1. Background

Recently one of the company's virtual machines was attacked. Among the malware was a cryptominer that fakes the CPU count: with top you see only a single CPU and the load looks low, while the real load is above 300%. Even stopping the cron jobs had no effect.


2. Getting down to business: killing this troublesome malware (script below):

      # stop the cron daemon so the scheduled job cannot relaunch the miner while we clean up
      service crond stop
      # remove the preload hook library; /etc/ld.so.preload is set immutable,
      # so the flag has to be cleared before rm will succeed
      chattr -i /etc/ld.so.preload
      busybox rm -f /etc/ld.so.preload
      busybox rm -f /usr/local/lib/libcset.so
      # kill the miner processes. busybox is a static binary, so the preloaded
      # libcset.so cannot hook its ps/grep the way it hooks the system's dynamically
      # linked ps and top. busybox ps prints the PID in its first column, hence $1;
      # xargs -r skips the kill when no matching process is found.
      busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' | busybox xargs -r kill -9
      busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' | busybox xargs -r kill -9
      busybox ps -ef | busybox grep -v grep | busybox egrep 'kpsmouseds' | busybox awk '{print $1}' | busybox xargs -r kill -9
      busybox ps -ef | busybox grep -v grep | busybox egrep 'kintegrityds' | busybox awk '{print $1}' | busybox xargs -r kill -9
      busybox ps -ef | busybox grep -v grep | busybox egrep 'khugepageds' | busybox awk '{print $1}' | busybox xargs -r kill -9
      # remove the dropped binaries, cron entries and init scripts
      busybox rm -f /tmp/kthrotlds
      busybox rm -f /tmp/kintegrityds
      busybox rm -f /tmp/khugepageds
      busybox rm -f /tmp/kpsmouseds
      busybox rm -f /etc/cron.d/tomcat
      busybox rm -f /etc/cron.d/root
      busybox rm -f /var/spool/cron/root
      busybox rm -f /var/spool/cron/crontabs/root
      busybox rm -f /etc/rc.d/init.d/kthrotlds
      busybox rm -f /etc/rc.d/init.d/kpsmouseds
      busybox rm -f /etc/rc.d/init.d/kintegrityds
      busybox rm -f /usr/sbin/kthrotlds
      busybox rm -f /usr/sbin/kintegrityds
      busybox rm -f /usr/sbin/kpsmouseds
      busybox rm -f /etc/init.d/netdns
      busybox rm -f /tmp/ld.so.preload*
      # rebuild the dynamic linker cache now that the hook library is gone
      ldconfig
      # kill the miner processes again, in case any were respawned during the cleanup
      busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' | busybox xargs -r kill -9
      busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' | busybox xargs -r kill -9
      busybox ps -ef | busybox grep -v grep | busybox egrep 'kpsmouseds' | busybox awk '{print $1}' | busybox xargs -r kill -9
      busybox ps -ef | busybox grep -v grep | busybox egrep 'kintegrityds' | busybox awk '{print $1}' | busybox xargs -r kill -9
      busybox ps -ef | busybox grep -v grep | busybox egrep 'khugepageds' | busybox awk '{print $1}' | busybox xargs -r kill -9

      # remove the netdns service from the boot startup entries
      chkconfig netdns off
      chkconfig --del netdns

      service crond start
      echo "Done, please reboot!"
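Before running a cleanup like the one above, and again afterwards, it helps to have a read-only check that confirms the indicators are actually present or actually gone. The POSIX shell script below is an added example, not part of the original post: it looks for the same indicators the cleanup script removes (ld.so.preload and the libcset.so it names, the immutable flag that makes chattr -i necessary, the dropped kthrotlds/kpsmouseds/kintegrityds/khugepageds files, the cron and init entries) under a root prefix so it can be pointed at a mounted disk image or a test directory, and it compares /proc against ps to expose processes that a preloaded library hides from dynamically linked tools. The function names, the ROOT-prefix convention and the assumed file name are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original post: read-only checks for the
# indicators the cleanup script removes. Paths and process names are the
# ones listed in the post; the function names and the ROOT-prefix convention
# are assumptions of this example.

# Process / file names of the miner as given in the post.
MINER_NAMES="ksoftirqds kthrotlds kpsmouseds kintegrityds khugepageds netdns"

# Files the post deletes (ld.so.preload has its own check below).
SUSPECT_FILES="
/usr/local/lib/libcset.so
/tmp/kthrotlds
/tmp/kintegrityds
/tmp/khugepageds
/tmp/kpsmouseds
/etc/cron.d/tomcat
/etc/cron.d/root
/etc/rc.d/init.d/kthrotlds
/etc/rc.d/init.d/kpsmouseds
/etc/rc.d/init.d/kintegrityds
/usr/sbin/kthrotlds
/usr/sbin/kintegrityds
/usr/sbin/kpsmouseds
/etc/init.d/netdns
"

# Root crontab locations the post removes.
CRON_SPOOLS="/var/spool/cron/root /var/spool/cron/crontabs/root"

# scan_tree ROOT: print one "TAG detail" line per indicator found under ROOT
# (defaults to /). Prints nothing on a clean tree.
scan_tree() {
    root="${1:-/}"

    # 1. /etc/ld.so.preload: rarely legitimate on a server, and its content
    #    names the library that gets loaded into every dynamically linked program.
    if [ -e "$root/etc/ld.so.preload" ]; then
        echo "PRELOAD /etc/ld.so.preload -> $(tr '\n' ' ' < "$root/etc/ld.so.preload")"
        # The immutable flag is why the post needs chattr -i before rm;
        # lsattr shows it as an 'i' in the attribute field.
        if command -v lsattr >/dev/null 2>&1; then
            attrs=$(lsattr -d "$root/etc/ld.so.preload" 2>/dev/null | cut -d' ' -f1) || attrs=""
            case "$attrs" in *i*) echo "IMMUTABLE /etc/ld.so.preload" ;; esac
        fi
    fi

    # 2. Dropped binaries, init scripts and cron.d entries.
    for f in $SUSPECT_FILES; do
        if [ -e "$root$f" ]; then echo "FILE $f"; fi
    done

    # 3. Root crontabs that reference one of the miner names.
    for c in $CRON_SPOOLS; do
        if [ -f "$root$c" ]; then
            for n in $MINER_NAMES; do
                if grep -q "$n" "$root$c"; then echo "CRON $c references $n"; fi
            done
        fi
    done
}

# count_findings ROOT: number of indicator lines; 0 means nothing was found.
count_findings() {
    scan_tree "$1" | wc -l | tr -d ' '
}

# hidden_pids: PIDs that exist in /proc but that the system's ps does not
# report. A library loaded via ld.so.preload can filter what dynamically
# linked tools such as ps and top see, which is why the post drives every
# step through the statically linked busybox; reading /proc directly shows
# the same gap. Live-system check only.
hidden_pids() {
    for d in /proc/[0-9]*; do
        p=${d#/proc/}
        if ! ps -p "$p" >/dev/null 2>&1; then
            # re-check: the process may simply have exited between the two reads
            if [ -d "$d" ]; then echo "$p"; fi
        fi
    done
}

# Stand-alone usage (assumed file name): sh check_preload_miner.sh /  or  sh check_preload_miner.sh /mnt/image
if [ -n "$1" ]; then
    scan_tree "$1"
    if [ "$1" = "/" ]; then hidden_pids | sed 's/^/HIDDEN_PID /'; fi
fi
```

Run it against `/` on the live machine before the cleanup to record what is present, and again after the reboot to confirm that `count_findings /` reports 0 and `hidden_pids` prints nothing; the list of indicator names is deliberately kept in one place so it can be extended when a variant drops files under different names.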


Copyright notice: this is an original article by 521football, licensed under CC 4.0 BY-SA; when reposting, please include a link to the original and this notice.
Original link: https://www.cnblogs.com/521football/p/10635235.html