Early in the morning, pay Bora SMS to say that you won the "prize"? Dealing with server mining virus - kthreaddi
2022-07-28 16:27:00 【Sun Fendou】
Deal with server mining virus - kthreaddi
- When your server has the following symptoms, congratulations on winning the prize


I opened the server early this morning and found it was lagging badly, so I checked with the top command. Sure enough, the server was being used for mining. Here is a complete solution!

With Bitcoin soaring, more mining viruses are likely to appear. This virus not only hogs CPU resources, it can also attack other servers through the server's ports. It harms others without benefiting oneself. Very vicious!!!
First, have a look at kthreaddi's ugly face
Use ll /proc/3436 to see where it runs from
It turns out to sit in a file under www, and the user of the [kthreaddi] process is www, so it was probably injected through the web. That ruled out my first idea, entry through the Redis port. Then switch to this file
Doesn't that show its true form!
There is a link in it that opens an advertisement with some foreign man!
【kthreaddi】 is a mining virus that constantly writes scheduled tasks to carry out its operation
Do you think the problem is solved once you have found it?
First, use the top command to find the PID of the process hogging resources, 3436, and kill it directly. But after a while the process is created again automatically. Think about it: someone who got in on his own ability is not going to leave just because you say so
It keeps coming back not because it is tenacious, but because there is a task that keeps running
Use the scheduled-task command crontab -e to take a look. Sure enough, there is a scheduled task. What's more annoying is that I can't find this file
So the only thing left is to delete all scheduled tasks. That's easy: better to kill a thousand by mistake than let one go (too reckless; it is recommended to back up the scheduled-task files first)
And so the world is quiet!
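
The checks above (where the process runs from, which user owns it, and backing up the scheduled tasks before deleting them) can be scripted. The following is an added example, not code from the original post; the function names, the PROC_ROOT and WEB_ROOT variables and the /www default are assumptions, and it is meant to be run as root so that /proc/PID/exe of other users' processes is readable.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: read-only triage of a suspect PID,
# plus a crontab backup to take before deleting any scheduled task.
PROC_ROOT="${PROC_ROOT:-/proc}"  # assumption: overridable to inspect a constructed tree
WEB_ROOT="${WEB_ROOT:-/www}"     # assumption: web root location; adjust to your layout

# Prints "owner|exe|flags" for a PID; the flags say why the process looks wrong.
triage_pid() {
    local dir="$PROC_ROOT/$1" owner exe cmd flags=""
    [ -d "$dir" ] || { echo "pid $1 not found" >&2; return 1; }
    owner=$(ls -ld "$dir" | awk '{print $3}')
    exe=$(readlink "$dir/exe" 2>/dev/null) || exe=""
    cmd=$(tr '\000' ' ' 2>/dev/null < "$dir/cmdline") || cmd=""
    # ps/top bracket a name when cmdline is empty. Real kernel threads also have
    # no exe link, so an empty or bracketed cmdline WITH an exe is a disguise.
    case "$cmd" in ""|"["*) if [ -n "$exe" ]; then flags="$flags fake-kthread"; fi ;; esac
    # The kernel appends " (deleted)" when the binary was unlinked after launch.
    case "$exe" in *" (deleted)") flags="$flags exe-deleted" ;; esac
    # A binary under the web root points to entry through the web application.
    case "$exe" in "$WEB_ROOT"/*) flags="$flags under-webroot" ;; esac
    echo "$owner|$exe|${flags# }"
}

# Saves a user's crontab to a timestamped file and prints the file name.
backup_crontab() {
    local user="$1" out
    out="${2:-.}/crontab.$1.$(date +%Y%m%d%H%M%S).bak"
    crontab -u "$user" -l > "$out" 2>/dev/null || { rm -f "$out"; return 1; }
    echo "$out"
}

# Usage: ./triage.sh 3436 www   (PID from top, then the user that owns the process)
if [ "$#" -ge 2 ]; then
    triage_pid "$1"
    backup_crontab "$2" "$HOME" && echo "backup saved; review with: crontab -u $2 -e"
fi
```

With the backup in hand, the malicious entry can be removed from the crontab without losing the legitimate tasks.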