Notes on handling a server that was hijacked for crypto-mining!
-
First, while watching GPU processes with watch -n 1 nvidia-smi, I noticed that several GPUs were pinned at 100% utilization.
-
Locate the script's directory from the process PID
ll /proc/pid
cd /tmp/.dev   # found python3 script code in this directory
# So I did the following two things:
kill -9 pid    # kill the process
rm -rf /tmp/.dev/python3   # delete the script
# Checked nvidia-smi again and it was back to normal. I thought the problem was happily solved, but a while later the GPU was at 100% again.
# So I started searching Baidu. Posts online said there would be a scheduled script, and I also found that the process still had a parent process that had not been killed.
cat /proc/pid/status   # find the parent process from the child process
kill -9 PPID
crontab -l   # list the current schedule
# That did not help either: no scheduled command exists under root.
# In the /tmp/.dev/ directory:
ll -a   # the file owner is test and the creation time is April 30
# Then I started searching frantically for "test" and for files created on April 30:
find / -name test   # find every file named test
find /etc -mtime 12   # every file created in the window [n-1, n] days ago
# Finally found the script under /var/tmp.
# Also found a set of scheduled-task files and similar under /var/spool; the Makefile among them startled me (see the appreciation in part 3 below).
# Found the mining program PhoenixMiner under /home/server/user/test, so it can be concluded that the miner got into the server through the test user under the server user.
# A passwordless login had been planted in /root/.ssh/known_hosts (very slick, I must say): 10.80.0.3
# Using netstat -ntu, the recently connected address was this same IP.
# Whether this IP is the attacker's own machine or a compromised host, I don't know.
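The investigation above runs PID, script path, parent process, cron, file owner and timestamps, SSH keys. The helpers below are an added example, not the post's own commands, and turn those steps into POSIX shell functions. Every function takes a root directory as its first argument so the logic can be exercised against a constructed /proc and filesystem tree (the constructed tree, the function names and the list of drop directories are assumptions of this example); on a live host pass /proc and /. One caveat the post's own check missed: key-based login is granted by ~/.ssh/authorized_keys, while known_hosts only records hosts an account has connected to, so the SSH helper reads authorized_keys for root and every home directory.

```shell
#!/bin/sh
# Added example: triage helpers for a suspected GPU miner, not commands from the post.
# Every function takes a root directory as its first argument so the logic can be
# exercised against a constructed tree; on a live host pass /proc and / respectively.

# Walk PPid links from one PID up to init and print the chain ("4242 4200 1").
# A miner whose parent survives kill -9 is simply respawned, so the chain matters.
ancestry_chain() {
    procroot=$1; pid=$2; chain=""
    while [ -r "$procroot/$pid/status" ]; do
        chain="${chain:+$chain }$pid"
        ppid=$(awk '/^PPid:/ { print $2 }' "$procroot/$pid/status")
        [ -n "$ppid" ] && [ "$ppid" -gt 0 ] || break
        pid=$ppid
    done
    printf '%s\n' "$chain"
}

# Executable, working directory and command line of one process. exe and cwd keep
# pointing at the script's location (suffixed "(deleted)") even after rm.
describe_pid() {
    procroot=$1; pid=$2
    exe=$(readlink "$procroot/$pid/exe" 2>/dev/null || echo '?')
    cwd=$(readlink "$procroot/$pid/cwd" 2>/dev/null || echo '?')
    cmd=$(tr '\0' ' ' 2>/dev/null < "$procroot/$pid/cmdline" | sed 's/ *$//')
    printf 'pid=%s exe=%s cwd=%s cmd=%s\n' "$pid" "$exe" "$cwd" "$cmd"
}

# Cron lines that run something out of the world-writable staging directories
# miners favour. crontab -l shows only the caller's table; the system cron
# directories and every user's spool file have to be read as well.
suspicious_cron_lines() {
    root=$1
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
        if [ -f "$f" ]; then
            grep -n -E '/tmp/|/var/tmp/|/dev/shm/' "$f" | sed "s|^|${f#"$root"}:|"
        fi
    done
}

# Number of authorized SSH keys per account (root and every home directory).
# A planted key that grants password-less login lives in authorized_keys.
authorized_key_counts() {
    root=$1
    for d in "$root"/root "$root"/home/*; do
        f=$d/.ssh/authorized_keys
        if [ -f "$f" ]; then
            printf '%s %s\n' "${d#"$root"}" "$(grep -c -v -E '^[[:space:]]*(#|$)' "$f")"
        fi
    done
}

# Regular files changed within the last N days in the usual drop locations.
# The post's find /etc -mtime 12 pinned the intrusion to one day; the same
# window over these directories turns up the siblings of the first script.
recent_files() {
    root=$1; days=$2
    for d in tmp var/tmp dev/shm var/spool home root; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -xdev -type f -mtime "-$days"
        fi
    done
}

# Stand-alone use on a live host: sh triage.sh <pid>
if [ -n "${1:-}" ]; then
    for p in $(ancestry_chain /proc "$1"); do describe_pid /proc "$p"; done
    suspicious_cron_lines /
    authorized_key_counts /
    recent_files / 14
fi
```

Run it against the PID nvidia-smi reports and read the whole ancestry chain before killing anything; the cron and key listings are what decide whether a kill will stick.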
-
Makefile appreciation: it looks like a script that collects the server's users, passwords, groups and related information.
# Makefile to (re-)generate db versions of system database files.
# Copyright (C) 1996-2013 Free Software Foundation, Inc.
# This file is part of the GNU C Library.
# Contributed by Ulrich Drepper <drepper@cygnus.com>, 1996.
#
# The GNU C Library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.

# The GNU C Library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public
# License along with the GNU C Library; if not, see
# <http://www.gnu.org/licenses/>.

DATABASES = $(wildcard /etc/passwd /etc/group /etc/ethers /etc/protocols \
		     /etc/rpc /etc/services /etc/shadow /etc/gshadow \
		     /etc/netgroup)

VAR_DB = /var/db

AWK = awk
MAKEDB = makedb --quiet

all: $(patsubst %,$(VAR_DB)/%.db,$(notdir $(DATABASES)))


$(VAR_DB)/passwd.db: /etc/passwd
	@echo -n "$(patsubst %.db,%,$(@F))... "
	@$(AWK) 'BEGIN { FS=":"; OFS=":" } \
		 /^[ \t]*$$/ { next } \
		 /^[ \t]*#/ { next } \
		 /^[^#]/ { printf ".%s ", $$1; print; \
			   printf "=%s ", $$3; print }' $^ | \
	$(MAKEDB) -o $@ -
	@echo "done."

$(VAR_DB)/group.db: /etc/group
	@echo -n "$(patsubst %.db,%,$(@F))... "
	@$(AWK) 'BEGIN { FS=":"; OFS=":" } \
		 /^[ \t]*$$/ { next } \
		 /^[ \t]*#/ { next } \
		 /^[^#]/ { printf ".%s ", $$1; print; \
			   printf "=%s ", $$3; print; \
			   if ($$4 != "") { \
			     split($$4, grmems, ","); \
			     for (memidx in grmems) { \
			       mem=grmems[memidx]; \
			       if (members[mem] == "") \
				 members[mem]=$$3; \
			       else \
				 members[mem]=members[mem] "," $$3; \
			     } \
			     delete grmems; } } \
		 END { for (mem in members) \
			 printf ":%s %s %s\n", mem, mem, members[mem]; }' $^ | \
	$(MAKEDB) -o $@ -
	@echo "done."

$(VAR_DB)/ethers.db: /etc/ethers
	@echo -n "$(patsubst %.db,%,$(@F))... "
	@$(AWK) '/^[ \t]*$$/ { next } \
		 /^[ \t]*#/ { next } \
		 /^[^#]/ { printf ".%s ", $$1; print; \
			   printf "=%s ", $$2; print }' $^ | \
	$(MAKEDB) -o $@ -
	@echo "done."

$(VAR_DB)/protocols.db: /etc/protocols
	@echo -n "$(patsubst %.db,%,$(@F))... "
	@$(AWK) '/^[ \t]*$$/ { next } \
		 /^[ \t]*#/ { next } \
		 /^[^#]/ { printf ".%s ", $$1; print; \
			   printf "=%s ", $$2; print; \
			   for (i = 3; i <= NF && !($$i ~ /^#/); ++i) \
			     { printf ".%s ", $$i; print } }' $^ | \
	$(MAKEDB) -o $@ -
	@echo "done."

$(VAR_DB)/rpc.db: /etc/rpc
	@echo -n "$(patsubst %.db,%,$(@F))... "
	@$(AWK) '/^[ \t]*$$/ { next } \
		 /^[ \t]*#/ { next } \
		 /^[^#]/ { printf ".%s ", $$1; print; \
			   printf "=%s ", $$2; print; \
			   for (i = 3; i <= NF && !($$i ~ /^#/); ++i) \
			     { printf ".%s ", $$i; print } }' $^ | \
	$(MAKEDB) -o $@ -
	@echo "done."

$(VAR_DB)/services.db: /etc/services
	@echo -n "$(patsubst %.db,%,$(@F))... "
	@$(AWK) 'BEGIN { FS="[ \t/]+" } \
		 /^[ \t]*$$/ { next } \
		 /^[ \t]*#/ { next } \
		 /^[^#]/ { sub(/[ \t]*#.*$$/, "");\
			   printf ":%s/%s ", $$1, $$3; print; \
			   printf ":%s/ ", $$1; print; \
			   printf "=%s/%s ", $$2, $$3; print; \
			   printf "=%s/ ", $$2; print; \
			   for (i = 4; i <= NF && !($$i ~ /^#/); ++i) \
			     { printf ":%s/%s ", $$i, $$3; print; \
			       printf ":%s/ ", $$i; print } }' $^ | \
	$(MAKEDB) -o $@ -
	@echo "done."

$(VAR_DB)/shadow.db: /etc/shadow
	@echo -n "$(patsubst %.db,%,$(@F))... "
	@$(AWK) 'BEGIN { FS=":"; OFS=":" } \
		 /^[ \t]*$$/ { next } \
		 /^[ \t]*#/ { next } \
		 /^[^#]/ { printf ".%s ", $$1; print }' $^ | \
	(umask 077 && $(MAKEDB) -o $@ -)
	@echo "done."
	@if chgrp shadow $@ 2>/dev/null; then \
	  chmod g+r $@; \
	else \
	  chown 0 $@; chgrp 0 $@; chmod 600 $@; \
	  echo; \
	  echo "Warning: The shadow password database $@"; \
	  echo "has been set to be readable only by root.  You may want"; \
	  echo "to make it readable by the \`shadow' group depending"; \
	  echo "on your configuration."; \
	  echo; \
	fi

$(VAR_DB)/gshadow.db: /etc/gshadow
	@echo -n "$(patsubst %.db,%,$(@F))... "
	@$(AWK) 'BEGIN { FS=":"; OFS=":" } \
		 /^[ \t]*$$/ { next } \
		 /^[ \t]*#/ { next } \
		 /^[^#]/ { printf ".%s ", $$1; print }' $^ | \
	(umask 077 && $(MAKEDB) -o $@ -)
	@echo "done."
	@if chgrp shadow $@ 2>/dev/null; then \
	  chmod g+r $@; \
	else \
	  chown 0 $@; chgrp 0 $@; chmod 600 $@; \
	  echo; \
	  echo "Warning: The shadow group database $@"; \
	  echo "has been set to be readable only by root.  You may want"; \
	  echo "to make it readable by the \`shadow' group depending"; \
	  echo "on your configuration."; \
	  echo; \
	fi

$(VAR_DB)/netgroup.db: /etc/netgroup
	@echo -n "$(patsubst %.db,%,$(@F))... "
	@$(AWK) 'BEGIN { ini=1 } \
		 /^[ \t]*$$/ { next } \
		 /^[ \t]*#/ { next } \
		 /^[^#]/ { if (sub(/[ \t]*\\$$/, " ") == 0) end="\n"; \
			   else end=""; \
			   gsub(/[ \t]+/, " "); \
			   sub(/^[ \t]*/, ""); \
			   if (ini == 0) printf "%s%s", $$0, end; \
			   else printf ".%s %s%s", $$1, $$0, end; \
			   ini=end == "" ? 0 : 1; } \
		 END { if (ini==0) printf "\n" }' $^ | \
	$(MAKEDB) -o $@ -
	@echo "done."
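Before deleting anything turned up by a hunt like this, it is worth asking whether the file belongs to an installed package and whether it still matches what the package recorded. The Makefile above is a case in point: its header and targets are those of the GNU C Library's nss_db Makefile, which glibc installs as /var/db/Makefile to rebuild the /var/db/*.db lookup files from /etc/passwd, /etc/group, /etc/shadow and friends. A copy sitting where it does not belong, as here under /var/spool, is exactly the situation where package ownership tells you whether you are looking at the distribution's own file or at something dropped next to the malware. The helper below is an added example and not from the post; it uses dpkg or rpm where present (the function names, output labels and the sample files in the test are assumptions of this example) and reports what it found rather than deciding for you.

```shell
#!/bin/sh
# Added example: classify a suspicious file by package ownership before deleting it.
# Output of package_status is one of
#   owned:<pkg>:ok        an installed package ships this path and the contents match
#   owned:<pkg>:modified  an installed package ships this path but the contents changed
#   unowned               no installed package claims this path
#   no-package-manager    neither dpkg nor rpm is available on this host
package_status() {
    f=$1
    if command -v dpkg >/dev/null 2>&1; then
        # dpkg -S prints "pkg: /path" (or "pkg1, pkg2: /path"); exit 1 when nothing matches
        if owner=$(dpkg -S "$f" 2>/dev/null); then
            pkg=$(printf '%s\n' "$owner" | grep -v '^diversion' | head -n 1 | sed 's/[:,].*$//')
            # dpkg --verify lists only files whose md5sum no longer matches the package
            if dpkg --verify "$pkg" 2>/dev/null | grep -q -F -- " $f"; then
                echo "owned:$pkg:modified"
            else
                echo "owned:$pkg:ok"
            fi
        else
            echo unowned
        fi
    elif command -v rpm >/dev/null 2>&1; then
        # rpm -qf prints the owning package name; exit 1 when the file is not owned
        if pkg=$(rpm -qf "$f" 2>/dev/null); then
            # rpm -V lists only files that differ from the package's recorded attributes
            if rpm -V "$pkg" 2>/dev/null | grep -q -F -- " $f"; then
                echo "owned:$pkg:modified"
            else
                echo "owned:$pkg:ok"
            fi
        else
            echo unowned
        fi
    else
        echo no-package-manager
    fi
}

# One "status path" line per regular file (hidden ones included) in a directory,
# e.g. for the /var/spool listing from the post, so stock files stand out from
# the planted ones.
classify_dir() {
    dir=$1
    for f in "$dir"/* "$dir"/.[!.]*; do
        if [ -f "$f" ]; then
            printf '%s %s\n' "$(package_status "$f")" "$f"
        fi
    done
}

# Stand-alone use: sh pkgcheck.sh /var/spool/suspect-file   or   sh pkgcheck.sh /var/spool
if [ -n "${1:-}" ]; then
    if [ -d "$1" ]; then
        classify_dir "$1"
    else
        printf '%s %s\n' "$(package_status "$1")" "$1"
    fi
fi
```

A file reported as owned and ok can be left alone; an owned but modified file has been tampered with and is evidence; an unowned file in a system directory is the one to preserve a copy of and then remove. Hashes of anything unowned are worth recording before deletion, since the post's cleanup removed the files without keeping them.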
-
Finally, I deleted every file listed in part 2, reported the incident to the network management center, and installed antivirus software. That is where things stand for now!
Keep your feet on the ground and mind the fundamentals.