闲置已久的服务器发现被拿来挖矿,刨根找挖矿进程

无意间，top -c  shift M查看了一下进程，发现其中有两个都是cpu占用100%的，非常奇怪，于是找到文件打开看了一下日志惊呆了，，，

Loaded plugins: fastestmirror
Loaded plugins: fastestmirror
Loaded plugins: fastestmirror
lrwxrwxrwx 1 nginx nginx 0 Apr 11 01:25 /proc/3669/exe -> /tmp/phpupdate
./phpupdate 
don't kill
lrwxrwxrwx 1 nginx nginx 0 Apr 11 01:25 /proc/3693/exe -> /tmp/phpguard
./phpguard 
don't kill
lrwxrwxrwx 1 nginx nginx 0 Apr 11 01:30 /proc/7607/exe -> /tmp/phpupdate
/tmp/phpupdate 
don't kill
./phpupdate 
don't kill
/tmp/phpupdate 
don't kill
no need download
no need download
not need download
i am here
no need download
nginx     3669     1 99 Apr11 ?        1-19:46:10 ./phpupdate
nginx     7607     1 99 Apr11 ?        1-19:35:56 /tmp/phpupdate
tmp runing.....
not tmps runing
nginx     3693     1  0 Apr11 ?        00:00:06 ./phpguard
tmps runing.....
Loaded plugins: fastestmirror
/usr/bin/curl
/usr/bin/cdt
open : no such file or directoryLoaded plugins: fastestmirror
Loaded plugins: fastestmirror
Loaded plugins: fastestmirror
Software Installed
DER Uninstalled
make: Nothing to be done for `all'.
install -pDm755 bin/masscan /usr/bin/masscan
Masscan Installed
Masscan Already Installed
make[1]: Entering directory `/tmp/masscan-1.0.4/pnscan-1.11'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/tmp/masscan-1.0.4/pnscan-1.11'
./install-sh -c -m 755 pnscan /usr/local/bin
Pnscan Installed
Pnscan Already Installed
[+]redis user :root
[+]redis set dir error 1 ERR Changing directory: No such file or directory
[+]redis set dir error 2 ERR Changing directory: No such file or directory
[+]redis set dir error 3 ERR Changing directory: No such file or directory
[+]redis set stop-writes-on-bgsave error read tcp 172.18.149.101:45972->123.57.144.51:6379: i/o timeout
[+]redis user :redis
[+]redis set dbfilename error dial tcp 123.57.144.51:6379: i/o timeout
[+]redis set dbfilename error dial tcp 123.57.144.51:6379: i/o timeout
[+]redis set key error dial tcp 123.57.144.51:6379: i/o timeout

通过日志发现了一个病毒劫持了nginx在挖矿，我顶

后续附上如何解决

1.先查看contab定时器上的定时任务列表是否含有不是自己添加的定时任务

2.查看linux开机启动的启动文件，进去里面看看是否有多余的开机启动项，找到进程所在的文件位置，确定是挖矿进程后，进行删除并且，重启linux服务器，如果还是有这条进程就需要继续深挖，通过查看后台的日志看是否还有其他进程没处理干净