Discovery process
Because I habitually run conky, CPU and memory usage are always displayed on my desktop. Since I am not the only one using the server, I recently noticed that a bash process under my classmate's account was taking up a lot of resources. When I asked him, he also said that he had never used anything bash-related. He had always thought it might be a software bug or something like that, so he wanted to look into it carefully this time.
Troubleshooting process
Running top, we can see that the zhy user's bash process occupies a lot of CPU and memory, which is very abnormal.
So I searched for cases of bash consuming too much CPU and found this blog post: "Ubuntu 16.04.06 LTS: bash process CPU usage is very high, infected with a mining virus".
After reading the troubleshooting process in that post, I followed it and found that my situation was very similar.
First, I looked at the scheduled tasks and found that there was indeed a bash entry. After checking its contents, I found that it executed the x86_64 file in the zhy user's .bash directory.
The name looked a bit like a system file, but under my own user there was no .bash directory at all, and this scheduled task had not been set up by my classmate, so something was definitely wrong.
I also checked the process's network connections and found that it was communicating with 178.62.225.127.
I looked up the location of this IP and found that it is indeed abroad, just like in that blog post.
I opened the x86_64 file with a hex editor and found that it was packed with UPX.
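The three checks above (scheduled tasks, the process's network peers, and the UPX packer marker) can be scripted so the same triage is repeatable on a shared host. The script below is an added example, not code from the original post; the crontab text and the `ss -tnp` output it parses are constructed samples that mirror what the post describes (a cron entry running ~/.bash/x86_64 and a connection to 178.62.225.127), and the `triage_user` function is a hypothetical wrapper for running the same checks live as root.

```shell
#!/bin/sh
# Added triage helpers for a suspected miner on a shared Linux host.
# Not from the original post. The SAMPLE_* data below is constructed;
# the path ~/.bash/x86_64 and the peer IP mirror the post's findings.

# Check 1: scheduled tasks. From crontab text on stdin, print non-comment
# lines that run something from a hidden directory (a "/.name/" component).
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' | grep -E '/\.[A-Za-z0-9_-]+/'
}

# Check 2: network peers. From `ss -tnp` output on stdin and a PID argument,
# print the remote address:port of every connection owned by that PID.
remote_peers_for_pid() {
    awk -v pid="$1" '$0 ~ ("pid=" pid ",") { print $5 }'
}

# Check 3: packer marker. UPX-packed ELF files carry the string "UPX!" near
# the start. NUL bytes are stripped so grep treats the input as text.
is_upx_packed() {
    head -c 4096 "$1" | tr -d '\000' | grep -q 'UPX!'
}

# Hypothetical live wrapper (run as root); not executed in this script.
# Collects the same three signals for one account.
triage_user() {
    user="$1"
    home=$(getent passwd "$user" | cut -d: -f6)
    echo "== suspicious cron entries for $user =="
    crontab -l -u "$user" 2>/dev/null | suspicious_cron_lines
    echo "== remote peers of $user's processes =="
    for pid in $(pgrep -u "$user"); do
        ss -tnp 2>/dev/null | remote_peers_for_pid "$pid"
    done
    echo "== hidden directories in $home =="
    find "$home" -maxdepth 1 -type d -name '.*'
}

# Constructed sample crontab: one benign entry and one that runs a hidden
# binary out of the user's home directory.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/backup.sh
*/10 * * * * /home/zhy/.bash/x86_64 >/dev/null 2>&1'

# Constructed sample of `ss -tnp`: the miner's connection plus an ssh session.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:49212 178.62.225.127:443 users:(("x86_64",pid=4242,fd=3))
ESTAB 0 0 10.0.0.5:22 10.0.0.9:51000 users:(("sshd",pid=911,fd=5))'

# Offline demonstration on the constructed samples.
echo "suspicious cron lines:"
printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_lines
echo "remote peers of pid 4242:"
printf '%s\n' "$SAMPLE_SS" | remote_peers_for_pid 4242
```

Each helper reads its input from stdin or a file argument, so the same functions work on captured output from another host as well as live data; a UPX marker alone is not proof of malice (legitimate software is sometimes packed), but a packed binary launched from a hidden directory by a cron entry the account owner did not create is the combination worth acting on.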
Afterword
The server's 4090 may have been targeted by criminals. Thanks to my habit of using conky to display CPU usage on the desktop, I was able to discover the problem in time. However, since I didn't know much about this area, I simply deleted the zhy user and its home directory, and I hope there will be no more problems in the future.