
There is a mining virus in the server

2022-04-23 14:02:00 Rookie cat meow meow

Looking at top shows two mining processes, and yes, they are real.
Both are dealt with the same way, so one serves as the example.

Find the PID

ps -ef | grep kdevtmpfsi

Kill the process

sudo kill -9 [PID]

Run sudo crontab -l to check whether there are any suspicious scheduled tasks.

The process restarts shortly after being killed, so look at the daemon behind it:

systemctl status [virus PID]


Kill the virus daemon

sudo kill -9 30409 30985
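The steps above (find the PIDs, see what started them, kill the spawner before its child) as an added shell example; this is not code from the original post. It reads a ps -eo pid,ppid,comm snapshot on stdin, so it runs offline against the constructed sample below (the two kdevtmpfsi PIDs are the ones the post shows, the other processes are invented), and the function names match_procs, parent_comm and kill_order are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): triage a process snapshot for a
# miner by name and show what started each instance before killing anything.
# Input is the output of `ps -eo pid,ppid,comm`, read on stdin, so the same
# functions work on a live system or on a saved snapshot.

# Constructed sample: the two kdevtmpfsi PIDs are the ones the post shows; the
# other processes are invented and match nothing on the reader's machine.
SAMPLE_PS='  PID  PPID COMMAND
    1     0 systemd
  812     1 cron
30409     1 kdevtmpfsi
30985 30409 kdevtmpfsi
31002   812 sh'

# Print "pid ppid comm" for every process whose command name matches $1.
match_procs() {
    awk -v pat="$1" 'NR > 1 && $3 ~ pat { print $1, $2, $3 }'
}

# Print the command name of the parent of PID $1, or "?" when the parent is
# not in the snapshot (PID 0, or a dropper that has already exited).
parent_comm() {
    awk -v p="$1" '
        NR > 1 { ppid[$1] = $2; comm[$1] = $3 }
        END {
            pp = ppid[p]
            if (pp in comm) print comm[pp]; else print "?"
        }'
}

# PIDs matching $1 on one line, ordered by parent PID so the spawner comes
# before what it spawned: killing the parent first stops it from respawning
# the child between the two kills.
kill_order() {
    match_procs "$1" | sort -k2,2n | awk '
        { printf "%s%s", (NR > 1 ? " " : ""), $1 }
        END { printf "\n" }'
}

# Report for the sample snapshot.
printf '%s\n' "$SAMPLE_PS" | match_procs kdevtmpfsi |
while read -r pid ppid comm; do
    parent=$(printf '%s\n' "$SAMPLE_PS" | parent_comm "$pid")
    printf 'pid=%s comm=%s ppid=%s (%s)\n' "$pid" "$comm" "$ppid" "$parent"
done
printf 'kill order: %s\n' "$(printf '%s\n' "$SAMPLE_PS" | kill_order kdevtmpfsi)"
# On a live host: ps -eo pid,ppid,comm | kill_order kdevtmpfsi
```

For the sample this prints the parent of 30985 as kdevtmpfsi (the other miner instance) and the parent of 30409 as systemd, and the kill order 30409 30985, which is the order the post uses; a parent shown as "?" means the process that launched the miner is already gone and the persistence has to be found elsewhere (crontab, a service unit, or a file under /tmp).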

Delete the suspicious files

They are usually under the /tmp directory.


You can see kdevtmpfsi and the other virus file there.

Delete without hesitation:

sudo rm kdevtmpfsi

Look under the /tmp directory again:

Delete all of these too.

Deleted.

  • Use find / -name "*kdevtmpfsi*" to check whether any kdevtmpfsi files remain.

None remain.
CPU usage is now back down.


Post-incident checks

  • Use find / -name "*kdevtmpfsi*" to check whether any kdevtmpfsi files remain.
  • Review the Linux SSH login audit log. On CentOS and RedHat the path is /var/log/secure; on Ubuntu and Debian it is /var/log/auth.log.
  • Check crontab for suspicious scheduled tasks.

Hardening afterwards

  • Enable SSH public key login and disable password login.
  • Virtual machine: tighten the security policy. For inbound traffic, generally open only ports 80 and 443; outbound traffic can be left unrestricted by default and limited as needed. Physical machine: use a hardware firewall or iptables on the machine itself to set the inbound and outbound traffic rules.
  • If the machine does not need to serve external traffic directly, reject all traffic at the external network interface and log in to the service machine over the intranet through a jump host.
  • Block suspicious IP addresses.

Copyright notice
This article was written by [Rookie cat meow meow]; when reposting, please include the original link. Thanks.
https://yzsam.com/2022/04/202204231342343007.html