A virtual machine that had been infected over and over, not worth salvaging and kept only for research, was brought back to a fairly normal state after reinstalling some basic programs over the compromised ones. The plan was to scan and clean first, then repeatedly run different malware samples, watch their network connections, and block suspicious IPs at the perimeter. Current puzzle:
# netstat -natp
...
tcp 0 1 107.148.237.145:60049 118.107.41.250:808 SYN_SENT -
tcp 0 1 107.148.237.145:45384 46.203.124.122:8080 SYN_SENT -
...
These two network connections cannot be traced to any PID, and I can't see any suspicious kernel module either. The system is CentOS 7.9. I have asked every AI without result, so I'd like to ask for human experience or leads.
This is a mirrored post. Source: 北邮人论坛 / linux / #161421, synced on 2026/1/21.
Cannot find the PID of the process that initiated a network connection
redsand
2026/1/21 mirror sync, 10 replies
9 replies
lsof -i TCP -n -P
Give that a look?
root@debian:~# lsof -i TCP -n -P
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
redis-ser 640 redis 6u IPv4 17692 0t0 TCP 127.0.0.1:6379 (LISTEN)
redis-ser 640 redis 7u IPv6 17693 0t0 TCP [::1]:6379 (LISTEN)
taosd 679 root 45u IPv4 16663 0t0 TCP *:6030 (LISTEN)
taosd 679 root 100u IPv4 14661 0t0 TCP 127.0.0.1:39818->127.0.1.1:6030 (ESTABLISHED)
taosd 679 root 101u IPv4 1009 0t0 TCP 127.0.1.1:6030->127.0.0.1:39818 (ESTABLISHED)
taosd 679 root 103u IPv4 19388 0t0 TCP 127.0.0.1:36074->127.0.1.1:6030 (ESTABLISHED)
taosd 679 root 104u IPv4 20486 0t0 TCP 127.0.1.1:6030->127.0.0.1:36074 (ESTABLISHED)
taosd 679 root 106u IPv4 19389 0t0 TCP 127.0.0.1:58868->127.0.1.1:6030 (ESTABLISHED)
taosd 679 root 107u IPv4 20487 0t0 TCP 127.0.1.1:6030->127.0.0.1:58868 (ESTABLISHED)
mariadbd 755 mysql 22u IPv4 12755 0t0 TCP 127.0.0.1:3306 (LISTEN)
sshd 764 root 3u IPv4 16621 0t0 TCP *:22 (LISTEN)
sshd 764 root 4u IPv6 16623 0t0 TCP *:22 (LISTEN)
sshd 1352 root 4u IPv4 16764 0t0 TCP 192.168.56.3:22->192.168.56.1:57659 (ESTABLISHED)
My output; does this show anything? There is a DEVICE column here, but how to dig further from there I don't know either. My guess is that's where it goes missing.
Oh no, yesterday someone asked whether I still wanted the machine and I let it be recycled. But I had already tried the ss command and lsof before, including looking up the inode directly in /proc/net/tcp, and I also wanted to use strace, but I couldn't find a suspicious process. Let me see whether I still have any other prized infected machines and keep looking.
[root@C20230314142584 ~]# netstat -natp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:10802 0.0.0.0:* LISTEN 1544/sshd
tcp 0 232 107.148.237.145:10802 103.169.217.9:54736 ESTABLISHED 13209/sshd: root@pt
tcp 0 1 107.148.237.145:54959 46.203.124.122:8080 SYN_SENT -
tcp 0 1 107.148.237.145:34324 118.107.41.250:8011 SYN_SENT -
tcp6 0 0 :::10802 :::* LISTEN 1544/sshd
[root@C20230314142584 ~]# lsof -i TCP -n -P
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1544 root 3u IPv4 301437 0t0 TCP *:10802 (LISTEN)
sshd 1544 root 4u IPv6 301439 0t0 TCP *:10802 (LISTEN)
sshd 13209 root 3u IPv4 15883307 0t0 TCP 107.148.237.145:10802->103.169.217.9:54736 (ESTABLISHED)
[root@C20230314142584 ~]# ss -tulnpe | grep "46.203.124.122:8080"
[root@C20230314142584 ~]#
[root@C20230314142584 proc]# cat /proc/net/tcp
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
0: 00000000:2A32 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 301437 1 ffff880811e51e00 100 0 0 10 0
1: 91ED946B:CC1F 7A7CCB2E:1F90 02 00000001:00000000 01:000000B1 00000002 0 0 15021948 2 ffff880811859e00 400 0 0 1 5
2: 91ED946B:95E8 FA296B76:0328 02 00000001:00000000 01:000003AC 00000004 0 0 15027492 2 ffff880812be7800 1600 0 0 1 5
3: 91ED946B:2A32 E3DCF478:6221 01 00000024:00000000 01:0000001E 00000000 0 0 15025695 3 ffff880808292d00 31 4 21 6 5
[root@C20230314142584 proc]# ls -l */fd/* | grep 15021948
ls: cannot access 27183/fd/255: No such file or directory
ls: cannot access 27183/fd/3: No such file or directory
ls: cannot access self/fd/255: No such file or directory
ls: cannot access self/fd/3: No such file or directory
I searched through the history output on screen; the kernel side was never checked with any tools. There was an infected machine earlier that had been shut down, which now appears to have been deleted. I'll spin up another one later; with just a simple password set, it should get infected quickly.
After the machine sat overnight, my original simple password no longer worked to log in. After recovering it I went in and saw it had picked up a piece of malware with a fairly obvious name, 2300e66b, plus another called cache. I blocked a few IPs, then set the simple password back and waited for it to catch something else.
Got the infection I was hoping for.
[root@test-centos-7 tmp]# netstat -natp | grep ESTABLISHED
tcp 0 0 198.2.193.55:38102 158.94.211.246:443 ESTABLISHED -
tcp 0 72 198.2.193.55:43726 37.221.64.235:80 ESTABLISHED -
I haven't gotten around to the tools mentioned above yet; I wanted to first check whether netstat, ps, or the libraries they use had been replaced, and found something.
stat /usr/bin/netstat shows normal timestamps, but
# ldd /usr/bin/netstat
linux-vdso.so.1 => (0x00007fffb4db4000)
/usr/local/lib/libprocesshider.so (0x00007fa046a00000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fa046397000)
libc.so.6 => /lib64/libc.so.6 (0x00007fa045fc9000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fa045dc5000)
libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fa045b63000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa0467e6000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fa045947000)
Note /usr/local/lib/libprocesshider.so (0x00007fa046a00000)
A normal library is unlikely to live at that path.
# cat /etc/ld.so.preload
/usr/local/lib/libprocesshider.so
Empty /etc/ld.so.preload, run ldconfig, then run netstat again and the process IDs show up:
tcp 0 0 198.2.193.55:38102 158.94.211.246:443 ESTABLISHED 7769/.>_
tcp 0 0 198.2.193.55:47924 104.26.13.205:80 TIME_WAIT -
tcp 0 0 198.2.193.55:42014 104.26.12.205:80 TIME_WAIT -
tcp 0 149 198.2.193.55:44782 37.221.64.235:80 ESTABLISHED 7769/.>_
tcp 0 1 198.2.193.55:44768 37.221.64.235:80 SYN_SENT 7769/.>_
Now to go kill it off again!
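As an added example (not from the thread or from redsand's own commands), a Python script that does what this thread ends up doing by hand: it reads /proc/net/tcp directly instead of trusting the netstat binary, finds PIDs that a userspace readdir() hook such as libprocesshider hides from directory listings by probing /proc/<pid>/stat for every PID up to pid_max, and then maps socket inodes to those PIDs through /proc/<pid>/fd. The sample table is the one posted above; the code assumes an x86 host (little-endian address words) and only defeats userspace hooks, not a kernel module that filters stat() as well.

```python
import os
import socket
import struct

# Constructed sample: /proc/net/tcp rows copied from this thread (header plus two sockets).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:2A32 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 301437 1 ffff880811e51e00 100 0 0 10 0
   1: 91ED946B:CC1F 7A7CCB2E:1F90 02 00000001:00000000 01:000000B1 00000002     0        0 15021948 2 ffff880811859e00 400 0 0 1 5
"""
TCP_STATES = {0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x0A: "LISTEN"}

def decode_addr(hexaddr):
    # '7A7CCB2E:1F90' -> ('46.203.124.122', 8080); the IPv4 word is host byte order (LE on x86), port already host order
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    # (local_ip, local_port, remote_ip, remote_port, state, inode) per row: netstat's data, read from the kernel directly
    rows = []
    for f in (line.split() for line in text.splitlines()[1:]):
        if len(f) >= 10:
            st = int(f[3], 16)
            rows.append(decode_addr(f[1]) + decode_addr(f[2]) + (TCP_STATES.get(st, "0x%02X" % st), int(f[9])))
    return rows

def find_hidden_pids(listed=None, exists=None, pid_max=32768):
    # PIDs that a path lookup confirms but the /proc listing omits; a userspace readdir() hook filters only listings
    listed = set(os.listdir("/proc") if listed is None else listed)
    exists = exists or (lambda pid: os.path.exists("/proc/%d/stat" % pid))
    return [pid for pid in range(1, pid_max + 1) if exists(pid) and str(pid) not in listed]

def socket_owners(inodes, pids):
    # Map socket inode -> pid through /proc/<pid>/fd symlinks, the way lsof does it.
    wanted = {"socket:[%d]" % i: i for i in inodes}
    owners = {}
    for pid in pids:
        try:
            links = [os.readlink("/proc/%d/fd/%s" % (pid, fd)) for fd in os.listdir("/proc/%d/fd" % pid)]
        except OSError:
            continue  # process exited, or its fd table is not readable
        for target in links:
            if target in wanted:
                owners[wanted[target]] = pid
    return owners

def scan():
    # Live run on the suspect host: sockets straight from the kernel, owners searched among the hidden PIDs.
    socks = parse_proc_net_tcp(open("/proc/net/tcp").read())
    hidden = find_hidden_pids(pid_max=int(open("/proc/sys/kernel/pid_max").read()))
    return socks, hidden, socket_owners([s[5] for s in socks], hidden)
```

Run scan() as root on the suspect host so every fd table is readable; an inode that maps to a PID absent from `ps` output is the hidden process, and /etc/ld.so.preload is the first place to look for why.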