ps、top命令查詢不到程序的解決方案
阿新 • • 發佈:2021-10-16
netstat -anpt發現一個奇怪的連線,但是ps和top命令卻查不到此程序,這很可能是因為ps和top命令被替換了,導致這些程序被過濾掉了。因此我這裡有個指令碼專門查找出隱藏的程序
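#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Report PIDs that exist under /proc but are absent from ``ps`` output.

A replaced ``ps``/``top`` (or a preloaded hook) usually filters chosen PIDs
out of its listing. Probing ``/proc/<pid>`` for every PID up to the kernel's
``pid_max`` sidesteps that filtering: whatever the kernel admits to but
``ps`` does not is printed, together with its exe link and command line.

Runs unchanged on Python 2 and 3; Linux only (needs /proc).
"""
import os

PID_MAX_PATH = '/proc/sys/kernel/pid_max'

try:
    _range = xrange  # Python 2: avoid materialising a multi-million-element list
except NameError:
    _range = range


def get_max_pid():
    """Return the kernel's ``pid_max`` as an int, or ``None`` if it cannot be read.

    The file is read directly rather than through ``cat`` so the check does
    not depend on yet another binary that may have been replaced.
    """
    try:
        with open(PID_MAX_PATH) as fh:
            content = fh.readline().strip()
    except (IOError, OSError):
        return None
    if content.isdigit():
        return int(content)
    return None


def parse_pid_list(lines):
    """Return the integer first column of each ``ps`` output line, in order.

    Fields are split on any whitespace, so leading padding does not matter.
    Blank lines and lines whose first field is not numeric (e.g. a header)
    are skipped instead of aborting the scan with ``ValueError``.
    """
    pids = []
    for line in lines:
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.append(int(fields[0]))
    return pids


def get_ps_proc_list():
    """Return the list of PIDs that ``ps -e`` is willing to show."""
    with os.popen('ps -e --no-header') as out:
        return parse_pid_list(out.readlines())


def get_ps_lwp_list():
    """Return the list of thread IDs (LWPs) that ``ps -eL`` is willing to show.

    Every thread has its own ``/proc/<tid>`` entry even though it is not a
    process, so threads must be excluded from the probe as well or every
    multithreaded program would be reported as hidden.
    """
    with os.popen('ps --no-header -eL o lwp') as out:
        return parse_pid_list(out.readlines())


def describe_pid(pid):
    """Return a one-line summary of ``/proc/<pid>``: exe target and command line.

    ``os.readlink`` is used instead of shelling out to ``ls`` so the result
    does not depend on coreutils. Kernel threads have no readable exe link
    and an empty cmdline; both cases are reported rather than raised.
    """
    try:
        exe = os.readlink('/proc/%d/exe' % pid)
    except OSError as err:
        exe = '<unreadable: %s>' % err
    try:
        with open('/proc/%d/cmdline' % pid, 'rb') as fh:
            cmdline = fh.read().replace(b'\0', b' ').strip()
    except (IOError, OSError):
        cmdline = b''
    return 'exe=%s cmdline=%r' % (exe, cmdline)


def print_badpid_info(pid):
    """Print details for a PID that exists in /proc but is absent from ``ps``."""
    print(describe_pid(pid))


def _known_pids():
    """Return the set of PIDs and LWPs visible to ``ps`` plus our own PID."""
    known = set(get_ps_proc_list())
    known.update(get_ps_lwp_list())
    known.add(os.getpid())
    return known


def main():
    """Probe every PID below ``pid_max`` and print the ones ``ps`` does not list.

    ``os.listdir('/proc')`` is deliberately not used: a hooked ``readdir`` can
    drop entries from the listing, whereas an explicit ``stat()`` of a guessed
    path is far harder to intercept consistently. Processes that start or exit
    between the ``ps`` snapshot and the probe would appear as false positives,
    so candidates are re-checked against a second snapshot before reporting.
    """
    max_pid = get_max_pid()
    if max_pid is None or max_pid <= 0:
        print('cannot read %s; aborting' % PID_MAX_PATH)
        return
    # No upper cap here: 64-bit systemd hosts commonly set pid_max to
    # 4194304, and refusing to scan them would make the tool a silent no-op.
    print('max pid is %d' % max_pid)

    known = _known_pids()
    # PID 1 (init) is not probed; valid PIDs run 1..pid_max-1.
    candidates = [
        pid for pid in _range(2, max_pid)
        if pid not in known and os.path.exists('/proc/%d' % pid)
    ]

    if candidates:
        # Second snapshot: anything that is visible to ps now started after the
        # first snapshot and is a race, not a hidden process.
        known = _known_pids()

    found = 0
    for pid in candidates:
        if pid in known or not os.path.exists('/proc/%d' % pid):
            continue
        found += 1
        print("found process not in ps list: %d" % pid)
        print_badpid_info(pid)
    print('%d hidden pid(s) found' % found)


if __name__ == '__main__':
    main()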
最後執行即可,python2和python3版本都可以直接執行,執行出來的就是使用ps和top看不到的隱藏程序,針對挖礦、中毒這種例子比較適用
針對挖礦的例子,這裡有個不錯的檔案介紹:
https://mp.weixin.qq.com/s?__biz=MzAxODI5ODMwOA==&mid=2666550500&idx=1&sn=9e6cc70e53291b16f7feb5de25882b2b&chksm=80dc904fb7ab19591ccec1bf0bf985f076286545c03a680775a659aaa7e05057c5b8d8e45e11&mpshare=1&scene=23&srcid=0124OSJW32r89rZe9zJf5YKK&sharer_sharetime=1611488968087&sharer_shareid=526a33875b341a963104be96ad05b723#rd