On hosting, the xmrig and gcc virus miners load the CPU to 100%. How to remove them from a VDS?
I am using a VDS. The top command found 2 processes that load the server to 100%: xmrig and gcc.
Killed both (after I killed xmrig, gcc began to eat 130%).
As a result, everything is running normally.
In the root folder I found config_1.json with the following config:
{
    "algo": "cryptonight",
    "api": {
        "port": 0,
        "access-token": null,
        "worker-id": null,
        "ipv6": false,
        "restricted": true
    },
    "av": 0,
    "background": true,
    "colors": true,
    "cpu-priority": null,
    "donate-level": 0,
    "log-file": null,
    "max-cpu-usage": 100,
    "pools": [
        {
            "url": "pool1.xaxaxa.eu:28000",
            "user": "lol",
            "pass": "lol",
            "keepalive": true,
            "nicehash": false,
            "variant": -1
        }
    ],
    "print-time": 60,
    "retries": 5,
    "retry-pause": 5,
    "safe": false,
    "syslog": false,
    "threads": null
}
Well, why did you kill them without first looking at where they are located?
Now look for xmrig on the server and kill it. True, since it was uploaded there, you need to look for a hole in some site or change the server password to a normal one. Just deleting it will not achieve anything; they will upload it again in exactly the same way.
shta?
The system has been compromised.
Format and reinstall everything.
And how do you remove viruses on a remote server?
In the control panel there is a "Reinstall the system" button :) Press it. Wait. Restore the backup. If there is no backup, meditate on the phrases "all admins are divided ..." and "Kroil's way leads to popadalov".
Found this at a friend's as well.
I'll add more:
@reboot /root/gcc -c /root/config_1.json has been added to root's cron,
so /root/gcc is that miner.
There are no other files edited in the same period. They probably work with ready-made software that only uploads the miner, and uploads it to a prominent place.
Maybe you have vestacp too? In the summer some kind of hole was discovered.
https://forum.vestacp.com/viewtopic.php?t=17183
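A triage sketch for the persistence described in this thread, added here as an example and not posted by any participant: it finds `@reboot` cron entries that start a binary with `-c <file>` and checks whether that file looks like the miner config quoted in the question. The function names and the key heuristic are assumptions; the sample crontab and config are constructed from the values in the thread.

```python
import json
import shlex

# Heuristic (assumption): keys taken from the config_1.json quoted in the question.
MINER_KEYS = {"algo", "pools", "donate-level", "max-cpu-usage"}

def reboot_jobs(crontab_text):
    """Yield (binary, config_path) for every @reboot entry in a crontab."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line.startswith("@reboot"):
            continue
        argv = shlex.split(line)[1:]              # drop the "@reboot" field
        if not argv:
            continue
        config = None
        for i, arg in enumerate(argv[:-1]):
            if arg == "-c":                       # flag used in the cron line from the thread
                config = argv[i + 1]
        yield argv[0], config

def miner_pools(config_text):
    """Return the pool URLs if the JSON carries the miner-style keys, else None."""
    try:
        cfg = json.loads(config_text)
    except ValueError:
        return None
    if not isinstance(cfg, dict) or not MINER_KEYS.issubset(cfg):
        return None
    pools = cfg["pools"] if isinstance(cfg["pools"], list) else []
    return [p.get("url") for p in pools if isinstance(p, dict)]

def triage(crontab_text, read_file):
    """List @reboot jobs whose config file is a miner config (read_file: path -> str)."""
    findings = []
    for binary, config in reboot_jobs(crontab_text):
        if config is None:
            continue
        try:
            pools = miner_pools(read_file(config))
        except OSError:                           # config already deleted or unreadable
            pools = None
        if pools is not None:
            findings.append({"binary": binary, "config": config, "pools": pools})
    return findings

# Constructed sample input, modelled on the cron line and config quoted in the thread.
SAMPLE_CRON = ("# m h dom mon dow command\n0 3 * * * /usr/bin/certbot renew\n"
               "@reboot /root/gcc -c /root/config_1.json\n")
SAMPLE_FILES = {"/root/config_1.json": '{"algo": "cryptonight", "background": true, '
                '"donate-level": 0, "max-cpu-usage": 100, '
                '"pools": [{"url": "pool1.xaxaxa.eu:28000", "user": "lol"}]}'}

if __name__ == "__main__":
    print(triage(SAMPLE_CRON, SAMPLE_FILES.__getitem__))
```

On a live host, pass the output of `crontab -l -u root` as `crontab_text` and `lambda p: open(p).read()` as `read_file`; a hit means the binary name (here `gcc`) is a disguise and the entry, binary and config should be collected before the rebuild.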