CentOS: removing the kdevtmpfsi mining malware

Problem summary

  • Server: Alibaba Cloud host
  • OS: CentOS 7
  • Symptom: the kdevtmpfsi process was using 400% CPU (8-core machine)
  • Timeline: alert on 2020-01-07, handled on 2020-01-08

Removal steps

  • Scan every file with clamscan (for ClamAV details see my earlier post on ClamAV installation and scanning):

    nohup clamscan / -r --infected -l clamscan.log > clamscan.out &

    • This step takes a long time
  • Check the scan results:

    cat clamscan.log | grep FOUND

/var/lib/docker/overlay/bdd049c71596d743907224a8dd6fdb3fb4ca76e3af8dfd6eee2d034de2be45a1/merged/tmp/kdevtmpfsi: Multios.Coinminer.Miner-6781728-2 FOUND
/var/lib/docker/overlay/bdd049c71596d743907224a8dd6fdb3fb4ca76e3af8dfd6eee2d034de2be45a1/merged/tmp/red2.so: Unix.Trojan.Gafgyt-6981174-0 FOUND
/var/lib/docker/overlay/bdd049c71596d743907224a8dd6fdb3fb4ca76e3af8dfd6eee2d034de2be45a1/upper/tmp/kdevtmpfsi: Multios.Coinminer.Miner-6781728-2 FOUND
/var/lib/docker/overlay/bdd049c71596d743907224a8dd6fdb3fb4ca76e3af8dfd6eee2d034de2be45a1/upper/tmp/red2.so: Unix.Trojan.Gafgyt-6981174-0 FOUND

  • Delete these four files. Looking directly in the directories involved, the ../tmp directories are usually full of malware files (related to kinsing); delete all of them

  • Use top to find, from the CPU usage, the process ID [pid] of the mining process kdevtmpfsi

  • Find the launch command in the process's startup information and delete it (in this case the information showed that the file had already been deleted):

    ls /proc/[pid] -ali
  • Find the parent process's PID:

    systemctl status [pid]

● docker-be9fcab033e6158f8ff7d6ac07d28cfd918375178c27e016aa800cbeef985161.scope - libcontainer container be9fcab033e6158f8ff7d6ac07d28cfd918375178c27e016aa800cbeef985161
Loaded: loaded (/run/systemd/system/docker-be9fcab033e6158f8ff7d6ac07d28cfd918375178c27e016aa800cbeef985161.scope; static; vendor preset: disabled)
Drop-In: /run/systemd/system/docker-be9fcab033e6158f8ff7d6ac07d28cfd918375178c27e016aa800cbeef985161.scope.d
└─50-BlockIOAccounting.conf, 50-CPUAccounting.conf, 50-DefaultDependencies.conf, 50-Delegate.conf, 50-Description.conf, 50-MemoryAccounting.conf, 50-Slice.conf
Active: active (running) since Mon 2019-11-11 11:24:17 UTC; 1 months 27 days ago
Tasks: 38
Memory: 2.3G
CGroup: /system.slice/docker-be9fcab033e6158f8ff7d6ac07d28cfd918375178c27e016aa800cbeef985161.scope
├─ 4475 redis-server *:6379
├─ 8528 sh -c /tmp/.ICEd-unix/vJhOU
├─ 8529 /tmp/.ICEd-unix/vJhOU
└─22822 /tmp/kdevtmpfsi

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

  • Kill the related processes that are not needed, such as 4475, 8528, 8529 and 22822 above

  • Check whether any processes still need to be killed; if so, kill them:

    ps -ef | grep kinsing
  • Confirm in top that the mining process has been killed
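As an added example (not the author's script), a small POSIX shell helper that automates the triage of the `systemctl status` listing above: it reads the CGroup section and reports the PIDs whose command runs from /tmp, /var/tmp or /dev/shm, which is where kinsing dropped its loader and kdevtmpfsi on this host. The sample listing is constructed to match the post; `SAMPLE_STATUS` and `suspicious_pids` are names chosen here.

```shell
#!/bin/sh
# Added triage helper, not the author's script. Given the text of
# `systemctl status <pid>`, print the PIDs of cgroup members whose command
# (or a `sh -c` argument) lives under /tmp, /var/tmp or /dev/shm.

# Constructed sample, shaped like the post's listing (not captured from a real host).
SAMPLE_STATUS='● docker-EXAMPLE.scope - libcontainer container EXAMPLE
   Active: active (running) since Mon 2019-11-11 11:24:17 UTC; 1 months 27 days ago
    Tasks: 38
   CGroup: /system.slice/docker-EXAMPLE.scope
           ├─ 4475 redis-server *:6379
           ├─ 8528 sh -c /tmp/.ICEd-unix/vJhOU
           ├─ 8529 /tmp/.ICEd-unix/vJhOU
           └─22822 /tmp/kdevtmpfsi

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.'

# suspicious_pids STATUS_TEXT -> space-separated PIDs, in listing order
suspicious_pids() {
    printf '%s\n' "$1" | awk '
        /^ *CGroup:/ { in_cgroup = 1; next }   # the process tree starts here
        !in_cgroup { next }                    # ignore the header lines above it
        {
            sub(/^[^0-9]*/, "")                # drop indentation and tree-drawing prefix
            if ($0 !~ /^[0-9]+ /) next         # not a "<pid> <command>" line
            # flag commands that point into world-writable scratch directories
            if ($0 ~ / \/(var\/)?tmp\// || $0 ~ / \/dev\/shm\//)
                out = out (out == "" ? "" : " ") $1
        }
        END { print out }'
}

# Stand-alone demo on the constructed sample; prints: 8528 8529 22822
suspicious_pids "$SAMPLE_STATUS"

# Live use on the affected host (as root), with the PID found in top:
#   suspicious_pids "$(systemctl status "$PID")"
# Review the list before killing anything: the container's own redis-server
# sits in the same cgroup and is not flagged by this rule.
```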

Summary

  • Two hours after the cleanup, no obvious abnormality was seen on the server
  • It reappeared the next day and needs further investigation; after the machine was rebooted the problem did not recur