记一次阿里云主机被挖矿
2025-03-20 21:03 蜡笔小旧 阅读(26) 评论(0) 收藏 举报朋友买了一个传奇sf, 然后我刚好有一台windows主机, 就去安装sf MirServer, 结果报病毒,我也觉得正常就别在意,把杀毒软件关了。然后因为dbc 2000数据库装不上就无法进行下去了。我就没管这台机器了。
结果过了两天,收到了阿里云的短信说“异地登陆”, 我赶紧下了阿里云的app, 远程把机器关闭了。
几天后, 我登上了服务器, 先开了安全组,只允许当前ip登陆。
看到桌面上多了一个"112233"的文件夹
里面两个文件一个xmrig.exe, 查了一下是一个挖矿程序,另外一个config.json
{ "api": { "id": null, "worker-id": null }, "http": { "enabled": false, "host": "127.0.0.1", "port": 0, "access-token": null, "restricted": true }, "autosave": true, "background": false, "colors": true, "title": true, "randomx": { "init": -1, "init-avx2": -1, "mode": "auto", "1gb-pages": false, "rdmsr": true, "wrmsr": true, "cache_qos": false, "numa": true, "scratchpad_prefetch_mode": 1 }, "cpu": { "enabled": true, "huge-pages": true, "huge-pages-jit": false, "hw-aes": null, "priority": null, "memory-pool": false, "yield": true, "asm": true, "argon2-impl": null, "astrobwt-max-size": 550, "astrobwt-avx2": false, "argon2": [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15], "astrobwt": [0, 1], "cn": [ [1, 0], [1, 1], [1, 2], [1, 3], [1, 4], [1, 5], [1, 6], [1, 7], [1, 8], [1, 9], [1, 10], [1, 11], [1, 12], [1, 13], [1, 14], [1, 15] ], "cn-heavy": [ [1, 0], [1, 1], [1, 2], [1, 3], [1, 4], [1, 5], [1, 6], [1, 7], [1, 8], [1, 9], [1, 10], [1, 11], [1, 12], [1, 13], [1, 14], [1, 15] ], "cn-lite": [ [1, 0], [1, 1], [1, 2], [1, 3], [1, 4], [1, 5], [1, 6], [1, 7], [1, 8], [1, 9], [1, 10], [1, 11], [1, 12], [1, 13], [1, 14], [1, 15] ], "cn-pico": [ [2, 0], [2, 1], [2, 2], [2, 3], [2, 4], [2, 5], [2, 6], [2, 7], [2, 8], [2, 9], [2, 10], [2, 11], [2, 12], [2, 13], [2, 14], [2, 15] ], "cn/gpu": [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15], "cn/upx2": [ [2, 0], [2, 1] ], "ghostrider": [ [8, 0], [8, 1] ], "rx": [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15], "rx/wow": [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15], "cn-lite/0": false, "cn/0": false, "rx/arq": "rx/wow", "rx/keva": "rx/wow" }, "opencl": { "enabled": false, "cache": true, "loader": null, "platform": "AMD", "adl": true, "cn-lite/0": false, "cn/0": false }, "cuda": { "enabled": false, "loader": null, "nvml": true, "cn-lite/0": false, "cn/0": false }, "log-file": null, "donate-level": 1, "donate-over-proxy": 1, "pools": [ { "algo": null, "coin": null, "url": "auto.c3pool.org:80", "user": "8BMLNkmhokRVqoA5wYoSKA94AVuFzb98jLSAqhFeZtzwN9ryEaQDW3C57PoiAUiVKbPmNaCpjWD7QjmUFye6Xn4p8YhMjPY", "pass": "x", "rig-id": null, "nicehash": false, "keepalive": false, "enabled": true, "tls": false, "tls-fingerprint": null, "daemon": false, "socks5": null, "self-select": null, "submit-to-origin": false } ], "retries": 5, "retry-pause": 5, "print-time": 60, "health-print-time": 60, "dmi": true, "syslog": false, "tls": { "enabled": false, "protocols": null, "cert": null, "cert_key": null, "ciphers": null, "ciphersuites": null, "dhparam": null }, "dns": { "ipv6": false, "ttl": 30 }, "user-agent": null, "verbose": 0, "watch": true, "pause-on-battery": false, "pause-on-active": false }{ "api": { "id": null, "worker-id": null }, "http": { "enabled": false, "host": "127.0.0.1", "port": 0, "access-token": null, "restricted": true }, "autosave": true, "background": false, "colors": true, "title": true, "randomx": { "init": -1, "init-avx2": -1, "mode": "auto", "1gb-pages": false, "rdmsr": true, "wrmsr": true, "cache_qos": false, "numa": true, "scratchpad_prefetch_mode": 1 }, "cpu": { "enabled": true, "huge-pages": true, "huge-pages-jit": false, "hw-aes": null, "priority": null, "memory-pool": false, "yield": true, "asm": true, "argon2-impl": null, "astrobwt-max-size": 550, "astrobwt-avx2": false, "argon2": [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15], "astrobwt": [0, 1], "cn": [ [1, 0], [1, 1], [1, 2], [1, 3], [1, 4], [1, 5], [1, 6], [1, 7], [1, 8], [1, 9], [1, 10], [1, 11], [1, 12], [1, 13], [1, 14], [1, 15] ], "cn-heavy": [ [1, 0], [1, 1], [1, 2], [1, 3], [1, 4], [1, 5], [1, 6], [1, 7], [1, 8], [1, 9], [1, 10], [1, 11], [1, 12], [1, 13], [1, 14], [1, 15] ], "cn-lite": [ [1, 0], [1, 1], [1, 2], [1, 3], [1, 4], [1, 5], [1, 6], [1, 7], [1, 8], [1, 9], [1, 10], [1, 11], [1, 12], [1, 13], [1, 14], [1, 15] ], "cn-pico": [ [2, 0], [2, 1], [2, 2], [2, 3], [2, 4], [2, 5], [2, 6], [2, 7], [2, 8], [2, 9], [2, 10], [2, 11], [2, 12], [2, 13], [2, 14], [2, 15] ], "cn/gpu": [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15], "cn/upx2": [ [2, 0], [2, 1] ], "ghostrider": [ [8, 0], [8, 1] ], "rx": [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15], "rx/wow": [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15], "cn-lite/0": false, "cn/0": false, "rx/arq": "rx/wow", "rx/keva": "rx/wow" }, "opencl": { "enabled": false, "cache": true, "loader": null, "platform": "AMD", "adl": true, "cn-lite/0": false, "cn/0": false }, "cuda": { "enabled": false, "loader": null, "nvml": true, "cn-lite/0": false, "cn/0": false }, "log-file": null, "donate-level": 1, "donate-over-proxy": 1, "pools": [ { "algo": null, "coin": null, "url": "auto.c3pool.org:80", "user": "8BMLNkmhokRVqoA5wYoSKA94AVuFzb98jLSAqhFeZtzwN9ryEaQDW3C57PoiAUiVKbPmNaCpjWD7QjmUFye6Xn4p8YhMjPY", "pass": "x", "rig-id": null, "nicehash": false, "keepalive": false, "enabled": true, "tls": false, "tls-fingerprint": null, "daemon": false, "socks5": null, "self-select": null, "submit-to-origin": false } ], "retries": 5, "retry-pause": 5, "print-time": 60, "health-print-time": 60, "dmi": true, "syslog": false, "tls": { "enabled": false, "protocols": null, "cert": null, "cert_key": null, "ciphers": null, "ciphersuites": null, "dhparam": null }, "dns": { "ipv6": false, "ttl": 30 }, "user-agent": null, "verbose": 0, "watch": true, "pause-on-battery": false, "pause-on-active": false }
我看了下并没有多用户, 也没有多的进程, 也没有开机自动启动, 不知道为什么, 难道是我及时的关机了?
桌面放这挖矿程序也是醉了.
浙公网安备 33010602011771号