Step 1: Close the hole the trojan came in through
Redis was initially run without a password, which is how wnTKYg got planted. Ways to close that hole (set in redis.conf):
①. Change the default port
# Accept connections on the specified port, default is 6379 (IANA #815344).
# If port 0 is specified Redis will not listen on a TCP socket.
port <port-number>
②. Set a password (this is the only step I did)
################################## SECURITY ###################################
# Require clients to issue AUTH <PASSWORD> before processing any other
# commands. This might be useful in environments in which you do not trust
# others with access to the host running redis-server.
#
# This should stay commented out for backward compatibility and because most
# people do not need auth (e.g. they run their own servers).
#
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#
requirepass <your-strong-password>
③. Bind only the IP addresses that are allowed to connect
################################## NETWORK #####################################
# By default, if no "bind" configuration directive is specified, Redis listens
# for connections from all the network interfaces available on the server.
# It is possible to listen to just one or multiple selected interfaces using
# the "bind" configuration directive, followed by one or more IP addresses.
#
# Examples:
#
# bind 192.168.1.100 10.0.0.1
bind 127.0.0.1 ::1
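The three settings above can be checked mechanically. The script below is an added example, not part of the original post or of Redis itself: it reads a redis.conf, takes the last uncommented value of each directive (which is the one Redis honours), and reports whether the port is still 6379, whether requirepass is set, and whether bind still exposes the server on every interface. The 16-character password minimum is this script's own assumption, chosen because of the brute-force warning in the config comments; the file path is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Reads a redis.conf and
# reports which of the three hardening steps are in place.

# effective_directive CONF NAME
# Prints the value of the last uncommented NAME line, or an empty string if the
# directive is absent. Commented lines start with '#' so they never match.
effective_directive() {
    awk -v key="$2" '
        $1 == key { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { print val }' "$1"
}

# audit_redis_conf CONF
# Prints one line per check; returns 0 only if all three checks pass.
audit_redis_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    status=0

    # Step 1: port. Absent means the 6379 default.
    port=$(effective_directive "$conf" port)
    if [ -z "$port" ] || [ "$port" = "6379" ]; then
        echo "port: default 6379 (step 1 not applied)"; status=1
    else
        echo "port: $port"
    fi

    # Step 2: requirepass. 16 characters is this script's assumed minimum.
    pass=$(effective_directive "$conf" requirepass)
    if [ -z "$pass" ]; then
        echo "requirepass: not set, anyone reaching the port has full access (step 2 not applied)"; status=1
    elif [ "${#pass}" -lt 16 ]; then
        echo "requirepass: set but shorter than 16 characters; Redis can be brute-forced quickly"; status=1
    else
        echo "requirepass: set (${#pass} characters)"
    fi

    # Step 3: bind. Absent, 0.0.0.0 or * all mean "every interface".
    bind=$(effective_directive "$conf" bind)
    case "$bind" in
        ""|*0.0.0.0*|*"*"*)
            echo "bind: listening on all interfaces (step 3 not applied)"; status=1 ;;
        *)
            echo "bind: $bind" ;;
    esac

    return "$status"
}

# Usage: sh redis_audit.sh /etc/redis/redis.conf
if [ "$#" -ge 1 ]; then
    audit_redis_conf "$1"
fi
```

Run it against the live config after each change; a non-zero exit means at least one of the three steps is still missing. Note that it reads the file only, so a server that was started with a different config, or had CONFIG SET applied at runtime, should also be checked with CONFIG GET.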
Step 2: Delete the source file that spawns the wnTKYg trojan, then kill the wnTKYg process
① Search for the file with find / -name 'wnTKYg*'; I found /tmp/wnTKYg and deleted it
② Use ps aux | grep ddg to look for processes named ddg.<number> and kill them with kill -9 pid,
and delete any ddg folder under /tmp (in my case no leftover ddg files were found)
③ Find the pid of the running wnTKYg process and kill it with kill -9 pid
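The file search and process search in the three steps above can be combined into one read-only triage pass that lists the indicators before anything is deleted or killed. The script below is an added example, not from the original post: it reports files named wnTKYg* or ddg* under a given root and processes whose executable name is exactly wnTKYg or ddg.<digits>. Anchoring on the executable name avoids the usual false positive where grep reports itself, and because the process filter reads ps-style lines from stdin it can also be run over saved ps output from another host. The pid list is printed, not acted on; killing is left to the operator after confirming what each pid is.

```shell
#!/bin/sh
# Added triage helper (not from the original post). Lists, without deleting or
# killing anything, files and processes matching the indicators named above.

# find_suspect_files ROOT
# Prints paths under ROOT named wnTKYg* or ddg* (the trojan binary and its
# ddg helper folder were found under /tmp in the post). -xdev keeps the walk
# on one filesystem so /proc and network mounts are not scanned.
find_suspect_files() {
    find "${1:-/}" -xdev \( -name 'wnTKYg*' -o -name 'ddg*' \) 2>/dev/null
}

# suspect_pids
# Reads "PID PPID USER ARGS" lines on stdin, as printed by
# `ps -eo pid,ppid,user,args`, and prints the matching lines. The match is on
# the executable name only (directory stripped), so "grep ddg" is not reported.
suspect_pids() {
    awk '
        NR == 1 && $1 == "PID" { next }           # skip the ps header line
        {
            cmd = $4
            sub(/.*\//, "", cmd)                   # strip the directory part
            if (cmd ~ /^wnTKYg$/ || cmd ~ /^ddg\.[0-9]+$/) print $1, $2, $3, $4
        }'
}

# triage [ROOT]
# Runs both checks on the live system and prints a summary.
triage() {
    echo "== files under ${1:-/} =="
    find_suspect_files "${1:-/}"
    echo "== processes (pid ppid user cmd) =="
    ps -eo pid,ppid,user,args | suspect_pids
    echo "verify each pid above (ls -l /proc/<pid>/exe), then kill it by pid"
}

# Usage: sh triage.sh --run [/root/to/search]
if [ "${1:-}" = "--run" ]; then
    triage "${2:-/}"
fi
```

The ppid column is worth reading before killing anything: in the post the ddg.<number> processes and wnTKYg belong together, and killing the parent first stops it from respawning the child while you work through the list.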
There are other approaches as well; I followed the post below to finish removing the wnTKYg mining trojan:
http://blog.sina.com.cn/s/blog_c08907b10102wyyl.html