Troubleshooting Process
This section describes how to troubleshoot security issues in a Linux host.
Procedure
- Check whether abnormal processes exist in the host.
Query command: top
Check whether abnormal processes exist based on the CPU usage and process names. A typical sign of a cryptominer is a process you do not recognize whose CPU usage exceeds 100% (that is, more than one full core). Note the PID of any such process for the next step.
- Check the file directory based on the PID of the abnormal process.
Query command: lsof -p PID (for example, lsof -p 25267). The output lists the files, shared libraries and network sockets the process holds open, which reveals where its binary and configuration files are located.
- Locate abnormal files. Miner files are often identifiable by names or contents containing xmr (Monero) or mine.
- View files: ll -art (ll is an alias for ls -l; -a includes hidden files, -t sorts by modification time and -r reverses the order, so the most recently modified files appear last)
- Query the Trojan path: pwd (run in the directory found through lsof)
Detect the file that contains abnormal addresses such as mining pool URLs: strings file_name | grep xmr (for example, strings config.json | grep xmr)
You are advised to check the following directories first: /etc (configuration files, including cron entries used for persistence), /tmp (temporary files, where downloaded payloads are commonly unpacked), and /bin (executable files). For reference, the standard Linux directory layout is:
- /bin: user commands; /sbin: system management commands
- /lib: shared library files
- /etc: configuration files
- /usr: read-only, shareable files; /usr/local: third-party software installed locally
- View files in each directory with: ll -art
- View the permissions of the host user.
Query command: cat /etc/passwd | grep shell_name (for example, cat /etc/passwd | grep bash). The seventh field of each line is the login shell; grepping for bash lists the accounts that can open an interactive session.
Accounts whose shell is nologin (or false) cannot log in. You are advised to review every account that has a login shell and remove or lock any that are not expected.
- Check the abnormal login records from the host login logs.
Query command: cat file_name | grep Acc | grep username (for example, cat /var/log/secure | grep Acc | grep oracle). On CentOS/RHEL-based systems the SSH login log is /var/log/secure; on Debian/Ubuntu it is /var/log/auth.log. grep Acc matches the "Accepted" lines that sshd writes for successful logins.
From the successful-login entries, identify the times at which the host is normally logged in to and any logins outside that pattern; a successful login shortly before the modification time of the abnormal files is a likely time of implantation.
Based on the login time, check the source IP addresses and login frequency, including the number of successful and failed logins ("Accepted" and "Failed password" entries respectively). A large number of failed logins from the same IP address, especially if followed by a success, indicates a brute-force attack.
- If the problem persists, you can submit a service ticket.
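The procedure above, as an added example that is not part of the original page: the triage steps collected into shell functions, run against constructed sample data (the /var/log/secure lines, /etc/passwd entries, miner config and IP addresses below are made up for this example, not taken from a real host). On a real host, point the functions at /var/log/secure (or /var/log/auth.log), /etc/passwd and the suspect file found through lsof.

```shell
#!/bin/sh
# Added example (not the page's own tooling): the host triage steps as functions.
set -u

# Step 1: processes above a CPU threshold, a non-interactive stand-in for `top`.
high_cpu_processes() {
  threshold="${1:-80}"
  ps -eo pid,pcpu,comm | awk -v t="$threshold" 'NR > 1 && $2 + 0 > t'
}

# Step 2: binary and working directory of a PID (complements `lsof -p PID` and `pwd`).
process_paths() {
  pid="$1"
  printf 'exe: %s\ncwd: %s\n' "$(readlink "/proc/$pid/exe")" "$(readlink "/proc/$pid/cwd")"
}

# Step 3: miner markers in a file. grep -a scans binaries too, so it works where
# `strings` is not installed. "stratum" (the mining-pool protocol) is added here
# to the page's xmr/mine markers; expect some benign hits such as "determine".
miner_markers() {
  grep -aEi 'xmr|mine|stratum' "$1"
}

# Step 4: accounts that can actually log in (login shell is not nologin/false).
login_shell_users() {
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Step 5: per-source-IP counts of accepted and failed sshd logins.
# Output lines: <ip> failed=<n> accepted=<n>, most failures first.
login_summary() {
  awk '
    /sshd\[[0-9]+\]: (Accepted|Failed)/ {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "") next
      seen[ip] = 1
      if ($0 ~ /: Accepted/) accepted[ip]++; else failed[ip]++
    }
    END {
      for (ip in seen)
        printf "%s failed=%d accepted=%d\n", ip, failed[ip] + 0, accepted[ip] + 0
    }' "$1" | sort -t= -k2,2nr
}

# Source IPs whose failed-login count reaches the threshold: brute-force candidates.
brute_force_sources() {
  login_summary "$1" | awk -v t="${2:-10}" '{ split($2, f, "="); if (f[2] + 0 >= t) print $1 }'
}

# Constructed sample inputs (hypothetical host, documentation-range IP addresses).
SAMPLE_LOG=$(mktemp); SAMPLE_PASSWD=$(mktemp); SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_PASSWD" "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 02:11:05 host sshd[1201]: Failed password for root from 203.0.113.45 port 51522 ssh2
Mar  3 02:11:07 host sshd[1201]: Failed password for root from 203.0.113.45 port 51524 ssh2
Mar  3 02:11:09 host sshd[1204]: Failed password for invalid user admin from 203.0.113.45 port 51530 ssh2
Mar  3 02:11:12 host sshd[1207]: Accepted password for oracle from 203.0.113.45 port 51540 ssh2
Mar  3 09:30:00 host sshd[1300]: Accepted publickey for oracle from 192.0.2.10 port 40022 ssh2
EOF
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
oracle:x:1001:1001::/home/oracle:/bin/bash
EOF
cat > "$SAMPLE_CFG" <<'EOF'
{"url": "xmr.pool.example:3333", "pass": "x"}
EOF

echo "== logins by source IP =="; login_summary "$SAMPLE_LOG"
echo "== brute-force candidates (3 or more failures) =="; brute_force_sources "$SAMPLE_LOG" 3
echo "== accounts with a login shell =="; login_shell_users "$SAMPLE_PASSWD"
echo "== miner markers in config =="; miner_markers "$SAMPLE_CFG"
```

In the sample log, 203.0.113.45 fails three times against root and admin and then succeeds as oracle at 02:11, which is exactly the pattern the last step describes: a brute-force source followed by a successful login at an unusual hour, and therefore the first candidate for the implantation time. high_cpu_processes and process_paths are not exercised on the sample data because they query the live host.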