This was the first time one of our servers was hacked and used for mining by someone else. With the help of professionals, the mining virus was found and removed. This post is just my own record; it may not apply to every situation, but I still hope it can be of some help to you.
- Found the problem: a program was using a lot of GPU resources. I asked the owner of the account and found that it was not his program, and that it restarted automatically after being killed as root.
  - The program took up a lot of GPU resources, and its video memory usage was surprisingly uniform across the different graphics cards. Under normal circumstances a program run by a user occupies different amounts of video memory on different cards.
  - In the output of `ps -aux`, the command of the program pointed to a folder. Anyone who has used conda knows that the `python` under `bin/` is an executable file, not a folder, so there cannot be a `pytorch` folder beneath it either.
  - The folder `anaconda3` does not exist at all; this server has miniconda3 installed. (My guess is that the intruder compromised other servers first, where anaconda3 really does exist, then assumed that every server had anaconda3 and disguised the program as part of it.)
  - In addition, what I found online said that CPU usage is high when a machine is mining, yet this server's CPU usage was not high while its GPU usage was very high. Since mining needs a lot of graphics card resources, and the intruder may have camouflaged the CPU usage somehow, I tentatively concluded that the server had been hacked and used for mining by someone else, and sought professional help.
- Find the virus file:
  - Method 1: Since the intruder disguised the name of the program, it cannot be found by searching for that name directly. So start from the PID, find its files under /proc, and from there find the key path. Listing all the virus files reveals the keyword miner, and looking inside the files you can see ETH (Ethereum), POOL, WALLET and other keywords, which is conclusive proof of a mining virus. In addition, looking at the run file, you can see that the virus file is indeed disguised.
  - Method 2: Considering that the intruder may use some method to hide the virus program, here we locate the virus file through users' scheduled tasks: the virus process may get killed, and the intruder will not start it again by hand each time, so it is certain to be set to start automatically. The command to view scheduled tasks is

    ```sh
    crontab -l
    ```

    To check whether there are several copies of the virus file on the server, you can view the scheduled tasks of all users at once with the following:

    ```sh
    for u in $(cut -d: -f1 /etc/passwd); do
        echo "$u" >> temp.txt
        crontab -l -u "$u" >> temp.txt
    done
    cat temp.txt
    rm temp.txt
    ```

  - Method 3: Try to locate unique keywords in the virus files, such as "miner":

    ```sh
    updatedb
    locate miner
    # locate cannot search paths such as /dev/shm; to be safe you can use find instead, though it is slow
    # find / -name miner
    ```
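The observations above (one PID on every GPU with identical memory use, a `ps` command that is really a directory, and a cron entry that keeps restarting the process) can be tied into a single triage pass. The script below is an added example of mine, not code from the original post: `uniform_gpu_pids`, `inspect_pid`, `is_real_executable`, `flag_cron_lines` and `collect_cron_text` are my names, the keyword and path heuristics in `CRON_SUSPECT` are my assumption, and the nvidia-smi rows and crontab lines embedded in it are constructed samples rather than data from this incident.

```shell
#!/bin/sh
# Added example, not code from the original post. Ties the three observations
# above into one triage pass: which GPU process looks odd, what that PID really
# runs, and which crontab entries could be restarting it. Assumes a Linux host
# with /proc and, for the first helper, nvidia-smi output in the CSV form
# produced by: nvidia-smi --query-compute-apps=pid,used_memory,gpu_uuid --format=csv,noheader

# 1. The post's tell: one PID present on several GPUs with identical memory use.
#    Reads that CSV on stdin, prints the matching PIDs (sorted).
uniform_gpu_pids() {
    awk -F',' '
        {
            pid = $1; mem = $2
            gsub(/^[ \t]+|[ \t]+$/, "", pid); gsub(/^[ \t]+|[ \t]+$/, "", mem)
            gpus[pid]++
            if (!((pid, mem) in seen)) { seen[pid, mem] = 1; distinct[pid]++ }
        }
        END { for (p in gpus) if (gpus[p] >= 2 && distinct[p] == 1) print p }
    ' | sort -n
}

# 2. Method 1 from the post: ignore the name shown by ps and ask /proc what the
#    process actually is. exe is the real binary (marked "(deleted)" if it was
#    removed after start), cwd is where it lives, cmdline is the possibly faked argv.
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    echo "exe:     $(readlink "/proc/$pid/exe")"
    echo "cwd:     $(readlink "/proc/$pid/cwd")"
    echo "cmdline: $(tr '\0' ' ' < "/proc/$pid/cmdline")"
}

# A real interpreter such as bin/python is a regular executable file; the post's
# intruder pointed the command at a directory. Returns 0 for a plausible binary.
is_real_executable() {
    [ -f "$1" ] && [ -x "$1" ]
}

# 3. Method 2 from the post: read crontab text on stdin and print entries that
#    look like miner persistence. Heuristics are my own assumption: the keywords
#    the post found inside the malware, plus payloads under /dev/shm (which
#    locate does not index), /tmp, or a hidden directory.
CRON_SUSPECT='(^|[^[:alnum:]_])(miner|wallet|pool|eth)([^[:alnum:]_]|$)|/dev/shm/|/tmp/|/\.[[:alnum:]_]'
flag_cron_lines() {
    grep -v '^[[:space:]]*#' | grep -Ei "$CRON_SUSPECT"
}

# Gather every crontab the post's per-user loop covers, plus the system-wide
# cron locations, so flag_cron_lines sees them all at once (needs root).
collect_cron_text() {
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$u" 2>/dev/null | sed "s|^|$u: |"
    done
    cat /etc/crontab /etc/cron.d/* 2>/dev/null
}

# Constructed sample data (not from the incident) so the helpers run offline.
SAMPLE_GPU_APPS='23456, 9850 MiB, GPU-0
23456, 9850 MiB, GPU-1
23456, 9850 MiB, GPU-2
23456, 9850 MiB, GPU-3
31001, 11230 MiB, GPU-1
31001, 2048 MiB, GPU-2
40222, 512 MiB, GPU-0'

SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /home/alice/anaconda3/bin/python/pytorch/run >/dev/null 2>&1
@reboot /dev/shm/.x/miner >/dev/null 2>&1
*/10 * * * * /tmp/.cache/update >/dev/null 2>&1
30 2 * * 0 /usr/local/bin/backup.sh'

demo() {
    echo "GPU processes with uniform memory across cards:"
    printf '%s\n' "$SAMPLE_GPU_APPS" | uniform_gpu_pids
    echo "Suspicious crontab entries:"
    printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_lines
    echo "What this shell really is:"
    inspect_pid $$
}
# Uncomment to run against the constructed data (or: collect_cron_text | flag_cron_lines):
# demo
```

The crontab heuristics deliberately do not flag the disguised `anaconda3/bin/python/pytorch/run` entry in the sample: nothing in that name is suspicious, which is exactly why the post's Method 1 (asking /proc what the PID really runs) is the decisive check. Likewise, uniform memory across GPUs is a lead rather than proof, since a data-parallel training job can look the same; follow it with `inspect_pid`.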
- Countermeasures:
  - Delete the entire virus folder (the fake `python` directory), kill the related PID, and delete the related scheduled task (edit the crontab with `crontab -e`, or, if that is the only scheduled task, remove it with `crontab -r`).
  - Change the passwords of all users, and enforce some password complexity (cracklib can be used).
  - Remove sudo privileges from all users except administrators:

    ```sh
    admin="root,sudo,%sudo"   # fill in the administrator accounts (the first three must not be removed)
    # accounts granted full rights directly in /etc/sudoers
    for i in $(grep "ALL=(ALL:ALL) ALL" /etc/sudoers | cut -f 1 | cut -f 1 -d ' '); do
        echo "$i"
        # exact match against the admin list, so that e.g. "su" does not pass as "sudo"
        if ! echo "$admin" | tr ',' '\n' | grep -qxF "$i"; then
            echo "*** deluser $i sudo"
            # note: this only removes sudo group membership; a user granted rights
            # directly in /etc/sudoers keeps them until that line is removed with visudo
            deluser "$i" sudo
        fi
    done
    # members of the sudo group
    for i in $(getent group sudo | cut -f 4 -d : | tr -s ',' '\n'); do
        echo "$i"
        if ! echo "$admin" | tr ',' '\n' | grep -qxF "$i"; then
            echo "*** deluser $i sudo"
            deluser "$i" sudo
        fi
    done
    ```
  - Delete all existing keys and authorizations:

    ```sh
    updatedb
    # delete public + private keys
    for pub in $(locate .pub | grep '\.pub$'); do
        u=$(ls -l "$pub" | awk '{printf $3}')
        # judge by UID whether the owner is a regular user
        if [ 999 -lt "$(id -u "$u")" ]; then
            pri=${pub%.pub}
            rm "$pub"
            rm "$pri"
            echo del "$u" "$pub" "$pri"
        else
            echo save "$u" "$pub"
        fi
    done
    # delete known_hosts
    for i in $(locate known_hosts | grep 'known_hosts$'); do
        rm "$i"
        echo del "$i"
    done
    # delete authorized_keys
    for i in $(locate authorized_keys | grep 'authorized_keys$'); do
        rm "$i"
        echo del "$i"
    done
    # check what remains
    updatedb
    locate .pub | grep '\.pub$'
    locate known_hosts
    locate authorized_keys
    ```

    You may encounter a file that cannot be deleted even with root privileges. If `lsattr` shows that the file has hidden attributes other than `e`, use `chattr` to remove those attributes.
  - Allow remote connections only with keys; passwords must not be used.
  - Prohibit remote login with the root account.
  - Use endpoint antivirus software, intranet security monitoring products, vulnerability scanners and other professional tools.
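The key-only and no-remote-root items are sshd_config settings, and the note under the key cleanup about files root cannot delete is a file-attribute problem. The script below is an added example of mine, not code from the post: `sshd_value`, `audit_sshd_config`, `count_weak_sshd`, `lsattr_extra_flags` and `clear_extra_flags` are my names, it assumes a flat sshd_config (Include and Match blocks are not followed), and the two configs it writes to temp files are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original post. Two checks for the
# remediation items above. Assumptions are mine: sshd_config is a plain file
# (Include and Match blocks are not followed), and lsattr output has the
# attribute flags in its first column followed by the path.

# First effective value of an sshd_config keyword. sshd uses the FIRST
# occurrence of each keyword, so a hardened line appended to the end of the
# file is silently ignored if an earlier line already sets the keyword.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == key   { print $2; exit }
    ' "$1"
}

# Prints one WEAK line per setting that still allows password or root logins,
# the two things the post says to forbid. Missing keywords are taken at their
# OpenSSH defaults (PasswordAuthentication yes, PermitRootLogin
# prohibit-password, keyboard-interactive yes), which is what bites in practice.
audit_sshd_config() {
    cfg=${1:-/etc/ssh/sshd_config}
    pa=$(sshd_value "$cfg" PasswordAuthentication);  pa=${pa:-yes}
    prl=$(sshd_value "$cfg" PermitRootLogin);        prl=${prl:-prohibit-password}
    pk=$(sshd_value "$cfg" PubkeyAuthentication);    pk=${pk:-yes}
    # Password prompts can also arrive through PAM keyboard-interactive; the
    # keyword was renamed in OpenSSH 8.7, so accept either spelling.
    kbd=$(sshd_value "$cfg" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_value "$cfg" ChallengeResponseAuthentication)
    kbd=${kbd:-yes}

    [ "$pa"  = "no"  ] || echo "WEAK: PasswordAuthentication $pa (want: no)"
    [ "$kbd" = "no"  ] || echo "WEAK: KbdInteractiveAuthentication $kbd (want: no, or passwords return via PAM)"
    [ "$prl" = "no"  ] || echo "WEAK: PermitRootLogin $prl (want: no)"
    [ "$pk"  = "yes" ] || echo "WEAK: PubkeyAuthentication $pk (want: yes, keys are the only login method left)"
}

count_weak_sshd() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# lsattr prints a flag field such as "----i---------e-------" before the path.
# Returns the flags other than e (extents, normal on ext4); i (immutable) and
# a (append-only) are the ones that make rm fail even as root.
lsattr_extra_flags() {
    printf '%s\n' "$1" | awk '{print $1}' | tr -d 'e-'
}

# Strip those flags from a file or directory so it can be deleted: chattr -<flags> PATH.
clear_extra_flags() {
    flags=$(lsattr_extra_flags "$(lsattr -d "$1")")
    [ -n "$flags" ] && chattr "-$flags" "$1"
}

# Constructed sample configs (not from the incident), written to temp files.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
PasswordAuthentication yes
#PermitRootLogin prohibit-password
UsePAM yes
# appended during cleanup, but sshd keeps the first value set above
PasswordAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
EOF

# Usage: audit_sshd_config "$WEAK_CFG"   -> three WEAK lines
#        audit_sshd_config "$HARD_CFG"   -> nothing
#        lsattr_extra_flags "$(lsattr -d /path/to/virus/folder)"
```

The weak sample produces three findings, including that the `PasswordAuthentication no` appended during cleanup is ignored because sshd honours the first occurrence; search the whole file (and any included files) rather than appending. After editing, validate with `sshd -t`, reload sshd, and confirm a fresh key-based login works before closing the session you are in.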
PS: Garbage miners!!!