1. The problem
One morning Alibaba Cloud sent an alert notification saying the server was under attack by a mining virus.
2. Solution
2.1 View processes with top
First log in to the server and look at the running processes with top: all four CPUs showed 0% idle, and one process was using nearly 400% CPU. Kill that process.
2.2 Delete the guardian script
Usually this kind of virus is a program accompanied by a guardian script that prevents you from killing it.
Sure enough, shortly after it was killed, the process called Macron appeared again. So first locate the virus program, then delete it.
Go into the /usr/bin directory and delete all script files created today.
Some files turn out to be locked and cannot be deleted. Unlock a locked file with chattr -i <filename>, then delete it.
2.3 Check other files
Use find / -maxdepth 1 -newermt "2020-03-09" to see which directories were modified today, then ll -at to list entries in time order and check today's altered files one by one, so that no backdoor left by the attacker is missed.
crontab -l: check the scheduled tasks
/etc/passwd: check whether a new user has been created
/root/.ssh/authorized_keys: check whether any host has been granted passwordless login
/etc/hosts: check the hostname resolution file for a large number of added host entries