kill -9 kills the process to no avail; it is automatically restored shortly afterwards.
Steps of the search:
Results:
The virus had been implanted in one of the Docker containers running in production.
How do we determine which container it is before removing the virus files found by the search?
There are not many containers running on this machine, so I can first docker cp a file into each container and then search for that file on the host.
If the file turns up in the same directory where the virus file was just found (/var/lib/docker/devicemapper/mnt/xxxxx), you have identified the container. It turned out to be the php container.
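The marker-file trick above, written up as a small host-side script (an added example, not code from the original post). It assumes the default devicemapper root /var/lib/docker/devicemapper/mnt, that the docker CLI is on PATH, and that the container names and paths in the comments are placeholders.

```sh
#!/bin/sh
# Added example: find which running container owns a file that was found on the
# host under /var/lib/docker/devicemapper/mnt/<mount-id>/... by dropping a
# uniquely named marker into every container and seeing which mount it shows up in.
# DOCKER_MNT is an assumption; adjust it if the daemon uses a different data root.

DOCKER_MNT=/var/lib/docker/devicemapper/mnt

# Print the <mount-id> part of a host path, or nothing if it is not under $DOCKER_MNT.
mount_id_of() {
    printf '%s\n' "$1" | sed -n "s|^$DOCKER_MNT/\([^/]*\)/.*|\1|p"
}

# Recover the container name encoded in a marker file named "<marker>.<name>".
container_from_marker() {
    basename "$1" | sed "s|^$2\.||"
}

# Copy a per-container marker into /tmp of every running container, then look for
# it inside the suspect mount on the host. Prints the owning container's name.
find_owner_container() {
    suspect=$1
    id=$(mount_id_of "$suspect")
    [ -n "$id" ] || { echo "not a devicemapper container path: $suspect" >&2; return 1; }
    marker="marker-$$-$(date +%s)"
    tmp=$(mktemp)
    for c in $(docker ps -q); do
        name=$(docker inspect --format '{{.Name}}' "$c" | sed 's|^/||')
        docker cp "$tmp" "$c:/tmp/$marker.$name"
    done
    rm -f "$tmp"
    hit=$(find "$DOCKER_MNT/$id" -name "$marker.*" 2>/dev/null | head -n 1)
    # Remove the markers again from every container, whatever the outcome.
    for c in $(docker ps -q); do
        docker exec "$c" sh -c "rm -f /tmp/$marker.*" 2>/dev/null
    done
    [ -n "$hit" ] || { echo "no running container owns $suspect" >&2; return 1; }
    container_from_marker "$hit" "$marker"
}

# Usage: sh find_owner.sh /var/lib/docker/devicemapper/mnt/<id>/rootfs/tmp/suspect-file
[ $# -eq 0 ] || find_owner_container "$1"
```

The printed name is the container to replace; the same path prefix also tells you which mount to preserve for later analysis before deleting the container.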
Once you know exactly which container has the problem, the fastest way to deal with it is to start a new one first.
My setup has two service containers, nginx and php, so I first started a new php container and changed the back-end PHP server address and port in the nginx proxy configuration to the new container's IP address. (The nginx configuration is mapped to a host directory.)
Modify the IP address of the PHP back-end
cd into the host directory where the mapped nginx configuration file lives
After confirming that the production environment works normally, delete the original php container. (This naturally also deletes the virus file.)
Run the top command; CPU usage is back to normal.
In general, if the firewall and SELinux are disabled, the server should not expose too many unnecessary ports. When a problem occurs, the quickest approach is to use the process name to find the original location of the file and analyze it from there. When dealing with a mining virus, also check /etc/init.d and the cron scheduled tasks for anomalies.
In the future, you can also write a cron job or script.