Today I suddenly found that the server's CPU was running at 100%.
Guessing that some abnormal process was hogging the CPU, I logged in to the server and set about killing it.
1. Confirm which process is occupying the CPU
Command: top (press P to sort the process list by CPU usage)
It turned out that a process named ld-linux-x86-64 was the abnormal one. Googling it showed that it was a mining Trojan.
Reference article https://cloud.tencent.com/developer/article/1798970
2. Confirm the file path of the Trojan
Command: ll /proc/649, where 649 is the process id of the Trojan (ll is the usual alias for ls -l). Two symlinks in that directory matter: exe points at the binary actually being executed and cwd at its working directory, which is where the Trojan's files turn up. Note that ld-linux-x86-64 is also the name of the legitimate glibc dynamic loader (/lib64/ld-linux-x86-64.so.2), so go by the resolved path, not by the process name.
3. Look at the Trojan's files in detail (this step can be skipped)
The directory contains scripts, including a cron.d entry, that start the Trojan automatically, so killing the process on its own is not enough.
The run script contacts a remote IP to update the Trojan.
4. Kill the process and delete the Trojan's files
kill -9 649
rm -rf /mnt/.cache/*
Kill first and delete second, so the running process cannot rewrite its files. Also remove the cron entry found in step 3; otherwise cron will simply start the Trojan again.
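The four steps above, written as an added shell example that is not part of the original post. The PID (649) and the directory (/mnt/.cache) are the values from this post, the cron locations scanned are the standard Linux ones, and the function names are my own; the ps field names assume a Linux procps. The script prints the cron entries that reference the Trojan path rather than editing them, so they can be reviewed and removed by hand, and it refuses to delete anything while the process is still alive.

```shell
#!/bin/sh
# Added example, not from the original post: the triage steps as reusable
# shell functions. PID 649 and /mnt/.cache are taken from the post; the cron
# paths below are assumptions based on a standard Linux layout.

# Step 1: the single busiest process as "PID %CPU COMMAND" (header suppressed).
top_cpu_process() {
    ps -eo pid=,%cpu=,comm= | sort -k2 -nr | head -n 1
}

# Step 2: what /proc/PID really points at. exe is the binary being executed,
# cwd its working directory, cmdline the arguments (NUL-separated on disk).
proc_exe_path() { readlink "/proc/$1/exe" 2>/dev/null; }
proc_cwd_path() { readlink "/proc/$1/cwd" 2>/dev/null; }
proc_cmdline()  { tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null; }

# Step 3: find the persistence. Prints every "file:line:text" under the given
# cron files/directories that mentions the Trojan path; returns 1 when none.
find_cron_refs() {
    pattern=$1
    shift
    grep -rnF -- "$pattern" "$@" 2>/dev/null
}

# Step 4a: SIGKILL the process and wait until it is really gone (up to 5 s).
# Returns 1 if it is still alive, so the caller can refuse to delete files.
kill_process() {
    kill -9 "$1" 2>/dev/null || true
    wait "$1" 2>/dev/null || true      # reaps it if it is our own child
    for i in 1 2 3 4 5; do
        kill -0 "$1" 2>/dev/null || return 0
        sleep 1
    done
    return 1
}

# Step 4b: the whole procedure in the post's order: locate, list persistence,
# kill, and only then delete. Cron entries are printed, not edited.
triage() {
    pid=$1
    trojan_dir=$2
    echo "exe:     $(proc_exe_path "$pid")"
    echo "cwd:     $(proc_cwd_path "$pid")"
    echo "cmdline: $(proc_cmdline "$pid")"
    echo "cron entries referencing $trojan_dir:"
    find_cron_refs "$trojan_dir" /etc/crontab /etc/cron.d /etc/cron.hourly \
        /etc/cron.daily /var/spool/cron || echo "  (none found)"
    kill_process "$pid" || { echo "pid $pid still alive, not deleting"; return 1; }
    # ${var:?} aborts instead of expanding to "/*" if trojan_dir is empty.
    rm -rf -- "${trojan_dir:?}"/*
    echo "deleted contents of $trojan_dir"
}

# Usage (destructive; nothing runs when the file is merely sourced):
#   sh triage.sh --run 649 /mnt/.cache
if [ "${1:-}" = "--run" ] && [ "$#" -eq 3 ]; then
    triage "$2" "$3"
fi
```

The order matters: deleting /mnt/.cache while the process is still running leaves a live miner whose exe link now ends in " (deleted)", and any cron entry that survives will restore it on the next tick.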
5. Summary
The server had a weak password. My guess is that the attacker cracked the weak password, got into the server and planted the Trojan. All servers from now on should avoid weak passwords.