How to solve the server process that cannot be killed?

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article covers "how to deal with a server process that cannot be killed." Many people run into this kind of difficulty when working on real cases. Next, let the editor walk you through how to handle these situations. I hope you read carefully and learn something!

1. Finding the problem

Today the server was found to have been attacked by a Trojan, with a suspected mining program implanted. CPU usage soared to 99%, leaving other programs abnormally stuck.

Clever me thought of the top command to make the program show its true form, and found that a process named dvjj was using up all the resources.

2. Solving the problem

Next, I looked at where the command was started from and found nothing useful.

So I changed approach and viewed the details of this process by PID: ll /proc/19718

When Linux starts a process, the system creates a folder named after the PID under /proc. This folder holds information about the process, including a file named exe that records the absolute path of the executable, which can be viewed with the ll or ls -l command.

Well, let's look at what this dvjj contains: cat /etc/dvjj. A screenful of Martian text came out, which scared me into pressing Ctrl+C a few times to quit.

Since I can't understand it, I won't read it. Delete it: rm -rf /etc/dvjj. The shell then told me I had mail, "You have new mail in /var/spool/mail/root", so I checked the mail: cat /var/spool/mail/root. It was a flood of log output; it seems something had been downloading all along.

Never mind, kill it first: kill -9 19718, then check the resources again: top. How come you're up again? Rather depressing. An unkillable cockroach.

Because this program runs automatically, scheduled tasks come to mind immediately, so view all scheduled tasks (system level and user level). System-level tasks are as follows:

View scheduled tasks at the user level: cd /var/spool/cron/. There is only one file, root, whose user and group are both root.

crontab -l shows what seems to be a bunch of auto-download tasks related to redis, executed every few minutes.

In this case, delete all the scheduled tasks of the current user: crontab -r. It told me I cannot execute that. I am a chicken user, how can you do this to me...

The crontab -e editing command had no effect either. Finally, I decided to remove the file with rm -rf root.

How come this file can be neither edited nor deleted? So weird!! At this point, two commands can be used:

chattr: modifies file system attributes; it can protect files against mistakes by the root user
lsattr: views file system attributes
man chattr shows the details of command usage

a means the file can only be appended to; e means the file uses extents for mapping its blocks on disk.

Remove the file attributes: chattr -ae root. It still could not be deleted, so I edited the file instead and successfully deleted the contents inside, with a happy heart.

Look at the root file: cat root. Nothing. In addition, you need to modify the attributes of these scheduled-task files with chattr +i on each file to prevent tampering.
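
The two checks made on the cron files above, looking for download jobs and looking for attributes that block deletion, can be scripted. This is an added example, not part of the original article; the function names and the fetch / fetch+exec labels are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the article): two checks on cron persistence.

# Print "file:line:kind:entry" for active cron entries that call curl or wget.
# kind is "fetch+exec" when the download is piped into a shell, else "fetch".
cron_downloaders() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
        /(^|[^A-Za-z0-9_])(curl|wget)([^A-Za-z0-9_]|$)/ {
            kind = "fetch"
            if ($0 ~ /\|[ \t]*(ba|da)?sh([ \t]|$)/) kind = "fetch+exec"
            printf "%s:%d:%s:%s\n", FILENAME, FNR, kind, $0
        }' "$@"
}

# Read lsattr output on stdin; print "flags path" for files carrying
# i (immutable) or a (append-only), the attributes that make rm and
# crontab -r fail even for root.
locked_files() {
    awk 'NF >= 2 && $1 ~ /[ia]/ { f = $1; gsub(/[^ia]/, "", f); print f, $2 }'
}

# Run both checks over the usual cron locations.
audit_cron() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/*; do
        [ -f "$f" ] || continue
        cron_downloaders "$f"
        lsattr "$f" 2>/dev/null | locked_files
    done
}

# Usage (as root): sh cron_audit.sh audit
if [ "${1:-}" = "audit" ]; then audit_cron; fi
```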

Deal with the executable file /etc/dvjj. Since content keeps being added to this file, delete it first, then create a new empty file in its place and prevent it from being modified: chattr +i /etc/dvjj

Looking at the process tree with pstree, you can see that dvjj has 5 background processes, which is why it could not be killed.

View all tasks under this process: ll /proc/11080/task, six in total.

View the ports and files opened by a process: lsof -p PID
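
The /proc/PID directory described earlier and the task and open-file checks above can be gathered into one report. This is an added example, not part of the original article; the function names and the PROC_ROOT variable are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the article): summarise one process from /proc/<PID>.
# PROC_ROOT is an assumption of this sketch; it defaults to the live /proc and
# can point at a copied or constructed tree instead.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Target of the exe link: the absolute path of the running binary. The kernel
# appends " (deleted)" when the file was unlinked after the process started.
proc_exe() {
    readlink "$PROC_ROOT/$1/exe"
}

# Exit status 0 when the binary no longer exists on disk.
proc_exe_deleted() {
    case "$(proc_exe "$1")" in
        *" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# Parent PID from the "PPid:" line of the status file.
proc_ppid() {
    awk '$1 == "PPid:" { print $2 }' "$PROC_ROOT/$1/status"
}

# One sub-directory per thread lives under task/.
proc_thread_count() {
    ls "$PROC_ROOT/$1/task" | wc -l | tr -d ' '
}

# Unique file-backed mappings with execute permission: the binary itself plus
# every shared object loaded into it (these also appear in lsof -p output).
proc_exec_maps() {
    awk '$2 ~ /x/ && $6 ~ /^\// { print $6 }' "$PROC_ROOT/$1/maps" | sort -u
}

proc_report() {
    echo "exe:     $(proc_exe "$1")"
    if proc_exe_deleted "$1"; then echo "note:    binary deleted while running"; fi
    echo "ppid:    $(proc_ppid "$1")"
    echo "threads: $(proc_thread_count "$1")"
    proc_exec_maps "$1" | sed 's/^/mapped:  /'
}

# Usage: sh proc_report.sh 19718   (run as root to read another user's process)
if [ -n "${1:-}" ]; then proc_report "$1"; fi
```

On an RPM-based system, rpm -qf PATH names the package that owns a mapped file and rpm -V PACKAGE reports whether it still matches the packaged version. ld-2.17.so, for instance, is the file name under which glibc 2.17 installs its dynamic loader.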

Check one of the files: cat /usr/lib64/ld-2.17.so, and find the same garbled output. After some searching, it turns out the strings command can convert it, for example:

strings /usr/lib64/ld-2.17.so > virvus.txt

Then I looked through it again, back and forth, but couldn't find anything useful.

In this case, I will modify the Trojan file permissions: chmod 600 /usr/lib64/ld-2.17.so, so that it cannot be executed, and lock the file: chattr +i /usr/lib64/ld-2.17.so

The IP and port of this connection can be seen in the figure above: 47.102.39.92:13531, so block this IP and port.

echo sshd:47.102.39.92 >> /etc/hosts.deny
# drop packets arriving from port 13531 of the remote host
iptables -I INPUT -s 47.102.39.92 -p tcp --sport 13531 -j DROP
# drop packets this server sends to port 13531 of the remote host
iptables -I OUTPUT -d 47.102.39.92 -p tcp --dport 13531 -j DROP

Next, kill the dvjj process again and check the processes repeatedly; this time the process finally stays killed. You think that's it? It's not... Run netstat -apntl: the server is still trying to shake hands with the other side, but because the IP is banned, the connection cannot be made!!!!

3. Finally, check the startup files

Check the most basic startup configuration files to see whether there are suspicious programs in them, and remember to delete any you find.

ls /etc/rc*/init.d
ls /etc/rc*/

Check the self-starting services configured through chkconfig: chkconfig --list

Shut it down, reboot it. Done.
