
The CPU was racing late at night, and a roomful of bigwigs were left dumbfounded.

2025-03-28 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 11/24 Report

This article comes from the WeChat official account Programming Technology Universe (ID: xuanyuancoding), by Xuanyuan Wind.

This story is adapted from a recent mining-malware incident.

That evening the alarm sounded, and the whole Linux empire was in a panic.

The Minister of Security quickly summoned everyone to discuss how to deal with it.

"Ladies and gentlemen, we have an emergency. CPU usage has suddenly spiked and has not come down for a long time. Ah Q from the CPU factory has lodged a strong protest with us."

At this point the kill command spoke up: "Minister, don't panic. Ask Brother top to see who is hogging the CPU and get its process number, the pid. I'll kill it."

When he said this, everyone nodded in approval, looking a little frightened.

The top command stood up with a smug look, said "Watch this," and printed out the list of current processes:

Everyone stared at it for a long time, but nobody could see which process was hogging the CPU, not even top himself.

Then the ps command came over: "Let me try."

ps took a deep breath and printed out a process list.

But still there was no suspicious process.

"What's wrong with you two? Why can't you find it?" The Minister of Security was a little unhappy.

"Minister, both of us traverse the contents of the /proc/ directory. By rights every process should be in there, and I can't figure out why we can't find it," Brother top said, aggrieved.

"Traverse? How do you traverse it?"

"Through the opendir/readdir system call functions. They are standard interfaces provided by the Empire and shouldn't go wrong, unless..." top paused.

"Unless what?"

"Unless those system calls filter out that process; then I can't see it. Has someone sneaked into the Imperial kernel and tampered with the system calls?"

The Minister of Security's eyes went wide. If that were so, it would be a big deal.

Watching the minister pace anxiously, netstat stood up: "Minister, I have a good friend named unhide who is good at catching hidden processes. Why not invite him to try?"

The minister was overjoyed. "What are you waiting for? Hurry up and invite him!"

"I've already been in touch; he'll be right here."

The minister looked at netstat: "While we wait, see whether there are any suspicious connections."

netstat nodded and printed out all the network connection information:

"Come and claim them one by one; let's see whose each one is," the minister said.

"This service on port 80 is mine," nginx stepped forward.

"This one on port 6379 is mine," redis stepped forward too.

"This one, 9200, is mine," said elasticsearch.

"3306, that's mine."

"8182 is mine."

After a while of commotion, only one connection was left unclaimed:

tcp        0      0 192.168.0.4:51854      88.99.193.240:7777     ESTABLISHED -

"Minister, this is probably the connection of the guy hiding in the dark," netstat said.

The minister thought for a moment: "Where is curl? Go and visit this IP address and find out what is on the other end."

curl stood up: "On it."

curl carefully sent an HTTP request, and the other side replied:

An eye-catching line of mining-pool text appeared before everyone.

"Damn, a mining virus!" Brother top shouted.

Everyone present drew a sharp breath.

The minister hurriedly had the firewall configure a rule to cut off the connection.

Just then, unhide walked in.

After a quick briefing, unhide patted his chest: "Leave it to me. I'll find this guy."

Then unhide set to work with a vengeance and output a few lines:

Found HIDDEN PID 13053 Executable: "/usr/bin/picks" $USER=root
Found HIDDEN PID 13064 Executable: "/usr/bin/picks" $USER=root

Everyone crowded around and stared wide-eyed. Brother unhide was not bluffing: he really had found a couple of suspicious characters.

top was a little skeptical: "May I ask, brother, why can't I see these processes?"

unhide smiled: "No mystery. I also traverse the /proc/ directory, but unlike you I don't use readdir. I go from the smallest process id to the largest and access the /proc/$pid directory one by one; if the directory exists but the pid is not in brother ps's output, then that is a hidden process."
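The brute-force comparison unhide describes, as an added example written for this page (it is not unhide's code and not from the story's author). It assumes Linux's /proc layout and the kernel.pid_max sysctl; the fake directory listing, the fake set of existing pids and the executable paths are constructed test data. Two caveats a practitioner will want: opendir/readdir are C-library wrappers over the getdents64 system call, so the filtering can live in a userspace LD_PRELOAD library as well as in a kernel module, and a rootkit that also hooks stat() or the kernel's path lookup will hide /proc/<pid> from this probe too. The scan only exposes hooks that filter directory listings.

```python
import os

# Added example, not unhide's own code. A readdir()-based listing (what ps and
# top rely on) is compared against a brute-force probe of every pid from 1 to
# pid_max. Hiding an entry from a directory listing does not stop the
# /proc/<pid> directory from being reachable by name.

PID_MAX_FALLBACK = 32768  # default pid_max on many Linux systems; the live scan reads the real value


def listed_pids(proc_entries):
    """PIDs as a readdir()-based tool sees them: the numeric names in /proc."""
    return {int(name) for name in proc_entries if name.isdigit()}


def find_hidden_pids(listed, proc_exists, pid_max):
    """Return pids whose /proc/<pid> exists but that are missing from `listed`.

    `proc_exists(pid)` answers "does /proc/<pid> exist?" without using a
    directory listing (a stat() by name is enough)."""
    return sorted(pid for pid in range(1, pid_max + 1)
                  if pid not in listed and proc_exists(pid))


def describe(pid, readlink):
    """Executable path of a pid via /proc/<pid>/exe; `readlink` is injected so the test can fake it."""
    try:
        return readlink(f"/proc/{pid}/exe")
    except OSError:
        return "<unreadable>"


def scan_live_proc():
    """Run the comparison against the real /proc (Linux; root to resolve other users' exe links).

    A process that starts or exits between the listing and the probe is not
    hidden, so candidates are re-checked against a fresh listing to drop that
    race as a false positive."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    except OSError:
        pid_max = PID_MAX_FALLBACK
    before = listed_pids(os.listdir("/proc"))
    candidates = find_hidden_pids(before, lambda pid: os.path.isdir(f"/proc/{pid}"), pid_max)
    after = listed_pids(os.listdir("/proc"))
    hidden = [pid for pid in candidates if pid not in after and os.path.isdir(f"/proc/{pid}")]
    return {pid: describe(pid, os.readlink) for pid in hidden}


# Constructed scenario for the demo: readdir shows pids 1, 2 and 13040, but
# /proc/13053 and /proc/13064 also exist (the two hidden miners in the story).
FAKE_LISTING = ["1", "2", "13040", "self", "sys", "net"]
FAKE_EXISTING = {1, 2, 13040, 13053, 13064}
FAKE_EXE = {13053: "/usr/bin/picks", 13064: "/usr/bin/picks"}


def demo():
    listed = listed_pids(FAKE_LISTING)
    hidden = find_hidden_pids(listed, lambda pid: pid in FAKE_EXISTING, 32768)
    return {pid: describe(pid, lambda path: FAKE_EXE[int(path.split("/")[2])]) for pid in hidden}


if __name__ == "__main__":
    for pid, exe in demo().items():
        print(f'Found HIDDEN PID {pid} Executable: "{exe}"')
```

scan_live_proc() is the function to run on a suspect host; demo() exercises the same logic on the constructed data so the example can be checked offline. Because pid_max can be far above 32768 on modern systems, the live scan reads the sysctl rather than assuming the old default.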

ps smiled: "So I was useful after all."

"I've found it. This is the guy!" netstat said loudly.

"How can you be so sure?" the minister asked.

"Look: all the files a process has opened are in the /proc/pid/fd directory, and a socket is a file too. I just took a look, and this process happens to have a socket. Combined with the information in /proc/net/tcp, we can determine that this socket is the one connected to target port 7777!"
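netstat's attribution step, as an added example written for this page (not the story's author's code and not netstat's): it reads the socket:[inode] links in /proc/<pid>/fd, parses /proc/net/tcp, and joins the two on the inode column. The /proc/net/tcp excerpt and the fd link targets are constructed sample data reproducing the story's connection; the real file has the same columns. Only IPv4 is handled here: /proc/net/tcp6 and the udp tables carry the same inode column but print addresses as 32 hex digits and would need their own decoder.

```python
import os
import re
import socket
import struct

# Added example, not code from the story or from netstat. Maps the sockets a
# process holds open (socket:[inode] links under /proc/<pid>/fd) to rows of
# /proc/net/tcp, whose inode column ties each connection to its owner.

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")


def decode_endpoint(field):
    """'0400A8C0:CA8E' -> ('192.168.0.4', 51854).

    The kernel prints the IPv4 address as a host-order 32-bit hex value, so on
    the usual little-endian machines the bytes read back to front."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return {inode: (local_ip, local_port, remote_ip, remote_port, state)}."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].rstrip(":").isdigit():
            continue  # header line
        local = decode_endpoint(fields[1])
        remote = decode_endpoint(fields[2])
        table[int(fields[9])] = (*local, *remote, TCP_STATES.get(fields[3], fields[3]))
    return table


def socket_inodes(fd_targets):
    """Inodes of the sockets among the readlink() results of /proc/<pid>/fd/*."""
    inodes = set()
    for target in fd_targets:
        match = SOCKET_LINK.fullmatch(target)
        if match:
            inodes.add(int(match.group(1)))
    return inodes


def connections_of(fd_targets, tcp_text):
    """TCP connections belonging to a process, given its fd link targets and /proc/net/tcp."""
    table = parse_proc_net_tcp(tcp_text)
    return [table[inode] for inode in sorted(socket_inodes(fd_targets)) if inode in table]


def live_connections(pid):
    """Same join against the real /proc (Linux; root for other users' processes)."""
    fd_dir = f"/proc/{pid}/fd"
    targets = []
    for fd in os.listdir(fd_dir):
        try:
            targets.append(os.readlink(os.path.join(fd_dir, fd)))
        except OSError:
            pass  # fd closed while we were looking
    with open("/proc/net/tcp") as fh:
        return connections_of(targets, fh.read())


# Constructed sample data: a listener on :80 and the story's outbound
# connection from 192.168.0.4:51854 to 88.99.193.240:7777 (inode 24780).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10021 1 0000000000000000 100 0 0 10 0
   1: 0400A8C0:CA8E F0C16358:1E61 01 00000000:00000000 00:00000000 00000000     0        0 24780 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_FDS = ["/dev/null", "/dev/null", "/dev/null", "socket:[24780]", "anon_inode:[eventpoll]"]


def demo():
    return connections_of(SAMPLE_FDS, SAMPLE_TCP)


if __name__ == "__main__":
    for lip, lport, rip, rport, state in demo():
        print(f"{lip}:{lport} -> {rip}:{rport} {state}")
```

live_connections(pid) is what you would point at a pid reported by the hidden-process scan; it works even when the process is missing from ps, because /proc/<pid>/fd is opened by name. The inode join is the same one netstat -p and ss -p perform, which is why those tools also fail to attribute a socket to a process whose /proc entry a listing hook has hidden from them.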

"Well done! Good job," everyone applauded.

"What are you waiting for? Let me kill it!" Brother kill could no longer contain himself.

"Let me delete it." rm also sharpened his knife.

The minister shook his head: "Wait a minute. Where is cp? Back this guy up to the quarantine directory so we can settle accounts with him later."

Once cp had finished copying, kill and rm together put the guy to death on the spot.

top hurried to check the latest resource usage and cheered: "Great, CPU usage has finally dropped. What a relief."

It was getting late, and before long everyone left one after another; the empire regained its former calm.

But the Minister of Security still looked troubled.

"Minister, the virus has been cleared. Why are you still gloomy?" the assistant asked.

"The virus has been cleared, but I don't know how this guy got in, or who behind the scenes was protecting and hiding him. That is what really worries me."

Before anyone noticed it was late at night, and the Imperial security alarm suddenly sounded again.

"What's going on now?" the minister asked sternly.

"Minister, that kid rm was a fake. He lied to us today. The virus was never deleted at all, and it's back!"

The minister gazed at the distant sky, and the fans at the gate of the CPU factory began to spin wildly again.
