第一种处理方案(彻底)
# 注释掉的定时任务都是 用来启动kswapd0 病毒的
root@insp:/opt/tomcat/webapps# cat /etc/passwd | cut -f 1 -d : |xargs -I {} crontab -l -u {}
no crontab for daemon
no crontab for bin
no crontab for sys
no crontab for sync
no crontab for games
no crontab for man
no crontab for lp
no crontab for mail
no crontab for news
no crontab for uucp
no crontab for proxy
no crontab for www-data
no crontab for backup
no crontab for list
no crontab for irc
no crontab for gnats
no crontab for nobody
no crontab for systemd-network
no crontab for systemd-resolve
no crontab for systemd-timesync
no crontab for messagebus
no crontab for syslog
no crontab for _apt
no crontab for uuidd
no crontab for tcpdump
no crontab for ntp
no crontab for sshd
no crontab for systemd-coredump
no crontab for _chrony
no crontab for mysql
no crontab for redis
# 5 6 * * 0 /home/es/.configrc5/a/upd>/dev/null 2>&1
# @reboot /home/es/.configrc5/a/upd>/dev/null 2>&1
# 5 8 * * 0 /home/es/.configrc5/b/sync>/dev/null 2>&1
# @reboot /home/es/.configrc5/b/sync>/dev/null 2>&1
# 0 0 */3 * * /tmp/.X20z-unix/.rsync/c/aptitude>/dev/null 2>&1
# 进入到es 文件,删除或注释掉停掉es 用户相关的定时任务
root@insp:/var/spool/cron/crontabs# cd /var/spool/cron/crontabs
root@insp:/var/spool/cron/crontabs# ls
es root
root@insp:/var/spool/cron/crontabs# vi es
#5 6 * * 0 /home/es/.configrc5/a/upd>/dev/null 2>&1
#@reboot /home/es/.configrc5/a/upd>/dev/null 2>&1
#5 8 * * 0 /home/es/.configrc5/b/sync>/dev/null 2>&1
#@reboot /home/es/.configrc5/b/sync>/dev/null 2>&1
#0 0 */3 * * /tmp/.X20z-unix/.rsync/c/aptitude>/dev/null 2>&1
第二种处理方案
# 关闭 swappiness
echo vm.swappiness=0 | tee -a /etc/sysctl.conf
# 清理缓存
echo 1 > /proc/sys/vm/drop_caches
第三种处理方案
# top 查看进程,kswapd0的CPU使用率达到了200%左右
root@insp:~# top
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1097 es 20 0 2439888 2.3g 4 S 197.7 30.0 30:13.48 kswapd0
# 注意,这里先不要kill,这里的PID可以为下面做参考;
root@insp:/usr/bin# ps -ef|grep kswapd0
root 88 2 0 19:28 ? 00:00:00 [kswapd0]
es 1097 1 99 19:29 ? 00:28:28 ./kswapd0
root 2629 2583 0 19:44 pts/0 00:00:00 grep --color=auto kswapd0
# 这几个远程 ip除了荷兰就是瑞士
root@insp:~# netstat -antlp
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:48822 45.9.148.99:443 ESTABLISHED 1052/rsync
tcp 0 0 127.0.0.1:50132 45.9.150.161:443 ESTABLISHED 1097/./kswapd0
tcp 0 1 127.0.0.1:59316 45.9.148.234:80 SYN_SENT 1097/./kswapd0
# ********************省略其他****************************
# 记录下这几个的pid,我的是:1052、1097
# 根据PID找到挖矿程序的路径
root@insp:~# ls -l /proc/1052/exe
lrwxrwxrwx 1 es es 0 Jun 12 19:28 /proc/1052/exe -> /usr/bin/perl
root@insp:~# ls -l /proc/1097/exe
lrwxrwxrwx 1 es es 0 Jun 12 19:29 /proc/1097/exe -> /home/es/.configrc5/a/kswapd0
# 删除挖矿木马文件
root@insp:/home# cd /home/
root@insp:/home# ls
es mongod
root@insp:/home# rm -rf es/
root@insp:/usr/bin# cd /usr/bin/
root@insp:/usr/bin# rm -rf perl
# kill掉进程
root@insp:/usr/bin# ps -ef|grep kswapd0
root 88 2 0 19:28 ? 00:00:00 [kswapd0]
es 1097 1 99 19:29 ? 01:09:33 ./kswapd0
root 3693 2583 0 20:06 pts/0 00:00:00 grep --color=auto kswapd0
# 通过 top 、netstat -antlp等命令再次查看,确认进程已经杀掉并且没有重启;
# 参考:
https://blog.csdn.net/tracy622/article/details/128033096
https://www.ngui.cc/el/3668211.html?action=onClick
网友评论