ccs 被挂马了,貌似是挖矿的(/root/sftp 下发现 XMRig 门罗币挖矿程序、守护脚本和配套的 systemd 单元)。
畜生行为啊
root@linux:~/sftp# ll
total 3340
drwxr-xr-x 2 root root 4096 May 27 01:47 ./
drwx------ 8 root root 4096 May 27 02:31 ../
-rwxrwxrwx 1 root root 3980 May 27 01:56 config.json*
-rwxr-xr-x 1 root root 410 May 27 01:47 xmrig_wrapper.sh*
-rwxrwxrwx 1 root root 3401080 Apr 27 06:36 xmrigx86*
systemd 单元描述:XMRig mining software with watchdog wrapper
路径:/etc/systemd/system/xmrigx86.service
2025年5月27日 10:41 /root/sftp/xmrig_wrapper.sh: line 13: 28208 Killed "$SERVICE_PATH" >> "$LOG_FILE" 2>&1
systemd 单元描述:XMRig Cleaner Service
路径:/etc/systemd/system/xmrig-cleaner.service
2025年5月27日 10:46 xmrig-cleaner.service: Failed with result 'exit-code'
10:46 xmrig-cleaner.service: Main process exited, code=exited, status=203/EXEC
10:46 Started xmrig-cleaner.service - XMRig Cleaner Service.
10:46 xmrig-cleaner.service: Scheduled restart job, restart counter is at 320.
(status=203/EXEC 表示 systemd 找不到或无法执行该单元 ExecStart 指向的程序;重启计数已到 320,说明单元带有自动重启策略,会被持续拉起——这是持久化手段,不是偶然故障。)
root@linux:~/sftp# cat ~/sftp/config.json
{
"api": {
"id": null,
"worker-id": null
},
"http": {
"enabled": false,
"host": "127.0.0.1",
"port": 0,
"access-token": null,
"restricted": true
},
"autosave": true,
"background": false,
"colors": false,
"title": true,
"randomx": {
"init": -1,
"init-avx2": 0,
"mode": "auto",
"1gb-pages": false,
"rdmsr": true,
"wrmsr": true,
"cache_qos": false,
"numa": true,
"scratchpad_prefetch_mode": 1
},
"cpu": {
"enabled": true,
"huge-pages": true,
"huge-pages-jit": false,
"hw-aes": null,
"priority": null,
"memory-pool": true,
"yield": true,
"asm": true,
"argon2-impl": null,
"argon2": ,
"cn": [
,
],
"cn-heavy": [
,
],
"cn-lite": [
,
],
"cn-pico": [
,
],
"cn/2": [
,
],
"cn/gpu": [
,
],
"cn/upx2": [
,
],
"flex": ,
"ghostrider": [
,
],
"panthera": ,
"rx": ,
"rx/wow": ,
"cn-lite/0": false,
"cn/0": false,
"rx/xeq": "rx/wow",
"rx/arq": "rx/wow",
"rx/keva": "rx/wow"
},
"log-file": null,
"donate-level": 0,
"donate-over-proxy": 1,
"pools": [
{
"algo": null,
"coin": null,
"url": "auto.c3pool.org:17777",
"user": "88LDNGE7BiYaSVHqDGuew1i6mvX4ufhrB7g1C5YaNCSPcUzG3aVTuTaKw25yrfcu88YrSoQDyUYCifKkfU4zYPSd75YP8Ah",
"pass": "x",
"rig-id": null,
"nicehash": false,
"keepalive": true,
"enabled": true,
"tls": false,
"sni": false,
"tls-fingerprint": null,
"daemon": false,
"socks5": null,
"self-select": null,
"submit-to-origin": false
}
],
"retries": 5,
"retry-pause": 5,
"print-time": 60,
"dmi": true,
"syslog": false,
"tls": {
"enabled": false,
"protocols": null,
"cert": null,
"cert_key": null,
"ciphers": null,
"ciphersuites": null,
"dhparam": null
},
"dns": {
"ipv6": false,
"ttl": 30
},
"user-agent": null,
"verbose": 0,
"watch": true,
"rebench-algo": false,
"bench-algo-time": 20,
"algo-min-time": 0,
"algo-perf": {
"cn/0": 66.65614478114477,
"cn/1": 37.40281571758773,
"cn/2": 37.40281571758773,
"cn/r": 37.40281571758773,
"cn/fast": 74.80563143517546,
"cn/half": 74.80563143517546,
"cn/xao": 37.40281571758773,
"cn/rto": 37.40281571758773,
"cn/rwz": 49.87042095678363,
"cn/zls": 49.87042095678363,
"cn/double": 18.701407858793864,
"cn/ccx": 133.31228956228955,
"cn-lite/0": 151.00882723833544,
"cn-lite/1": 151.00882723833544,
"cn-heavy/xhv": 52.072375341889334,
"cn-pico": 1396.842105263158,
"cn-pico/tlo": 1396.842105263158,
"cn/gpu": 14.73063973063973,
"rx/0": 109.0182047774387,
"rx/arq": 456.74594822142706,
"rx/xeq": 456.74594822142706,
"rx/graft": 106.18817091138708,
"rx/sfx": 109.0182047774387,
"panthera": 712.3013785120488,
"argon2/chukwav2": 1057.678139143248,
"kawpow": -1.0,
"ghostrider": 93.36557670066239,
"flex": 100.65208245687842
},
"pause-on-battery": false,
"pause-on-active": false
}
(上面 config.json 里值得留意的几点:矿池为 auto.c3pool.org:17777,明文、无 TLS;donate-level 为 0;user 字段就是收款钱包地址。矿池域名/端口可直接加入出站封禁与检测规则。另外 ll 输出里 config.json 和 xmrigx86 都是 777 权限,保留现场时建议先 chmod -x 并记录哈希,再做后续处理。)
是不是没有把 qemu-guest-agent 停掉?
目前先把这俩服务禁用了,保留现场瞅瞅。注意:只 disable 这两个 systemd 单元并不等于清理干净,crontab、/etc/ld.so.preload、~/.ssh/authorized_keys 等常见持久化位置也要核对一遍;能重装的话还是以重装为准。
我的开不了机了。。。
icest 发表于 2025-5-27 10:52
是不是没有把 qemu-guest-agent 停掉
的确是启动的。我已经把这个服务停掉并卸载了。等这阵风头过去了,重装一下系统。
我的 DD 过系统,应该不会被挂马吧?——若入侵来自宿主机一侧(后面商家的通告也证实了平台级事件),guest agent 可以被宿主机用来在虚拟机内以 root 执行命令,仅靠 DD 重装并不能阻止再次植入,重装后仍应检查 guest agent 是否需要启用。
估计你们的机器也有这些病毒挖矿任务:D
还有一个 /usr/lib/systemd/system/quotaoff.service 可能是毒?——先别急着下结论:这个单元通常由发行版的 quota 软件包自带,可用 dpkg -S 或 rpm -qf 核对归属,确认不属于任何已安装软件包再当作恶意文件处理。已经停了卸载了。
QQ云 发表于 2025-5-27 10:57
我的开不了机了。。。
我的也无法开机了
然后商家的回复是:感谢您在我们全面调查此事期间的耐心等待。感谢您的理解。
正如我们之前的电子邮件中所述,一个事件影响了 ColoCloud 平台。该问题目前已得到完全缓解;但是,您的 VPS 所在的一小部分服务器因该事件而遭受了数据丢失。
我们已经重新创建了您的 VPS,并已将新的访问详情发送给您。请尽快查看。
ColoCloud 团队正在努力确保所有客户都能完全恢复,我们真诚感谢您给予我们为您服务的机会。如果您有任何疑问或需要进一步的帮助,请随时联系我们。我们随时准备为您提供帮助。
Shane W,
Chicagovps.net