Linux Server Attacked and Used for Mining

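The server's CPU usage was at 100%, and a look showed it was being consumed by a process named bash. Several virtual machines that shared the same password were all hit.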

I looked into it: they were being used for mining. Ugh.

[root@localhost ~]# cat /tmp/.bash/bash
#!/bin/bash
cd -- /tmp/.bash
mkdir -- .bash
cp -f -- x86_64 .bash/bash
./.bash/bash  -c
rm -rf .bash

I found that it was this script being executed over and over.

From [email protected]  Sun Nov 15 21:32:02 2020
Return-Path: <[email protected]>
X-Original-To: root
Delivered-To: [email protected]
Received: by localhost.localdomain (Postfix, from userid 0)
        id 86AB4404DBE9; Sun, 15 Nov 2020 21:32:02 +0800 (CST)
From: "(Cron Daemon)" <[email protected]>
To: [email protected]
Subject: Cron <root@localhost> /tmp/.bash/bash
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
Precedence: bulk
X-Cron-Env: <XDG_SESSION_ID=1498>
X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
X-Cron-Env: <LANG=zh_CN.UTF-8>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <[email protected]>
Date: Sun, 15 Nov 2020 21:32:02 +0800 (CST)

||  ERROR  || already running...

After deleting the /tmp/.bash directory, I found that the emails were still being sent.

ls /tmp/.bash/
bash    i686    x86_64 
rm -rf /tmp/.bash

Check the scheduled tasks:

[root@localhost ~]# crontab -l
* * * * * /tmp/.bash/bash

[root@localhost ~]# crontab -e
* * * * * /tmp/.bash/bash         ## delete

Get rid of it first.

Delete the following files:

rm -rf /tmp/.xm/stak/ld-linux-x86-64.so.2
rm -rf /sbin/upd
rm -rf /sbin/initct1
rm -rf /sbin/mke3fs
rm -rf /sbin/s1n
rm -rf /sbin/ld-linux-x86-64.so.2
rm -rf /sbin/libpthread.so.1

  

Change the passwords; it is best to change the SSH port as well.
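
An added example, not part of the original post: a shell check for the kind of cron persistence seen above, where removing /tmp/.bash did not stop the job because the crontab entry remained. The function names, the sample crontab and the spool paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flags cron entries whose
# command runs from a temp directory or from a hidden path component.

# Reads crontab-format text on stdin; prints "reason<TAB>entry" per hit.
# Runs in a subshell so "set -f" (no globbing of '*') stays local.
suspicious_cron_lines() (
    set -f
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                      # split to find the first field
        case "${1-}" in
            ''|'#'*) continue ;;          # blank line or comment
        esac
        reason=
        case "$line" in                   # /tmp, /var/tmp, /dev/shm
            */tmp/*|*/dev/shm/*) reason=temp-dir ;;
        esac
        case "$line" in                   # dot-prefixed path component
            */.[!./]*) reason=${reason:+$reason,}hidden-path ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s\t%s\n' "$reason" "$line"
        fi
    done
)

# Runs the check over the usual cron locations (assumed defaults for
# RHEL/CentOS and Debian); needs root to read other users' crontabs.
scan_host_cron() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* \
             /var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        suspicious_cron_lines < "$f" | while IFS= read -r hit; do
            printf '%s\t%s\n' "$f" "$hit"
        done
    done
}

# Constructed sample; the first entry is the one shown in the post.
sample_crontab() {
    cat <<'EOF'
MAILTO=root
* * * * * /tmp/.bash/bash
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot /var/tmp/job.sh
15 4 * * * /home/app/.cache/run.sh
EOF
}
sample_crontab | suspicious_cron_lines
```

On a live host, run scan_host_cron as root; each hit is prefixed with the file it came from so the entry can be reviewed and removed with crontab -e.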