Share the treatment method of the server being excavated once 02/27 Update SLTechnology News&Howtos

Share the treatment method of the server being excavated once

2025-02-27 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >

Shulou(Shulou.com)06/02 Report--

Problem phenomenon: the utilization rate of CPU has been 100% server stutter, and it is suspected that the reason is that the system password is weak, the installed program has loopholes and is exploited by lawbreakers, and other troubleshooting steps:

Use the top command to observe the PID   that occupies cpu programs.

Check the directory where the program is located through PID: ls / proc/XXX/

executes ll / proc/14202 to view the directory where the program is running

Go to this directory and check what files there are  

Change the permissions of all these files to 000,000 so that these programs cannot continue to execute: chmod 00000-R *  

The above can basically find out the directory where the malicious program is located, and then we can kill the program to  .

Just keep watching (this example looks at 30min, and the malicious program continues not to be executed)  

Add:

It is recommended to execute crontab-l to see if there are any suspicious scheduled tasks, and if so, delete them in time (crontab-r)

Through the above troubleshooting steps, we can see that the cron program runs in the / root/.bashtemp/a directory, but there are many such programs in the / root/.bashtemp/ directory, so we should also execute: chmod 000-R * clear the permissions of all malicious programs

Generally speaking, malicious programs can be killed through the above steps, but it is not ruled out that lawbreakers have other backdoor programs. In order to avoid similar situations, it is recommended to save important data and reinstall the operating system.

In the future, please strengthen the security of the server to avoid being invaded again, such as changing the default remote port, configuring firewall rules, setting a more complex password, and so on.

Author: Dong Shuanglei

Didi Yun's full line of standard CVM is a time-limited discount. Registration gives novice gift packages 50% discount in January, 60% discount in March, 60% discount in June, and recruitment of Didi Cloud messengers. A maximum rebate of 50% is recommended.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.