The server was hijacked by a mining Trojan

Event review
At 12:30 on August 10, 2020, I received an alert from Alibaba Cloud that the server had been compromised by a mining Trojan; shortly afterwards the system became inaccessible. Logging in to the Alibaba Cloud control panel showed that all four nodes of the Kubernetes cluster were running at a very high CPU level (100%). The investigation was started immediately: the Trojan process was located and killed, its executable was deleted, the container running it was stopped, and the container image was removed. By 13:15 the Trojan had been cleaned from all four nodes, CPU usage had returned to normal, and the system was accessible again.
Processing method
1. Following the Alibaba Cloud (Aliyun) alert information, delete the Trojan program from the server.
2. Use the "top" command to find the process with the highest CPU usage on the server, use the "ps" command to confirm its process ID, and kill the Trojan process.
3. Use the "docker ps" command to identify the Docker container running the Trojan, remove that container, and delete the container image.
4. Check the server processes again: an abnormal "bash" process still shows very high usage. Inspect this abnormal "bash" service process and kill it; the server CPU usage then returns to normal and the system is accessible again.
5. Clean up junk files on the server.
6. Remove unrelated account authorizations from Kubernetes.
7. Check the firewall configuration.
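Steps 2 and 3 above can be tied together in a small triage script: every process above a CPU threshold is reported with its executable path and the container ID recovered from /proc/<pid>/cgroup, so the "top/ps" finding maps directly onto the "docker ps" finding. This is an added example, not code from the original post; the function names (high_cpu, container_id, triage) are my own, and the ps output and cgroup lines the functions are exercised on are constructed samples.

```shell
#!/bin/sh
# Triage helper (added example): link high-CPU processes to the container
# that runs them. Parsing is split into functions that read text on stdin
# so they can be checked offline against constructed samples.

# Print "pid cpu command" for each line of `ps -eo pid,pcpu,comm` output
# whose CPU percentage is at or above the threshold given as $1.
# The ps header line (NR == 1) is skipped.
high_cpu() {
  awk -v t="$1" 'NR > 1 && $2 + 0 >= t { print $1, $2, $3 }'
}

# Extract a 64-hex-digit Docker container ID from /proc/<pid>/cgroup
# content on stdin. Handles both the cgroup v1 ".../docker/<id>" layout
# and the systemd "docker-<id>.scope" layout; prints nothing for host
# processes, so an empty result means "not in a container".
container_id() {
  sed -n 's/.*docker[-/]\([0-9a-f]\{64\}\).*/\1/p' | head -n 1
}

# Live triage of the current host: for every process above the threshold
# (default 80%), show PID, CPU, command, executable and container ID.
# A deleted executable shows up as "(deleted)" in the readlink output,
# which is itself a strong indicator worth noting before the kill.
triage() {
  threshold="${1:-80}"
  ps -eo pid,pcpu,comm | high_cpu "$threshold" | while read -r pid cpu comm; do
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
    cid=""
    [ -r "/proc/$pid/cgroup" ] && cid=$(container_id < "/proc/$pid/cgroup")
    printf 'pid=%s cpu=%s comm=%s exe=%s container=%s\n' \
      "$pid" "$cpu" "$comm" "$exe" "${cid:-host}"
  done
}
```

Run `triage 80` on a node to get the list; the container column tells you which ID to pass to docker stop / docker rm in step 3, and "host" entries (like the abnormal bash in step 4) need to be handled at the node level.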

Origin blog.csdn.net/u014442879/article/details/108052667