Recently I have been receiving a warning text message from Alibaba Cloud every night, indicating an abnormal file download on a Linux host:
I contacted Alibaba Cloud and submitted a work order, but nothing came of it:
So all I could do was search Baidu, where I found a similar article. Roughly, an attacker had used the exposed default Redis port to turn the server into a "broiler" (a zombie machine) for mining. There is a gpg-agentd process that uses a very large amount of memory. After checking, my server had indeed been hit;
So the fix, step by step:
1. Kill the process;
2. Modify the root account password;
3. Change the default port of Redis, and configure a password so that a login is required.
4. Delete the mining program script: /usr/bin/gpg-agentd
5. Run the command that lists the scheduled tasks: crontab -l
This cron entry is why the process comes back on its own a while after you kill it, so delete that task;
Since I don't need to use timed tasks, I shut down the service directly:
/sbin/service crond stop
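As an added example (not from the original post), a small triage script for the two checks in the steps above: whether a crontab dump contains an entry that respawns gpg-agentd, and whether a redis.conf is still exposed (default port, no password, bound to every interface). The Redis directives requirepass and bind are the real configuration keys; the crontab dump, both config files and the placeholder password are constructed here so it runs offline.

```shell
#!/bin/sh
# Added example, not the original post's code. Indicators are the ones the
# post names (the gpg-agentd binary and the cron line that restarts it).
# The crontab dump and both redis.conf samples below are constructed.

# Print crontab lines that (re)launch the miner. Reads a crontab dump on
# stdin (e.g. the output of `crontab -l`). Never fails, so it is safe under set -e.
miner_cron_entries() {
    grep -E '(^|[[:space:]/])gpg-agentd([[:space:]]|$)' || true
}

# Report exposure in a redis.conf: default port, no password, bound to all
# interfaces. Prints one finding per line; prints nothing when hardened.
redis_exposure_findings() {
    conf="$1"
    # Redis listens on 6379 when no 'port' directive is present at all.
    if ! grep -Eq '^[[:space:]]*port[[:space:]]+[0-9]+' "$conf" \
       || grep -Eq '^[[:space:]]*port[[:space:]]+6379([[:space:]]|$)' "$conf"; then
        echo "listening on default port 6379"
    fi
    if ! grep -Eq '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]' "$conf"; then
        echo "no requirepass set: unauthenticated access"
    fi
    # No 'bind' line, or a bind to 0.0.0.0, means every interface is reachable.
    if ! grep -Eq '^[[:space:]]*bind[[:space:]]+' "$conf" \
       || grep -Eq '^[[:space:]]*bind[[:space:]].*0\.0\.0\.0' "$conf"; then
        echo "bound to all interfaces"
    fi
    return 0
}

# --- constructed samples ---------------------------------------------------
WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
printf 'port 6379\nbind 0.0.0.0\n' > "$WEAK_CONF"
printf 'port 16379\nbind 127.0.0.1\nrequirepass CHANGE-ME-PLACEHOLDER\n' > "$HARDENED_CONF"
CRON_SAMPLE='0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/bin/gpg-agentd'

echo "== cron entries that respawn the miner =="
printf '%s\n' "$CRON_SAMPLE" | miner_cron_entries
echo "== weak redis.conf =="
redis_exposure_findings "$WEAK_CONF"
echo "== hardened redis.conf =="
redis_exposure_findings "$HARDENED_CONF"
```

On a real host, feed it `crontab -l` for root and the other users, plus the files under /etc/cron.d, since the entry may not be in the crontab you happen to look at first.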
The original posts I referred to:
https://blog.csdn.net/u010064124/article/details/79593060
https://blog.csdn.net/b376924098/article/details/79607334