Linux 多核CPU过高一、问题描述​ 近期使用的Linux系统上CPU的多个核心莫名其妙拉满了但是却找不到实际原因。通过命令htop可看htop需要安装二、问题分析​ 由于是在开机的时候就出现这种情况因此怀疑可能是开机自启动软件占用的原因。采用指令查看当前CPU频率lscpu | grep MHz​ 输出结果CPU(s) scaling MHz: 95% CPU max MHz: 5000.0000 CPU min MHz: 800.0000​ 即CPU几乎处于全频但是没有高占用进程怀疑以下两种情况内核线程 / 后台挂起任务如 I/O 等待某个被隐藏的系统守护进程或驱动在“空转”Spinning有些驱动写得有问题时会在底层进入死循环。它们不消耗用户态的 CPU 时间所以在 htop 里看进程 CPU 占用很低但一直在内核态疯狂空转从而把 CPU 核心榨干。查看系统内核报错日志sudo dmesg -T | tail -n 40​ 输出如sudo dmesg -T | tail -n 40 [Mon Jul 13 16:21:15 2026] ACPI Error: Aborting method _SB.PC00.PEG1.PEGP._DSM due to previous error (AE_ALREADY_EXISTS) (20250404/psparse-529) [Mon Jul 13 16:21:15 2026] audit: type1400 audit(1783930875.329:2): apparmorSTATUS operationprofile_load profileunconfined namechrome pid802 commapparmor_parser [Mon Jul 13 16:21:15 2026] audit: type1400 audit(1783930875.329:3): apparmorSTATUS operationprofile_load profileunconfined name1password pid791 commapparmor_parser [Mon Jul 13 16:21:15 2026] audit: type1400 audit(1783930875.329:4): apparmorSTATUS operationprofile_load profileunconfined namebrave pid796 commapparmor_parser [Mon Jul 13 16:21:15 2026] audit: type1400 audit(1783930875.329:5): apparmorSTATUS operationprofile_load profileunconfined namebalena-etcher pid795 commapparmor_parser [Mon Jul 13 16:21:15 2026] audit: type1400 audit(1783930875.329:6): apparmorSTATUS operationprofile_load profileunconfined nameDiscord pid792 commapparmor_parser [Mon Jul 13 16:21:15 2026] audit: type1400 audit(1783930875.329:7): apparmorSTATUS operationprofile_load profileunconfined nameevolution pid809 commapparmor_parser [Mon Jul 13 16:21:15 2026] audit: type1400 audit(1783930875.329:8): apparmorSTATUS operationprofile_load profileunconfined nameQtWebEngineProcess pid794 commapparmor_parser [Mon Jul 13 16:21:15 2026] audit: type1400 audit(1783930875.329:9): apparmorSTATUS operationprofile_load profileunconfined namech-run pid801 commapparmor_parser [Mon Jul 13 16:21:15 2026] audit: type1400 audit(1783930875.329:10): apparmorSTATUS operationprofile_load profileunconfined namevscode pid803 commapparmor_parser [Mon Jul 13 16:21:15 2026] [drm] Initialized nvidia-drm 0.0.0 for 0000:01:00.0 on minor 1 [Mon Jul 13 16:21:15 2026] nvidia 0000:01:00.0: vgaarb: deactivate vga console [Mon Jul 13 16:21:15 2026] nvme nvme0: using unchecked data buffer [Mon Jul 13 16:21:15 2026] NET: Registered PF_QIPCRTR protocol family [Mon Jul 13 16:21:15 2026] fbcon: nvidia-drmdrmfb (fb0) is primary device [Mon Jul 13 16:21:15 2026] fbcon: Deferring console take-over [Mon Jul 13 16:21:15 2026] nvidia 0000:01:00.0: [drm] fb0: nvidia-drmdrmfb frame buffer device [Mon Jul 13 16:21:15 2026] loop14: detected capacity change from 0 to 8 [Mon Jul 13 16:21:15 2026] nvidia_uvm: module uses symbols nvUvmInterfaceDisableAccessCntr from proprietary module nvidia, inheriting taint. [Mon Jul 13 16:21:15 2026] Realtek Internal NBASE-T PHY r8169-0-600:00: attached PHY driver (mii_bus:phy_addrr8169-0-600:00, irqMAC) [Mon Jul 13 16:21:15 2026] r8169 0000:06:00.0 enp6s0: Link is Down [Mon Jul 13 16:21:16 2026] process /usr/bin/403OkD6G started with executable stack [Mon Jul 13 16:21:18 2026] r8169 0000:06:00.0 enp6s0: Link is Up - 100Mbps/Full - flow control rx/tx [Mon Jul 13 16:21:19 2026] rfkill: input handler disabled [Mon Jul 13 16:21:28 2026] systemd-journald[468]: /var/log/journal/7057d44a7b8d40d68054bb27074fc109/user-1000.journal: Journal file uses a different sequence number ID, rotating. [Mon Jul 13 16:21:29 2026] rfkill: input handler enabled [Mon Jul 13 16:21:31 2026] kauditd_printk_skb: 153 callbacks suppressed [Mon Jul 13 16:21:31 2026] audit: type1400 audit(1783930891.842:164): apparmorDENIED operationsymlink classfile profilesnap.snapd-desktop-integration.snapd-desktop-integration name/dev/char/195:255 pid2746 commsnapd-desktop-i requested_maskc denied_maskc fsuid1000 ouid1000 [Mon Jul 13 16:21:31 2026] audit: type1400 audit(1783930891.844:165): apparmorDENIED operationsymlink classfile profilesnap.snapd-desktop-integration.snapd-desktop-integration name/dev/char/195:0 pid2746 commsnapd-desktop-i requested_maskc denied_maskc fsuid1000 ouid1000 [Mon Jul 13 16:21:31 2026] audit: type1400 audit(1783930891.844:166): apparmorDENIED operationsymlink classfile profilesnap.snapd-desktop-integration.snapd-desktop-integration name/dev/char/195:0 pid2746 commsnapd-desktop-i requested_maskc denied_maskc fsuid1000 ouid1000 [Mon Jul 13 16:21:31 2026] audit: type1400 audit(1783930891.845:167): apparmorDENIED operationsymlink classfile profilesnap.snapd-desktop-integration.snapd-desktop-integration name/dev/char/195:0 pid2746 commsnapd-desktop-i requested_maskc denied_maskc fsuid1000 ouid1000 [Mon Jul 13 16:21:31 2026] audit: type1400 audit(1783930891.852:168): apparmorDENIED operationsymlink classfile profilesnap.snapd-desktop-integration.snapd-desktop-integration name/dev/char/195:255 pid2746 commsnapd-desktop-i requested_maskc denied_maskc fsuid1000 ouid1000 [Mon Jul 13 16:21:31 2026] audit: type1400 audit(1783930891.852:169): apparmorDENIED operationsymlink classfile profilesnap.snapd-desktop-integration.snapd-desktop-integration name/dev/char/195:254 pid2746 commsnapd-desktop-i requested_maskc denied_maskc fsuid1000 ouid1000 [Mon Jul 13 16:21:31 2026] audit: type1400 audit(1783930891.852:170): apparmorDENIED operationsymlink classfile profilesnap.snapd-desktop-integration.snapd-desktop-integration name/dev/char/195:0 pid2746 commsnapd-desktop-i requested_maskc denied_maskc fsuid1000 ouid1000 [Mon Jul 13 16:21:31 2026] audit: type1400 audit(1783930891.853:171): apparmorDENIED operationsymlink classfile profilesnap.snapd-desktop-integration.snapd-desktop-integration name/dev/char/195:0 pid2746 commsnapd-desktop-i requested_maskc denied_maskc fsuid1000 ouid1000 [Mon Jul 13 16:21:31 2026] audit: type1107 audit(1783930891.857:172): pid963 uid101 auid4294967295 ses4294967295 subjunconfined msgapparmorDENIED operationdbus_method_call bussystem path/org/freedesktop/DBus interfaceorg.freedesktop.DBus memberListNames masksend nameorg.freedesktop.DBus pid2746 labelsnap.snapd-desktop-integration.snapd-desktop-integration peer_labelunconfined exe/usr/bin/dbus-daemon sauid101 hostname? addr? terminal? [Mon Jul 13 16:21:32 2026] rfkill: input handler disabled [Mon Jul 13 16:35:58 2026] perf: interrupt took too long (2510 2500), lowering kernel.perf_event_max_sample_rate to 79000 [Mon Jul 13 16:43:37 2026] perf: interrupt took too long (3140 3137), lowering kernel.perf_event_max_sample_rate to 63000​ 其中有一行如[Mon Jul 13 16:21:16 2026] process /usr/bin/403OkD6G started with executable stack​ 这个是名字随机、具有可执行堆栈的隐藏进程正规软件不会在/usr/bin下放随机名字这极可能是一个隐藏在后台挖矿或执行恶意任务的木马程序。三、解决方案1、杀死进程第一步检查并杀死那个名为 403OkD6G或类似随机名字的进程运行以下命令看看它还在不在ps -ef | grep -E 403OkD6G|/usr/bin/输出nvidia- 1351 1 0 16:21 ? 00:00:00 /usr/bin/nvidia-persistenced --user nvidia-persistenced --no-persistence-mode --verbose xd 2371 2355 0 16:21 ? 00:00:00 /usr/bin/pipewire xd 2372 2355 0 16:21 ? 00:00:00 /usr/bin/pipewire -c filter-chain.conf xd 2375 2355 0 16:21 ? 00:00:00 /usr/bin/wireplumber xd 2376 2355 0 16:21 ? 00:00:00 /usr/bin/pipewire-pulse xd 2380 2355 0 16:21 ? 00:00:00 /usr/bin/gnome-keyring-daemon --foreground --componentspkcs11,secrets --control-directory/run/user/1000/keyring xd 2389 2355 0 16:21 ? 00:00:00 /usr/bin/dbus-daemon --session --addresssystemd: --nofork --nopidfile --systemd-activation --syslog-only xd 2486 2344 0 16:21 tty2 00:00:00 /usr/libexec/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODEubuntu /usr/bin/gnome-session --sessionubuntu xd 2580 2573 0 16:21 ? 00:00:00 /usr/bin/dbus-daemon --config-file/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 11 --addressunix:path/run/user/1000/at-spi/bus_1 xd 2668 2355 0 16:21 ? 00:00:04 /usr/bin/gnome-shell xd 2695 2355 0 16:21 ? 00:00:00 /snap/snapd-desktop-integration/343/usr/bin/snapd-desktop-integration xd 2746 2695 0 16:21 ? 00:00:00 /snap/snapd-desktop-integration/343/usr/bin/snapd-desktop-integration xd 2811 2355 0 16:21 ? 00:00:00 /usr/bin/gjs -m /usr/share/gnome-shell/org.gnome.Shell.Notifications xd 2832 2355 0 16:21 ? 00:00:00 /usr/bin/ibus-daemon --panel disable --xim xd 3147 2355 0 16:21 ? 00:00:00 /usr/bin/gjs -m /usr/share/gnome-shell/org.gnome.ScreenSaver xd 3456 2355 0 16:21 ? 00:00:00 /usr/bin/python3 /usr/bin/gnome-terminal --wait xd 3458 3456 0 16:21 ? 00:00:00 /usr/bin/gnome-terminal.real --wait xd 3537 2355 0 16:21 ? 00:00:00 /usr/bin/python3 /usr/bin/gnome-terminal --wait xd 3540 3537 0 16:21 ? 00:00:00 /usr/bin/gnome-terminal.real --wait xd 4037 2621 0 16:22 ? 00:00:00 /usr/bin/update-notifier xd 6399 2355 0 16:27 ? 00:00:00 /usr/bin/python3 /usr/bin/gnome-terminal --wait xd 6402 6399 0 16:27 ? 00:00:00 /usr/bin/gnome-terminal.real --wait xd 37782 8647 0 16:53 pts/4 00:00:00 grep --colorauto -E 403OkD6G|/usr/bin/第二步全局排查 /usr/bin/ 下的近期可疑文件find /usr/bin/ -type f -mmin -60第三步检查你的定时任务Cron和自启动项crontab -l sudo crontab -l ls -la /etc/cron.d/输出no crontab for xd no crontab for root total 36 drwxr-xr-x 2 root root 4096 Jul 12 04:00 . drwxr-xr-x 145 root root 12288 Jul 13 16:48 .. -rw-r--r-- 1 root root 219 Nov 17 2023 anacron -rw-r--r-- 1 root root 35 Jul 12 04:00 apw0sHy9 -rw-r--r-- 1 root root 201 Apr 8 2024 e2scrub_all -rw-r--r-- 1 root root 102 Mar 31 2024 .placeholder -rw-r--r-- 1 root root 396 Jan 10 2024 sysstat从结果中可看出日志中存在随机乱码可执行文件 403OkD6G|/usr/bin/定时任务目录出现垃圾文件apw0sHy9首先查看/etc/cron.d/apw0sHy9 里面写了什么恶心的东西sudo cat /etc/cron.d/apw0sHy9输出*/1 * * * * root /bin/403OkD6G 1 1​此任务内容相当于每隔一分钟系统就以root权限去执行一次/bin/4030kD6G下面执行删除操作sudo rm -f /etc/cron.d/apw0sHy9 sudo rm -f /bin/403OkD6G sudo pkill -f 403OkD6G​为确保删除完全检查/bin/其他地方还有没有长得像的随机文件ls -lt /bin/ | head -n 20​ 输出total 425976 -rwxr-xr-x 1 root root 9006304 Jul 12 04:01 lsof -rwxr-xr-x 1 root root 9001832 Jul 12 04:01 netstat -rwxr-xr-x 1 root root 9001696 Jul 12 04:00 ss lrwxrwxrwx 1 root root 24 Jul 7 20:01 awesun - /usr/local/awesun/awesun -rwxr-xr-x 2 root root 2346 Jul 3 19:53 gunzip -rwxr-xr-x 1 root root 6480 Jul 3 19:53 gzexe -rwxr-xr-x 1 root root 93424 Jul 3 19:53 gzip -rwxr-xr-x 2 root root 2346 Jul 3 19:53 uncompress -rwxr-xr-x 1 root root 1984 Jul 3 19:53 zcat -rwxr-xr-x 1 root root 1678 Jul 3 19:53 zcmp -rwxr-xr-x 1 root root 6447 Jul 3 19:53 zdiff -rwxr-xr-x 1 root root 29 Jul 3 19:53 zegrep -rwxr-xr-x 1 root root 29 Jul 3 19:53 zfgrep -rwxr-xr-x 1 root root 2081 Jul 3 19:53 zforce -rwxr-xr-x 1 root root 8103 Jul 3 19:53 zgrep -rwxr-xr-x 1 root root 2206 Jul 3 19:53 zless -rwxr-xr-x 1 root root 1842 Jul 3 19:53 zmore -rwxr-xr-x 1 root root 4577 Jul 3 19:53 znew lrwxrwxrwx 1 root root 3 Jul 1 05:25 captoinfo - tic​检查有没有别的定时任务残留sudo grep -r 403OkD6G /etc/cron* /var/spool/cron/​ 输出/etc/cron.daily/6En2M3Ew:/1 * * * * root /bin/403OkD6G 1 1 /etc/cron.hourly/iKYlCnBE:/1 * * * * root /bin/403OkD6G 1 1 /etc/cron.monthly/PCyAcXFH:/1 * * * * root /bin/403OkD6G 1 1 /etc/cron.weekly/WUBJGuRx:/1 * * * * root /bin/403OkD6G 1 1​ 这个木马的设计非常阴险它不仅在 cron.d 里留了后门还在所有常规的定时任务目录daily, hourly, monthly, weekly里全部复制了一份触发脚本并且在 /bin/ 目录下还残留了 lsof、netstat、ss 等被恶意替换/植入的工具注意看它们的修改时间是 Jul 12 04:01。2、清楚木马残留​1. 清理所有的恶意定时任务文件sudo rm -f /etc/cron.d/apw0sHy9 sudo rm -f /etc/cron.daily/6En2M3Ew sudo rm -f /etc/cron.hourly/iKYlCnBE sudo rm -f /etc/cron.monthly/PCyAcXFH sudo rm -f /etc/cron.weekly/WUBJGuRx​2. 删除木马的主程序sudo rm -f /bin/403OkD6G​3. 彻底杀死正在运行的木马进程sudo pkill -f 403OkD6G sudo pkill -f 6En2M3Ew sudo pkill -f iKYlCnBE​4.修复被篡改的系统命令 (lsof, netstat, ss)sudo apt update sudo apt install --reinstall lsof net-tools iproute2 coreutils​ 执行过程中出现报错dpkg: error processing archive /var/cache/apt/archives/iproute2_6.1.0-1ubuntu6.4_amd64.deb (--unpack): unable to make backup link of ./bin/ss before installing new version: Operation not permitted​ 这说明/bin/ss以及其他被篡改的系统文件被赋予了防修改属性Immutable 属性导致即使你是 root 用户系统也无法直接覆盖或删除它们这是高级恶意软件的惯用伎俩用来防止管理员通过包管理器修复系统。3、修复防修改文件1. 解除 /bin/ 下关键文件的锁定属性sudo lsattr /bin/ss /bin/lsof /bin/netstat强制解除这些文件的防修改锁定sudo chattr -i /bin/ss /bin/lsof /bin/netstat2. 手动清理掉这些被篡改的文件sudo rm -f /bin/ss /bin/lsof /bin/netstat3. 再次重新安装这些被破坏的包sudo apt install --reinstall lsof net-tools iproute2 coreutils执行过程中出现错误E: Internal Error, No file name for coreutils:amd64这是因为一开始安装的时候出现中断导致的没有出现这一步的朋友可以跳过这一步操作执行修复损坏的包依赖关系sudo apt --fix-broken install sudo apt clean sudo apt install --reinstall lsof net-tools iproute2 coreutils执行完毕后进行安全检查,查看其属性有没有出现isudo lsattr /bin/ss /bin/lsof /bin/netstat检查通过则重启电脑sudo reboot重启电脑后使用htop命令发现正常了。四、安全防护​ 本次问题是被攻击导致木马入侵因此需要添加安全防护。主要思路如下加固SSH安全配置防火墙修改登录密码1、加固SSH安全修改默认端口,打开SSH配置文件sudo nano /etc/ssh/sshd_config找到#Port 22 这一行没有找到就自行添加修改端口号如Port 2567禁止ROOT用户远程登录,找到#PermitRootLogin prohibit-password 或者 yes 找到就修改找不到则直接添加PermitRootLogin no保存并退出 (Ctrl O, Enter, Ctrl X)。重启SSH服务sudo systemctl restart ssh安装fail2ban防止暴力破解sudo apt install fail2ban sudo systemctl enable --now fail2ban原理如果有人连续 3-5 次输错 SSH 密码fail2ban 会自动调用防火墙把这个人的 IP 地址封禁一段时间默认 10 分钟。2、配置防火墙检查防火墙状态sudo ufw status如果显示 inactive未激活请执行sudo ufw default deny incoming sudo ufw default allow outgoing sudo ufw allow 2567/tcp # 把 2244 换成你实际修改的新 SSH 端口 sudo ufw enable3、修改登录密码修改当前用户密码passwd修改root密码sudo passwd root建议密码包含大小写字母数字特殊符号五、测试ssh端口修改后测试填写linux上ip、username和修改后的端口号能够正常连接即为成功采用mobaxterm测试是否能够使用root密码登录同上username改为root即便输入正确密码也无法直接进入root模式在使用普通用户名登录之后再输入sudo -i即可正常登录root