Notes from a Trojan Investigation

Overview

A customer reported that they had captured cryptomining trojan traffic. We checked the processes but found nothing abnormal, so we asked the customer to provide their monitoring records; by capturing packets filtered on the port and destination IP, we found the corresponding lead.

Investigation

  • First captured packets with tcpdump and analysed them in Wireshark, then looked for the process with top, ps and netstat
  • Found the corresponding process via the port
  • The process's launch program pointed to /usr/bin/perl
  • The process's startup environment had been cleared, so no variables could be retrieved
  • Inspected the perl binary and found nothing abnormal; it was presumably started from a perl script, but the script could not be found
  • Found another abnormal process, top, and discovered that top had been tampered with
  • Looked up /usr/bin/top on a known-good server: its MD5 is 443b256b2ed0195c5de32319cc9593f6. The original top had been moved to /etc/ppp, and /usr/bin/top was a modified binary
md5sum --check ~/md5sum.txt
/usr/bin/chattr: FAILED
/usr/bin/cifsiostat: FAILED
/usr/bin/gencat: FAILED
/usr/bin/getconf: FAILED
/usr/bin/getent: FAILED
/usr/bin/iconv: FAILED
/usr/bin/iostat: FAILED
/usr/bin/iptables-xml: FAILED
/usr/bin/locale: FAILED
/usr/bin/localedef: FAILED
/usr/bin/makedb: FAILED
/usr/bin/mpstat: FAILED
/usr/bin/net: FAILED
/usr/bin/netstat: FAILED
/usr/bin/nfsiostat-sysstat: FAILED
/usr/bin/ntpstat: FAILED
/usr/bin/pidstat: FAILED
/usr/bin/pldd: FAILED
/usr/bin/rpcgen: FAILED
/usr/bin/sadf: FAILED
/usr/bin/sar: FAILED
/usr/bin/scp: FAILED
/usr/bin/sftp: FAILED
/usr/bin/slogin: FAILED
/usr/bin/sprof: FAILED
/usr/bin/ssh: FAILED
/usr/bin/ssh-add: FAILED
/usr/bin/ssh-agent: FAILED
/usr/bin/ssh-keygen: FAILED
/usr/bin/ssh-keyscan: FAILED
/usr/bin/strace: FAILED
/usr/bin/strace-log-merge: FAILED
/usr/bin/systemctl: FAILED
/usr/bin/tapestat: FAILED
/usr/bin/top: FAILED
/usr/bin/uptime: FAILED
/usr/bin/w: FAILED
  • Tracing the threads with strace showed them repeatedly probing the address of hub.34051.net, which confirmed the initial packet capture
  • Dumped a memory image with LiME (Linux Memory Extractor) and analysed it in Volatility3
[13:55:15] ~\Projects on❯ vol -s C:\Users\sixan\.local\share\volatility3\symbols -f C:\Users\sixan\Works\日志分析\莱士厂家\output.lime  linux.sockstat.Sockstat
Volatility 3 Framework 2.26.0
Progress:  100.00               Stacking attempts finished
NetNS   Process Name    PID     TID     FD      Sock Offset     Family  Type    Proto   Source Addr     Source Port     Destination Addr        Destination Port        State      Filter

4026531956      usr/sbin/httpd  1711    1711    1       0x8bc5990c0c00  AF_UNIX STREAM  -       -       37255   /run/systemd/journal/stdout     17982   ESTABLISHED     -
4026531956      usr/sbin/httpd  1711    1711    2       0x8bc5990c0c00  AF_UNIX STREAM  -       -       37255   /run/systemd/journal/stdout     17982   ESTABLISHED     -
4026531956      usr/sbin/httpd  1711    1711    3       0x8bae395464c0  AF_INET STREAM  TCP     192.168.1.236   55908   146.190.178.187 80      ESTABLISHED     -
4026531956      9748ce91        1972    1972    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2043    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2044    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2045    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2046    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2047    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2316    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2317    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2318    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2319    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2320    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2321    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2322    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2323    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2324    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2325    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2326    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2327    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2328    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2329    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2330    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2331    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2332    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2333    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2334    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2335    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2336    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2337    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2338    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2339    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -

[15:23:14] ~\downloads on❯ vol -s C:\Users\sixan\.local\share\volatility3\symbols -f C:\Users\sixan\Works\日志分析\莱士厂家\output.lime linux.proc.Maps --pid 1972
Volatility 3 Framework 2.26.0
Progress:  100.00               Stacking attempts finished
PID     Process Start   End     Flags   PgOff   Major   Minor   Inode   File Path       File output

1972    9748ce91        0x400000        0xc2d000        r-x     0x0     253     0       188537  /9748ce91       Disabled
1972    9748ce91        0xe2c000        0xe60000        r--     0x82c000        253     0       188537  /9748ce91       Disabled
1972    9748ce91        0xe60000        0xe6e000        rw-     0x860000        253     0       188537  /9748ce91       Disabled
1972    9748ce91        0xe6e000        0xf0a000        rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x1544000       0x15c9000       rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x15c9000       0x2609000       rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x2aaaaac00000  0x2aab2cc00000  rw-     0x0     0       14      40999   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab2cc00000  0x2aab3cc00000  rw-     0x0     0       14      41000   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3cc00000  0x2aab3ce00000  rw-     0x0     0       14      41001   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3ce00000  0x2aab3d000000  rw-     0x0     0       14      18062   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3d000000  0x2aab3d200000  rw-     0x0     0       14      10812   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3d200000  0x2aab3d400000  rw-     0x0     0       14      1019    /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3d400000  0x2aab3d600000  rw-     0x0     0       14      14953   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3d600000  0x2aab3d800000  rw-     0x0     0       14      14235   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3d800000  0x2aab3da00000  rw-     0x0     0       14      38036   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3da00000  0x2aab3dc00000  rw-     0x0     0       14      35117   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3dc00000  0x2aab3de00000  rw-     0x0     0       14      36568   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3de00000  0x2aab3e000000  rw-     0x0     0       14      37429   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3e000000  0x2aab3e200000  rw-     0x0     0       14      38994   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3e200000  0x2aab3e400000  rw-     0x0     0       14      21162   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3e400000  0x2aab3e600000  rw-     0x0     0       14      23020   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3e600000  0x2aab3e800000  rw-     0x0     0       14      11687   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3e800000  0x2aab3ea00000  rw-     0x0     0       14      24283   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3ea00000  0x2aab3ec00000  rw-     0x0     0       14      39981   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3ec00000  0x2aab3ee00000  rw-     0x0     0       14      27978   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3ee00000  0x2aab3f000000  rw-     0x0     0       14      27138   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3f000000  0x2aab3f200000  rw-     0x0     0       14      28943   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3f200000  0x2aab3f400000  rw-     0x0     0       14      30853   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3f400000  0x2aab3f600000  rw-     0x0     0       14      29962   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3f600000  0x2aab3f800000  rw-     0x0     0       14      31880   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3f800000  0x2aab3fa00000  rw-     0x0     0       14      24945   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab3fa00000  0x2aab3fc00000  rw-     0x0     0       14      12573   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x7f4b9c000000  0x7f4b9c021000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4b9c021000  0x7f4ba0000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4ba0000000  0x7f4ba0021000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4ba0021000  0x7f4ba4000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4ba4000000  0x7f4ba4022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4ba4022000  0x7f4ba8000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4ba8000000  0x7f4ba8021000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4ba8021000  0x7f4bac000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bac000000  0x7f4bac022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bac022000  0x7f4bb0000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bb0000000  0x7f4bb0022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bb0022000  0x7f4bb4000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bb4000000  0x7f4bb4022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bb4022000  0x7f4bb8000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bb8000000  0x7f4bb8022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bb8022000  0x7f4bbc000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bbc000000  0x7f4bbc022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bbc022000  0x7f4bc0000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bc0000000  0x7f4bc0022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bc0022000  0x7f4bc4000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bc4000000  0x7f4bc4022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bc4022000  0x7f4bc8000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bc8000000  0x7f4bc8022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bc8022000  0x7f4bcc000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bcc000000  0x7f4bcc022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bcc022000  0x7f4bd0000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bd0000000  0x7f4bd0022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bd0022000  0x7f4bd4000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bd4000000  0x7f4bd4022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bd4022000  0x7f4bd8000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bd8000000  0x7f4bd8022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bd8022000  0x7f4bdc000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bdc000000  0x7f4bdc022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bdc022000  0x7f4be0000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4be0000000  0x7f4be0022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4be0022000  0x7f4be4000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4be4000000  0x7f4be4022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4be4022000  0x7f4be8000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4be8000000  0x7f4be8022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4be8022000  0x7f4bec000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bec000000  0x7f4bec022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bec022000  0x7f4bf0000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bf0ffa000  0x7f4bf0ffb000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bf0ffb000  0x7f4bf17fb000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bf17fb000  0x7f4bf17fc000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bf17fc000  0x7f4bf1ffc000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bf1ffc000  0x7f4bf1ffd000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bf1ffd000  0x7f4bf27fd000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bf27fd000  0x7f4bf27fe000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bf27fe000  0x7f4bf2ffe000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bf4000000  0x7f4bf4022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bf4022000  0x7f4bf8000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bf8000000  0x7f4bf8022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bf8022000  0x7f4bfc000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bfc000000  0x7f4bfc022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4bfc022000  0x7f4c00000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c04000000  0x7f4c04022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c04022000  0x7f4c08000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c0c000000  0x7f4c0c022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c0c022000  0x7f4c10000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c107e9000  0x7f4c107ea000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c107ea000  0x7f4c10fea000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c10fea000  0x7f4c10feb000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c10feb000  0x7f4c117eb000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c117eb000  0x7f4c117ec000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c117ec000  0x7f4c11fec000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c11fec000  0x7f4c11fed000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c11fed000  0x7f4c127ed000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c127ed000  0x7f4c127ee000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c127ee000  0x7f4c12fee000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c12fee000  0x7f4c12fef000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c12fef000  0x7f4c137ef000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c137ef000  0x7f4c137f0000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c137f0000  0x7f4c13ff0000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c13ff0000  0x7f4c13ff1000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c13ff1000  0x7f4c147f1000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c147f1000  0x7f4c147f2000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c147f2000  0x7f4c14ff2000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c14ff2000  0x7f4c14ff3000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c14ff3000  0x7f4c157f3000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c157f3000  0x7f4c157f4000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c157f4000  0x7f4c15ff4000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c15ff4000  0x7f4c15ff5000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c15ff5000  0x7f4c167f5000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c167f5000  0x7f4c167f6000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c167f6000  0x7f4c16ff6000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c16ff6000  0x7f4c16ff7000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c16ff7000  0x7f4c177f7000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c177f7000  0x7f4c177f8000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c177f8000  0x7f4c17ff8000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c17ff8000  0x7f4c17ff9000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c17ff9000  0x7f4c187f9000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c187f9000  0x7f4c187fa000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c187fa000  0x7f4c18ffa000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c18ffa000  0x7f4c18ffb000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c18ffb000  0x7f4c197fb000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c197fb000  0x7f4c197fc000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c197fc000  0x7f4c19ffc000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c19ffc000  0x7f4c19ffd000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c19ffd000  0x7f4c1a7fd000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c1a7fd000  0x7f4c1a7fe000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c1a7fe000  0x7f4c1affe000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c1affe000  0x7f4c1afff000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c1afff000  0x7f4c1b7ff000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c1b7ff000  0x7f4c1b800000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c1b800000  0x7f4c1c000000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c1c000000  0x7f4c1c021000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c1c021000  0x7f4c20000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c20000000  0x7f4c20022000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c20022000  0x7f4c24000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c24000000  0x7f4c24021000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c24021000  0x7f4c28000000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c28282000  0x7f4c28442000  rwx     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c28442000  0x7f4c28644000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c28644000  0x7f4c28645000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c28645000  0x7f4c28e45000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c28e45000  0x7f4c28e5b000  r-x     0x0     253     0       16810789        /usr/lib64/libresolv-2.17.so    Disabled
1972    9748ce91        0x7f4c28e5b000  0x7f4c2905b000  ---     0x16000 253     0       16810789        /usr/lib64/libresolv-2.17.so    Disabled
1972    9748ce91        0x7f4c2905b000  0x7f4c2905c000  r--     0x16000 253     0       16810789        /usr/lib64/libresolv-2.17.so    Disabled
1972    9748ce91        0x7f4c2905c000  0x7f4c2905d000  rw-     0x17000 253     0       16810789        /usr/lib64/libresolv-2.17.so    Disabled
1972    9748ce91        0x7f4c2905d000  0x7f4c2905f000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c2905f000  0x7f4c29065000  r-x     0x0     253     0       16810775        /usr/lib64/libnss_dns-2.17.so   Disabled
1972    9748ce91        0x7f4c29065000  0x7f4c29264000  ---     0x6000  253     0       16810775        /usr/lib64/libnss_dns-2.17.so   Disabled
1972    9748ce91        0x7f4c29264000  0x7f4c29265000  r--     0x5000  253     0       16810775        /usr/lib64/libnss_dns-2.17.so   Disabled
1972    9748ce91        0x7f4c29265000  0x7f4c29266000  rw-     0x6000  253     0       16810775        /usr/lib64/libnss_dns-2.17.so   Disabled
1972    9748ce91        0x7f4c29266000  0x7f4c29272000  r-x     0x0     253     0       16810777        /usr/lib64/libnss_files-2.17.so Disabled
1972    9748ce91        0x7f4c29272000  0x7f4c29471000  ---     0xc000  253     0       16810777        /usr/lib64/libnss_files-2.17.so Disabled
1972    9748ce91        0x7f4c29471000  0x7f4c29472000  r--     0xb000  253     0       16810777        /usr/lib64/libnss_files-2.17.so Disabled
1972    9748ce91        0x7f4c29472000  0x7f4c29473000  rw-     0xc000  253     0       16810777        /usr/lib64/libnss_files-2.17.so Disabled
1972    9748ce91        0x7f4c29473000  0x7f4c29479000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c29479000  0x7f4c2947a000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c2947a000  0x7f4c29c7a000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c29c7a000  0x7f4c29c7b000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c29c7b000  0x7f4c2a47b000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c2a47b000  0x7f4c2a47c000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c2a47c000  0x7f4c2ac7c000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c2ac7c000  0x7f4c2ac7d000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c2ac7d000  0x7f4c2b47d000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c2b47d000  0x7f4c2b47e000  ---     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c2b47e000  0x7f4c2bc7e000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c2bc7e000  0x7f4c2be42000  r-x     0x0     253     0       16810761        /usr/lib64/libc-2.17.so Disabled
1972    9748ce91        0x7f4c2be42000  0x7f4c2c041000  ---     0x1c4000        253     0       16810761        /usr/lib64/libc-2.17.so Disabled
1972    9748ce91        0x7f4c2c041000  0x7f4c2c045000  r--     0x1c3000        253     0       16810761        /usr/lib64/libc-2.17.so Disabled
1972    9748ce91        0x7f4c2c045000  0x7f4c2c047000  rw-     0x1c7000        253     0       16810761        /usr/lib64/libc-2.17.so Disabled
1972    9748ce91        0x7f4c2c047000  0x7f4c2c04c000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c2c04c000  0x7f4c2c14d000  r-x     0x0     253     0       16810769        /usr/lib64/libm-2.17.so Disabled
1972    9748ce91        0x7f4c2c14d000  0x7f4c2c34c000  ---     0x101000        253     0       16810769        /usr/lib64/libm-2.17.so Disabled
1972    9748ce91        0x7f4c2c34c000  0x7f4c2c34d000  r--     0x100000        253     0       16810769        /usr/lib64/libm-2.17.so Disabled
1972    9748ce91        0x7f4c2c34d000  0x7f4c2c34e000  rw-     0x101000        253     0       16810769        /usr/lib64/libm-2.17.so Disabled
1972    9748ce91        0x7f4c2c34e000  0x7f4c2c350000  r-x     0x0     253     0       16810767        /usr/lib64/libdl-2.17.so        Disabled
1972    9748ce91        0x7f4c2c350000  0x7f4c2c550000  ---     0x2000  253     0       16810767        /usr/lib64/libdl-2.17.so        Disabled
1972    9748ce91        0x7f4c2c550000  0x7f4c2c551000  r--     0x2000  253     0       16810767        /usr/lib64/libdl-2.17.so        Disabled
1972    9748ce91        0x7f4c2c551000  0x7f4c2c552000  rw-     0x3000  253     0       16810767        /usr/lib64/libdl-2.17.so        Disabled
1972    9748ce91        0x7f4c2c552000  0x7f4c2c559000  r-x     0x0     253     0       16810791        /usr/lib64/librt-2.17.so        Disabled
1972    9748ce91        0x7f4c2c559000  0x7f4c2c758000  ---     0x7000  253     0       16810791        /usr/lib64/librt-2.17.so        Disabled
1972    9748ce91        0x7f4c2c758000  0x7f4c2c759000  r--     0x6000  253     0       16810791        /usr/lib64/librt-2.17.so        Disabled
1972    9748ce91        0x7f4c2c759000  0x7f4c2c75a000  rw-     0x7000  253     0       16810791        /usr/lib64/librt-2.17.so        Disabled
1972    9748ce91        0x7f4c2c75a000  0x7f4c2c771000  r-x     0x0     253     0       16810786        /usr/lib64/libpthread-2.17.so   Disabled
1972    9748ce91        0x7f4c2c771000  0x7f4c2c970000  ---     0x17000 253     0       16810786        /usr/lib64/libpthread-2.17.so   Disabled
1972    9748ce91        0x7f4c2c970000  0x7f4c2c971000  r--     0x16000 253     0       16810786        /usr/lib64/libpthread-2.17.so   Disabled
1972    9748ce91        0x7f4c2c971000  0x7f4c2c972000  rw-     0x17000 253     0       16810786        /usr/lib64/libpthread-2.17.so   Disabled
1972    9748ce91        0x7f4c2c972000  0x7f4c2c976000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c2c976000  0x7f4c2c998000  r-x     0x0     253     0       17747261        /usr/lib64/ld-2.17.so   Disabled
1972    9748ce91        0x7f4c2c99a000  0x7f4c2cb1a000  rwx     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c2cb1a000  0x7f4c2cb5b000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c2cb5b000  0x7f4c2cb7b000  r-x     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c2cb7b000  0x7f4c2cb7f000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c2cb96000  0x7f4c2cb97000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c2cb97000  0x7f4c2cb98000  r--     0x21000 253     0       17747261        /usr/lib64/ld-2.17.so   Disabled
1972    9748ce91        0x7f4c2cb98000  0x7f4c2cb99000  rw-     0x22000 253     0       17747261        /usr/lib64/ld-2.17.so   Disabled
1972    9748ce91        0x7f4c2cb99000  0x7f4c2cb9a000  rw-     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7ffd6ee52000  0x7ffd6ee73000  rw-     0x0     0       0       0       [stack] Disabled
1972    9748ce91        0x7ffd6ef66000  0x7ffd6ef68000  r-x     0x0     0       0       0       [vdso]  Disabled
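The investigation above found the process by port, followed it to /usr/bin/perl and then discovered that top (and, per the md5sum list, netstat and others) had been replaced. Once the triage tools are suspect, /proc is the ground truth those tools read anyway: /proc/net/tcp lists every IPv4 TCP socket with its inode, and the same inode appears as a socket:[N] symlink under /proc/<pid>/fd/, which leads to /proc/<pid>/exe, cmdline and environ. The following is an added example, not code from the original write-up; the function names are its own, and the sample /proc/net/tcp text is constructed, using the address pair seen in the sockstat output.

```python
"""Find the process behind a network connection by reading /proc directly.

Added example (not from the original write-up). Works without ps, top or
netstat, which matters when those binaries have been replaced. The sample
/proc/net/tcp text is constructed; the live walk needs Linux and ideally root.
"""
from __future__ import annotations

import os
import socket
import struct

# Socket states as encoded in the 'st' column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample: a listener on :80 and one connection from
# 192.168.1.236:35136 to 209.38.183.60:443, the pair seen in the memory image.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: EC01A8C0:8940 3CB726D1:01BB 01 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr: str) -> tuple[str, int]:
    """'0100007F:1F90' -> ('127.0.0.1', 8080): the IPv4 part is little-endian hex."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[dict]:
    """Parse /proc/net/tcp rows into dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or f[0] == "sl":
            continue
        rows.append({
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            "state": TCP_STATES.get(f[3], f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return rows


def connections_to(text: str, remote_ip: str) -> list[dict]:
    """Rows whose peer is remote_ip, e.g. the destination seen in a packet capture."""
    return [r for r in parse_proc_net_tcp(text) if r["remote"][0] == remote_ip]


def describe_process(pid: str, proc_root: str = "/proc") -> dict:
    """exe target, argv and whether environ is empty, read without ps or top."""
    base = os.path.join(proc_root, pid)
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = "?"

    def read(name: str) -> bytes:
        try:
            with open(os.path.join(base, name), "rb") as fh:
                return fh.read()
        except OSError:
            return b""

    argv = [a.decode(errors="replace") for a in read("cmdline").split(b"\0") if a]
    # An empty environ was one of the tells in the case above.
    return {"exe": exe, "argv": argv, "environ_empty": read("environ") == b""}


def socket_owners(inodes: set[int], proc_root: str = "/proc") -> dict[int, dict]:
    """Map socket inodes to owning PIDs by walking /proc/<pid>/fd; {} if no /proc."""
    owners: dict[int, dict] = {}
    if not os.path.isdir(proc_root):
        return owners
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not ours to read
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:[") and target.endswith("]"):
                inode = int(target[8:-1])
                if inode in inodes:
                    owners[inode] = {"pid": int(pid), **describe_process(pid, proc_root)}
    return owners


if __name__ == "__main__":
    # Live run: resolve whoever owns a connection to the address from the capture.
    with open("/proc/net/tcp") as fh:
        live = fh.read()
    hits = connections_to(live, "209.38.183.60")
    for inode, who in socket_owners({r["inode"] for r in hits}).items():
        print(inode, who)
```

Run it as root on the suspect host (copying the interpreter and script from a clean machine if the host's own tools cannot be trusted); IPv6 sockets live in /proc/net/tcp6 with 32-hex-digit addresses and would need a separate decoder.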
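The two Volatility tables above carry the indicators in raw form: a process whose backing file is /9748ce91 directly under the filesystem root, anonymous rwx regions, a long run of 2 MiB anon_hugepage mappings, and thirty thread rows that all share one socket to 209.38.183.60:443. The script below, an added example that is neither part of the original write-up nor a Volatility plugin, parses sockstat and proc.Maps output offline and reduces it to those findings per PID. The sample tables are a constructed excerpt of rows in the same format as the page's output, and the function names are its own.

```python
"""Offline triage of Volatility 3 linux.sockstat and linux.proc.Maps output.

Added example, not part of the original write-up and not a Volatility
plugin. The sample tables are a constructed excerpt in the page's format.
"""
from __future__ import annotations

import re

SAMPLE_SOCKSTAT = """\
NetNS   Process Name    PID     TID     FD      Sock Offset     Family  Type    Proto   Source Addr     Source Port     Destination Addr        Destination Port        State      Filter

4026531956      usr/sbin/httpd  1711    1711    3       0x8bae395464c0  AF_INET STREAM  TCP     192.168.1.236   55908   146.190.178.187 80      ESTABLISHED     -
4026531956      9748ce91        1972    1972    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
4026531956      9748ce91        1972    2043    15      0x8bae39542e80  AF_INET STREAM  TCP     192.168.1.236   35136   209.38.183.60   443     ESTABLISHED     -
"""

SAMPLE_MAPS = """\
PID     Process Start   End     Flags   PgOff   Major   Minor   Inode   File Path       File output

1972    9748ce91        0x400000        0xc2d000        r-x     0x0     253     0       188537  /9748ce91       Disabled
1972    9748ce91        0xe2c000        0xe60000        r--     0x82c000        253     0       188537  /9748ce91       Disabled
1972    9748ce91        0x2aaaaac00000  0x2aab2cc00000  rw-     0x0     0       14      40999   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x2aab2cc00000  0x2aab3cc00000  rw-     0x0     0       14      41000   /anon_hugepage (deleted)        Disabled
1972    9748ce91        0x7f4c28282000  0x7f4c28442000  rwx     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7f4c2bc7e000  0x7f4c2be42000  r-x     0x0     253     0       16810761        /usr/lib64/libc-2.17.so Disabled
1972    9748ce91        0x7f4c2c99a000  0x7f4c2cb1a000  rwx     0x0     0       0       0       Anonymous Mapping       Disabled
1972    9748ce91        0x7ffd6ee52000  0x7ffd6ee73000  rw-     0x0     0       0       0       [stack] Disabled
"""

# A single hex-looking path component directly under /, like /9748ce91.
ROOT_HEX_NAME = re.compile(r"^/[0-9a-f]{6,}$")


def parse_sockstat(text: str) -> dict[int, dict]:
    """Group AF_INET/AF_INET6 sockets by PID; thread rows sharing a socket collapse."""
    procs: dict[int, dict] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 15 or f[0] == "NetNS" or f[6] not in ("AF_INET", "AF_INET6"):
            continue
        entry = procs.setdefault(int(f[2]), {"process": f[1], "sockets": set(), "remotes": set()})
        entry["sockets"].add(f[5])                 # Sock Offset identifies the socket object
        entry["remotes"].add((f[11], int(f[12])))  # Destination Addr, Destination Port
    return procs


def parse_maps(text: str) -> list[dict]:
    """Parse proc.Maps rows; the file path may contain spaces, the last column is File output."""
    regions = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 11 or f[0] == "PID":
            continue
        regions.append({
            "pid": int(f[0]), "start": int(f[2], 16), "end": int(f[3], 16),
            "flags": f[4], "inode": int(f[8]), "path": " ".join(f[9:-1]),
        })
    return regions


def triage_process(sockstat_text: str, maps_text: str, pid: int) -> dict:
    """Summarise one PID: backing binary, rwx anon regions, huge pages, remote peers."""
    regions = [r for r in parse_maps(maps_text) if r["pid"] == pid]
    # The lowest file-backed, non-deleted mapping is normally the main executable.
    backed = sorted((r for r in regions if r["inode"] and r["path"].startswith("/")
                     and "(deleted)" not in r["path"]), key=lambda r: r["start"])
    exe = backed[0]["path"] if backed else None
    rwx_anon = [r for r in regions if r["flags"] == "rwx" and r["path"] == "Anonymous Mapping"]
    hugepage_bytes = sum(r["end"] - r["start"] for r in regions if "anon_hugepage" in r["path"])
    socks = parse_sockstat(sockstat_text).get(pid, {"process": None, "sockets": set(), "remotes": set()})

    findings = []
    if exe and ROOT_HEX_NAME.match(exe):
        findings.append(f"executable {exe} sits in the filesystem root under a random-looking name")
    if rwx_anon:
        findings.append(f"{len(rwx_anon)} anonymous rwx region(s): code written at run time (packer or JIT)")
    if hugepage_bytes:
        findings.append(f"{hugepage_bytes / 2**20:.0f} MiB of huge-page mappings (CPU miners commonly use huge pages)")
    for ip, port in sorted(socks["remotes"]):
        findings.append(f"peer {ip}:{port} over {len(socks['sockets'])} socket(s)")
    return {"pid": pid, "process": socks["process"], "exe": exe, "rwx_anon_regions": len(rwx_anon),
            "hugepage_bytes": hugepage_bytes, "remotes": socks["remotes"],
            "socket_count": len(socks["sockets"]), "findings": findings}


if __name__ == "__main__":
    for pid in sorted(parse_sockstat(SAMPLE_SOCKSTAT)):
        for line in triage_process(SAMPLE_SOCKSTAT, SAMPLE_MAPS, pid)["findings"]:
            print(pid, line)
```

Feed it the saved plugin output (vol ... linux.sockstat.Sockstat > sockstat.txt and vol ... linux.proc.Maps > maps.txt) instead of the embedded samples; the column positions assume process names without spaces, which holds for the tables above.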

Conclusion

In the end we still could not find the startup script. From the analysis we can conclude the following: we suspect the trojan used perl to start a local HTTP service, which periodically requested a certain URL, fetched specific commands to execute locally, deleted them afterwards, and replaced several binaries used for troubleshooting. Because the company lacked security management, had high staff turnover and insufficient basic technical capability, the servers had been running as root the whole time, which created serious risk. The best way to avoid this is privilege separation and regular traffic monitoring.