How to remove the kdevtmpfsi cryptominer malware

Question    Votes: 0    Answers: 1

I run my server on Alibaba Cloud ECS. This is already the third time in the past two months that it has been hit by a cryptomining virus, so I'm hoping to find a solution here. Below is what I tried from publicly available answers online, none of which worked in the end.

top
Output:

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
 552060 root      20   0 2873424   2.3g   2712 S 129.4   3.7  51:33.70 kdevtmpfsi
 551850 root      20   0 3070036   2.3g   2712 S 123.5   3.7  47:00.41 kdevtmpfsi
 552074 root      20   0 3070032   2.3g   2712 S 123.5   3.7  49:39.04 kdevtmpfsi
  23883 1000      20   0 6785676 408104  26328 S   5.9   0.6   2:09.43 java
 564739 root      20   0  227268   4788   3868 R   5.9   0.0   0:00.02 top
      1 root      20   0  170004  12132   9124 S   0.0   0.0   0:03.19 systemd
      2 root      20   0       0      0      0 S   0.0   0.0   0:00.01 kthreadd
      3 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_gp
      4 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_par_gp
      6 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kworker/0:0H-events_highpri
      8 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 mm_percpu_wq
      9 root      20   0       0      0      0 S   0.0   0.0   0:00.00 rcu_tasks_rude_
     10 root      20   0       0      0      0 S   0.0   0.0   0:00.00 rcu_tasks_trace
     11 root      20   0       0      0      0 S   0.0   0.0   0:00.25 ksoftirqd/0
     12 root      20   0       0      0      0 I   0.0   0.0   0:21.31 rcu_sched
     13 root      rt   0       0      0      0 S   0.0   0.0   0:00.01 migration/0
     14 root      20   0       0      0      0 S   0.0   0.0   0:00.00 cpuhp/0
     15 root      20   0       0      0      0 S   0.0   0.0   0:00.00 cpuhp/1
     16 root      rt   0       0      0      0 S   0.0   0.0   0:00.58 migration/1
     17 root      20   0       0      0      0 S   0.0   0.0   0:00.78 ksoftirqd/1
     19 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kworker/1:0H-events_highpri
  1. kill -9 PID does not work (kdevtmpfsi restarts after about 1 minute)
  2. there is no kdevtmpfsi file under /tmp
  3. systemctl status PID does not work either
  4. there is nothing in crontab
  5. used find / -iname kdevtmpfsi* -exec rm -fv {} \;

Terminal commands tried:

[root@Stock-DMP tmp]# ps -ef | grep kdevtmpfsi
root      551850   35245 99 15:02 ?        00:49:38 /tmp/kdevtmpfsi
root      552060   35687 99 15:02 ?        00:54:11 /tmp/kdevtmpfsi
root      552074   35462 99 15:02 ?        00:52:16 /tmp/kdevtmpfsi
root      565438  543813  0 15:41 pts/0    00:00:00 grep --color=auto kdevtmpfsi
[root@Stock-DMP tmp]# pwd
/tmp
[root@Stock-DMP tmp]# ll
total 12
-rw------- 1 root root    0 Jan  5 12:12 AliyunAssistClientSingleLock.lock
-rw-r--r-- 1 root root    3 Jan  5 13:00 CmsGoAgent.pid
drwx------ 3 root root 4096 Jan  5 13:00 systemd-private-cef6b94dbb0f4abbb2fb81aed53c1bdf-chronyd.service-iwnjti
drwx------ 3 root root 4096 Jan  5 13:00 systemd-private-cef6b94dbb0f4abbb2fb81aed53c1bdf-systemd-resolved.service-KyX7Wf
[root@Stock-DMP tmp]# systemctl status 551850
Failed to get unit for PID 551850: PID 551850 does not belong to any loaded unit.
[root@Stock-DMP tmp]# systemctl status 552060
Failed to get unit for PID 552060: PID 552060 does not belong to any loaded unit.
[root@Stock-DMP tmp]# systemctl status 552074
Failed to get unit for PID 552074: PID 552074 does not belong to any loaded unit.
[root@Stock-DMP tmp]# systemctl status 555438
Failed to get unit for PID 555438: PID 555438 does not belong to any loaded unit.
[root@Stock-DMP tmp]# ls -l /proc/551850/exe
lrwxrwxrwx 1 root root 0 Jan  6 15:02 /proc/551850/exe -> '/tmp/kdevtmpfsi (deleted)'
[root@Stock-DMP tmp]# ls -l /proc/552060/exe
lrwxrwxrwx 1 root root 0 Jan  6 15:02 /proc/552060/exe -> '/tmp/kdevtmpfsi (deleted)'
[root@Stock-DMP tmp]# ls -l /proc/552074/exe
lrwxrwxrwx 1 root root 0 Jan  6 15:02 /proc/552074/exe -> '/tmp/kdevtmpfsi (deleted)'
[root@Stock-DMP tmp]# ls -l /proc/555438/exe
ls: cannot access '/proc/555438/exe': No such file or directory
[root@Stock-DMP tmp]# crontab -l
no crontab for root
[root@Stock-DMP tmp]# find / -iname kdevtmpfsi* -exec rm -fv {} \;
removed '/var/lib/docker/overlay2/003f8255259b3a7551887255badebc03e3051bf7ccbf39cdabb669be17454cc9/merged/tmp/kdevtmpfsi'
removed '/var/lib/docker/overlay2/ebb11958a3df7d4dc3019a6b7f5d9f6d6e0bad8e6c8330b3cb2d994000b0d70e/merged/tmp/kdevtmpfsi'
removed '/var/lib/docker/overlay2/7782d102817437c1dc0e502b5f2ceb47f485ca9c69961b90f3d1f828074be59d/merged/tmp/kdevtmpfsi'
find: ‘/proc/571578’: No such file or directory
find: ‘/proc/571579’: No such file or directory
[root@Stock-DMP tmp]# find / -iname kinsing* -exec rm -fv {} \;
  1. I want to know where kdevtmpfsi broke into my server
  2. How to completely remove kdevtmpfsi
  3. How to defend against it afterwards (I develop from a home network, so it is hard to close all ports in the security group or restrict access to specific IPs)
linux security cloud mining alibaba-cloud
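A host-side triage script that automates the checks the question performs by hand, added here as an illustration; it is not part of the question or of any answer. It walks /proc and flags every process whose exe link ends in "(deleted)" or points under /tmp, /var/tmp or /dev/shm, and for each one records the parent PID and the Docker container id parsed from /proc/<pid>/cgroup. The find output in the question locates the binary under /var/lib/docker/overlay2/.../merged/tmp, that is inside container filesystems, which is why /tmp on the host looks empty and why killing the host PID alone does not help: the container id and the parent PID (35245, 35687 and 35462 in the ps output above) identify the container and the service that keep respawning it. The PIDs, paths and container id in build_fake_proc() are constructed test data modelled on the question's output; only the layout mirrors it.

```python
#!/usr/bin/env python3
"""Host-side triage for a process like kdevtmpfsi that runs from a deleted
binary. Added example, not code from the original post.

Walks /proc and reports every process whose executable was unlinked after
it started (the "(deleted)" suffix seen in the question) or lives under a
world-writable scratch directory, together with its parent PID and the
Docker container id taken from /proc/<pid>/cgroup. Everything written by
build_fake_proc() is constructed data for the self-test.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# 64-hex container id as it appears in cgroup v1 ("/docker/<id>") and
# cgroup v2 ("docker-<id>.scope") paths.
CONTAINER_RE = re.compile(r"docker[-/]([0-9a-f]{64})")
# Constructed container id used only by the self-test data below.
FAKE_CONTAINER_ID = "deadbeef" * 8


@dataclass
class Finding:
    pid: int
    ppid: int
    exe: str                   # raw readlink() target of /proc/<pid>/exe
    deleted: bool              # binary was unlinked after exec
    scratch: bool              # binary path is under a scratch directory
    container: Optional[str]   # Docker container id, None for host processes


def classify_exe(target: str) -> Tuple[bool, bool]:
    """Return (deleted, scratch) for a /proc/<pid>/exe link target."""
    deleted = target.endswith(" (deleted)")
    path = target[: -len(" (deleted)")] if deleted else target
    return deleted, path.startswith(SCRATCH_DIRS)


def container_id(cgroup_text: str) -> Optional[str]:
    """Extract the Docker container id from /proc/<pid>/cgroup contents."""
    match = CONTAINER_RE.search(cgroup_text)
    return match.group(1) if match else None


def parent_pid(status_text: str) -> int:
    """Read the PPid field from /proc/<pid>/status contents."""
    for line in status_text.splitlines():
        if line.startswith("PPid:"):
            return int(line.split()[1])
    return 0


def triage(proc_root: str = "/proc") -> List[Finding]:
    """Scan proc_root and return suspicious processes in PID order."""
    findings: List[Finding] = []
    for name in sorted((n for n in os.listdir(proc_root) if n.isdigit()), key=int):
        pdir = os.path.join(proc_root, name)
        try:
            exe = os.readlink(os.path.join(pdir, "exe"))
            with open(os.path.join(pdir, "status")) as fh:
                ppid = parent_pid(fh.read())
            with open(os.path.join(pdir, "cgroup")) as fh:
                cid = container_id(fh.read())
        except OSError:
            # Kernel threads have no exe link, other users' processes are
            # unreadable without root, and a process may exit mid-scan.
            continue
        deleted, scratch = classify_exe(exe)
        if deleted or scratch:
            findings.append(Finding(int(name), ppid, exe, deleted, scratch, cid))
    return findings


def build_fake_proc(root: str) -> None:
    """Write a constructed /proc look-alike: one host daemon, one container
    workload and two miner processes running from a deleted /tmp binary."""
    scope_v2 = f"0::/system.slice/docker-{FAKE_CONTAINER_ID}.scope\n"
    scope_v1 = f"12:cpu:/docker/{FAKE_CONTAINER_ID}\n"
    entries = {  # pid: (exe link target, ppid, cgroup file contents)
        1: ("/usr/lib/systemd/systemd", 0, "0::/init.scope\n"),
        23883: ("/usr/bin/java", 1, scope_v2),
        551850: ("/tmp/kdevtmpfsi (deleted)", 35245, scope_v2),
        552060: ("/tmp/kdevtmpfsi (deleted)", 35687, scope_v1),
    }
    for pid, (exe, ppid, cgroup) in entries.items():
        pdir = os.path.join(root, str(pid))
        os.mkdir(pdir)
        os.symlink(exe, os.path.join(pdir, "exe"))  # dangling link is fine
        name = os.path.basename(exe.split(" ")[0])
        with open(os.path.join(pdir, "status"), "w") as fh:
            fh.write(f"Name:\t{name}\nPid:\t{pid}\nPPid:\t{ppid}\n")
        with open(os.path.join(pdir, "cgroup"), "w") as fh:
            fh.write(cgroup)


def demo() -> List[Finding]:
    """Run triage() over the constructed tree instead of the live /proc."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root)
        return triage(root)


if __name__ == "__main__":
    for f in triage():
        print(f"{f.pid:>7} ppid={f.ppid:<7} container={f.container or '-':<12} {f.exe}")
```

Run it as root on the host; a reported container id can be mapped to its name and published ports with docker ps --no-trunc and docker inspect. Stopping that container and fixing whatever service it exposes has to come before removing the binary, otherwise the process returns, as the question describes.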
1 answer