/libcrc32c.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/ata/ata_generic.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/ata/pata_acpi.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/gpu/drm/vmwgfx/vmwgfx.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/gpu/drm/drm_kms_helper.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/video/syscopyarea.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/video/sysfillrect.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/video/sysimgblt.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/video/fb_sys_fops.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/gpu/drm/ttm/ttm.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/ata/ahci.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/gpu/drm/drm.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/scsi/sd_mod.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/lib/crc-t10dif.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/crypto/crct10dif_generic.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/ata/ata_piix.ko.xz 
/lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/ata/libahci.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/ata/libata.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/arch/x86/crypto/crct10dif-pclmul.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/crypto/crct10dif_common.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/arch/x86/crypto/crc32c-intel.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/acpi/nfit/nfit.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/input/serio/serio_raw.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/nvdimm/libnvdimm.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/net/vmxnet3/vmxnet3.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/scsi/vmw_pvscsi.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/gpu/drm/drm_panel_orientation_quirks.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/md/dm-mirror.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/md/dm-region-hash.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/md/dm-log.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/drivers/md/dm-mod.ko.xz /lib/modules/3.10.0-1160.45.1.el7.x86_64/kernel/fs/fuse/fuse.ko.xz
I don't really understand this, boss.
8
feedcode 2023-05-19 21:55:42 +08:00 2
Those are all the default locations. You can verify whether the kernel rpm package has been tampered with:
rpm --verify kernel-3.10.0-1160.45.1
If the files all check out, use perf to find out where it is actually stuck:
perf record -agT -- sleep 60
perf report   # or: perf report --sort=comm --stdio
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/monitoring_and_managing_system_status_and_performance/recording-and-analyzing-performance-profiles-with-perf_monitoring-and-managing-system-status-and-performance
https://access.redhat.com/solutions/5720801
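rpm --verify prints nothing for a clean package, so on a suspect host the work is reading whatever it does print. As an added example (not code posted in this thread), the following parses that output and ranks each line: a changed digest or size on a kernel module or binary, or a module file missing altogether, matters far more than an edited config file or an mtime-only difference. The sample output is constructed; the paths follow the module list posted earlier in the thread.

```python
"""Parse `rpm --verify` output and rank changed files, e.g. for the kernel package.

Added example for this thread, not code posted in it. The input is constructed
sample output standing in for `rpm --verify kernel-3.10.0-1160.45.1`; a clean
package prints nothing, so any line at all deserves a look.
"""
import re
from dataclasses import dataclass, field

KERNEL_RELEASE = "3.10.0-1160.45.1.el7.x86_64"

# rpm prints one character per test in this order; "." means passed, "?" means untestable
FLAG_MEANING = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink target",
    "U": "owner", "G": "group", "T": "mtime", "P": "capabilities",
}
# Optional file-type column: c=config d=documentation g=ghost l=license r=readme
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9}|missing)\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/\S+)\s*$"
)

# Constructed sample; paths follow the module list posted in the thread
SAMPLE_RPM_VERIFY = f"""\
S.5....T.  c /etc/sysconfig/kernel
.......T.    /boot/symvers-{KERNEL_RELEASE}.gz
S.5....T.    /lib/modules/{KERNEL_RELEASE}/kernel/fs/xfs/xfs.ko.xz
missing      /lib/modules/{KERNEL_RELEASE}/kernel/net/ipv4/udp_diag.ko.xz
.M.......    /lib/modules/{KERNEL_RELEASE}/kernel/drivers/misc/vmw_balloon.ko.xz
"""


@dataclass
class VerifyResult:
    path: str
    ftype: str
    changed: list = field(default_factory=list)
    severity: str = "info"


def classify(ftype, changed):
    """Content changes to binaries and modules are the signal; config edits are routine."""
    if ftype in ("c", "g", "d", "l", "r"):
        return "info"
    if {"digest", "size", "missing"} & set(changed):
        return "high"
    if {"mode", "owner", "group", "capabilities", "symlink target"} & set(changed):
        return "medium"
    return "low"  # mtime-only drift


def parse_rpm_verify(text):
    """Turn rpm --verify lines into VerifyResult records with a severity attached."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # e.g. "Unsatisfied dependencies ..." headers
            continue
        flags, ftype, path = m.group("flags"), m.group("type") or "", m.group("path")
        if flags == "missing":
            changed = ["missing"]
        else:
            changed = [FLAG_MEANING[c] for c in flags if c in FLAG_MEANING]
        results.append(VerifyResult(path, ftype, changed, classify(ftype, changed)))
    return results


def high_risk_paths(results):
    """Paths whose on-disk content no longer matches the package: reinstall or image these first."""
    return [r.path for r in results if r.severity == "high"]


if __name__ == "__main__":
    for r in parse_rpm_verify(SAMPLE_RPM_VERIFY):
        print(f"{r.severity:6} {r.path}  ({', '.join(r.changed)})")
```

Two caveats that follow from the thread itself: if rpm or its database was altered on a rooted host the verify output cannot be trusted, which is the reason for the later suggestion to diagnose from a separately booted system; and a clean kernel package does not rule out the userland variant (ld.so.preload, replaced coreutils), which `rpm --verify coreutils procps-ng glibc` would cover in the same way.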
9
patrickyoung 2023-05-20 13:08:38 +08:00 via iPhone
Use a statically linked binary (for example toybox) or something else to inspect the /proc directory. Paid support available.
10
kenvix 2023-05-20 14:15:04 +08:00 1
This counts as a typical rootkit: for example the core C library, glibc, has been tampered with, so many programs print fake results.
I'd advise against diagnosing on the live system, since the results may be tampered with. Best to boot a separate system and diagnose the target from there.
11
Les1ie 2023-05-20 17:25:22 +08:00
Try busybox top?
12
simplove OP @Les1ie busybox can't even be installed; it keeps erroring out, saying cannot execute binary file.
The same installation method works without any problem on another machine that isn't infected, which shows the virus has definitely infected the environment or the functions.
13
wolfmei 2023-05-20 22:25:08 +08:00
That scary?
14
dode 2023-05-20 23:18:47 +08:00 via Android
Good thing the virus doesn't escalate to attack ESXi. Putting CPU and NIC speed limits on some key machines is a fine idea too.
15
willdawn 2023-05-27 14:06:07 +08:00 via Android
@simplove Download a statically linked busybox and use that; if that still doesn't work, shut down and try an offline scan with an ESET or Kaspersky ISO. If this is a fairly new rootkit or bootkit, you won't find it easily with the system running.
16
WingYo 2023-06-08 11:05:57 +08:00
Off topic, but my bootleg Synology (黑群晖) hit this same problem a while ago. I assumed it was qt maxing out the network, but on a 10500 CPU that shouldn't happen. It was fine after a reboot; later I found it once more, rebooted again, and haven't seen it since. With top I could see the CPU usage, all of it sh scripts. Not sure whether it's the same situation as OP's.