Background
The CPU of one of our project servers was overloaded. The top command showed a batch of CPU-hungry processes, and the programs being executed all carried the names of Linux commands, as shown in the screenshot.
This is almost certainly a mining virus. Unlike earlier mining viruses, the names it displays are all Linux commands (a disguise?).
Troubleshooting
Since the names are those of commonly used commands, the first thing to confirm is whether these tools themselves have been infected. The way to do that is to find a clean server with the same operating system version, run md5sum over the command on both sides, and compare the results. Two caveats: run the check with a binary you trust, since md5sum on a compromised host could itself have been replaced, and where a package manager is available, `rpm -V coreutils` or `debsums coreutils` performs the same comparison against the checksums stored in the package database. Take the cat command as an example.
- Confirm the location of the cat command
```shell
# which cat
/usr/bin/cat
```
- Run md5sum
```shell
# md5sum /usr/bin/cat
1484a27859e2ca20ad667cc06d595d22 /usr/bin/cat
```
If the md5 sums on both sides match, the tools are not infected and the command names are merely the virus's disguise. So how do you find where the virus's program actually lives? The first idea is to use strace to watch which local files the virus opens, but the virus processes appeared to be doing nothing but reading and writing, with no open calls, or else the open had already happened before monitoring started. Either way, this method did not work.
In Linux, everything is a file. Every resource an application uses, including network connections, is allocated a file descriptor, and the lsof command lists the file descriptors a process holds (`lsof -p <pid>`). The same information is available under /proc/<pid>/fd, and /proc/<pid>/exe points at the binary that is really running, which a process cannot fake the way it can fake its own displayed name.
Several important things can be seen from the lsof output:
- The virus process had /usr/bin/fold open, and this is what lets it appear under that command's name
- The virus program presumably lives under /tmp/.python and is run by python, but its status is (deleted), meaning the script was removed right after it was started (the running process keeps the file descriptor, so it keeps working)
- The IP the virus daemon connects to is 209.141.40.190, which is located overseas
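To find disguised processes without trusting what top or ps display, the following Python script (an added example for this article, not the author's own tooling) compares each process's comm and argv[0] with the /proc/<pid>/exe link, which the kernel sets at exec time and a process cannot rewrite, and flags executables or open files that sit under /tmp-like directories or have already been deleted from disk, the two signs visible in the lsof output above. It assumes /proc is mounted and that it runs as root so other users' processes are readable; the process records used for checking it are constructed, not taken from the infected host.

```python
"""Find processes whose displayed name does not match the binary they really run.

Added example for this article, not the author's own tooling. It reads only /proc,
so lsof is not required. Assumed: /proc is mounted and the script runs as root,
otherwise /proc/<pid>/exe and /proc/<pid>/fd of other users' processes are unreadable.
"""
import os
import shutil

# Directories a legitimate service rarely runs from or keeps its code in.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DELETED = " (deleted)"


def _strip_deleted(path):
    return path[:-len(DELETED)] if path.endswith(DELETED) else path


def _names_agree(shown, exe_path):
    """True when a displayed name plausibly belongs to the binary behind exe_path.

    comm is cut to 15 characters and interpreters resolve through symlinks
    (python -> python2.7), so a prefix match either way is accepted. Commands
    installed as symlinks to a differently named binary (sh -> dash) are
    accepted when a PATH lookup of the name lands on the same file.
    """
    if not shown:
        return True  # nothing displayed to compare against
    real = os.path.basename(exe_path)
    if real.startswith(shown) or shown.startswith(real):
        return True
    found = shutil.which(shown)
    return bool(found) and os.path.realpath(found) == os.path.realpath(exe_path)


def classify(comm, cmdline, exe, open_files):
    """Return the reasons a process looks disguised (empty list = nothing odd).

    comm       - /proc/<pid>/comm, the name that top and ps display
    cmdline    - argv list from /proc/<pid>/cmdline
    exe        - target of the /proc/<pid>/exe symlink; the kernel sets it at
                 exec time, so rewriting argv[0] or comm cannot change it
    open_files - targets of the /proc/<pid>/fd/* symlinks
    """
    reasons = []
    exe_path = _strip_deleted(exe)
    argv0 = os.path.basename(cmdline[0]) if cmdline else ""

    if not _names_agree(comm, exe_path) or not _names_agree(argv0, exe_path):
        reasons.append(f"shown as '{comm}'/'{argv0}' but exe is {exe_path}")
    if exe != exe_path:
        reasons.append("exe was deleted from disk after start")
    if exe_path.startswith(SUSPECT_DIRS):
        reasons.append(f"exe lives under a scratch directory: {exe_path}")
    for f in open_files:
        # A script unlinked right after launch still shows up here as "(deleted)".
        if _strip_deleted(f).startswith(SUSPECT_DIRS):
            reasons.append(f"open file {f}")
    return reasons


def scan_proc(proc="/proc"):
    """Walk /proc and return {pid: reasons} for every process that looks disguised."""
    findings = {}
    if not os.path.isdir(proc):
        return findings
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
            fd_dir = os.path.join(base, "fd")
            open_files = []
            for fd in os.listdir(fd_dir):
                try:
                    open_files.append(os.readlink(os.path.join(fd_dir, fd)))
                except OSError:
                    pass  # fd closed between listing and readlink
        except OSError:
            continue  # kernel thread, process already gone, or not permitted
        reasons = classify(comm, cmdline, exe, open_files)
        if reasons:
            findings[int(entry)] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(scan_proc().items()):
        print(f"PID {pid}: " + "; ".join(reasons))
```

Run it as root on the affected host; a hit like "shown as 'fold'/'fold' but exe is /usr/bin/python2.7" together with "open file /tmp/.python/... (deleted)" is exactly the pattern described above. Multi-call binaries such as busybox, where every applet is a symlink to one executable, will be reported as mismatches and need to be whitelisted for your distribution.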
So the fix is relatively simple:
- Disable python by removing its execute permission
```shell
chmod -x /usr/bin/python
## renaming it also works
mv /usr/bin/python /usr/bin/pythonx
```
- Kill all the virus processes (use the PIDs found with lsof or ps)
- It is best to restart the server
A caveat on the first step: on CentOS, yum itself is a python program and many maintenance scripts depend on /usr/bin/python, and a virus can just as easily be launched by another interpreter, so treat this as an emergency stop rather than a cure. Before restarting, remove whatever re-launches the virus (crontab entries, as noted below), or it will come back; a host on which an attacker has already run code as root is safest rebuilt from a clean image.
Summary
In recent years, with the Bitcoin craze, mining viruses have become more and more rampant. I very much support the country's crackdown on Bitcoin. It has no value, it consumes huge amounts of electricity, it gives criminals a covert funding channel and it makes life easy for money launderers. A thing like that has a market capitalisation as high as a trillion US dollars; all one can say is that the world has gone mad. Condemnation aside, to keep the server secure the following protections are recommended:
- Close direct access to the external network; route all access through a gateway
- Disable the curl, wget and python commands; most virus scripts use them to download the virus payload from a remote host (bear in mind that package managers and maintenance scripts depend on these tools, so an egress firewall that only permits the gateway is the more robust way to achieve the same goal)
- Disable crontab if the system does not need it; viruses use crontab to resurrect themselves after being killed
- Do not start applications as root. Every application inevitably has vulnerabilities, and if it runs as root, then once the business system is breached the virus directly controls the whole host
- Download your SSH client from the official website. Every tool used to connect to the server must come from the official site; do not search for it on Baidu and download whatever turns up, as that download may carry a virus