Solve the problem of mining virus occupying CPU and deleting ld-linux-x86-64.so.2 files by mistake

The last time has been caught digging mine when a absenteeism, this thought solved, did not expect to even revive.

The CPU is still a ld-linux process, kill off after the same check on the test user's process, sure enough, test user process has 100+, compared to the last time, or with the last script, will test the process also kill off. In order to prevent the malicious addition of users, the test user in the/etc/passwd file after the deletion, to the file added hidden permissions I, specific functions do not know can be checked, here is not much introduction. After the main process Ld-linux kill the CPU directly down.

This is the second time, in order to prevent the third time, decided to thoroughly find the mining virus. So find found the file about Ld-linux, the result is as follows:

/tmp/.xm/stak/ld-linux-x86-64.so.2/usr/lib64/ld-linux-x86-64.so.2 -> ld-2.17.so/usr/share/man/man8/ld-linux.so.8.gz/usr/share/man/man8/ld-linux.8.gz

You can see the record of the first article:/tmp/.xm/stak/ld-linux-x86-64.so.2

is a file in a hidden directory of TMP, there is a ld-linux-x86-64.so.2, and this file and/usr/lib64/ Ld-linux-x86-64.so.2 name is exactly the same, why, you should know that the Linux malicious process is basically disguised as other processes, that is, the name and the name of some files. If not, you look at the process: "This is a process, have not seen, kill!" "So I may be too sorry for the code that itxxx the big Guy wrote.

Transfer the/tmp/.xm/stak/ld-linux-x86-64.so.2 and cancel the permissions (for later time study).

And then the second one. Because Caishuxueqian, also did not pay attention to see/USR/LIB64/LD-LINUX-X86-64.SO.2 and ld-2.17.so is dry, on the MV directly transferred to the root of a folder, the results ... All commands except the CD and PWD commands are not available, and the Xshell connection is not connected, and the connection is always displayed. Later looked up the information, this is a dynamic library of files, in the system is very important. Now there are only three Xshell boxes on the computer that remain connected, and nothing can be done.

Baidu, the group to explore and find solutions.

Tried FTP, tried scp ..... Try to get the ld-linux-x86-64.so.2 back to the original directory, or copy the past from another system. Have not succeeded, the expected result.

Think of a single-user mode to change the root password, and try to solve the problem of this file. The result is to be able to go in, but the file is not interoperability, that is, the file system is not the original system of things, Root should have a ld-linux-x86-64.so.2 file does not exist, there is no way to operate.

Later found the way to rescue mode, CENTOS7 before the department and Centos7 Rescue mode is not the same, the specific self-check.

Here are two pits:

    1.这个ro，当时我找了好久，如果你也找不到的话可以试试在拐角处，一行的末尾是  r/ ，下一行的开头是 o ，明白了吧，

There is a/symbol at the line break;

    2.这个系统的救援模式是不管用的，还是别试了；

OK, here's how to save Ld-linx.

The system's rescue mode is no use, but there is a disc rescue mode, prepare a burning system disk bar.

1. Enter the system BIOS settings and boot into the CD:

2. Select a third troubleshooting:

3. Then choose the second rescue a CentOS Linux system, depending on the option, meaning "save a CentOS Systems":

4. Enter 1, and then enter;

###

This is the disc rescue mode, now the command is the system disk, basic can be used.

The original server system will be attached to the CD-ROM/mnt/sysimage/folder, the inside will find that the file is the same as your previous system (in fact).

This can be manipulated, go to the directory to copy or cut ld-linux-x86-64.so.2 to the original directory, but note the path, (here to knock the Blackboard 3 times), your original system root directory is/mnt/sysimage/!!!!!! (At least my is, not sure can df-h look at), the operation must look carefully, after all, to here may be your last chance, an operation error, may have to brush the system.

There is, this CD-ROM rescue mode, so-called even the system kernel can be saved (just don't know RM-RF * * can also be saved back), so long as the backup data, there is always a solution.

Finally, the release may be some anxious, not comprehensive place also hope to forgive, this article is for reference only;

Solve the problem of mining virus occupying CPU and deleting ld-linux-x86-64.so.2 files by mistake