Preface
This is how it started. Yesterday my lead told me that the server's memory was full and other programs were being affected, and asked me to stop the six Java programs I had started on the server for testing. I logged in to the server and ran docker compose down to shut them off. Out of habit I opened htop before logging off, and while looking at the resources panel I happened to notice a process called [kdcflush] acosd eating up the server's CPU.
It was the first time I had seen this process. I assumed it was something the company ran, and curiosity made me search online to find out what this middleware (or whatever program it was) did and why it used so much CPU; I thought it might be related to an AI model, and if it was interesting I could play with it later. After searching for a while I found nothing, which felt wrong, so I checked with my lead whether the process was run by us. The conclusion was that the server had most likely been hijacked for mining.
Once the problem was recognized, my lead handed it to me. I had dealt with a few mining scripts on my own server before, but my own server was never something I worried about breaking: my usual fix was to copy the data out to cloud storage, reinstall the system, put the data back and bring the service up again. That is not an option on a company server, but fortunately the general idea still applies, so I am recording the process of solving it here.
Main text
I have come across mining scripts many times, but this was the first time I actually faced one directly. With my familiarity with Linux servers I was not able to deal with it head-on, so I simply ran kill -9 29273 to kill the process, then went off to preview course material and catch up on my studies. About an hour and a half later I came back to fix it properly, and, not surprisingly, it was running again behind my back.
First, every running process has a PID, which is the first column in the screenshot above. Since everything in Linux is a file, the process's executable is exposed as the file /proc/pid/exe. Checking that file for this process showed that it points to /usr/sbin/nacosd.
At that moment it clicked: some time ago I had used this test server to set up a Nacos registry, left the default nacos username and password unchanged, kept the default port, did not enable authentication, and left it openly exposed on the public network. That is where the problem came from.
Killing the script is easy; the hard part is killing it completely so it cannot sneak back. The first thing to check is whether the server has any suspicious scheduled tasks (cron jobs).
A quick online search on titanagent suggested it was normal, and the scheduled tasks were all accounted for. Next I checked whether any suspicious service had been registered on the system. From an article by a more experienced author I learned that services in Linux are stored as files under the /etc/systemd/system directory, so I looked there for anything suspicious.
Hmm, suspicious. Let's see what this service is about.
Yes, that's it: this service exists to run the mining script, and if I'm right it must also be set to start at boot.
With the chain of dependencies clear, the cleanup is straightforward: first run systemctl disable system-nacosd to stop the service from starting at boot, then systemctl stop system-nacosd to stop it, then use rm to delete the service's unit file (I forgot to take a screenshot of this part), and finally delete the script file /usr/sbin/nacosd. Done.
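To make the checks above repeatable, here is an added POSIX shell example (my code, not from the original post): it resolves a PID to its binary the way /proc/pid/exe does, scans a systemd unit directory and a cron directory for anything that references that binary, shows the Restart= and WantedBy= settings that explain why the process returns after a kill -9 and after a reboot, and prints the removal sequence without executing it. The function names, the extra daemon-reload step and the sample tree it builds under mktemp are my own assumptions and constructions; on a live host the same functions would point at /etc/systemd/system, /etc/cron.d and the PID shown in htop.

```shell
#!/bin/sh
# Added triage helpers, not code from the original post. They reproduce the
# post's checks on a constructed sample tree so they can run anywhere.

# Binary behind a PID, read from /proc/<pid>/exe; empty if the process is gone.
exe_of_pid() {
    readlink "/proc/$1/exe" 2>/dev/null || true
}

# Print each *.service file under <unit_dir> whose ExecStart= names <bin>.
units_referencing() {
    unit_dir=$1
    bin=$2
    for f in "$unit_dir"/*.service; do
        [ -f "$f" ] || continue
        grep -q -- "^ExecStart=.*$bin" "$f" && echo "$f"
    done
    return 0
}

# Show the two settings that make such a unit come back: Restart= restarts it
# after a kill -9, WantedBy= lets "systemctl enable" start it at boot.
persistence_of_unit() {
    grep -E '^(Restart|WantedBy)=' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Print each file under <cron_dir> (e.g. /etc/cron.d) that mentions <bin>.
cron_entries_referencing() {
    cron_dir=$1
    bin=$2
    for f in "$cron_dir"/*; do
        [ -f "$f" ] || continue
        grep -q -- "$bin" "$f" && echo "$f"
    done
    return 0
}

# Print the removal sequence from the post (plus a daemon-reload, my addition)
# without executing anything; review it, then run it by hand on the real host.
removal_plan() {
    unit=$1
    unit_file=$2
    bin=$3
    printf 'systemctl disable %s\n' "$unit"
    printf 'systemctl stop %s\n' "$unit"
    printf 'rm -f %s\n' "$unit_file"
    printf 'systemctl daemon-reload\n'
    printf 'rm -f %s\n' "$bin"
}

# Constructed sample tree mimicking the post's findings: a persistent unit,
# a benign unit, and one cron file to show what a cron hit would look like.
build_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/systemd/system" "$root/etc/cron.d"
    cat > "$root/etc/systemd/system/system-nacosd.service" <<'EOF'
[Unit]
Description=nacos
[Service]
ExecStart=/usr/sbin/nacosd
Restart=always
[Install]
WantedBy=multi-user.target
EOF
    cat > "$root/etc/systemd/system/sshd.service" <<'EOF'
[Service]
ExecStart=/usr/sbin/sshd -D
EOF
    printf '* * * * * root /usr/sbin/nacosd\n' > "$root/etc/cron.d/update"
    echo "$root"
}

# Demo against the sample tree; on a live host use /etc/systemd/system,
# /etc/cron.d and the PID from htop instead.
sample=$(build_sample)
for u in $(units_referencing "$sample/etc/systemd/system" /usr/sbin/nacosd); do
    echo "unit: $u  [$(persistence_of_unit "$u")]"
done
cron_entries_referencing "$sample/etc/cron.d" /usr/sbin/nacosd
removal_plan system-nacosd /etc/systemd/system/system-nacosd.service /usr/sbin/nacosd
rm -rf "$sample"
```

The order in removal_plan matters: disabling first removes the boot-time symlink, stopping second keeps Restart=always from respawning the process while the files are still present, and only then are the unit file and the binary deleted.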
The first time, after stopping the script I came back about an hour and a half later and it had restarted on its own. Now it is noon the next day and the server is still quiet, so the fix seems to have worked.
That's all I have to say. My skills are limited, so if there is anything I have overlooked, please feel free to point it out.