• Finding processes that ps and top cannot see


    netstat -anpt showed a suspicious connection, but neither ps nor top could find the owning process. The most likely explanation is that the ps and top binaries have been replaced with versions that filter those processes out of their output. The script below is the one I use to dig out such hidden processes: it does not trust ps at all, but instead walks every possible PID and checks whether /proc/<pid> exists, then reports any PID that exists in /proc but is absent from the ps listing.

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    # Runs unchanged under Python 2 and Python 3.
    import os

    def get_max_pid():
        # Largest PID the kernel will hand out; the brute-force walk stops there.
        out = os.popen('cat /proc/sys/kernel/pid_max')
        content = out.readline().strip()
        if content.isdigit():
            return int(content)
        return -1

    def get_ps_proc_list():
        # PIDs as reported by ps. If ps has been replaced, this list is the one that lies.
        pid_list = []
        out = os.popen('ps -e --no-header')
        lines = out.readlines()
        for line in lines:
            parts = line.split()  # split() with no argument already drops empty fields
            if not parts:
                continue
            pid = int(parts[0])
            pid_list.append(pid)

        return pid_list


    def get_ps_lwp_list():
        # Thread IDs (LWPs) as reported by ps; threads also have their own /proc/<tid> entry,
        # so they must be excluded or every multi-threaded process would be flagged.
        lwp_list = []
        out = os.popen('ps --no-header -eL o lwp')
        lines = out.readlines()
        for line in lines:
            line = line.strip()
            if line.isdigit():
                lwp_list.append(int(line))

        return lwp_list


    def print_badpid_info(pid):
        # Show which binary the hidden process is running. A "(deleted)" suffix on the
        # exe link means the file was removed from disk after it was started.
        out = os.popen('ls -l /proc/%d/exe' % pid)
        lines = out.readlines()
        print(lines)


    def main():
        max_pid = get_max_pid()
        print('max pid is %d' % max_pid)
        if max_pid <= 0:
            return
        if max_pid > 50000:
            # Modern kernels often set pid_max to 4194304; the walk still finishes in seconds.
            print('pid_max is large (%d), the scan may take a moment' % max_pid)

        ps_pid_list = set(get_ps_proc_list())
        ps_lwp_list = set(get_ps_lwp_list())

        self_pid = os.getpid()
        for pid in range(2, max_pid):

            #print("handle pid: %d" % pid)

            if pid == self_pid:
                continue

            if pid in ps_pid_list or pid in ps_lwp_list:
                continue

            # os.path.exists() uses stat(), not readdir(), so a rootkit that only
            # filters directory listings of /proc cannot hide the entry from this check.
            if not os.path.exists('/proc/' + str(pid)):
                continue

            # A process started after ps ran will also land here; re-run to confirm a hit.
            print("found process not in ps list: %d" % pid)

            print_badpid_info(pid)

    if __name__ == '__main__':
        main()


    Just run it; it works as-is under both Python 2 and Python 3. Everything it prints is a process that ps and top cannot see, which is exactly the situation you meet with cryptominers and other infections.
    For a cryptomining case, there is a good write-up here: https://mp.weixin.qq.com/s?__biz=MzAxODI5ODMwOA==&mid=2666550500&idx=1&sn=9e6cc70e53291b16f7feb5de25882b2b&chksm=80dc904fb7ab19591ccec1bf0bf985f076286545c03a680775a659aaa7e05057c5b8d8e45e11&mpshare=1&scene=23&srcid=0124OSJW32r89rZe9zJf5YKK&sharer_sharetime=1611488968087&sharer_shareid=526a33875b341a963104be96ad05b723#rd
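    As an added example (my own code, not the script from the post above), the same cross-check with the comparison logic separated from the data collection so it can be tested offline, plus two checks a responder usually wants next: a PID that the stat() walk finds but os.listdir('/proc') omits (the footprint of a library that hooks readdir, for instance one loaded through /etc/ld.so.preload), and whether /proc/<pid>/exe points at a binary that has since been deleted. Function names and sample values are mine; it assumes Linux and Python 3.7+.

```python
import os
import subprocess

def parse_ps_pids(text):
    """Collect every PID and LWP number from 'ps --no-headers -eL -o pid,lwp' output."""
    seen = set()
    for line in text.splitlines():
        seen.update(int(field) for field in line.split() if field.isdigit())
    return seen

def pids_from_ps():
    # The ps binary may itself be trojaned; this is the view we do not trust.
    out = subprocess.run(['ps', '--no-headers', '-eL', '-o', 'pid,lwp'],
                         capture_output=True, text=True, check=True).stdout
    return parse_ps_pids(out)

def pids_by_probe(pid_max):
    # Brute force with stat(): a hook that only filters readdir() cannot hide these.
    return {pid for pid in range(1, pid_max + 1) if os.path.exists('/proc/%d' % pid)}

def pids_from_listing():
    # The readdir() view of /proc, kept separately so it can be compared with the probe.
    return {int(name) for name in os.listdir('/proc') if name.isdigit()}

def classify(ps_pids, probe_pids, listing_pids, self_pid):
    """Pure comparison: returns (hidden from ps, hidden from readdir), both sorted."""
    candidates = probe_pids - {self_pid}
    return sorted(candidates - ps_pids), sorted(candidates - listing_pids)

def exe_of(pid):
    """Resolve /proc/<pid>/exe; a ' (deleted)' suffix means the binary was unlinked."""
    try:
        return os.readlink('/proc/%d/exe' % pid)
    except OSError as err:
        return '<unreadable: %s>' % err

if __name__ == '__main__':
    with open('/proc/sys/kernel/pid_max') as f:
        pid_max = int(f.read())
    hidden_ps, hidden_dir = classify(pids_from_ps(), pids_by_probe(pid_max),
                                     pids_from_listing(), os.getpid())
    # A process started after ps ran shows up here too; re-run to confirm a real hit.
    for pid in hidden_ps:
        print('hidden from ps: %d -> %s' % (pid, exe_of(pid)))
    for pid in hidden_dir:
        print('hidden from readdir(/proc): %d -> %s' % (pid, exe_of(pid)))
```

    A PID reported only in the second list was visible to ps but not to a directory listing of /proc, which points at a userland hook rather than a replaced ps binary.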

  • Original article: https://www.cnblogs.com/FengGeBlog/p/14326794.html