Solutions for a mining program on Linux

Preface

The server's CPU usage unexpectedly climbed to 96% and access became very slow; troubleshooting showed that a mining program had been planted on the server.
1. File names used by the mining program:
NetworkService
sysguard
update.sh
config.json
sysupdates
kow930kd
kow709kd

2. Log file names used by the mining program:
101_og
275_og
2_og
630_og
sess
* ****
3. Remediation steps
1) Use top to find the PIDs of all suspicious processes.
2) # kill -9 $PID
3) Find the directory where the file is located and delete all the executable files:
# ls -l /proc/$PID/exe
4) # rm -rf NetworkServices [delete every such file, however many there are]
5) Delete /root/.ssh/authorized_keys:
# rm -rf /root/.ssh/authorized_keys
6) Remove /var/spool/cron/daemon:
# rm -rf /var/spool/cron/daemon
7) If system commands have been tampered with, restore them to their original state:
# mv /bin/wge /bin/wget
# mv /bin/cur /bin/curl
Adjust the commands above to match the situation on your server.
8) Check the iptables firewall.
The mining program modifies it with the following commands:
iptables -F
iptables -X
iptables -A OUTPUT -p tcp --dport 3333 -j DROP
iptables -A OUTPUT -p tcp --dport 5555 -j DROP
iptables -A OUTPUT -p tcp --dport 7777 -j DROP
iptables -A OUTPUT -p tcp --dport 9999 -j DROP
iptables -I INPUT -s 43.245.222.57 -j DROP
Check whether the rules above are present in the firewall and, if so, remove them from the rule chain.
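
The checks in steps 1, 3 and 8 can be scripted as a dry run. The following is an added example, not part of the original post: the function names are hypothetical, the sample rules are constructed, and the process names, ports and source address are the ones listed above. It only prints candidates for review and changes nothing.

```shell
#!/bin/sh
# Added example, not from the original post. Dry run: prints, changes nothing.
MINER_NAMES='NetworkService sysguard update.sh sysupdates kow930kd kow709kd'
MINER_PORTS='3333 5555 7777 9999'   # OUTPUT ports from step 8
MINER_SRC='43.245.222.57'           # INPUT source from step 8

# stdin: `ps -eo pid=,comm=` output. stdout: "PID NAME" for exact name matches.
suspect_processes() {
    awk -v names="$MINER_NAMES" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($2 in want) { print $1, $2 }'
}

# stdin: `iptables -S` output. stdout: one `iptables -D ...` line per DROP rule
# that matches step 8. Review the lines before running any of them.
miner_rule_deletes() {
    awk -v ports="$MINER_PORTS" -v src="$MINER_SRC" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) port[p[i]] = 1 }
        $1 != "-A" || $(NF-1) != "-j" || $NF != "DROP" { next }
        {
            hit = 0
            for (i = 3; i < NF; i++) {
                if ($2 == "OUTPUT" && $i == "--dport" && ($(i+1) in port)) hit = 1
                if ($2 == "INPUT" && $i == "-s" &&
                    ($(i+1) == src || $(i+1) == (src "/32"))) hit = 1
            }
            if (hit) { sub(/^-A /, "-D "); print "iptables " $0 }
        }'
}

# Constructed sample of `iptables -S` output, for trying the filter offline.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 43.245.222.57/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3333 -j DROP
-A OUTPUT -p tcp -m tcp --dport 443 -j DROP'

# Live use (root): list suspects with their binary path, then the rule deletes.
triage_live() {
    ps -eo pid=,comm= | suspect_processes | while read -r pid name; do
        # Read /proc/PID/exe before any kill; the link vanishes with the process.
        echo "$pid $name $(readlink "/proc/$pid/exe" 2>/dev/null)"
    done
    iptables -S | miner_rule_deletes
}

if [ "${1:-}" = "--live" ]; then triage_live; else printf '%s\n' "$SAMPLE_RULES" | miner_rule_deletes; fi
```

Run with --live as root to inspect the real process list and rule set; without arguments it filters the constructed sample only. A script started as "sh update.sh" shows up in ps as "sh", so the name match does not replace a manual look at top.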


Origin blog.51cto.com/1243047/2437010