Server attacked by the sfewfesfs virus
joyqi · 2015-01-22

The sfewfesfs virus, also called the nhgbhhj virus, is a piece of malware that runs rampant on Linux servers. You can tell from the name that its author picked it at random, precisely to make it harder to notice. I used to think this sort of thing was far removed from me, but one careless operation nearly took down my personal VPS, so I am writing it down here as a warning to others.

How it started

Looking back, the cause is a bit embarrassing. I had recently become interested in Discourse, the up-and-coming forum software, and one of its features is that, like Disqus and Duoshuo, it can be embedded into an existing static site. So I wanted to try it out on Logecho.

I searched Baidu for its installation docs. To save effort I picked a Chinese article and followed it step by step; it turned out to be a very tedious procedure. A few steps in, I suddenly remembered that Discourse apparently had a Docker-based install, so I went to its official site, found the recommended installation process, and it was very simple, done in a few steps.

But as mentioned above, I had left one install procedure half done, and as bad luck would have it, I had got exactly as far as the step that creates a user named admin:

$ sudo adduser admin
$ sudo adduser admin sudo

To make logging in convenient I had even changed admin's password to 12345. At that point I went off to look for other install docs, and the whole thing slipped my mind. Anyone with a clue can see immediately how dangerous it is to leave behind a high-privilege account with a weak password like that; I only meant to use it temporarily and delete it right afterwards.

And that is how disasters tend to happen when you least expect them...

Things go wrong

Around noon the next day I was running a data import script on the VPS when I suddenly noticed the terminal was responding very slowly and the program had hung. I assumed the network was just acting up and ignored it. But a moment later I received alert emails from Linode, two at once: CPU and network load had both exceeded their limits. I realised I had probably been compromised.

By then the system was so sluggish and the network so congested that I could no longer reach the host over ssh. The graphs below show the state of the system at the time:

[Image: network load graph]

[Image: CPU load graph]

Fortunately Linode offers a browser-based real-time console. As soon as I got in I found a process named nhgbhhj consuming a very high load. A web search confirmed that it is a piece of malware whose purpose is to send packets continuously until your bandwidth is saturated. The information online was all quite old, and the methods it gave did not remove the program effectively, so I worked it out on my own.

Analysis

The first step, naturally, was to kill the process. That only treats the symptom, not the cause, but it did bring the system load down immediately so that I could log back in through the terminal. Next was to find the files behind these processes; according to what I had read they should be under /tmp, and sure enough the directory held a heap of odd-looking files:

[Image: /tmp listing]

I removed those files and killed the corresponding processes, but found that a file called conf.n would not go away: I would delete it and it would reappear on its own.

[Image: conf.n]

I suspected that many processes were still not killed off, and then discovered that the directory also held a lot of hidden files, for example ones beginning with .ssh:

[Image: .ssh hidden files]

A cunning rabbit keeps three burrows indeed. After I deleted all that junk, conf.n never came back, so I judged it was finally cleaned out.
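The manual triage above (hidden files under /tmp, a file that keeps coming back, processes that were not fully killed) can be scripted. The following is an added example, not code from the original post: triage_dir lists hidden entries and executable files under a directory, and procs_from_dir finds running processes whose binary lives under that directory by reading /proc, which also catches a process whose file has already been deleted from disk. The directory and file names built in demo_triage are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original post): triage helpers for a directory such
# as /tmp. Names, paths and the sample contents created in demo_triage are constructed.

# triage_dir DIR: list hidden entries directly under DIR and every executable regular
# file below it, each line tagged so the output is easy to filter.
triage_dir() {
    dir="$1"
    # hidden names start with a dot (the post found .ssh-prefixed files this way)
    find "$dir" -mindepth 1 -maxdepth 1 -name '.*' | sed 's/^/hidden: /'
    # executable regular files (owner execute bit, octal 0100, set)
    find "$dir" -type f -perm -100 | sed 's/^/executable: /'
}

# procs_from_dir DIR: print PIDs of running processes whose binary resolves to a path
# under DIR. Killing by name misses renamed copies; the executable path is harder to
# hide. A deleted binary shows up as "/path (deleted)" and still matches, which is how
# a process that keeps re-creating its files can be spotted. Linux /proc only; prints
# nothing elsewhere. Processes of other users may need root to be inspected.
procs_from_dir() {
    dir="$1"
    [ -d /proc ] || return 0
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            "$dir"/*)
                pid=${exe#/proc/}
                echo "pid ${pid%/exe}: $target"
                ;;
        esac
    done
}

# demo_triage: build a constructed directory resembling the post's /tmp and triage it.
demo_triage() {
    d=$(mktemp -d)
    mkdir "$d/.ssh-like"                          # hidden directory (constructed)
    printf '#!/bin/sh\nsleep 1\n' > "$d/nhgbhhj"  # executable; name taken from the post
    chmod 700 "$d/nhgbhhj"
    : > "$d/conf.n"                               # plain data file (constructed)
    triage_dir "$d"
    procs_from_dir "$d"
    rm -rf "$d"
}

demo_triage
```

Run procs_from_dir before deleting anything: a process listed there will recreate its files until it is stopped, which is the behaviour the post observed with conf.n.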

Plugging the hole

First, the admin account with the weak password had to be dealt with. To be more thorough I simply disabled password logins altogether: in /etc/ssh/sshd_config find

PasswordAuthentication yes

change yes to no, then restart the ssh service.
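One detail worth checking after making that edit: sshd uses the first uncommented occurrence of a keyword, and a keyword inside a Match block applies only to the connections that block matches, so a "PasswordAuthentication no" further down the file does not fix a "yes" above it. The following is an added example, not from the original post: an awk-based reader that reports the effective global value of a keyword, plus a check for the weak setting the post found. The sample configs in demo_sshd_check are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post). Reads sshd_config the way sshd does
# for global settings: first uncommented occurrence wins, and anything after the first
# "Match" line is conditional rather than global. The "Key=value" spelling sshd also
# accepts is not handled here (simplification).

# effective_sshd_value FILE KEYWORD: print the global value, or "default" if unset.
effective_sshd_value() {
    awk -v key="$2" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }   # drop comments and indentation
        /^$/ { next }
        tolower($1) == "match" { inmatch = 1 }   # rest of file is conditional
        inmatch { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# check_password_auth FILE: "ok" when password logins are disabled globally, else
# "weak" (sshd defaults PasswordAuthentication to yes when it is not set).
check_password_auth() {
    case "$(effective_sshd_value "$1" PasswordAuthentication)" in
        no) echo ok ;;
        *)  echo weak ;;
    esac
}

# demo_sshd_check: constructed sample with the post's weak setting, then the fix.
demo_sshd_check() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin prohibit-password
Match User deploy
    PasswordAuthentication no
EOF
    echo "sample: $(effective_sshd_value "$f" PasswordAuthentication) -> $(check_password_auth "$f")"
    # the fix from the post: change yes to no on the first uncommented line
    sed 's/^PasswordAuthentication yes/PasswordAuthentication no/' "$f" > "$f.new" \
        && mv "$f.new" "$f"
    echo "fixed:  $(effective_sshd_value "$f" PasswordAuthentication) -> $(check_password_auth "$f")"
    rm -f "$f"
}

demo_sshd_check
```

Before restarting the service, run `sshd -t` to validate the file, confirm that key-based login already works for your own account, and keep the current session open until a fresh login succeeds; otherwise a typo in sshd_config locks you out of the very host you are repairing.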

Summary

First, keep the security string taut at all times. You may do everything else well, and a single lapse can still undo it all.

Think about the consequences of every operation you perform on a server, and never give up a security baseline for the sake of convenience. Most password-guessing scanners today sweep the entire internet around the clock; a weak password has no chance of escaping by luck. If you don't believe it, take a look at your own login log:

root@localhost:/tmp# cat /var/log/auth.log | grep admin
Jan 19 08:23:48 localhost sshd[22552]: Invalid user www-admin from 180.150.177.103
Jan 19 08:23:48 localhost sshd[22552]: input_userauth_request: invalid user www-admin [preauth]
Jan 19 08:23:51 localhost sshd[22552]: Failed password for invalid user www-admin from 180.150.177.103 port 40628 ssh2
Jan 19 08:24:51 localhost sshd[22592]: Invalid user www-admin from 180.150.177.103
Jan 19 08:24:51 localhost sshd[22592]: input_userauth_request: invalid user www-admin [preauth]
Jan 19 08:24:53 localhost sshd[22592]: Failed password for invalid user www-admin from 180.150.177.103 port 35412 ssh2
Jan 19 08:26:28 localhost sshd[22658]: Invalid user www-admin from 180.150.177.103
Jan 19 08:26:28 localhost sshd[22658]: input_userauth_request: invalid user www-admin [preauth]
Jan 19 08:26:30 localhost sshd[22658]: Failed password for invalid user www-admin from 180.150.177.103 port 58053 ssh2
Jan 19 08:27:29 localhost sshd[22704]: Invalid user www-admin from 180.150.177.103
Jan 19 08:27:29 localhost sshd[22704]: input_userauth_request: invalid user www-admin [preauth]
Jan 19 08:27:32 localhost sshd[22704]: Failed password for invalid user www-admin from 180.150.177.103 port 52837 ssh2
Jan 19 11:01:07 localhost sshd[29337]: Invalid user wwwadmin from 180.150.177.103
Jan 19 11:01:07 localhost sshd[29337]: input_userauth_request: invalid user wwwadmin [preauth]
Jan 19 11:01:09 localhost sshd[29337]: Failed password for invalid user wwwadmin from 180.150.177.103 port 33113 ssh2
Jan 19 11:02:01 localhost sshd[29366]: Invalid user wwwadmin from 180.150.177.103
Jan 19 11:02:01 localhost sshd[29366]: input_userauth_request: invalid user wwwadmin [preauth]
Jan 19 11:02:03 localhost sshd[29366]: Failed password for invalid user wwwadmin from 180.150.177.103 port 56130 ssh2
Jan 19 15:35:37 localhost sshd[7495]: Invalid user gitadmin from 202.85.211.206
Jan 19 15:35:37 localhost sshd[7495]: input_userauth_request: invalid user gitadmin [preauth]
Jan 19 15:35:39 localhost sshd[7495]: Failed password for invalid user gitadmin from 202.85.211.206 port 48362 ssh2
Jan 19 15:38:38 localhost sshd[7735]: Invalid user pgadmin from 202.85.211.206
Jan 19 15:38:38 localhost sshd[7735]: input_userauth_request: invalid user pgadmin [preauth]
Jan 19 15:38:41 localhost sshd[7735]: Failed password for invalid user pgadmin from 202.85.211.206 port 49705 ssh2
Jan 19 15:38:42 localhost sshd[7739]: Invalid user pgadmin from 202.85.211.206
Jan 19 15:38:42 localhost sshd[7739]: input_userauth_request: invalid user pgadmin [preauth]
Jan 19 15:38:44 localhost sshd[7739]: Failed password for invalid user pgadmin from 202.85.211.206 port 50784 ssh2
Jan 19 15:38:45 localhost sshd[7741]: Invalid user pgadmin from 202.85.211.206
Jan 19 15:38:45 localhost sshd[7741]: input_userauth_request: invalid user pgadmin [preauth]
Jan 19 15:38:47 localhost sshd[7741]: Failed password for invalid user pgadmin from 202.85.211.206 port 51875 ssh2
Jan 19 15:38:48 localhost sshd[7745]: Invalid user pgadmin from 202.85.211.206
Jan 19 15:38:48 localhost sshd[7745]: input_userauth_request: invalid user pgadmin [preauth]
Jan 19 15:38:50 localhost sshd[7745]: Failed password for invalid user pgadmin from 202.85.211.206 port 52905 ssh2
Jan 19 15:38:52 localhost sshd[7760]: Invalid user pgadmin from 202.85.211.206
Jan 19 15:38:52 localhost sshd[7760]: input_userauth_request: invalid user pgadmin [preauth]
Jan 19 15:38:53 localhost sshd[7760]: Failed password for invalid user pgadmin from 202.85.211.206 port 54193 ssh2
Jan 19 15:39:19 localhost sshd[7800]: Invalid user wasadmin from 202.85.211.206
Jan 19 15:39:19 localhost sshd[7800]: input_userauth_request: invalid user wasadmin [preauth]
Jan 19 15:39:21 localhost sshd[7800]: Failed password for invalid user wasadmin from 202.85.211.206 port 35276 ssh2
Jan 19 15:39:34 localhost sshd[7829]: Invalid user db2admin from 202.85.211.206
Jan 19 15:39:34 localhost sshd[7829]: input_userauth_request: invalid user db2admin [preauth]
Jan 19 15:39:35 localhost sshd[7829]: Failed password for invalid user db2admin from 202.85.211.206 port 40124 ssh2
Jan 19 15:40:16 localhost sshd[7880]: Invalid user cvsadmin from 202.85.211.206
Jan 19 15:40:16 localhost sshd[7880]: input_userauth_request: invalid user cvsadmin [preauth]
Jan 19 15:40:17 localhost sshd[7880]: Failed password for invalid user cvsadmin from 202.85.211.206 port 54468 ssh2
Jan 19 15:40:18 localhost sshd[7884]: Invalid user cvsadmin from 202.85.211.206
Jan 19 15:40:18 localhost sshd[7884]: input_userauth_request: invalid user cvsadmin [preauth]
Jan 19 15:40:21 localhost sshd[7884]: Failed password for invalid user cvsadmin from 202.85.211.206 port 55489 ssh2
Jan 19 15:40:22 localhost sshd[7899]: Invalid user cvsadmin from 202.85.211.206
Jan 19 15:40:22 localhost sshd[7899]: input_userauth_request: invalid user cvsadmin [preauth]
Jan 19 15:40:24 localhost sshd[7899]: Failed password for invalid user cvsadmin from 202.85.211.206 port 56596 ssh2
Jan 19 15:40:25 localhost sshd[7901]: Invalid user cvsadmin from 202.85.211.206
Jan 19 15:40:25 localhost sshd[7901]: input_userauth_request: invalid user cvsadmin [preauth]
Jan 19 15:40:27 localhost sshd[7901]: Failed password for invalid user cvsadmin from 202.85.211.206 port 57620 ssh2
Jan 19 15:40:28 localhost sshd[7903]: Invalid user cvsadmin from 202.85.211.206
Jan 19 15:40:28 localhost sshd[7903]: input_userauth_request: invalid user cvsadmin [preauth]
Jan 19 15:40:30 localhost sshd[7903]: Failed password for invalid user cvsadmin from 202.85.211.206 port 58645 ssh2
Jan 19 17:24:31 localhost sshd[14524]: Invalid user gitadmin from 202.85.211.206
Jan 19 17:24:31 localhost sshd[14524]: input_userauth_request: invalid user gitadmin [preauth]
Jan 19 17:24:33 localhost sshd[14524]: Failed password for invalid user gitadmin from 202.85.211.206 port 33227 ssh2
Jan 19 17:27:05 localhost sshd[14779]: Invalid user pgadmin from 202.85.211.206
Jan 19 17:27:05 localhost sshd[14779]: input_userauth_request: invalid user pgadmin [preauth]
Jan 19 17:27:07 localhost sshd[14779]: Failed password for invalid user pgadmin from 202.85.211.206 port 33521 ssh2
Jan 19 17:27:08 localhost sshd[14785]: Invalid user pgadmin from 202.85.211.206
Jan 19 17:27:08 localhost sshd[14785]: input_userauth_request: invalid user pgadmin [preauth]
Jan 19 17:27:10 localhost sshd[14785]: Failed password for invalid user pgadmin from 202.85.211.206 port 34578 ssh2
Jan 19 17:27:10 localhost sshd[14787]: Invalid user pgadmin from 202.85.211.206
Jan 19 17:27:10 localhost sshd[14787]: input_userauth_request: invalid user pgadmin [preauth]
Jan 19 17:27:12 localhost sshd[14787]: Failed password for invalid user pgadmin from 202.85.211.206 port 35593 ssh2
Jan 19 17:27:13 localhost sshd[14791]: Invalid user pgadmin from 202.85.211.206
Jan 19 17:27:13 localhost sshd[14791]: input_userauth_request: invalid user pgadmin [preauth]
Jan 19 17:27:15 localhost sshd[14791]: Failed password for invalid user pgadmin from 202.85.211.206 port 36610 ssh2
Jan 19 17:27:15 localhost sshd[14793]: Invalid user pgadmin from 202.85.211.206
Jan 19 17:27:15 localhost sshd[14793]: input_userauth_request: invalid user pgadmin [preauth]
Jan 19 17:27:17 localhost sshd[14793]: Failed password for invalid user pgadmin from 202.85.211.206 port 37616 ssh2
Jan 19 17:27:39 localhost sshd[14836]: Invalid user wasadmin from 202.85.211.206
Jan 19 17:27:39 localhost sshd[14836]: input_userauth_request: invalid user wasadmin [preauth]
Jan 19 17:27:40 localhost sshd[14836]: Failed password for invalid user wasadmin from 202.85.211.206 port 46739 ssh2
Jan 19 17:27:51 localhost sshd[14854]: Invalid user db2admin from 202.85.211.206
Jan 19 17:27:51 localhost sshd[14854]: input_userauth_request: invalid user db2admin [preauth]
Jan 19 17:27:53 localhost sshd[14854]: Failed password for invalid user db2admin from 202.85.211.206 port 51364 ssh2
Jan 19 17:28:28 localhost sshd[14926]: Invalid user cvsadmin from 202.85.211.206
Jan 19 17:28:28 localhost sshd[14926]: input_userauth_request: invalid user cvsadmin [preauth]
Jan 19 17:28:30 localhost sshd[14926]: Failed password for invalid user cvsadmin from 202.85.211.206 port 37019 ssh2
Jan 19 17:28:31 localhost sshd[14930]: Invalid user cvsadmin from 202.85.211.206
Jan 19 17:28:31 localhost sshd[14930]: input_userauth_request: invalid user cvsadmin [preauth]
Jan 19 17:28:33 localhost sshd[14930]: Failed password for invalid user cvsadmin from 202.85.211.206 port 38037 ssh2
Jan 19 17:28:34 localhost sshd[14932]: Invalid user cvsadmin from 202.85.211.206
Jan 19 17:28:34 localhost sshd[14932]: input_userauth_request: invalid user cvsadmin [preauth]
Jan 19 17:28:36 localhost sshd[14932]: Failed password for invalid user cvsadmin from 202.85.211.206 port 39119 ssh2
Jan 19 17:28:37 localhost sshd[14936]: Invalid user cvsadmin from 202.85.211.206
Jan 19 17:28:37 localhost sshd[14936]: input_userauth_request: invalid user cvsadmin [preauth]
Jan 19 17:28:39 localhost sshd[14936]: Failed password for invalid user cvsadmin from 202.85.211.206 port 40179 ssh2

This time, fortunately, I noticed in time, and I happened to be logged in. Had I been compromised without noticing, the provider might well have suspended service, and the loss would have been far greater.
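The grep above shows the raw lines; what a defender usually wants from auth.log is a count per source address and per user name tried, so that a sweep like the one in the log stands out from ordinary typos. The following is an added example, not from the original post: shell functions that summarise sshd "Failed password" lines by source and by user, and list sources at or above a threshold. The log lines in write_sample_log are constructed (documentation addresses, invented PIDs) but follow the same format as the excerpt above.

```shell
#!/bin/sh
# Added example (not part of the original post): summarise sshd failures in an
# auth.log-style file. Sample data is constructed; run the functions against
# /var/log/auth.log for real data.

# Only "Failed password" lines count; "Invalid user" and "Accepted" lines are skipped.
failed_lines() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1"
}

# failed_by_ip FILE: "count address" lines, most frequent first.
failed_by_ip() {
    failed_lines "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# failed_by_user FILE: "count user" lines; handles both "for USER" (existing account)
# and "for invalid user USER" (account does not exist).
failed_by_user() {
    failed_lines "$1" \
    | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "for") {
                if ($(i + 1) == "invalid") print $(i + 3); else print $(i + 1)
                break
            }
      }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# top_ip FILE: the single address with the most failures.
top_ip() {
    failed_by_ip "$1" | head -n 1 | awk '{ print $2 }'
}

# noisy_sources FILE N: addresses with at least N failures (candidates for blocking).
noisy_sources() {
    failed_by_ip "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

# write_sample_log FILE: constructed lines in the post's auth.log format.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 19 08:23:48 localhost sshd[22552]: Invalid user www-admin from 192.0.2.10
Jan 19 08:23:51 localhost sshd[22552]: Failed password for invalid user www-admin from 192.0.2.10 port 40628 ssh2
Jan 19 08:24:53 localhost sshd[22592]: Failed password for invalid user www-admin from 192.0.2.10 port 35412 ssh2
Jan 19 08:26:30 localhost sshd[22658]: Failed password for invalid user pgadmin from 192.0.2.10 port 58053 ssh2
Jan 19 09:10:02 localhost sshd[23001]: Failed password for root from 198.51.100.7 port 51000 ssh2
Jan 19 09:15:44 localhost sshd[23120]: Accepted publickey for alice from 203.0.113.5 port 52210 ssh2
EOF
}

# Demo on the constructed sample.
demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "failures by source:";            failed_by_ip "$demo_log"
echo "failures by user:";              failed_by_user "$demo_log"
echo "sources with 3 or more failures:"; noisy_sources "$demo_log" 3
rm -f "$demo_log"
```

On a real host the counts are the useful number: a handful of failures from one address is a typo, hundreds spread over many user names is a scanner, and once password logins are disabled as in the previous section those attempts fail before a password is ever checked.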

Reposted from: http://www.l4zy.com/posts/hacked-by-sfewfesfs.html