Server infected
My Alibaba Cloud server suddenly got attacked and a mining virus showed up.
It just suddenly felt like the server was very laggy and downloading software was slow, and then the Alibaba Cloud console warned about a performance constraint. Damn.
Surely it isn't Redis? (Definitely not -。-)
[root@iZ9qxqyeu3kf5oZ bin]# top
top - 17:39:43 up 72 days, 3:21, 2 users, load average: 1.35, 1.40, 1.46
Tasks: 92 total, 2 running, 89 sleeping, 0 stopped, 1 zombie
%Cpu0 :100.0 us, 0.0 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 1882024 total, 399984 free, 925596 used, 556444 buff/cache
KiB Swap: 0 total, 0 free, 0 used. 805940 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
17017 root 20 0 735436 5248 1084 S 99.7 0.3 2652:04 trace
1 root 20 0 43648 3724 2244 S 0.0 0.2 1:36.63 systemd
2 root 20 0 0 0 0 S 0.0 0.0 0:00.21 kthreadd
CPU usage at 99.7%, damn, so off to search Baidu.
[root@iZ9qxqyeu3kf5oZ redis-6.0.6]# ps -ef|grep 17017
root 17017 1 99 Oct31 ? 1-20:19:02 ./trace
root 21972 21924 0 17:46 pts/1 00:00:00 grep --color=auto 17017
A foreign IP, 51.255.34.79, from Gravelines, Hauts-de-France, France.
[root@iZ9qxqyeu3kf5oZ redis-6.0.6]# netstat -antpl|grep 17017
tcp 0 0 172.17.193.159:41332 51.255.34.79:14444 ESTABLISHED 17017/./trace
And it's running as root, damn++.
Kill it right away:
kill -s 9 17017
The system is back to normal. At this point it's basically safe to conclude that the root password is no longer secure. Luckily it's my own server; quickly change the password and add a firewall.
Log in as root and change the password (enter the new password twice):
passwd
Check the firewall status:
systemctl status firewalld
or
firewall-cmd --state
If it isn't running, start it:
systemctl start firewalld
But then won't it be inconvenient for my own use? Configure it, starting by viewing the firewall rules:
firewall-cmd --list-all
1. Open a port
firewall-cmd --zone=public --add-port=5672/tcp --permanent # open port 5672
firewall-cmd --zone=public --remove-port=5672/tcp --permanent # close port 5672
firewall-cmd --reload # make the configuration take effect immediately
2. List all ports opened in the firewall
firewall-cmd --zone=public --list-ports
Check whether any extra users have been added.
List the users that can log in:
cat /etc/passwd | grep -v /sbin/nologin | cut -d : -f 1
List all users:
cut -d : -f 1 /etc/passwd
Sure enough, there is an extra user, epmd, at the bottom.
To find out when the user was created: clearly no folder was created for it under /home, so check by reading the log.
cat /var/log/secure
Damn, the log is where it gets really interesting.
[root@iZ9qxqyeu3kf5oZ home]# cat /var/log/secure
Nov 1 04:40:31 iZ9qxqyeu3kf5oZ sshd[18950]: Connection closed by 89.248.174.3 port 59086 [preauth]
Nov 1 08:37:32 iZ9qxqyeu3kf5oZ sshd[19169]: Did not receive identification string from 106.15.52.246 port 54138
Nov 1 11:02:31 iZ9qxqyeu3kf5oZ sshd[19319]: Did not receive identification string from 39.107.14.208 port 37522
Nov 1 16:23:02 iZ9qxqyeu3kf5oZ sshd[19610]: Did not receive identification string from 47.100.130.114 port 46930
...
Nov 2 15:38:07 iZ9qxqyeu3kf5oZ sshd[21483]: Disconnected from 78.154.225.177 port 33161 [preauth]
Nov 2 15:38:23 iZ9qxqyeu3kf5oZ sshd[21485]: Invalid user admin from 78.154.225.177 port 33404
Nov 2 15:38:23 iZ9qxqyeu3kf5oZ sshd[21485]: input_userauth_request: invalid user admin [preauth]
Nov 2 15:38:24 iZ9qxqyeu3kf5oZ sshd[21485]: pam_unix(sshd:auth): check pass; user unknown
Nov 2 15:38:24 iZ9qxqyeu3kf5oZ sshd[21485]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=78.154.225.177
Nov 2 15:38:26 iZ9qxqyeu3kf5oZ sshd[21485]: Failed password for invalid user admin from 78.154.225.177 port 33404 ssh2
Nov 2 15:38:27 iZ9qxqyeu3kf5oZ sshd[21485]: Received disconnect from 78.154.225.177 port 33404:11: Bye Bye [preauth]
Nov 2 15:38:27 iZ9qxqyeu3kf5oZ sshd[21485]: Disconnected from 78.154.225.177 port 33404 [preauth]
Nov 2 15:38:34 iZ9qxqyeu3kf5oZ sshd[21487]: Invalid user admin from 78.154.225.177 port 33868
Nov 2 15:38:34 iZ9qxqyeu3kf5oZ sshd[21487]: input_userauth_request: invalid user admin [preauth]
Nov 2 15:38:35 iZ9qxqyeu3kf5oZ sshd[21487]: pam_unix(sshd:auth): check pass; user unknown
Nov 2 15:38:35 iZ9qxqyeu3kf5oZ sshd[21487]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=78.154.225.177
Nov 2 15:38:37 iZ9qxqyeu3kf5oZ sshd[21487]: Failed password for invalid user admin from 78.154.225.177 port 33868 ssh2
Nov 2 15:38:38 iZ9qxqyeu3kf5oZ sshd[21487]: Received disconnect from 78.154.225.177 port 33868:11: Bye Bye [preauth]
Nov 2 15:38:38 iZ9qxqyeu3kf5oZ sshd[21487]: Disconnected from 78.154.225.177 port 33868 [preauth]
Nov 2 17:11:29 iZ9qxqyeu3kf5oZ sshd[21872]: Accepted password for hello from 36.27.17.175 port 56022 ssh2
Nov 2 17:11:30 iZ9qxqyeu3kf5oZ sshd[21872]: pam_unix(sshd:session): session opened for user hello by (uid=0)
Nov 2 17:30:18 iZ9qxqyeu3kf5oZ su: pam_unix(su:session): session opened for user root by hello(uid=1002)
Nov 2 17:54:49 iZ9qxqyeu3kf5oZ polkitd[21999]: Loading rules from directory /etc/polkit-1/rules.d
Nov 2 17:54:49 iZ9qxqyeu3kf5oZ polkitd[21999]: Loading rules from directory /usr/share/polkit-1/rules.d
Nov 2 17:54:49 iZ9qxqyeu3kf5oZ polkitd[21999]: Finished loading, compiling and executing 2 rules
Nov 2 17:54:49 iZ9qxqyeu3kf5oZ polkitd[21999]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Nov 2 17:54:49 iZ9qxqyeu3kf5oZ polkitd[21999]: Registered Authentication Agent for unix-process:21994:623382541 (system bus name :1.24557 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Nov 2 17:54:49 iZ9qxqyeu3kf5oZ polkitd[21999]: Unregistered Authentication Agent for unix-process:21994:623382541 (system bus name :1.24557, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Nov 2 18:06:14 iZ9qxqyeu3kf5oZ passwd: pam_unix(passwd:chauthtok): password changed for root
Nov 2 18:06:21 iZ9qxqyeu3kf5oZ su: pam_unix(su:session): session closed for user root
Nov 2 18:06:29 iZ9qxqyeu3kf5oZ su: pam_unix(su:session): session opened for user root by hello(uid=1002)
Nov 2 18:23:53 iZ9qxqyeu3kf5oZ su: pam_unix(su:session): session opened for user epmd by hello(uid=0)
Nov 2 18:23:53 iZ9qxqyeu3kf5oZ su: pam_unix(su:session): session closed for user epmd
The key lines are these:
Nov 1 16:23:02 iZ9qxqyeu3kf5oZ sshd[19610]: Did not receive identification string from 47.100.130.114 port 46930
Nov 2 15:38:23 iZ9qxqyeu3kf5oZ sshd[21485]: input_userauth_request: invalid user admin [preauth]
Nov 2 15:38:24 iZ9qxqyeu3kf5oZ sshd[21485]: pam_unix(sshd:auth): check pass; user unknown
Nov 2 15:38:24 iZ9qxqyeu3kf5oZ sshd[21485]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=78.154.225.177
And the last one. Damn, really hacked; the user disconnected.
Nov 2 18:23:53 iZ9qxqyeu3kf5oZ su: pam_unix(su:session): session closed for user epmd
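To pull the same findings out of /var/log/secure mechanically (repeated failed passwords per source address, accepted logins, and su into an account you did not expect, like epmd), here is an added Python example that is not from the original post. The sample input is a constructed subset of the log lines shown above; the alert threshold is an assumed value.

```python
import re
from collections import Counter

# Constructed sample: a subset of the /var/log/secure lines from the post.
SAMPLE_SECURE_LOG = """\
Nov 2 15:38:23 iZ9qxqyeu3kf5oZ sshd[21485]: Invalid user admin from 78.154.225.177 port 33404
Nov 2 15:38:26 iZ9qxqyeu3kf5oZ sshd[21485]: Failed password for invalid user admin from 78.154.225.177 port 33404 ssh2
Nov 2 15:38:37 iZ9qxqyeu3kf5oZ sshd[21487]: Failed password for invalid user admin from 78.154.225.177 port 33868 ssh2
Nov 2 17:11:29 iZ9qxqyeu3kf5oZ sshd[21872]: Accepted password for hello from 36.27.17.175 port 56022 ssh2
Nov 2 17:30:18 iZ9qxqyeu3kf5oZ su: pam_unix(su:session): session opened for user root by hello(uid=1002)
Nov 2 18:23:53 iZ9qxqyeu3kf5oZ su: pam_unix(su:session): session opened for user epmd by hello(uid=0)
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port \d+")
SU_RE = re.compile(r"su: pam_unix\(su:session\): session opened for user (\S+) by ([^(]+)\(uid=\d+\)")

def failed_by_host(log_text):
    """Count failed password attempts per source address (brute-force signal)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)

def accepted_logins(log_text):
    """Return (user, source_ip, method) for every successful sshd login."""
    hits = [ACCEPTED_RE.search(line) for line in log_text.splitlines()]
    return [(m.group(2), m.group(3), m.group(1)) for m in hits if m]

def su_to_unexpected(log_text, expected_targets=("root",)):
    """Return (target_user, invoking_user) for su sessions opened into accounts
    outside the expected set, e.g. the epmd account the post discovered."""
    hits = [SU_RE.search(line) for line in log_text.splitlines()]
    return [(m.group(1), m.group(2)) for m in hits if m and m.group(1) not in expected_targets]

def triage(log_text, threshold=2):
    """Summarise the log; threshold is an assumed number of failures per host worth flagging."""
    return {
        "brute_force_sources": sorted(h for h, n in failed_by_host(log_text).items() if n >= threshold),
        "accepted": accepted_logins(log_text),
        "unexpected_su": su_to_unexpected(log_text),
    }

if __name__ == "__main__":
    # On a real host: triage(open("/var/log/secure").read())
    print(triage(SAMPLE_SECURE_LOG))
```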
Seeing page after page of connection attempts, I think it's better to limit the number of login attempts allowed for root. See the details here.