Ch0 Overview
Some time ago, the server I have exposed to the public internet, which hosts my personal blog and a few development-related services, started showing abnormal CPU usage: the load repeatedly swung between 60% and 100% on a cycle of about 3 seconds. At first I assumed some background service was busy analysing a task. When I looked at the background tasks with top, I found that the following three commands were being executed in a loop:
ps aux
pkill -f perfcc
pkill -f Diagserver
Because the host has the Beszel performance-monitor Agent installed, I assumed it was a network fault, or a backlog of server performance queries that after a while turned into this continuous 3-second cycle of calls. So I rebooted the server, and the strange CPU usage was gone.
After a while, roughly one or two weeks later, the strange CPU usage came back. I thought the instability of the NPS proxy might have caused the Beszel tasks to pile up. So I rebooted the server and the usage disappeared again. About half a month later the CPU usage reappeared, and again I rebooted. This time, however, the problem came back after only two days. So I had no choice but to look carefully into where it was coming from.
CH1 Sorting out the problem
As mentioned above, the following three commands were executing in a loop on some kind of period, roughly 3 seconds:
ps aux
pkill -f perfcc
pkill -f Diagserver
Because these three commands run at such a high frequency, the CPU is saturated by ps, pkill and their child processes. In particular, ps aux has to read a large amount of information from /proc, which drives CPU usage to 100%.
Second problem: these three commands are invoked by a user called 1001, which looks like a system user.
Third problem: generally this strange usage only appears between one day and two weeks after the machine has been rebooted, so it is not a regular cron loop; it may be some delayed-trigger or condition-triggered task.
So it could be caused by one of the following:
| Type | Characteristic | Trigger condition |
|---|---|---|
| Delayed systemd service/timer | systemctl list-timers shows it only runs at some future time | First trigger after the system has been up for n hours/days |
| One-off scheduled task | Runs only once | An at job that was written once |
| Condition-triggered compatibility script | Only runs kill when a particular state is detected | e.g. detecting a process hogging resources, a memory leak |
| Business-logic-triggered script | Coupled to application functionality | Scheduled operations at the application level |
| External cron | Depends on NTP time sync before its first run | Triggered immediately after network time synchronisation |
CH2 Drawing up a diagnostic plan
SE1 Check all systemd timers
# List all timers and their next run time
systemctl list-timers --all
# Check the most recent execution records
journalctl -u "perfcc" -u "Diagserver" --since "1 hour ago" --no-pager
The result was as follows:
orangepi@orangepi5plus:~$ systemctl list-timers --all
NEXT LEFT LAST PASSED UNIT ACTIVATES
Tue 2026-02-17 02:50:00 CST 4min 9s left Tue 2026-02-17 02:40:06 CST 5min ago sysstat-collect.timer sysstat-collect.service
Tue 2026-02-17 06:12:48 CST 3h 26min left Mon 2026-02-16 06:34:24 CST 20h ago apt-daily-upgrade.timer apt-daily-upgrade.service
Tue 2026-02-17 11:09:47 CST 8h left Mon 2026-02-16 18:30:16 CST 8h ago apt-daily.timer apt-daily.service
Wed 2026-02-18 00:00:00 CST 21h left Tue 2026-02-17 00:00:00 CST 2h 45min ago dpkg-db-backup.timer dpkg-db-backup.service
Wed 2026-02-18 00:00:00 CST 21h left Tue 2026-02-17 00:00:00 CST 2h 45min ago logrotate.timer logrotate.service
Wed 2026-02-18 00:07:00 CST 21h left Tue 2026-02-17 00:07:18 CST 2h 38min ago sysstat-summary.timer sysstat-summary.service
Wed 2026-02-18 00:34:33 CST 21h left Tue 2026-02-17 00:34:34 CST 2h 11min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Wed 2026-02-18 01:22:38 CST 22h left Tue 2026-02-17 02:33:04 CST 12min ago man-db.timer man-db.service
Sun 2026-02-22 03:10:52 CST 5 days left Sun 2026-02-15 03:10:24 CST 1 day 23h ago e2scrub_all.timer e2scrub_all.service
Mon 2026-02-23 01:10:30 CST 5 days left Mon 2026-02-16 01:10:24 CST 1 day 1h ago fstrim.timer fstrim.service
10 timers listed.
orangepi@orangepi5plus:~$ journalctl -u "perfcc" -u "Diagserver" --since "1 hour ago" --no-pager
-- No entries --
Nothing related showed up among the scheduled tasks.
SE2 Check atd one-off jobs
# List pending at jobs
atq
# Show job details (assuming the job ID is 1)
at -c 1
# Check the execution history of at jobs
grep -r "atd" /var/log/ 2>/dev/null | tail -50
Running these also turned up no related jobs.
SE3 Check low-frequency jobs in crontab
# Check user 1001's crontab (including inactive entries)
crontab -u 1001 -l 2>/dev/null
# Check system-level low-frequency cron jobs (e.g. daily at 00:00, every Monday)
ls -la /etc/cron.d/
cat /etc/crontab
# Search all cron files for "perfcc" or "Diagserver"
grep -r "perfcc\|Diagserver" /etc/cron* /var/spool/cron/ 2>/dev/null
The result was as follows:
orangepi@orangepi5plus:~$ crontab -u 1001 -l 2>/dev/null
orangepi@orangepi5plus:~$
# 检查系统级低频 cron(比如每天 0 点、每周一等)
ls -la /etc/cron.d/
cat /etc/crontab
# 搜索所有 cron 文件中是否包含 "perfcc" 或 "Diagserver"
grep -r "perfcc\|Diagserver" /etc/cron* /var/spool/cron/ 2>/dev/null
total 28
drwxr-xr-x 2 root root 4096 Nov 20 2024 .
drwxr-xr-x 108 root root 4096 Feb 15 00:28 ..
-rw-r--r-- 1 root root 202 Jan 9 2022 e2scrub_all
-rw-r--r-- 1 root root 127 May 23 2023 orangepi-truncate-logs
-rw-r--r-- 1 root root 103 May 23 2023 orangepi-updates
-rw-r--r-- 1 root root 102 Mar 23 2022 .placeholder
-rw-r--r-- 1 root root 396 Feb 3 2021 sysstat
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
# You can also override PATH, but by default, newer versions inherit it from the environment
#PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
The result shows that user 1001's crontab is empty.
SE4 Check whether any application script triggers kill under specific conditions, and look in the system logs for the time the problem starts
# Search all executable scripts for "pkill -f perfcc" or "pkill -f Diagserver"
find /opt /srv /home /usr/local -type f -name "*.sh" 2>/dev/null | xargs grep -l "pkill.*perfcc\|pkill.*Diagserver" 2>/dev/null
# Also search Python/Perl scripts, if there are any
find /opt /srv /home /usr/local -type f \( -name "*.py" -o -name "*.pl" \) 2>/dev/null | xargs grep -l "pkill\|subprocess.*kill" 2>/dev/null
# Find the first point in syslog where pkill/ps appears
# (Ubuntu/Debian)
grep -n "pkill\|ps aux" /var/log/syslog | head -20
# Compare timestamps to see whether they match some scheduled task or application operation
The result was as follows:
orangepi@orangepi5plus:~$ find /opt /srv /home /usr/local -type f -name "*.sh" 2>/dev/null | xargs grep -l "pkill.*perfcc\|pkill.*Diagserver" 2>/dev/null
orangepi@orangepi5plus:~$ find /opt /srv /home /usr/local -type f \( -name "*.py" -o -name "*.pl" \) 2>/dev/null | xargs grep -l "pkill\|subprocess.*kill" 2>/dev/null
/home/orangepi/application/difyai/dify/docker/volumes/plugin_daemon/cwd/langgenius/openai_api_compatible-0.0.22@88c295aff1ea52ea6ab56e3869ee37702d91f7b678c547254cf2b48271c8e81f/.venv/lib/python3.12/site-packages/anyio/abc/_subprocesses.py
/home/orangepi/application/difyai/dify/docker/volumes/plugin_daemon/cwd/langgenius/openai_api_compatible-0.0.22@88c295aff1ea52ea6ab56e3869ee37702d91f7b678c547254cf2b48271c8e81f/.venv/lib/python3.12/site-packages/gevent/testing/patched_tests_setup.py
/home/orangepi/application/difyai/dify/docker/volumes/plugin_daemon/cwd/langgenius/siliconflow-0.0.27@3c4e37fef7455da28d36d559dde85201fc0b4f1819b80cd24eba56da15a711f9/.venv/lib/python3.12/site-packages/anyio/abc/_subprocesses.py
/home/orangepi/application/difyai/dify/docker/volumes/plugin_daemon/cwd/langgenius/siliconflow-0.0.27@3c4e37fef7455da28d36d559dde85201fc0b4f1819b80cd24eba56da15a711f9/.venv/lib/python3.12/site-packages/gevent/testing/patched_tests_setup.py
/home/orangepi/application/difyai/dify/docker/volumes/plugin_daemon/cwd/langgenius/moonshot-0.0.8@39b2074f0d4dd3a739eae2e6b8825ee8c7bc0b4ebda817decafe1d368c84fae2/.venv/lib/python3.12/site-packages/anyio/abc/_subprocesses.py
/home/orangepi/application/difyai/dify/docker/volumes/plugin_daemon/cwd/langgenius/moonshot-0.0.8@39b2074f0d4dd3a739eae2e6b8825ee8c7bc0b4ebda817decafe1d368c84fae2/.venv/lib/python3.12/site-packages/gevent/testing/patched_tests_setup.py
/home/orangepi/application/difyai/dify/docker/volumes/plugin_daemon/cwd/langgenius/openrouter-0.0.22@99ef4cf4e08292c28806abaf24f295ed66e04e4b9e74385b487fd0767c7f56df/.venv/lib/python3.12/site-packages/anyio/abc/_subprocesses.py
/home/orangepi/application/difyai/dify/docker/volumes/plugin_daemon/cwd/langgenius/openrouter-0.0.22@99ef4cf4e08292c28806abaf24f295ed66e04e4b9e74385b487fd0767c7f56df/.venv/lib/python3.12/site-packages/gevent/testing/patched_tests_setup.py
/home/orangepi/application/difyai/dify/docker/volumes/plugin_daemon/cwd/langgenius/ollama-0.0.7@8fc496b3892344da47db6125c76fc0dbfd8020753f198032751d83f561d9443e/.venv/lib/python3.12/site-packages/anyio/abc/_subprocesses.py
/home/orangepi/application/difyai/dify/docker/volumes/plugin_daemon/cwd/langgenius/ollama-0.0.7@8fc496b3892344da47db6125c76fc0dbfd8020753f198032751d83f561d9443e/.venv/lib/python3.12/site-packages/gevent/testing/patched_tests_setup.py
orangepi@orangepi5plus:~$ sudo grep -n "pkill\|ps aux" /var/log/syslog | head -20
[sudo] password for orangepi:
orangepi@orangepi5plus:
I looked at these Dify files; they are just Python async-related code.
SE5 Interim summary
In summary, this is not an ordinary cron job or systemd timer; it may be something more hidden.
CH3 Digging deeper
Since it is not an ordinary scheduled task, I need to work out what user 1001 is.
Use the following commands to look up the user information:
# Look up user 1001
id 1001
grep "^1001:" /etc/passwd
# Check that user's recent login records
last -10 | grep 1001
Running these shows that the user does not exist:
orangepi@orangepi5plus:~$ id 1001
id: ‘1001’: no such user
orangepi@orangepi5plus:~$ grep "^1001:" /etc/passwd
orangepi@orangepi5plus:~$ last -10 | grep 1001
Now this is interesting. It means either that user 1001 once existed and has been deleted while its processes are still running, or that some program creates user 1001 only while it runs and deletes it when done. I need to check whether there are other user-related scheduled tasks.
# Check whether /var/spool/cron/crontabs/ has a file for that user
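A numeric UID that the host's /etc/passwd does not know, while processes still run under it, is also what a user defined only inside a container image looks like from the host. The following is an added example, not part of the original post: a POSIX shell function that takes a ps snapshot and the contents of a passwd file, lists every process whose UID has no passwd entry, and walks its parent chain back to PID 1 so the spawning parent can be identified. The ps snapshot and passwd contents are constructed samples; `scan_host` assumes a Linux host with procps and /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original post. Given a `ps -eo pid,ppid,uid,args`
# snapshot and the contents of a passwd file, print every process whose UID has
# no passwd entry together with its ancestry back to PID 1. When the UID belongs
# to a user defined only inside a container image, the chain ends at the
# container runtime's shim rather than at a cron or systemd parent.

# Constructed sample snapshot modelled on the post's symptoms (not real output).
SAMPLE_PS='PID PPID UID CMD
1 0 0 /lib/systemd/systemd --system
43855 1 0 /usr/bin/containerd
47588 1 0 /usr/bin/dockerd
6100 43855 0 /usr/bin/containerd-shim-runc-v2 -namespace moby -id abc123
6120 6100 1001 /bin/sh /app/watch.sh
6121 6120 1001 ps aux
6122 6120 1001 pkill -f perfcc
1200 1 1000 /usr/bin/beszel-agent'

# Constructed host passwd: only root and the uid-1000 login user exist.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
orangepi:x:1000:1000::/home/orangepi:/bin/bash'

# unknown_uid_procs PS_SNAPSHOT PASSWD_CONTENT
# Output, one line per process whose UID is absent from passwd:
#   <pid> uid=<uid> <pid>(<cmd>) <- <ppid>(<cmd>) <- ... <- 1(<cmd>)
unknown_uid_procs() {
  {
    printf '%s\n' "$2"
    printf '%s\n' '---PS---'
    printf '%s\n' "$1"
  } | awk '
    $0 == "---PS---" { section = "ps"; next }
    section != "ps" {                 # passwd section: remember every known UID
      split($0, f, ":"); known[f[3]] = 1; next
    }
    $1 == "PID" { next }              # skip the ps header line
    {
      pid = $1; ppid[pid] = $2; uid[pid] = $3
      c = $4; for (i = 5; i <= NF; i++) c = c " " $i
      cmd[pid] = c; order[++k] = pid
    }
    END {
      for (j = 1; j <= k; j++) {
        p = order[j]
        if (uid[p] in known) continue
        chain = p "(" cmd[p] ")"
        q = ppid[p]; s = 0
        # walk parents until ppid 0 (the kernel), bounded against ppid cycles
        while ((q in ppid) && s < 64) {
          chain = chain " <- " q "(" cmd[q] ")"
          q = ppid[q]; s++
        }
        print p " uid=" uid[p] " " chain
      }
    }'
}

# scan_host: the same check against the live system
# (assumes a Linux host with procps ps and a readable /etc/passwd).
scan_host() {
  unknown_uid_procs "$(ps -eo pid,ppid,uid,args)" "$(cat /etc/passwd)"
}

# Demonstration on the constructed sample: the three uid-1001 processes are
# listed, each traced through the shim to containerd and PID 1.
unknown_uid_procs "$SAMPLE_PS" "$SAMPLE_PASSWD"
```

On a live host, run `scan_host` and then map the PID at the end of each chain with `docker top`/`ps` to see which container or service owns the unknown UID.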
ls -la /var/spool/cron/crontabs/
# Inspect the contents of every file in /etc/cron.d/
cat /etc/cron.d/*
The result:
orangepi@orangepi5plus:~$ sudo ls -la /var/spool/cron/crontabs/
total 8
drwx-wx--T 2 root crontab 4096 Mar 23 2022 .
drwxr-xr-x 3 root root 4096 Oct 22 2024 ..
orangepi@orangepi5plus:~$ cat /etc/cron.d/*
30 3 * * 0 root test -e /run/systemd/system || SERVICE_MODE=1 /usr/lib/aarch64-linux-gnu/e2fsprogs/e2scrub_all_cron
10 3 * * * root test -e /run/systemd/system || SERVICE_MODE=1 /sbin/e2scrub_all -A -r
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/15 * * * * root /usr/lib/orangepi/orangepi-truncate-logs
@reboot root /usr/lib/orangepi/orangepi-apt-updates
@daily root /usr/lib/orangepi/orangepi-apt-updates
# The first element of the path is a directory where the debian-sa1
# script is located
PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin
# Activity reports every 10 minutes everyday
5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
# Additional run at 23:59 to rotate the statistics file
59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2
There is an orangepi-truncate-logs script that runs every 15 minutes, which might be related. But it is only a log-truncation script; it is unlikely to saturate the CPU and unlikely to use those three commands.
So I need to look at the actual user of the running ps/pkill processes.
# Show all pkill/ps processes with detailed user information
ps -eo pid,ppid,uid,user,cmd | grep -E "pkill|ps aux" | grep -v grep
# The numeric UID can also be shown
ps -eo pid,ppid,uid,user,cmd | head -20
At the same time I need to examine the orangepi-truncate-logs script.
# View the script
sudo cat /usr/lib/orangepi/orangepi-truncate-logs
# Check whether the script is invoked anywhere else
grep -r "orangepi-truncate-logs" /etc/ 2>/dev/null
I also need to find out what processes perfcc and Diagserver are.
# Search for these processes
ps aux | grep -i "perfcc\|Diagserver" | grep -v grep
# Search for the executables
sudo find /usr /opt /home -type f -name "*perfcc*" 2>/dev/null
sudo find /usr /opt /home -type f -name "*Diagserver*" 2>/dev/null
# Check whether they are systemd services
systemctl list-units --all | grep -iE "perf|diag"
I also need to check the system logs for when the problem first appeared:
# View the authentication log (may contain login information)
sudo tail -100 /var/log/auth.log
# View the recent system log
sudo tail -100 /var/log/syslog
# Search the logs for a specific time window (if you roughly know when it started)
sudo journalctl --since "2026-02-15 00:00:00" --until "2026-02-16 00:00:00" --no-pager | grep -iE "pkill|ps.*aux"
And whether there are any leftover processes running as UID 1001:
# Find all processes running as UID 1001
ps -eo pid,ppid,uid,user,cmd | awk '$3==1001 {print}'
# Or use pgrep
pgrep -U 1001 -a
The results of the commands above are as follows:
orangepi@orangepi5plus:~$ ps -eo pid,ppid,uid,user,cmd | grep -E "pkill|ps aux" | grep -v grep
orangepi@orangepi5plus:~$ ps -eo pid,ppid,uid,user,cmd | head -20
PID PPID UID USER CMD
1 0 0 root /lib/systemd/systemd --system --deserialize 74
2 0 0 root [kthreadd]
3 2 0 root [rcu_gp]
4 2 0 root [rcu_par_gp]
8 2 0 root [mm_percpu_wq]
9 2 0 root [rcu_tasks_rude_]
10 2 0 root [rcu_tasks_trace]
11 2 0 root [ksoftirqd/0]
12 2 0 root [rcu_sched]
13 2 0 root [migration/0]
14 2 0 root [cpuhp/0]
15 2 0 root [cpuhp/1]
16 2 0 root [migration/1]
17 2 0 root [ksoftirqd/1]
19 2 0 root [kworker/1:0H-events_highpri]
20 2 0 root [cpuhp/2]
21 2 0 root [migration/2]
22 2 0 root [ksoftirqd/2]
24 2 0 root [kworker/2:0H-events_highpri]
orangepi@orangepi5plus:~$ sudo cat /usr/lib/orangepi/orangepi-truncate-logs
#!/bin/bash
#
# Copyright (c) Authors: https://www.armbian.com/authors
#
# This file is licensed under the terms of the GNU General Public
# License version 2. This program is licensed "as is" without any
# warranty of any kind, whether express or implied.
#
# truncate, save and clean logs if they get over 75% of the /var/log size
# working only when orangepi-ramlog is enabled
treshold=75 # %
JOURNAL_SIZE=5M # size to shrink systemd-journal
[ -f /etc/default/orangepi-ramlog ] && . /etc/default/orangepi-ramlog
[ "$ENABLED" != true ] && exit 0
logusage=$(df /var/log/ --output=pcent | tail -1 |cut -d "%" -f 1)
if [ $logusage -ge $treshold ]; then
# write to SD
/usr/lib/orangepi/orangepi-ramlog write >/dev/null 2>&1
# rotate logs on "disk"
/usr/sbin/logrotate --force /etc/logrotate.conf
# truncate
/usr/bin/find /var/log -name '*.log' -or -name '*.xz' -or -name 'lastlog' -or -name 'messages' -or -name 'debug' -or -name 'syslog' | xargs -r truncate --size 0
/usr/bin/find /var/log -name 'btmp' -or -name 'wtmp' -or -name 'faillog' -or -name 'firewalld' | xargs -r truncate --size 0
/usr/bin/find /var/log -name 'mail.err' -or -name 'mail.info' -or -name 'mail.warning' | xargs -r truncate --size 0
# remove
/usr/bin/find /var/log -name '*.[0-9]' -or -name '*.gz' | xargs -r rm -f
# vacuum systemd-journald
[ -d /var/log/journal ] && journalctl --quiet --vacuum-size=${JOURNAL_SIZE}
fi
orangepi@orangepi5plus:~$ grep -r "orangepi-truncate-logs" /etc/ 2>/dev/null
/etc/cron.d/orangepi-truncate-logs:*/15 * * * * root /usr/lib/orangepi/orangepi-truncate-logs
orangepi@orangepi5plus:~$ ps aux | grep -i "perfcc\|Diagserver" | grep -v grep
orangepi@orangepi5plus:~$ sudo find /usr /opt /home -type f -name "*perfcc*" 2>/dev/null
orangepi@orangepi5plus:~$ sudo find /usr /opt /home -type f -name "*Diagserver*" 2>/dev/null
orangepi@orangepi5plus:~$ systemctl list-units --all | grep -iE "perf|diag"
orangepi@orangepi5plus:~$ sudo tail -100 /var/log/auth.log
Feb 17 00:17:01 orangepi5plus CRON[2655038]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 00:17:01 orangepi5plus CRON[2655038]: pam_unix(cron:session): session closed for user root
Feb 17 00:25:01 orangepi5plus CRON[3036318]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 00:25:01 orangepi5plus CRON[3036318]: pam_unix(cron:session): session closed for user root
Feb 17 00:30:01 orangepi5plus CRON[3280760]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 00:30:01 orangepi5plus CRON[3280760]: pam_unix(cron:session): session closed for user root
Feb 17 00:35:01 orangepi5plus CRON[3530315]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 00:35:01 orangepi5plus CRON[3530315]: pam_unix(cron:session): session closed for user root
Feb 17 00:45:01 orangepi5plus CRON[4007038]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 00:45:01 orangepi5plus CRON[4007037]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 00:45:01 orangepi5plus CRON[4007038]: pam_unix(cron:session): session closed for user root
Feb 17 00:45:01 orangepi5plus CRON[4007037]: pam_unix(cron:session): session closed for user root
Feb 17 00:55:01 orangepi5plus CRON[294423]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 00:55:01 orangepi5plus CRON[294423]: pam_unix(cron:session): session closed for user root
Feb 17 01:00:01 orangepi5plus CRON[542761]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 01:00:01 orangepi5plus CRON[542761]: pam_unix(cron:session): session closed for user root
Feb 17 01:05:01 orangepi5plus CRON[795611]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 01:05:01 orangepi5plus CRON[795611]: pam_unix(cron:session): session closed for user root
Feb 17 01:15:01 orangepi5plus CRON[1277663]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 01:15:01 orangepi5plus CRON[1277664]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 01:15:01 orangepi5plus CRON[1277664]: pam_unix(cron:session): session closed for user root
Feb 17 01:15:01 orangepi5plus CRON[1277663]: pam_unix(cron:session): session closed for user root
Feb 17 01:17:01 orangepi5plus CRON[1373985]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 01:17:01 orangepi5plus CRON[1373985]: pam_unix(cron:session): session closed for user root
Feb 17 01:25:01 orangepi5plus CRON[1760087]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 01:25:01 orangepi5plus CRON[1760087]: pam_unix(cron:session): session closed for user root
Feb 17 01:30:01 orangepi5plus CRON[2009963]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 01:30:01 orangepi5plus CRON[2009963]: pam_unix(cron:session): session closed for user root
Feb 17 01:35:01 orangepi5plus CRON[2264198]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 01:35:01 orangepi5plus CRON[2264198]: pam_unix(cron:session): session closed for user root
Feb 17 01:45:01 orangepi5plus CRON[2750590]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 01:45:01 orangepi5plus CRON[2750589]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 01:45:01 orangepi5plus CRON[2750590]: pam_unix(cron:session): session closed for user root
Feb 17 01:45:01 orangepi5plus CRON[2750589]: pam_unix(cron:session): session closed for user root
Feb 17 01:55:01 orangepi5plus CRON[3240792]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 01:55:01 orangepi5plus CRON[3240792]: pam_unix(cron:session): session closed for user root
Feb 17 02:00:01 orangepi5plus CRON[3494031]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 02:00:01 orangepi5plus CRON[3494031]: pam_unix(cron:session): session closed for user root
Feb 17 02:05:01 orangepi5plus CRON[3750642]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 02:05:01 orangepi5plus CRON[3750642]: pam_unix(cron:session): session closed for user root
Feb 17 02:15:01 orangepi5plus CRON[51433]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 02:15:01 orangepi5plus CRON[51435]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 02:15:01 orangepi5plus CRON[51435]: pam_unix(cron:session): session closed for user root
Feb 17 02:15:01 orangepi5plus CRON[51433]: pam_unix(cron:session): session closed for user root
Feb 17 02:17:01 orangepi5plus CRON[150926]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 02:17:01 orangepi5plus CRON[150926]: pam_unix(cron:session): session closed for user root
Feb 17 02:25:01 orangepi5plus CRON[545704]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 02:25:01 orangepi5plus CRON[545704]: pam_unix(cron:session): session closed for user root
Feb 17 02:29:15 orangepi5plus sshd[752903]: Accepted password for orangepi from 192.168.31.101 port 59726 ssh2
Feb 17 02:29:15 orangepi5plus sshd[752903]: pam_unix(sshd:session): session opened for user orangepi(uid=1000) by (uid=0)
Feb 17 02:29:15 orangepi5plus systemd-logind[987]: New session 567 of user orangepi.
Feb 17 02:30:01 orangepi5plus CRON[797551]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 02:30:01 orangepi5plus CRON[797551]: pam_unix(cron:session): session closed for user root
Feb 17 02:33:05 orangepi5plus sudo: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/ls
Feb 17 02:33:05 orangepi5plus sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Feb 17 02:33:05 orangepi5plus sudo: pam_unix(sudo:session): session closed for user root
Feb 17 02:33:05 orangepi5plus sudo: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/date -s '2026-02-17 02:33:05'
Feb 17 02:33:05 orangepi5plus sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Feb 17 02:33:05 orangepi5plus sudo: pam_unix(sudo:session): session closed for user root
Feb 17 02:35:01 orangepi5plus CRON[1054586]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 02:35:01 orangepi5plus CRON[1054586]: pam_unix(cron:session): session closed for user root
Feb 17 02:44:18 orangepi5plus sudo: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/ls
Feb 17 02:44:18 orangepi5plus sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Feb 17 02:44:18 orangepi5plus sudo: pam_unix(sudo:session): session closed for user root
Feb 17 02:44:18 orangepi5plus sudo: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/swapon --summary
Feb 17 02:44:18 orangepi5plus sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Feb 17 02:44:18 orangepi5plus sudo: pam_unix(sudo:session): session closed for user root
Feb 17 02:45:01 orangepi5plus CRON[1549040]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 02:45:01 orangepi5plus CRON[1549041]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Feb 17 02:45:01 orangepi5plus CRON[1549040]: pam_unix(cron:session): session closed for user root
Feb 17 02:45:01 orangepi5plus CRON[1549041]: pam_unix(cron:session): session closed for user root
Feb 17 02:45:07 orangepi5plus sudo: root : TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tee -a /etc/clamav/freshclam.conf
Feb 17 02:45:07 orangepi5plus sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Feb 17 02:45:07 orangepi5plus sudo: pam_unix(sudo:session): session closed for user root
Feb 17 02:47:00 orangepi5plus sudo: orangepi : TTY=pts/0 ; PWD=/home/orangepi ; USER=root ; COMMAND=/usr/bin/grep -n 'pkill\\|ps aux' /var/log/syslog
Feb 17 02:47:00 orangepi5plus sudo: pam_unix(sudo:session): session opened for user root(uid=0) by orangepi(uid=1000)
Feb 17 02:47:00 orangepi5plus sudo: pam_unix(sudo:session): session closed for user root
Feb 17 02:47:07 orangepi5plus sudo: orangepi : TTY=pts/0 ; PWD=/home/orangepi ; USER=root ; COMMAND=/usr/bin/grep -n 'pkill\\|ps aux' /var/log/messages
Feb 17 02:47:07 orangepi5plus sudo: pam_unix(sudo:session): session opened for user root(uid=0) by orangepi(uid=1000)
Feb 17 02:47:07 orangepi5plus sudo: pam_unix(sudo:session): session closed for user root
Feb 17 02:48:25 orangepi5plus sudo: orangepi : TTY=pts/0 ; PWD=/home/orangepi ; USER=root ; COMMAND=/usr/bin/ls -la /var/spool/cron/crontabs/
Feb 17 02:48:25 orangepi5plus sudo: pam_unix(sudo:session): session opened for user root(uid=0) by orangepi(uid=1000)
Feb 17 02:48:25 orangepi5plus sudo: pam_unix(sudo:session): session closed for user root
Feb 17 02:49:37 orangepi5plus sudo: orangepi : TTY=pts/0 ; PWD=/home/orangepi ; USER=root ; COMMAND=/usr/bin/cat /usr/lib/orangepi/orangepi-truncate-logs
Feb 17 02:49:37 orangepi5plus sudo: pam_unix(sudo:session): session opened for user root(uid=0) by orangepi(uid=1000)
Feb 17 02:49:37 orangepi5plus sudo: pam_unix(sudo:session): session closed for user root
Feb 17 02:49:49 orangepi5plus sudo: orangepi : TTY=pts/0 ; PWD=/home/orangepi ; USER=root ; COMMAND=/usr/bin/find /usr /opt /home -type f -name *perfcc*
Feb 17 02:49:49 orangepi5plus sudo: pam_unix(sudo:session): session opened for user root(uid=0) by orangepi(uid=1000)
Feb 17 02:49:50 orangepi5plus sudo: pam_unix(sudo:session): session closed for user root
Feb 17 02:49:54 orangepi5plus sudo: orangepi : TTY=pts/0 ; PWD=/home/orangepi ; USER=root ; COMMAND=/usr/bin/find /usr /opt /home -type f -name *Diagserver*
Feb 17 02:49:54 orangepi5plus sudo: pam_unix(sudo:session): session opened for user root(uid=0) by orangepi(uid=1000)
Feb 17 02:49:55 orangepi5plus sudo: pam_unix(sudo:session): session closed for user root
Feb 17 02:50:17 orangepi5plus sudo: orangepi : TTY=pts/0 ; PWD=/home/orangepi ; USER=root ; COMMAND=/usr/bin/docker ps -adocker ps -a
Feb 17 02:50:17 orangepi5plus sudo: pam_unix(sudo:session): session opened for user root(uid=0) by orangepi(uid=1000)
Feb 17 02:50:17 orangepi5plus sudo: pam_unix(sudo:session): session closed for user root
Feb 17 02:50:19 orangepi5plus sudo: orangepi : TTY=pts/0 ; PWD=/home/orangepi ; USER=root ; COMMAND=/usr/bin/docker ps -a
Feb 17 02:50:19 orangepi5plus sudo: pam_unix(sudo:session): session opened for user root(uid=0) by orangepi(uid=1000)
Feb 17 02:50:19 orangepi5plus sudo: pam_unix(sudo:session): session closed for user root
Feb 17 02:51:24 orangepi5plus sudo: orangepi : TTY=pts/0 ; PWD=/home/orangepi ; USER=root ; COMMAND=/usr/bin/tail -100 /var/log/auth.log
Feb 17 02:51:24 orangepi5plus sudo: pam_unix(sudo:session): session opened for user root(uid=0) by orangepi(uid=1000)
orangepi@orangepi5plus:~$ sudo tail -100 /var/log/syslog
Feb 17 02:48:12 orangepi5plus kernel: [181780.345319] br-a1e0beb759d7: port 1(vethe6cb48b) entered disabled state
Feb 17 02:48:12 orangepi5plus kernel: [181780.345732] vethe75e38c: renamed from eth0
Feb 17 02:48:12 orangepi5plus NetworkManager[44344]: <info> [1771267692.4929] manager: (vethe75e38c): new Veth device (/org/freedesktop/NetworkManager/Devices/6133)
Feb 17 02:48:12 orangepi5plus kernel: [181780.414695] br-a1e0beb759d7: port 1(vethe6cb48b) entered disabled state
Feb 17 02:48:12 orangepi5plus kernel: [181780.417197] device vethe6cb48b left promiscuous mode
Feb 17 02:48:12 orangepi5plus kernel: [181780.417221] br-a1e0beb759d7: port 1(vethe6cb48b) entered disabled state
Feb 17 02:48:12 orangepi5plus NetworkManager[44344]: <info> [1771267692.5600] device (vethe6cb48b): released from master device br-a1e0beb759d7
Feb 17 02:48:12 orangepi5plus systemd[1]: run-docker-netns-0b0cb1a21e75.mount: Deactivated successfully.
Feb 17 02:48:12 orangepi5plus systemd[1]: var-lib-docker-overlay2-aac5510e21067eac727466525fda89768a9d3e43409a1286a277cfcb4f7b3e79-merged.mount: Deactivated successfully.
Feb 17 02:48:21 orangepi5plus 1panel-agent[958778]: [GIN] 2026/02/17 - 02:48:21 | 200 | 1.641477ms | | POST "/api/v2/toolbox/clam/search"
Feb 17 02:49:08 orangepi5plus kernel: [181836.401484] [UFW BLOCK] IN=enP4p65s0 OUT= MAC=01:00:5e:00:00:01:8c:53:c3:55:79:8a:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 17 02:49:12 orangepi5plus containerd[43855]: time="2026-02-17T02:49:12.478657839+08:00" level=info msg="connecting to shim 88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8" address="unix:///run/containerd/s/d2d12f8ba161daf6cd12af1001dc5b2dbefbc0c21a4148245e03cdc4317ca717" namespace=moby protocol=ttrpc version=3
Feb 17 02:49:12 orangepi5plus systemd[1]: Started libcontainer container 88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8.
Feb 17 02:49:12 orangepi5plus systemd-udevd[1755918]: Using default interface naming scheme 'v249'.
Feb 17 02:49:12 orangepi5plus NetworkManager[44344]: <info> [1771267752.6309] manager: (vethe2c79c2): new Veth device (/org/freedesktop/NetworkManager/Devices/6134)
Feb 17 02:49:12 orangepi5plus kernel: [181840.539883] br-a1e0beb759d7: port 1(vethe2c79c2) entered blocking state
Feb 17 02:49:12 orangepi5plus kernel: [181840.539896] br-a1e0beb759d7: port 1(vethe2c79c2) entered disabled state
Feb 17 02:49:12 orangepi5plus kernel: [181840.540395] device vethe2c79c2 entered promiscuous mode
Feb 17 02:49:12 orangepi5plus kernel: [181840.604799] eth0: renamed from veth0ee0c73
Feb 17 02:49:12 orangepi5plus NetworkManager[44344]: <info> [1771267752.7197] device (vethe2c79c2): carrier: link connected
Feb 17 02:49:12 orangepi5plus kernel: [181840.628989] IPv6: ADDRCONF(NETDEV_CHANGE): vethe2c79c2: link becomes ready
Feb 17 02:49:12 orangepi5plus kernel: [181840.629102] br-a1e0beb759d7: port 1(vethe2c79c2) entered blocking state
Feb 17 02:49:12 orangepi5plus kernel: [181840.629105] br-a1e0beb759d7: port 1(vethe2c79c2) entered forwarding state
Feb 17 02:49:12 orangepi5plus dockerd[47588]: time="2026-02-17T02:49:12.727792957+08:00" level=info msg="sbJoin: gwep4 ''->'6eba07e82215', gwep6 ''->''" eid=6eba07e82215 ep=overleaf-mongoinit-1 net=overleaf_default nid=a1e0beb759d7
Feb 17 02:49:12 orangepi5plus systemd[1]: docker-88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8.scope: Deactivated successfully.
Feb 17 02:49:12 orangepi5plus containerd[43855]: time="2026-02-17T02:49:12.927895779+08:00" level=info msg="shim disconnected" id=88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8 namespace=moby
Feb 17 02:49:12 orangepi5plus containerd[43855]: time="2026-02-17T02:49:12.928523733+08:00" level=info msg="cleaning up after shim disconnected" id=88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8 namespace=moby
Feb 17 02:49:12 orangepi5plus containerd[43855]: time="2026-02-17T02:49:12.929095979+08:00" level=info msg="cleaning up dead shim" id=88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8 namespace=moby
Feb 17 02:49:12 orangepi5plus dockerd[47588]: time="2026-02-17T02:49:12.931468961+08:00" level=info msg="ignoring event" container=88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8 module=libcontainerd namespace=moby topic=/tasks/delete type="*events.TaskDelete"
Feb 17 02:49:13 orangepi5plus kernel: [181840.913241] br-a1e0beb759d7: port 1(vethe2c79c2) entered disabled state
Feb 17 02:49:13 orangepi5plus kernel: [181840.913762] veth0ee0c73: renamed from eth0
Feb 17 02:49:13 orangepi5plus NetworkManager[44344]: <info> [1771267753.0639] manager: (veth0ee0c73): new Veth device (/org/freedesktop/NetworkManager/Devices/6135)
Feb 17 02:49:13 orangepi5plus kernel: [181840.993328] br-a1e0beb759d7: port 1(vethe2c79c2) entered disabled state
Feb 17 02:49:13 orangepi5plus kernel: [181840.995627] device vethe2c79c2 left promiscuous mode
Feb 17 02:49:13 orangepi5plus kernel: [181840.995638] br-a1e0beb759d7: port 1(vethe2c79c2) entered disabled state
Feb 17 02:49:13 orangepi5plus NetworkManager[44344]: <info> [1771267753.1201] device (vethe2c79c2): released from master device br-a1e0beb759d7
Feb 17 02:49:13 orangepi5plus systemd[1]: run-docker-netns-f519d423cc9b.mount: Deactivated successfully.
Feb 17 02:49:13 orangepi5plus systemd[1]: var-lib-docker-overlay2-aac5510e21067eac727466525fda89768a9d3e43409a1286a277cfcb4f7b3e79-merged.mount: Deactivated successfully.
Feb 17 02:49:21 orangepi5plus 1panel-agent[958778]: [GIN] 2026/02/17 - 02:49:21 | 200 | 1.271073ms | | POST "/api/v2/toolbox/clam/search"
Feb 17 02:50:12 orangepi5plus systemd[1]: Starting system activity accounting tool...
Feb 17 02:50:12 orangepi5plus systemd[1]: sysstat-collect.service: Deactivated successfully.
Feb 17 02:50:12 orangepi5plus systemd[1]: Finished system activity accounting tool.
Feb 17 02:50:13 orangepi5plus containerd[43855]: time="2026-02-17T02:50:13.064769549+08:00" level=info msg="connecting to shim 88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8" address="unix:///run/containerd/s/d2d12f8ba161daf6cd12af1001dc5b2dbefbc0c21a4148245e03cdc4317ca717" namespace=moby protocol=ttrpc version=3
Feb 17 02:50:13 orangepi5plus systemd[1]: Started libcontainer container 88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8.
Feb 17 02:50:13 orangepi5plus kernel: [181901.114392] br-a1e0beb759d7: port 1(veth31305cb) entered blocking state
Feb 17 02:50:13 orangepi5plus kernel: [181901.114397] br-a1e0beb759d7: port 1(veth31305cb) entered disabled state
Feb 17 02:50:13 orangepi5plus kernel: [181901.114502] device veth31305cb entered promiscuous mode
Feb 17 02:50:13 orangepi5plus NetworkManager[44344]: <info> [1771267813.2076] manager: (veth31305cb): new Veth device (/org/freedesktop/NetworkManager/Devices/6136)
Feb 17 02:50:13 orangepi5plus systemd-udevd[1805678]: Using default interface naming scheme 'v249'.
Feb 17 02:50:13 orangepi5plus kernel: [181901.169199] eth0: renamed from veth0f0f9f7
Feb 17 02:50:13 orangepi5plus NetworkManager[44344]: <info> [1771267813.2920] device (veth31305cb): carrier: link connected
Feb 17 02:50:13 orangepi5plus kernel: [181901.200671] IPv6: ADDRCONF(NETDEV_CHANGE): veth31305cb: link becomes ready
Feb 17 02:50:13 orangepi5plus kernel: [181901.200903] br-a1e0beb759d7: port 1(veth31305cb) entered blocking state
Feb 17 02:50:13 orangepi5plus kernel: [181901.200912] br-a1e0beb759d7: port 1(veth31305cb) entered forwarding state
Feb 17 02:50:13 orangepi5plus dockerd[47588]: time="2026-02-17T02:50:13.302248589+08:00" level=info msg="sbJoin: gwep4 ''->'1a91cefe4c75', gwep6 ''->''" eid=1a91cefe4c75 ep=overleaf-mongoinit-1 net=overleaf_default nid=a1e0beb759d7
Feb 17 02:50:13 orangepi5plus systemd[1]: docker-88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8.scope: Deactivated successfully.
Feb 17 02:50:13 orangepi5plus containerd[43855]: time="2026-02-17T02:50:13.546416078+08:00" level=info msg="shim disconnected" id=88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8 namespace=moby
Feb 17 02:50:13 orangepi5plus containerd[43855]: time="2026-02-17T02:50:13.546563660+08:00" level=info msg="cleaning up after shim disconnected" id=88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8 namespace=moby
Feb 17 02:50:13 orangepi5plus containerd[43855]: time="2026-02-17T02:50:13.546672451+08:00" level=info msg="cleaning up dead shim" id=88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8 namespace=moby
Feb 17 02:50:13 orangepi5plus dockerd[47588]: time="2026-02-17T02:50:13.552110243+08:00" level=info msg="ignoring event" container=88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8 module=libcontainerd namespace=moby topic=/tasks/delete type="*events.TaskDelete"
Feb 17 02:50:13 orangepi5plus kernel: [181901.560537] br-a1e0beb759d7: port 1(veth31305cb) entered disabled state
Feb 17 02:50:13 orangepi5plus kernel: [181901.561104] veth0f0f9f7: renamed from eth0
Feb 17 02:50:13 orangepi5plus systemd-udevd[1805772]: Using default interface naming scheme 'v249'.
Feb 17 02:50:13 orangepi5plus NetworkManager[44344]: <info> [1771267813.7167] manager: (veth0f0f9f7): new Veth device (/org/freedesktop/NetworkManager/Devices/6137)
Feb 17 02:50:13 orangepi5plus kernel: [181901.640437] br-a1e0beb759d7: port 1(veth31305cb) entered disabled state
Feb 17 02:50:13 orangepi5plus kernel: [181901.642538] device veth31305cb left promiscuous mode
Feb 17 02:50:13 orangepi5plus kernel: [181901.642547] br-a1e0beb759d7: port 1(veth31305cb) entered disabled state
Feb 17 02:50:13 orangepi5plus NetworkManager[44344]: <info> [1771267813.7627] device (veth31305cb): released from master device br-a1e0beb759d7
Feb 17 02:50:13 orangepi5plus systemd[1]: run-docker-netns-3947f0b4fbe2.mount: Deactivated successfully.
Feb 17 02:50:13 orangepi5plus systemd[1]: var-lib-docker-overlay2-aac5510e21067eac727466525fda89768a9d3e43409a1286a277cfcb4f7b3e79-merged.mount: Deactivated successfully.
Feb 17 02:50:21 orangepi5plus 1panel-agent[958778]: [GIN] 2026/02/17 - 02:50:21 | 200 | 625.327µs | | POST "/api/v2/toolbox/clam/search"
Feb 17 02:51:13 orangepi5plus containerd[43855]: time="2026-02-17T02:51:13.712725430+08:00" level=info msg="connecting to shim 88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8" address="unix:///run/containerd/s/d2d12f8ba161daf6cd12af1001dc5b2dbefbc0c21a4148245e03cdc4317ca717" namespace=moby protocol=ttrpc version=3
Feb 17 02:51:13 orangepi5plus systemd[1]: Started libcontainer container 88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8.
Feb 17 02:51:13 orangepi5plus kernel: [181961.741847] br-a1e0beb759d7: port 1(veth14c276f) entered blocking state
Feb 17 02:51:13 orangepi5plus kernel: [181961.741877] br-a1e0beb759d7: port 1(veth14c276f) entered disabled state
Feb 17 02:51:13 orangepi5plus kernel: [181961.742603] device veth14c276f entered promiscuous mode
Feb 17 02:51:13 orangepi5plus systemd-udevd[1855378]: Using default interface naming scheme 'v249'.
Feb 17 02:51:13 orangepi5plus NetworkManager[44344]: <info> [1771267873.8341] manager: (veth14c276f): new Veth device (/org/freedesktop/NetworkManager/Devices/6138)
Feb 17 02:51:13 orangepi5plus kernel: [181961.808332] eth0: renamed from vethb1723a9
Feb 17 02:51:13 orangepi5plus kernel: [181961.840367] IPv6: ADDRCONF(NETDEV_CHANGE): veth14c276f: link becomes ready
Feb 17 02:51:13 orangepi5plus kernel: [181961.840526] br-a1e0beb759d7: port 1(veth14c276f) entered blocking state
Feb 17 02:51:13 orangepi5plus kernel: [181961.840532] br-a1e0beb759d7: port 1(veth14c276f) entered forwarding state
Feb 17 02:51:13 orangepi5plus NetworkManager[44344]: <info> [1771267873.9309] device (veth14c276f): carrier: link connected
Feb 17 02:51:13 orangepi5plus dockerd[47588]: time="2026-02-17T02:51:13.936624151+08:00" level=info msg="sbJoin: gwep4 ''->'59731e38a3e9', gwep6 ''->''" eid=59731e38a3e9 ep=overleaf-mongoinit-1 net=overleaf_default nid=a1e0beb759d7
Feb 17 02:51:13 orangepi5plus kernel: [181961.848593] [UFW BLOCK] IN=enP4p65s0 OUT= MAC=01:00:5e:00:00:01:8c:53:c3:55:79:8a:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 17 02:51:14 orangepi5plus systemd[1]: docker-88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8.scope: Deactivated successfully.
Feb 17 02:51:14 orangepi5plus dockerd[47588]: time="2026-02-17T02:51:14.213050111+08:00" level=info msg="ignoring event" container=88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8 module=libcontainerd namespace=moby topic=/tasks/delete type="*events.TaskDelete"
Feb 17 02:51:14 orangepi5plus containerd[43855]: time="2026-02-17T02:51:14.215021465+08:00" level=info msg="shim disconnected" id=88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8 namespace=moby
Feb 17 02:51:14 orangepi5plus containerd[43855]: time="2026-02-17T02:51:14.215613250+08:00" level=info msg="cleaning up after shim disconnected" id=88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8 namespace=moby
Feb 17 02:51:14 orangepi5plus containerd[43855]: time="2026-02-17T02:51:14.216133870+08:00" level=info msg="cleaning up dead shim" id=88a6e473c97346f5ad0527d9995cbe7799f12e048289eba76527f0f5c9751db8 namespace=moby
Feb 17 02:51:14 orangepi5plus kernel: [181962.200919] br-a1e0beb759d7: port 1(veth14c276f) entered disabled state
Feb 17 02:51:14 orangepi5plus kernel: [181962.201233] vethb1723a9: renamed from eth0
Feb 17 02:51:14 orangepi5plus NetworkManager[44344]: <info> [1771267874.3433] manager: (vethb1723a9): new Veth device (/org/freedesktop/NetworkManager/Devices/6139)
Feb 17 02:51:14 orangepi5plus kernel: [181962.271253] br-a1e0beb759d7: port 1(veth14c276f) entered disabled state
Feb 17 02:51:14 orangepi5plus kernel: [181962.274403] device veth14c276f left promiscuous mode
Feb 17 02:51:14 orangepi5plus kernel: [181962.274412] br-a1e0beb759d7: port 1(veth14c276f) entered disabled state
Feb 17 02:51:14 orangepi5plus NetworkManager[44344]: <info> [1771267874.3923] device (veth14c276f): released from master device br-a1e0beb759d7
Feb 17 02:51:14 orangepi5plus systemd[1]: run-docker-netns-e03d1c81081b.mount: Deactivated successfully.
Feb 17 02:51:14 orangepi5plus systemd[1]: var-lib-docker-overlay2-aac5510e21067eac727466525fda89768a9d3e43409a1286a277cfcb4f7b3e79-merged.mount: Deactivated successfully.
Feb 17 02:51:21 orangepi5plus 1panel-agent[958778]: [GIN] 2026/02/17 - 02:51:21 | 200 | 1.015566ms | | POST "/api/v2/toolbox/clam/search"
orangepi@orangepi5plus:~$ sudo journalctl --since "2026-02-15 00:00:00" --until "2026-02-16 00:00:00" --no-pager | grep -iE "pkill|ps.*aux"
orangepi@orangepi5plus:~$ ps -eo pid,ppid,uid,user,cmd | awk '$3==1001 {print}'
14888 52496 1001 1001 [sh] <defunct>
20069 52496 1001 1001 [sh] <defunct>
32990 52496 1001 1001 [sh] <defunct>
48209 48159 1001 1001 /opt/java/openjdk/bin/java -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dsun.io.useCanonCaches=false -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dignore.endorsed.dirs= -classpath /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat -Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap start
49505 49097 1001 1001 /bin/sh ./entrypoint.sh
50606 49505 1001 1001 node /pnpm/global/5/.pnpm/pm2@6.0.13/node_modules/pm2/bin/pm2 start /app/web/server.js --name dify-web --cwd /app/web -i 2 --no-daemon
52496 52275 1001 1001 /bin/node /app/startServer.js
53779 50606 1001 1001 next-server (v15.5.0)
53880 52496 1001 1001 next-server (v15.3.5)
53924 50606 1001 1001 next-server (v15.5.0)
54769 52496 1001 1001 [sh] <defunct>
55843 55763 1001 1001 node /usr/local/bin/pnpm start-docker
57114 52496 1001 1001 [sh] <defunct>
57270 52496 1001 1001 [sh] <defunct>
57329 52496 1001 1001 [sh] <defunct>
57389 55843 1001 1001 node /app/node_modules/.bin/../.pnpm/npm-run-all@4.1.5/node_modules/npm-run-all/bin/npm-run-all/index.js check-db update-tracker start-server
62535 55843 1001 1001 [node] <defunct>
63108 57389 1001 1001 node /usr/local/lib/node_modules/pnpm/bin/pnpm.cjs run start-server
63432 63108 1001 1001 next-server (v
71717 52496 1001 1001 [sh] <defunct>
87543 52496 1001 1001 sh /dev/shm/lpx.sh
93233 52496 1001 1001 [sh] <defunct>
93255 52496 1001 1001 [sh] <defunct>
94092 52496 1001 1001 [sh] <defunct>
94594 52496 1001 1001 [sh] <defunct>
104772 52496 1001 1001 [sh] <defunct>
126235 52496 1001 1001 sh /dev/shm/lpx.sh
141355 52496 1001 1001 [sh] <defunct>
145560 52496 1001 1001 sh /dev/shm/lpx.sh
157198 52496 1001 1001 sh /dev/shm/lpx.sh
172875 52496 1001 1001 [sh] <defunct>
173350 52496 1001 1001 [sh] <defunct>
184563 52496 1001 1001 sh /tmp/hirt.sh
202708 52496 1001 1001 [sh] <defunct>
216980 52496 1001 1001 [sh] <defunct>
223004 52496 1001 1001 sh /tmp/hirt.sh
232142 52496 1001 1001 sh /dev/shm/lpx.sh
245148 52496 1001 1001 sh /dev/shm/lpx.sh
251665 52496 1001 1001 [sh] <defunct>
254437 52496 1001 1001 sh /dev/shm/lpx.sh
281207 52496 1001 1001 sh /dev/shm/lpx.sh
309513 52496 1001 1001 [sh] <defunct>
317559 52496 1001 1001 [sh] <defunct>
320240 52496 1001 1001 [sh] <defunct>
320243 52496 1001 1001 [sh] <defunct>
336527 52496 1001 1001 sh /tmp/hirt.sh
337477 52496 1001 1001 [sh] <defunct>
354220 52496 1001 1001 [sh] <defunct>
355041 52496 1001 1001 sh /dev/shm/lpx.sh
380730 52496 1001 1001 [sh] <defunct>
380823 52496 1001 1001 [sh] <defunct>
387379 52496 1001 1001 [sh] <defunct>
423719 52496 1001 1001 [sh] <defunct>
423744 52496 1001 1001 [sh] <defunct>
442638 52496 1001 1001 sh /tmp/hirt.sh
469697 52496 1001 1001 sh /dev/shm/lpx.sh
469732 52496 1001 1001 sh /dev/shm/lpx.sh
472482 52496 1001 1001 [sh] <defunct>
508172 52496 1001 1001 [sh] <defunct>
525044 52496 1001 1001 [sh] <defunct>
539626 52496 1001 1001 [sh] <defunct>
546519 52496 1001 1001 [sh] <defunct>
569804 52496 1001 1001 sh /dev/shm/lpx.sh
596841 52496 1001 1001 sh /tmp/hirt.sh
614945 52496 1001 1001 sh /tmp/hirt.sh
653375 52496 1001 1001 sh /tmp/hirt.sh
655819 52496 1001 1001 [sh] <defunct>
679568 52496 1001 1001 [sh] <defunct>
706041 52496 1001 1001 [sh] <defunct>
710577 52496 1001 1001 [sh] <defunct>
711550 52496 1001 1001 [sh] <defunct>
712311 52496 1001 1001 sh /dev/shm/lpx.sh
716410 52496 1001 1001 [sh] <defunct>
716436 52496 1001 1001 [sh] <defunct>
716511 52496 1001 1001 [sh] <defunct>
731656 52496 1001 1001 [sh] <defunct>
756703 52496 1001 1001 [sh] <defunct>
756780 52496 1001 1001 sh /dev/shm/lpx.sh
761862 52496 1001 1001 [sh] <defunct>
770746 52496 1001 1001 sh /tmp/hirt.sh
847065 52496 1001 1001 [sh] <defunct>
875200 52496 1001 1001 sh /dev/shm/lpx.sh
881324 52496 1001 1001 [sh] <defunct>
901119 52496 1001 1001 [sh] <defunct>
918670 52496 1001 1001 [sh] <defunct>
918674 52496 1001 1001 [sh] <defunct>
937200 52496 1001 1001 [sh] <defunct>
952761 52496 1001 1001 [sh] <defunct>
952949 52496 1001 1001 [sh] <defunct>
973076 52496 1001 1001 [sh] <defunct>
980406 52496 1001 1001 [sh] <defunct>
982294 52496 1001 1001 [sh] <defunct>
1004650 52496 1001 1001 [sh] <defunct>
1022860 52496 1001 1001 sh /dev/shm/lpx.sh
1056656 52496 1001 1001 [sh] <defunct>
1061739 52496 1001 1001 sh /tmp/hirt.sh
1097002 52496 1001 1001 sh /dev/shm/lpx.sh
1098937 52496 1001 1001 sh /tmp/hirt.sh
1141910 52496 1001 1001 sh /dev/shm/lpx.sh
1152369 52496 1001 1001 [sh] <defunct>
1157059 52496 1001 1001 [sh] <defunct>
1188093 52496 1001 1001 [sh] <defunct>
1215277 52496 1001 1001 [sh] <defunct>
1238147 52496 1001 1001 [sh] <defunct>
1238450 52496 1001 1001 [sh] <defunct>
1256025 52496 1001 1001 [sh] <defunct>
1296602 52496 1001 1001 [sh] <defunct>
1304085 52496 1001 1001 [sh] <defunct>
1304639 52496 1001 1001 [sh] <defunct>
1306396 52496 1001 1001 [sh] <defunct>
1307330 52496 1001 1001 sh /dev/shm/lpx.sh
1316587 52496 1001 1001 [sh] <defunct>
1324448 52496 1001 1001 [sh] <defunct>
1325830 52496 1001 1001 [sh] <defunct>
1335553 52496 1001 1001 sh /tmp/hirt.sh
1338838 52496 1001 1001 [sh] <defunct>
1339031 52496 1001 1001 [sh] <defunct>
1342308 52496 1001 1001 [sh] <defunct>
1343765 52496 1001 1001 sh /dev/shm/lpx.sh
1355262 52496 1001 1001 sh /tmp/hirt.sh
1364256 52496 1001 1001 [sh] <defunct>
1378211 52496 1001 1001 [sh] <defunct>
1384281 52496 1001 1001 [sh] <defunct>
1400072 52496 1001 1001 sh /dev/shm/lpx.sh
1407539 52496 1001 1001 [sh] <defunct>
1430461 52496 1001 1001 [sh] <defunct>
1430557 52496 1001 1001 [sh] <defunct>
1443400 52496 1001 1001 [sh] <defunct>
1471367 52496 1001 1001 [sh] <defunct>
1505179 52496 1001 1001 sh /dev/shm/lpx.sh
1553937 52496 1001 1001 sh /tmp/hirt.sh
1559522 52496 1001 1001 [sh] <defunct>
1575797 52496 1001 1001 [sh] <defunct>
1575958 52496 1001 1001 [sh] <defunct>
1593044 52496 1001 1001 sh /dev/shm/lpx.sh
1614178 52496 1001 1001 [sh] <defunct>
1614477 52496 1001 1001 [sh] <defunct>
1617628 52496 1001 1001 [sh] <defunct>
1656532 52496 1001 1001 sh /dev/shm/lpx.sh
1665739 52496 1001 1001 [sh] <defunct>
1696241 52496 1001 1001 sh /dev/shm/lpx.sh
1699112 52496 1001 1001 [sh] <defunct>
1719233 52496 1001 1001 [sh] <defunct>
1728114 52496 1001 1001 sh /tmp/hirt.sh
1767446 52496 1001 1001 [sh] <defunct>
1767522 52496 1001 1001 [sh] <defunct>
1838665 52496 1001 1001 [sh] <defunct>
1872592 2159762 1001 1001 sleep 10
1872710 596841 1001 1001 sleep 10
1872871 2581748 1001 1001 sleep 10
1873023 2155988 1001 1001 sleep 10
1873044 875200 1001 1001 sleep 10
1873056 232142 1001 1001 sleep 10
1873104 3032443 1001 1001 sleep 10
1873196 614945 1001 1001 sleep 10
1873821 770746 1001 1001 sleep 10
1873842 2435099 1001 1001 sleep 10
1873874 2625025 1001 1001 sleep 10
1873962 653375 1001 1001 sleep 10
1874010 2571177 1001 1001 sleep 10
1874012 52496 1001 1001 sh /dev/shm/lpx.sh
1874024 1914412 1001 1001 sleep 10
1874105 1728114 1001 1001 sleep 10
1874205 3660170 1001 1001 sleep 10
1874210 2142503 1001 1001 sleep 10
1874522 569804 1001 1001 sleep 10
1874622 1874012 1001 1001 sleep 10
1874671 2372872 1001 1001 sleep 10
1874745 2831871 1001 1001 sleep 10
1874749 1141910 1001 1001 sleep 10
1875044 2537229 1001 1001 sleep 10
1875170 2908785 1001 1001 sleep 10
1875225 4163400 1001 1001 sleep 10
1875369 1938244 1001 1001 sleep 10
1875888 469732 1001 1001 sleep 10
1876037 2464075 1001 1001 sleep 10
1876096 1696241 1001 1001 sleep 10
1876208 281207 1001 1001 sleep 10
1876323 157198 1001 1001 sleep 10
1876370 1061739 1001 1001 sleep 10
1876434 2230561 1001 1001 sleep 10
1876511 2471324 1001 1001 sleep 10
1876538 2496469 1001 1001 sleep 10
1876545 3356955 1001 1001 sleep 10
1876567 1553937 1001 1001 sleep 10
1876568 1355262 1001 1001 sleep 10
1876628 245148 1001 1001 sleep 10
1876648 3402957 1001 1001 sleep 10
1876921 2194651 1001 1001 sleep 10
1876937 2825222 1001 1001 sleep 10
1877292 3518121 1001 1001 sleep 10
1877441 1960303 1001 1001 sleep 10
1877544 2007846 1001 1001 sleep 10
1877578 3100264 1001 1001 sleep 10
1877771 87543 1001 1001 sleep 10
1877854 145560 1001 1001 sleep 10
1877870 756780 1001 1001 sleep 10
1878106 1022860 1001 1001 sleep 10
1878123 469697 1001 1001 sleep 10
1878309 442638 1001 1001 sleep 10
1878323 184563 1001 1001 sleep 10
1878420 223004 1001 1001 sleep 10
1878501 1098937 1001 1001 sleep 10
1878518 355041 1001 1001 sleep 10
1878530 1343765 1001 1001 sleep 10
1878584 1400072 1001 1001 sleep 10
1878669 1656532 1001 1001 sleep 10
1879326 1307330 1001 1001 sleep 10
1879381 4123792 1001 1001 sleep 10
1879388 2062468 1001 1001 sleep 10
1879864 2118789 1001 1001 sleep 10
1879930 126235 1001 1001 sleep 10
1879958 3199518 1001 1001 sleep 10
1879981 4183952 1001 1001 sleep 10
1880062 1097002 1001 1001 sleep 10
1880311 1593044 1001 1001 sleep 10
1880312 3806532 1001 1001 ps -eo pid,args
1880313 3806532 1001 1001 grep -E ^[[:space:]]*[0-9]+[[:space:]]+[a-zA-Z-]+[[:space:]]+-c[[:space:]]+[a-zA-Z-]+[[:space:]]*$
1880314 3806532 1001 1001 grep -v grep
1880315 3806532 1001 1001 awk {print $2}
1880316 3806532 1001 1001 xargs kill -9
1880319 3032346 1001 1001 ps aux
1880321 3032346 1001 1001 grep -v grep
1880322 3032346 1001 1001 grep javae\|xmrig\|987645.top\|test2.sh\|supportxmr\|c3pool
1880324 3032346 1001 1001 awk {print $2}
1880325 3032346 1001 1001 xargs -I % kill -9 %
1880332 1505179 1001 1001 ps aux
1880333 1505179 1001 1001 grep -v grep
1880334 1505179 1001 1001 grep javae\|xmrig\|987645.top\|test2.sh\|supportxmr\|c3pool
1880335 336527 1001 1001 pkill -f javae
1880336 1505179 1001 1001 awk {print $1}
1880337 1505179 1001 1001 xargs -I % kill -9 %
1880340 1335553 1001 1001 pkill -9 perfcc
1897054 52496 1001 1001 [sh] <defunct>
1914412 52496 1001 1001 sh /tmp/hirt.sh
1938244 52496 1001 1001 sh /tmp/hirt.sh
1960303 52496 1001 1001 sh /dev/shm/lpx.sh
1964337 52496 1001 1001 [sh] <defunct>
2001200 52496 1001 1001 [sh] <defunct>
2007846 52496 1001 1001 sh /tmp/hirt.sh
2021344 52496 1001 1001 [sh] <defunct>
2029684 52496 1001 1001 [sh] <defunct>
2062468 52496 1001 1001 sh /dev/shm/lpx.sh
2100578 52496 1001 1001 [sh] <defunct>
2100600 52496 1001 1001 [sh] <defunct>
2118789 52496 1001 1001 sh /dev/shm/lpx.sh
2142503 52496 1001 1001 sh /tmp/hirt.sh
2155988 52496 1001 1001 sh /dev/shm/lpx.sh
2159762 52496 1001 1001 sh /tmp/hirt.sh
2160091 52496 1001 1001 [sh] <defunct>
2160232 52496 1001 1001 [sh] <defunct>
2194651 52496 1001 1001 sh /dev/shm/lpx.sh
2205198 52496 1001 1001 [sh] <defunct>
2207491 52496 1001 1001 [sh] <defunct>
2221491 52496 1001 1001 [sh] <defunct>
2223566 52496 1001 1001 [sh] <defunct>
2230561 52496 1001 1001 sh /dev/shm/lpx.sh
2255376 52496 1001 1001 [sh] <defunct>
2266607 52496 1001 1001 [sh] <defunct>
2266856 52496 1001 1001 [sh] <defunct>
2290112 52496 1001 1001 [sh] <defunct>
2311709 52496 1001 1001 [sh] <defunct>
2317761 52496 1001 1001 [sh] <defunct>
2319622 52496 1001 1001 [sh] <defunct>
2319738 52496 1001 1001 [sh] <defunct>
2322894 52496 1001 1001 [sh] <defunct>
2322900 52496 1001 1001 [sh] <defunct>
2325090 52496 1001 1001 [sh] <defunct>
2372872 52496 1001 1001 sh /dev/shm/lpx.sh
2401599 52496 1001 1001 [sh] <defunct>
2414158 52496 1001 1001 [sh] <defunct>
2421217 52496 1001 1001 [sh] <defunct>
2421239 52496 1001 1001 [sh] <defunct>
2432772 52496 1001 1001 sh /tmp/hirt.sh
2435099 52496 1001 1001 sh /tmp/hirt.sh
2464075 52496 1001 1001 sh /dev/shm/lpx.sh
2464717 52496 1001 1001 [sh] <defunct>
2471324 52496 1001 1001 sh /tmp/hirt.sh
2496469 52496 1001 1001 sh /dev/shm/lpx.sh
2512732 52496 1001 1001 [sh] <defunct>
2534415 52496 1001 1001 [sh] <defunct>
2537229 52496 1001 1001 sh /dev/shm/lpx.sh
2571177 52496 1001 1001 sh /tmp/hirt.sh
2581748 52496 1001 1001 sh /tmp/hirt.sh
2595732 52496 1001 1001 [sh] <defunct>
2617057 52496 1001 1001 [sh] <defunct>
2625025 52496 1001 1001 sh /tmp/hirt.sh
2637655 52496 1001 1001 [sh] <defunct>
2648319 52496 1001 1001 [sh] <defunct>
2732474 52496 1001 1001 [sh] <defunct>
2765141 52496 1001 1001 [sh] <defunct>
2782084 52496 1001 1001 sh /tmp/hirt.sh
2822237 52496 1001 1001 [sh] <defunct>
2825222 52496 1001 1001 sh /dev/shm/lpx.sh
2831871 52496 1001 1001 sh /tmp/hirt.sh
2833871 52496 1001 1001 [sh] <defunct>
2881325 52496 1001 1001 [sh] <defunct>
2901970 52496 1001 1001 [sh] <defunct>
2908785 52496 1001 1001 sh /dev/shm/lpx.sh
2922937 52496 1001 1001 [sh] <defunct>
3000710 52496 1001 1001 [sh] <defunct>
3003558 52496 1001 1001 [sh] <defunct>
3010666 52496 1001 1001 [sh] <defunct>
3026116 52496 1001 1001 sh /dev/shm/lpx.sh
3032346 52496 1001 1001 sh /tmp/hirt.sh
3032443 52496 1001 1001 sh /dev/shm/lpx.sh
3042839 52496 1001 1001 [sh] <defunct>
3067241 52496 1001 1001 [sh] <defunct>
3094161 52496 1001 1001 [sh] <defunct>
3094201 52496 1001 1001 [sh] <defunct>
3100264 52496 1001 1001 sh /dev/shm/lpx.sh
3114489 52496 1001 1001 [sh] <defunct>
3181878 52496 1001 1001 [sh] <defunct>
3199518 52496 1001 1001 sh /dev/shm/lpx.sh
3204221 52496 1001 1001 [sh] <defunct>
3209547 52496 1001 1001 [sh] <defunct>
3212622 52496 1001 1001 [sh] <defunct>
3231670 52496 1001 1001 [sh] <defunct>
3238781 52496 1001 1001 [sh] <defunct>
3276264 52496 1001 1001 [sh] <defunct>
3276267 52496 1001 1001 [sh] <defunct>
3281668 52496 1001 1001 [sh] <defunct>
3282165 52496 1001 1001 [sh] <defunct>
3283148 52496 1001 1001 [sh] <defunct>
3334116 52496 1001 1001 [sh] <defunct>
3334173 52496 1001 1001 [sh] <defunct>
3334536 52496 1001 1001 [sh] <defunct>
3342432 52496 1001 1001 [sh] <defunct>
3345142 52496 1001 1001 [sh] <defunct>
3346560 52496 1001 1001 [sh] <defunct>
3347837 52496 1001 1001 [sh] <defunct>
3356040 52496 1001 1001 sh /dev/shm/lpx.sh
3356955 52496 1001 1001 sh /tmp/hirt.sh
3366104 52496 1001 1001 [sh] <defunct>
3391862 52496 1001 1001 [sh] <defunct>
3391939 52496 1001 1001 [sh] <defunct>
3402957 52496 1001 1001 sh /dev/shm/lpx.sh
3431875 52496 1001 1001 [sh] <defunct>
3432450 52496 1001 1001 [sh] <defunct>
3432843 52496 1001 1001 [sh] <defunct>
3453325 52496 1001 1001 [sh] <defunct>
3518121 52496 1001 1001 sh /dev/shm/lpx.sh
3535138 52496 1001 1001 [sh] <defunct>
3540273 52496 1001 1001 [sh] <defunct>
3583969 52496 1001 1001 [sh] <defunct>
3584251 52496 1001 1001 [sh] <defunct>
3634180 52496 1001 1001 sh /tmp/hirt.sh
3657064 52496 1001 1001 [sh] <defunct>
3660170 52496 1001 1001 sh /dev/shm/lpx.sh
3700623 52496 1001 1001 sh /tmp/hirt.sh
3727593 52496 1001 1001 [sh] <defunct>
3748246 52496 1001 1001 [sh] <defunct>
3753583 52496 1001 1001 [sh] <defunct>
3753604 52496 1001 1001 [sh] <defunct>
3753739 52496 1001 1001 [sh] <defunct>
3778971 52496 1001 1001 [sh] <defunct>
3782544 52496 1001 1001 [sh] <defunct>
3806532 52496 1001 1001 sh /dev/shm/lpx.sh
3841094 52496 1001 1001 [sh] <defunct>
3861812 52496 1001 1001 [sh] <defunct>
3936161 52496 1001 1001 [sh] <defunct>
3937684 52496 1001 1001 sh /tmp/hirt.sh
3956878 52496 1001 1001 [sh] <defunct>
3960508 52496 1001 1001 [sh] <defunct>
3961342 52496 1001 1001 [sh] <defunct>
3961906 52496 1001 1001 [sh] <defunct>
4024554 52496 1001 1001 sh /tmp/hirt.sh
4065577 52496 1001 1001 [sh] <defunct>
4123792 52496 1001 1001 sh /dev/shm/lpx.sh
4163400 52496 1001 1001 sh /dev/shm/lpx.sh
4183952 52496 1001 1001 sh /dev/shm/lpx.sh
orangepi@orangepi5plus:~$ pgrep -U 1001 -a
14888 sh
20069 sh
32990 sh
48209 /opt/java/openjdk/bin/java -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dsun.io.useCanonCaches=false -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dignore.endorsed.dirs= -classpath /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat -Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap start
49505 /bin/sh ./entrypoint.sh
50606 node /pnpm/global/5/.pnpm/pm2@6.0.13/node_modules/pm2/bin/pm2 start /app/web/server.js --name dify-web --cwd /app/web -i 2 --no-daemon
52496 /bin/node /app/startServer.js
53779 next-server (v15.5.0)
53880 next-server (v15.3.5)
53924 next-server (v15.5.0)
54769 sh
55843 node /usr/local/bin/pnpm start-docker
57114 sh
57270 sh
57329 sh
57389 node /app/node_modules/.bin/../.pnpm/npm-run-all@4.1.5/node_modules/npm-run-all/bin/npm-run-all/index.js check-db update-tracker start-server
62535 node
63108 node /usr/local/lib/node_modules/pnpm/bin/pnpm.cjs run start-server
63432 next-server (v
71717 sh
87543 sh /dev/shm/lpx.sh
93233 sh
93255 sh
94092 sh
94594 sh
104772 sh
126235 sh /dev/shm/lpx.sh
141355 sh
145560 sh /dev/shm/lpx.sh
157198 sh /dev/shm/lpx.sh
172875 sh
173350 sh
184563 sh /tmp/hirt.sh
202708 sh
216980 sh
223004 sh /tmp/hirt.sh
232142 sh /dev/shm/lpx.sh
245148 sh /dev/shm/lpx.sh
251665 sh
254437 sh /dev/shm/lpx.sh
281207 sh /dev/shm/lpx.sh
309513 sh
317559 sh
320240 sh
320243 sh
336527 sh /tmp/hirt.sh
337477 sh
354220 sh
355041 sh /dev/shm/lpx.sh
380730 sh
380823 sh
387379 sh
423719 sh
423744 sh
442638 sh /tmp/hirt.sh
469697 sh /dev/shm/lpx.sh
469732 sh /dev/shm/lpx.sh
472482 sh
508172 sh
525044 sh
539626 sh
546519 sh
569804 sh /dev/shm/lpx.sh
596841 sh /tmp/hirt.sh
614945 sh /tmp/hirt.sh
653375 sh /tmp/hirt.sh
655819 sh
679568 sh
706041 sh
710577 sh
711550 sh
712311 sh /dev/shm/lpx.sh
716410 sh
716436 sh
716511 sh
731656 sh
756703 sh
756780 sh /dev/shm/lpx.sh
761862 sh
770746 sh /tmp/hirt.sh
847065 sh
875200 sh /dev/shm/lpx.sh
881324 sh
901119 sh
918670 sh
918674 sh
937200 sh
952761 sh
952949 sh
973076 sh
980406 sh
982294 sh
1004650 sh
1022860 sh /dev/shm/lpx.sh
1056656 sh
1061739 sh /tmp/hirt.sh
1097002 sh /dev/shm/lpx.sh
1098937 sh /tmp/hirt.sh
1141910 sh /dev/shm/lpx.sh
1152369 sh
1157059 sh
1188093 sh
1215277 sh
1238147 sh
1238450 sh
1256025 sh
1296602 sh
1304085 sh
1304639 sh
1306396 sh
1307330 sh /dev/shm/lpx.sh
1316587 sh
1324448 sh
1325830 sh
1335553 sh /tmp/hirt.sh
1338838 sh
1339031 sh
1342308 sh
1343765 sh /dev/shm/lpx.sh
1355262 sh /tmp/hirt.sh
1364256 sh
1378211 sh
1384281 sh
1400072 sh /dev/shm/lpx.sh
1407539 sh
1430461 sh
1430557 sh
1443400 sh
1471367 sh
1505179 sh /dev/shm/lpx.sh
1553937 sh /tmp/hirt.sh
1559522 sh
1575797 sh
1575958 sh
1593044 sh /dev/shm/lpx.sh
1614178 sh
1614477 sh
1617628 sh
1656532 sh /dev/shm/lpx.sh
1665739 sh
1696241 sh /dev/shm/lpx.sh
1699112 sh
1719233 sh
1728114 sh /tmp/hirt.sh
1767446 sh
1767522 sh
1838665 sh
1874012 sh /dev/shm/lpx.sh
1874522 sleep 10
1874622 sleep 10
1874671 sleep 10
1874745 sleep 10
1874749 sleep 10
1875044 sleep 10
1875170 sleep 10
1875225 sleep 10
1875369 sleep 10
1875888 sleep 10
1876037 sleep 10
1876096 sleep 10
1876208 sleep 10
1876323 sleep 10
1876370 sleep 10
1876434 sleep 10
1876511 sleep 10
1876538 sleep 10
1876545 sleep 10
1876567 sleep 10
1876568 sleep 10
1876628 sleep 10
1876648 sleep 10
1876921 sleep 10
1876937 sleep 10
1877292 sleep 10
1877441 sleep 10
1877544 sleep 10
1877578 sleep 10
1877771 sleep 10
1877854 sleep 10
1877870 sleep 10
1878106 sleep 10
1878123 sleep 10
1878309 sleep 10
1878323 sleep 10
1878420 sleep 10
1878501 sleep 10
1878518 sleep 10
1878530 sleep 10
1878584 sleep 10
1878669 sleep 10
1879326 sleep 10
1879381 sleep 10
1879388 sleep 10
1879864 sleep 10
1879930 sleep 10
1879958 sleep 10
1879981 sleep 10
1880062 sleep 10
1880311 sleep 10
1880419 sleep 10
1880632 sleep 10
1880725 sleep 10
1880726 sleep 10
1880781 sleep 10
1880855 sleep 10
1880879 sleep 10
1880885 sleep 10
1880997 sleep 10
1881010 sleep 10
1881030 sleep 10
1881379 sleep 10
1881519 sleep 10
1881562 sleep 10
1881606 sleep 10
1881684 sleep 10
1881719 sleep 10
1881784 sleep 10
1881824 sleep 10
1881846 sleep 10
1881925 sleep 10
1881953 sleep 10
1882099 sleep 10
1882686 sleep 10
1882759 sleep 10
1882772 sleep 10
1882775 sleep 10
1882810 sleep 10
1882948 sleep 10
1897054 sh
1914412 sh /tmp/hirt.sh
1938244 sh /tmp/hirt.sh
1960303 sh /dev/shm/lpx.sh
1964337 sh
2001200 sh
2007846 sh /tmp/hirt.sh
2021344 sh
2029684 sh
2062468 sh /dev/shm/lpx.sh
2100578 sh
2100600 sh
2118789 sh /dev/shm/lpx.sh
2142503 sh /tmp/hirt.sh
2155988 sh /dev/shm/lpx.sh
2159762 sh /tmp/hirt.sh
2160091 sh
2160232 sh
2194651 sh /dev/shm/lpx.sh
2205198 sh
2207491 sh
2221491 sh
2223566 sh
2230561 sh /dev/shm/lpx.sh
2255376 sh
2266607 sh
2266856 sh
2290112 sh
2311709 sh
2317761 sh
2319622 sh
2319738 sh
2322894 sh
2322900 sh
2325090 sh
2372872 sh /dev/shm/lpx.sh
2401599 sh
2414158 sh
2421217 sh
2421239 sh
2432772 sh /tmp/hirt.sh
2435099 sh /tmp/hirt.sh
2464075 sh /dev/shm/lpx.sh
2464717 sh
2471324 sh /tmp/hirt.sh
2496469 sh /dev/shm/lpx.sh
2512732 sh
2534415 sh
2537229 sh /dev/shm/lpx.sh
2571177 sh /tmp/hirt.sh
2581748 sh /tmp/hirt.sh
2595732 sh
2617057 sh
2625025 sh /tmp/hirt.sh
2637655 sh
2648319 sh
2732474 sh
2765141 sh
2782084 sh /tmp/hirt.sh
2822237 sh
2825222 sh /dev/shm/lpx.sh
2831871 sh /tmp/hirt.sh
2833871 sh
2881325 sh
2901970 sh
2908785 sh /dev/shm/lpx.sh
2922937 sh
3000710 sh
3003558 sh
3010666 sh
3026116 sh /dev/shm/lpx.sh
3032346 sh /tmp/hirt.sh
3032443 sh /dev/shm/lpx.sh
3042839 sh
3067241 sh
3094161 sh
3094201 sh
3100264 sh /dev/shm/lpx.sh
3114489 sh
3181878 sh
3199518 sh /dev/shm/lpx.sh
3204221 sh
3209547 sh
3212622 sh
3231670 sh
3238781 sh
3276264 sh
3276267 sh
3281668 sh
3282165 sh
3283148 sh
3334116 sh
3334173 sh
3334536 sh
3342432 sh
3345142 sh
3346560 sh
3347837 sh
3356040 sh /dev/shm/lpx.sh
3356955 sh /tmp/hirt.sh
3366104 sh
3391862 sh
3391939 sh
3402957 sh /dev/shm/lpx.sh
3431875 sh
3432450 sh
3432843 sh
3453325 sh
3518121 sh /dev/shm/lpx.sh
3535138 sh
3540273 sh
3583969 sh
3584251 sh
3634180 sh /tmp/hirt.sh
3657064 sh
3660170 sh /dev/shm/lpx.sh
3700623 sh /tmp/hirt.sh
3727593 sh
3748246 sh
3753583 sh
3753604 sh
3753739 sh
3778971 sh
3782544 sh
3806532 sh /dev/shm/lpx.sh
3841094 sh
3861812 sh
3936161 sh
3937684 sh /tmp/hirt.sh
3956878 sh
3960508 sh
3961342 sh
3961906 sh
4024554 sh /tmp/hirt.sh
4065577 sh
4123792 sh /dev/shm/lpx.sh
4163400 sh /dev/shm/lpx.sh
4183952 sh /dev/shm/lpx.sh
orangepi@orangepi5plus:~$
From this shell output, a large number of malicious scripts are running.
sh /dev/shm/lpx.sh # dozens of instances
sh /tmp/hirt.sh # several instances
CH4 Analysis
PID 52496 is the main process (/bin/node /app/startServer.js)
├── many sh script executions
│ ├── sh /dev/shm/lpx.sh
│ ├── sh /tmp/hirt.sh
│ └── sleep 10 (delay loop)
# these scripts try to kill specific processes
ps aux | grep javae\|xmrig\|987645.top\|test2.sh\|supportxmr\|c3pool
xargs -I % kill -9 %
pkill -9 perfcc # tries to terminate the perfcc process
These commands indicate:
- The attacker is trying to terminate security/monitoring processes (such as perfcc)
- The attacker is clearing out other, competing malware (xmrig is a mining program)
- The attacker is establishing persistent control
In addition, the system has hundreds of zombie processes
[sh] <defunct>
This shows that the malicious scripts keep fork/exec-ing new processes, but the parent process never reaps its children properly.
All of these scripts descend from the process with PID 52496, whose original command is as follows
/bin/node /app/startServer.js
This should be a Node.js web server, which means a persistent Docker container is involved.
Run the following command to look at the Docker containers' COMMAND column
orangepi@orangepi5plus:~$ sudo docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
...
6e837934a926 lobehub/lobe-chat-database "/bin/node /app/star…" 4 months ago Up 2 days 0.0.0.0:3210->3210/tcp, [::]:3210->3210/tcp lobe-chat
...
As can be seen, this is a LobeChat container. This means the malicious scripts have already penetrated to the host. Possible reasons:
- The container uses --privileged or --network=host mode
- Files inside the container were written to the host through a Volume mount
- The container has a privilege-escape vulnerability
The path is as follows:
lobe-chat container (vulnerability)
↓
Command injection / file upload / other vulnerability
↓
Attacker gains privileges inside the container
↓
Downloads and executes malicious scripts
↓
Writes /dev/shm/lpx.sh and /tmp/hirt.sh (host directories)
↓
Escapes to the host by some means, or simply multiplies inside the container
↓
Large numbers of malicious processes run, consuming system resources
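The attribution worked out by hand above (the ps listing, the common parent PID 52496, then docker ps) can be scripted. The shell below is an added example, not code from the original post or from LobeChat: it parses a `ps -eo pid,ppid,uid,user,cmd` listing, counts running instances of the dropped scripts and the unreaped `<defunct>` children per parent, and walks each process's parent chain to the container init PID that `docker inspect -f '{{.State.Pid}} {{.Name}}'` reports. The process lines are a constructed, abbreviated subset of the listing above; the container PID table and the /tomcat-sample name are constructed stand-ins.

```shell
# Added example (not from the original post): mechanical version of the CH4 triage.
# PS_SAMPLE is a constructed, abbreviated subset of the `ps -eo pid,ppid,uid,user,cmd`
# listing above. On a live host use:  ps -eo pid,ppid,uid,user,cmd --no-headers
PS_SAMPLE='14888 52496 1001 1001 [sh] <defunct>
48209 48159 1001 1001 /opt/java/openjdk/bin/java org.apache.catalina.startup.Bootstrap start
52496 52275 1001 1001 /bin/node /app/startServer.js
54769 52496 1001 1001 [sh] <defunct>
87543 52496 1001 1001 sh /dev/shm/lpx.sh
184563 52496 1001 1001 sh /tmp/hirt.sh
1877771 87543 1001 1001 sleep 10
1880312 3806532 1001 1001 ps -eo pid,args
1880319 3032346 1001 1001 ps aux
3032346 52496 1001 1001 sh /tmp/hirt.sh
3806532 52496 1001 1001 sh /dev/shm/lpx.sh'

# Constructed stand-in for "host PID of each container's init process -> name", i.e.
#   docker ps -q | xargs docker inspect -f '{{.State.Pid}} {{.Name}}'
# /tomcat-sample is an invented name; 52496 -> /lobe-chat matches the docker ps output above.
CONTAINER_PIDS='52496 /lobe-chat
48209 /tomcat-sample'

# Live instances of each dropped script (field 5 is "sh", field 6 the script path).
count_script_instances() {
    printf '%s\n' "$PS_SAMPLE" | awk '
        $5 == "sh" && $6 ~ /\.sh$/ { n = split($6, p, "/"); count[p[n]]++ }
        END { for (s in count) print s, count[s] }' | sort
}

# <defunct> children per parent PID: the reaping failure that piles up zombies.
count_zombies_by_parent() {
    printf '%s\n' "$PS_SAMPLE" | awk '
        $NF == "<defunct>" { z[$2]++ }
        END { for (p in z) print p, z[p] }' | sort -n
}

# Walk the PPID chain of $1, child first, until the parent is not in the listing
# (the listing was filtered to uid 1001, so the root-owned containerd-shim ends it).
ancestry() {
    printf '%s\n' "$PS_SAMPLE" | awk -v start="$1" '
        { ppid[$1] = $2 }
        END { pid = start; while (pid in ppid) { print pid; pid = ppid[pid] } }'
}

# Name of the container whose init PID appears in the chain, or "host" if none does.
container_of() {
    for p in $(ancestry "$1"); do
        name=$(printf '%s\n' "$CONTAINER_PIDS" | awk -v pid="$p" '$1 == pid { print $2 }')
        if [ -n "$name" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    printf 'host\n'
}

# One row per running dropped-script instance: pid, script, owning container.
report() {
    printf '%s\n' "$PS_SAMPLE" | awk '$5 == "sh" && $6 ~ /\.sh$/ { print $1, $6 }' |
    while read -r pid script; do
        printf '%s %s %s\n' "$pid" "$script" "$(container_of "$pid")"
    done
}

report
count_script_instances
count_zombies_by_parent
```

Paths in a process's cmd are relative to that process's own mount namespace, so `sudo ls -l /proc/52496/root/dev/shm/` shows whether lpx.sh lives in the container's filesystem or the host's.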
CH5 Remediation
Terminate all malicious processes
pkill -f lpx.sh
pkill -f hirt.sh
# kill mining-related processes
pkill -f xmrig
pkill -f javae
pkill -f perfcc
Delete the malicious script files
rm -f /dev/shm/lpx.sh
rm -f /tmp/hirt.sh
Then stop the container.
After the deletion, CPU usage dropped noticeably, but it was still not at a normal level, so the investigation had to continue.
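Before anything is redeployed, the three escape vectors listed in CH4 (privileged mode, host networking, mounts that let files written in the container land on the host) can be checked across every container. The audit below is an added example, not code from the original post: it parses the one-line-per-container output of `docker ps -aq | xargs docker inspect -f '{{.Name}} privileged={{.HostConfig.Privileged}} net={{.HostConfig.NetworkMode}} ro={{.HostConfig.ReadonlyRootfs}} mounts={{range .Mounts}}{{.Type}}:{{.Source}}->{{.Destination}},{{end}}'` and flags each risky setting. The sample lines are constructed; only /lobe-chat is a name from this incident, and its settings are invented too.

```shell
# Added example (not from the original post): audit container settings for the
# escape vectors named in CH4. INSPECT_SAMPLE is constructed; on a live host produce it with
#   docker ps -aq | xargs docker inspect -f \
#     '{{.Name}} privileged={{.HostConfig.Privileged}} net={{.HostConfig.NetworkMode}} ro={{.HostConfig.ReadonlyRootfs}} mounts={{range .Mounts}}{{.Type}}:{{.Source}}->{{.Destination}},{{end}}'
# Only /lobe-chat is a real name from the incident (settings invented); the others are made up.
INSPECT_SAMPLE='/lobe-chat privileged=false net=bridge ro=false mounts=
/constructed-risky privileged=true net=host ro=false mounts=bind:/var/run/docker.sock->/var/run/docker.sock,bind:/tmp->/tmp,
/constructed-volumes privileged=false net=app_default ro=true mounts=volume:app_data->/data,'

# Print "<name>: <flags>" per container, or "<name>: ok" when nothing is flagged.
audit_containers() {
    printf '%s\n' "$INSPECT_SAMPLE" | awk '
    {
        name = $1; flags = ""
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "privileged" && kv[2] == "true") flags = flags " privileged"
            else if (kv[1] == "net" && kv[2] == "host") flags = flags " host-network"
            else if (kv[1] == "ro" && kv[2] == "false") flags = flags " writable-rootfs"
            else if (kv[1] == "mounts") {
                n = split(kv[2], m, ",")
                for (j = 1; j <= n; j++) {
                    if (m[j] == "") continue
                    split(m[j], parts, ":")           # type:source->destination
                    if (parts[1] != "bind") continue   # named volumes stay under /var/lib/docker
                    split(parts[2], sd, "->")
                    if (sd[1] == "/var/run/docker.sock") flags = flags " docker-socket"
                    else flags = flags " bind:" sd[1]  # host path writable from the container
                }
            }
        }
        out = (flags == "" ? " ok" : flags)
        print name ":" out
    }'
}

# Containers with a flag that gives the workload reach onto the host (a writable
# rootfs alone is only a hygiene finding).
escape_capable() {
    audit_containers | awk '/ privileged| host-network| docker-socket| bind:/ { sub(/:$/, "", $1); print $1 }'
}

# For comparison, a hardened `docker run` for a container like /constructed-risky
# (all standard docker run options; sizes and limits are illustrative):
#   --cap-drop ALL --security-opt no-new-privileges --read-only \
#   --tmpfs /tmp:rw,nosuid,noexec,size=64m --tmpfs /dev/shm:rw,nosuid,noexec,size=64m \
#   --pids-limit 256 --cpus 2
# noexec stops dropped binaries from being executed directly, but an interpreter can
# still read a script from a tmpfs, so the pids and cpu limits are what bound a
# fork storm like the one in this post.

audit_containers
```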
CH6 Follow-up
Install the open-source antivirus ClamAV and scan the whole disk
# Debian/Ubuntu
sudo apt install clamav clamav-daemon -y
# update the virus database (the clamav-freshclam service must be stopped first)
sudo systemctl stop clamav-freshclam
sudo freshclam
# start the service
sudo systemctl start clamav-freshclam
sudo systemctl enable clamav-freshclam
# scan the whole disk and write a report
sudo clamscan -r / -l /tmp/clamav-report.txt
The Summary is as follows
Known viruses: 3627519
Engine version: 1.4.3
Scanned directories: 323329
Scanned files: 1486446
Infected files: 8
Total errors: 1355
Data scanned: 89951.79 MB
Data read: 78828.89 MB (ratio 1.14:1)
Time: 41732.808 sec (695 m 32 s)
Start Date: 2026:02:17 03:02:16
End Date: 2026:02:17 14:37:49
8 infected files were found; list them with the following command.
sudo grep -i "FOUND" /tmp/clamav-report.txt
It turned out that Dify also had a Vshell backdoor.
/var/lib/docker/overlay2/563ba9df3a49f55d76fe2bdefbed527533a6d2003fbb1c69bebafcfece1fa120/diff/app/web/am64: Unix.Malware.Vshell-10044416-0 FOUND
/var/lib/docker/overlay2/563ba9df3a49f55d76fe2bdefbed527533a6d2003fbb1c69bebafcfece1fa120/diff/app/web/e386: Unix.Malware.Vshell-10044416-0 FOUND
/var/lib/docker/overlay2/563ba9df3a49f55d76fe2bdefbed527533a6d2003fbb1c69bebafcfece1fa120/merged/app/web/am64: Unix.Malware.Vshell-10044416-0 FOUND
/var/lib/docker/overlay2/563ba9df3a49f55d76fe2bdefbed527533a6d2003fbb1c69bebafcfece1fa120/merged/app/web/e386: Unix.Malware.Vshell-10044416-0 FOUND
/var/lib/docker/overlay2/f7121e8e809fdc8d997d865157a1db9dcf5575a565a5d613a2928024e448f58c/diff/app/am64: Unix.Malware.Vshell-10044416-0 FOUND
/var/lib/docker/overlay2/f7121e8e809fdc8d997d865157a1db9dcf5575a565a5d613a2928024e448f58c/diff/app/e386: Unix.Malware.Vshell-10044416-0 FOUND
/var/lib/docker/overlay2/f7121e8e809fdc8d997d865157a1db9dcf5575a565a5d613a2928024e448f58c/merged/app/am64: Unix.Malware.Vshell-10044416-0 FOUND
/var/lib/docker/overlay2/f7121e8e809fdc8d997d865157a1db9dcf5575a565a5d613a2928024e448f58c/merged/app/e386: Unix.Malware.Vshell-10044416-0 FOUND
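Hits under /var/lib/docker/overlay2 name a layer id, not a container, so the report has to be mapped back before a container can be stopped and rebuilt. The shell below is an added example, not code from the original post, ClamAV or Dify: it takes the FOUND lines above and a table of each container's writable layer as produced by `docker ps -aq | xargs docker inspect -f '{{.Name}} {{.GraphDriver.Data.UpperDir}}'`, and prints one row per infected file with the owning container and the path as seen inside it. The layer table is a constructed stand-in with invented container names; the layer ids are the ones from the report.

```shell
# Added example (not from the original post): map clamscan FOUND lines in overlay2 layers
# back to containers. FOUND_SAMPLE is the report excerpt above; LAYER_TABLE is a
# constructed stand-in (invented names, real layer ids from the report) for
#   docker ps -aq | xargs docker inspect -f '{{.Name}} {{.GraphDriver.Data.UpperDir}}'
FOUND_SAMPLE='/var/lib/docker/overlay2/563ba9df3a49f55d76fe2bdefbed527533a6d2003fbb1c69bebafcfece1fa120/diff/app/web/am64: Unix.Malware.Vshell-10044416-0 FOUND
/var/lib/docker/overlay2/563ba9df3a49f55d76fe2bdefbed527533a6d2003fbb1c69bebafcfece1fa120/diff/app/web/e386: Unix.Malware.Vshell-10044416-0 FOUND
/var/lib/docker/overlay2/563ba9df3a49f55d76fe2bdefbed527533a6d2003fbb1c69bebafcfece1fa120/merged/app/web/am64: Unix.Malware.Vshell-10044416-0 FOUND
/var/lib/docker/overlay2/563ba9df3a49f55d76fe2bdefbed527533a6d2003fbb1c69bebafcfece1fa120/merged/app/web/e386: Unix.Malware.Vshell-10044416-0 FOUND
/var/lib/docker/overlay2/f7121e8e809fdc8d997d865157a1db9dcf5575a565a5d613a2928024e448f58c/diff/app/am64: Unix.Malware.Vshell-10044416-0 FOUND
/var/lib/docker/overlay2/f7121e8e809fdc8d997d865157a1db9dcf5575a565a5d613a2928024e448f58c/diff/app/e386: Unix.Malware.Vshell-10044416-0 FOUND
/var/lib/docker/overlay2/f7121e8e809fdc8d997d865157a1db9dcf5575a565a5d613a2928024e448f58c/merged/app/am64: Unix.Malware.Vshell-10044416-0 FOUND
/var/lib/docker/overlay2/f7121e8e809fdc8d997d865157a1db9dcf5575a565a5d613a2928024e448f58c/merged/app/e386: Unix.Malware.Vshell-10044416-0 FOUND'
LAYER_TABLE='/dify-web-sample /var/lib/docker/overlay2/563ba9df3a49f55d76fe2bdefbed527533a6d2003fbb1c69bebafcfece1fa120/diff
/dify-api-sample /var/lib/docker/overlay2/f7121e8e809fdc8d997d865157a1db9dcf5575a565a5d613a2928024e448f58c/diff'

# One row per infected file: container, path inside the container, signature.
# The diff/ and merged/ views of the same file collapse into a single row.
map_found_to_containers() {
    printf '%s\n' "$FOUND_SAMPLE" | awk -v table="$LAYER_TABLE" '
    BEGIN {
        n = split(table, rows, "\n")
        for (i = 1; i <= n; i++) {
            split(rows[i], f, " ")             # name upperdir
            m = split(f[2], seg, "/")           # .../overlay2/<id>/diff -> seg[m-1] is <id>
            layer[seg[m-1]] = f[1]
        }
    }
    / FOUND$/ {
        path = $0; sub(/: [^:]* FOUND$/, "", path)
        sig = $0;  sub(/^.*: /, "", sig); sub(/ FOUND$/, "", sig)
        if (!match(path, /\/overlay2\/[0-9a-f]+\/(diff|merged)/)) next
        split(substr(path, RSTART, RLENGTH), s, "/")   # s[3] is the layer id
        inner = substr(path, RSTART + RLENGTH)
        name = (s[3] in layer) ? layer[s[3]] : "unknown-layer:" s[3]
        key = name " " inner
        if (!(key in seen)) { seen[key] = 1; print name, inner, sig }
    }' | sort
}

# Distinct containers with hits: the ones to stop, preserve for analysis and rebuild.
containers_hit() {
    map_found_to_containers | awk '{ print $1 }' | sort -u
}

map_found_to_containers
```

A hit whose layer id is a container's UpperDir sits in that container's writable layer, so the file was written after the container was created rather than shipped in the image; to attribute hits in image layers as well, add rows from `docker image inspect -f '{{.GraphDriver.Data.UpperDir}}'` to the table.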
So I reinstalled Dify (after installing it I never deployed any workflows on this machine; I use Dify on another server, so the instance on this machine was idle). After that, CPU usage fell back to a normal level of about 5%. I suspect something escaped from Dify's Sandbox container to the host and then affected LobeChat, which spawned the processes? It is very strange: the key point is that as soon as the Dify-related containers were shut down, the CPU usage dropped, yet those two things were definitely created by LobeChat. I don't know the reason either.
I also checked the server's audit logs and found that during this period many IPs from the Netherlands, the United States and the United Kingdom were concentrating on trying to log in to the server. Perhaps that is why the high usage kept reappearing one to two days after each reboot recently. My original policy was to ban an IP after two wrong passwords; they rotated through at least 100 IP addresses trying to brute-force the server. So I tightened the policy to ban an IP after a single wrong password.