Unknown process in Jenkins - "kxjdhendlvie"

Time: 2017-05-30 09:07:15

Tags: linux jenkins amazon-ec2 process

I am running Jenkins 2.38 on Ubuntu 14.04.5 LTS, on an AWS EC2 instance.

This is the output of the top command:

top - 08:53:12 up 1 day, 39 min,  2 users,  load average: 1.37, 1.37, 1.38
Tasks: 128 total,   2 running, 126 sleeping,   0 stopped,   0 zombie
%Cpu(s): 36.1 us,  0.0 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si, 63.9 st
MiB Mem:  2000.484 total, 1916.172 used,   84.312 free,  420.863 buffers
MiB Swap: 4095.996 total,    5.953 used, 4090.043 free.  280.828 cached Mem

  PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
 3366 jenkins   20   0  231944   2976    560 S 94.9  0.1   1050:34 kxjdhendlvie
 1119 mysql     20   0 1136676 463672   1996 S  1.0 22.6  29:43.49 mysqld
 1578 www-data  20   0  490352   4644   1020 S  0.7  0.2   5:16.63 apache2
28038 root      20   0   23696   1664   1144 R  0.3  0.1   0:00.05 top

kxjdhendlvie, PID = 3366: I have never seen this before.

We also could not find anything on Google about this process in connection with Jenkins.

root@build:/proc/3366# ps aux | grep jenkins
jenkins   1233  0.0  0.0  18752   340 ?        S    May29   0:00 /usr/bin/daemon --name=jenkins --inherit --env=JENKINS_HOME=/var/lib/jenkins --output=/var/log/jenkins/jenkins.log --pidfile=/var/run/jenkins/jenkins.pid -- /usr/bin/java -Djava.awt.headless=true -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080
jenkins   1234  0.8 21.8 1655032 448576 ?      Sl   May29  12:56 /usr/bin/java -Djava.awt.headless=true -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080
jenkins   3366 88.1  0.1 231944  2976 ?        Sl   May29 1076:10 ./kxjdhendlvie -c hjyfsnkfs.conf

Directory 3366:

root@build:/proc/3366# ll -rth
total 0
dr-xr-xr-x 141 root    root    0 May 29 08:13 ../
dr-xr-xr-x   9 jenkins jenkins 0 May 29 13:00 ./
-r--r--r--   1 jenkins jenkins 0 May 29 13:00 status
-r--r--r--   1 jenkins jenkins 0 May 29 13:00 stat
-r--r--r--   1 jenkins jenkins 0 May 29 13:00 cmdline
-r--r--r--   1 jenkins jenkins 0 May 29 13:27 statm
-r--------   1 jenkins jenkins 0 May 29 16:27 environ
lrwxrwxrwx   1 jenkins jenkins 0 May 30 06:39 exe -> /var/tmp/kxjdhendlvie (deleted)
-r--r--r--   1 jenkins jenkins 0 May 30 08:36 wchan
-rw-r--r--   1 jenkins jenkins 0 May 30 08:36 uid_map
-r--r--r--   1 jenkins jenkins 0 May 30 08:36 timers
dr-xr-xr-x   6 jenkins jenkins 0 May 30 08:36 task/
-r--r--r--   1 jenkins jenkins 0 May 30 08:36 syscall
-r--r--r--   1 jenkins jenkins 0 May 30 08:36 stack
-r--r--r--   1 jenkins jenkins 0 May 30 08:36 smaps
-rw-r--r--   1 jenkins jenkins 0 May 30 08:36 setgroups
-r--r--r--   1 jenkins jenkins 0 May 30 08:36 sessionid
-r--r--r--   1 jenkins jenkins 0 May 30 08:36 schedstat
-rw-r--r--   1 jenkins jenkins 0 May 30 08:36 sched
lrwxrwxrwx   1 jenkins jenkins 0 May 30 08:36 root -> //
-rw-r--r--   1 jenkins jenkins 0 May 30 08:36 projid_map
-r--r--r--   1 jenkins jenkins 0 May 30 08:36 personality
-r--r--r--   1 jenkins jenkins 0 May 30 08:36 pagemap
-rw-r--r--   1 jenkins jenkins 0 May 30 08:36 oom_score_adj
-r--r--r--   1 jenkins jenkins 0 May 30 08:36 oom_score
-rw-r--r--   1 jenkins jenkins 0 May 30 08:36 oom_adj
-r--r--r--   1 jenkins jenkins 0 May 30 08:36 numa_maps
dr-x--x--x   2 jenkins jenkins 0 May 30 08:36 ns/
dr-xr-xr-x   5 jenkins jenkins 0 May 30 08:36 net/
-r--------   1 jenkins jenkins 0 May 30 08:36 mountstats
-r--r--r--   1 jenkins jenkins 0 May 30 08:36 mounts
-r--r--r--   1 jenkins jenkins 0 May 30 08:36 mountinfo
-rw-------   1 jenkins jenkins 0 May 30 08:36 mem
-r--r--r--   1 jenkins jenkins 0 May 30 08:36 maps
dr-x------   2 jenkins jenkins 0 May 30 08:36 map_files/
-rw-r--r--   1 jenkins jenkins 0 May 30 08:36 loginuid
-r--r--r--   1 jenkins jenkins 0 May 30 08:36 limits
-r--r--r--   1 jenkins jenkins 0 May 30 08:36 latency
-r--------   1 jenkins jenkins 0 May 30 08:36 io
-rw-r--r--   1 jenkins jenkins 0 May 30 08:36 gid_map
dr-x------   2 jenkins jenkins 0 May 30 08:36 fdinfo/
dr-x------   2 jenkins jenkins 0 May 30 08:36 fd/
lrwxrwxrwx   1 jenkins jenkins 0 May 30 08:36 cwd -> /var/tmp/
-r--r--r--   1 jenkins jenkins 0 May 30 08:36 cpuset
-rw-r--r--   1 jenkins jenkins 0 May 30 08:36 coredump_filter
-rw-r--r--   1 jenkins jenkins 0 May 30 08:36 comm
--w-------   1 jenkins jenkins 0 May 30 08:36 clear_refs
-r--r--r--   1 jenkins jenkins 0 May 30 08:36 cgroup
-r--------   1 jenkins jenkins 0 May 30 08:36 auxv
-rw-r--r--   1 jenkins jenkins 0 May 30 08:36 autogroup
dr-xr-xr-x   2 jenkins jenkins 0 May 30 08:36 attr/

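I cannot see anything related to kxjdhendlvie in /var/tmp/; it may have been deleted, but the process is still running.

Does anyone have any ideas about this? Please help me investigate.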

./kxjdhendlvie -c hjyfsnkfs.conf

Here is hjyfsnkfs.conf:

{
    "url" : "stratum+tcp://188.165.214.76:80",
    "url" : "stratum+tcp://176.31.117.82:80",
    "url" : "stratum+tcp://94.23.8.105:80",
    "url" : "stratum+tcp://37.59.51.212:80",
    "user" : "46v8xnTsBVx6BzPxb1JAGAj2fURbn6ne59sTa6kg8WEbX1yAoArxwUyMENKfFLJZ6A8b2EqDfSEaB5puwMvVyytfLmR2NoN",
    "pass" : "x",
    "algo" : "cryptonight",
    "quiet" : true
}
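
Added example (not part of the original post): the /proc listing above shows `exe -> /var/tmp/kxjdhendlvie (deleted)`, a running process whose binary was unlinked from disk. The shell functions below list every such process and copy the still-open binary out of /proc for analysis; the function names and the optional proc-root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: triage processes whose executable was deleted from disk.
# The proc-root argument is a hypothetical override (default /proc) so the
# scan can also be pointed at a constructed test tree.

# Print "PID <tab> exe <tab> cwd <tab> cmdline" for each process whose
# exe link ends in " (deleted)".
find_deleted_exe_procs() (
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        # readlink fails for kernel threads and for processes we may not read
        exe="$(readlink "$dir/exe" 2>/dev/null)" || continue
        case "$exe" in
            *" (deleted)") ;;
            *) continue ;;
        esac
        cwd="$(readlink "$dir/cwd" 2>/dev/null)" || cwd="?"
        # cmdline is NUL-separated; show it with spaces instead
        cmd="$(tr '\000' ' ' 2>/dev/null < "$dir/cmdline")" || cmd=""
        printf '%s\t%s\t%s\t%s\n' "$pid" "$exe" "$cwd" "${cmd% }"
    done
)

# Copy the binary out through /proc/PID/exe (the kernel keeps the inode
# alive while the process runs), save the command line, and print the
# SHA-256 of the recovered file.
preserve_exe() (
    pid="$1"
    outdir="$2"
    proc_root="${3:-/proc}"
    mkdir -p "$outdir" || exit 1
    cp "$proc_root/$pid/exe" "$outdir/$pid.exe" || exit 1
    tr '\000' ' ' < "$proc_root/$pid/cmdline" > "$outdir/$pid.cmdline" || exit 1
    sha256sum "$outdir/$pid.exe"
)
```

Run both functions as root so that every process's exe link is readable. Preserve the binary before killing the process, because the kernel frees the unlinked file once the last reference to it is closed.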

1 answer:

Answer 0: (score: 0)

Your Jenkins instance may have been attacked through this security vulnerability! I suggest you update your Jenkins installation...