Emergency security incident on an Alibaba Cloud server: a mining process
阿新 • Published: 2018-11-06
Cause:
While using docker, a mining image was pulled onto the server; it started together with the docker service and ran automatically, so the server was used for mining. The coin being mined appears to be XMR (Monero).
Fix:
Kill the process and delete the image.
Analysis:
- Check the processes
ps -e -o 'pid,comm,args,pcpu,rsz,vsz,stime,user,uid'
Look for an unfamiliar process with high CPU usage. Mine looked like this; I suspected one of the containers had a problem.
[[email protected] ~]# ps -e -o 'pid,comm,args,pcpu,rsz,vsz,stime,user,uid'
PID COMMAND COMMAND %CPU RSZ VSZ STIME USER UID
9857 docker-entrypoi ./docker-entrypoint -o xmr. 179 5844 78620 10:34 100 100
- Check the running containers
List all running containers. Mine looked like this; this image is not one of mine.
[[email protected] ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2c4bdfa7b385 jritter/first "./docker-entrypoint " 4 months ago Up 6 minutes kickass_perlman
- Stop the running container
[[email protected] ~]# docker stop 2c4bdfa7b385
2c4bdfa7b385
- Remove the stopped container
[[email protected] ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2c4bdfa7b385 jritter/first "./docker-entrypoint " 4 months ago Exited (1) 35 minutes ago kickass_perlman
[[email protected] ~]# docker rm 2c4bdfa7b385
2c4bdfa7b385
- Remove the image
[[email protected]
Untagged: docker.io/jritter/first:latest
Untagged: docker.io/jritter/[email protected]:2ca90fcd06227403c96277868d2d7c8b1c3aa42077dc43e5560381d9a8582b94
Deleted: sha256:c6901df04aaf516faaf466f72d07390b86b16006a93538b69af836844dacd731
Deleted: sha256:f50efcfba233a29635373686ac587e633f052d9597e01de7932b560dbfff2769
Deleted: sha256:cd7100a72410606589a54b932cabd804a17f9ae5b42a1882bd56d263e02b6215
- Restart docker
CPU usage returned to normal; problem solved.
[[email protected] ~]# systemctl restart docker
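The steps above (find the hot process, work out which container it belongs to, stop and remove the container, remove its image) as one triage script. This is an added example, not code from the original post. It assumes a POSIX sh with ps(1), awk and sed, a docker CLI for the live path, and the cgroup path layouts `/docker/<id>` (cgroup v1) and `docker-<id>.scope` (cgroup v2); the CPU threshold, the function names and the sample container id are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): helper functions for triaging a
# suspected mining container. Functions that parse text are kept separate from
# the ones that call docker, so the parsing can be exercised offline.

CPU_THRESHOLD="${CPU_THRESHOLD:-80}"   # percent; an assumption, tune per host

# Constructed 64-hex container id used only for the offline demonstration.
SAMPLE_CID="2c4bdfa7b3850123456789abcdef0123456789abcdef0123456789abcdef0123"

# hot_pids: read "pid pcpu args" lines (the format of ps -e -o pid=,pcpu=,args=)
# on stdin and print the ones whose %CPU is at or above CPU_THRESHOLD.
hot_pids() {
    awk -v t="$CPU_THRESHOLD" '$2+0 >= t { print }'
}

# container_of: read the contents of /proc/<pid>/cgroup on stdin and print the
# docker container id the process runs in, or nothing for a host process.
container_of() {
    sed -n 's#.*/docker[-/]\([0-9a-f]\{64\}\).*#\1#p' | head -n 1
}

# triage: list hot processes with the container (or "host") each belongs to.
# Output columns: pid, %cpu, container id or host, command line.
triage() {
    ps -e -o pid=,pcpu=,args= | hot_pids | while read -r pid pcpu args; do
        cid=$(cat "/proc/$pid/cgroup" 2>/dev/null | container_of)
        printf '%s\t%s%%\t%s\t%s\n' "$pid" "$pcpu" "${cid:-host}" "$args"
    done
}

# contain: stop the container, remove it, then remove its image. The image is
# read from the container before it is deleted; the restart policy is shown
# because a container that keeps coming back after a stop usually has one.
contain() {
    cid="$1"
    info=$(docker inspect --format '{{.Config.Image}} {{.HostConfig.RestartPolicy.Name}}' "$cid") || return 1
    image=${info%% *}
    policy=${info#* }
    printf 'container %s image=%s restart=%s\n' "$cid" "$image" "$policy"
    docker stop "$cid" && docker rm "$cid" && docker rmi "$image"
}

# Usage: sh triage.sh triage          -> list hot processes and their containers
#        sh triage.sh contain <id>    -> stop/remove that container and its image
case "${1:-}" in
    triage)  triage ;;
    contain) contain "$2" ;;
esac
```

Run `triage` first and confirm the container id it reports matches the unfamiliar entry in `docker ps`; only then pass that id to `contain`, since it deletes the image as well as the container. Restart docker afterwards as the post does.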