[Tested OK] Was a Docker container compromised?
This afternoon I noticed the server fan kept spinning, so I took a look with top and found a program called 'systemdd-dev' had the CPU maxed out.
#uptime
22:53:21 up 46 days, 3:57, 1 user, load average: 10.48, 10.73, 10.82
top showed:
A program called 'systemdd-dev' had the CPU maxed out.
polkitd 1310107 7584 99 Jul23 ? 55-10:12:06 /tmp/.lib/systemdd-dev
ls /tmp/.lib/systemdd-dev
ls: cannot access '/tmp/.lib/systemdd-dev': No such file or directory
strace -f -p 1310107
[pid 1366321] sched_yield() = 0
[pid 1366320] sched_yield() = 0
[pid 1366325] sched_yield() = 0
[pid 1366328] sched_yield() = 0
polkitd 1310107 7584 99 Jul23 ? 55-09:43:59 /tmp/.lib/systemdd-dev
polkitd:x:998:996:User for polkitd:/:/sbin/nologin
#cat /proc/1310107/status
Name: systemdd-dev
Umask: 0022
State: S (sleeping)
Tgid: 1310107
Ngid: 0
Pid: 1310107
PPid: 7584
TracerPid: 0
Uid: 998 998 998 998
Gid: 998 998 998 998
Mems_allowed_list: 0
voluntary_ctxt_switches: 1498969
nonvoluntary_ctxt_switches: 119
Fix:
From the process's parent PID above, 7584, we learned it was git, which led us to the container.
#ps -ef|grep 7584
root 7584 7541 0 Jun12 ? 00:00:00 /bin/bash /assets/wrapper
root 8523 7584 0 Jun12 ? 00:00:18 runsvdir -P /opt/gitlab/service log: .........................................................................................................................
root 11249 7584 0 Jun12 ? 00:00:00 /bin/bash /opt/gitlab/bin/gitlab-ctl tail
root 925975 898775 0 22:52 pts/4 00:00:00 grep --color=auto 7584
polkitd 1309744 7584 0 Jul23 ? 00:03:21 /bin/bash /tmp/.lib/systemdd-udevd
polkitd 1309748 7584 0 Jul23 ? 00:00:17 /var/opt/gitlab/gitlab-workhorse/java
polkitd 1310107 7584 99 Jul23 ? 55-10:12:06 /tmp/.lib/systemdd-dev
docker ps -a
1b1a3af4b528 gitlab/gitlab-ce "/assets/wrapper" 15 months ago Up 6 weeks (healthy) 0.0.0.0:8226->22/tcp, 0.0.0.0:8341->80/tcp, 0.0.0.0:8848->443/tcp gitlab
docker stop 1b1a3af4b528
uptime # load has come down
23:01:18 up 46 days, 4:05, 1 user, load average: 0.09, 2.41, 6.67
Could a hacker have moved into the container?
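An added example, not part of the original post: the post walked from the miner's parent PID (7584) through ps to the gitlab-ce container. The script below does that lookup directly from /proc/<pid>/cgroup, which carries the full 64-character container ID, and it also accounts for the "No such file or directory" from ls: /tmp/.lib exists only inside the container's mount namespace, and a miner that unlinks itself after starting leaves /proc/<pid>/exe pointing at a "(deleted)" path. /proc/<pid>/exe still resolves from the host, so the binary can be copied and hashed before the container is stopped (stopping it kills the process and the /proc view with it; `docker pause` keeps it frozen for memory capture). The helper names and the sample cgroup lines, including the 64-hex ID, are my own constructions.

```shell
#!/bin/sh
# Added example (not part of the original post): triage a suspicious host PID
# that actually belongs to a container, the way the post found systemdd-dev.

# Extract the 64-hex Docker container ID from cgroup lines on stdin.
# Handles cgroup v1 (".../docker/<id>") and v2 ("0::/system.slice/docker-<id>.scope").
# Prints nothing when the process is not in a Docker cgroup.
container_id_from_cgroup() {
    sed -n 's/.*docker[-/]\([0-9a-f]\{64\}\).*/\1/p' | head -n 1
}

# Same lookup for a live host PID, reading /proc/<pid>/cgroup.
container_of_pid() {
    container_id_from_cgroup < "/proc/$1/cgroup" 2>/dev/null
}

# Classify the output of `readlink /proc/<pid>/exe`: the kernel appends
# " (deleted)" when the executable was unlinked after exec. Together with the
# container mount namespace, this is why `ls` of the path on the host fails.
exe_state() {
    case "$1" in
        *" (deleted)") echo deleted ;;
        "")            echo unknown ;;
        *)             echo present ;;
    esac
}

# Collect what is worth keeping before the container is stopped: container name
# and image, exe state, and a hashed copy of the running binary. /proc/<pid>/exe
# resolves through the container's mount namespace, so the copy works from the host.
triage_pid() {
    pid=$1
    cid=$(container_of_pid "$pid" || true)
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || true)
    echo "pid=$pid container=${cid:-none} exe=${exe:-?} state=$(exe_state "$exe")"
    if [ -n "$cid" ]; then
        docker inspect --format '{{.Name}} {{.Config.Image}}' "$cid" 2>/dev/null || true
    fi
    if cp "/proc/$pid/exe" "/tmp/sample-$pid.bin" 2>/dev/null; then
        sha256sum "/tmp/sample-$pid.bin"
    fi
    # Prefer `docker pause <cid>` over `docker stop` while the process is still
    # needed for memory capture; stop kills it and /proc/<pid> disappears.
}

# Usage: sh triage.sh 1310107
if [ -n "${1:-}" ]; then
    triage_pid "$1"
fi
```

Run it as root on the host with the PID from top; the container ID it prints is the long form of the `1b1a3af4b528` that `docker ps` abbreviates, so it can be passed straight to `docker inspect` or `docker pause`.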
Author: jackxiang @ 向东博客 (Xiangdong Blog), focused on web applications and the beauty of architecture --- the beauty of architecture lies in bringing out its full form | the beauty of an application lies in the remedy hitting the mark
Link: https://jackxiang.com/post/11444/
All rights reserved. When reposting, you must credit the author and the original source as a link and include this notice!