Summary:
Host 172.17.0.2 was found to carry the malicious file /home/elasticsearch/.configrc/a/kswapd0.
> top
top showed two processes, one after the other, consuming most of the CPU:
kswapd0
tsm
> cat /tmp/up.txt
elasticsearch 123456
up.txt pairs the elasticsearch account with the trivial password 123456; that weak credential is the likely entry point and is reset in the final steps.
> find / -name "dota3.tar.gz"
List every user's cron jobs (this covers per-user crontabs only; also check /etc/crontab and /etc/cron.d):
> cut -d: -f1 /etc/passwd | xargs -I {} crontab -l -u {}
The cron entries show how the malware is started and restarted (note the @reboot entries and the hidden directories under /home/elasticsearch and /tmp):
1 1 */2 * * /home/elasticsearch/.configrc/a/upd>/dev/null 2>&1
@reboot /home/elasticsearch/.configrc/a/upd>/dev/null 2>&1
5 8 * * 0 /home/elasticsearch/.configrc/b/sync>/dev/null 2>&1
@reboot /home/elasticsearch/.configrc/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X25-unix/.rsync/c/aptitude>/dev/null 2>&1
These entries live in the elasticsearch user's crontab, so switch to that user to edit it (or, as root, drop the whole crontab with crontab -r -u elasticsearch; if any entry turns up in root's crontab, remove it there as well), then restart crond as root:
> su elasticsearch
> crontab -e
> su root
> /sbin/service crond restart
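The cron audit above, as an added example that is not part of the original notes: flag_cron_entries reads crontab text and prints the entries that launch something from a world-writable or hidden directory (the pattern in the five entries above), and audit_all_crontabs is the live enumeration, which also covers /etc/crontab and /etc/cron.d that the passwd one-liner misses. The sample crontab text is constructed here (the five entries from the notes plus one benign entry).

```shell
#!/bin/sh
# Added example, not from the original notes: audit crontabs for entries that run
# something from /tmp-like or hidden directories, the pattern seen on 172.17.0.2.
set -eu

# flag_cron_entries: crontab text on stdin -> lines worth reviewing on stdout.
# Flags commands under /tmp, /var/tmp, /dev/shm, or inside a dot-directory
# (/home/x/.configrc/, /tmp/.X25-unix/.rsync/). Expect some false positives
# (~/.local/bin is legitimate on many hosts); the output is a review list.
flag_cron_entries() {
    grep -Ev '^[[:space:]]*(#|$)' |
    grep -E '(^|[[:space:]]|[=:"])(/tmp|/var/tmp|/dev/shm)/|/\.[A-Za-z0-9_-]+/' || true
}

# audit_all_crontabs: the live enumeration (run as root). Walks every /etc/passwd
# user like the one-liner in the notes, plus the system-wide files it misses.
audit_all_crontabs() {
    while IFS=: read -r user rest; do
        crontab -l -u "$user" 2>/dev/null | sed "s|^|crontab[$user]: |"
    done < /etc/passwd
    for f in /etc/crontab /etc/cron.d/*; do
        if [ -f "$f" ]; then sed "s|^|$f: |" "$f"; fi
    done
}

# Constructed sample: the five entries from the notes plus one benign entry.
SAMPLE='# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
1 1 */2 * * /home/elasticsearch/.configrc/a/upd>/dev/null 2>&1
@reboot /home/elasticsearch/.configrc/a/upd>/dev/null 2>&1
5 8 * * 0 /home/elasticsearch/.configrc/b/sync>/dev/null 2>&1
@reboot /home/elasticsearch/.configrc/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X25-unix/.rsync/c/aptitude>/dev/null 2>&1'

# count_flagged: number of suspicious lines in the constructed sample.
count_flagged() {
    printf '%s\n' "$SAMPLE" | flag_cron_entries | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | flag_cron_entries
# On the live host, as root: audit_all_crontabs | flag_cron_entries
```

The hidden-directory pattern is deliberately broad: on a host where users keep scripts in ~/.local/bin it produces extra lines, but reviewing a few benign entries is cheaper than missing a dropper that hides under a dot-directory as this one did.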
Neutralize the dropped files so they can neither run nor be rewritten (kill the miner's processes first, see the ps output below; an immutable file does not stop a process that is already running from it):
> chmod 000 /tmp/.X25-unix/*
> chattr +i /tmp/.X25-unix/*
> chmod 000 /home/elasticsearch/.configrc/*
> chattr +i /home/elasticsearch/.configrc/*
Two caveats: the glob * skips hidden names such as /tmp/.X25-unix/.rsync, so chattr -R +i on the directory itself is more reliable; and the immutable bit has to be cleared again (chattr -R -i) before the rm -rf steps below, otherwise rm fails with "Operation not permitted".
> userdel -r elasticsearch
userdel: user elasticsearch is currently used by process 4347
userdel fails while the account still owns processes; since Elasticsearch itself runs as this account, it is kept and cleaned instead of deleted (see the restore steps below).
Stop Elasticsearch, then check what is still running as the account:
> ps aux | grep elastic
elastic+ 4900 0.0 0.0 107904 612 ? S 18:08 0:00 sleep 25s
root 4917 0.0 0.0 112676 984 pts/0 R+ 18:08 0:00 grep --color=auto elastic
elastic+ 20570 0.0 0.2 136452 3984 ? S 16:32 0:00 rsync
elastic+ 21146 0.0 0.0 113228 1640 ? S 16:36 0:00 /bin/bash ./go
Of these, 20570 (rsync) and 21146 (/bin/bash ./go) are the miner's, not Elasticsearch's, and must be killed (kill -9 20570 21146) before the files are removed; the sleep 25s child is presumably spawned by the same scripts.
> rm -rf /home/elasticsearch/ //elasticsearch is the dedicated account that runs ES; same below. Clear the immutable bit first (chattr -R -i /home/elasticsearch/.configrc), otherwise rm is denied
> rm -rf /root/.ssh //check authorized_keys first: this also removes legitimate keys; removing only the intruder's entry, or moving the directory aside, is safer
> rm -rf /home/elasticsearch/.ssh/ //already gone once the whole home directory was removed above
> rm -rf /tmp/ //may report rm: cannot remove '/tmp/': Device or resource busy, because /tmp is a mount point; its contents are removed anyway. The targeted version is rm -rf /tmp/.X25-unix /tmp/up.txt (after chattr -R -i /tmp/.X25-unix)
Restore the account's default dotfiles and fix ownership (the home directory was deleted above, so create it first; cp into a missing directory fails):
> mkdir -m 750 /home/elasticsearch
> cp -a /etc/skel/.bash_logout /home/elasticsearch/
> cp -a /etc/skel/.bash_profile /home/elasticsearch/
> cp -a /etc/skel/.bashrc /home/elasticsearch/
> chown -R elasticsearch:elasticsearch /home/elasticsearch
Change the elasticsearch user's password (the old one is the 123456 shown in /tmp/up.txt):
> passwd elasticsearch
Block Elasticsearch port 9200 and Kibana port 5601 at the firewall and expose them only through an nginx reverse proxy on a hostname.
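The containment, removal and restore steps above, as an added example that is not part of the original notes, in the order that actually works: processes first, then the immutable bit off, then the files, then the home rebuilt from /etc/skel. The ROOT argument is an assumption introduced here so the function can be rehearsed against a scratch tree without root; on the live host it is run as root with ROOT=/ and the two miner PIDs. build_scratch_tree creates a constructed replica of the infected layout with marker files, not real malware.

```shell
#!/bin/sh
# Added example, not from the original notes: the cleanup steps as one function,
# rehearsable against a scratch tree (ROOT=<tmpdir>) or run for real (ROOT=/).
set -eu

# clear_immutable PATH: undo the chattr +i set during containment; rm -rf is denied
# on +i files. chattr needs root and an ext*/xfs filesystem, so failures are ignored.
clear_immutable() {
    [ -e "$1" ] || return 0
    if command -v chattr >/dev/null 2>&1; then
        chattr -R -i "$1" 2>/dev/null || true
    fi
}

# cleanup_host ROOT USER [PID...]: kill the listed miner processes, remove the dropped
# files, quarantine the SSH key directories, rebuild USER's home from ROOT/etc/skel.
# Prints the quarantine directory.
cleanup_host() {
    root=$1; user=$2; shift 2
    home="$root/home/$user"
    skel="$root/etc/skel"
    q="$root/root/ir-quarantine-$(date +%s)"

    # 1. processes first: chmod 000 / chattr +i on a file does not stop a process
    #    already running from it (20570 rsync and 21146 ./go in the ps output)
    for pid in ${1+"$@"}; do kill -9 "$pid" 2>/dev/null || true; done

    # 2. droppers and the credential file; clear +i before rm or rm is denied
    for p in "$root/tmp/.X25-unix" "$home/.configrc" "$root/tmp/up.txt"; do
        clear_immutable "$p"
        rm -rf -- "$p"
    done

    # 3. .ssh for root and the account: moved aside rather than deleted, so legitimate
    #    keys can be recovered and the intruder's authorized_keys entry is kept as evidence
    mkdir -p -m 700 "$q"
    for d in "$root/root/.ssh" "$home/.ssh"; do
        if [ -d "$d" ]; then
            mv -- "$d" "$q/$(basename "$(dirname "$d")")-ssh"
        fi
    done

    # 4. rebuild the home: mkdir first, since cp -a into a missing directory fails
    clear_immutable "$home"
    rm -rf -- "$home"
    mkdir -p -m 750 "$home"
    for f in .bash_logout .bash_profile .bashrc; do
        if [ -f "$skel/$f" ]; then cp -a "$skel/$f" "$home/"; fi
    done
    chown -R "$user:$(id -gn "$user")" "$home"
    echo "$q"
}

# build_scratch_tree USER: constructed replica of the infected layout under a temp
# directory so the function can be rehearsed without root. Marker files, not malware.
build_scratch_tree() {
    r=$(mktemp -d)
    mkdir -p "$r/home/$1/.configrc/a" "$r/home/$1/.ssh" \
             "$r/tmp/.X25-unix/.rsync/c" "$r/root/.ssh" "$r/etc/skel"
    printf 'marker\n' > "$r/home/$1/.configrc/a/kswapd0"
    printf 'marker\n' > "$r/tmp/.X25-unix/.rsync/c/aptitude"
    printf 'elasticsearch 123456\n' > "$r/tmp/up.txt"
    printf 'ssh-rsa AAAA... intruder\n' > "$r/root/.ssh/authorized_keys"
    printf '# default bashrc\n' > "$r/etc/skel/.bashrc"
    echo "$r"
}

# Stand-alone rehearsal against the scratch tree. On the live host, as root:
#   cleanup_host / elasticsearch 20570 21146 && passwd elasticsearch
me=$(id -un)
scratch=$(build_scratch_tree "$me")
quarantine=$(cleanup_host "$scratch" "$me")
ls -la "$scratch/home/$me" "$quarantine"
```

Removing the crontab entries (crontab -r -u elasticsearch) and the password reset are left as separate root commands on purpose: both act on the real account database and have no meaningful scratch-tree equivalent.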