# 挖矿木马排查

## 排查

### 查看可疑进程

```bash
$ htop
```

注意挖矿进程所属的用户。

### 校验所有软件包

```bash
$ rpm -Va
```

防止命令被替换。

### 查看是否修改了动态链接库

查看预加载的动态链接文件：

```bash
$ cat /etc/ld.so.preload
$ echo $LD_PRELOAD
```

## 清除

### 使用iptables阻断与矿池通讯

```bash
$ iptables -A INPUT -s xxx.com -j DROP
$ iptables -A OUTPUT -d xxx.com -j DROP
```

### 关闭定时任务

查看可疑的定时任务并删除

```bash
$ crontab -l
# 或
$ vim /var/spool/cron/root
```

还有一些目录下：

```bash
/etc/crontab、/var/spool/cron、/etc/cron.daily/、/etc/cron.hourly/、/etc/cron.monthly/、/etc/anacrontab
```

### 清除启动项

启动项的目录下：

```bash
/etc/rc0.d/、/etc/rc1.d/、/etc/rc2.d/、/etc/rc3.d/、/etc/rc4.d/、/etc/rc5.d/、/etc/rc6.d/、/etc/rc.d/、/etc/rc.local
```

### 清除公钥文件

查看或删除可疑公钥文件：

```bash
$ vim ~/.ssh/authorized_keys
```

### 杀死挖矿程序

```bash
$ kill -9 pid
# 或
$ pkill ddg.3014
```

### 解锁

使用`chattr`解锁一些加了锁的文件：

```bash
$ chattr -i /file
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://brownfly.gitbook.io/emergency-response/linux/an-li/wa-kuang-mu-ma-pai-cha.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.