Troubleshooting Process
This section describes how to troubleshoot security issues in a Linux server.
Procedure
- Check whether abnormal processes exist on the server.
Query command: top
Check whether abnormal processes exist based on CPU usage and process names. For example, a process whose CPU usage exceeds 100% is suspicious (the original page shows such a process in a screenshot):

- Check the file directory based on the PID of the abnormal process.
Query command: lsof -p PID (for example, 25267)

- Locate abnormal files, which are typically marked with xmr or mine (in the file name or in the file contents).
- View files: ll -art

- Query the Trojan path: pwd
Detect files that contain abnormal addresses: strings file_name (for example, config.json) | grep xmr

You are advised to check the following directories: /etc (configuration files), /tmp (temporary files), and /bin (executable files).
- Directories for user commands: /lib contains library files, /etc contains configuration files, and /sbin contains executable files.
- Directories for management commands: /lib contains library files, /etc contains configuration files, /usr contains shared read-only files, and /usr/local contains third-party software.
- View files: ll -art
- View the permissions of the server users.
Query command: cat /etc/passwd | grep username (for example, bash)

A user whose shell is nologin cannot log in. You are advised to check the users who do have the login permission.
- Check for abnormal login records in the server login logs.
Query command: cat file_name (for example, secure) | grep Acc | grep username (for example, oracle)
Review successful login records for suspicious activity, focusing on the period around the suspected Trojan implantation.

Based on the login time, check the login IP addresses and the login frequency (including the number of successful and failed logins). A large number of logins from abnormal IP addresses indicates that brute-force attacks may have taken place.

- If the problem persists, you can submit a service ticket.
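The following shell script is an added example and is not part of the original documentation or the cloud provider's tooling. It turns the manual checks of the procedure above into small functions that read their input from stdin or a directory, so each step can be exercised on constructed sample data (the PIDs, process names, users and IP addresses below are all fictitious) before being pointed at a live host. Unlike the procedure, it also groups the login-log records by source IP and counts accepted and failed logins, which is the check step 6 describes in prose.

```shell
#!/bin/sh
# Added example, not part of the original documentation: shell helpers that
# perform the checks from the procedure above on data read from stdin or a
# directory. Every sample below (PIDs, names, users, IPs) is constructed.

# Step 1: processes whose CPU usage exceeds a threshold.
# Input lines look like `ps -eo pid,pcpu,comm --no-headers`: "PID %CPU COMMAND".
high_cpu_processes() {
    awk -v t="$1" '$2 + 0 > t + 0 { print $1, $3 }'
}

# Steps 3/4: files under a directory whose name or printable contents carry
# the miner markers xmr or mine (whole words, so "determine" does not match).
files_with_miner_markers() {
    dir="$1"
    {
        find "$dir" -type f -iname '*xmr*' -o -type f -iname '*mine*'
        grep -rliwE 'xmr|mine' "$dir" 2>/dev/null
    } | sort -u
}

# Step 5: accounts that can log in, i.e. whose shell is not nologin or false.
# Input: /etc/passwd format on stdin.
login_capable_users() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Step 6: per source IP, count accepted and failed SSH logins in a secure/auth
# log. Output "IP accepted failed", most failures first, so brute-force
# sources appear at the top.
summarize_logins() {
    awk '
        /(Accepted|Failed) (password|publickey) for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            seen[ip] = 1
            if ($0 ~ /Accepted/) { ok[ip]++ } else { bad[ip]++ }
        }
        END { for (ip in seen) printf "%s %d %d\n", ip, ok[ip] + 0, bad[ip] + 0 }
    ' | sort -k3,3nr -k1,1
}

# --- Constructed sample data (fictitious PIDs, users and IP addresses) ---
SAMPLE_PS='    1   0.3 systemd
25267 198.7 xmr_svc
  812   1.2 sshd'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
oracle:x:1001:1001::/home/oracle:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/false'

SAMPLE_SECURE='Mar  3 02:14:07 host sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 02:14:09 host sshd[2203]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar  3 02:14:11 host sshd[2205]: Failed password for root from 198.51.100.7 port 51041 ssh2
Mar  3 02:15:40 host sshd[2210]: Accepted password for oracle from 198.51.100.7 port 51102 ssh2
Mar  3 09:01:15 host sshd[3001]: Accepted publickey for deploy from 192.0.2.10 port 40212 ssh2'

# Run the helpers on the samples. On a live host, replace the sample input with
#   ps -eo pid,pcpu,comm --no-headers | high_cpu_processes 100
#   files_with_miner_markers /tmp
#   login_capable_users < /etc/passwd
#   summarize_logins < /var/log/secure
echo "== processes above 100% CPU =="
printf '%s\n' "$SAMPLE_PS" | high_cpu_processes 100
echo "== login-capable accounts =="
printf '%s\n' "$SAMPLE_PASSWD" | login_capable_users
echo "== logins per source IP (accepted failed) =="
printf '%s\n' "$SAMPLE_SECURE" | summarize_logins
```

In the sample output, the source 198.51.100.7 shows three failed logins followed by one accepted login for oracle within a couple of minutes, which is the pattern the procedure describes: a burst of failures from one address that ends in a success around the time of the suspected implantation. The whole-word grep in files_with_miner_markers is a deliberate choice to avoid false positives on ordinary words that contain "mine".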