Troubleshooting Process

This section describes how to troubleshoot security issues in a Linux host.

Procedure

Check whether abnormal processes exist in the host.

Query command: top

Check whether abnormal processes exist based on the CPU usage and process names. For example, the CPU usage of the following suspicious process exceeds 100%:
Check the file directory based on the PID of the abnormal process.

Query command: lsof -p PID (for example, 25267)
Locate abnormal files, which are marked with xmr or mine.
1. View files: ll -art
1. Query the Trojan path: pwd
  Detect the file that contains abnormal addresses: strings file_name (for example, config.json) |grep xmr
  You are advised to check the following directories: /etc (configuration files), /tmp (temporary files), and /bin (executable files).
  - In user commands, /lib refers to library files, /etc refers to configuration files, and /sbin refers to executable files.
  - In management commands, /lib refers to library files, /etc refers to configuration files, /usr/ refers to read-only files, and shared read-only and /usr/local refer to third-party software.
1. Check whether the URL (xmr.flooder.org:80) is a mining pool.
View the permissions of the host user.

Query command: cat /etc/passwd|grep username (for example, bash)

The nologin user does not have the login permission. You are advised to check the users who have the login permission.
Check the abnormal login records from the host login logs.

Query command: cat file_name (for example, secure) |grep Acc|grep username (for example, oracle)

Find the time that the host is usually logged in to from the success login logs, which may be the time when the Trojan is implanted.

Based on the login time, check the login IP addresses and login frequency (including the number of successful or failed logins). If there are a large number of abnormal IP address logins, brute-force attacks may have taken place.
If the problem persists, you can submit a service ticket.