- 追查神器，快速定位：`systemctl status <PID>` 会显示该进程所属的 systemd 单元（cgroup），可从可疑 PID 直接反查到拉起它的服务
systemctl status 3857
-
历史命令
1 chmod -v u+w /etc/sudoers
2 vi /etc/sudoers
3 chmod -v u-w /etc/sudoers
4 su zlsc
5 top
6 exit
7 systemctl docker status
8 docker ps
9 docker ps -a
10 exit
11 docker logs -f fc1a27a0995f
12 docker logs -f fc1a27a0995f
13 curl 127.0.0.1:7080
14 top
15 crontab -l
16 top -c
17 top -c
18 crontab -e
19 ls -la /etc/cron.* /etc/crontab
20 cat /etc/crontab
21 rm -f /etc/ld.so.preload
22 ls -l /etc/ld.so.preload
23 rm -f /etc/cron.d/vgihme /etc/cron.daily/vgihme /etc/cron.hourly/vgihme /etc/cron.monthly/vgihme /etc/cron.weekly/vgihme
24 rm -f /etc/cron.d/fmjdm # 其他可疑任务一并删除
25 lsattr /etc/ld.so.preload
26 chattr -ia /etc/ld.so.preload
27 echo "" > /etc/ld.so.preload
28 rm -f /usr/local/lib/libprocesshider.so
29 rm -f /etc/cron.d/vgihme
30 chattr -ia /etc/cron.d/vgihme /etc/cron.daily/vgihme /etc/cron.hourly/vgihme /etc/cron.monthly/vgihme /etc/cron.weekly/vgihme
31 rm -f /etc/cron.d/vgihme
32 chattr +i /etc/ld.so.preload
33 chattr +i /var/spool/cron/
34 chattr +i /etc/ld.so.preload
35 top -c
36 lsof -p 74384
37 docker ps
38 sudo systemctl status docker
39 sudo systemctl start docker
40 sudo systemctl status docker
41 docker ps
42 docker ps -a
43 docker start fc1a27a0995f
44 docker ps
45 docker ps -a
46 docker logs
47 docker logs fc1a27a0995f
48 topc
49 top -c
50 kill 85371
51 kill -9 85371
52 top -c
53 ps -fp 86857
54 top -c
55 ps -fp 90970
56 ps -fp 91106
57 cat /proc/86857/cmdline
58 ls -l /proc/
59 ls -l /proc/93442/cmdline
60 docker ps
61 docker ps -a
62 docker start fc1a27a0995f
63 docker logs -it fc1a27a0995f
64 docker logs fc1a27a0995f
65 docker start fc1a27a0995f
66 top -c
67 s -l /proc/115153
68 ls -l /proc/115153
69 ls -l /etc/systemd/system/
70 cat /etc/systemd/system/uhvmkj.service
71 ls -la /bin/bejfxq /tmp/.snap*
72 ps aux | grep -i 'snap-private'
73 systemctl stop uhvmkj.service
74 systemctl stop rcajql.service
75 cat /etc/systemd/system/multi-user.target.wants
76 ls /etc/systemd/system/multi-user.target.wants/
77 ls -l /etc/systemd/system/multi-user.target.wants/
78 systemctl disable uhvmkj.service
79 systemctl disable rcajql.service
80 cat /etc/systemd/system/rcajql.service
81 ls -la /bin/rbkwjdg
82 ls -la /bin/rbkwjdg /tmp/.snap*
83 for service in ldeuqgafd ueujtbxsg uhvmkj rcajql nat-gobuster; do systemctl stop $service; rm -f /etc/systemd/system/$service.service; done
84 lsattr /etc/systemd/system/multi-user.target.wants/ldeuqgafd.service
85 ls -l /etc/systemd/system/multi-user.target.wants/ldeuqgafd.service
86 ls -l /etc/systemd/system/multi-user.target.wants
87 systemctl cat fluentd-jellyfin.service
88 ls -l =/usr/sbin/fluentd-jellyfin
89 ls -l /usr/sbin/fluentd-jellyfin
90 sudo systemctl status docker
91 top -c
92 kill 143003
93 top -c
94 kill -9 144749
95 top -c
96 systemctl stop mysqld
97 top -c
98 kill -9 145021
99 systemctl status ldeuqgafd.service
100 systemctl status l ueujtbxsg.service
101 systemctl status ueujtbxsg.service
102 systemctl status ueujtbxsg
103 ls -l /usr/lib/systemd/system/
104 systemctl status ueujtbxsg.service
105 history
106 ls -l /etc/systemd/system/
107 systemctl status uhvmkj.service
108 rm -rf /etc/systemd/system/uhvmkj.service
109 ls -l /etc/systemd/system/uhvmkj.service
110 chattr -ia /etc/systemd/system/uhvmkj.service
111 rm -rf /etc/systemd/system/uhvmkj.service
112 ls -l /etc/systemd/system/
113 rm -rf /etc/systemd/system/rcajql.service
114 chattr -ia /etc/systemd/system/rcajql.service
115 rm -rf /etc/systemd/system/rcajql.service
116 chattr -ia /etc/systemd/system/rcajql.service
117 ls -l /etc/systemd/system/
118 ls -l /etc/systemd/system/multi-user.target.wants
119 ls -l /etc/systemd/system/
120 ls -l /usr/lib/systemd/system/fluentd-jellyfin.service
121 ls -l /etc/systemd/system/dev-head.service
122 cat /etc/systemd/system/dev-head.service
123 crontab -l
124 crontab -r
125 history
126 ls -la /etc/cron.* /etc/crontab
127 cat /etc/cron.d/fmjdm
128 rm -f /etc/cron.d/fmjdm
129 chattr -ia /etc/cron.d/fmjdm
130 chattr -ia /etc/cron.d/vgihme
131 rm -f /etc/cron.d/fmjdm
132 ls -la /etc/cron.* /etc/crontab
133 chattr -ia /etc/cron.daily/vgihme
134 chattr -ia /etc/cron.hourly/vgihme
135 chattr -ia /etc/cron.monthly/vgihme
136 chattr -ia /etc/cron.weekly/vgihme
137 chattr -ia /etc/cron.weekly/fmjdm
138 chattr -ia /etc/cron.monthly/fmjdm
139 chattr -ia /etc/cron.hourly/fmjdm
140 chattr -ia /etc/cron.daily/fmjdm
141 rm -f /etc/cron.d/fmjdm
142 rm -f /etc/cron.daily/fmjdm
143 rm -f /etc/cron.hourly/fmjdm
144 rm -f /etc/cron.monthly/fmjdm
145 rm -f /etc/cron.weekly/fmjdm
146 ls -la /etc/cron.* /etc/crontab
147 rm -f /etc/cron.weekly/vgihme
148 rm -f /etc/cron.d/vgihme
149 rm -f /etc/cron.daily/vgihme
150 rm -f /etc/cron.weekly/vgihme
151 rm -f /etc/cron.monthly/vgihme
152 ls -la /etc/cron.* /etc/crontab
153 rm -f /etc/cron.hourly/vgihme
154 ls -la /etc/cron.* /etc/crontab
155 top
156 ls -l /bin
157 ls -l /usr/bin/
158 ls -lt /usr/bin/
159 pkill -f rbkwjdg|hwwqbebuti|jcouedbvo|xcubqznp|bejfxq|sugflfok|kvixwcj|josjwgmqy
160 rm -f /usr/bin/{rbkwjdg,hwwqbebuti,jcouedbvo,xcubqznp,bejfxq,sugflfok,kvixwcj,josjwgmqy}
161 chattr -ia /usr/bin/{rbkwjdg,hwwqbebuti,jcouedbvo,xcubqznp,bejfxq,sugflfok,kvixwcj,josjwgmqy}
162 rm -f /usr/bin/{rbkwjdg,hwwqbebuti,jcouedbvo,xcubqznp,bejfxq,sugflfok,kvixwcj,josjwgmqy}
163 top -c
164 reboot
165 df -h
166 top
167 ls -l /usr/bin/
168 ls -lt /usr/bin/
169 history
170 ls -l /etc/systemd/system/
171 ls -l /etc/systemd/system/multi-user.target.wants/
172 cat /etc/systemd/system/user-akonadi_indexing_agent.service
173 cat /usr/lib/systemd/system/fluentd-jellyfin.service
174 ls -l /etc/systemd/system/dev-head.service
175 ls -l /etc/systemd/system/user-akonadi_indexing_agent.service
176 crontab -l && ls -la /etc/cron*
177 netstat -natp
178 netstat -anpt
179 ls -l /tmp
180 ls -la /tmp
181 ls -l /etc/cron.d
182 ls -la /etc/cron.d
183 ls -l /tmp/.snap*
184 ls -la /tmp/.snap*
185 ls -la /tmp/
186 cat /tmp/.X11-unix/
187 ls -la /tmp/.X11-unix/
188 ls -la /tmp/.XIM-unix/
189 ls -la /tmp/.ICE-unix/
190 top -c
191 ls -l /proc/5023/exe
192 cat /etc/profile.d
193 ls -l /etc/profile.d
194 ps -ef|grep curl
195 crontab -e
196 ls -l /var/tmp/
197 sudo find / -name "-bash" 2>/dev/null
198 sudo yum install net-tools
199 sudo netstat -anpt
200 cat /etc/passwd | cut -f 1 -d : |xargs -I {} crontab -l -u {}
201 * * * * * /tmp/.ICE-unix/.new/-bash > /dev/null 2>&1;
202 cat /etc/passwd | cut -f 1 -d : |xargs -I {} crontab -l -u {}
203 * * * * * /tmp/.ICE-unix/.new/-bash > /dev/null 2>&1;
204 pwd
205 cd /tmp/
206 pwd
207 ls -la
208 cd .ICE-unix/
209 ls -la
210 cd ..
211 ls -la .X11-unix
212 rm -rf .font-unix .ICE-unix .Test-unix .X11-unix .XIM-unix
213 ls -la
214 top -c
215 ls -l /proc/5023
216 ls -l /proc/5023/exe
217 ls -la /etc/cron.daily/
218 ls -l /var/tmp/
219 ls -la /var/tmp/
220 top -c
221 ls -l /usr/lib/systemd/systemd
222 ls -l /usr/lib/systemd/systemd/
223 ls -l /usr/lib/systemd/
224 ls -l /usr/lib/systemd/system
225 ls -lt /usr/lib/systemd/system
226 cat /usr/lib/systemd/system/ldeuqgafd.service
227 systemctl stop ldeuqgafd.service
228 systemctl stop ueujtbxsg.service
229 cat /usr/lib/systemd/system/arp-ethers.service
230 top -c
231 ps -p 5023 -f
232 top -c
233 cat /proc/5023/cmdline
234 ls -l /proc/5023/exe
235 ps -p 5023 -o cmd
236 cat /proc/5023/environ | tr '\0' '\n'
237 ls -la /tmp/
238 lsof -p 5023
239 netstat -anp | grep 5023
240 ps -ef | grep 49660
241 ls /etc/init.d -lh
242 ls /rc.d/init.d -lh
243 ls /rc.d/init.d
244 ls -la /etc/init.d/
245 cat /etc/init.d/vgihme
246 ls -lt /bin/
247 cat /etc/init.d/vgihme
248 ls -l /bin/hwwqbebuti
249 cat /bin/hwwqbebuti
250 rm -rf /etc/init.d/vgihme
251 history
252 chattr -ia /etc/init.d/vgihme
253 ls -la /etc/init.d/
254 chattr -ia /etc/init.d/fmjdm
255 cat /etc/init.d/fmjdm
256 ls -l /tmp/.snap-private-bash
257 ls -la /etc/init.d/
258 cat /etc/init.d/fmjdm
259 rm -rf /etc/init.d/fmjdm
260 rm -rf /etc/init.d/vgihme
261 top -c
262 /etc/init.d/
263 ls -la /etc/init.d/
264 history
265 top -c
266 netstat -anp | grep 15347
267 crontab -r
268 cat /var/spool/cron/root
269 cat /etc/rc.local/.bashrc
270 ls /etc/rc.local/
271 ls -l /root/.ssh
272 ls -l /root/.ssh/authorized_keys
273 rm -rf /root/.ssh/authorized_keys
274 ls -la /tmp/
275 ls -la /tmp/hsperfdata_zlsc/
276 ls -la /tmp/hsperfdata_zlsc/324
277 ls -la /tmp/hsperfdata_zlsc/3243
278 cat /tmp/hsperfdata_zlsc/3243
279 top -c
280 ls -alrt /proc/15347
281 docker ps --no-trunc -a
282 lsof | grep deleted
283 cat .bash_profile
284 cat ~/.bash_profile
285 ls -l /bin/xcubqznp
286 vi ~/.bash_profile
287 chmod -v u+w ~/.bash_profile
288 chattr -ia ~/.bash_profile
289 chmod -v u+w ~/.bash_profile
290 vi ~/.bash_profile
291 source ~/.bash_profile
292 ls -l ~/
293 ls -la ~/
294 ls -la ~/.bash_history
295 cat ~/.bash_history
296 ls -la ~/
297 ls -la ~/.config/
298 ls -la ~/.config/procps/
299 ls -la ~/.ssh/
300 cat ~/.ssh/au
301 cat ~/.ssh/.authorized_keys
302 rm -rf ~/.ssh/.authorized_keys
303 source ~/.bash_profile
304 cat /etc/rc.local
305 top -c
306 kill 15347
307 top -c
308 history
309 top -c
310 ps -p 22375 -f
311 cat /proc/22375/cmdline
312 ls -l /proc/22375/exe
313 cat /proc//environ | tr '\0' '\n'
314 cat /proc/22375/environ | tr '\0' '\n'
315 ls -l /root/
316 ls -la /root/
317 cat /opt/systemd-service.sh
318 ls -l /opt/
319 ls -l /opt/apt-onlyoffice/
320 ls -l /opt/apt-onlyoffice/apt-onlyoffice
321 cat /opt/apt-onlyoffice/apt-onlyoffice
322 rm -rf /opt/apt-onlyoffice/apt-onlyoffice
323 ls -l /
324 ls -la /
325 ls -la /.bash_history
326 cat /.bash_history
327 ls -la /dev/
328 ls -la /
329 ls -lat /etc/
330 ls -lat /etc/ld.so.conf.d
331 ls -lat /etc/ld.so.conf.d/sudo-x86_64.conf
332 cat /etc/ld.so.conf.d/sudo-x86_64.conf
333 ls -lat /etc/shadow-
334 cat /etc/shadow-
335 systemctl status redis
336 systemctl start redis
337 systemctl status redis.service
338 top -c
339 find / -iname systemd-service.sh
340 history
341 top -c
342 cat /proc/22375/environ | tr '\0' '\n'
343 cat /proc/22314/environ | tr '\0' '\n'
344 sudo kill -9 22375 22314
345 top -c
346 cat /proc/28447/environ | tr '\0' '\n'
347 sudo kill -9 28447 28386
348 top -c
349 sudo kill -9 28447 28836
350 sudo kill -9 28836
351 top -c
352 ls -la
353 top -c
354 kill -9 29158
355 ls -la
356 ls -la systemd-private-a73efe933f7a45eab06258b5804f6a72-systemd-apt-varnish.service-LjDtjO
357 rm -rf systemd-private-a73efe933f7a45eab06258b5804f6a72-systemd-apt-varnish.service-LjDtjO
358 ls -la
359 ls -la systemd-private-d3ff8debf8f0422dacfbde4980e0fed1-mariadb.service-H4OEOq
360 ls -la systemd-private-d3ff8debf8f0422dacfbde4980e0fed1-mariadb.service-H4OEOq/tmp/
361 ls -la systemd-private-d3ff8debf8f0422dacfbde4980e0fed1-memcached.service-mUripv
362 ls -la systemd-private-d3ff8debf8f0422dacfbde4980e0fed1-polkit.service-b57HIf
363 ls -la systemd-private-d3ff8debf8f0422dacfbde4980e0fed1-systemd-logind.service-bEk9kK
364 ls -la
365 top
366 top -c
367 kill -9 29743
368 top -c
369 ls -la
370 top -c
371 ls -l /usr/sbin/irqbalance
372 cat /usr/sbin/irqbalance
373 ps -ef |grep libprocesshider
374 cd /bin/
375 ls -lt|head
376 find / -user 1000 \( -ctime -7 -o -mtime -7 \) -type f
377 ls -lt /etc/systemd/system/
378 ls -lt /etc/systemd/system/multi-user.target.wants/
379 cat /etc/systemd/system/dev-head.service
380 systemctl stop dev-head.service fluentd-jellyfin.service user-akonadi_indexing_agent.service
381 cat /usr/lib/systemd/system/fluentd-jellyfin.service
382 ls -l /usr/sbin/fluentd-jellyfin
383 cat /etc/systemd/system/user-akonadi_indexing_agent.service
384 ls -l =/sbin/user-akonadi_indexing_agent
385 ls -l /sbin/user-akonadi_indexing_agent
386 cat /etc/systemd/system/dev-head.service
387 top -c
388 ls -lt /etc/systemd/system/multi-user.target.wants/
389 rm -rf /etc/systemd/system/dev-head.service
390 rm -rf /usr/lib/systemd/system/fluentd-jellyfin.service
391 rm -rf /etc/systemd/system/user-akonadi_indexing_agent.service
392 chattr -ia /etc/systemd/system/dev-head.service
393 chattr -ia /etc/systemd/system/
394 rm -rf /etc/systemd/system/dev-head.service
395 rm -rf /usr/lib/systemd/system/fluentd-jellyfin.service
396 chattr -ia /usr/lib/systemd/system/fluentd-jellyfin.service
397 chattr -ia /etc/systemd/system/user-akonadi_indexing_agent.service
398 rm -rf /usr/lib/systemd/system/fluentd-jellyfin.service
399 rm -rf /etc/systemd/system/user-akonadi_indexing_agent.service
400 top -c
401 reboot
402 top
403 ls -lat /etc/systemd/system/
404 ip addr
405 ls -lat /etc/systemd/system/multi-user.target.wants/
406 systemctl status dev-head.service
407 ls -lat /etc/systemd/system/
408 top -c
409 systemctl status 2123
410 ls -l /etc/rc.d/init.d/
411 cat /etc/rc.d/init.d/cifs-icewm
412 cat /etc/rc.d/init.d/metrics-dmidecode
413 rm -rf /etc/rc.d/init.d/cifs-icewm /etc/rc.d/init.d/metrics-dmidecode
414 chattr -ia /etc/rc.d/init.d/cifs-icewm /etc/rc.d/init.d/metrics-dmidecode
415 rm -rf /etc/rc.d/init.d/cifs-icewm /etc/rc.d/init.d/metrics-dmidecode
416 ls -l
417 top -c
418 systemctl status 2123
419 kill -9 2123
420 top -c
421 reboot
422
423 ip addr
424 top -c
425 systemctl status 3930
426 cat (/usr/lib/systemd/system/crond.service
427 cat /usr/lib/systemd/system/crond.service
428 ls -lat /usr/lib/systemd/system/
429 systemctl status ueujtbxsg.service
430 cat (/usr/lib/systemd/system/ueujtbxsg.service
431 cat /usr/lib/systemd/system/ueujtbxsg.service
432 rm -rf /usr/lib/systemd/system/ueujtbxsg.service
433 chattr -ia /usr/lib/systemd/system/ueujtbxsg.service
434 rm -rf /usr/lib/systemd/system/ueujtbxsg.
435 cat /usr/lib/systemd/system/arp-ethers.service
436 ls -l /sbin/arp
437 cat /usr/lib/systemd/system/ldeuqgafd.service
438 chattr -ia /usr/lib/systemd/system/ldeuqgafd.service
439 rm -rf /usr/lib/systemd/system/ldeuqgafd.service
440 ls -l /sbin/arpueujtbxsg.service
441 chattr -ia /usr/lib/systemd/system/ueujtbxsg.service
442 ls -lat /usr/lib/systemd/system/
443 ls -lat /usr/lib/systemd/
444 ls -lat /usr/lib/systemd/ntp-units.d
445 top -c
446 kill -9 3930
447 cat /usr/lib/systemd/system/crond.service
448 ls -l /usr/lib/systemd/system/crond.service
449 ls -l /usr/lib/systemd/system/
450 top -c
451 docker ps
452 docker ps -a
453 docker start fc1a27a0995f
454 docker status fc1a27a0995f
455 docker ps
456 top -c
457 docker -s
458 docker -ps
459 docker ps
460 docker logs -f fc1a27a0995f
461 top -c
462 ip addr
463 cat /etc/nginx/nginx.conf
464 ls -l /etc/nginx/
465 ls -l /etc/nginx/conf.d/
466 ls -l
467 su zlsc
468 ls -l
469 ls -l
470 top -c
471 reboot
472 top -c
473 ls
474 su zlsc
475 cat /etc/nginx/nginx.conf
476 ps -aux|grep nginx
477 nginx -t
478 tail -f /var/log/nginx/error.log
479 ls -l /var/log/nginx
480 ls -l /var/log/
481 ls -l /var/log/mail
482 ls -l /var/log/maillog
483 nginx -t
484 ls -l/var/log/
485 ls -l /var/log/
486 sudo awk -F: '{print3}' /etc/shadow
487 sudo pkill -u raid-akonadi_maildispatcher_agent
488 sudo userdel -r raid-akonadi_maildispatcher_agent
489 sudo find / -name "akonadi" -exec rm -rf {} \;
490 top -c
491 ls -la /usr/sbin/user-akonadi_indexing_agent
492 chattr -ia /usr/sbin/user-akonadi_indexing_agent
493 chattr -ia /usr/bin/user-akonadi_indexing_agent
494 sudo find / -name "akonadi" -exec rm -rf {} \;
495 nginx -t
496 mkdir /var/log/nginx/
497 nginx -t
498 systemctl start nginx
499 systemctl status nginx
500 systemctl status redis
501 mkdir /var/log/redis/
502 systemctl start redis
503 systemctl status redis
504 ls -l /etc/redis/redis.conf
505 sudo chown -R redis:redis /var/log/redis
506 systemctl start redis
507 systemctl status redis
508 top -c
509 systemctl status 10911
510 ls -l /etc/cron.d/
511 ls -l /etc/cron.d/0hourly
512 cat /etc/cron.d/0hourly
513 cat /etc/cron.d/apt-varnish
514 historry
515 history
516 ls -la /etc/cron.* /etc/crontab
517 rm -rf /etc/cron.d/apt-varnish /etc/cron.d/flatpak-coredns
518 chattr -ia /etc/cron.d/apt-varnish /etc/cron.d/flatpak-coredns
519 rm -rf /etc/cron.d/apt-varnish /etc/cron.d/flatpak-coredns
520 chattr -ia /etc/cron.daily/apt-varnish /etc/cron.daily/flatpak-coredns
521 rm -rf /etc/cron.daily/apt-varnish /etc/cron.daily/flatpak-coredns
522 chattr -ia /etc/cron.daily/apt-varnish /etc/cron.hourly/flatpak-coredns
523 chattr -ia /etc/cron.hourly/apt-varnish /etc/cron.hourly/flatpak-coredns
524 chattr -ia /etc/cron.monthly/apt-varnish /etc/cron.monthly/flatpak-coredns
525 chattr -ia /etc/cron.weekly/apt-varnish /etc/cron.weekly/flatpak-coredns
526 rm -rf /etc/cron.hourly/apt-varnish /etc/cron.hourly/flatpak-coredns
527 rm -rf /etc/cron.monthly/apt-varnish /etc/cron.monthly/flatpak-coredns
528 rm -rf /etc/cron.weekly/apt-varnish /etc/cron.weekly/flatpak-coredns
529 ls -la /etc/cron.* /etc/crontab
530 cat /etc/cron.hourly/0anacron
531 ls -la /etc/cron.* /etc/crontab
532 cat /etc/cron.daily/logrotate
533 cat /etc/logrotate.conf
534 cat /etc/cron.daily/man-db.cron
535 ls -la /etc/cron.* /etc/crontab
536 top -c
537 kill -9 10911
538 top -c
539 ip addr
540 history