Skip to main content

Preview Question 3

Use context: kubectl config use-context workload-stage

A security scan result shows that there is an unknown miner process running on one of the Nodes in cluster3. The report states that the process is listening on port 6666. Kill the process and delete the binary.

Answer:

We have a look at existing Nodes:

➜ k get node
NAME                     STATUS   ROLES           AGE    VERSION
cluster3-controlplane1   Ready    control-plane   109m   v1.28.5
cluster3-node1           Ready    <none>          105m   v1.28.5

First we check the master:

ssh cluster3-controlplane1

➜ root@cluster3-controlplane1:~# netstat -plnt | grep 6666

➜ root@cluster3-controlplane1:~#

Doesn't look like any process listening on this port. So we check the worker:

ssh cluster3-node1

➜ root@cluster3-node1:~# netstat -plnt | grep 6666
tcp6       0      0 :::6666                 :::*        LISTEN      9591/system-atm  

# There we go! We could also use lsof:

➜ root@cluster3-node1:~# lsof -i :6666
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
system-at 9591 root    3u  IPv6  47760      0t0  TCP *:6666 (LISTEN)

#Before we kill the process we can check the magic /proc directory for the full process path:

➜ root@cluster3-node1:~# ls -lh /proc/9591/exe
lrwxrwxrwx 1 root root 0 Sep 26 16:10 /proc/9591/exe -> /bin/system-atm

# So we finish it:

➜ root@cluster3-node1:~# kill -9 9591

➜ root@cluster3-node1:~# rm /bin/system-atm

Done.