I have an Ubuntu 14.04 server, and I found in /var/auth.log
that it is trying to connect to other servers.
Here is the log file:
Aug 31 08:04:49 server_name sshd[16316]: error: connect_to 98.208.82.101 port 22: failed.
Aug 31 08:04:50 server_name sshd[16316]: error: connect_to 98.208.82.126 port 22: failed.
Aug 31 08:04:50 server_name sshd[16316]: error: connect_to 98.208.82.127 port 22: failed.
Aug 31 08:04:51 server_name sshd[16316]: error: connect_to 98.208.82.172 port 22: failed.
Aug 31 08:04:53 server_name sshd[16316]: error: connect_to 98.208.82.213 port 22: failed.
Aug 31 08:04:56 server_name sshd[16316]: error: connect_to 98.208.82.241 port 22: failed.
Aug 31 08:04:58 server_name sshd[16316]: error: connect_to 98.210.209.25 port 22: failed.
Aug 31 08:04:58 server_name sshd[16316]: error: connect_to 98.210.209.29 port 22: failed.
Aug 31 08:04:58 server_name sshd[16316]: error: connect_to 98.210.209.48 port 22: failed.
Aug 31 08:04:59 server_name sshd[16316]: error: connect_to 98.210.209.55 port 22: failed.
Aug 31 08:04:59 server_name sshd[16316]: error: connect_to 98.210.209.61 port 22: failed.
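I have already checked the server for vulnerabilities, and everything is fine. SSH was only configured correctly as of today.
I also ran a virus scan, and nothing was infected.
What else can I check?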
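Answer 1
I found the problem. We were hacked, and a user was trying to attack other servers.
They exploited a vulnerability in the Nagios configuration that allowed the "nagios" user to log in. We disabled login for this user and killed the processes making the attempts.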
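An added example, not part of the original post: a Python triage script that groups `connect_to ... failed` lines (logged by sshd when an outbound connection it was asked to open for a logged-in client fails) by sshd PID and flags any process reaching many distinct targets, the pattern in the log above. The sample log, the function names and the threshold of 5 targets are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample (documentation-range addresses), same format as the question's log.
SAMPLE_LOG = """\
Aug 31 08:04:49 host1 sshd[16316]: error: connect_to 192.0.2.101 port 22: failed.
Aug 31 08:04:50 host1 sshd[16316]: error: connect_to 192.0.2.126 port 22: failed.
Aug 31 08:04:50 host1 sshd[16316]: error: connect_to 192.0.2.127 port 22: failed.
Aug 31 08:04:51 host1 sshd[16316]: error: connect_to 198.51.100.25 port 22: failed.
Aug 31 08:04:53 host1 sshd[16316]: error: connect_to 198.51.100.29 port 22: failed.
Aug 31 08:04:53 host1 sshd[16316]: error: connect_to 198.51.100.29 port 22: failed.
Aug 31 08:05:10 host1 sshd[2201]: Accepted publickey for alice from 203.0.113.7 port 50514 ssh2
Aug 31 08:06:02 host1 sshd[2207]: error: connect_to 203.0.113.40 port 5432: failed.
"""

CONNECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(?P<pid>\d+)\]: "
    r"error: connect_to (?P<host>\S+) port (?P<port>\d+): failed\.$"
)

def summarize(log_text):
    """Group failed sshd connect_to attempts by the sshd process that logged them."""
    by_pid = defaultdict(lambda: {"attempts": 0, "targets": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line.strip())
        if not m:
            continue  # unrelated auth.log entry
        entry = by_pid[int(m["pid"])]
        entry["attempts"] += 1
        entry["targets"].add((m["host"], int(m["port"])))
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(by_pid)

def flag_scanners(summary, min_targets=5):
    """Return PIDs whose failures hit at least min_targets distinct host:port pairs."""
    return sorted(pid for pid, e in summary.items() if len(e["targets"]) >= min_targets)

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for pid in flag_scanners(report):
        e = report[pid]
        print(f"sshd[{pid}]: {e['attempts']} failed connects to "
              f"{len(e['targets'])} targets, {e['first']} .. {e['last']}")
```

A flagged PID is the process to inspect on the live host (its owning user and source connection) before killing it, as the answer describes.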