Handling the kdevtmpfsi mining virus process on a Linux server

Symptoms

The server's CPU usage had been stuck at 100%. Looking with the top command, I found a suspicious process, kdevtmpfsi. A Google search showed that it is a mining virus.

Investigation methods

Step 1: Look at the kdevtmpfsi process with the command ps -ef | grep kdevtmpfsi, see below.

PS: After finding the kdevtmpfsi process ID with ps -ef, I directly ran kill -9 on that process ID and deleted the /tmp/kdevtmpfsi executable. But the process was back within a minute, so you can guess that kdevtmpfsi has a daemon or a scheduled task behind it. Check for suspicious scheduled tasks with crontab -l.

Step 2: From the results above, the kdevtmpfsi process ID is 10393. Running systemctl status 10393 showed that kdevtmpfsi has a daemon process, see below.

Step 3: Kill the kdevtmpfsi daemon processes with kill -9 30903 30904, then kill the mining virus itself with killall -9 kdevtmpfsi, and finally delete the kdevtmpfsi executable with rm -f /tmp/kdevtmpfsi.

Post-mortem

  • Search the whole filesystem for remaining kdevtmpfsi files with the command find / -name "*kdevtmpfsi*".
  • Review the Linux ssh login audit logs: on CentOS and RedHat the audit log path is /var/log/secure; on Ubuntu and Debian it is /var/log/auth.log.
  • Check the crontab scheduled tasks for suspicious entries.
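The investigation steps and post-mortem checks above, collected into read-only triage helpers. This is an added example, not code from the original post; it assumes a Linux host with ps, cron spool files, find and systemctl, and the ps and crontab samples inside it are constructed (the parent binary name is a placeholder, only the PIDs come from the post).

```shell
#!/usr/bin/env bash
# Added triage helpers for the kdevtmpfsi write-up; not code from the original post.
# Assumes a Linux host with ps, cron spool files, find and systemctl. Sample data is constructed.

# Constructed `ps -ef` snapshot: the miner (PID 10393) under the parent PID the post found (30903).
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Feb20 ?        00:00:05 /sbin/init
root     30903     1  0 10:00 ?        00:00:01 /tmp/parent-daemon-placeholder
root     10393 30903 99 10:01 ?        00:12:03 /tmp/kdevtmpfsi
root       555   444  0 10:05 pts/0    00:00:00 grep kdevtmpfsi'

# Constructed crontab: one legitimate job and one that relaunches the miner from /tmp.
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/1 * * * * /tmp/kdevtmpfsi >/dev/null 2>&1'

# Read `ps -ef` text on stdin; print "PID PPID CMD" for every process whose command
# line mentions $1, skipping the grep/awk that is usually the one looking for it.
find_miner_procs() {
  awk -v n="$1" 'NR > 1 && index($0, n) > 0 && $8 !~ /grep|awk/ {
    cmd = $8; for (i = 9; i <= NF; i++) cmd = cmd " " $i
    print $2, $3, cmd }'
}

# Distinct parent PIDs of the matches: the candidates for `systemctl status <pid>`.
miner_parents() {
  find_miner_procs "$1" | awk '{print $2}' | sort -u
}

# Read crontab text on stdin; print non-comment entries that mention $1 or run
# something from /tmp, where the post found the miner binary.
flag_cron_lines() {
  grep -v '^[[:space:]]*#' | grep -E -e "$1" -e '/tmp/' || true
}

# Read-only triage of the live host (kills nothing, deletes nothing).
triage_live() {
  name="${1:-kdevtmpfsi}"
  echo "== processes =="; ps -ef | find_miner_procs "$name"
  for p in $(ps -ef | miner_parents "$name"); do
    echo "== parent $p =="; ps -fp "$p" 2>/dev/null; systemctl status "$p" 2>/dev/null | head -n 3
  done
  echo "== cron entries =="
  for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/*; do
    [ -f "$f" ] && flag_cron_lines "$name" < "$f" | sed "s|^|$f: |"
  done
  echo "== files =="; find / -xdev -name "*${name}*" 2>/dev/null
  echo "== ssh logins =="; grep -h 'Accepted' /var/log/secure /var/log/auth.log 2>/dev/null | tail -n 5
}
```

Source the file and run triage_live before killing anything, so the parent PIDs and cron entries are recorded first; kill the parents before the miner, as the post's step 3 does, or it will respawn.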

Follow-up protection

  • Enable ssh public-key login and disable password login.
  • Cloud hosts: tighten the security policy. Inbound traffic generally only needs ports 80 and 443 open; outbound traffic is usually not restricted by default, but limit it as required if there is a need. Physical machines: use a hardware firewall or iptables on the machine to open only the required inbound traffic rules.
  • Machines that do not need to provide services directly can refuse all inbound traffic from outside the LAN and be reached through a jump host.
  • Where possible, build a security scanning service and regularly check machines for vulnerabilities and fix them.

Summary: The measures above are not complete. They are only a starting point; further measures need to be combined with your own business situation, otherwise they are just empty talk.

This article was released by the YP station.


Origin blog.csdn.net/qq_24794401/article/details/104410770