Recently I noticed that the server's network traffic looked abnormal:

It was exactly the same situation as last month, when 1.5 TB of traffic was used up within 10 days; this time it looked set to go the same way, so I had to stop it promptly. There are several ways to check network usage, each suited to a different situation; they are described in turn below.
First, run sudo nethogs to see which process is using the bandwidth:

The SENT column is the one to watch: almost all of the bandwidth is going to the IP 116.198.58.85. Next, check how this IP is consuming it:
(base) root@ubuntu:~# sudo lsof -i | grep TCP
fwupdmgr 141983 fwupd-refresh 13u IPv4 853845216 0t0 TCP ubuntu:34840->199.232.150.49:https (ESTABLISHED)
docker-pr 1822301 root 7u IPv4 12795464 0t0 TCP localhost:8090 (LISTEN)
docker-pr 1822387 root 7u IPv4 12795534 0t0 TCP localhost:mysql (LISTEN)
docker-pr 1861219 root 7u IPv4 13136939 0t0 TCP *:27017 (LISTEN)
docker-pr 1861226 root 7u IPv6 13136940 0t0 TCP *:27017 (LISTEN)
docker-pr 1861588 root 7u IPv4 13137921 0t0 TCP *:tproxy (LISTEN)
docker-pr 1861596 root 7u IPv6 13137922 0t0 TCP *:tproxy (LISTEN)
docker-pr 1862685 root 7u IPv4 13143207 0t0 TCP *:8089 (LISTEN)
docker-pr 1862692 root 7u IPv6 13143208 0t0 TCP *:8089 (LISTEN)
openresty 1911635 root 3u IPv4 901605402 0t0 TCP ubuntu:https->116.198.58.89:55194 (ESTABLISHED)
openresty 1911635 root 10u IPv4 901580785 0t0 TCP ubuntu:https->116.198.48.29:28678 (ESTABLISHED)
As the output shows, it is mainly the openresty process, which is the service 1panel uses by default, so that explains it. Next, capture this IP's connections:
(base) root@ubuntu:~# sudo tcpdump -i any host 116.198.58.89 -nn -tttt
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
2025-10-28 13:42:42.418321 ens3 In IP 116.198.58.89.24606 > 172.16.0.10.80: Flags [SEW], seq 2756256314, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 11], length 0
2025-10-28 13:42:42.418419 ens3 Out IP 172.16.0.10.80 > 116.198.58.89.24606: Flags [S.], seq 2007984623, ack 2756256315, win 64860, options [mss 1410,nop,nop,sackOK,nop,wscale 7], length 0
2025-10-28 13:42:42.424221 ens3 In IP 116.198.58.89.24606 > 172.16.0.10.80: Flags [.], ack 1, win 15, length 0
2025-10-28 13:42:42.424221 ens3 In IP 116.198.58.89.24606 > 172.16.0.10.80: Flags [P.], seq 1:101, ack 1, win 15, length 100: HTTP: HEAD /assets/img/favicon.png HTTP/1.1
2025-10-28 13:42:42.424282 ens3 Out IP 172.16.0.10.80 > 116.198.58.89.24606: Flags [.], ack 101, win 506, length 0
2025-10-28 13:42:42.424426 ens3 Out IP 172.16.0.10.80 > 116.198.58.89.24606: Flags [P.], seq 1:268, ack 101, win 506, length 267: HTTP: HTTP/1.1 301 Moved Permanently
2025-10-28 13:42:42.430094 ens3 In IP 116.198.58.89.24606 > 172.16.0.10.80: Flags [.], ack 268, win 15, length 0
2025-10-28 13:42:42.451844 ens3 In IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [SEW], seq 1099166444, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 11], length 0
2025-10-28 13:42:42.451881 ens3 Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [S.], seq 3240740966, ack 1099166445, win 64860, options [mss 1410,nop,nop,sackOK,nop,wscale 7], length 0
2025-10-28 13:42:42.457619 ens3 In IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [.], ack 1, win 15, length 0
2025-10-28 13:42:42.457817 ens3 In IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [P.], seq 1:286, ack 1, win 15, length 285
2025-10-28 13:42:42.457831 ens3 Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [.], ack 286, win 505, length 0
2025-10-28 13:42:42.458951 ens3 Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [.], seq 1:1411, ack 286, win 505, length 1410
2025-10-28 13:42:42.458954 ens3 Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [.], seq 1411:2821, ack 286, win 505, length 1410
2025-10-28 13:42:42.458955 ens3 Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [P.], seq 2821:3170, ack 286, win 505, length 349
2025-10-28 13:42:42.464700 ens3 In IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [.], ack 1411, win 16, length 0
2025-10-28 13:42:42.464700 ens3 In IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [.], ack 3170, win 18, length 0
2025-10-28 13:42:42.468710 ens3 In IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [P.], seq 286:350, ack 3170, win 18, length 64
2025-10-28 13:42:42.468742 ens3 In IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [P.], seq 350:436, ack 3170, win 18, length 86
2025-10-28 13:42:42.468807 ens3 In IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [P.], seq 436:560, ack 3170, win 18, length 124
2025-10-28 13:42:42.468884 ens3 Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [P.], seq 3170:3457, ack 560, win 503, length 287
2025-10-28 13:42:42.468928 ens3 Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [P.], seq 3457:3744, ack 560, win 503, length 287
2025-10-28 13:42:42.469229 ens3 Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [P.], seq 3744:3828, ack 560, win 503, length 84
2025-10-28 13:42:42.474692 ens3 In IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [.], ack 3744, win 21, length 0
2025-10-28 13:42:42.474978 ens3 In IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [P.], seq 560:591, ack 3828, win 21, length 31
2025-10-28 13:42:42.474978 ens3 In IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [P.], seq 591:615, ack 3828, win 21, length 24
2025-10-28 13:42:42.475026 ens3 Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [.], ack 615, win 503, length 0
2025-10-28 13:42:42.475038 ens3 In IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [F.], seq 615, ack 3828, win 21, length 0
2025-10-28 13:42:42.475078 ens3 Out IP 172.16.0.10.443 > 116.198.58.89.49618: Flags [F.], seq 3828, ack 616, win 503, length 0
2025-10-28 13:42:42.476364 ens3 In IP 116.198.58.89.49640 > 172.16.0.10.443: Flags [SEW], seq 1608675265, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 11], length 0
2025-10-28 13:42:42.476397 ens3 Out IP 172.16.0.10.443 > 116.198.58.89.49640: Flags [S.], seq 2306403635, ack 1608675266, win 64860, options [mss 1410,nop,nop,sackOK,nop,wscale 7], length 0
2025-10-28 13:42:42.480823 ens3 In IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [.], ack 3829, win 21, length 0
The capture shows this culprit hammering the server with a large number of rapid requests in a short time, sending FIN right after the handshake, so it goes straight onto the blocklist:
sudo ufw deny from 116.198.58.89
From my later observation, the whole 116.198.58.0/20 and 116.198.48.0/20 ranges have the same problem, so they can be treated as junk IPs and blocked as entire ranges.
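As an added example (not from the original post), here is a small Python script that reads tcpdump output in the -nn -tttt format above, counts per source IP how many SYNs arrived and how many connections the client closed within a short window of its SYN, and builds the ufw rule with the prefix normalised. The sample lines, the 203.0.113.7 control client and the thresholds are constructed assumptions; the prefix normalisation also shows that 116.198.58.0/20 and 116.198.48.0/20 name the same network (116.198.48.0 to 116.198.63.255).

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample in the "tcpdump -i any -nn -tttt" line format shown above;
# 203.0.113.7 is a documentation address standing in for a normal, long-lived client.
SAMPLE = """\
2025-10-28 13:42:42.418321 ens3 In IP 116.198.58.89.24606 > 172.16.0.10.80: Flags [SEW], seq 2756256314, win 29200, length 0
2025-10-28 13:42:42.424221 ens3 In IP 116.198.58.89.24606 > 172.16.0.10.80: Flags [P.], seq 1:101, ack 1, win 15, length 100
2025-10-28 13:42:42.451844 ens3 In IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [SEW], seq 1099166444, win 29200, length 0
2025-10-28 13:42:42.475038 ens3 In IP 116.198.58.89.49618 > 172.16.0.10.443: Flags [F.], seq 615, ack 3828, win 21, length 0
2025-10-28 13:42:42.476364 ens3 In IP 116.198.58.89.49640 > 172.16.0.10.443: Flags [SEW], seq 1608675265, win 29200, length 0
2025-10-28 13:42:43.100000 ens3 In IP 203.0.113.7.51000 > 172.16.0.10.443: Flags [S], seq 1, win 29200, length 0
2025-10-28 13:42:55.000000 ens3 In IP 203.0.113.7.51000 > 172.16.0.10.443: Flags [F.], seq 900, ack 5000, win 21, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ (?P<dir>In|Out) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > \S+: Flags \[(?P<flags>[^\]]+)\]"
)

def connection_stats(text, window=1.0):
    """Per source IP: inbound SYNs, and connections FIN'd by the client within `window` seconds."""
    syn_at = {}
    stats = defaultdict(lambda: {"syn": 0, "short": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dir"] != "In":
            continue  # only count what the remote side sends us
        t = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        key, flags = (m["src"], m["sport"]), m["flags"]
        if "S" in flags and "." not in flags:  # pure SYN, not a SYN-ACK
            syn_at[key] = t
            stats[m["src"]]["syn"] += 1
        elif "F" in flags and key in syn_at:
            if (t - syn_at.pop(key)).total_seconds() <= window:
                stats[m["src"]]["short"] += 1
    return dict(stats)

def flag_sources(stats, min_syn=2, min_short=1):
    # Assumed thresholds: tune to the server's normal traffic before acting on them.
    return sorted(ip for ip, s in stats.items()
                  if s["syn"] >= min_syn and s["short"] >= min_short)

def deny_rule(target):
    """ufw command for a host or CIDR; strict=False rewrites 116.198.58.0/20 as 116.198.48.0/20."""
    net = ipaddress.ip_network(target, strict=False)
    who = str(net.network_address) if net.num_addresses == 1 else str(net)
    return f"sudo ufw deny from {who}"
```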
sudo iotop:

The effect is immediately visible:

马春杰杰