CAS Plat Poisoning

2021-12-23 18:59:24 Published

Network Topology

NULL

Problem Description

  • The CPU usage of the CAS host is about 50% while idle; the top output shows two sshd processes and an unknown xmrig process consuming the CPU


  • Process Analysis

    sshd does not normally consume this much CPU, so the high usage was suspected to be a sign of a compromise. Determine the approximate time at which it started and check the operation log under /var/log/operation/. The following was found:


    The operation logs show that a mining virus was planted: the virus file was downloaded from the Internet, decompressed into the /var/lib/.cache directory, and executed.
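    The symptoms above (high CPU from an unknown xmrig process and from processes calling themselves sshd) can be triaged with a few shell helpers. The following is an added example and not part of the original case; the ps output it parses is constructed sample data, and the pool hostname and file paths in it are hypothetical. The live-host wrapper at the end resolves each high-CPU pid to its executable via /proc, which is the check that separates the real sshd from a copy dropped in a hidden directory.

```shell
#!/bin/sh
# Added example, not part of the original case: triage helpers for the
# symptoms described above. SAMPLE_PS is CONSTRUCTED data; the pool
# hostname and the /var/lib/.cache paths are hypothetical.

# Constructed output of: ps -eo pid,pcpu,comm,args --sort=-pcpu
SAMPLE_PS='  PID %CPU COMMAND         COMMAND
 4127 48.2 xmrig           /var/lib/.cache/xmrig -o pool.invalid:3333
 4130 24.1 sshd            /var/lib/.cache/sshd
 1201  0.3 sshd            /usr/sbin/sshd -D
  988  0.0 cron            /usr/sbin/cron'

# Processes above a CPU threshold (default 20%), as "pid pcpu comm path".
high_cpu() {
    printf '%s\n' "$1" | awk -v t="${2:-20}" 'NR > 1 && $2 + 0 > t { print $1, $2, $3, $4 }'
}

# Processes whose binary sits in a hidden directory (such as /var/lib/.cache)
# or whose name is the miner seen in this case: the two signs that matter here.
suspicious() {
    printf '%s\n' "$1" | awk 'NR > 1 && ($3 == "xmrig" || $4 ~ /\/\.[^\/]+\//) { print $1, $3, $4 }'
}

# A process named sshd should run from the packaged binary. Takes the process
# name and its resolved executable path (on a live host: readlink /proc/PID/exe)
# and returns 0 when "sshd" is a masquerade running from somewhere else.
sshd_masquerade() {
    [ "$1" = "sshd" ] && [ "$2" != "/usr/sbin/sshd" ]
}

# Live-host wrapper (not exercised offline): report the executable behind
# every high-CPU pid so masquerading names are visible at a glance.
triage_live() {
    high_cpu "$(ps -eo pid,pcpu,comm,args --sort=-pcpu)" | while read -r pid pcpu comm path; do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
        printf '%s %s%% %s exe=%s\n' "$pid" "$pcpu" "$comm" "$exe"
    done
}
```

    Running triage_live as root on the affected host lists the processes worth a closer look; a pid whose exe points into a hidden directory, or an "sshd" whose exe is not /usr/sbin/sshd, is the one to capture (binary, cwd, open sockets) before the cleanup steps below remove it.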

    Solution

    1. Clearing a Scheduled Task:

    Run the crontab -l command to list the scheduled tasks, then delete the malicious entries. If the entries cannot be deleted, the chattr command has been used to set the i (immutable) and a (append-only) attributes on the file or directory; remove these attributes first.


    2. Since the virus saves its process ID in the bash.pid file, kill the corresponding PID. For other viruses, identify and kill the processes according to the situation.


    3. Delete virus-related files

    According to the operation logs, the a and i attributes were set on the .cache directory when the virus was planted, so it cannot be deleted directly; remove them first with chattr -ai.


    4. Restoring system changes

    Note: Some viruses modify system files or configurations; restore these changes as soon as possible. According to the operation logs, sysctl -w vm.nr_hugepages=128 was also executed on the host. Because the configuration file was not modified, either set the parameter back to its original value with sysctl or restart the host or VM.
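    Steps 1 to 4 above can be put into one script. The following is an added example and not the case's own script: the paths (/var/lib/.cache, bash.pid) and the vm.nr_hugepages parameter come from the case, the crontab spool locations are the common ones and may differ on a given build, and the pre-infection hugepages value (HUGEPAGES_ORIG) is an assumption to be confirmed against a clean host. The attribute parser, pid validator and hugepages check are plain functions that run offline; the destructive actions sit in cleanup_live, which prints its plan unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original case: helpers for cleanup steps 1-4.
# Paths follow the case; HUGEPAGES_ORIG is an ASSUMED pre-infection value.

CACHE_DIR=/var/lib/.cache
PID_FILE=$CACHE_DIR/bash.pid
HUGEPAGES_ORIG=0   # assumption: confirm the real value on a clean CAS host

# Steps 1/3: given one `lsattr -d` output line, return 0 if the i (immutable)
# or a (append-only) flag is set, which is what makes rm and crontab edits fail.
locked_by_attrs() {
    case "${1%% *}" in
        *i*|*a*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Step 2: accept the pid read from bash.pid only if it is a plain positive
# integer, so a tampered file cannot feed arbitrary text to kill.
valid_pid() {
    pid=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# Step 4: compare the current vm.nr_hugepages with the known-good value and
# print the sysctl command that restores it (nothing if already correct).
hugepages_fix() {
    if [ "$1" != "$HUGEPAGES_ORIG" ]; then
        printf 'sysctl -w vm.nr_hugepages=%s\n' "$HUGEPAGES_ORIG"
    fi
}

# Live cleanup, root only. Prints the plan unless DRY_RUN=0 is set.
cleanup_live() {
    run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

    # 1. unlock the crontab spool if it was made immutable, then list entries
    #    for the operator to remove the malicious lines with crontab -e
    for f in /var/spool/cron/root /var/spool/cron/crontabs/root /etc/crontab; do
        [ -e "$f" ] || continue
        locked_by_attrs "$(lsattr -d "$f")" && run chattr -ia "$f"
    done
    run crontab -l

    # 2. kill the pid the malware recorded (SIGKILL: miners often ignore TERM)
    pid=$(valid_pid "$(head -n 1 "$PID_FILE" 2>/dev/null)") && run kill -9 "$pid"

    # 3. strip the attributes recursively, then remove the dropper directory
    [ -d "$CACHE_DIR" ] && { run chattr -R -ia "$CACHE_DIR"; run rm -rf "$CACHE_DIR"; }

    # 4. put vm.nr_hugepages back to its pre-infection value
    cmd=$(hugepages_fix "$(cat /proc/sys/vm/nr_hugepages)")
    [ -n "$cmd" ] && run $cmd
}
```

    Run cleanup_live once with the default dry run and read the printed plan; only after the crontab listing and the pid look right should it be rerun with DRY_RUN=0. Keeping locked_by_attrs separate from the chattr call matters because chattr -ia on a path that is not flagged is harmless but hides whether the attacker actually used the flags, which is worth recording in the incident notes.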


  • After the virus has been removed, increase password complexity, change user passwords periodically, and strengthen the firewall security configuration

