里云一臺ECS中招,中招原因可能為版本底,并且WEB界面允許外部訪問,因為我們有外部程序員需要上傳代碼。
受影響的版本:
CPU一直50%,很聰明?。?!
查看進程,有一個GIT用戶運行的exe程序持續(xù)占有50%的CPU,程序結(jié)束后會馬上自動拉起。
切換到Gti用戶下,查看計劃任務(wù):
計劃任務(wù)為空
/tmp/目錄下,沒有發(fā)現(xiàn)和阿里提示相同的文件夾。
通過lsof -p查看進程,發(fā)現(xiàn)境外連接地址,通過IPTABLES禁止訪問此地址后,會自動更換其它地址進行自動連接。
[root@~]# lsof -p 9119
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
exe 9119 git cwd DIR 253,1 4096 2 /
exe 9119 git rtd DIR 253,1 4096 2 /
exe 9119 git txt REG 253,1 1709100 1179650 /tmp/kami (deleted)
exe 9119 git 0r CHR 1,3 0t0 1028 /dev/null
exe 9119 git 1w CHR 1,3 0t0 1028 /dev/null
exe 9119 git 2w CHR 1,3 0t0 1028 /dev/null
exe 9119 git 3r CHR 1,3 0t0 1028 /dev/null
exe 9119 git 4u REG 253,1 4 1188868 /tmp/.x11-unix (deleted)
exe 9119 git 5u a_inode 0,10 0 6387 [eventpoll]
exe 9119 git 6r FIFO 0,9 0t0 1319801218 pipe
exe 9119 git 7w FIFO 0,9 0t0 1319801218 pipe
exe 9119 git 8r FIFO 0,9 0t0 1319801219 pipe
exe 9119 git 9w FIFO 0,9 0t0 1319801219 pipe
exe 9119 git 10u a_inode 0,10 0 6387 [eventfd]
exe 9119 git 11u a_inode 0,10 0 6387 [eventfd]
exe 9119 git 12u a_inode 0,10 0 6387 [eventfd]
exe 9119 git 13r CHR 1,3 0t0 1028 /dev/null
exe 9119 git 14u IPv4 1319801220 0t0 TCP nexus.****.com:48948->504e189a.host.njalla.net:https (ESTABLISHED)
iptables -I OUTPUT -d 80.78.24.154 -j DROP
Chain OUTPUT (policy ACCEPT 108 packets, 114K bytes)
pkts bytes target prot opt in out source destination
6 372 DROP all -- * * 0.0.0.0/0 80.78.24.154
因為本人處理過一起類似的問題,所以知道系統(tǒng)里本身的默認(rèn)命令應(yīng)該是無法查看到此程序,使用busybox來可以很容易的清理,因為時間有限,我給大家一個小妙招,如果找到busybox,可以下載一個docker鏡像,拉起來后,把busybox復(fù)制到本機,然后通過busybox進行病毒的清理工作,就易如反掌。
[root@ ~]# busybox lsof -p |grep 9459
9459 /tmp/kami (deleted) 0 /dev/null
9459 /tmp/kami (deleted) 1 /dev/null
9459 /tmp/kami (deleted) 2 /dev/null
9459 /tmp/kami (deleted) 3 /dev/null
9459 /tmp/kami (deleted) 4 /tmp/.x11-unix (deleted)
9459 /tmp/kami (deleted) 5 anon_inode:[eventpoll]
9459 /tmp/kami (deleted) 6 pipe:[1319802797]
9459 /tmp/kami (deleted) 7 pipe:[1319802797]
9459 /tmp/kami (deleted) 8 pipe:[1319802798]
9459 /tmp/kami (deleted) 9 pipe:[1319802798]
9459 /tmp/kami (deleted) 10 anon_inode:[eventfd]
9459 /tmp/kami (deleted) 11 anon_inode:[eventfd]
9459 /tmp/kami (deleted) 12 anon_inode:[eventfd]
9459 /tmp/kami (deleted) 13 /dev/null
9459 /tmp/kami (deleted) 14 socket:[1319806273]
9459 /tmp/kami (deleted) 15 socket:[1319803995]
至此,進程再也不會被拉起來。
接下來是升級工作。
gitlab-rake gitlab:backup:create #自動備份代碼相關(guān)內(nèi)容
手動備份下面文件
/etc/gitlab/gitlab.rb #配置文件須備份
/var/opt/gitlab/nginx/conf #nginx配置文件
/etc/postfix/main.cfpostfix #郵件配置備份
/etc/gitlab/gitlab-secrets.json #存儲了gitlab的db secret信息
[gitlab-ce]
name=gitlab-ce
baseurl=https://mirrors.tuna.tsinghua.edu.cn/gitlab-ce/yum/el7/
repo_gpgcheck=0
gpgcheck=0
enable=1
gpgkey=https://packages.gitlab.com/gpg.key
gitlab-ctl stop unicorn
gitlab-ctl stop sidekiq
gitlab-ctl stop nginx
yum install -y gitlab-10.8.7
yum install -y gitlab-11.3.4
gitlab-ctl restart
查看可升級的路線圖
8.11.Z -> 8.12.0 -> 8.17.7 -> 9.5.10 -> 10.8.7 -> 11.11.8 -> 12.0.12 -> 12.1.17 -> 12.10.14 -> 13.0.14 -> 13.1.11 -> 13.8.8 -> 13.12.15 -> 14.0.12 -> 14.3.6 -> 14.9.5 -> 14.10.Z -> 15.0.Z -> 15.4.0 -> latest 15.Y.Z
上圖為gitlab官網(wǎng)公司的升級路線圖。
因為時間關(guān)系,我司的Gitlab暫升級到11.3.4,其間升到了10.8.7和11.3.4二個版本。升級后,代碼訪問正常。
#安裝java環(huán)境
下載jdk-8u202-linux-x64.rpm
地址 https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html
一鍵命令
```powershell
rpm -ivh /root/jdk-8u202-linux-x64.rpm
wait
sed -r -i '/java|CLASSPATH|JAVA_HOME|LD_LIBRARY_PATH/ s/^/#&/' /etc/profile
echo "#set java environment
JAVA_HOME=/usr/java/jdk1.8.0_202-amd64
CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
PATH=$JAVA_HOME/bin:$PATH
LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH
export JAVA_HOME CLASSPATH PATH LD_LIBRARY_PATH" >> /etc/profile
echo -e "\e3[33m jdk_rpm install ok! \e[0m"
ldconfig
source /etc/profile && java -version
```
安裝 libzmq v4.3.4
#java 環(huán)境上一步已配置
#首先安裝構(gòu)建zeromq的依賴工具:
yum install libtool gcc gcc-c++ make libuuid-devel autoconf automake
yum -y install git
git clone https://github.com/zeromq/libzmq.git
#切換目錄
cd libzmq/
#查看tag
git tag
tag只是快照,檢出到本地自定義分支libzmqv4.3.4
git checkout -b libzmqv4.3.4 v4.3.4
#查看是否切換成功
git branch
#配置、構(gòu)建、安裝、驗證:
./autogen.sh
./configure
make -j4 && sudo make install
#驗證 進入目錄
cd /root/libzmq/perf/
./local_lat tcp://127.0.0.1:65432 1 100
#打開另一個終端 進入目錄
cd /root/libzmq/perf/
./remote_lat tcp://127.0.0.1:65432 1 100
#返回 message size: 1 [B] roundtrip count: 100 average latency: 24.860 [us] 表示成功
#安裝jzmq (雷同上面)
git clone https://github.com/zeromq/jzmq.git
git tag
#tag只是快照,檢出到本地自定義分支jzmq3.1.0
git checkout -b jzmq3.1.0 v3.1.0
#查看branch 返回jzmq3.1.0 master
git branch
##編輯Event.cpp ,參考代碼對比 https://github.com/zeromq/jzmq/commit/eb40d6db43ce3545e623dad6cc6721a90885b5ba 替換不然make install報錯
報錯內(nèi)容如下
```powershell
Event.cpp: In function '_jobject* Java_org_zeromq_ZMQ_00024Event_recv(JNIEnv*, jclass, jlong, jint)':
Event.cpp:60:5: error: 'zmq_event_t' was not declared in this scope
zmq_event_t event;
^
Event.cpp:60:17: error: expected ';' before 'event'
zmq_event_t event;
^
Event.cpp:72:13: error: 'event' was not declared in this scope
memcpy(&event.event, data, sizeof(event.event));
^
Event.cpp:148:1: warning: control reaches end of non-void function [-Wreturn-type]
}
^
make[2]: *** [libjzmq_la-Event.lo] Error 1
make[2]: Leaving directory `/root/jzmq/src/main/c++'
make[1]: *** [install] Error 2
make[1]: Leaving directory `/root/jzmq/src/main/c++'
make: *** [install-recursive] Error 1
```
#raw格式查看https://raw.githubusercontent.com/zeromq/jzmq/eb40d6db43ce3545e623dad6cc6721a90885b5ba/src/main/c%2B%2B/Event.cpp 復(fù)制 編輯到 src/main/c++/Event.cpp
vim src/main/c++/Event.cpp
./autogen.sh
./configure
make -j4 && sudo make install
#編譯后文件位置
#so文件
#/usr/local/lib
#jar
#/usr/local/share/java/zmq.jar
```powershell
[root@iZuf6hegfy8iwwureeshuiZ jzmq]# cd /usr/local/lib
[root@iZuf6hegfy8iwwureeshuiZ lib]# ll
total 48944
-rw-r--r-- 1 root root 626664 May 15 11:57 libjzmq.a
-rwxr-xr-x 1 root root 957 May 15 11:57 libjzmq.la
lrwxrwxrwx 1 root root 16 May 15 11:57 libjzmq.so -> libjzmq.so.0.0.0
lrwxrwxrwx 1 root root 16 May 15 11:57 libjzmq.so.0 -> libjzmq.so.0.0.0
-rwxr-xr-x 1 root root 277312 May 15 11:57 libjzmq.so.0.0.0
-rw-r--r-- 1 root root 36889226 May 15 10:39 libzmq.a
-rwxr-xr-x 1 root root 925 May 15 10:39 libzmq.la
lrwxrwxrwx 1 root root 15 May 15 10:39 libzmq.so -> libzmq.so.5.2.4
lrwxrwxrwx 1 root root 15 May 15 10:39 libzmq.so.5 -> libzmq.so.5.2.4
-rwxr-xr-x 1 root root 12304192 May 15 10:39 libzmq.so.5.2.4
drwxr-xr-x 2 root root 4096 May 15 10:39 pkgconfig
drwxr-xr-x 3 root root 4096 Apr 20 12:07 python3.6
[root@iZuf6hegfy8iwwureeshuiZ lib]# stat /usr/local/share/java/zmq.jar
File: ‘/usr/local/share/java/zmq.jar’
Size: 49293 Blocks: 104 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 928023 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2021-05-15 11:57:22.744031172 +0800
Modify: 2021-05-15 11:57:22.744031172 +0800
```
Change: 2021-05-15 11:57:22.744031172 +0800
參考鏈接
http://guangfei.win/2016/04/06/jzmq%E7%BC%96%E8%AF%91/
https://blog.csdn.net/lianshaohua/article/details/92556208