We received the following alert: it reported attack activity on port 6379 of our server.


Run the following command to clear the immutable/append-only attributes so the file can be deleted:
chattr -ia /root/.ssh/authorized_keys
If you find that the wget command no longer works, reinstall it with yum (yum remove wget, then yum install wget).
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
748 root 30 10 2980440 3408 2504 S 396.6 0.0 127:59.43 /usr/share/[crypto] --config=/usr/share/[crypto].pid
1831 root 20 0 116968 3116 1348 R 35.2 0.0 1:07.94 /bin/bash /usr/share/[scan]
435 root 20 0 277104 100768 100440 S 8.0 0.6 2:39.96 /usr/lib/systemd/systemd-journald
9 root 20 0 0 0 0 S 4.5 0.0 0:43.06 [rcu_sched]
24 root 20 0 0 0 0 S 2.3 0.0 0:07.73 [ksoftirqd/3]
3325 root 20 0 116848 3056 1388 S 2.3 0.0 0:03.38 /bin/bash /usr/share/[dkscan]
44 root 20 0 0 0 0 S 1.1 0.0 0:07.25 [ksoftirqd/7]
25794 root 20 0 5839012 677440 9996 S 1.1 4.2 0:44.63 java -Djava.security.egd=file:/dev/./urandom -jar /app.jar
29119 root 20 0 13028 1584 792 R 1.1 0.0 0:00.01 jq -r .ip
1 root 20 0 43680 4028 2592 S 0.0 0.0 0:01.46 /usr/lib/systemd/systemd --switched-root --system --deserialize 22
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [kthreadd]
4 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [kworker/0:0H]
6 root 20 0 0 0 0 S 0.0 0.0 0:07.47 [ksoftirqd/0]
7 root rt 0 0 0 0 S 0.0 0.0 0:01.55 [migration/0]
8 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [rcu_bh]
10 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [lru-add-drain]
13 root rt 0 0 0 0 S 0.0 0.0 0:01.75 [migration/1]
14 root 20 0 0 0 0 S 0.0 0.0 0:07.87 [ksoftirqd/1]
16 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [kworker/1:0H]
18 root rt 0 0 0 0 S 0.0 0.0 0:01.84 [migration/2]
19 root 20 0 0 0 0 S 0.0 0.0 0:07.53 [ksoftirqd/2]
20 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [kworker/2:0]
21 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [kworker/2:0H]
23 root rt 0 0 0 0 S 0.0 0.0 0:02.14 [migration/3]
26 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [kworker/3:0H]
28 root rt 0 0 0 0 S 0.0 0.0 0:01.60 [migration/4]
29 root 20 0 0 0 0 S 0.0 0.0 0:07.55 [ksoftirqd/4]
30 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [kworker/4:0]
31 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [kworker/4:0H]
33 root rt 0 0 0 0 S 0.0 0.0 0:01.71 [migration/5]
34 root 20 0 0 0 0 S 0.0 0.0 0:07.23 [ksoftirqd/5]
35 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [kworker/5:0]
36 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [kworker/5:0H]
38 root rt 0 0 0 0 S 0.0 0.0 0:01.90 [migration/6]
39 root 20 0 0 0 0 S 0.0 0.0 0:08.00 [ksoftirqd/6]
40 root 20 0 0 0 0 S 0.0 0.0 0:00.09 [kworker/6:0]
41 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [kworker/6:0H]
43 root rt 0 0 0 0 S 0.0 0.0 0:02.00 [migration/7]
45 root 20 0 0 0 0 S 0.0 0.0 0:00.08 [kworker/7:0]
46 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [kworker/7:0H]
48 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [kdevtmpfs]
49 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [netns]
50 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [khungtaskd]
51 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [writeback]
52 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [kintegrityd]
53 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [bioset]
54 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [bioset]
55 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [bioset]
56 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [kblockd]
57 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [md]
58 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [edac-poller]
59 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [watchdogd]
61 root 20 0 0 0 0 S 0.0 0.0 0:00.11 [kworker/2:1]
67 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [kswapd0]
68 root 25 5 0 0 0 S 0.0 0.0 0:00.00 [ksmd]
[root@VM-0-10-centos share]# kill -9 748
[root@VM-0-10-centos share]# kill -9 1831
[root@VM-0-10-centos share]# mv \[dkscan\] old/
[root@VM-0-10-centos share]#

1. Through Redis with no password set, the attacker injected directly into the system and gained server privileges.
2. Added passwordless (key-based) authentication and locked the file so it cannot be deleted directly.
3. Checking the load with the usual commands shows everything as normal, because the attacker replaced the commonly used commands (top, lsof, netstat, wget, etc.).
4. Ran their own trojan programs.
5. Deleted all recent history records.
6. Added scheduled tasks (cron jobs).
7. Unless the source program is cleaned up, the process cannot be killed: it restarts automatically.

1. Malware programs
pnscan -t 256 -R 6f 73 3a 4c 69 6e 75 70 -W +
/usr/share/scan
/usr/share/crypto
2. Reportedly scans the entire internet in 3 minutes
masscan 70.0.0.0/8 -p2376 --rate=50000
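The triage checks that the steps above rely on (spotting the processes disguised as kernel threads in the top listing, and confirming whether authorized_keys carries the i/a attributes that chattr -ia clears), as an added example written for this post rather than taken from it. The top and lsattr sample lines are constructed from the listing above, and the rpm -Vf check assumes an RPM-based host like the CentOS one shown:

```shell
#!/bin/sh
# Added triage helpers (not from the original post). They operate on text so
# they can be exercised offline; the sample data below is constructed from
# the top listing above.

# Real kernel threads appear in top as [name] with VIRT 0 and no path. A user
# binary named "[crypto]" or "[scan]" keeps a non-zero VIRT and a path in
# COMMAND, which is what gives the disguise away. Reads `top -b -n 1` output.
find_fake_kernel_threads() {
    awk '$1 == "PID" { seen = 1; next }
         !seen { next }
         {
             cmd = $12; for (i = 13; i <= NF; i++) cmd = cmd " " $i
             virt = $5; sub(/[kmgt]$/, "", virt)   # top may print 2.8g etc.
             if (cmd ~ /\[/ && (virt + 0 > 0 || cmd ~ /\//)) print $1, cmd
         }'
}

# Reads `lsattr FILE` output; succeeds when the immutable (i) or append-only
# (a) attribute is set, i.e. when `chattr -ia` is needed before deletion.
has_lock_attrs() {
    awk '$1 ~ /[ia]/ { found = 1 } END { exit (found ? 0 : 1) }'
}

# Point 3 above: on an RPM-based host, ask the package database whether the
# common tools still match what was installed ("5" = digest changed). Treat
# the result as a hint only, since rpm itself could have been replaced.
verify_tools() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found, skipping"; return 0; }
    for t in top lsof netstat wget ps; do
        p=$(command -v "$t" 2>/dev/null) || continue
        rpm -Vf "$p" || echo "CHECK: $p differs from its package"
    done
}
# Constructed sample input, modelled on the listing above.
SAMPLE_TOP='top - 10:00:00 up 1 day,  1 user,  load average: 4.01, 3.98, 3.90
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
  748 root      30  10 2980440   3408   2504 S 396.6  0.0 127:59.43 /usr/share/[crypto] --config=/usr/share/[crypto].pid
 1831 root      20   0  116968   3116   1348 R  35.2  0.0   1:07.94 /bin/bash /usr/share/[scan]
    9 root      20   0       0      0      0 S   4.5  0.0   0:43.06 [rcu_sched]
 3325 root      20   0  116848   3056   1388 S   2.3  0.0   0:03.38 /bin/bash /usr/share/[dkscan]
25794 root      20   0 5839012 677440   9996 S   1.1  4.2   0:44.63 java -jar /app.jar'
SAMPLE_LSATTR='----i--------e-- /root/.ssh/authorized_keys'
# On the real host: top -b -n 1 | find_fake_kernel_threads
#                   lsattr /root/.ssh/authorized_keys | has_lock_attrs
printf '%s\n' "$SAMPLE_TOP" | find_fake_kernel_threads
if printf '%s\n' "$SAMPLE_LSATTR" | has_lock_attrs; then
    echo "authorized_keys is locked: run chattr -ia before editing or removing it"
fi
verify_tools
```

Processes that pass this check can still be malicious; it only catches the specific "bracketed name with a real path" disguise seen in this incident.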