linux
Vadim Timoshenko, 2018-07-17 11:49:01

On a hosting VDS, the xmrig and gcc virus miners load the CPU to 100%. How do I remove them from the VDS?

I am using a VDS. The top command showed 2 processes loading the server at 100% - xmrig and gcc.
I killed both (after I killed xmrig, gcc began to eat 130%).
Now everything runs normally.
In the root folder I found config_1.json with the following config:

{
    "algo": "cryptonight",
    "api": {
        "port": 0,
        "access-token": null,
        "worker-id": null,
        "ipv6": false,
        "restricted": true
    },
    "av": 0,
    "background": true,
    "colors": true,
    "cpu-priority": null,
    "donate-level": 0,
    "log-file": null,
    "max-cpu-usage": 100,
    "pools": [
        {
            "url": "pool1.xaxaxa.eu:28000",
            "user": "lol",
            "pass": "lol",
            "keepalive": true,
            "nicehash": false,
            "variant": -1
        }
    ],
    "print-time": 60,
    "retries": 5,
    "retry-pause": 5,
    "safe": false,
    "syslog": false,
    "threads": null
}

I will delete it. Besides changing passwords, what else should I do? After all, the processes will be launched again after a server restart. Where else should I look? And how do you remove viruses on a remote server? Download something to your own machine?


5 answer(s)
Alexander Aksentiev, 2018-07-17
@PbI6A_KuT

Well, why did you kill them without first looking where they are?
Now search for xmrig on the server and kill it. Still, since it was uploaded, you need to look for a hole in some site, or change the server password to a proper one. Just deleting it will achieve nothing; they will upload it back in exactly the same way.
shta?

OnYourLips, 2018-07-17
@OnYourLips

The system has been compromised.
Format and reinstall everything.

GavriKos, 2018-07-17
@GavriKos

And how do you remove viruses on a remote server?

Just like locally.

CityCat4, 2018-07-17
@CityCat4

In the control panel there is a button "Reinstall the system" :) Press it. Wait. Restore the backup. If there is no backup, meditate on the phrases "all admins are divided ..." and "Kroil's way leads to popadalov".

Yuri, 2018-11-10
@riky

Found this at a friend's as well.
I'll add more:
@reboot /root/gcc -c /root/config_1.json is added to root's cron,
so /root/gcc is that miner.
There are no other files edited in the same period. They probably work with ready-made software that only uploads the miner, and uploads it to a prominent place.
Maybe you have vestacp too? In the summer there was some kind of hole discovered.
https://forum.vestacp.com/viewtopic.php?t=17183
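A small set of triage helpers for the persistence described in this thread: a root crontab @reboot entry that launches /root/gcc with config_1.json, an xmrig-style JSON config, and two renamed processes pegged at 100% CPU. This is an added example, not code from any of the posters; the function names are my own, and the crontab text, ps listing and pool address below are constructed samples (the live commands to feed each function are noted in comments).

```shell
#!/bin/sh
# Added triage helpers for the persistence described in this thread:
# an @reboot entry in root's crontab launching a miner binary with a JSON
# config. Not code from any of the posters; function names are my own and
# the sample data below is constructed.

# Print the command part of every @reboot entry in a crontab text.
# Live use: list_reboot_jobs "$(crontab -l -u root 2>/dev/null)"
list_reboot_jobs() {
    printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*@reboot[[:space:]]' \
        | sed -E 's/^[[:space:]]*@reboot[[:space:]]+//'
}

# Return 0 if the text looks like an xmrig-style miner config: it carries
# an "algo" key, a "pools" array and at least one pool "url" of host:port.
looks_like_miner_config() {
    printf '%s' "$1" | grep -q '"algo"' || return 1
    printf '%s' "$1" | grep -q '"pools"' || return 1
    printf '%s' "$1" | grep -qE '"url"[[:space:]]*:[[:space:]]*"[^"]+:[0-9]+"' || return 1
    return 0
}

# Print the pool host:port values from a miner config, one per line,
# so they can be recorded as indicators and blocked at the firewall.
miner_pools() {
    printf '%s' "$1" \
        | grep -oE '"url"[[:space:]]*:[[:space:]]*"[^"]+"' \
        | sed -E 's/.*"([^"]+)"$/\1/'
}

# From a "pid pcpu comm" process listing, print processes named like the
# ones in the thread (xmrig, gcc) that burn more than 90% CPU. This is the
# poster's own heuristic: a binary called gcc sitting at 100% is suspect.
# Live use: flag_miner_processes "$(ps -eo pid,pcpu,comm)"
flag_miner_processes() {
    printf '%s\n' "$1" \
        | awk 'NR > 1 && ($3 == "xmrig" || $3 == "gcc") && $2 + 0 > 90 { print $1, $3, $2 }'
}

# Constructed samples mirroring what the thread reports.
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
@reboot /root/gcc -c /root/config_1.json'

SAMPLE_CONFIG='{"algo": "cryptonight", "donate-level": 0,
 "pools": [{"url": "pool.example.invalid:28000", "user": "lol", "pass": "lol"}]}'

SAMPLE_PS='  PID %CPU COMMAND
  812  0.3 sshd
 2231 99.8 xmrig
 2232 97.0 gcc
 2240 12.0 gcc'

echo "== @reboot jobs =="
list_reboot_jobs "$SAMPLE_CRON"
echo "== miner config? =="
if looks_like_miner_config "$SAMPLE_CONFIG"; then
    echo "yes, pools:"
    miner_pools "$SAMPLE_CONFIG"
fi
echo "== hot processes =="
flag_miner_processes "$SAMPLE_PS"
```

Run on the real box, the cron and process checks only tell you what is still there now; as the other answers say, the hole that let the miner in (a weak password or a vulnerable panel) is what decides whether it comes back, so the output is for cleanup notes and blocking, not a substitute for reinstalling.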
