再次遇到耗cpu的病毒
参考之前的处理思路:
-bash这样的木马,你遇到过没?_sqlora的专栏-CSDN博客
此次的问题是 /etc/cron.d 目录下被写入了大量以 .png 为扩展名的文件。它们并不是图片，而是伪装成图片的 cron 任务文件：从后面 /var/log/cron 的记录可以看到，这些文件里的命令确实被 crond 按分钟执行了，crond 并不关心扩展名。另外这些文件的属主是 root、权限 640，说明写入它们的进程本身就是以 root 身份运行的——这一点决定了后面不能只清文件，还必须找到是哪个 root 进程替攻击者把文件写进去的。
?
top 发现大量 find 进程，每分钟启动 16 个。进程严格按"每分钟"成批出现，本身就是被 cron 拉起的强烈信号，排查方向应首先放在 /etc/cron.d、/etc/crontab 和 /var/spool/cron。
统计数量：ps -ef|grep find|wc -l（注意这条命令会把 grep 自身也算进去，更准确的写法是 ps -ef|grep '[f]ind'|wc -l 或 pgrep -c -x find）
[root@localhost ~]# mv /bin/find /bin/findbak
[root@localhost ~]# ps -ef|grep find|grep -v grep|awk '{print $2}'|xargs kill -9
[root@localhost ~]# ps -ef|grep find|grep -v grep
（说明：把 /bin/find 改名只是临时止血，不少系统脚本和运维工具都依赖 find，处理完毕后务必 mv 回去。另外在 kill -9 之前最好先把 ps -ef|grep find 的完整命令行，以及 /proc/<pid>/cwd、/proc/<pid>/exe 记录下来；进程一杀，攻击者到底在用 find 做什么就无从查证了。）
发现 [root@localhost ~]# cd /etc/cron.d [root@localhost cron.d]# ls -al total 124 drwxr-xr-x. ? 2 root root 4096 Nov 16 16:56 . drwxr-xr-x. 138 root root 8192 Jan 19 ?2021 .. -rw-r--r--. ? 1 root root ?128 Aug ?3 ?2017 0hourly -rw-r----- ? ?1 root root ? 55 Nov 14 02:51 -12684977-fbdd-411b-a18f-a5ade70cfc95.png -rw-r----- ? ?1 root root ?101 Nov 16 16:56 -216bc9d9-251d-4e61-aee3-653df00faac9.png -rw-r----- ? ?1 root root ? 40 Nov 14 02:10 -260f4d88-7502-445b-b744-ad2234f4b43b.png -rw-r----- ? ?1 root root ? 55 Nov 14 02:50 -2fac3752-c9b0-470c-bf48-f1df254ad87f.png -rw-r----- ? ?1 root root ? 55 Nov 14 02:51 -3c031f61-6902-4922-b691-86c8e3c052ad.png -rw-r----- ? ?1 root root ?102 Nov 16 00:06 -46db4aab-2747-407b-b1e7-b63b4d22e31c.png -rw-r----- ? ?1 root root ?139 Nov 15 22:14 -4a9bb7fa-c92a-48f3-aa5d-7a214166d8f6.png -rw-r----- ? ?1 root root ? 59 Nov 14 02:56 -4d7309ba-6b37-4cba-8250-30e1225bb1e6.png -rw-r----- ? ?1 root root ? 55 Nov 14 02:53 -51adb274-4a8f-497b-be4c-7cb0c274e0ae.png -rw-r----- ? ?1 root root ?104 Nov 16 16:29 -6614eceb-119f-4d42-95c3-ec8d22cab6ac.png -rw-r----- ? ?1 root root ? 92 Nov 15 21:52 -72b7b7ba-f028-4b38-b54e-825bc412825f.png -rw-r----- ? ?1 root root ?100 Nov 16 16:22 -73431465-623f-4ad8-9fce-ac73a2249dee.png -rw-r----- ? ?1 root root ? 43 Nov 16 00:03 -78d693fb-ec61-4f03-a73d-738715462ab4.png -rw-r----- ? ?1 root root ? 41 Nov 14 03:21 -79fc2dc4-ad58-4b0e-89e5-fcd888386f2a.png -rw-r----- ? ?1 root root ? 99 Nov 16 00:13 -82304d5a-09f4-464d-a2d4-19999b96cf91.png -rw-r----- ? ?1 root root ? 55 Nov 14 02:49 -9aefea9b-ee13-4c5f-8a5f-4ff85098130f.png -rw-r----- ? ?1 root root ? 38 Nov 14 02:05 -a2466e36-5d57-47d1-af86-f21423824dd7.png -rw-r----- ? ?1 root root ?100 Nov 16 16:22 -a855419b-9762-4b5b-b2de-62d34c283147.png -rw-r----- ? ?1 root root ?129 Nov 16 00:26 -add9d5b1-f6e1-4be3-99d2-00ab511a717e.png -rw-r----- ? ?1 root root ? 66 Nov 14 03:02 -bf7fc4b6-9089-49a0-a506-3e66cd4699c3.png -rw-r----- ? 
1 root root 137 Nov 15 22:07 -c1bb12c5-09eb-4256-9b85-18fc0ea86aef.png
-rw-r-----   1 root root  92 Nov 15 23:00 -dcbe14fe-a15a-4b29-8d6d-3b1ecfb1698c.png
-rw-r-----   1 root root 129 Nov 16 00:26 -e42a2588-5aad-414f-bc0d-7f4d8e71f58c.png
-rw-r-----   1 root root  55 Nov 14 02:53 -e63d9364-c7f2-4563-b3c1-cb6cbcc52e00.png
-rw-r--r--.  1 root root 108 Jun 13  2017 raid-check
-rw-------.  1 root root 235 Aug  3  2017 sysstat
（说明：删除之前应先把这些文件拷贝到一个非 cron 目录留作证据，例如 mkdir -p /root/ir && cp -a /etc/cron.d/*.png /root/ir/ 。它们都只有几十到一百多字节，cat 一下就能看到攻击者往里写的具体命令；这里直接 rm 掉了，之后能还原攻击者行为的就只剩 /var/log/cron。另外文件名以 - 开头，对它们单独做 cat/rm 时要加 ./ 前缀或 --，否则会被当成命令选项。）
[root@localhost cron.d]# rm -f ./*.png
[root@localhost cron.d]# ll
total 12
-rw-r--r--. 1 root root 128 Aug  3  2017 0hourly
-rw-r--r--. 1 root root 108 Jun 13  2017 raid-check
-rw-------. 1 root root 235 Aug  3  2017 sysstat
[root@localhost cron.d]# ps -ef|grep png
root      2363 28585  0 21:24 pts/4    00:00:00 grep --color=auto png
[root@localhost cron.d]# ls -al
total 24
drwxr-xr-x.   2 root root   54 Nov 22 21:24 .
drwxr-xr-x. 138 root root 8192 Jan 19  2021 ..
-rw-r--r--.   1 root root  128 Aug  3  2017 0hourly
-rw-r--r--.   1 root root  108 Jun 13  2017 raid-check
-rw-------.   1 root root  235 Aug  3  2017 sysstat
[root@localhost cron.d]# ls -al
total 24
drwxr-xr-x.   2 root root   54 Nov 22 21:24 .
drwxr-xr-x. 138 root root 8192 Jan 19  2021 ..
-rw-r--r--.   1 root root  128 Aug  3  2017 0hourly
-rw-r--r--.   1 root root  108 Jun 13  2017 raid-check
-rw-------.   1 root root  235 Aug  3  2017 sysstat
[root@localhost cron.d]# ps -ef|grep png
root      3069 28585  0 21:28 pts/4    00:00:00 grep --color=auto png
[root@localhost cron.d]# tail -f /var/log/cron
Nov 22 21:24:01 localhost CROND[2031]: (root) CMD (bash -c "pwd > /app/apache-tomcat-8.5.59-8090/webapps/leasedline/123/testb123.txt"^M)
Nov 22 21:24:01 localhost CROND[2032]: (root) CMD (cp /etc/passwd /app/apache-tomcat-8.5.59-8090/webapps/leasedline/123/commandresult.txt;^M)
Nov 22 21:24:01 localhost CROND[2042]: (root) CMD (echo pwd > /app/apache-tomcat-8.5.59-8090/webapps/leasedline/123/commandresult.txt;^M)
Nov 22 21:24:01 localhost CROND[2037]: (root) CMD (ipconfig > /app/apache-tomcat-8.5.59-8090/webapps/leasedline/123/result.txt^M)
Nov 22 21:24:01 localhost CROND[2016]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1)
Nov 22 21:25:01 localhost CROND[2474]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1)
Nov 22 21:26:01 localhost CROND[2667]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1)
Nov 22 21:27:01 localhost CROND[2817]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1)
Nov 22 21:28:01 localhost CROND[2969]: (root) CMD (/usr/sbin/ntpdate ntp-server >>/root/ntpdate.log 2>>/root/ntpdate.log)
Nov 22 21:28:01 localhost CROND[2970]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1)
（说明：21:24:01 这一批 CROND 记录就是攻击者 cron 文件的实际内容（这里只看到了其中几条），信息量很大：
1. 命令输出全部重定向到 /app/apache-tomcat-8.5.59-8090/webapps/leasedline/123/ 下——这是 Tomcat 可以直接通过 HTTP 访问的目录，说明攻击者是通过浏览器取回命令结果的，也说明 leasedline 这个应用（或 Tomcat 本身）很可能就是入口。应立刻检查该目录下攻击者创建的文件、Tomcat access log 中对 /leasedline/123/ 的请求来源，以及这个应用是否存在任意文件写入/上传漏洞；同时确认 Tomcat 是否以 root 运行——/etc/cron.d 下的文件属主是 root，如果 Tomcat 以 root 跑，web 层的一次文件写入就能直接落到 /etc/cron.d 并以 root 执行。
2. cp /etc/passwd 到 web 目录意味着 /etc/passwd 已经被读走，应把本机账号列表视为已泄露，并顺带核对 /etc/passwd、/etc/shadow 有没有被追加账号。
3. ipconfig 是 Windows 命令，加上每行结尾的 ^M（CRLF），表明对方用的是跨平台的自动化工具而不是手工操作；清完文件后同样手法的写入很可能还会重复出现，所以要持续监控 /etc/cron.d 的变化。）
Nov 22 21:29:01 localhost CROND[3139]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1) ^C [root@localhost cron.d]# ps -ef|grep cron root ? ? ?1368 ? ? 1 ?0 19:50 ? ? ? ? ?00:00:00 /usr/sbin/crond -n root ? ? ?3211 28585 ?0 21:29 pts/4 ? ?00:00:00 grep --color=auto cron [root@localhost cron.d]# kill -9 1368 [root@localhost cron.d]# ps -ef|grep cron root ? ? ?3235 28585 ?0 21:29 pts/4 ? ?00:00:00 grep --color=auto cron [root@localhost cron.d]# ps -ef|grep cron root ? ? ?3238 28585 ?0 21:29 pts/4 ? ?00:00:00 grep --color=auto cron [root@localhost cron.d]# ps -ef|grep cron root ? ? ?3273 28585 ?0 21:29 pts/4 ? ?00:00:00 grep --color=auto cron [root@localhost cron.d]# tail -f /var/log/cron Nov 22 21:24:01 localhost CROND[2032]: (root) CMD (cp /etc/passwd /app/apache-tomcat-8.5.59-8090/webapps/leasedline/123/commandresult.txt;^M) Nov 22 21:24:01 localhost CROND[2042]: (root) CMD (echo pwd > /app/apache-tomcat-8.5.59-8090/webapps/leasedline/123/commandresult.txt;^M) Nov 22 21:24:01 localhost CROND[2037]: (root) CMD (ipconfig > /app/apache-tomcat-8.5.59-8090/webapps/leasedline/123/result.txt^M) Nov 22 21:24:01 localhost CROND[2016]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1) Nov 22 21:25:01 localhost CROND[2474]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1) Nov 22 21:26:01 localhost CROND[2667]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1) Nov 22 21:27:01 localhost CROND[2817]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1) Nov 22 21:28:01 localhost CROND[2969]: (root) CMD (/usr/sbin/ntpdate ntp-server >>/root/ntpdate.log 2>>/root/ntpdate.log) Nov 22 21:28:01 localhost CROND[2970]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1) Nov 22 21:29:01 localhost CROND[3139]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1)
^C
[root@localhost cron.d]# systemctl restart crond
[root@localhost cron.d]# ps -ef|grep crond
root      3441     1  0 21:31 ?        00:00:00 /usr/sbin/crond -n
root      3456 28585  0 21:31 pts/4    00:00:00 grep --color=auto crond
[root@localhost cron.d]# ll /tmp/*.txt*
-rw-r--r-- 1 root root     0 Nov 22 21:24 /tmp/aaaaaa.txt?
-rw-r--r-- 1 root root     0 Nov 22 21:24 /tmp/testa.txt?
-rw-r--r-- 1 root root     0 Nov 22 21:24 /tmp/testbb.txt?
-rw-r--r-- 1 root root     0 Nov 22 21:24 /tmp/testcc.txt?
-rw-r--r-- 1 root root 32031 Nov 22 21:24 /tmp/testdd.txt?
（说明：文件名末尾的 ? 很可能就是一个 \r，和 cron 日志里的 ^M 对应，说明这批文件同样是攻击者的 cron 任务在 21:24 生成的。testdd.txt 有 32031 字节，在 rm 之前应先用 file/head/strings 看一眼内容——它多半是某条命令的输出，能说明攻击者在收集什么信息；这里没看就删掉了。）
[root@localhost cron.d]# rm -rf /tmp/*.txt*
[root@localhost cron.d]# ll /tmp/*.txt*
ls: cannot access /tmp/*.txt*: No such file or directory
[root@localhost cron.d]# ll /tmp/*.txt*
ls: cannot access /tmp/*.txt*: No such file or directory
[root@localhost cron.d]# tail -f /var/log/cron
Nov 22 21:24:01 localhost CROND[2016]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1)
Nov 22 21:25:01 localhost CROND[2474]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1)
Nov 22 21:26:01 localhost CROND[2667]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1)
Nov 22 21:27:01 localhost CROND[2817]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1)
Nov 22 21:28:01 localhost CROND[2969]: (root) CMD (/usr/sbin/ntpdate ntp-server >>/root/ntpdate.log 2>>/root/ntpdate.log)
Nov 22 21:28:01 localhost CROND[2970]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1)
Nov 22 21:29:01 localhost CROND[3139]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1)
Nov 22 21:31:17 localhost crond[3441]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 13% if used.)
Nov 22 21:31:17 localhost crond[3441]: (CRON) INFO (running with inotify support)
Nov 22 21:31:17 localhost crond[3441]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
（说明："running with inotify support" 意味着这台机器上的 crond 会自动感知 /etc/cron.d 的变化，前面 kill -9 再 restart crond 其实不是必需的；反过来也说明攻击者只要再写进一个文件，下一分钟就会被执行，不存在"重启后才生效"的缓冲。）
Nov 22 21:32:01 localhost CROND[3518]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1) Nov 22 21:33:01 localhost CROND[3674]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1) Nov 22 21:34:01 localhost CROND[3811]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1) Nov 22 21:35:01 localhost CROND[3975]: (root) CMD (sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1) date^C [root@localhost cron.d]# sar 1 1000 Linux 3.10.0-693.el7.x86_64 (localhost.localdomain) ? ? 11/22/2021 ? ? ?_x86_64_ ? ? ? ?(16 CPU)
09:36:49 PM     CPU     %user     %nice   %system   %iowait    %steal     %idle
09:36:50 PM     all      0.00      0.00      0.13      0.00      0.00     99.87
09:36:51 PM     all      0.06      0.00      0.00      0.00      0.00     99.94
09:36:52 PM     all      0.00      0.00      0.12      0.00      0.00     99.88
09:36:53 PM     all      0.06      0.00      0.00      0.00      0.00     99.94
09:36:54 PM     all      0.06      0.00      0.12      0.00      0.00     99.81
09:36:55 PM     all      0.00      0.00      0.00      0.00      0.00    100.00
[root@localhost cron.d]# cd /var/spool/cron
[root@localhost cron]# ll
total 4
-rw------- 1 root root 154 Nov 22 21:10 root
[root@localhost cron]# more root
28 * * * * /usr/sbin/ntpdate ntp-server >>/root/ntpdate.log 2>>/root/ntpdate.log
* * * * * sh /usr/local/sa/sa-agent/bin/runAgentCron.sh > /dev/null 2>&1
（说明：CPU 恢复正常只代表症状消失，这篇记录到此为止并没有堵住入口，后续至少还应做下面几件事：
- 把 /bin/findbak 改回 /bin/find；
- /var/spool/cron/root 的修改时间是 Nov 22 21:10，也就是处置当晚、动手清理之前不久，要确认里面剩下的两条（ntpdate 和 sa-agent）确实是自己部署的，并核对 /usr/local/sa/sa-agent/bin/runAgentCron.sh 的内容和哈希——它每分钟以 root 执行，是非常理想的持久化藏身处；
- 检查其它持久化位置：/etc/crontab、/etc/cron.hourly|daily|weekly|monthly、/etc/anacrontab、systemd 的 service/timer 单元、/etc/rc.local、root 和 tomcat 运行账号的 ~/.ssh/authorized_keys、/etc/ld.so.preload；
- 对 /app/apache-tomcat-8.5.59-8090/webapps/ 做全量检查，清掉 leasedline/123 之类攻击者创建的目录和可能的 webshell，修复应用的文件写入漏洞；让 Tomcat 改用低权限账号运行，并限制 8090 端口的访问来源；
- 轮换本机所有账号口令以及应用配置里可能存放的凭据（/etc/passwd 已被读走）。
只清 cron 文件、重启 crond 属于止血，不堵入口的话同样的文件过一会儿又会回来。）