Record Alibaba cloud server mining program processing
2022-04-23 12:55:00 【WENHUI012】
Preface
Out of the blue I received a text message from Alibaba Cloud saying that a malicious mining program had appeared on the server. Fortunately this was a test server, and I had backed up the data beforehand, so I could deal with it without much worry. Still, be careful: remember to back up before any serious operation.
Handling process
1. Check the server load and CPU utilization to identify the mining process
- Run the command:
top
As the screenshot showed, something called network01 was using 87% of the CPU, but I did not see it in the server's root or tmp directories.
- With the PID confirmed above, check which directory the process runs from. Run the command below; it gives no explicit location, but you can see the link to the executable:
ll /proc/<PID>
- Then run find / -name network01 directly; it reported the location, and in that directory I found network01.
- Force-kill the mining process and delete the mining executable network01 (if you are afraid of deleting the wrong thing, back it up first as your regret medicine):
kill -9 1459261
After killing the process, the
top
command shows CPU usage has dropped back to normal.
2. Check whether the miner's address is present in the server's firewall rules and remove any malicious address:
iptables -L -n
3. Check whether the port security status is abnormal:
netstat -aulntp
I started wondering what the IP 133.11.244.74 was; after checking, it turned out to be my own public IP.
A domestic website for checking your own public IP: http://ip138.com
4. Check whether attackers have added scheduled tasks on the server, and deal with any suspicious cron files to prevent a second intrusion:
crontab -l
and
cat /etc/crontab
5. Check whether there are suspicious programs among the server's startup items, so that nothing comes back after the server restarts:
cd /etc/init.d
cat /etc/rc.d/rc.local
6. Check whether other root-level administrator accounts have been added to the Linux system users:
cat /etc/passwd # username : password : user ID : group ID : description : home directory : login shell
7. Check whether remote root login is enabled. On servers in a production environment PermitRootLogin should be set to no:
cat /etc/ssh/sshd_config
8. Check whether the mining malware has planted an SSH public key, to prevent a persistent backdoor:
cat /root/.ssh/authorized_keys
9. Port security policy in the Alibaba Cloud server security group: keep ports 80 and 443 open, and restrict the SSH port to allowed IPs. When you need to log in to the server, add the permitted IP in the Alibaba Cloud console; this does as much as possible to prevent malicious logins to the server.
10. Regularly check the server for mining activity and for webshell backdoors, regularly upgrade and patch the system, add a second password verification for logging in to the system back end, and guard against SQL injection vulnerabilities in the system, so that the mining malware cannot repeatedly infect other servers on the intranet.
You can also refer to Alibaba Cloud's mining malware handling guide: https://www.alibabacloud.com/help/zh/doc-detail/161236.htm
Conclusion
For this mining program I deleted the mining executable and force-killed the mining process; the scheduled tasks, startup items and so on showed nothing suspicious. Possibly that was all the hacker did. OK...... The general takeaway is that server security hardening has to be done well to guard against malicious attacks on the server. Finally, I hope this article is a helpful reference for you!
Copyright notice
This article was written by [WENHUI012]; please include a link to the original when reposting, thank you.
https://yzsam.com/2022/04/202204230616046528.html