场景:
周一上班centos服务器ssh不可用,web和数据库等应用不响应。好在vnc可以登录
使用last命令查询,2号之前的登录信息已被清空,并且sshd文件在周六晚上被修改,周日晚上2点服务器被人远程重启
root pts/1 :1.0 Mon Jul 3 11:09 still logged in
root pts/1 :1.0 Mon Jul 3 11:08 – 11:09 (00:01)
root pts/0 :0.0 Mon Jul 3 10:54 still logged in
root tty1 :0 Mon Jul 3 10:53 still logged in
reboot system boot 2.6.32-696.3.2.e Mon Jul 3 10:46 – 11:11 (00:25)
root pts/0 :0.0 Mon Jul 3 10:42 – down (00:01)
root tty1 :0 Mon Jul 3 10:40 – down (00:03)
reboot system boot 2.6.32-696.3.2.e Sun Jul 2 02:31 – 10:44 (1+08:12)
reboot system boot 2.6.32-431.el6.x Sun Jul 2 02:27 – 02:27 (00:00)
Jul 2 03:11:20 oracledb rsyslogd: [origin software=”rsyslogd” swVersion=”5.8.10
” x-pid=”1960″ x-info=”
http://www.rsyslog.com”] rsyslogd was HUPed
Jul 2 03:35:11 oracledb sshd[13864]: Did not receive identification string from
使用less /var/log/messages命令2点结合last命令,判断2点重启后IPATABLES生效,有大量的ssh暴力破解的扫描信息,由于机器是测试环境,上面安装了ORACLE和squid,临时管理了iptables,重启后iptables启动,应该没有再次被再次登录,但是系统中部分文件以及被修改
message文件中部分信息如下:
103.207.37.86
Jul 2 03:35:12 oracledb sshd[13865]: error: Bad prime description in line 186
Jul 2 03:35:12 oracledb sshd[13865]: error: Bad prime description in line 187
Jul 2 03:35:12 oracledb sshd[13865]: error: Bad prime description in line 188
Jul 2 03:35:13 oracledb sshd[13865]: Failed password for illegal user support f
103.207.37.86 port 58311 ssh2
Jul 2 03:45:05 oracledb sshd[13887]: Illegal user support from
103.79.143.234
113.108.21.16
Jul 2 05:10:37 oracledb sshd[14126]: Illegal user support from
103.79.143.234
Jul 2 05:10:37 oracledb sshd[14126]: Failed password for illegal user support f
rom
103.79.143.234 port 57019 ssh2
Jul 2 05:10:43 oracledb sshd[14128]: Did not receive identification string from
解决方法
1.修改root用户密码
2.由于sshd文件被修改,重新安装ssh,并设置只有指定内网IP可以访问
3.配置iptables,使iptables
重装SSHD
配置对应iptables设置
1.iptables配置规则
Original: https://www.cnblogs.com/lodestar/p/7155820.html
Author: lodestar
Title: 一次linux服务器黑客入侵后处理
原创文章受到原创版权保护。转载请注明出处:https://www.johngo689.com/565267/
转载文章受原作者版权保护。转载请注明原作者出处!