This modded build isn't playing straight: it keeps redirecting to TB in the background through changing IPs, quietly burning traffic. For example: 203.119.175.212, 203.119.169.89, 59.82.31.115
Watching with netstat -p:

```
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.5:48388       203.119.175.212:www     TIME_WAIT   -
tcp        0      0 192.168.1.5:48387       203.119.175.212:www     TIME_WAIT   -
```

It even hides the process name.
Processes:
```
# ps
  PID USER       VSZ STAT COMMAND
    1 root      1380 S    /sbin/procd
    2 root         0 SW   [kthreadd]
    3 root         0 SW   [ksoftirqd/0]
    5 root         0 SW<  [kworker/0:0H]
    6 root         0 SW   [kworker/u8:0]
    7 root         0 SW   [migration/0]
    8 root         0 SW   [rcu_bh]
    9 root         0 SW   [rcu_sched]
   10 root         0 SW   [migration/1]
   11 root         0 SW   [ksoftirqd/1]
   12 root         0 SW   [kworker/1:0]
   13 root         0 SW<  [kworker/1:0H]
   14 root         0 SW   [migration/2]
   15 root         0 SW   [ksoftirqd/2]
   16 root         0 SW   [kworker/2:0]
   17 root         0 SW<  [kworker/2:0H]
   18 root         0 SW   [migration/3]
   19 root         0 SW   [ksoftirqd/3]
   21 root         0 SW<  [kworker/3:0H]
   22 root         0 SW<  [khelper]
   23 root         0 SW   [kworker/u8:1]
   88 root         0 SW<  [writeback]
   90 root         0 SW<  [bioset]
   92 root         0 SW<  [kblockd]
  113 root         0 SW   [kworker/2:1]
  114 root         0 SW   [kworker/1:1]
  132 root         0 SW   [kworker/0:1]
  136 root         0 SW   [kswapd0]
  137 root         0 SW   [fsnotify_mark]
  138 root         0 SW<  [crypto]
  195 root         0 SW<  [deferwq]
  214 root         0 SW<  [kworker/3:1H]
  347 root       892 S    /sbin/ubusd
  349 root       768 S    /sbin/askfirst ttyS0 /bin/login
  350 root       768 S    /sbin/askfirst ttyS1 /bin/login
 1063 root         0 SWN  [jffs2_gcd_mtd6]
 1157 root         0 DW   [kpalive_kthread]
 2822 root      1512 S    /sbin/syslogd -C16 -c -s 16
 2824 root      1496 S    /sbin/klogd
 2848 root      1652 S    /sbin/netifd
 3794 root      2264 S    /usr/sbin/zebra -d
 3818 root      2024 S    /usr/sbin/watchquagga -d -z -T 60 -R /usr/sbin/quagga.init watchrestart zebra
 5397 root      1924 S    /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
 5637 root      1212 S    /usr/sbin/vsftpd -olisten_address=0.0.0.0 -olisten=YES -olisten_ipv6=NO /var/run/vsftpd/vsftpd.conf
 5941 root      1044 S    /usr/bin/vlmcsd -i /etc/vlmcsd.ini -L 0.0.0.0:1688
 6827 root      1148 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p 22 -K 300
 7205 root      1944 S    /usr/sbin/dcached -d
 7335 root      6088 S    {realtimed} /usr/bin/lua /usr/sbin/realtimed -p 65527
 7739 root      1504 S    /usr/sbin/ntpd -n -l -p time.pool.aliyun.com -p time.google.com -p 202.120.2.101 -p 0.pool.ntp.org
 7833 root       784 S    /usr/sbin/appd -a dcached,lighttpd -u realtimed,spyder,pingxx
 7843 root       784 S    /usr/sbin/appd -a dcached,lighttpd -u realtimed,spyder,pingxx
 7971 root      2468 S    {eventd} /usr/bin/lua /usr/sbin/eventd
 8326 root     22524 S    /usr/bin/ttyd -i 192.168.0.1 /bin/login
 8345 root         0 SW<  [kworker/0:1H]
 8550 root         0 SW<  [kworker/2:1H]
 8551 root         0 SW<  [kworker/1:1H]
 9105 root      1500 R    ps
17619 root         0 SW   [kworker/3:3]
19890 root      1848 S    /usr/sbin/pppd nodetach ipparam wan ifname pppoe-wan lcp-echo-interval 1 lcp-echo-failure 10 nodefaultroute
21133 root      1504 S    crond -c /etc/crontabs -l 5
21230 nobody    1908 S    /usr/sbin/dnsmasq --conf-dir=/var/etc/dnsmasq-go.d -r /tmp/resolv.conf.auto -K -D -y -Z -b -E -s lan -S /lan
23245 root      1216 R    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p 22 -K 300
23274 root      1504 S    -ash
24866 root         0 SW   [kworker/0:0]
24880 root         0 SW   [kworker/3:1]
29473 root      659m S    /usr/bin/违禁软件/违禁软件 -config=/tmp/config.json
29954 nobody    9392 S    /usr/sbin/pdnsd -c /var/etc/pdnsd.conf -d
```
The question is: how do I get rid of this behaviour in the modded build (the version I tested reports 4.3.0.14951)? Could some expert point out which process is doing this?
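One way to answer the "which process" question on a BusyBox/OpenWrt box, as an added example that is not part of the original post. `netstat -p` prints `-` for a TIME_WAIT socket because a connection in TIME_WAIT no longer belongs to any file descriptor, so only a connection caught while it is still ESTABLISHED can be tied to a PID. The script below reads `/proc/net/tcp` directly, decodes the hex addresses, and maps the socket inode to a PID through `/proc/<pid>/fd`. The `PROC_ROOT` variable (so the parser can be run against a constructed `/proc`-like tree), the `HOST_BE` switch for big-endian routers, and all sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): tie a TCP connection to a PID on a
# BusyBox/OpenWrt router by reading /proc/net/tcp instead of trusting `netstat -p`.
# PROC_ROOT is an assumption so the functions can be exercised on a constructed tree.
# HOST_BE=1 is an assumption for big-endian routers (many MIPS boards): there the
# kernel prints the IPv4 bytes in natural order, on x86 they come out reversed.
PROC_ROOT="${PROC_ROOT:-/proc}"
HOST_BE="${HOST_BE:-0}"

# hex2ip D4AF77CB -> 203.119.175.212 on a little-endian host (reversed when HOST_BE=1)
hex2ip() {
    h=$1
    b1=${h%??????}; r=${h#??}
    b2=${r%????};   r=${r#??}
    b3=${r%??};     b4=${h#??????}
    if [ "$HOST_BE" = 1 ]; then
        printf '%d.%d.%d.%d\n' "$((0x$b1))" "$((0x$b2))" "$((0x$b3))" "$((0x$b4))"
    else
        printf '%d.%d.%d.%d\n' "$((0x$b4))" "$((0x$b3))" "$((0x$b2))" "$((0x$b1))"
    fi
}

# Ports are printed by the kernel in host order on every architecture: 0050 -> 80
hex2port() { printf '%d\n' "$((0x$1))"; }

# Socket state codes used in /proc/net/tcp
st_name() {
    case $1 in
        01) echo ESTABLISHED ;; 02) echo SYN_SENT ;;   03) echo SYN_RECV ;;
        04) echo FIN_WAIT1 ;;   05) echo FIN_WAIT2 ;;  06) echo TIME_WAIT ;;
        07) echo CLOSE ;;       08) echo CLOSE_WAIT ;; 09) echo LAST_ACK ;;
        0A) echo LISTEN ;;      0B) echo CLOSING ;;    *)  echo "ST_$1" ;;
    esac
}

# inode2pid 90210 -> PID whose fd table holds socket:[90210], or "-" if none.
# Inode 0 means the socket has no owner (TIME_WAIT/orphaned), so skip the scan.
inode2pid() {
    ino=$1
    if [ "$ino" != "0" ]; then
        for fd in "$PROC_ROOT"/[0-9]*/fd/*; do
            if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$ino]" ]; then
                p=${fd#"$PROC_ROOT"/}
                echo "${p%%/*}"
                return 0
            fi
        done
    fi
    printf '%s\n' -
    return 0
}

# conns_to <remote-ip>: one line per /proc/net/tcp entry whose peer is <remote-ip>.
# Field order in /proc/net/tcp: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
conns_to() {
    target=$1
    while read -r sl laddr raddr st _txrx _timer _retr _uid _timeout inode _rest; do
        case $raddr in *:*) ;; *) continue ;; esac   # skip the header line
        rip=$(hex2ip "${raddr%%:*}")
        [ "$rip" = "$target" ] || continue
        lip=$(hex2ip "${laddr%%:*}")
        lport=$(hex2port "${laddr##*:}")
        rport=$(hex2port "${raddr##*:}")
        pid=$(inode2pid "$inode")
        comm=-
        if [ "$pid" != "-" ] && [ -r "$PROC_ROOT/$pid/comm" ]; then
            comm=$(cat "$PROC_ROOT/$pid/comm")
        fi
        printf '%s %s:%s -> %s:%s inode=%s pid=%s comm=%s\n' \
            "$(st_name "$st")" "$lip" "$lport" "$rip" "$rport" "$inode" "$pid" "$comm"
    done < "$PROC_ROOT/net/tcp"
    return 0
}

# Usage (as root): sh conns.sh 203.119.175.212
if [ -n "${1:-}" ]; then
    conns_to "$1"
fi
```

Because the connections in the post are short-lived, run it in a tight loop (`while :; do sh conns.sh 203.119.175.212; sleep 0.2; done`) or once per suspect IP until an ESTABLISHED line with a real PID shows up; `readlink /proc/<pid>/exe` and `tr '\0' ' ' < /proc/<pid>/cmdline` then name the binary and its arguments. If every hit is TIME_WAIT with inode 0, that is the kernel, not the binary, hiding the owner, and the only fix is to catch the socket earlier.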