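A couple of days ago I was working on a server and found it extremely slow. I assumed the disk or memory was full, but after checking everything, neither was the problem, so the only thing left to look at was the CPU. One look at htop showed it was all at 100%.
At first I simply assumed something was wrong with the server, then I noticed that the processes at the top were very strange: they were just plain -bash. Only then did it occur to me: had it been used for mining?
I looked at the full command and saw xmr-stak, then searched online, and sure enough it was Monero. I didn't know where the program directory was, and after I killed it, it came back up a little later, so I checked the crontab and found the program directory along the way.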
crontab -r
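That removes the scheduled job. Next, a look at the program directory.
Then I saw a configuration file with what looks like a wallet address. Are there any crypto experts here who can see how many coins are in this wallet by now?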
/*
* pool_address - Pool address should be in the form "pool.supportxmr.com:3333". Only stratum pools are supported.
* wallet_address - Your wallet, or pool login.
* rig_id - Rig identifier for pool-side statistics (needs pool support).
* pool_password - Can be empty in most cases or "x".
* use_nicehash - Limit the nonce to 3 bytes as required by nicehash.
* use_tls - This option will make us connect using Transport Layer Security.
* tls_fingerprint - Server's SHA256 fingerprint. If this string is non-empty then we will check the server's cert against it.
* pool_weight - Pool weight is a number telling the miner how important the pool is. Miner will mine mostly at the pool
* with the highest weight, unless the pool fails. Weight must be an integer larger than 0.
*
* We feature pools up to 1MH/s. For a more complete list see M5M400's pool list at www.moneropools.com
*/
"pool_list" :
[
{"pool_address" : "107.191.99.227:80", "wallet_address" : "41pfDaqsDe11MH28Y2PggiRRtQNUvFL22eYdjacm5ZrGWBoVxAP52me2Bd7Z77BBfGWtcyT4uwiPpVBGp7Huq125JBXihUj", "pool_password" : "x", "use_nicehash" : false, "rig_id" : "", "use_tls" : false, "tls_fingerprint" : "", "pool_weight" : 1 },
],
/*
* Currency to mine. Supported values:
*
* aeon7 (use this for Aeon's new PoW)
* cryptonight (try this if your coin is not listed)
* cryptonight_lite
* edollar
* electroneum
* graft
* intense
* karbo
* monero7 (use this for Monero's new PoW)
* sumokoin
*
*/
"currency" : "monero7",
Finally, why did the server get a mining program planted on it? Because [the server password was too simple]...
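
An added example, not part of the original post: a Python check for the symptom described above, a process that shows up as -bash while its executable is something else, done by comparing argv[0] with the /proc/<pid>/exe link. It assumes the miner only changed its displayed name; the sample PIDs and paths are constructed.

```python
import os

# Names a process may legitimately show when it really is a shell.
SHELL_NAMES = {"bash", "sh", "dash", "zsh", "ksh"}

def is_masquerading(argv0, exe_path):
    """True when argv[0] claims to be a shell but the binary on disk is not one."""
    claimed = os.path.basename(argv0.lstrip("-"))  # login shells show as "-bash"
    # The kernel appends " (deleted)" when the binary was unlinked after start.
    actual = os.path.basename(exe_path.replace(" (deleted)", ""))
    return claimed in SHELL_NAMES and actual not in SHELL_NAMES

def find_masquerading(procs):
    """procs: iterable of (pid, argv0, exe_path). Returns the suspicious entries."""
    return [p for p in procs if is_masquerading(p[1], p[2])]

def read_proc(proc_root="/proc"):
    """Collect (pid, argv0, exe_path) for live processes on Linux."""
    out = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "cmdline"), "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(os.path.join(proc_root, name, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or insufficient permission
        if argv0:
            out.append((int(name), argv0, exe))
    return out

# Constructed sample data (not taken from the affected server).
SAMPLE = [
    (1201, "-bash", "/bin/bash"),                       # real login shell
    (4312, "-bash", "/tmp/.cache/xmr-stak"),            # name does not match binary
    (4313, "-bash", "/tmp/.cache/xmr-stak (deleted)"),  # binary removed after start
    (900, "/usr/sbin/sshd", "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    procs = read_proc() if os.path.isdir("/proc/self") else SAMPLE
    for pid, argv0, exe in find_masquerading(procs):
        print(f"pid {pid}: shows as {argv0!r} but runs {exe}")
```

Run it as root so every /proc/<pid>/exe link is readable. Systems where sh is provided by a multi-call binary such as busybox will be flagged and need an allow-list entry.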