Docs/CloudNative/ErrorProcess/记一次挖矿程序删除处理.md
2022-10-18 16:59:37 +08:00


#### Symptom
> **Server CPU and memory usage spiked, and operating the server became sluggish**
##### Check server load and the PID of the abnormal process
```
top
```
Result (*the output was long; irrelevant entries have been removed*):
```
top - 15:52:08 up 13 days, 6:21, 3 users, load average: 3.52, 3.23, 3.04
Tasks: 226 total, 1 running, 225 sleeping, 0 stopped, 0 zombie
%Cpu(s): 1.5 us, 0.5 sy, 98.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 8173400 total, 50392 free, 7783940 used, 339068 buff/cache
KiB Swap: 0 total, 0 free, 0 used. 146592 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
25586 root 20 0 2439064 2.289g 4 S 190.1 29.4 120:20.64 server
```
Press "c" to show the full COMMAND column for the process:
```
top - 15:52:23 up 13 days, 6:22, 3 users, load average: 3.72, 3.28, 3.06
Tasks: 227 total, 1 running, 226 sleeping, 0 stopped, 0 zombie
%Cpu(s): 3.0 us, 1.3 sy, 95.7 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 8173400 total, 47780 free, 7787388 used, 338232 buff/cache
KiB Swap: 0 total, 0 free, 0 used. 142808 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
25586 root 20 0 2439064 2.289g 4 S 186.1 29.4 120:47.58 /opt/server
```
From the above, the process executable is /opt/server and its PID is 25586.
#### Check the process executable
The file /opt/server does not exist on the host, and the exe entry under /proc/25586/ also points to a file that does not exist.
#### Check for abnormal cron jobs
```
cat /etc/passwd | awk -F: '{print $1}' | xargs -I {} crontab -l -u {}
```
No cron jobs were found on the system.
#### Check /tmp for abnormal directories or files
The /tmp directory was normal.
#### Check the parent of the process
```
ps -ef | grep server
```
Result:
```
root 25586 1793 99 14:45 ? 02:08:41 /opt/server
```
The parent process is 1793.
#### Inspect the parent process
```
ll /proc/1793/
```
Its exe entry is:
```
lrwxrwxrwx 1 root root 0 Jan 11 15:56 exe -> /bin/busybox*
```
The server itself does not use busybox, but busybox is commonly used in docker images.
#### Check docker containers
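The host-side checks above (a high-CPU process whose executable cannot be found on the host, then tying it back to a container) can be scripted. The following is an added Python example, not code from the original write-up: it parses `ps -eo pid,ppid,user,pcpu,args` output and `/proc/<pid>/cgroup` text, assumes the cgroup v1 (`/docker/<id>`) and cgroup v2 (`docker-<id>.scope`) path formats, and runs on constructed sample data that reuses the pids and the container id prefix from this incident.

```python
import os
import re
from typing import Callable, Dict, List, Optional

# Container ids as they appear in /proc/<pid>/cgroup (cgroup v1 "/docker/<id>",
# cgroup v2 under systemd "docker-<id>.scope").
_CGROUP_PATTERNS = (re.compile(r"/docker/([0-9a-f]{12,64})"),
                    re.compile(r"docker-([0-9a-f]{12,64})\.scope"))

def container_id_from_cgroup(cgroup_text: str) -> Optional[str]:
    """Return the short (12-char) docker container id named in a cgroup file, or None."""
    for line in cgroup_text.splitlines():
        for pat in _CGROUP_PATTERNS:
            m = pat.search(line)
            if m:
                return m.group(1)[:12]
    return None

def triage(ps_output: str, exe_by_pid: Dict[int, str], cgroup_by_pid: Dict[int, str],
           path_exists: Callable[[str], bool] = os.path.exists, cpu_threshold: float = 80.0) -> List[dict]:
    """Flag high-CPU processes whose exe target (readlink /proc/<pid>/exe) is absent on the host.
    ps_output is `ps -eo pid,ppid,user,pcpu,args` text; cgroup_by_pid holds /proc/<pid>/cgroup text."""
    findings = []
    for line in ps_output.splitlines()[1:]:
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue
        pid, ppid, pcpu = int(fields[0]), int(fields[1]), float(fields[3])
        # A binary the host cannot see is the hallmark of this incident: the process runs
        # in another mount namespace (a container), so /opt/server is missing on the host.
        if pcpu < cpu_threshold or path_exists(exe_by_pid.get(pid, "")):
            continue
        findings.append({"pid": pid, "ppid": ppid, "user": fields[2], "pcpu": pcpu, "args": fields[4],
                         "container": container_id_from_cgroup(cgroup_by_pid.get(pid, ""))})
    return findings

# Constructed sample modelled on the incident (pids and the container id prefix come from the
# write-up; the padded id, the postgres process and the busybox command line are made up).
FAKE_ID = "169486212d4b" + "0" * 52
SAMPLE_PS = """PID PPID USER %CPU COMMAND
1793 1 root 0.3 /bin/busybox sh /main.sh
4242 1 postgres 85.0 /usr/bin/postgres
25586 1793 root 190.1 /opt/server
"""
SAMPLE_EXE = {1793: "/bin/busybox", 4242: "/usr/bin/postgres", 25586: "/opt/server"}
SAMPLE_CGROUP = {pid: f"0::/system.slice/docker-{FAKE_ID}.scope\n" for pid in (1793, 25586)}
HOST_FILES = {"/usr/bin/postgres"}  # paths treated as present on the host in the sample

def sample_findings() -> List[dict]:
    return triage(SAMPLE_PS, SAMPLE_EXE, SAMPLE_CGROUP, path_exists=HOST_FILES.__contains__)
```

On a live host, call `triage` with real `ps` output, `os.readlink('/proc/<pid>/exe')` results and the contents of each `/proc/<pid>/cgroup`; the flagged pid's `container` value is what `docker ps` then confirms.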
```
docker ps -a
```
Result:
```
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
169486212d4b zqbxacdsx "#(nop)" 3 days ago Up 3 days (healthy) harbor-jobservice
```
Sure enough, a strange container was found, with the image name zqbxacdsx.
#### Look up the docker image ID
```
docker images
```
The result is aa05538acecf.
#### Inspect how the image was built
```
## aa05538acecf is the image ID
docker history aa05538acecf --no-trunc
```
The image only adds a single script, main.sh.
#### Inspect the contents of main.sh
Enter the container:
```
## 169486212d4b is the container ID
docker exec -it 169486212d4b /bin/sh
```
View main.sh:
```
cat main.sh
```
As expected, main.sh is a script that automatically downloads the mining program.
#### Stop the mining container
```
docker stop 169486212d4b
```
#### Remove the mining container
```
docker rm 169486212d4b
```
#### Remove the mining image
```
docker rmi aa05538acecf
```
After monitoring for a while, the abnormal process did not restart and the server ran stably.
That completes the cleanup of the mining malware. Next steps: close the ports that need closing at the firewall and harden the docker configuration.