Handling the 2t3ik and ddgs viruses on Alibaba Cloud CentOS

I hadn't logged in to Alibaba Cloud for a while. Two days ago I received a text message from Alibaba Cloud saying, roughly: an abnormal file download was detected on your Linux server, please log in to the console to view it. I logged in to the console and saw the following picture.

(Console screenshot: system CentOS)

Since I am a novice, I clicked around for a long time and found no free repair button; the details can only be viewed after upgrading to the enterprise edition. Upgrading to the enterprise edition is out of the question...

So I ignored it.

Today I had time to log in to the Alibaba Cloud server to see what was going on. I connected with Xshell, and when I typed commands they lagged one character at a time. I thought it was a problem with Xshell, so I went back to PuTTY to log in, but it was still the same: it took a long time to enter a single letter. This showed that it was not Xshell's problem. I patiently entered the top command to check, and there was a 2t3ik.p process occupying more than 99% of the CPU. I quickly killed this process and, hm, this time it wasn't stuck.


But I hadn't waited even half a minute before it started to lag again. I ran the top command again and saw that it was still 2t3ik.p, but the PID had changed.


I don't know what this process does, but no matter what it is, I have to kill the process that makes my server freeze, so I searched for it on Baidu. Unfortunately, searching Baidu for the keyword 2t3ik.p turned up no relevant information at all.


If Baidu doesn't work, then I'll go to Alibaba Cloud's official website to see if there is any solution. Unfortunately, I couldn't find one there either, so I just Googled it. Google was better: although there weren't many relevant results, I found clues for dealing with this 2t3ik.p process. The process file is in the /tmp directory.


So I deleted the 2t3ik.p file, but it appeared again within a minute, and the Alibaba Cloud management console again reported an abnormal file download.


Then I deleted this file again and created a new, empty 2t3ik.p file with no permissions. The 2t3ik.p process was gone, but then a 2t3ik.m process appeared instead.


There was a file 2t3ik.m in the /tmp folder.


I thought of making the whole /tmp folder unmodifiable, but I don't think that's realistic, because this folder will be needed in the future.

So instead I made all files starting with 2t3ik (and ddgs) unmodifiable, using the commands:

chattr +i 2t3ik*

chattr +i ddgs*

Done. No more 2t3ik processes.
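The steps above (find the process with top, kill it, delete the dropped /tmp file, replace it with an empty file that has no permissions, then lock it with chattr +i) fit in one script. The script below is an added example, not the original post's code and not anything from Alibaba Cloud; the function names, the INDICATOR_PATTERNS list and the extra checks are my assumptions. It goes beyond the post in two ways: it verifies afterwards that each placeholder is still empty, mode 000 and immutable, and it greps the system crontabs for the same file names, because a file that keeps coming back with a new PID is usually being re-downloaded by something scheduled. kill and chattr only take effect when run as root on a filesystem that supports the immutable attribute.

```shell
#!/bin/sh
# Added example (not from the original post). Responds to the dropped
# /tmp/2t3ik* and /tmp/ddgs* files the way the post describes and adds the
# checks a responder would want afterwards. Names below are assumptions.

INDICATOR_PATTERNS="2t3ik ddgs"   # file/process name prefixes from the post

# Print the PIDs of running processes whose command name starts with an
# indicator (read from /proc so it works without ps). Returns 0 if any found.
find_suspect_pids() {
    pids=""
    for dir in /proc/[0-9]*; do
        comm=$(cat "$dir/comm" 2>/dev/null) || continue
        for pat in $INDICATOR_PATTERNS; do
            case "$comm" in
                "$pat"*) pids="$pids ${dir#/proc/}" ;;
            esac
        done
    done
    pids=${pids# }
    [ -n "$pids" ] && printf '%s\n' "$pids"
    [ -n "$pids" ]
}

# Turn DIR/NAME into an empty, mode-000, immutable placeholder, creating it if
# it does not exist. This is the post's "new 2t3ik.p file without permission"
# plus "chattr +i", made explicit. The immutable flag needs root and an
# ext-style filesystem; a warning is printed if it could not be set.
make_placeholder() {
    f=$1/$2
    chattr -i "$f" 2>/dev/null || true   # unlock a placeholder from an earlier run
    rm -rf "$f"
    : > "$f"
    chmod 000 "$f"
    chattr +i "$f" 2>/dev/null || \
        echo "warning: immutable flag not set on $f (need root and chattr support)" >&2
}

# Replace every existing file in DIR whose name starts with an indicator.
neutralize_dropped_files() {
    dir=$1
    for pat in $INDICATOR_PATTERNS; do
        for f in "$dir/$pat"*; do
            [ -e "$f" ] || continue       # glob matched nothing
            make_placeholder "$dir" "${f##*/}"
        done
    done
}

# True if DIR/NAME is still the placeholder we left: a regular, empty,
# mode-000 file. (Immutability is reported separately by is_immutable.)
placeholder_intact() {
    f=$1/$2
    [ -f "$f" ] || return 1
    [ ! -s "$f" ] || return 1
    [ "$(stat -c %a "$f")" = "0" ] || return 1
    return 0
}

# True if lsattr shows the immutable ('i') flag on the file.
is_immutable() {
    case "$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1)" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Added check not in the post: cron entries mentioning an indicator name.
# A file that reappears with a new PID is usually being re-fetched on a schedule.
cron_references() {
    cat /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/* 2>/dev/null |
        grep -E "$(echo $INDICATOR_PATTERNS | tr ' ' '|')"
}

# Usage (as root): sh respond.sh /tmp
main() {
    dir=${1:-/tmp}
    if pids=$(find_suspect_pids); then
        echo "killing suspect processes: $pids"
        kill -9 $pids 2>/dev/null || true          # unquoted on purpose: one PID per word
    fi
    neutralize_dropped_files "$dir"
    for name in 2t3ik.p 2t3ik.m; do                # names seen in the post; pre-empt re-drop
        make_placeholder "$dir" "$name"
        placeholder_intact "$dir" "$name" && is_immutable "$dir/$name" \
            && echo "locked: $dir/$name" || echo "NOT fully locked: $dir/$name" >&2
    done
    echo "cron entries referencing indicators (empty is good):"
    cron_references || true
}

[ "$#" -gt 0 ] && main "$@"
```

Run it as root with the directory the files were dropped in (`sh respond.sh /tmp`). If the "cron entries" list is not empty, or the file still comes back after the placeholders are locked, something else on the host is re-downloading it and the placeholder alone is only buying time.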


No more annoying 2t3ik virus.

PS: Alibaba Cloud's Aliyundun really doesn't work; it can't stop this process.

PPS: Alibaba Cloud requires upgrading to the enterprise edition to view and handle exceptions with one click. Where would I get the spare money to upgrade?


Origin http://43.154.161.224:23101/article/api/json?id=324607756&siteId=291194637