suse清除kthrotlds木马病毒

一、服务器感染了kthrotlds挖矿病毒

[root@51yt bin]# cd /bin/
[root@51yt bin]# wget https://busybox.net/downloads/binaries/1.30.0-i686/busybox
[root@51yt bin]# chmod 755 busybox

然后使用命令 busybox top 可以查看到 到底是谁在吃服务器资源

[root@51yt bin]# busybox top

二、首先停掉定时服务，不然木马会很快下载复制

service cron stop

查看

service cron status

显示还是运行状态，此时可以采用另外一种办法：先设置cron服务禁止自启动，再重启服务器

chkconfig cron off
reboot

重启后，再连接服务器执行

JHSms:/ # service cron status
Checking for Cron:                                                                                                                unused

显示未运行状态

三、删除相关文件和进程

busybox rm -f /etc/ld.so.preload
busybox rm -f /usr/local/lib/libcset.so
chattr -i /etc/ld.so.preload
busybox rm -f /etc/ld.so.preload
busybox rm -f /usr/local/lib/libcset.so
 
# 清理异常进程
busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kpsmouseds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kintegrityds' | busybox awk '{print $1}' | busybox xargs kill -9
 
busybox rm -f /tmp/kthrotlds
busybox rm -f /tmp/kintegrityds
busybox rm -f /tmp/kpsmouseds
busybox rm -f /etc/cron.d/tomcat
chattr -i /etc/cron.d/root
busybox rm -f /etc/cron.d/root
chattr -i /var/spool/cron/root
busybox rm -f /var/spool/cron/root
chattr -i /var/spool/cron/crontabs/root
busybox rm -f /var/spool/cron/crontabs/root
chattr -i /var/spool/cron/tabs/root
busybox rm -f /var/spool/cron/tabs/root
busybox rm -f /etc/rc.d/init.d/kthrotlds
busybox rm -f /etc/rc.d/init.d/kpsmouseds
busybox rm -f /etc/rc.d/init.d/kintegrityds
busybox rm -f /usr/sbin/kthrotlds
busybox rm -f /usr/sbin/kintegrityds
busybox rm -f /usr/sbin/kpsmouseds
busybox rm -f /etc/init.d/netdns
ldconfig
 
# 再次清理异常进程
busybox ps -ef | busybox grep -v grep | busybox egrep 'ksoftirqds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kthrotlds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kpsmouseds' | busybox awk '{print $1}' | busybox xargs kill -9
busybox ps -ef | busybox grep -v grep | busybox egrep 'kintegrityds' | busybox awk '{print $1}' | busybox xargs kill -9
 
# 清理开机启动项
chkconfig netdns off
chkconfig –del netdns

 四、恢复定时服务

service cron start
chkconfig cron on