
Notes on how a Nacos instance left open on the public internet got a server mined, and how the [kdcflush] acosd miner was removed

Views: 972 | 2024-07-26 13:32:52

Preamble

This is how it started. Yesterday my manager told me that the server's memory was full and was affecting the other programs running on it, and asked me to stop the six Java programs I had started earlier for testing. I logged on to the server and ran `docker compose down` to shut those services down. Out of habit, before logging off I opened `htop` to look at the resource panel, and noticed a process called `[kdcflush] acosd` that was eating up the server's CPU.

[screenshot]

It was the first time I had seen this service, and I assumed it was something the company was running. Out of curiosity I went looking online to find out what this middleware (or whatever program it was) did and why it consumed so much; I thought it might be related to an AI model, and if it was interesting I might play with it myself later. After searching for a while I found nothing matching, which felt wrong, so I checked with my manager whether the process was something we ran. The conclusion was that the server was most likely being mined.

Once the problem was recognised, my manager handed it to me. I have dealt with a few mining scripts on my own servers, but a personal server can be treated roughly: my approach there was to copy the data off to the cloud provider, reinstall the system, then put the data back and bring the services up again. That is not an option on a company server. Fortunately the general idea still applies, so I am recording the process of solving the problem here.

Main body

I had come across mining scripts many times, but this was the first time I had to deal with one face to face, and with my level of familiarity with Linux servers I couldn't tackle it straight away. So I killed the process quickly and brutally with `kill -9 29273`, then went off to look things up and catch up on my reading. About an hour and a half later I came back ready to fix it, and, unsurprisingly, it was running again behind my back.

[screenshot]

First, every running process has a PID, which is the first column in the screenshot above. Since everything in Linux is a file, the process is exposed under `/proc/<pid>/`, and `/proc/<pid>/exe` is a symbolic link to the executable the process is actually running (if that binary has been deleted since launch, the link target is suffixed with `(deleted)`). Let's look at that link for this process.

[screenshot]

The link for this process pointed at the `/usr/sbin/nacosd` file, and it instantly clicked: some time ago I set up a Nacos registry on a test server, left the username and password at the default `nacos`/`nacos`, kept the default port, and did not set up authentication, so it sat openly on the public internet. That was the source of the problem.

Killing this script is easy, but we have to find a way to kill it for good so it does not sneak back. First, check whether the server has any suspicious scheduled tasks:

[screenshot]

A quick online search suggested `titanagent` was normal, and the scheduled tasks looked clean. Next, check whether a suspicious service has been registered with the system. From an article by a more experienced engineer I learned that on Linux, systemd services are stored as unit files in the `/etc/systemd/system` directory, so let's look there for anything suspicious.

[screenshot]

Hmm, that one looks suspicious. Let's see what this service actually does.

[screenshot]

Sure enough: this service exists to run the mining script, and if I'm right it must also be set to start at boot.

[screenshot]

With the dependency chain clear, the cleanup is: first `systemctl disable system-nacosd` to stop the service starting at boot, then `systemctl stop system-nacosd` to stop it, then `rm` to delete the service's unit file (I forgot to take a screenshot of this part), and finally delete the `/usr/sbin/nacosd` script itself. Done.
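The investigation and cleanup steps above, gathered into one script as an added example (this is not the author's code and not a Nacos tool): it resolves what a PID is really executing through `/proc/<pid>/exe`, greps crontab files and systemd unit files for references to a given binary, and performs the disable/stop/remove sequence. The binary path `/usr/sbin/nacosd` and the unit name `system-nacosd` come from the post; the function names, the `DRY_RUN` switch and the evidence directory are assumptions made here. It defaults to dry-run, so it only prints what it would do until `DRY_RUN=0` is set.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): triage and cleanup helpers for a
# miner that persists through a systemd unit and/or cron.
# Assumed: the function names and the DRY_RUN / evidence-directory conventions
# are invented here; /usr/sbin/nacosd and system-nacosd come from the post.
set -u

# What is PID $1 really executing? /proc/<pid>/exe is a symlink to the running
# binary. If the file was deleted after launch (a common miner trick) the link
# target ends in " (deleted)", but the code keeps running from memory.
exe_of_pid() {
    readlink "/proc/$1/exe" 2>/dev/null
    return 0
}

# Print "file:line" for every cron entry in the given files that references
# the binary. On a real host pass /etc/crontab /etc/cron.d/* /var/spool/cron/*.
cron_entries_for() {
    local binary="$1" f
    shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -HF -- "$binary" "$f" 2>/dev/null
    done
    return 0
}

# Print the names of unit files in directory $1 whose ExecStart= runs binary $2.
# On a real host $1 is /etc/systemd/system (also check /usr/lib/systemd/system).
units_running_binary() {
    local dir="$1" binary="$2" f
    for f in "$dir"/*.service; do
        [ -f "$f" ] || continue
        if grep -qE "^ExecStart=.*${binary}" "$f"; then
            basename "$f"
        fi
    done
    return 0
}

# Run a command, or only print it when DRY_RUN=1 (the default, deliberately).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# Remove the persistence in the order the post used, plus two steps it did not
# mention: keep a copy of the binary as evidence before deleting it, and tell
# systemd to re-read its unit files once the unit file is gone.
remediate() {
    local unit="$1" binary="$2" unit_dir="${3:-/etc/systemd/system}" evidence="${4:-/root/evidence}"
    run systemctl disable "$unit"        # must not come back at boot
    run systemctl stop "$unit"           # stops the running miner (no kill -9 needed)
    run mkdir -p "$evidence"
    run cp -p "$binary" "$evidence/"     # preserve before destroying
    run rm -f "$unit_dir/$unit"
    run systemctl daemon-reload
    run rm -f "$binary"
}

# Usage: ./triage.sh --scan <pid> [binary]     (dry run unless DRY_RUN=0)
if [ "${1:-}" = "--scan" ]; then
    pid="$2"
    binary="${3:-$(exe_of_pid "$pid")}"
    binary="${binary% (deleted)}"        # strip the marker so grep matches the path
    echo "PID $pid executes: $(exe_of_pid "$pid")"
    echo "cron entries referencing $binary:"
    cron_entries_for "$binary" /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/*
    echo "systemd units referencing $binary:"
    for u in $(units_running_binary /etc/systemd/system "$binary"); do
        echo "  $u"
        remediate "$u" "$binary"
    done
fi
```

Run it as `./triage.sh --scan 29273` first to see the plan, then with `DRY_RUN=0` to execute it. Two places this script does not look, but a practitioner would check next on a box that was reachable with default credentials: `~/.ssh/authorized_keys` for every user (an added key survives any amount of process cleanup) and `/etc/ld.so.preload`, both common miner persistence spots.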

[screenshot]

The first time, I stopped the script and came back about an hour and a half later to find it running again on its own. Now it is noon the next day and the server is still quiet, so it should have worked.

That's all I have. My knowledge and skills are limited, so if there is anything I haven't considered, please feel free to point it out.