本文主要是介绍闲置已久的服务器发现被拿来挖矿,刨根找挖矿进程,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
无意间,top -c shift M查看了一下进程,发现其中有两个都是cpu占用100%的,非常奇怪,于是找到文件打开看了一下日志惊呆了,,,
Loaded plugins: fastestmirror
Loaded plugins: fastestmirror
Loaded plugins: fastestmirror
lrwxrwxrwx 1 nginx nginx 0 Apr 11 01:25 /proc/3669/exe -> /tmp/phpupdate
./phpupdate
don't kill
lrwxrwxrwx 1 nginx nginx 0 Apr 11 01:25 /proc/3693/exe -> /tmp/phpguard
./phpguard
don't kill
lrwxrwxrwx 1 nginx nginx 0 Apr 11 01:30 /proc/7607/exe -> /tmp/phpupdate
/tmp/phpupdate
don't kill
./phpupdate
don't kill
/tmp/phpupdate
don't kill
no need download
no need download
not need download
i am here
no need download
nginx 3669 1 99 Apr11 ? 1-19:46:10 ./phpupdate
nginx 7607 1 99 Apr11 ? 1-19:35:56 /tmp/phpupdate
tmp runing.....
not tmps runing
nginx 3693 1 0 Apr11 ? 00:00:06 ./phpguard
tmps runing.....
Loaded plugins: fastestmirror
/usr/bin/curl
/usr/bin/cdt
open : no such file or directoryLoaded plugins: fastestmirror
Loaded plugins: fastestmirror
Loaded plugins: fastestmirror
Software Installed
DER Uninstalled
make: Nothing to be done for `all'.
install -pDm755 bin/masscan /usr/bin/masscan
Masscan Installed
Masscan Already Installed
make[1]: Entering directory `/tmp/masscan-1.0.4/pnscan-1.11'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/tmp/masscan-1.0.4/pnscan-1.11'
./install-sh -c -m 755 pnscan /usr/local/bin
Pnscan Installed
Pnscan Already Installed
[+]redis user :root
[+]redis set dir error 1 ERR Changing directory: No such file or directory
[+]redis set dir error 2 ERR Changing directory: No such file or directory
[+]redis set dir error 3 ERR Changing directory: No such file or directory
[+]redis set stop-writes-on-bgsave error read tcp 172.18.149.101:45972->123.57.144.51:6379: i/o timeout
[+]redis user :redis
[+]redis set dbfilename error dial tcp 123.57.144.51:6379: i/o timeout
[+]redis set dbfilename error dial tcp 123.57.144.51:6379: i/o timeout
[+]redis set key error dial tcp 123.57.144.51:6379: i/o timeout
通过日志发现了一个病毒劫持了nginx在挖矿,我顶
后续附上如何解决
1.先查看contab定时器上的定时任务列表是否含有不是自己添加的定时任务
2.查看linux开机启动的启动文件,进去里面看看是否有多余的开机启动项,找到进程所在的文件位置,确定是挖矿进程后,进行删除并且,重启linux服务器,如果还是有这条进程就需要继续深挖,通过查看后台的日志看是否还有其他进程没处理干净
这篇关于闲置已久的服务器发现被拿来挖矿,刨根找挖矿进程的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
