信息量略大
今天早上阿里云给我发了条信息
Then I checked the cpu status on top
果然,这个服务器明明啥都没运行,结果都东西占了 15的cpu !
再看 ps -aux
发现了这个玩意,在 wget 下载这个玩意。
按照这个域名我去瞅了一下
懵逼,这是病毒还是咋的!!吓得我都动不了了
查了下 下载的 wk 文件,看看写了啥
原来被攻击是这个意思。( 毕竟第一次被攻击,略微兴奋。。)
最后求一个linux 大神帮忙把这个东西去掉......
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
It should be that your SSH has been cracked
Then I checked this wk and it is NsCpuCNMiner
Someone has used your server to mine Bitcoin to make money
It is not a DDCC attack, it is that the SSH port has been cracked
SSH side passwd command to change the password , end the process, delete these files, restart the machine
Then install sshguard to prevent explosions, or use a local key to connect to SSH
Flies don’t bite seamless eggs! Is there any module/plug-in vulnerability installed on your server that allows the system to be invaded?
Our server was also hacked last year and turned into a mining machine. All kinds of deleting processes and deleting abnormal files did not work, but it happened again after a while. In the end, it was found that it was caused by a redis vulnerability. Once it was fixed, it would be fine.
So, you have to find the "root cause" to completely solve the problem.
Strange G-spot - -
Waiting for the interpretation by the experts.