Hunting down the kdevtmpfsi cryptominer
Problem overview
- Server: Alibaba Cloud host
- OS: CentOS 7
- Symptom: the kdevtmpfsi process using 400% CPU (8-core machine)
- Timeline: alert on 2020-01-07, handled on 2020-01-08
Removal steps
Use the clamscan command to scan every file (for ClamAV itself see my earlier post on installing clamav and scanning for viruses):
nohup clamscan / -r --infected -l clamscan.log > clamscan.out &
- This step takes a long time
Inspect the scan results:
cat clamscan.log | grep FOUND
/var/lib/docker/overlay/bdd049c71596d743907224a8dd6fdb3fb4ca76e3af8dfd6eee2d034de2be45a1/merged/tmp/kdevtmpfsi: Multios.Coinminer.Miner-6781728-2 FOUND
/var/lib/docker/overlay/bdd049c71596d743907224a8dd6fdb3fb4ca76e3af8dfd6eee2d034de2be45a1/merged/tmp/red2.so: Unix.Trojan.Gafgyt-6981174-0 FOUND
/var/lib/docker/overlay/bdd049c71596d743907224a8dd6fdb3fb4ca76e3af8dfd6eee2d034de2be45a1/upper/tmp/kdevtmpfsi: Multios.Coinminer.Miner-6781728-2 FOUND
/var/lib/docker/overlay/bdd049c71596d743907224a8dd6fdb3fb4ca76e3af8dfd6eee2d034de2be45a1/upper/tmp/red2.so: Unix.Trojan.Gafgyt-6981174-0 FOUND
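Triaging this kind of scan output can be scripted. The shell helpers below are an added example of mine, not code from the original post: one pulls the path and signature out of clamscan FOUND lines, one extracts the overlay layer id from a path under /var/lib/docker/overlay so a hit can be tied to a container through docker inspect, and one moves a hit into a quarantine directory (hash recorded, all permission bits cleared) instead of deleting it outright, so a sample survives for later analysis. The sample log is constructed from the FOUND lines above plus a summary footer; QUARANTINE_DIR, the function names and the sha256sum/shasum fallback are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers to triage a clamscan log.
# Assumptions (mine): clamscan's default "path: Signature FOUND" log format;
# QUARANTINE_DIR is a directory on a filesystem we control.

# Constructed sample log: the FOUND lines from the post plus a summary footer.
sample_clamscan_log() {
cat <<'EOF'
/var/lib/docker/overlay/bdd049c71596d743907224a8dd6fdb3fb4ca76e3af8dfd6eee2d034de2be45a1/merged/tmp/kdevtmpfsi: Multios.Coinminer.Miner-6781728-2 FOUND
/var/lib/docker/overlay/bdd049c71596d743907224a8dd6fdb3fb4ca76e3af8dfd6eee2d034de2be45a1/merged/tmp/red2.so: Unix.Trojan.Gafgyt-6981174-0 FOUND
/var/lib/docker/overlay/bdd049c71596d743907224a8dd6fdb3fb4ca76e3af8dfd6eee2d034de2be45a1/upper/tmp/kdevtmpfsi: Multios.Coinminer.Miner-6781728-2 FOUND
/var/lib/docker/overlay/bdd049c71596d743907224a8dd6fdb3fb4ca76e3af8dfd6eee2d034de2be45a1/upper/tmp/red2.so: Unix.Trojan.Gafgyt-6981174-0 FOUND
----------- SCAN SUMMARY -----------
Infected files: 4
EOF
}

# Read a clamscan log on stdin, print "path<TAB>signature" for each FOUND line.
clamscan_found() {
    awk '/ FOUND$/ {
        sub(/ FOUND$/, "")
        # the signature name is whatever follows the last ": "
        if (match($0, /: [^: ]+$/))
            print substr($0, 1, RSTART - 1) "\t" substr($0, RSTART + 2)
    }'
}

# Given a path under /var/lib/docker/overlay or overlay2, print the 64-hex
# layer id (nothing for other paths). docker inspect -f '{{ .GraphDriver.Data }}'
# on each running container shows which one owns that layer directory.
overlay_layer() {
    printf '%s\n' "$1" |
        sed -n 's|^/var/lib/docker/overlay2\{0,1\}/\([0-9a-f]\{64\}\)/.*|\1|p'
}

# Move a hit into QUARANTINE_DIR instead of rm'ing it: hash it first, log the
# hash and original path, clear every permission bit. Prints the new path.
quarantine() {
    f=$1
    q=${QUARANTINE_DIR:-/root/quarantine}
    mkdir -p "$q" && chmod 700 "$q"
    if command -v sha256sum >/dev/null 2>&1; then
        h=$(sha256sum "$f" | cut -d' ' -f1)
    else
        h=$(shasum -a 256 "$f" | cut -d' ' -f1)   # macOS/BSD fallback
    fi
    dest="$q/$h.bin"
    printf '%s  %s\n' "$h" "$f" >> "$q/manifest.txt"
    mv "$f" "$dest" && chmod 000 "$dest"
    printf '%s\n' "$dest"
}

# Demo on the constructed log: list hits and the overlay layer each lives in.
sample_clamscan_log | clamscan_found | while IFS="$(printf '\t')" read -r path sig; do
    printf '%s  %s  layer=%s\n' "$sig" "$path" "$(overlay_layer "$path")"
done
```

On a real host you would run `clamscan_found < clamscan.log` and feed each path to `quarantine`; the manifest then gives you the hashes to search for on other machines, and the quarantined copies can be handed to whoever does the analysis.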
Delete these four files. Looking directly in the directories concerned, I found that the ../tmp directories there were full of malicious files (related to kinsing); I deleted all of them.
Run top to check CPU usage and find the PID of the mining process kdevtmpfsi, then determine its start-up command from the launch information and delete it (what I found here was that the file had already been deleted):
ls /proc/[pid] -ali
Find the parent process ID:
systemctl status [pid]
● docker-be9fcab033e6158f8ff7d6ac07d28cfd918375178c27e016aa800cbeef985161.scope - libcontainer container be9fcab033e6158f8ff7d6ac07d28cfd918375178c27e016aa800cbeef985161
Loaded: loaded (/run/systemd/system/docker-be9fcab033e6158f8ff7d6ac07d28cfd918375178c27e016aa800cbeef985161.scope; static; vendor preset: disabled)
Drop-In: /run/systemd/system/docker-be9fcab033e6158f8ff7d6ac07d28cfd918375178c27e016aa800cbeef985161.scope.d
└─50-BlockIOAccounting.conf, 50-CPUAccounting.conf, 50-DefaultDependencies.conf, 50-Delegate.conf, 50-Description.conf, 50-MemoryAccounting.conf, 50-Slice.conf
Active: active (running) since Mon 2019-11-11 11:24:17 UTC; 1 months 27 days ago
Tasks: 38
Memory: 2.3G
CGroup: /system.slice/docker-be9fcab033e6158f8ff7d6ac07d28cfd918375178c27e016aa800cbeef985161.scope
├─ 4475 redis-server *:6379
├─ 8528 sh -c /tmp/.ICEd-unix/vJhOU
├─ 8529 /tmp/.ICEd-unix/vJhOU
└─22822 /tmp/kdevtmpfsi
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
Kill the unwanted related processes, here 4475, 8528, 8529 and 22822 above.
Check whether any other processes still need to be killed, and kill them if so:
ps -ef | grep kinsing
top
Confirm that the mining process has been killed.
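The chain above (top, then /proc/[pid], then systemctl status and its CGroup tree) is worth keeping as a script, because the dropper had already unlinked itself and the miner was running inside a Docker container next to a redis-server listening on *:6379, so the unit to deal with is the container, not just the four PIDs. The helpers below are an added example written by me, not the post's own commands: they parse the CGroup tree of a systemctl status dump into PIDs, pull the 64-character container id out of a docker-<id>.scope name or a /proc/<pid>/cgroup entry, dump exe, cmdline, parent and cgroup for a live PID, and list PIDs by name from /proc so the search itself never shows up as a hit. The sample status text is the output shown above; Linux /proc, the systemd (docker-<id>.scope) or cgroupfs (/docker/<id>) naming and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for tracing a suspicious
# PID back to the container it runs in.
# Assumptions (mine): Linux with /proc; container cgroups named either
# docker-<id>.scope (systemd driver) or /docker/<id> (cgroupfs driver).

# Constructed sample: the "systemctl status <pid>" output shown in the post.
sample_status() {
cat <<'EOF'
● docker-be9fcab033e6158f8ff7d6ac07d28cfd918375178c27e016aa800cbeef985161.scope - libcontainer container be9fcab033e6158f8ff7d6ac07d28cfd918375178c27e016aa800cbeef985161
   Loaded: loaded (/run/systemd/system/docker-be9fcab033e6158f8ff7d6ac07d28cfd918375178c27e016aa800cbeef985161.scope; static; vendor preset: disabled)
   Active: active (running) since Mon 2019-11-11 11:24:17 UTC; 1 months 27 days ago
    Tasks: 38
   Memory: 2.3G
   CGroup: /system.slice/docker-be9fcab033e6158f8ff7d6ac07d28cfd918375178c27e016aa800cbeef985161.scope
           ├─ 4475 redis-server *:6379
           ├─ 8528 sh -c /tmp/.ICEd-unix/vJhOU
           ├─ 8529 /tmp/.ICEd-unix/vJhOU
           └─22822 /tmp/kdevtmpfsi
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
EOF
}

# Print the first 64-hex container id found on stdin (a systemctl status
# dump, a unit name, or the contents of /proc/<pid>/cgroup).
container_id() {
    sed -n -e 's/.*docker-\([0-9a-f]\{64\}\)\.scope.*/\1/p' \
           -e 's|.*/docker/\([0-9a-f]\{64\}\).*|\1|p' | head -n 1
}

# Read "systemctl status" output on stdin and print "pid<TAB>command" for
# every process in its CGroup tree.
cgroup_tree_pids() {
    awk '
        /^[[:space:]]*CGroup:/ { in_tree = 1; next }
        in_tree {
            if (index($0, "─") == 0) exit      # first line without a branch glyph ends the tree
            sub(/^[^0-9]*/, "")                # drop indentation and the ├─ / └─ glyphs
            pid = $1
            sub(/^[0-9]+[[:space:]]*/, "")
            print pid "\t" $0
        }'
}

# Live triage of one PID. readlink on /proc/<pid>/exe reports "(deleted)"
# when the binary has been unlinked, which is what the post ran into.
proc_info() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    printf 'exe:     %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    printf 'cmdline: %s\n' "$(tr '\000' ' ' < "/proc/$pid/cmdline")"
    printf 'ppid:    %s\n' "$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status")"
    printf 'cgroup:  %s\n' "$(tr '\n' ' ' < "/proc/$pid/cgroup")"
    cid=$(container_id < "/proc/$pid/cgroup")
    if [ -n "$cid" ]; then
        printf 'container: %s  (docker inspect %s)\n' "$cid" "$cid"
    fi
}

# PIDs whose comm or cmdline contains $1 (e.g. kdevtmpfsi, kinsing), read from
# /proc directly so the search itself never shows up as a hit.
find_named() {
    for d in /proc/[0-9]*; do
        if grep -aq -- "$1" "$d/comm" "$d/cmdline" 2>/dev/null; then
            printf '%s\n' "${d#/proc/}"
        fi
    done
}

# Usage: sh triage.sh <pid>   With no argument, demo on the constructed sample.
if [ $# -gt 0 ]; then
    proc_info "$1"
else
    printf 'container %s\n' "$(sample_status | container_id)"
    sample_status | cgroup_tree_pids
fi
```

Once the container id is known, docker inspect and docker stop on that id deal with the whole tree at once, and the image it came from can be checked before anything is restarted. The redis-server listening on *:6379 in the same container is the first thing to look at afterwards: whether it is reachable from outside and whether it requires authentication decides if the cleanup will hold.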
Summary
- In the two hours after the cleanup, no obvious anomalies were seen on the server
- It reappeared the next day and needs further investigation; after the machine was rebooted the problem did not recur