一.背景
最近公司一台虚拟机被攻击,其中一种挖矿病毒、会伪CPU数、即如果用top命令只能看到一个cpu、并且负载不高、实际上整个负载300%以上,及时定时任务关掉也不起作用。
二.言归正传开始干掉这个麻烦的病毒(脚本如下):
-
- #关掉定时任务
-
- service crond stop
-
- #删除so库
-
- busybox rm -f /etc/ld.so.preload
-
- busybox rm -f /usr/local/lib/libcset.so
-
- chattr -i /etc/ld.so.preload
-
- busybox rm -f /etc/ld.so.preload
-
- busybox rm -f /usr/local/lib/libcset.so
-
- # 清理异常进程
-
- busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' | busybox xargs kill -9
-
- busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' | busybox xargs kill -9
-
- busybox ps -ef | busybox grep -v grep | busybox egrep 'kpsmouseds' | busybox awk '{print $1}' | busybox xargs kill -9
-
- busybox ps -ef | busybox grep -v grep | busybox egrep 'kintegrityds' | busybox awk '{print $1}' | busybox xargs kill -9
-
- busybox ps -ef | busybox grep -v grep | busybox egrep 'khugepageds' | busybox awk '{print $1}' | busybox xargs kill -9
-
- busybox rm -f /tmp/kthrotlds
-
- busybox rm -f /tmp/kintegrityds
-
- busybox rm -f /tmp/khugepageds
-
- busybox rm -f /tmp/kpsmouseds
-
- busybox rm -f /etc/cron.d/tomcat
-
- busybox rm -f /etc/cron.d/root
-
- busybox rm -f /var/spool/cron/root
-
- busybox rm -f /var/spool/cron/crontabs/root
-
- busybox rm -f /etc/rc.d/init.d/kthrotlds
-
- busybox rm -f /etc/rc.d/init.d/kpsmouseds
-
- busybox rm -f /etc/rc.d/init.d/kintegrityds
-
- busybox rm -f /usr/sbin/kthrotlds
-
- busybox rm -f /usr/sbin/kintegrityds
-
- busybox rm -f /usr/sbin/kpsmouseds
-
- busybox rm -f /etc/init.d/netdns
-
- busybox rm -f /tmp/ld.so.preload*
-
- ldconfig
-
- # 再次清理异常进程
-
- busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' | busybox xargs kill -9
-
- busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' | busybox xargs kill -9
-
- busybox ps -ef | busybox grep -v grep | busybox egrep 'kpsmouseds' | busybox awk '{print $1}' | busybox xargs kill -9
-
- busybox ps -ef | busybox grep -v grep | busybox egrep 'kintegrityds' | busybox awk '{print $1}' | busybox xargs kill -9
-
- busybox ps -ef | busybox grep -v grep | busybox egrep 'khugepageds' | busybox awk '{print $1}' | busybox xargs kill -9
# 清理开机启动项
chkconfig netdns off
chkconfig –del netdns
service crond start
echo "Done, Please reboot!"
补充:由于近期很多人咨询有wiki,redis,jenkins中招的情况,建议尽快备份数据,重装系统,默认端口修改复杂端口,服务仅供内部使用。