Linux의 민족

Deleting the files auto-generated by the perfctl malware

댕구리댕댕구리 2024. 11. 4. 13:29

1. Overview

  • On a virtualized server running on Windows, CPU usage kept hitting 100%
  • The server repeatedly went down because of the CPU overuse
  • In crontab, /root/.config/cron/perfcc was being executed automatically


2. Resolution

  • Create a script named protect-perf.sh that deletes the file at /root/.config/cron/perfcc whenever it is recreated


# 1
vi /home/protect-perf.sh

# 2 Add the following content

#!/bin/bash

# Check if the /tmp directory exists
if [ -d /tmp ]; then
    # Rename the /tmp/.perf.c file if it exists
    if [ -f /tmp/.perf.c ]; then
        mv /tmp/.perf.c /tmp/test || echo "Failed to rename /tmp/.perf.c"
        echo "Renamed /tmp/.perf.c to /tmp/test"
    else
        echo "/tmp/.perf.c does not exist"
    fi

    # Rename /usr/bin/perfcc if it exists
    if [ -f /usr/bin/perfcc ]; then
        mv /usr/bin/perfcc /usr/bin/zzzzzzzzzzzzzzzzzz || echo "Failed to rename /usr/bin/perfcc"
    fi

    # Rename config files if they exist
    if [ -f /root/.config/cron/perfcc ]; then
        mv /root/.config/cron/perfcc /root/.config/cron/aaaaaaaaaaaa || echo "Failed to rename /root/.config/cron/perfcc"
    fi

    if [ -f /root/.config/procps/perfcc ]; then
        mv /root/.config/procps/perfcc /root/.config/procps/bbbbbbbbbbbb || echo "Failed to rename /root/.config/procps/perfcc"
    fi

    # Delete the renamed files and directories if they exist
    rm -rf /tmp/test || echo "Failed to delete /tmp/test"
    rm -rf /usr/bin/zzzzzzzzzzzzzzzzzz || echo "Failed to delete /usr/bin/zzzzzzzzzzzzzzzzzz"
    rm -rf /root/.config/cron/aaaaaaaaaaaa || echo "Failed to delete /root/.config/cron/aaaaaaaaaaaa"
    rm -rf /root/.config/procps/bbbbbbbbbbbb || echo "Failed to delete /root/.config/procps/bbbbbbbbbbbb"
    
    # Delete the cron config directory if it exists
    if [ -d /root/.config/cron ]; then
        rm -rf /root/.config/cron || echo "Failed to delete /root/.config/cron"
    fi

    # Delete perfclean and perfcc cron jobs if they exist
    rm -rf /etc/cron.*/perfclean || echo "Failed to delete /etc/cron.*/perfclean"
    rm -rf /etc/cron.*/perfcc || echo "Failed to delete /etc/cron.*/perfcc"

    echo "Cleanup completed."
else
    echo "/tmp directory does not exist"
fi


  • Register it in crontab
> crontab -e

# Run the script every minute
*/1 * * * * /bin/bash /home/protect-perf.sh

# Apply the crontab update
> systemctl restart crond.service
> crontab -l
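As an added example (not part of the original post), the following script reports which of the perfctl artifacts named in protect-perf.sh above are present instead of deleting them silently, so a defender can see whether the files keep coming back after the cron job runs, and filters crontab text down to the lines that invoke the perfcc job. The optional root-prefix argument, the --check flag and the file name check-perfctl.sh are assumptions introduced here so the check can be exercised against a test directory tree.

```shell
#!/bin/sh
# Added example, not from the original post: report the perfctl artifacts
# named in the post's protect-perf.sh rather than deleting them silently.
# The first argument of perfctl_indicators is an assumed root prefix so the
# check can run against a test directory tree; on a live host pass "".

perfctl_indicators() {
    root="${1:-}"
    found=0
    # Fixed paths listed in the post's cleanup script
    for p in /tmp/.perf.c /usr/bin/perfcc \
             /root/.config/cron/perfcc /root/.config/procps/perfcc; do
        if [ -e "$root$p" ]; then
            echo "FOUND $root$p"
            found=$((found + 1))
        fi
    done
    # Cron drop-ins: /etc/cron.* is a glob, so check every matching dir
    for p in "$root"/etc/cron.*/perfclean "$root"/etc/cron.*/perfcc; do
        [ -e "$p" ] || continue
        echo "FOUND $p"
        found=$((found + 1))
    done
    # Summary goes to stderr so stdout stays one line per hit
    echo "perfctl indicators found: $found" >&2
}

# Filter crontab text (e.g. piped from `crontab -l`) down to the lines that
# invoke the perfcc job the post found running from root's crontab.
perfctl_cron_entries() {
    grep -E 'perfcc|perfctl|/root/\.config/(cron|procps)/' || true
}

# Stand-alone use on the live host (needs root to read /root):
#   sh check-perfctl.sh --check
#   crontab -l | sh -c '. ./check-perfctl.sh; perfctl_cron_entries'
case "${1:-}" in
    --check) perfctl_indicators "${2:-}" ;;
esac
```

Deleting the dropped files does not stop a process that is already running, so a host that still shows 100% CPU after the cleanup needs its process list checked as well.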


3. Reference blog

https://forum.yunohost.org/t/here-is-how-i-removed-the-perfctl-malware/23224
