kk Blog —— 通用基础


# date: -d takes an epoch value (@int) or a date string; +%s prints epoch seconds, "+%F %T" prints YYYY-MM-DD HH:MM:SS
date [-d @int|str] [+%s|"+%F %T"]
# netstat -ltunp: listening TCP and UDP sockets, numeric addresses, with the owning PID/program name
netstat -ltunp
# sar -n DEV 1: per-interface network statistics, sampled every second
sar -n DEV 1

gps WGS84与GCJ02经纬度坐标转换 wx.getLocation

企业微信 获取地理位置接口

https://developer.work.weixin.qq.com/document/path/90504

经纬度坐标系统

https://blog.csdn.net/feinifi/article/details/120547127

https://blog.csdn.net/weixin_43773218/article/details/132145772

地球并不是一个规则的球体,而是一个椭球体。如何对椭球体进行坐标划定,这里有以下几种:

这里面提到的WGS84,也叫大地坐标系,它是原始坐标系统。为了数据安全和保密,通过地形图非线性保密处理算法(俗称火星加密)加密过的WGS84坐标系,俗称国测局坐标系或火星坐标系,就是我们今天所要提到的GCJ02。目前谷歌地图(中国cn)、腾讯地图、高德地图使用的都是GCJ02,只有百度地图没有使用这种加密算法,而是使用BD09。从名字上可以看出,GCJ02是2002年提出来的算法,BD09则是2009年提出来的。虽然百度地图没有使用GCJ02加密算法,但是它却是在GCJ02基础上做了一个二次加密,所以说,从WGS84坐标系不能直接转BD09,中间需要跨越一个GCJ02。反过来,将GCJ02或者BD09转为WGS84就是纠偏算法,相当于逆向解密;同样地,BD09直接到不了WGS84,中间还需要转为GCJ02。所以现在的很多算法,如果你看到有百度坐标转大地坐标,基本上需要借助火星坐标来计算。

WGS84与GCJ02经纬度坐标转换

js

// Constants for the geodetic (WGS-84) -> national-bureau (GCJ-02) conversion.
// x_PI is not referenced by any function in this listing.
// NOTE(review): pi * 3000 / 180 is the factor BD-09 conversions usually use — confirm the intended use.
var x_PI = (3.14159265358979324 * 3000.0) / 180.0;
var PI = 3.1415926535897932384626;
var aaa = 6378245.0; // Author's note: projection factor from the satellite ellipsoid to the planar map coordinate system. NOTE(review): the value matches the Krasovsky 1940 semi-major axis in metres — confirm.
var eee = 0.00669342162296594323; // Author's note: eccentricity of the ellipsoid. NOTE(review): the value looks like the squared first eccentricity (e^2) rather than e — confirm.


/**
 * Bounding-box test: only coordinates inside the box get the GCJ-02 offset.
 *
 * @param {number} lng longitude
 * @param {number} lat latitude
 * @returns {boolean} true when the point lies outside the box
 */
function out_of_china(lng, lat) {
	var lngOutside = lng < 72.004 || lng > 137.8347;
	var latOutside = lat < 0.8293 || lat > 55.8271;
	return lngOutside || latOutside;
}

/**
 * Longitude component of the raw (unscaled) GCJ-02 offset.
 *
 * The callers in this listing pass coordinates already shifted by
 * (105, 35). The four terms are added in the same left-to-right order as
 * a running sum, so the floating-point result is unchanged.
 *
 * @param {number} lng shifted longitude
 * @param {number} lat shifted latitude
 * @returns {number} unscaled longitude offset
 */
function transformlng(lng, lat) {
	var base =
		300.0 + lng + 2.0 * lat + 0.1 * lng * lng + 0.1 * lng * lat +
		0.1 * Math.sqrt(Math.abs(lng));
	var shortWaves =
		((20.0 * Math.sin(6.0 * lng * PI) + 20.0 * Math.sin(2.0 * lng * PI)) * 2.0) / 3.0;
	var mediumWaves =
		((20.0 * Math.sin(lng * PI) + 40.0 * Math.sin((lng / 3.0) * PI)) * 2.0) / 3.0;
	var longWaves =
		((150.0 * Math.sin((lng / 12.0) * PI) + 300.0 * Math.sin((lng / 30.0) * PI)) * 2.0) / 3.0;

	return base + shortWaves + mediumWaves + longWaves;
}

/**
 * Latitude component of the raw (unscaled) GCJ-02 offset.
 *
 * The callers in this listing pass coordinates already shifted by
 * (105, 35). The four terms are added in the same left-to-right order as
 * a running sum, so the floating-point result is unchanged.
 *
 * @param {number} lng shifted longitude
 * @param {number} lat shifted latitude
 * @returns {number} unscaled latitude offset
 */
function transformlat(lng, lat) {
	var base =
		-100.0 + 2.0 * lng + 3.0 * lat + 0.2 * lat * lat + 0.1 * lng * lat +
		0.2 * Math.sqrt(Math.abs(lng));
	var shortWaves =
		((20.0 * Math.sin(6.0 * lng * PI) + 20.0 * Math.sin(2.0 * lng * PI)) * 2.0) / 3.0;
	var mediumWaves =
		((20.0 * Math.sin(lat * PI) + 40.0 * Math.sin((lat / 3.0) * PI)) * 2.0) / 3.0;
	var longWaves =
		((160.0 * Math.sin((lat / 12.0) * PI) + 320 * Math.sin((lat * PI) / 30.0)) * 2.0) / 3.0;

	return base + shortWaves + mediumWaves + longWaves;
}

/**
 * Convert a WGS-84 ("earth") coordinate to GCJ-02 ("Mars").
 *
 * @param {number} lng WGS-84 longitude
 * @param {number} lat WGS-84 latitude
 * @returns {number[]} [lng, lat] in GCJ-02; the input pair is returned
 *   unchanged when out_of_china() reports the point as outside the box
 */
function wgs84_to_gcj02(lng, lat) {
	if (out_of_china(lng, lat)) {
		return [lng, lat];
	}

	// Raw offsets are evaluated relative to the (105, 35) reference point.
	var rawLat = transformlat(lng - 105.0, lat - 35.0);
	var rawLng = transformlng(lng - 105.0, lat - 35.0);

	var latRad = (lat / 180.0) * PI;
	var sinLat = Math.sin(latRad);
	var w = 1 - eee * sinLat * sinLat;
	var sqrtW = Math.sqrt(w);

	// Scale the raw offsets into degree deltas using aaa and eee.
	var deltaLat = (rawLat * 180.0) / (((aaa * (1 - eee)) / (w * sqrtW)) * PI);
	var deltaLng = (rawLng * 180.0) / ((aaa / sqrtW) * Math.cos(latRad) * PI);

	return [lng + deltaLng, lat + deltaLat];
}

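/**
 * Convert a GCJ-02 ("Mars") coordinate back to WGS-84 ("earth").
 *
 * The forward offset is evaluated at the GCJ-02 point itself and then
 * subtracted (2 * p - forward(p)), so the result is a one-step
 * approximation of the inverse rather than an exact round trip.
 *
 * @param {number} lng GCJ-02 longitude
 * @param {number} lat GCJ-02 latitude
 * @returns {number[]} [lng, lat] in WGS-84; the input pair is returned
 *   unchanged when out_of_china() reports the point as outside the box
 */
function gcj02_to_wgs84(lng, lat) {
	if (out_of_china(lng, lat)) {
		return [lng, lat];
	}

	var dlat = transformlat(lng - 105.0, lat - 35.0);
	var dlng = transformlng(lng - 105.0, lat - 35.0);
	var radlat = lat / 180.0 * PI;
	var magic = Math.sin(radlat);
	magic = 1 - eee * magic * magic;
	var sqrtmagic = Math.sqrt(magic);
	dlat = (dlat * 180.0) / ((aaa * (1 - eee)) / (magic * sqrtmagic) * PI);
	dlng = (dlng * 180.0) / (aaa / sqrtmagic * Math.cos(radlat) * PI);

	// Declared locally: without `var` these became implicit globals, which
	// leaks state between calls and throws in strict mode / ES modules.
	var mglat = lat + dlat;
	var mglng = lng + dlng;

	return [lng * 2 - mglng, lat * 2 - mglat];
}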
// Usage example. Output recorded by the author (GCJ-02 [lng, lat]): 113.45001722075615, 22.20997597617679
<script> console.log(wgs84_to_gcj02(113.444603, 22.212654)); </script>;

php

// Constants for the geodetic (WGS-84) -> national-bureau (GCJ-02) conversion.
// $x_PI is not referenced by any method in this listing.
// NOTE(review): pi * 3000 / 180 is the factor BD-09 conversions usually use — confirm the intended use.
public $x_PI = (3.14159265358979324 * 3000.0) / 180.0;
public $PI = 3.1415926535897932384626;
public $aaa = 6378245.0; // Author's note: projection factor from the satellite ellipsoid to the planar map coordinate system. NOTE(review): the value matches the Krasovsky 1940 semi-major axis in metres — confirm.
public $eee = 0.00669342162296594323; // Author's note: eccentricity of the ellipsoid. NOTE(review): the value looks like the squared first eccentricity (e^2) rather than e — confirm.


/**
 * Bounding-box test: only coordinates inside the box get the GCJ-02 offset.
 *
 * @param float $lng longitude
 * @param float $lat latitude
 * @return bool true when the point lies outside the box
 */
function out_of_china($lng, $lat)
{
	$lngOutside = $lng < 72.004 || $lng > 137.8347;
	$latOutside = $lat < 0.8293 || $lat > 55.8271;

	return $lngOutside || $latOutside;
}

/**
 * Longitude component of the raw (unscaled) GCJ-02 offset.
 *
 * The callers in this listing pass coordinates already shifted by
 * (105, 35). The four terms are added in the same left-to-right order as
 * a running sum, so the floating-point result is unchanged.
 *
 * @param float $lng shifted longitude
 * @param float $lat shifted latitude
 * @return float unscaled longitude offset
 */
function transformlng($lng, $lat)
{
	$pi = $this->PI;

	$base = 300.0 + $lng + 2.0 * $lat + 0.1 * $lng * $lng + 0.1 * $lng * $lat
		+ 0.1 * sqrt(abs($lng));
	$shortWaves = ((20.0 * sin(6.0 * $lng * $pi) + 20.0 * sin(2.0 * $lng * $pi)) * 2.0) / 3.0;
	$mediumWaves = ((20.0 * sin($lng * $pi) + 40.0 * sin(($lng / 3.0) * $pi)) * 2.0) / 3.0;
	$longWaves = ((150.0 * sin(($lng / 12.0) * $pi) + 300.0 * sin(($lng / 30.0) * $pi)) * 2.0) / 3.0;

	return $base + $shortWaves + $mediumWaves + $longWaves;
}

/**
 * Latitude component of the raw (unscaled) GCJ-02 offset.
 *
 * The callers in this listing pass coordinates already shifted by
 * (105, 35). The four terms are added in the same left-to-right order as
 * a running sum, so the floating-point result is unchanged.
 *
 * @param float $lng shifted longitude
 * @param float $lat shifted latitude
 * @return float unscaled latitude offset
 */
function transformlat($lng, $lat)
{
	$pi = $this->PI;

	$base = -100.0 + 2.0 * $lng + 3.0 * $lat + 0.2 * $lat * $lat + 0.1 * $lng * $lat
		+ 0.2 * sqrt(abs($lng));
	$shortWaves = ((20.0 * sin(6.0 * $lng * $pi) + 20.0 * sin(2.0 * $lng * $pi)) * 2.0) / 3.0;
	$mediumWaves = ((20.0 * sin($lat * $pi) + 40.0 * sin(($lat / 3.0) * $pi)) * 2.0) / 3.0;
	$longWaves = ((160.0 * sin(($lat / 12.0) * $pi) + 320 * sin(($lat * $pi) / 30.0)) * 2.0) / 3.0;

	return $base + $shortWaves + $mediumWaves + $longWaves;
}

/**
 * Convert a WGS-84 ("earth") coordinate to GCJ-02 ("Mars").
 *
 * @param float $lng WGS-84 longitude
 * @param float $lat WGS-84 latitude
 * @return array [lng, lat] in GCJ-02; the input pair is returned unchanged
 *               when out_of_china() reports the point as outside the box
 */
function wgs84_to_gcj02($lng, $lat)
{
	if ($this->out_of_china($lng, $lat)) {
		return [$lng, $lat];
	}

	// Raw offsets are evaluated relative to the (105, 35) reference point.
	$rawLat = $this->transformlat($lng - 105.0, $lat - 35.0);
	$rawLng = $this->transformlng($lng - 105.0, $lat - 35.0);

	$latRad = ($lat / 180.0) * $this->PI;
	$sinLat = sin($latRad);
	$w = 1 - $this->eee * $sinLat * $sinLat;
	$sqrtW = sqrt($w);

	// Scale the raw offsets into degree deltas using $aaa and $eee.
	$deltaLat = ($rawLat * 180.0) / ((($this->aaa * (1 - $this->eee)) / ($w * $sqrtW)) * $this->PI);
	$deltaLng = ($rawLng * 180.0) / (($this->aaa / $sqrtW) * cos($latRad) * $this->PI);

	return [$lng + $deltaLng, $lat + $deltaLat];
}

/**
 * Convert a GCJ-02 ("Mars") coordinate back to WGS-84 ("earth").
 *
 * The forward offset is evaluated at the GCJ-02 point itself and then
 * subtracted (2 * p - forward(p)), so the result is a one-step
 * approximation of the inverse rather than an exact round trip.
 *
 * @param float $lng GCJ-02 longitude
 * @param float $lat GCJ-02 latitude
 * @return array [lng, lat] in WGS-84; the input pair is returned unchanged
 *               when out_of_china() reports the point as outside the box
 */
function gcj02_to_wgs84($lng, $lat)
{
	if ($this->out_of_china($lng, $lat)) {
		return [$lng, $lat];
	}

	$rawLat = $this->transformlat($lng - 105.0, $lat - 35.0);
	$rawLng = $this->transformlng($lng - 105.0, $lat - 35.0);

	$latRad = $lat / 180.0 * $this->PI;
	$sinLat = sin($latRad);
	$w = 1 - $this->eee * $sinLat * $sinLat;
	$sqrtW = sqrt($w);

	$deltaLat = ($rawLat * 180.0) / (($this->aaa * (1 - $this->eee)) / ($w * $sqrtW) * $this->PI);
	$deltaLng = ($rawLng * 180.0) / ($this->aaa / $sqrtW * cos($latRad) * $this->PI);

	$shiftedLat = $lat + $deltaLat;
	$shiftedLng = $lng + $deltaLng;

	return [$lng * 2 - $shiftedLng, $lat * 2 - $shiftedLat];
}
// Usage example. Output recorded by the author (GCJ-02 [lng, lat]): 113.45001722075615, 22.20997597617679
var_dump($this->wgs84_to_gcj02(113.444603, 22.212654));

百度坐标 火星坐标 转换

/**
 * Converts a GCJ-02 ("Mars") coordinate to BD-09; the Baidu system is a
 * second obfuscation layer applied on top of GCJ-02.
 *
 * NOTE(review): {@code pi} is defined outside this snippet. Reference BD-09
 * code usually multiplies by pi * 3000 / 180 (the x_PI constant declared in
 * the JS listing on this page) — confirm which value {@code pi} holds.
 *
 * @param gg_lat GCJ-02 latitude
 * @param gg_lon GCJ-02 longitude
 * @return the BD-09 point, built as {@code new Gps(lat, lon)}
 */
public static Gps gcj02_To_Bd09(double gg_lat, double gg_lon) {
	final double radius = Math.sqrt(gg_lon * gg_lon + gg_lat * gg_lat) + 0.00002 * Math.sin(gg_lat * pi);
	final double angle = Math.atan2(gg_lat, gg_lon) + 0.000003 * Math.cos(gg_lon * pi);
	final double bdLon = radius * Math.cos(angle) + 0.0065;
	final double bdLat = radius * Math.sin(angle) + 0.006;
	return new Gps(bdLat, bdLon);
}

/**
 * Converts a BD-09 (Baidu) coordinate back to GCJ-02 ("Mars") by removing
 * the fixed shift and reversing the radius/angle perturbation.
 *
 * NOTE(review): {@code pi} is defined outside this snippet. Reference BD-09
 * code usually multiplies by pi * 3000 / 180 (the x_PI constant declared in
 * the JS listing on this page) — confirm which value {@code pi} holds.
 *
 * @param bd_lat BD-09 latitude
 * @param bd_lon BD-09 longitude
 * @return the GCJ-02 point, built as {@code new Gps(lat, lon)}
 */
public static Gps bd09_To_Gcj02(double bd_lat, double bd_lon) {
	final double shiftedLon = bd_lon - 0.0065;
	final double shiftedLat = bd_lat - 0.006;
	final double radius = Math.sqrt(shiftedLon * shiftedLon + shiftedLat * shiftedLat)
			- 0.00002 * Math.sin(shiftedLat * pi);
	final double angle = Math.atan2(shiftedLat, shiftedLon) - 0.000003 * Math.cos(shiftedLon * pi);
	final double ggLon = radius * Math.cos(angle);
	final double ggLat = radius * Math.sin(angle);
	return new Gps(ggLat, ggLon);
}

钉钉API

注册

https://open-dev.dingtalk.com

创建web应用

https://open.dingtalk.com/document/orgapp/microapplication-creation-and-release-process

API 下载, 样例

https://open.dingtalk.com/document/orgapp/how-to-call-apis

https://open.dingtalk.com/document/orgapp/download-the-server-side-sdk?spm=ding_open_doc.document.0.0.a599b17dPaKiMo

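include "TopSdk.php";
// The HTTP method given here (DingTalkConstant::$METHOD_GET) must match the method the endpoint URL below expects.
// NOTE(review): $accessToken is not defined in this snippet; presumably it was obtained beforehand from the gettoken endpoint — confirm.
$c = new DingTalkClient(DingTalkConstant::$CALL_TYPE_OAPI, DingTalkConstant::$METHOD_GET , DingTalkConstant::$FORMAT_JSON);
$req = new OapiUserGetRequest();
$req->setUserid("userid1");
$resp = $c->execute($req, $accessToken,"https://oapi.dingtalk.com/user/get");
// Debug dump of the raw response, which holds user profile data; meant for local inspection only.
var_dump($resp);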
/**
 * Request the department list (topapi/v2/department/listsub) for the given
 * department ID and dump the raw SDK response.
 *
 * @param mixed $depid department ID handed to setDeptId(); defaults to 1
 */
function DepartmentListsub($depid = 1)
{
	$token = $this->gettoken();

	$client = new DingTalkClient(
		DingTalkConstant::$CALL_TYPE_OAPI,
		DingTalkConstant::$METHOD_POST,
		DingTalkConstant::$FORMAT_JSON
	);

	$request = new OapiV2DepartmentListsubRequest();
	$request->setDeptId($depid);
	$request->setLanguage("zh_CN");

	$response = $client->execute($request, $token, "https://oapi.dingtalk.com/topapi/v2/department/listsub");

	// Debug output of the raw response.
	var_dump($response);
}

发送工作通知

https://open.dingtalk.com/document/orgapp/asynchronous-sending-of-enterprise-session-messages

点击工作通知跳转到网页应用

https://open.dingtalk.com/document/orgapp/redirect-micro-applications-to-work-messages

/**
 * Request an access token from the gettoken endpoint with the app key and
 * app secret stored on this object.
 *
 * NOTE(review): a new token is requested on every call, and the response is
 * not checked for an error before access_token is read — consider caching
 * the token for its validity period and handling a failed response.
 *
 * @return mixed the access_token field of the SDK response
 */
function gettoken()
{
	$tokenClient = new DingTalkClient(
		DingTalkConstant::$CALL_TYPE_OAPI,
		DingTalkConstant::$METHOD_GET,
		DingTalkConstant::$FORMAT_JSON
	);

	$tokenRequest = new OapiGettokenRequest();
	$tokenRequest->setAppkey($this->ClientID);
	$tokenRequest->setAppsecret($this->ClientSecret);

	$tokenResponse = $tokenClient->execute($tokenRequest, '', "https://oapi.dingtalk.com/gettoken");

	// Debug aid, left disabled because it would print the access token:
	// var_dump($tokenResponse);
	return $tokenResponse->access_token;
}
/**
 * Send a work notification (asyncsend_v2) to a fixed user ID and dump the
 * raw SDK response.
 *
 * The message is a "link" card whose messageUrl is a dingtalk:// deep link
 * that opens this app (corpId / AgentId from this object) and jumps to
 * redirect_url.
 *
 * NOTE(review): redirect_url is appended without URL-encoding; a target that
 * itself contains '&' or '?' would be split into extra deep-link parameters —
 * confirm whether urlencode() is required here.
 */
function MessageCorpconversationAsyncsendV2()
{
	$token = $this->gettoken();

	$client = new DingTalkClient(
		DingTalkConstant::$CALL_TYPE_OAPI,
		DingTalkConstant::$METHOD_POST,
		DingTalkConstant::$FORMAT_JSON
	);

	$request = new OapiMessageCorpconversationAsyncsendV2Request();
	$request->setAgentId($this->AgentId);
	$request->setUseridList('045961');
	$request->setToAllUser(false);

	// Alternative payloads the author tried, kept for reference.
	//
	// Plain text:
	//   ["msgtype" => "text", "text" => ["content" => "12333"]]
	//
	// Link card that opens an ordinary web URL:
	//   ["msgtype" => "link", "link" => [
	//       "picUrl" => "https://a.com/g.png",
	//       "messageUrl" => "https://a.com/aa",
	//       "text" => "text",
	//       "title" => "title",
	//   ]]

	// Link card that opens the web app inside the DingTalk workbench.
	$linkCard = [
		"picUrl" => "https://a.com/g.png",
		"messageUrl" => "dingtalk://dingtalkclient/action/openapp?corpid={$this->corpId}&container_type=work_platform&app_id=0_{$this->AgentId}&redirect_type=jump&redirect_url=https://a.com/aaa",
		"text" => "text",
		"title" => "title",
	];
	$request->setMsg([
		"msgtype" => "link",
		"link" => $linkCard,
	]);

	$response = $client->execute($request, $token, "https://oapi.dingtalk.com/topapi/message/corpconversation/asyncsend_v2");

	// Debug output of the raw response.
	var_dump($response);
}

批量发送人与机器人会话中机器人消息

https://open.dingtalk.com/document/orgapp/chatbots-send-one-on-one-chat-messages-in-batches

通过免登码获取用户信息

https://open.dingtalk.com/document/orgapp/obtain-the-userid-of-a-user-by-using-the-log-free

https://open.dingtalk.com/document/orgapp/jsapi-get-auth-code

https://open.dingtalk.com/document/orgapp/webapp-read-before-development

只能用js获取code???

跳转不太和谐

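/**
 * Emit a demo page that asks the DingTalk JSAPI for a login-free auth code
 * in the browser and forwards it to the server-side getuserinfo handler.
 *
 * The code is passed in the URL query string, so it will show up in server
 * access logs; the receiving handler should exchange it right away and not
 * store or echo it.
 *
 * @param int $startpage not used by this function
 */
function auth($startpage = 0)
{
	echo "555<br>";
	echo "<div id='cc'>444</div>";
	echo "<div id='dd'>444</div>";
	// NOTE(review): third-party script loaded without Subresource Integrity;
	// consider adding integrity/crossorigin attributes for the pinned version.
	echo '<script src="https://g.alicdn.com/dingding/dingtalk-jsapi/3.0.25/dingtalk.open.js"></script>';
	// Earlier experiments, kept for reference:
	//echo "<script> dd.getAuthCode({ corpId: 'ding07018e',  success: (res) => { document.getElementById('cc').innerHTML = res.code; }, }); document.getElementById('dd').innerHTML = 'ff'; </script>";
	// echo "<script> dd.replacePage({ url: 'http://www.baidu.com' }); /* dd.closePage(); */ </script>";

	// The auth code is URL-encoded before it is appended to the query string,
	// so an unexpected character cannot alter the target URL.
	echo "<script> dd.getAuthCode({ corpId: 'ding07018e',  success: (res) => { dd.openLink({url: 'https://a.com/ding/getuserinfo?code='+encodeURIComponent(res.code) }); dd.closePage(); }, }); document.getElementById('dd').innerHTML = 'ff'; </script>";

	// Server side: exchange the code plus an access_token for the login-free user info, e.g.
	// curl -X POST -d "code=75e121d18" "https://oapi.dingtalk.com/topapi/v2/user/getuserinfo?access_token=6c53ee68"

	echo "666<br>";
}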

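/**
 * Exchange the login-free auth code from the query string for the DingTalk
 * user's info and print the result (debug page).
 *
 * The code is request input, and the API response is remote text, so both
 * are checked before use: a missing code stops the call, a response that
 * does not decode to an array is never indexed, and errmsg is HTML-escaped.
 */
function getuserinfo()
{
	$code = $this->input->get('code');

	// Refuse to call the API without a usable code from the request.
	if (!is_string($code) || $code === '') {
		echo "missing code";
		return;
	}

	$accessToken = $this->gettoken();

	// The endpoint takes the access token as a query parameter, which makes
	// this URL a secret: keep it out of logs and error output.
	$url = "https://oapi.dingtalk.com/topapi/v2/user/getuserinfo?access_token={$accessToken}";

	$header = array('Content-Type: application/json');
	$postfields = json_encode(array('code' => $code));
	$raw = $this->Wxapi_model->queryUrl($url, $header, $postfields);
	$res = json_decode($raw, true);

	// Strict comparison: a loose == 0 also matches non-numeric strings on older PHP.
	$succeeded = is_array($res)
		&& isset($res['errcode'])
		&& ($res['errcode'] === 0 || $res['errcode'] === '0');

	if ($succeeded) {
		$errmsg = isset($res['errmsg']) ? (string) $res['errmsg'] : '';
		echo htmlspecialchars($errmsg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "<br><br>";
		var_dump(isset($res['result']['userid']) ? $res['result']['userid'] : null);
		echo "<br><br>";
		var_dump(isset($res['result']) ? $res['result'] : null);
		echo "<br><br>";
	}

	// NOTE(review): debug dump of the full response (user profile data, not
	// HTML-escaped); remove it before serving this page to real users.
	var_dump($res);
}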

unhide 搜寻隐藏进程, 挖矿病毒处理

https://blog.csdn.net/weixin_48958956/article/details/139812765

https://www.cnblogs.com/bonelee/p/16976768.html

cpu us 达到 100%

top ps 命令无法发现进程

进程如何隐藏

Linux系统中有一个特殊的目录:/proc/,这个目录下的内容,不是硬盘上的文件系统,而是操作系统内核暴露出的内核中进程、线程相关的数据接口,也就是procfs,里面记录了系统上正在运行的进程和线程信息

而ps、top等命令的工作原理,实质上就是遍历这个目录。

知道了原理,想实现隐藏就有以下几个思路:

命令替换

直接替换系统中的ps、top命令工具。可以从GitHub上下载它们的源码,加入对应的过滤逻辑,在遍历进程的时候,剔除挖矿进程,实现隐藏的目的。

模块注入

编写一个动态链接库so文件,在so中,HOOK遍历相关的函数(readdir/readdir64),遍历的时候,过滤挖矿进程。

通过修改LD_PRELOAD环境变量或/etc/ld.so.preload文件,配置动态链接库,实现将其注入到目标进程中。

内核级隐藏

模块注入的方式是在应用层执行函数HOOK,隐藏挖矿进程,更进一步,可以通过加载驱动程序的方式在内核空间HOOK相应的系统调用来实现隐藏。不过这对攻击者的技术要求也更高,遇到这样的病毒清理起来挑战也更大了。

揪出挖矿进程

通过上面的进程隐藏原理看得出来,都是想尽办法隐藏/proc目录下的内容,类似于“障眼法”,所以包含ps、top、ls等等在内的命令,都没办法看到挖矿进程的存在。

但蒙上眼不代表不存在,有一个叫unhide的工具,就能用来查看隐藏进程。

# Scan /proc for PIDs that are hidden from the normal listing; the log at the end of this page shows the run taking about 26 minutes.
unhide proc

systemctl status <pid>:用上一步 unhide 找到的隐藏进程 PID,查出它所属的 systemd 服务

[root@localhost ~]# systemctl status 77206
● 800a7a3e.service - Server Service
    Loaded: loaded (/usr/lib/systemd/system/800a7a3e.service; disabled; vendor preset: disabled)
   Active: activating (auto-restart) since Tue 2024-08-27 09:00:26 CST; 14min ago
  Process: 47625 ExecStart=/usr/bin/800a7a3e0df6442b 800a7a3e (code=exited, status=0/SUCCESS)
 Main PID: 47625 (code=exited, status=0/SUCCESS)
    Tasks: 22
   Memory: 19.4M
   CGroup: /system.slice/800a7a3e.service
           └─77206 /945d4139

# Stop the unit that owns the hidden PID, then remove its boot-time enablement (xx = the unit name reported by systemctl status).
# Neither command deletes the unit file or the ExecStart binary; both paths appear in the status output and still need to be collected and removed.
# NOTE(review): the status output already lists the unit as "disabled" while it keeps restarting, so another start-up path may be launching it — check every persistence location, not only this unit.
systemctl stop xx.service
systemctl disable xx.service

/etc/rc.local被修改, lsattr被修改

先重装 e2fsprogs , 让 lsattr, chattr 可用

# Restore the packaged lsattr/chattr binaries; `rpm -V e2fsprogs` afterwards lists any files that still differ from the package.
yum reinstall e2fsprogs
# Show the extended attributes currently set on the file.
lsattr /etc/rc.local

# Clear the immutable flag so the file can be edited again.
chattr -i /etc/rc.local

# Clear the append-only flag as well.
chattr -a /etc/rc.local

unhide log

[root@localhost ~]# time unhide proc
Unhide 20130526
Copyright © 2013 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info

NOTE : This version of unhide is for systems using Linux >= 2.6

Used options:
[*]Searching for Hidden processes through /proc stat scanning

Found HIDDEN PID: 77206
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77207
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77208
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77209
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77210
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77211
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77345
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77346
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77347
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77348
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77349
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77350
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77351
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77352
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77353
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77354
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77355
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77356
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77357
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77358
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77359
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/

Found HIDDEN PID: 77360
        Cmdline: "/945d4139"
        Executable: "/945d4139 (deleted)"
        Command: "945d4139"
        $USER=root
        $PWD=/


real    25m58.149s
user    4m55.258s
sys     20m31.360s