Today a developer reported that the server was hanging, so let's look at what was going on.

At first glance, kswapd0 looks like a kernel process, but on closer inspection the USER column shows `novel`, which is not normal: the real kswapd0 runs as root. Looking further, the executable path is wrong as well; a kernel process does not live in an ordinary user's home directory.

The init0 script is the mining program, and the scheduled task (crontab) of the novel user has been set up to run the miner as well.
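As an added example that is not part of the original post, here is a small POSIX shell check that applies the two tells described above: a process carrying a kernel-thread name (kswapd0 and friends) that runs as a non-root user, or that has a real executable path at all (genuine kernel threads have no /proc/PID/exe target). The `ps`-style sample lines are constructed for the test, including the PID and the path under /home/novel.

```shell
#!/bin/sh
# Read "pid user comm exe" lines on stdin and print the ones where a
# kernel-thread name is paired with a non-root owner or a real binary path.
check_kernel_impostors() {
  while read -r pid user comm exe; do
    # only look at names a real kernel thread would carry
    case "$comm" in
      kswapd*|kthreadd|ksoftirqd*|migration*|rcu_*|kworker*) ;;
      *) continue ;;
    esac
    suspicious=0
    # tell 1: kernel threads always run as root
    if [ "$user" != "root" ]; then suspicious=1; fi
    # tell 2: kernel threads have no executable on disk ("-" below)
    if [ -n "$exe" ] && [ "$exe" != "-" ]; then suspicious=1; fi
    if [ "$suspicious" -eq 1 ]; then
      printf '%s %s %s %s\n' "$pid" "$user" "$comm" "$exe"
    fi
  done
}

# Linux only: build the same "pid user comm exe" lines from /proc.
collect_procs() {
  for d in /proc/[0-9]*; do
    [ -r "$d/comm" ] || continue
    pid=${d#/proc/}
    comm=$(cat "$d/comm" 2>/dev/null)
    user=$(stat -c %U "$d" 2>/dev/null || echo '?')
    exe=$(readlink "$d/exe" 2>/dev/null || echo -)   # "-" for kernel threads
    printf '%s %s %s %s\n' "$pid" "$user" "$comm" "$exe"
  done
}

# Constructed sample (not real output): the novel-owned kswapd0 is flagged,
# the genuine root kswapd0 and kthreadd are not, and bash is ignored.
SAMPLE='13949 novel kswapd0 /home/novel/.configrc/kswapd0
42 root kswapd0 -
7 root kthreadd -
1234 novel bash /bin/bash'

printf '%s\n' "$SAMPLE" | check_kernel_impostors
# Live scan of this host:
collect_procs | check_kernel_impostors
```

Each flagged line is a candidate for the same follow-up the post walks through: inspect the path, the owner's home directory and the owner's crontab.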

So the server was compromised and used for mining. Now let's remove the mining program:

```shell
# stop the running miner (the PID seen in the process list above)
kill -9 13949
# wipe the novel user's home directory; the glob does not match dotfiles,
# so remove the miner's .configrc and the planted .ssh directory explicitly
rm -rf /home/novel/*
rm -rf /home/novel/.configrc /home/novel/.ssh
# delete the account together with its home directory;
# afterwards confirm its cron job is gone too: crontab -u novel -l
userdel -r novel
```

For subsequent hardening, configure SSH to use key-based authentication instead of passwords.