Record a virus cleanup in operation and maintenance



The server cpu of a project server is overloaded, and the top command shows that there is a wave of high-consumption cpu processes running, and the execution programs are all linux commands, as shown in the figure

Record a virus cleanup in operation and maintenance

It can basically be confirmed that it is a mining virus. Unlike previous mining viruses, the names displayed by this virus are all Linux commands (confusing behavior?)


Since the names are some commonly used commands, the first thing to confirm is whether these tools are infected by viruses. The way to confirm is to find a server with the same operating system version that is not infected, and run commands on both sides.md5sum, take the cat command as an example

  • Confirm the location of the cat command
# which cat
  • execute md5sum
# md5sum /usr/bin/cat
1484a27859e2ca20ad667cc06d595d22  /usr/bin/cat

If the md5 of the commands on both sides always shows that the tool is not infected, it is just a confusing behavior of the virus, then how to find the location of the running program of the virus, the first way that comes to mind is to use strace to monitor the local files opened by the virus, but the virus seems to be In reading and writing, the file has not been opened, and it may be that the opening action has been completed before monitoring. In short, this method will not work.

Record a virus cleanup in operation and maintenance

In Linux, everything is a file. The resources used by the application, including the network, will allocate a file descriptor. The lsof command can view the file descriptors owned by the application.

Record a virus cleanup in operation and maintenance

Several important information can be seen from here

  • The virus does open the /usr/bin/fold command, and because of this, it can be disguised
  • Guess the virus program is located in /tmp/.python and run with python, but the status is deleted, indicating that the script is deleted after running
  • The virus daemon ip is209.141.40.190The ip is located outside the country

So the solution is relatively simple

  • Disable python, reclaim its executable permissions
chmod -x /usr/bin/python
## can also be renamed
mv /usr/bin/python /usr/bin/pythonx
  • kill all processes
  • It is better to restart the server


In recent years, due to the madness of Bitcoin, the mining virus has become more and more rampant. I am very supportive of the country’s action to crack down on Bitcoin. It has no value and consumes a lot of power resources. It provides criminals with hidden funding channels and provides convenience for money launderers. , is such a thing, the market value is as high as one trillion US dollars, it can only be said that this world is too crazy. Condemnation is condemnation. In order to protect the security of the server, it is recommended that the server do the following protection

  • Close the external network access channel, and all accesses are accessed through the gateway
  • Disable curl, wget, python commands, most virus scripts will use these commands to remotely download viruses and execute them
  • Disable crontab, if the system does not use the function of crontab, turn it off, the virus will be resurrected with the help of crontab
  • If you do not use root to start the program, the application will inevitably have loopholes. If you start the application with root, it means that once the business system is invaded, the virus can directly control the entire host
  • Download the ssh connection tool through the official website. All tools connected to the server must be downloaded from the official website. Do not search and download on Baidu, the one you download may contain a virus

Recommended Today

“Oracle” client PL/SQL DEVELOPER installation and use

Author: threedayman source:Hang Seng LIGHT Cloud Community background Compared with the command line, the client has richer visual interface information. At the same time, in order to run large sql files more conveniently, choose to install the client. Download and install PL/SQL DEVELOPER download address the appropriate version to install. Download Instantclient download address After […]