My firewall raised an alert saying that my Debian virtual machine had tried to download a miner virus.
tcpdump shows it reaching out every minute:
07:55:01.379558 IP 185.191.32.198.80 > 192.168.1.205.49126: tcp 7300
07:55:01.379566 IP 192.168.1.205.49126 > 185.191.32.198.80: tcp 0
07:55:01.379576 IP 185.191.32.198.80 > 192.168.1.205.49126: tcp 2920
07:55:01.379584 IP 192.168.1.205.49126 > 185.191.32.198.80: tcp 0
07:55:01.379593 IP 185.191.32.198.80 > 192.168.1.205.49126: tcp 5840
07:55:01.379601 IP 192.168.1.205.49126 > 185.191.32.198.80: tcp 0
07:55:01.379609 IP 185.191.32.198.80 > 192.168.1.205.49126: tcp 8760
07:55:01.379617 IP 192.168.1.205.49126 > 185.191.32.198.80: tcp 0
07:55:01.379657 IP 185.191.32.198.80 > 192.168.1.205.49126: tcp 7300
07:55:01.379669 IP 192.168.1.205.49126 > 185.191.32.198.80: tcp 0
07:55:01.379680 IP 185.191.32.198.80 > 192.168.1.205.49126: tcp 4380
07:55:01.380974 IP 192.168.1.205.49126 > 185.191.32.198.80: tcp 0
07:55:01.381264 IP 192.168.1.205.49126 > 185.191.32.198.80: tcp 0
07:56:01.900223 IP 192.168.1.205.49128 > 185.191.32.198.80: tcp 0
07:56:01.900517 IP 185.191.32.198.80 > 192.168.1.205.49128: tcp 0
07:56:01.900553 IP 192.168.1.205.49128 > 185.191.32.198.80: tcp 0
07:56:01.900826 IP 192.168.1.205.49128 > 185.191.32.198.80: tcp 146
07:56:01.900967 IP 185.191.32.198.80 > 192.168.1.205.49128: tcp 0
07:56:01.901642 IP 185.191.32.198.80 > 192.168.1.205.49128: tcp 2920
07:56:01.901667 IP 192.168.1.205.49128 > 185.191.32.198.80: tcp 0
07:56:01.901684 IP 185.191.32.198.80 > 192.168.1.205.49128: tcp 4380
07:56:01.901696 IP 192.168.1.205.49128 > 185.191.32.198.80: tcp 0
07:56:01.901705 IP 185.191.32.198.80 > 192.168.1.205.49128: tcp 4380
07:56:01.901714 IP 192.168.1.205.49128 > 185.191.32.198.80: tcp 0
07:56:01.901725 IP 185.191.32.198.80 > 192.168.1.205.49128: tcp 2920
07:56:01.901738 IP 192.168.1.205.49128 > 185.191.32.198.80: tcp 0
07:56:01.901814 IP 185.191.32.198.80 > 192.168.1.205.49128: tcp 5840
07:56:01.901835 IP 192.168.1.205.49128 > 185.191.32.198.80: tcp 0
07:56:01.901848 IP 185.191.32.198.80 > 192.168.1.205.49128: tcp 8760
07:56:01.901858 IP 192.168.1.205.49128 > 185.191.32.198.80: tcp 0
07:56:01.901868 IP 185.191.32.198.80 > 192.168.1.205.49128: tcp 2920
07:56:01.901880 IP 192.168.1.205.49128 > 185.191.32.198.80: tcp 0
07:56:01.901891 IP 185.191.32.198.80 > 192.168.1.205.49128: tcp 4380
07:56:01.901905 IP 192.168.1.205.49128 > 185.191.32.198.80: tcp 0
07:56:01.901915 IP 185.191.32.198.80 > 192.168.1.205.49128: tcp 2920
07:56:01.901922 IP 192.168.1.205.49128 > 185.191.32.198.80: tcp 0
07:56:01.901932 IP 185.191.32.198.80 > 192.168.1.205.49128: tcp 5840
07:56:01.901939 IP 192.168.1.205.49128 > 185.191.32.198.80: tcp 0
07:56:01.901949 IP 185.191.32.198.80 > 192.168.1.205.49128: tcp 2920
07:56:01.901955 IP 192.168.1.205.49128 > 185.191.32.198.80: tcp 0
07:56:01.902010 IP 192.168.1.205.49128 > 185.191.32.198.80: tcp 0
07:56:01.902039 IP 185.191.32.198.80 > 192.168.1.205.49128: tcp 4380
07:56:01.902065 IP 192.168.1.205.49128 > 185.191.32.198.80: tcp 0
07:56:01.902076 IP 185.191.32.198.80 > 192.168.1.205.49128: tcp 4380
07:56:01.902084 IP 192.168.1.205.49128 > 185.191.32.198.80: tcp 0
07:57:01.909829 IP 192.168.1.205.49130 > 185.191.32.198.80: tcp 0
07:57:01.910130 IP 185.191.32.198.80 > 192.168.1.205.49130: tcp 0
07:57:01.910157 IP 192.168.1.205.49130 > 185.191.32.198.80: tcp 0
07:57:01.910245 IP 192.168.1.205.49130 > 185.191.32.198.80: tcp 146
07:57:01.910375 IP 185.191.32.198.80 > 192.168.1.205.49130: tcp 0
07:57:01.911050 IP 185.191.32.198.80 > 192.168.1.205.49130: tcp 2920
07:57:01.911076 IP 192.168.1.205.49130 > 185.191.32.198.80: tcp 0
07:57:01.911096 IP 185.191.32.198.80 > 192.168.1.205.49130: tcp 4380
07:57:01.911108 IP 192.168.1.205.49130 > 185.191.32.198.80: tcp 0
07:57:01.911120 IP 185.191.32.198.80 > 192.168.1.205.49130: tcp 4380
07:57:01.911130 IP 192.168.1.205.49130 > 185.191.32.198.80: tcp 0
07:57:01.911141 IP 185.191.32.198.80 > 192.168.1.205.49130: tcp 2920
07:57:01.911414 IP 192.168.1.205.49130 > 185.191.32.198.80: tcp 0
07:57:01.911507 IP 192.168.1.205.49130 > 185.191.32.198.80: tcp 0
When I look at the firewall log I can see it reaching: http://185.191.32.198/lr.sh
I can block it with the firewall, but what I am interested in is understanding which process on my server is making these queries, since they are outbound. So there is some kind of vulnerability or virus on the server trying to download this script.
I tried the various netstat and lsof commands found here, but they do not catch the traffic while it is actually happening; they just dump a snapshot, so no active connection shows up. Also, keep in mind that I have no local port actively listening for these new outbound requests, which happen once per minute.
So how can I set things up to see which process/PID is making these outbound requests every minute?
netstat can be used in continuous mode with the "-p" option to log the process that initiated the connection, as described here: https://unix.stackexchange.com/questions/56453/how-can-i-monitor-all-outgoing-requests-connections-from-my-machine
Use the following to log connection attempts and find out the initiating process:
sudo netstat -nputwc | grep 185.191.32.198 | tee /tmp/nstat.txt
Interrupt with Ctrl-C once you think the connection has been logged.
less /tmp/nstat.txt
Then you can analyze it with ps:
sudo ps -ef | grep <PID>
sudo ps eww <PID>
sudo ps -T <PID>
With input from mbax and Dude Boy, you can do this:
#!/bin/bash
# Poll netstat as fast as possible; the -p column only shows other users' PIDs when run as root.
while true
do
    # Any netstat line mentioning the suspicious host means a connection is live right now.
    PID=$(netstat -nputw | grep 185.191.32.198)
    if [ $? -ne 0 ]; then
        :   # nothing yet, keep polling
    else
        ps -ajxf                 # full process tree, so the parent of the culprit is visible too
        echo "PID: ${PID}"       # the matching netstat line(s), including the PID/Program name column
        exit
    fi
done
As a one-liner:
while true; do PID=$(netstat -nputw | grep 185.191.32.198); if [ $? -ne 0 ]; then :; else ps -ajxf; echo "PID: ${PID}"; break; fi; done
Edit: the original timer of 0.1 did not catch every attempt I tested, but 0.01 did.
Edit 2: using "true" uses up to 2% CPU, worth it while hunting ;)
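The lookup that netstat -p performs, done directly from /proc so that the polling loop does not fork netstat and grep on every iteration: an added example, not code from this post. The /proc/net/tcp sample embedded below is constructed, and watch() and inode_owner() are hypothetical names chosen here.

```python
import os, socket, struct, time

# Constructed sample of /proc/net/tcp (not from the original post): row 1 is an
# ESTABLISHED (st 01) socket 192.168.1.205:49126 -> 185.191.32.198:80, inode 24601.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: CD01A8C0:BFE6 C620BFB9:0050 01 00000000:00000000 00:00000000 00000000  1000        0 24601 1 0000000000000000 20 4 30 10 -1
"""

def decode_addr(hexaddr):
    """'C620BFB9:0050' (little-endian hex IPv4, hex port) -> ('185.191.32.198', 80)."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def find_sockets(text, remote_ip):
    """Rows of a /proc/net/tcp dump whose peer is remote_ip: (local_ip, local_port, state, inode)."""
    hits = []
    for line in text.splitlines()[1:]:           # skip the header row
        f = line.split()
        if len(f) >= 10 and decode_addr(f[2])[0] == remote_ip:
            lip, lport = decode_addr(f[1])
            hits.append((lip, lport, f[3], int(f[9])))
    return hits

def inode_owner(inode):
    """Find the process holding the socket inode via /proc/<pid>/fd (run as root to see every process)."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            if any(os.readlink(f"/proc/{pid}/fd/{fd}") == target for fd in os.listdir(f"/proc/{pid}/fd")):
                with open(f"/proc/{pid}/cmdline", "rb") as fh:
                    return int(pid), fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:                          # process already exited or fd dir not readable
            continue
    return None                                  # socket closed before we could map it

def watch(remote_ip, interval=0.01):
    """Poll /proc/net/tcp (no fork per iteration) until a socket to remote_ip shows up."""
    while True:
        with open("/proc/net/tcp") as fh:
            hits = find_sockets(fh.read(), remote_ip)
        if hits:
            return [(h, inode_owner(h[3])) for h in hits]
        time.sleep(interval)

if __name__ == "__main__":
    for (lip, lport, state, inode), owner in watch("185.191.32.198"):
        print(f"{lip}:{lport} state={state} inode={inode} owner={owner}")
```

All three captured connections start at second :01 of the minute, which is consistent with a per-minute cron entry, so the crontabs of every user and /etc/cron.d are worth checking alongside the PID this returns.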
I would suggest using the nethogs traffic-monitoring tool to investigate your problem. https://www.geeksforgeeks.org/linux-monitoring-network-traffic-with-nethogs/
It may take a while to spot the offending process. Even once you spot it, the offending process may be a transient script/program that disappears and is re-created under a random name.
If your system is infected, you may find that the infection has been applied on top of a legitimate process or service.
I also recommend scanning your system with antivirus software.
What about using ptcpdump:
$ sudo ptcpdump -c 2 -i any port 80 and host 1.1.1.1
2024/06/09 13:34:34 capturing...
13:34:40.988936 wlp4s0 Out IP (tos 0x0, ttl 64, id 37971, offset 0, flags [DF], ip_proto TCP (6), length 60)
192.168.1.50.33372 > 1.1.1.1.80: Flags [S], cksum 0xc40a, seq 660356222, win 64240, options [mss 1460,sackOK,TS val 975552865 ecr 0,nop,wscale 7], length 0
Process (pid 1521192, cmd /usr/bin/curl, args curl 1.1.1.1)
13:34:41.190655 wlp4s0 In IP (tos 0x4, ttl 52, id 0, offset 0, flags [DF], ip_proto TCP (6), length 60)
1.1.1.1.80 > 192.168.1.50.33372: Flags [S.], cksum 0xe5f8, seq 3337357614, ack 660356223, win 65160, options [mss 1452,sackOK,TS val 3298044118 ecr 975552865,nop,wscale 13], length 0
Process (pid 1521192, cmd /usr/bin/curl, args curl 1.1.1.1)
2 packets captured
4 packets received by filter
0 packets dropped by kernel