netstat -anpt发现一个奇怪的连接,但是ps和top命令确查不到此进程,这很可能是因为因为ps和top命令被替换了导致这些进程被过滤掉了。因此我这里有个脚本专门查找出来隐藏的进程
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os
def get_max_pid():
out = os.popen('cat /proc/sys/kernel/pid_max')
content = out.readline().strip('
')
if content.isdigit():
return int(content)
def get_ps_proc_list():
pid_list = []
out = os.popen('ps -e --no-header')
lines = out.readlines()
for line in lines:
parts = line.split(' ')
for part in parts:
if part == '':
parts.remove(part)
pid = int(parts[0])
pid_list.append(pid)
return pid_list
def get_ps_lwp_list():
lwp_list = []
out = os.popen('ps --no-header -eL o lwp')
lines = out.readlines()
for line in lines:
tid = int(line)
lwp_list.append(tid)
return lwp_list
def print_badpid_info(pid):
out = os.popen('ls -l /proc/%d/exe' % pid)
lines = out.readlines()
print(lines)
def main():
max_pid = get_max_pid()
print('max pid is %d' % max_pid)
if max_pid < 0 or max_pid > 50000:
return
ps_pid_list = get_ps_proc_list()
ps_lwp_list = get_ps_lwp_list()
self_pid = os.getpid()
for pid in range(2, max_pid):
#print("handle pid: %d" % pid)
if pid == self_pid:
continue
if pid in ps_pid_list or pid in ps_lwp_list:
continue
if not os.path.exists('/proc/' + str(pid)):
continue
print("found process not in ps list: %d" % pid)
print_badpid_info(pid)
if __name__ == '__main__':
main()
最后执行即可,python2和python3版本都可以直接执行,执行出来的就是使用ps和top看不到的隐藏进程,针对挖矿、中毒这种例子比较适用
针对挖矿的例子,这里有个不错的文件介绍:https://mp.weixin.qq.com/s?__biz=MzAxODI5ODMwOA==&mid=2666550500&idx=1&sn=9e6cc70e53291b16f7feb5de25882b2b&chksm=80dc904fb7ab19591ccec1bf0bf985f076286545c03a680775a659aaa7e05057c5b8d8e45e11&mpshare=1&scene=23&srcid=0124OSJW32r89rZe9zJf5YKK&sharer_sharetime=1611488968087&sharer_shareid=526a33875b341a963104be96ad05b723#rd