Today I suddenly noticed that my PHP8 container was using almost all of the memory and CPU. I found that strange, so I checked the logs.
[07-Jun-2024 15:02:57] NOTICE: fpm is running, pid 1
[07-Jun-2024 15:02:57] NOTICE: ready to handle connections
172.18.0.1 - 07/Jun/2024:15:03:23 +0800 "GET /index.php" 200
172.18.0.1 - 07/Jun/2024:15:04:57 +0800 "GET /index.php" 200
chattr: setting flags on /tmp/: Operation not permitted
chattr: setting flags on /var/tmp/: Operation not permitted
chattr: setting flags on /var/spool/cron: Operation not permitted
chattr: can't open '/var/spool/cron/crontabs': Symbolic link loop
chattr: can't stat '/etc/crontab': No such file or directory
sh: ufw: not found
sh: iptables: not found
sh: sudo: not found
sh: can't create /proc/sys/kernel/nmi_watchdog: Read-only file system
sh: can't create /etc/sysctl.conf: Permission denied
userdel: user 'akay' does not exist
userdel: user 'vfinder' does not exist
chattr: can't stat '/root/.ssh/': Permission denied
chattr: can't stat '/root/.ssh/authorized_keys': Permission denied
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
crontab: must be suid to work properly
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
sed: /tmp/.X11-unix/01: No such file or directory
cat: can't open '/tmp/.X11-unix/01': No such file or directory
sed: /tmp/.X11-unix/11: No such file or directory
cat: can't open '/tmp/.X11-unix/11': No such file or directory
sed: /tmp/.X11-unix/22: No such file or directory
cat: can't open '/tmp/.X11-unix/22': No such file or directory
sed: /tmp/.systemd.1: No such file or directory
cat: can't open '/tmp/.systemd.1': No such file or directory
sed: /tmp/.systemd.2: No such file or directory
cat: can't open '/tmp/.systemd.2': No such file or directory
sed: /tmp/.systemd.3: No such file or directory
cat: can't open '/tmp/.systemd.3': No such file or directory
cat: can't open '/tmp/.systemd.1': No such file or directory
sh: you need to specify whom to kill
cat: can't open '/tmp/.systemd.2': No such file or directory
sh: you need to specify whom to kill
cat: can't open '/tmp/.systemd.3': No such file or directory
sh: you need to specify whom to kill
sed: /tmp/.pg_stat.0: No such file or directory
cat: can't open '/tmp/.pg_stat.0': No such file or directory
sed: /tmp/.pg_stat.1: No such file or directory
cat: can't open '/tmp/.pg_stat.1': No such file or directory
sed: /home/www-data/data/./oka.pid: No such file or directory
cat: can't open '/home/www-data/data/./oka.pid': No such file or directory
sed: /tmp/.ICE-unix/d: No such file or directory
cat: can't open '/tmp/.ICE-unix/d': No such file or directory
sed: /tmp/.ICE-unix/m: No such file or directory
cat: can't open '/tmp/.ICE-unix/m': No such file or directory
ps: unrecognized option: w
BusyBox v1.36.1 (2023-11-07 18:53:09 UTC) multi-call binary.
Usage: ps [-o COL1,COL2=HEADER] [-T]
Show list of processes
-o COL1,COL2=HEADER Select columns for display
-T Show threads
ps: unrecognized option: w
BusyBox v1.36.1 (2023-11-07 18:53:09 UTC) multi-call binary.
Usage: ps [-o COL1,COL2=HEADER] [-T]
Show list of processes
-o COL1,COL2=HEADER Select columns for display
-T Show threads
kill: invalid number 'USER'
grep: bad regex 'kworker -c\': Trailing backslash
kill: invalid number 'USER'
kill: invalid number 'www-data'
kill: invalid number 'www-data'
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
netstat: showing only processes with your user ID
sh: systemctl: not found
killall: log_rot: no process killed
chattr: can't stat '/etc/ld.so.preload': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/1.sh': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/1.sh.1': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/1.sh.2': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/1.sh.3': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/3.sh': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/3.sh.1': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/3.sh.2': No such file or directory
rm: can't remove '/opt/atlassian/confluence/bin/3.sh.3': No such file or directory
rm: can't remove '/var/tmp/lib': No such file or directory
rm: can't remove '/var/tmp/.lib': No such file or directory
chattr: can't stat '/tmp/lok': No such file or directory
chmod: /tmp/lok: No such file or directory
sh: docker: not found
sh: docker: not found
sh: docker: not found
sh: setenforce: not found
sh: can't create /etc/selinux/config: nonexistent directory
sh: service: not found
sh: systemctl: not found
sh: service: not found
sh: systemctl: not found
/tmp/kinsing is b3039abf2ad5202f4a9363b418002351
crontab: must be suid to work properly
crontab: must be suid to work properly
144.202.29.195 - 07/Jun/2024:15:09:55 +0800 "POST /usr/local/lib/php/PEAR.php" 200
I was stunned on the spot: a pile of permission errors, strange crontab commands, and most importantly, the kinsing in there is a well-known cryptomining malware. I then used top to check system resource usage.
The top consumer was that kdevtmpfsi process.
Could some expert please tell me what I should do next?
The current situation is: after stopping the php8 container, the mining process stops; if I start the container again, it runs again after a few minutes. Also, SSH on the server only allows key-based login, so there shouldn't be any possibility of SSH being brute-forced, and the server only has the SSH, HTTP and HTTPS ports open, with no other ports exposed.
The problematic php8 container was downloaded officially through 1Panel, i.e., it is the runtime environment selected directly when setting up the site.
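A note on reading the log above, with an added triage script (my own example, not code from the post, from 1Panel or from any other project). The stray chattr/crontab/userdel/rm/kill lines are stderr from a shell script that ran inside the FPM worker as the unprivileged web user: it tried to lock cron and SSH paths, disable firewalls and SELinux, delete other miners' files and kill their processes, and most of those steps failed because the container lacks the tools and the privileges. The two lines worth correlating are the POST from the external address 144.202.29.195 to PEAR.php and, shortly after the dropper ran, the "/tmp/kinsing is <md5>" line. The script below parses a constructed sample (a subset of the lines quoted above) and sorts each line into a category a responder can act on: the access-log and md5 regexes, the category names, and the list of non-webroot path prefixes are all my own assumptions, chosen for this example.

```python
"""Triage PHP-FPM container log lines for kinsing-style cryptominer indicators.

Added example, not code from the post above or from any named project.
Sample input is constructed from a subset of the log lines quoted in the post.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: a subset of the PHP-FPM container log lines from the post.
SAMPLE_LOG = """\
[07-Jun-2024 15:02:57] NOTICE: fpm is running, pid 1
172.18.0.1 - 07/Jun/2024:15:03:23 +0800 "GET /index.php" 200
chattr: setting flags on /var/spool/cron: Operation not permitted
chattr: can't stat '/root/.ssh/authorized_keys': Permission denied
sh: iptables: not found
sh: setenforce: not found
userdel: user 'akay' does not exist
crontab: must be suid to work properly
chattr: can't stat '/etc/ld.so.preload': No such file or directory
rm: can't remove '/var/tmp/.lib': No such file or directory
sh: you need to specify whom to kill
/tmp/kinsing is b3039abf2ad5202f4a9363b418002351
144.202.29.195 - 07/Jun/2024:15:09:55 +0800 "POST /usr/local/lib/php/PEAR.php" 200
"""

# Structured line types (assumed formats, matching the lines in the post):
# the FPM access-log entry and the "<path> is <md5>" line the dropper printed.
ACCESS_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - (?P<ts>\S+ [+-]\d{4}) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)
MD5_RE = re.compile(r"^(?P<path>\S+) is (?P<md5>[0-9a-f]{32})$")

# Unstructured lines are stderr from a shell script run inside the FPM worker.
# Category names are my own; each one maps to a different response action.
STDERR_INDICATORS = [
    ("miner_artifact", re.compile(r"\b(?:kinsing|kdevtmpfsi)\b")),
    ("persistence_tamper", re.compile(
        r"^chattr: .*(?:cron|\.ssh|ld\.so\.preload)|^crontab: must be suid")),
    ("defense_evasion", re.compile(
        r"^sh: (?:ufw|iptables|setenforce|systemctl|service|docker): not found"
        r"|^sh: can't create /(?:etc|proc)/")),
    ("competitor_cleanup", re.compile(
        r"^(?:rm|killall|kill|userdel): |^sh: you need to specify whom to kill")),
]

# Script paths that a normal site never serves through FPM (heuristic; tune to
# your document root).
NON_WEBROOT_PREFIXES = ("/usr/", "/etc/", "/var/", "/tmp/")


def is_external(ip):
    """True for globally routable sources; the docker bridge 172.18.x is not."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def triage(text):
    """Return one finding dict per matched indicator, tagged with its line number."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = ACCESS_RE.match(line)
        if m:
            # Access entries: a POST from outside the host plus a script path
            # outside the web root is the request to correlate with the dropper.
            if m["method"] == "POST" and is_external(m["ip"]):
                findings.append({"line": line_no, "category": "external_post",
                                 "detail": f"{m['ip']} {m['path']}"})
            if m["path"].startswith(NON_WEBROOT_PREFIXES):
                findings.append({"line": line_no, "category": "library_path_request",
                                 "detail": m["path"]})
            continue
        m = MD5_RE.match(line)
        if m:
            findings.append({"line": line_no, "category": "payload_hash",
                             "path": m["path"], "md5": m["md5"], "detail": line})
        for category, pattern in STDERR_INDICATORS:
            if pattern.search(line):
                findings.append({"line": line_no, "category": category, "detail": line})
    return findings


def summarize(findings):
    """Count findings per category."""
    return Counter(f["category"] for f in findings)


def payload_hashes(findings):
    """Map dropped-file path -> md5 so the hashes can be checked against a blocklist."""
    return {f["path"]: f["md5"] for f in findings if f["category"] == "payload_hash"}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']:>3}  {f['category']:<22} {f['detail']}")
    print(dict(summarize(found)))
    print(payload_hashes(found))
```

Feed it the whole container log (docker logs <container> 2>&1 | python3 triage.py with a small stdin wrapper) and the external_post and payload_hash findings give you the request timestamp, source address and dropped-file hash to preserve before the container is rebuilt; the persistence_tamper lines tell you which host paths (cron spool, /root/.ssh, /etc/ld.so.preload) to inspect from the host side even though the container-level attempts failed.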