One day I got off work on time and went to a small party with friends. After plenty of wine and food, while we were discussing the second round, my phone buzzed with an alert. I took a look. Oh, my God. The server had a worm. So I apologized to my friends, went home, turned on the computer and started removing the virus.

First, I opened Aliyun and looked at the logs. I have to give Aliyun Cloud Shield credit here: its server protection and early warning really are excellent. The log said that a mining program had been implanted on the server and named the process.

It had been implanted in a container, not on my host. Several container services run on this host, and the host has port restrictions, so the miner should not be able to reach out.

Checking the cause step by step:

Run top: the mining program is burning CPU like crazy.

Use ps to check the process's running directory; the path under /tmp does not exist on the host, so the process is most likely inside a Docker container.

Run docker stats to see how the containers are doing; the containers with high CPU usage stand out.

Run docker top <container ID> to view details of the processes inside that container.
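The same triage steps, as an added example that is not part of the original post: rather than guessing from a /tmp path that is missing on the host, the helpers below pick CPU-hungry PIDs out of ps output and tie a host PID to its container through /proc/<pid>/cgroup. The ps lines, container id and cgroup contents are constructed samples.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): map a CPU-hungry host PID to the
# Docker container it runs in by reading /proc/<pid>/cgroup.

# Print PIDs whose %CPU exceeds a threshold.
# $1: threshold; stdin: lines in the form "pid pcpu comm"
# (what `ps -eo pid,pcpu,comm --no-headers` prints).
hungry_pids() {
  awk -v min="$1" '$2 + 0 > min { print $1 }'
}

# Extract the 64-hex container id from the content of a /proc/<pid>/cgroup file.
# Matches cgroup v1 ("/docker/<id>") and v2 ("/system.slice/docker-<id>.scope");
# prints nothing for a plain host process.
# $1: cgroup file content
container_id_from_cgroup() {
  printf '%s\n' "$1" | grep -oE '(docker/|docker-)[0-9a-f]{64}' \
    | head -n1 | grep -oE '[0-9a-f]{64}' || true
}

# Live lookup for a running PID (needs a Linux host with /proc).
# $1: host PID
container_id_for_pid() {
  [ -r "/proc/$1/cgroup" ] || return 1
  container_id_from_cgroup "$(cat "/proc/$1/cgroup")"
}

# Constructed samples so the script runs offline.
SAMPLE_PS='4242 97.3 kdevtmpfsi
1 0.1 systemd
880 2.0 java'
SAMPLE_ID=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE_CGROUP_V1="12:cpu,cpuacct:/docker/$SAMPLE_ID
1:name=systemd:/docker/$SAMPLE_ID"
SAMPLE_CGROUP_V2="0::/system.slice/docker-$SAMPLE_ID.scope"
SAMPLE_CGROUP_HOST='0::/user.slice/user-1000.slice/session-2.scope'

# Walk the constructed ps output; on a real host use container_id_for_pid "$pid".
for pid in $(printf '%s\n' "$SAMPLE_PS" | hungry_pids 80); do
  echo "suspicious pid $pid -> container $(container_id_from_cgroup "$SAMPLE_CGROUP_V1")"
done
# With the id in hand, the next steps are the ones from the post:
#   docker ps --no-trunc | grep <id>    # which container and image
#   docker top <id>                     # processes inside it
```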

Why was it implanted?

  • The Redis vulnerability.

    This image does not include Redis. PASS

  • Does the image itself carry a virus?

    Many images bundle third-party plug-ins or JAR packages. You can check an image's metadata with the docker inspect <image ID> command. My image was packaged and uploaded by us, and re-downloading it locally showed nothing abnormal. Most likely PASS.

  • Remote execution vulnerability?

    This is very likely the problem. The Docker container exposes port 9999 (for xxl-job distributed tasks) and 8085 for the Spring Boot service (the latter almost certainly ruled out). So it should be xxl-job's fault. The xxl-job remote execution vulnerability leads to the kdevtmpfsi mining virus:

    Help.aliyun.com/noticelist/…

The final solution

1. Restrict port 9999 by source IP address, so that it can only be invoked from the xxl-job-admin server's IP.

2. Add authorization to xxl-job by configuring xxl.job.accessToken, which closes the unauthorized-access vulnerability.