I scanned with ClamAV and found these files:
[root@ip-172-31-23-37 ~]# sudo clamscan --infected --recursive --exclude-dir="^/sys" /
/tmp/.X25-unix/dota3.tar.gz: Multios.Coinminer.Miner-6781728-2 FOUND
/tmp/.X25-unix/.rsync/a/kswapd0: Multios.Coinminer.Miner-6781728-2 FOUND
I have deleted these files along with the parent folder, but the process is still running:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
31107 root 20 0 1304592 1.1g 6960 R 98.0 31.2 44:22.94 clamscan
2474 root 20 0 714000 267428 2896 S 50.0 7.0 0:09.11 kswapd0
28253 1008 20 0 712144 264716 0 S 50.0 7.0 2290:36 kswapd0
Trying to kill it:
[root@ip-172-31-23-37 /]# ll /proc/2474/exe
lrwxrwxrwx 1 root root 0 Dec 10 16:36 /proc/2474/exe -> /tmp/.X25-unix/.rsync/a/kswapd0 (deleted)
[root@ip-172-31-23-37 /]# killall kswapd0
[root@ip-172-31-23-37 /]# pidof kswapd0
432
[root@ip-172-31-23-37 /]# kill 432
[root@ip-172-31-23-37 /]# kill -9 432
[root@ip-172-31-23-37 /]# pidof kswapd0
432
[root@ip-172-31-23-37 /]# ll /proc/432/exe
ls: cannot read symbolic link /proc/432/exe: No such file or directory
lrwxrwxrwx 1 root root 0 Dec 10 16:37 /proc/432/exe
[root@ip-172-31-23-37 /]# killall kswapd0
[root@ip-172-31-23-37 /]# killall kswapd0
[root@ip-172-31-23-37 /]# killall -9 kswapd0
[root@ip-172-31-23-37 /]# killall -9 kswapd0
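Even after being killed this many times, the process still exists. How do I force-kill it and prevent it from coming back/running again?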
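
The transcript above shows two different kinds of process named kswapd0: PID 2474 runs from a deleted file under /tmp, while /proc/432/exe cannot be read at all, which is how a kernel thread appears. As an added example (not part of the original post), this script classifies same-named processes by their exe link; the function names and the sample tree are constructed for illustration.

```bash
#!/bin/sh
# Added example: tell a kernel thread apart from a user-space process that
# borrows its name, using the /proc/<pid>/exe link.

# classify_exe PROC_ROOT PID -> prints one verdict
classify_exe() {
    local root="$1" pid="$2" target suffix=" (deleted)"
    # Kernel threads have no backing executable, so readlink fails on exe.
    # Run as root: without permission, readlink also fails for other users' PIDs.
    if ! target=$(readlink "$root/$pid/exe" 2>/dev/null); then
        echo "kernel-thread"
        return
    fi
    case $target in
        *"$suffix") echo "deleted-binary ${target%"$suffix"}" ;;
        /tmp/*|/var/tmp/*|/dev/shm/*) echo "temp-dir-binary $target" ;;
        *) echo "on-disk $target" ;;
    esac
}

# scan_by_name PROC_ROOT NAME -> "PID verdict" for each process whose comm is NAME
scan_by_name() {
    local root="$1" name="$2" dir pid
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        [ "$(cat "$dir/comm")" = "$name" ] || continue
        pid=${dir##*/}
        echo "$pid $(classify_exe "$root" "$pid")"
    done
}

# Constructed sample tree mirroring PIDs from the post (not a real /proc).
make_sample_proc() {
    local root
    root=$(mktemp -d)
    mkdir "$root/432" "$root/2474" "$root/900"
    echo kswapd0 > "$root/432/comm"          # no exe link: kernel thread
    echo kswapd0 > "$root/2474/comm"
    ln -s "/tmp/.X25-unix/.rsync/a/kswapd0 (deleted)" "$root/2474/exe"
    echo sshd > "$root/900/comm"
    ln -s /usr/sbin/sshd "$root/900/exe"
    echo "$root"
}

sample=$(make_sample_proc)
scan_by_name "$sample" kswapd0
rm -rf "$sample"
```

On a live host, run `scan_by_name /proc kswapd0` as root; any verdict other than `kernel-thread` for that name deserves investigation.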