
Worm Cleanup Steps

Cleanup steps for a JBoss worm infection

Symptoms:
1. The /tmp directory contains a very large number of files named sess_XXXXXXX.
2. The process list shows a large number of processes named pnscan.
   cat /var/log/cron | more
5. Use netstat -antp to see what network connections the suspicious processes are making.
6. Use find / -name 'pnscan*' to locate the file behind the process.
7. In the directory of the suspicious file, run ls -lash to see its exact timestamps and size.
8. Use ps -ef | grep pnscan | wc -l to count how many pnscan processes are running.

Cleanup procedure:
1. Kill the worm's processes, or the services and processes it depends on:
   Test:/usr/bin # killall -9 perl
   Test:/usr/bin # killall -9 pnscan
   Alternatively (press Enter after each command; in ps -efl output the PID is the fourth column):
   ps -efl | grep perl | awk '{print $4}' | xargs -ti kill -9 {}
   ps -efl | grep pnscan | awk '{print $4}' | xargs -ti kill -9 {}
2. Delete the suspicious files:
   Test:/tmp # rm -fr /tmp/sess_*
3. Uninstall wget:
   rpm -e wget
4. Delete the remaining files in the directory:
   Test:/tmp # rm -fr /tmp/sess_*
   -bash: /bin/rm: Argument list too long
   If the message above appears, delete them with the following commands instead:
   ls | xargs -n 10 rm -fr
   ls sess*

Cleanup steps for a different infection

Recently another kind of infection was encountered: the process list shows many wget/curl/sendmail actions, and killing the processes has no effect.

[root@NX-app2 ~]# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jan18 ? 00:59:52 init [5]
root 2 1 0 Jan18 ? 00:01:51 [migration/0]
root 3 1 0 Jan18 ? 00:00:14 [ksoftirqd/0]
root 4 1 0 Jan18 ? 00:00:00 [watchdog/0]
root 5 1 0 Jan18 ? 00:00:29 [migration/1]
root 300 1 0 09:53 ? 00:00:00 curl /israelis.against.the.war
root 302 1 0 09:53 ? 00:00:00 wget /israelis.against.the.war
root 304 1 0 09:53 ? 00:00:00 wget /israelis.against.the.war
root 306 1 0 09:53 ? 00:00:00 wget /israelis.against.the.war
root 308 1 0 09:53 ? 00:00:00 curl /israelis.against.the.war
root 310 1 0 09:53 ? 00:00:00 curl /israelis.against.the.war
root 312 1 0 09:53 ? 00:00:00 wget /israelis.against.the.war
root 314 1 0 09:53 ? 00:00:00 wget /israelis.against.the.war
root 316 1 0 09:53 ? 00:00:00 wget /israelis.against.the.war
root 318 1 0 09:53 ? 00:00:00 curl /israelis.against.the.war
root 320 1 0 09:53 ? 00:00:00 curl /israelis.against.the.war
root 322 1 0 09:53 ? 00:00:00 wget /israelis.against.the.war
root 324 1 0 09:53 ? 00:00:00 wget /israelis.against.the.war
root 326 1 0 09:53 ? 00:00:00 wget /israelis.against.the.war
root 328 1 0 09:53 ? 00:00:00 curl /israelis.against.the.war
root 330 1 0 09:53 ? 00:00:00 curl /israelis.against.the.war
root 332 1 0 09:53 ? 00:00:00 wget /israelis.against.the.war
root 334 1 0 09:53 ? 00:00:00 wget /israelis.against.the.war
root 336 1 0 09:53 ? 00:00:00 wget /israelis.against.the.war
root 338 1 0 09:53 ? 00:00:00 curl /israelis.against.the.war
root 340 1 0 09:53 ? 00:00:00 curl /israelis.against.the.war
root 342 1 0 09:53 ? 00:00:00 wget /israelis.against.the.war
root 344 1 0 09:53 ? 00:00:00 wget /israelis.against.the.war
root 346 1 0 09:53 ? 00:00:00 wget /israelis.against.the.war
root 348 1 0 09:53 ? 00:00:00 curl /israelis.against.the.war
root 350 1 0 09:53 ? 00:00:00 curl /israelis.against.the.war
root 352 1 0 09:53 ? 00:00:00 wget /israelis.against.the.war

[root@NX-app2 /]# ps -efl|grep curl |awk '{print $4}'|xargs -ti kill -9 {} \
>
kill -9 303
kill -9 305
kill -9 306
kill -9 307
kill -9 309
kill -9 310
kill -9 318
kill -9 319
kill -9 320
kill -9 321
kill -9 323
kill -9 324
kill -9 331
kill -9 333

and so on; none of it has any effect! At the same time, many index.php.*** / step.php*** junk files are created in the /root directory:

[root@NX-app2 ~]# pwd
/root
[root@NX-app2 ~]# ls
12321.txt index.php.1940 index.php.29.5 index.php.48 index.php.56.101 index.php.69.17 index.php.849 step.php?id=1.112.86 step.php?id=1.69.26
anaconda-ks.cfg index.php.19.40 index.php.2950 index.php.4.8 index.php.56.102 index.php.69.18 index.php.85 step.php?id=1.112.87 step.php?id=1.69.27
crap.pl index.php.1941 index.php.29.50 index.php.480 index.php.56.103 index.php.69.19 index.php.8.5 step.php?id=1.112.88 step.php?id=1.69.28
Desktop index.php.19.41 index.php.2951 index.php.481 index.php.56.104 index.php.692 index.php.850 step.php?id=1.112.89 step.php?id=1.69.29
flow.txt index.php.1942 index.php.29.51 index.php.48.1 index.php.56.105 index.php.69.2 index.php.851 step.php?id=1.11.29 step.php?id=1.69.3
hs_err_pid375.log index.php.19.42 index.php.2952 index.php.48.10 index.php.56.106 index.php.69.20 index.php.852 step.php?id=1.112.9 step.php?id=1.69.30
index.php index.php.1943 index.php.2953 index.php.482 index.php.56.107 index.php.69.21 index.php.853 step.php?id=1.112.90 step.php?id=1.69.31

The following command shows that killing the processes has no effect: after they are killed, the count keeps growing.

[root@NX-app2 ~]# ps -ef |grep curl |wc -l
263
[root@NX-app2 ~]# ps -ef |grep curl |wc -l
433

Cleanup method: find where curl is located and rename its directory, uninstall wget, and stop sendmail so that it cannot relay.

Finally, delete the junk files.
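As an added example (not part of the original document), the following POSIX shell helpers wrap the checks described in both procedures above: counting worm processes without counting the grep itself, detecting that the count is still growing after a kill, listing the parents that keep respawning the children, counting the index.php.* / step.php* junk in a directory, and deleting sess_* files in batches so that rm never hits "Argument list too long". The directory, pattern and process-name arguments are parameters chosen by the caller; the paths in the usage comment are those the text mentions.

```shell
#!/bin/sh
# Added example, not from the original document: triage helpers for the
# symptoms described above. Directory and pattern arguments are parameters,
# so the functions can be exercised against a scratch directory.

# Count processes whose command name matches PATTERN. Unlike
# "ps -ef | grep pnscan | wc -l", this does not count the grep itself.
count_procs() {
    ps -eo comm= | grep -c -- "$1" || true
}

# Sample the count twice, SECS apart (default 2). Succeeds if the count
# grew, i.e. something is still spawning new copies, which is the
# situation above where kill -9 appeared to have no effect.
is_respawning() {
    first=$(count_procs "$1")
    sleep "${2:-2}"
    second=$(count_procs "$1")
    [ "$second" -gt "$first" ]
}

# Show who spawns PATTERN processes: the distinct parent PIDs and the
# parent's command line. Killing the children is pointless while the
# parent survives.
show_parents() {
    ps -eo ppid=,comm= | awk -v p="$1" '$2 ~ p {print $1}' | sort -u |
    while read -r ppid; do ps -o pid=,args= -p "$ppid"; done
}

# Count the junk files named in the text (index.php.* and step.php*)
# directly under DIR.
count_junk() {
    find "$1" -maxdepth 1 -type f \( -name 'index.php.*' -o -name 'step.php*' \) |
    wc -l | tr -d ' '
}

# Remove files matching GLOB directly under DIR without tripping
# "Argument list too long": find hands the names to rm in batches.
# Prints how many files it removed.
purge_by_pattern() {
    n=$(find "$1" -maxdepth 1 -type f -name "$2" | wc -l | tr -d ' ')
    find "$1" -maxdepth 1 -type f -name "$2" -exec rm -f {} +
    echo "$n"
}

# Stand-alone usage against the paths from the text:
#   count_procs pnscan; show_parents curl
#   count_junk /root; purge_by_pattern /tmp 'sess_*'
```

Run show_parents before purging anything: if the parents are not the worm itself but a legitimate service such as cron or sendmail, that service is what has to be stopped first.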
