Notes on troubleshooting a server that was being used for mining: the xmrig mining virus

[Alibaba Cloud] Dear aliyun98****8825:
It has been detected that your Alibaba Cloud service (ECS instance) i-0jl8awxohyxk****axz5 has mining activities. According to relevant regulations and policies, please complete the rectification of mining problems before 00:00 on July 18, 2023, otherwise your service will be shut down. For details, please check the email or message notification on the Alibaba Cloud site.
If you have other questions, you can log in to the Alibaba Cloud official website for online consultation.

I rented a server on Alibaba Cloud. In the morning I received a robocall saying that the server was being used for mining. I was so annoyed. Why is the mining dog still alive?
Recorded on 2023.07.11.

1. Discovery

I first searched the Internet to see if anyone had had a similar experience, and found that a Bilibili uploader had posted a video documenting the experience and troubleshooting of a server being mined. After watching his video, I had a clearer idea of what to do.
Use the following command to view the current processes:

ps -a

I found some strange processes but was not sure which one it was.
The resource monitoring on the Alibaba Cloud console showed that a lot of resources had suddenly been taken up.

top: query

Sort by CPU usage to see the current resource consumption of each process.

top

top displays a ranked list of processes in a full-screen interactive interface and tracks system resource usage (CPU, memory, etc.) in real time. By default it refreshes every three seconds. Its function is roughly the same as the Task Manager on Windows.
You can see that the xmrig process is using a lot of CPU, and a Baidu search confirms that xmrig is a mining virus.

2. Investigation

I looked it up on Baidu and found that it is really troublesome; maybe my security awareness is not strong enough.
First, find the file path of the xmrig virus:

ls -l /proc/<PID>/exe

> lrwxrwxrwx 1 root root 0 Jul 11 13:04 /proc/3934534/exe -> /root/.cfg/xmrig

The path was found, but cd could not enter that hidden directory, and a file that cannot be found cannot be deleted. Later it turned out that the path was a redirected one. So I searched with another command:

find / -name xmrig

> /var/lib/docker/overlay2/860d7d30e33967a65150a3f93c5994a9077e1906e0f9ccda73ee1008803b92f1/merged/root/.cfg/xmrig
> /var/lib/docker/overlay2/860d7d30e33967a65150a3f93c5994a9077e1906e0f9ccda73ee1008803b92f1/diff/root/.cfg/xmrig

I found two copies of the virus, entered the folder and found a running docker container. It turned out that the container had been invaded by the virus.
Two days ago I had started a docker container to build a Python environment, mapped the container's openssh port to a public port, and set a relatively simple password (123456). So it was attacked. This is the blog post I followed: PyCharm connecting remotely to the Python environment in a docker container on the server by opening the container's port.

At this point I could actually just have deleted the docker container and recreated it. Instead I watched online tutorials and practiced the cleanup.
The mining dog also changed the password of my server (although it was just a docker container), so annoying!

3. Cleanup

Again, find the file path of the xmrig virus:

top

>    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
>  11347 root      20   0 2440420   2.0g   4012 S 201.0  14.0   2399:29 xmrig

ls -l /proc/11347/exe

> lrwxrwxrwx 1 root root 0 Jul 11 07:18 /proc/11347/exe -> /root/.cfg/xmrig

This time, cd into the directory and you can see several virus files:

cd /root/.cfg/
ls

> bios.txt  ps  xmrig

Among them, bios.txt contains three IPs (172.18.0.1-3).
Delete the entire virus folder directly:

rm -rf /root/.cfg

Kill the process:

kill -9 11347

At this point, the virus has been cleaned up and the server has returned to normal.

I did not run into the scheduled-task problem here, but such viruses are generally stubborn; that is covered under "Other issues" below.

4. Other issues

Other blogs mentioned the problem of scheduled tasks, so I am including it here for reference.

1. Scheduled task crontab

Running crontab -l showed no scheduled task, yet the miner kept restarting.
Checking the crontab file in /etc (cd /etc/) revealed a hidden scheduled task.
Deleting the file with rm -rf /etc/crontab failed with a permission error.

chattr -ia /etc/crontab
rm -rf /etc/crontab

After deleting it, check the other crontab files in the /etc directory; the virus had backed up its scheduled task in several places. As long as they are not your own scheduled tasks, just delete the files.

2. Scheduled tasks 2

1. Delete scheduled tasks: rm -rf /var/spool/cron
2. Delete ssh authentication information: rm -rf ~/.ssh/
3. The cause may be programs such as redis.
4. Use internal-network connections where possible and do not expose ports or public addresses.
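The checks this post walks through (a binary under a hidden directory like /root/.cfg, a path that only exists inside a docker overlay2 layer, and cron files locked with the immutable flag that make rm fail until chattr -ia) collected into one helper script. This is an added example, not code from the original post; it assumes Linux with procps ps, awk and lsattr, and the 50% CPU threshold and cron paths are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux with procps ps,
# awk and lsattr; the 50% CPU threshold and cron paths are my choices.

# Resolve the binary behind a PID, as the post does with `ls -l /proc/PID/exe`.
exe_of_pid() { readlink "/proc/$1/exe" 2>/dev/null; }

# Return 0 if any path component starts with a dot, e.g. /root/.cfg/xmrig.
is_hidden_path() {
    case "/$1/" in */.*) return 0 ;; *) return 1 ;; esac
}

# Print the overlay2 layer id when a path found by `find /` lies under
# /var/lib/docker/overlay2, i.e. the file belongs to a container, not the host.
overlay_layer_of() {
    case "$1" in
        /var/lib/docker/overlay2/*) rest="${1#/var/lib/docker/overlay2/}"
                                    printf '%s\n' "${rest%%/*}" ;;
        *) return 1 ;;
    esac
}

# Given one `lsattr` line ("----i---------e------- /etc/crontab"), return 0 if
# the immutable (i) or append-only (a) flag is set; rm fails until `chattr -ia`.
attr_locked() {
    case "${1%% *}" in *i*|*a*) return 0 ;; *) return 1 ;; esac
}

# Cron files the post mentions (/etc/crontab, /var/spool/cron) that are locked.
locked_cron_files() {
    lsattr -d /etc/crontab /etc/cron.d/* /var/spool/cron/* 2>/dev/null |
    while IFS= read -r line; do attr_locked "$line" && printf '%s\n' "${line#* }"; done
}

# Processes above a %CPU threshold, like the 201% xmrig entry that top showed.
hot_processes() {
    ps -eo pid=,pcpu=,comm= | awk -v lim="${1:-50}" '$2 + 0 > lim + 0 { print $1, $2, $3 }'
}

report() {
    hot_processes "${1:-50}" | while read -r pid cpu comm; do
        exe=$(exe_of_pid "$pid")
        echo "PID $pid ($comm, ${cpu}% CPU) -> ${exe:-unknown}"
        is_hidden_path "$exe" && echo "  warning: binary lives in a hidden directory"
        [ -n "$exe" ] && [ ! -e "$exe" ] && echo "  note: path absent on host; may be inside a container (try: find / -name $comm)"
    done
    locked_cron_files | sed 's/^/  locked cron file: /'
}

case "${1:-}" in --report) report "${2:-50}" ;; esac
```

Run it as root with `sh check.sh --report` (optionally followed by a CPU threshold) to print the suspicious processes and locked cron files on the host.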

3. Disable root remote login

How to disable remote root login (log in as another user and then su):

sudo vi /etc/ssh/sshd_config

To disable remote root login, find PermitRootLogin and set it to no:

PermitRootLogin no

Restart the ssh service:

sudo service ssh restart

References

Detailed tutorial on how to clear the xmrig mining virus from a Linux server.
How to deal with the xmrig virus on a Linux server.
I accidentally discovered that one of my cloud servers was poisoned by the mining program xmrig. Alas!
Xmrig mining Trojan troubleshooting process: xmrig takes up a lot of CPU.


Origin blog.csdn.net/aiaidexiaji/article/details/131663833