The sfewfesfs virus, also called the nhgbhhj virus, is a piece of malware that runs rampant on Linux servers. You can tell from the name that its author picked it at random, precisely to make it harder to notice. I used to think this sort of thing was far removed from me, but one careless operation nearly took down my personal VPS, so I am writing it up here as a warning to everyone.
Looking back, the cause was honestly a bit silly. I had recently become interested in Discourse, a newer forum platform, partly because it has a feature that lets it be embedded into an existing static site the way Disqus and Duoshuo can, so I wanted to try it out in Logecho.
I searched Baidu for its installation documentation and started following the steps. To save effort I picked a Chinese-language document, and it turned out that installation procedure was very tedious. A few steps in, I suddenly remembered that Discourse seemed to have a Docker-based install, so I went to its official site and found the recommended install procedure, which was very simple: done in a few steps.
But as I mentioned above, I had left one install procedure half finished, and as luck would have it, I had stopped right at the step that creates a user named admin:
$ sudo adduser admin
$ sudo adduser admin sudo
To make logging in easier, I even deliberately changed admin's password to 12345. At that point I went off looking for other install documents and the matter slipped my mind entirely. Anyone with any sense can see immediately how dangerous it is to leave behind a high-privilege account with such a weak password; at the time I only meant to use it briefly and delete it as soon as I was done.
And so, as is so often the case, disaster struck when I least expected it...
Around noon the next day I was on the VPS running a data import script when I suddenly noticed the terminal responding extremely slowly and the program hanging. I assumed it was an intermittent network glitch and ignored it. But a little later I received alert emails from Linode, two at once: CPU and network load had both exceeded their limits. I realized I had probably been compromised.
By then, with the system responding slowly and the network congested, I could no longer reach the host over ssh at all. The screenshot below shows the system state at the time.
Fortunately Linode provides a browser-based real-time console. As soon as I got in I found a process named nhgbhhj consuming a very high load. A web search confirmed it is indeed a known malicious program whose purpose is to send packets continuously and saturate your bandwidth. The material online was all very old, and the removal methods it described did not actually remove the program, so I had to work it out myself.
The first step, naturally, was to kill the process. That treats the symptom rather than the cause, but it at least brought the system load down immediately, so I could log back in through a normal terminal. The next step was to find the files behind these processes. According to the write-ups online they should be under /tmp, and sure enough, that directory held a pile of strange-looking files.
I deleted those files and killed the corresponding processes, but found that one file, conf.n, could not be deleted, or rather, it reappeared on its own after I deleted it.
I guessed there were still processes I had not killed, and later found that the directory also contained many hidden files, for example ones whose names start with .ssh.
A cunning rabbit really does have three burrows. After I deleted all of this junk, conf.n never came back, so I judged the infection to be cleaned out.
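The two things that tripped me up above, dotfiles that a plain directory listing hides and a file that keeps coming back because a process I had not killed recreates it, can be checked mechanically. The script below is an added example written for this write-up, not code from the original post or from any tool mentioned in it. It lists every entry in a directory including dotfiles, flags entries that are hidden, executable or recently modified, and on Linux resolves /proc/<pid>/exe for every process to find binaries that run from that directory or have already been unlinked from disk. The sample directory built by build_sample_tmp() and the file names in it (other than conf.n and nhgbhhj, which are from the post) are constructed for illustration.

```python
"""Added example: triage helper for a directory like /tmp.

1. list every entry, dotfiles included, and flag hidden/executable/recent ones;
2. on Linux, report processes whose binary lives under the directory or whose
   binary has been deleted while still running (how a removed file "comes back").
"""
import os
import stat
import tempfile
import time


def list_entries(directory):
    """Every entry in `directory`, dotfiles included (a bare `ls` hides them)."""
    entries = []
    for name in sorted(os.listdir(directory)):
        st = os.lstat(os.path.join(directory, name))
        entries.append({
            "name": name,
            "hidden": name.startswith("."),
            "executable": stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_IXUSR),
            "mtime": st.st_mtime,
        })
    return entries


def suspicious_entries(directory, max_age_seconds=86400, now=None):
    """Return [(name, [reasons])] for entries that are hidden, executable or recent."""
    now = time.time() if now is None else now
    flagged = []
    for e in list_entries(directory):
        reasons = []
        if e["hidden"]:
            reasons.append("hidden")
        if e["executable"]:
            reasons.append("executable")
        if now - e["mtime"] <= max_age_seconds:
            reasons.append("recent")
        if reasons:
            flagged.append((e["name"], reasons))
    return flagged


def processes_running_from(directory, proc_root="/proc"):
    """(pid, exe) for processes whose binary is under `directory` or was unlinked.

    Linux-only: reads the /proc/<pid>/exe symlink; processes that cannot be
    inspected (other users' processes without root) are skipped.
    """
    directory = os.path.realpath(directory)
    hits = []
    if not os.path.isdir(proc_root):
        return hits
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:
            continue
        if exe.startswith(directory + os.sep) or exe.endswith(" (deleted)"):
            hits.append((int(pid), exe))
    return hits


def build_sample_tmp():
    """Constructed directory that mimics the /tmp described in the post."""
    d = tempfile.mkdtemp(prefix="triage-demo-")
    # conf.n and nhgbhhj are names from the post; .ssh-backup is constructed
    for name, mode in (("conf.n", 0o644), (".ssh-backup", 0o644), ("nhgbhhj", 0o755)):
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write("sample\n")
        os.chmod(path, mode)
    old = os.path.join(d, "README")          # an old, ordinary file: must not be flagged
    with open(old, "w") as f:
        f.write("old\n")
    os.chmod(old, 0o644)
    old_time = time.time() - 30 * 86400
    os.utime(old, (old_time, old_time))
    return d


if __name__ == "__main__":
    sample = build_sample_tmp()
    for name, reasons in suspicious_entries(sample):
        print(f"{name}: {', '.join(reasons)}")
    for pid, exe in processes_running_from("/tmp"):
        print(f"pid {pid} runs from {exe}")
```

Run it against the real /tmp as root to see every process whose executable sits there; a process whose exe link ends in "(deleted)" is the one that will write conf.n back after you remove it, so kill it before deleting files again.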
First the admin account with the weak password had to be dealt with. To be more thorough I disabled password login entirely: in /etc/ssh/sshd_config find
PasswordAuthentication yes
change yes to no, then restart the ssh service.
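Editing that one line by hand is fine, but two details of how sshd reads its configuration are easy to get wrong: it takes the first value it sees for a keyword, so appending PasswordAuthentication no at the end of the file does nothing if an earlier line already says yes, and any line after the first Match block belongs to that block rather than to the global section. The script below is an added example, not code from the post; it rewrites the directive in the right place and reports the value sshd will actually use. The sample configuration in it is constructed for illustration.

```python
"""Added example: set an sshd_config directive and check its effective value.

sshd uses the FIRST occurrence of a keyword; directives after a "Match" line
are conditional. Both rules are handled here for the global section only.
"""
import re

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd
_DIRECTIVE = re.compile(r"^(?P<key>[A-Za-z0-9]+)(?:\s+|\s*=\s*)(?P<val>\S+)")


def _parse(line):
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None, None
    m = _DIRECTIVE.match(stripped)
    if not m:
        return None, None
    return m.group("key").lower(), m.group("val").lower()


def effective_setting(config_text, keyword, default):
    """Value sshd will use for `keyword` in the global section, else `default`."""
    for line in config_text.splitlines():
        key, val = _parse(line)
        if key == "match":
            break                       # everything after this is conditional
        if key == keyword.lower():
            return val                  # first occurrence wins
    return default


def set_directive(config_text, keyword, value):
    """Return config text with `keyword` set to `value` in the global section.

    The first active occurrence is rewritten, later global duplicates are
    commented out, and if there is no active occurrence the directive is
    inserted before the first Match block (or appended).
    """
    out, done, in_match, insert_at = [], False, False, None
    for line in config_text.splitlines():
        key, _ = _parse(line)
        if key == "match":
            in_match = True
            if insert_at is None:
                insert_at = len(out)
        if not in_match and key == keyword.lower():
            if not done:
                out.append(f"{keyword} {value}")
                done = True
            else:
                out.append(f"#{line.strip()}   # duplicate disabled")
            continue
        out.append(line)
    if not done:
        new_line = f"{keyword} {value}"
        if insert_at is None:
            out.append(new_line)
        else:
            out.insert(insert_at, new_line)
    return "\n".join(out) + "\n"


# constructed sample: a commented "no" that sshd ignores, an active "yes",
# and a Match block whose "no" applies only to one user
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
Match User deploy
    PasswordAuthentication no
"""


def harden_sample():
    """Apply the post's change to the sample and return (before, after)."""
    before = effective_setting(SAMPLE_CONFIG, "PasswordAuthentication", "yes")
    fixed = set_directive(SAMPLE_CONFIG, "PasswordAuthentication", "no")
    after = effective_setting(fixed, "PasswordAuthentication", "yes")
    return before, after


if __name__ == "__main__":
    print(set_directive(SAMPLE_CONFIG, "PasswordAuthentication", "no"))
    print("effective before/after:", harden_sample())
```

Before restarting the service, validate the file with `sshd -t` and confirm from a second session that key-based login still works; a bad restart locks you out of the very host you are trying to protect.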
First, keep network security in mind at all times. You may do everything else right, but one moment of carelessness can undo it all.
Think about the consequences before every operation you perform on a server, and never give up basic security just for convenience. Most password-guessing scanners nowadays sweep the entire internet around the clock, and a weak password has no chance of slipping through. If you don't believe me, take a look at your own login log:
root@localhost:/tmp# cat /var/log/auth.log | grep admin
Jan 19 08:23:48 localhost sshd[22552]: Invalid user www-admin from 180.150.177.103
Jan 19 08:23:48 localhost sshd[22552]: input_userauth_request: invalid user www-admin [preauth]
Jan 19 08:23:51 localhost sshd[22552]: Failed password for invalid user www-admin from 180.150.177.103 port 40628 ssh2
Jan 19 08:24:51 localhost sshd[22592]: Invalid user www-admin from 180.150.177.103
Jan 19 08:24:51 localhost sshd[22592]: input_userauth_request: invalid user www-admin [preauth]
Jan 19 08:24:53 localhost sshd[22592]: Failed password for invalid user www-admin from 180.150.177.103 port 35412 ssh2
Jan 19 08:26:28 localhost sshd[22658]: Invalid user www-admin from 180.150.177.103
Jan 19 08:26:28 localhost sshd[22658]: input_userauth_request: invalid user www-admin [preauth]
Jan 19 08:26:30 localhost sshd[22658]: Failed password for invalid user www-admin from 180.150.177.103 port 58053 ssh2
Jan 19 08:27:29 localhost sshd[22704]: Invalid user www-admin from 180.150.177.103
Jan 19 08:27:29 localhost sshd[22704]: input_userauth_request: invalid user www-admin [preauth]
Jan 19 08:27:32 localhost sshd[22704]: Failed password for invalid user www-admin from 180.150.177.103 port 52837 ssh2
Jan 19 11:01:07 localhost sshd[29337]: Invalid user wwwadmin from 180.150.177.103
Jan 19 11:01:07 localhost sshd[29337]: input_userauth_request: invalid user wwwadmin [preauth]
Jan 19 11:01:09 localhost sshd[29337]: Failed password for invalid user wwwadmin from 180.150.177.103 port 33113 ssh2
Jan 19 11:02:01 localhost sshd[29366]: Invalid user wwwadmin from 180.150.177.103
Jan 19 11:02:01 localhost sshd[29366]: input_userauth_request: invalid user wwwadmin [preauth]
Jan 19 11:02:03 localhost sshd[29366]: Failed password for invalid user wwwadmin from 180.150.177.103 port 56130 ssh2
Jan 19 15:35:37 localhost sshd[7495]: Invalid user gitadmin from 202.85.211.206
Jan 19 15:35:37 localhost sshd[7495]: input_userauth_request: invalid user gitadmin [preauth]
Jan 19 15:35:39 localhost sshd[7495]: Failed password for invalid user gitadmin from 202.85.211.206 port 48362 ssh2
Jan 19 15:38:38 localhost sshd[7735]: Invalid user pgadmin from 202.85.211.206
Jan 19 15:38:38 localhost sshd[7735]: input_userauth_request: invalid user pgadmin [preauth]
Jan 19 15:38:41 localhost sshd[7735]: Failed password for invalid user pgadmin from 202.85.211.206 port 49705 ssh2
Jan 19 15:38:42 localhost sshd[7739]: Invalid user pgadmin from 202.85.211.206
Jan 19 15:38:42 localhost sshd[7739]: input_userauth_request: invalid user pgadmin [preauth]
Jan 19 15:38:44 localhost sshd[7739]: Failed password for invalid user pgadmin from 202.85.211.206 port 50784 ssh2
Jan 19 15:38:45 localhost sshd[7741]: Invalid user pgadmin from 202.85.211.206
Jan 19 15:38:45 localhost sshd[7741]: input_userauth_request: invalid user pgadmin [preauth]
Jan 19 15:38:47 localhost sshd[7741]: Failed password for invalid user pgadmin from 202.85.211.206 port 51875 ssh2
Jan 19 15:38:48 localhost sshd[7745]: Invalid user pgadmin from 202.85.211.206
Jan 19 15:38:48 localhost sshd[7745]: input_userauth_request: invalid user pgadmin [preauth]
Jan 19 15:38:50 localhost sshd[7745]: Failed password for invalid user pgadmin from 202.85.211.206 port 52905 ssh2
Jan 19 15:38:52 localhost sshd[7760]: Invalid user pgadmin from 202.85.211.206
Jan 19 15:38:52 localhost sshd[7760]: input_userauth_request: invalid user pgadmin [preauth]
Jan 19 15:38:53 localhost sshd[7760]: Failed password for invalid user pgadmin from 202.85.211.206 port 54193 ssh2
Jan 19 15:39:19 localhost sshd[7800]: Invalid user wasadmin from 202.85.211.206
Jan 19 15:39:19 localhost sshd[7800]: input_userauth_request: invalid user wasadmin [preauth]
Jan 19 15:39:21 localhost sshd[7800]: Failed password for invalid user wasadmin from 202.85.211.206 port 35276 ssh2
Jan 19 15:39:34 localhost sshd[7829]: Invalid user db2admin from 202.85.211.206
Jan 19 15:39:34 localhost sshd[7829]: input_userauth_request: invalid user db2admin [preauth]
Jan 19 15:39:35 localhost sshd[7829]: Failed password for invalid user db2admin from 202.85.211.206 port 40124 ssh2
Jan 19 15:40:16 localhost sshd[7880]: Invalid user cvsadmin from 202.85.211.206
Jan 19 15:40:16 localhost sshd[7880]: input_userauth_request: invalid user cvsadmin [preauth]
Jan 19 15:40:17 localhost sshd[7880]: Failed password for invalid user cvsadmin from 202.85.211.206 port 54468 ssh2
Jan 19 15:40:18 localhost sshd[7884]: Invalid user cvsadmin from 202.85.211.206
Jan 19 15:40:18 localhost sshd[7884]: input_userauth_request: invalid user cvsadmin [preauth]
Jan 19 15:40:21 localhost sshd[7884]: Failed password for invalid user cvsadmin from 202.85.211.206 port 55489 ssh2
Jan 19 15:40:22 localhost sshd[7899]: Invalid user cvsadmin from 202.85.211.206
Jan 19 15:40:22 localhost sshd[7899]: input_userauth_request: invalid user cvsadmin [preauth]
Jan 19 15:40:24 localhost sshd[7899]: Failed password for invalid user cvsadmin from 202.85.211.206 port 56596 ssh2
Jan 19 15:40:25 localhost sshd[7901]: Invalid user cvsadmin from 202.85.211.206
Jan 19 15:40:25 localhost sshd[7901]: input_userauth_request: invalid user cvsadmin [preauth]
Jan 19 15:40:27 localhost sshd[7901]: Failed password for invalid user cvsadmin from 202.85.211.206 port 57620 ssh2
Jan 19 15:40:28 localhost sshd[7903]: Invalid user cvsadmin from 202.85.211.206
Jan 19 15:40:28 localhost sshd[7903]: input_userauth_request: invalid user cvsadmin [preauth]
Jan 19 15:40:30 localhost sshd[7903]: Failed password for invalid user cvsadmin from 202.85.211.206 port 58645 ssh2
Jan 19 17:24:31 localhost sshd[14524]: Invalid user gitadmin from 202.85.211.206
Jan 19 17:24:31 localhost sshd[14524]: input_userauth_request: invalid user gitadmin [preauth]
Jan 19 17:24:33 localhost sshd[14524]: Failed password for invalid user gitadmin from 202.85.211.206 port 33227 ssh2
Jan 19 17:27:05 localhost sshd[14779]: Invalid user pgadmin from 202.85.211.206
Jan 19 17:27:05 localhost sshd[14779]: input_userauth_request: invalid user pgadmin [preauth]
Jan 19 17:27:07 localhost sshd[14779]: Failed password for invalid user pgadmin from 202.85.211.206 port 33521 ssh2
Jan 19 17:27:08 localhost sshd[14785]: Invalid user pgadmin from 202.85.211.206
Jan 19 17:27:08 localhost sshd[14785]: input_userauth_request: invalid user pgadmin [preauth]
Jan 19 17:27:10 localhost sshd[14785]: Failed password for invalid user pgadmin from 202.85.211.206 port 34578 ssh2
Jan 19 17:27:10 localhost sshd[14787]: Invalid user pgadmin from 202.85.211.206
Jan 19 17:27:10 localhost sshd[14787]: input_userauth_request: invalid user pgadmin [preauth]
Jan 19 17:27:12 localhost sshd[14787]: Failed password for invalid user pgadmin from 202.85.211.206 port 35593 ssh2
Jan 19 17:27:13 localhost sshd[14791]: Invalid user pgadmin from 202.85.211.206
Jan 19 17:27:13 localhost sshd[14791]: input_userauth_request: invalid user pgadmin [preauth]
Jan 19 17:27:15 localhost sshd[14791]: Failed password for invalid user pgadmin from 202.85.211.206 port 36610 ssh2
Jan 19 17:27:15 localhost sshd[14793]: Invalid user pgadmin from 202.85.211.206
Jan 19 17:27:15 localhost sshd[14793]: input_userauth_request: invalid user pgadmin [preauth]
Jan 19 17:27:17 localhost sshd[14793]: Failed password for invalid user pgadmin from 202.85.211.206 port 37616 ssh2
Jan 19 17:27:39 localhost sshd[14836]: Invalid user wasadmin from 202.85.211.206
Jan 19 17:27:39 localhost sshd[14836]: input_userauth_request: invalid user wasadmin [preauth]
Jan 19 17:27:40 localhost sshd[14836]: Failed password for invalid user wasadmin from 202.85.211.206 port 46739 ssh2
Jan 19 17:27:51 localhost sshd[14854]: Invalid user db2admin from 202.85.211.206
Jan 19 17:27:51 localhost sshd[14854]: input_userauth_request: invalid user db2admin [preauth]
Jan 19 17:27:53 localhost sshd[14854]: Failed password for invalid user db2admin from 202.85.211.206 port 51364 ssh2
Jan 19 17:28:28 localhost sshd[14926]: Invalid user cvsadmin from 202.85.211.206
Jan 19 17:28:28 localhost sshd[14926]: input_userauth_request: invalid user cvsadmin [preauth]
Jan 19 17:28:30 localhost sshd[14926]: Failed password for invalid user cvsadmin from 202.85.211.206 port 37019 ssh2
Jan 19 17:28:31 localhost sshd[14930]: Invalid user cvsadmin from 202.85.211.206
Jan 19 17:28:31 localhost sshd[14930]: input_userauth_request: invalid user cvsadmin [preauth]
Jan 19 17:28:33 localhost sshd[14930]: Failed password for invalid user cvsadmin from 202.85.211.206 port 38037 ssh2
Jan 19 17:28:34 localhost sshd[14932]: Invalid user cvsadmin from 202.85.211.206
Jan 19 17:28:34 localhost sshd[14932]: input_userauth_request: invalid user cvsadmin [preauth]
Jan 19 17:28:36 localhost sshd[14932]: Failed password for invalid user cvsadmin from 202.85.211.206 port 39119 ssh2
Jan 19 17:28:37 localhost sshd[14936]: Invalid user cvsadmin from 202.85.211.206
Jan 19 17:28:37 localhost sshd[14936]: input_userauth_request: invalid user cvsadmin [preauth]
Jan 19 17:28:39 localhost sshd[14936]: Failed password for invalid user cvsadmin from 202.85.211.206 port 40179 ssh2
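Reading a log like this by eye works once; what you actually want is a summary of which addresses are hammering the host, which usernames they are guessing, and whether the rate crosses a threshold you would alert on. The script below is an added example written for this post, not the author's code or part of any tool: it parses the sshd "Failed password" lines, counts failures per source address together with the usernames tried, and flags addresses that exceed a threshold inside a sliding time window. The sample lines are a subset of the log above; the year is a placeholder because syslog timestamps do not carry one.

```python
"""Added example: summarise password-guessing activity from sshd auth.log lines."""
import re
from collections import defaultdict
from datetime import datetime

# matches both "Failed password for invalid user X from IP port N ssh2"
# and "Failed password for root from IP port N ssh2"
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

ASSUMED_YEAR = 2015   # placeholder: syslog lines carry no year


def parse_timestamp(ts, year=ASSUMED_YEAR):
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_failures(lines, year=ASSUMED_YEAR):
    """Yield (timestamp, ip, user) for every failed password attempt."""
    for line in lines:
        m = FAILED.match(line.strip())
        if m:
            yield parse_timestamp(m.group("ts"), year), m.group("ip"), m.group("user")


def summarise(lines, year=ASSUMED_YEAR):
    """Return (failures per IP, sorted usernames tried per IP)."""
    per_ip = defaultdict(int)
    users = defaultdict(set)
    for _, ip, user in parse_failures(lines, year):
        per_ip[ip] += 1
        users[ip].add(user)
    return dict(per_ip), {ip: sorted(u) for ip, u in users.items()}


def brute_force_sources(lines, threshold=5, window_seconds=300, year=ASSUMED_YEAR):
    """IPs with at least `threshold` failures inside any `window_seconds` span."""
    events = defaultdict(list)
    for ts, ip, _ in parse_failures(lines, year):
        events[ip].append(ts)
    flagged = set()
    for ip, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)


# subset of the log shown in the post
SAMPLE_LOG = """\
Jan 19 08:23:48 localhost sshd[22552]: Invalid user www-admin from 180.150.177.103
Jan 19 08:23:51 localhost sshd[22552]: Failed password for invalid user www-admin from 180.150.177.103 port 40628 ssh2
Jan 19 08:24:53 localhost sshd[22592]: Failed password for invalid user www-admin from 180.150.177.103 port 35412 ssh2
Jan 19 11:01:09 localhost sshd[29337]: Failed password for invalid user wwwadmin from 180.150.177.103 port 33113 ssh2
Jan 19 15:38:41 localhost sshd[7735]: Failed password for invalid user pgadmin from 202.85.211.206 port 49705 ssh2
Jan 19 15:38:44 localhost sshd[7739]: Failed password for invalid user pgadmin from 202.85.211.206 port 50784 ssh2
Jan 19 15:38:47 localhost sshd[7741]: Failed password for invalid user pgadmin from 202.85.211.206 port 51875 ssh2
Jan 19 15:38:50 localhost sshd[7745]: Failed password for invalid user pgadmin from 202.85.211.206 port 52905 ssh2
Jan 19 15:39:21 localhost sshd[7800]: Failed password for invalid user wasadmin from 202.85.211.206 port 35276 ssh2
Jan 19 15:39:35 localhost sshd[7829]: Failed password for invalid user db2admin from 202.85.211.206 port 40124 ssh2
"""


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    counts, users = summarise(lines)
    for ip in sorted(counts):
        print(f"{ip}: {counts[ip]} failures, users tried: {', '.join(users[ip])}")
    print("brute-force sources:", brute_force_sources(lines))
```

Point it at the real file with `summarise(open("/var/log/auth.log"))`; on the sample, 202.85.211.206 produces six failures in under a minute and is flagged, while the slower 180.150.177.103 is not. The thresholds are the knobs you would tune before wiring this into alerting or a blocking tool such as fail2ban.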
This time I was lucky to catch it early, since I happened to be logged in at the time. If you get compromised without noticing, there is a good chance your provider suspends your service, and that is a far bigger loss.