一、The server was infected with the kthrotlds mining (cryptojacking) malware
二、First stop the cron service; otherwise the malware will quickly re-download and replicate itself
service cron stop
Check its status:
service cron status
It still shows as running. In that case use another approach: first disable cron from starting at boot, then reboot the server
chkconfig cron off
reboot
After the reboot, reconnect to the server and run
JHSms:/ # service cron status
Checking for Cron: unused
It now shows as not running
三、Delete the related files and kill the processes
busybox rm -f /etc/ld.so.preload
busybox rm -f /usr/local/lib/libcset.so
chattr -i /etc/ld.so.preload
busybox rm -f /etc/ld.so.preload
busybox rm -f /usr/local/lib/libcset.so
# kill the malicious processes
busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kpsmouseds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kintegrityds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox rm -f /tmp/kthrotlds
busybox rm -f /tmp/kintegrityds
busybox rm -f /tmp/kpsmouseds
busybox rm -f /etc/cron.d/tomcat
chattr -i /etc/cron.d/root
busybox rm -f /etc/cron.d/root
chattr -i /var/spool/cron/root
busybox rm -f /var/spool/cron/root
chattr -i /var/spool/cron/crontabs/root
busybox rm -f /var/spool/cron/crontabs/root
chattr -i /var/spool/cron/tabs/root
busybox rm -f /var/spool/cron/tabs/root
busybox rm -f /etc/rc.d/init.d/kthrotlds
busybox rm -f /etc/rc.d/init.d/kpsmouseds
busybox rm -f /etc/rc.d/init.d/kintegrityds
busybox rm -f /usr/sbin/kthrotlds
busybox rm -f /usr/sbin/kintegrityds
busybox rm -f /usr/sbin/kpsmouseds
busybox rm -f /etc/init.d/netdns
ldconfig
# kill the malicious processes again
busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kpsmouseds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kintegrityds' | busybox awk '{print $1}' | busybox xargs kill -9
# remove the boot-time startup entry
chkconfig netdns off
chkconfig --del netdns
四、Restore the cron service
service cron start
chkconfig cron on
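A post-cleanup check, added here as an example and not part of the original post: it re-tests every file path and process name from the steps above so the operator can confirm nothing has been re-dropped by a surviving cron job or dropper. The function names and the "run" argument are this example's own; pass a staging directory as the root to exercise the file check offline.

```sh
#!/bin/sh
# Added example, not from the original post: verify that the kthrotlds
# cleanup held. Point the root argument at a staging directory to run offline.

# Files removed by the cleanup; any that reappear mean a dropper is still active.
INDICATOR_FILES="/etc/ld.so.preload /usr/local/lib/libcset.so
/tmp/kthrotlds /tmp/kintegrityds /tmp/kpsmouseds
/etc/cron.d/tomcat /etc/cron.d/root /var/spool/cron/root
/var/spool/cron/crontabs/root /var/spool/cron/tabs/root
/etc/rc.d/init.d/kthrotlds /etc/rc.d/init.d/kpsmouseds
/etc/rc.d/init.d/kintegrityds /usr/sbin/kthrotlds
/usr/sbin/kintegrityds /usr/sbin/kpsmouseds /etc/init.d/netdns"

# Process names killed by the cleanup; all mimic legitimate kernel threads.
INDICATOR_PROCS="ksoftirqds kthrotlds kpsmouseds kintegrityds"

# Print each indicator file present under $1 (filesystem root, "" for /),
# flagging files that still carry the immutable bit set with chattr +i,
# since those must be cleared with chattr -i before rm will succeed.
find_indicator_files() {
  root="${1:-}"
  for f in $INDICATOR_FILES; do
    if [ -e "$root$f" ]; then
      if lsattr -d "$root$f" 2>/dev/null | cut -d' ' -f1 | grep -q i; then
        echo "$f (immutable)"
      else
        echo "$f"
      fi
    fi
  done
  return 0
}

# Read ps -ef style output on stdin; print indicator process names that
# appear as whole words, so the real kernel thread ksoftirqd/0 is not flagged.
find_indicator_procs() {
  input="$(cat)"
  for p in $INDICATOR_PROCS; do
    printf '%s\n' "$input" | grep -qw -- "$p" && echo "$p"
  done
  return 0
}

# Live check. busybox ps is used as in the post because a library loaded via
# /etc/ld.so.preload can hide processes from the dynamically linked ps.
verify_cleanup() {
  files=$(find_indicator_files "")
  procs=$( (busybox ps -ef 2>/dev/null || ps -ef) | find_indicator_procs )
  [ -z "$files$procs" ] && { echo "clean"; return 0; }
  printf 'still present:\n%s\n%s\n' "$files" "$procs"
  return 1
}

if [ "${1:-}" = "run" ]; then verify_cleanup; fi
```

Run it as `sh verify.sh run` on the cleaned host; a non-zero exit means a listed file or process is back and the cleanup steps need repeating.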