My home/user directory has been deleted from the server; can the security log help find out how it was done?

I have a server running on AWS with cPanel from cpanel.net; the web server is Apache and the OS is CentOS 7. Today, all of a sudden, all 10 of my websites stopped responding and showed a 521 error. After a few minutes of investigation I found that there were no folders/files at all under home/user in my file manager; all 10 sites, their databases, emails, etc. were gone. I have a snapshot on Amazon, so I was able to retrieve a backup for the server, but I am keeping the old one for investigation. In the secure log I can see a lot of connection attempts, but I am not very good at understanding what is going on and how someone was able to connect and delete things. I will paste the log below so that someone can help me.

The Amazon team said it could be the work of a hacker or a mistake by the cPanel support team, but the second option doesn't sound right, because professionals wouldn't make such a stupid mistake, and they also confirmed to me that they did not do it.

I had an argument with someone who claims to be a hacker, but I'm not sure whether that is what happened here.

Please read this and give any hints about what is going on. Note: none of the logs from before these exist. I also noticed that commands are executed very frequently, e.g. 3 to 10 commands per second.

Here it is:

    [ec2-user@ip-172-31-13-2 log]$ sudo cat secure
    Feb 12 15:19:15 server polkitd[583]: Loading rules from directory /etc/polkit-1/rules.d
    Feb 12 15:19:15 server polkitd[583]: Loading rules from directory /usr/share/polkit-1/rules.d
    Feb 12 15:19:15 server polkitd[583]: Finished loading, compiling and executing 2 rules
    Feb 12 15:19:15 server polkitd[583]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
    Feb 12 15:19:20 server sshd[1257]: Server listening on 0.0.0.0 port 22.
    Feb 12 15:19:20 server sshd[1257]: Server listening on :: port 22.
    Feb 12 15:21:22 server sshd[1998]: Invalid user hduser from 111.229.235.119 port 51986
    Feb 12 15:21:22 server sshd[1998]: input_userauth_request: invalid user hduser [preauth]
    Feb 12 15:21:22 server sshd[1998]: Received disconnect from 111.229.235.119 port 51986:11: Bye Bye [preauth]
    Feb 12 15:21:22 server sshd[1998]: Disconnected from 111.229.235.119 port 51986 [preauth]
    Feb 12 15:27:12 server polkitd[580]: Loading rules from directory /etc/polkit-1/rules.d
    Feb 12 15:27:12 server polkitd[580]: Loading rules from directory /usr/share/polkit-1/rules.d
    Feb 12 15:27:12 server polkitd[580]: Finished loading, compiling and executing 2 rules
    Feb 12 15:27:12 server polkitd[580]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
    Feb 12 15:27:19 server sshd[1297]: Server listening on 0.0.0.0 port 22.
    Feb 12 15:27:19 server sshd[1297]: Server listening on :: port 22.
    Feb 12 15:27:29 server sshd[1833]: Did not receive identification string from 87.251.64.186 port 45362
    Feb 12 15:27:30 server sshd[1835]: Connection closed by 87.251.64.186 port 50330 [preauth]
    Feb 12 15:27:30 server sshd[1834]: Invalid user 0101 from 87.251.64.186 port 50108
    Feb 12 15:27:30 server sshd[1834]: input_userauth_request: invalid user 0101 [preauth]
    Feb 12 15:27:30 server sshd[1834]: Connection closed by 87.251.64.186 port 50108 [preauth]
    Feb 12 15:29:27 server sshd[1987]: Invalid user aaron from 103.37.151.84 port 49382
    Feb 12 15:29:27 server sshd[1987]: input_userauth_request: invalid user aaron [preauth]
    Feb 12 15:29:27 server sshd[1987]: Received disconnect from 103.37.151.84 port 49382:11: Bye Bye [preauth]
    Feb 12 15:29:27 server sshd[1987]: Disconnected from 103.37.151.84 port 49382 [preauth]
    Feb 12 15:34:32 server sshd[2234]: Invalid user agustina from 103.45.184.234 port 53762
    Feb 12 15:34:32 server sshd[2234]: input_userauth_request: invalid user agustina [preauth]
    Feb 12 15:34:33 server sshd[2234]: Received disconnect from 103.45.184.234 port 53762:11: Bye Bye [preauth]
    Feb 12 15:34:33 server sshd[2234]: Disconnected from 103.45.184.234 port 53762 [preauth]
    Feb 12 15:38:50 server sshd[2578]: Connection closed by 222.119.218.120 port 13597 [preauth]
    Feb 12 15:39:31 server sshd[2617]: Accepted publickey for root from 222.119.218.120 port 55062 ssh2: RSA SHA256:cnhuplyGAzI1x1W2DudZZq7CN6qi1oMqTdtdi5VqnRc
    Feb 12 15:39:31 server sshd[2617]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Feb 12 15:39:31 server sshd[2617]: pam_lastlog(sshd:session): unable to open /var/log/lastlog: No such file or directory
    Feb 12 15:39:33 server sshd[2627]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:39:33 server sshd[2627]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:41:59 server sshd[2822]: Received disconnect from 123.58.213.220 port 44408:11: Bye Bye [preauth]
    Feb 12 15:41:59 server sshd[2822]: Disconnected from 123.58.213.220 port 44408 [preauth]
    Feb 12 15:42:49 server sshd[2865]: Did not receive identification string from 81.161.63.103 port 44104
    Feb 12 15:42:58 server sshd[2869]: Connection reset by 81.161.63.103 port 43178 [preauth]
    Feb 12 15:43:01 server sshd[2867]: Connection reset by 81.161.63.103 port 43168 [preauth]
    Feb 12 15:43:01 server sshd[2868]: Connection reset by 81.161.63.103 port 43152 [preauth]
    Feb 12 15:43:02 server sshd[2874]: Connection reset by 81.161.63.103 port 43194 [preauth]
    Feb 12 15:43:02 server sshd[2877]: Accepted publickey for root from 222.119.218.120 port 16725 ssh2: RSA SHA256:cnhuplyGAzI1x1W2DudZZq7CN6qi1oMqTdtdi5VqnRc
    Feb 12 15:43:03 server sshd[2877]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Feb 12 15:43:03 server sshd[2877]: pam_lastlog(sshd:session): unable to open /var/log/lastlog: No such file or directory
    Feb 12 15:43:04 server sshd[2924]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:43:04 server sshd[2924]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:43:32 server sshd[3150]: Invalid user liangyzh from 190.104.149.194 port 55456
    Feb 12 15:43:32 server sshd[3150]: input_userauth_request: invalid user liangyzh [preauth]
    Feb 12 15:43:32 server sshd[3150]: Received disconnect from 190.104.149.194 port 55456:11: Bye Bye [preauth]
    Feb 12 15:43:32 server sshd[3150]: Disconnected from 190.104.149.194 port 55456 [preauth]
    Feb 12 15:46:00 server polkitd[583]: Loading rules from directory /etc/polkit-1/rules.d
    Feb 12 15:46:00 server polkitd[583]: Loading rules from directory /usr/share/polkit-1/rules.d
    Feb 12 15:46:00 server polkitd[583]: Finished loading, compiling and executing 2 rules
    Feb 12 15:46:00 server polkitd[583]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
    Feb 12 15:46:10 server sshd[1313]: Server listening on 0.0.0.0 port 22.
    Feb 12 15:46:10 server sshd[1313]: Server listening on :: port 22.
    Feb 12 15:46:31 server sshd[1840]: Accepted publickey for root from 222.119.218.120 port 26665 ssh2: RSA SHA256:cnhuplyGAzI1x1W2DudZZq7CN6qi1oMqTdtdi5VqnRc
    Feb 12 15:46:32 server sshd[1840]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Feb 12 15:46:32 server sshd[1840]: pam_lastlog(sshd:session): unable to open /var/log/lastlog: No such file or directory
    Feb 12 15:46:33 server sshd[1858]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:46:33 server sshd[1858]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:49:59 server sshd[2022]: Connection closed by 90.199.242.27 port 62452 [preauth]
    Feb 12 15:50:11 server sshd[2043]: Connection closed by 90.199.242.27 port 62453 [preauth]
    Feb 12 15:50:31 server sshd[1840]: Received disconnect from 222.119.218.120 port 26665:11: disconnected by user
    Feb 12 15:50:31 server sshd[1840]: Disconnected from 222.119.218.120 port 26665
    Feb 12 15:50:31 server sshd[1840]: pam_unix(sshd:session): session closed for user root
    Feb 12 15:50:45 server sshd[2096]: Accepted publickey for root from 222.119.218.120 port 37066 ssh2: RSA SHA256:cnhuplyGAzI1x1W2DudZZq7CN6qi1oMqTdtdi5VqnRc
    Feb 12 15:50:45 server sshd[2096]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Feb 12 15:50:45 server sshd[2096]: pam_lastlog(sshd:session): unable to open /var/log/lastlog: No such file or directory
    Feb 12 15:50:46 server sshd[2102]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:50:46 server sshd[2102]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:52:21 server polkitd[583]: Registered Authentication Agent for unix-process:2421:38780 (system bus name :1.24 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
    Feb 12 15:52:21 server polkitd[583]: Unregistered Authentication Agent for unix-process:2421:38780 (system bus name :1.24, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8) (disconnected from bus)
    Feb 12 15:56:53 server sshd[2540]: Received disconnect from 85.62.169.71 port 61169:11: Client disconnecting normally [preauth]
    Feb 12 15:56:53 server sshd[2540]: Disconnected from 85.62.169.71 port 61169 [preauth]
    Feb 12 15:57:32 server sshd[2096]: Received disconnect from 222.119.218.120 port 37066:11: disconnected by user
    Feb 12 15:57:32 server sshd[2096]: Disconnected from 222.119.218.120 port 37066
    Feb 12 15:57:32 server sshd[2096]: pam_unix(sshd:session): session closed for user root
    Feb 12 15:57:50 server sshd[2767]: Connection closed by 222.119.218.120 port 54211 [preauth]
    Feb 12 15:58:09 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/test -e /etc/passwd
    Feb 12 15:58:09 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    Feb 12 15:58:09 server sudo: pam_unix(sudo:session): session closed for user root
    Feb 12 15:58:09 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/cat /etc/passwd
    Feb 12 15:58:09 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    Feb 12 15:58:09 server sudo: pam_unix(sudo:session): session closed for user root
    Feb 12 15:58:09 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/cat /root/.wp-toolkit-identifier
    Feb 12 15:58:09 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    Feb 12 15:58:09 server sudo: pam_unix(sudo:session): session closed for user root
    Feb 12 15:58:10 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/sh -c whmapi1 get_domain_info --output=json
    Feb 12 15:58:10 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    Feb 12 15:58:10 server sudo: pam_unix(sudo:session): session closed for user root
    Feb 12 15:58:10 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/sh -c whmapi1 listaccts --output=json
    Feb 12 15:58:10 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    Feb 12 15:58:11 server sudo: pam_unix(sudo:session): session closed for user root
    Feb 12 15:58:11 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/sh -c whmapi1 get_users_features_settings user-1=staffdir feature-1=filemanager feature-2=backup feature-3=cron feature-4=phpmyadmin feature-5=mysql feature-6=multiphp feature-7=subdomains feature-8=webprotect feature-9=wp-toolkit feature-10=wp-toolkit-deluxe --output=json
    Feb 12 15:58:11 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    Feb 12 15:58:11 server sudo: pam_unix(sudo:session): session closed for user root
    Feb 12 15:59:08 server sshd[2822]: Accepted publickey for root from 222.119.218.120 port 23199 ssh2: RSA SHA256:cnhuplyGAzI1x1W2DudZZq7CN6qi1oMqTdtdi5VqnRc
    Feb 12 15:59:08 server sshd[2822]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Feb 12 15:59:08 server sshd[2822]: pam_lastlog(sshd:session): unable to open /var/log/lastlog: No such file or directory
    Feb 12 15:59:10 server sshd[2828]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:59:10 server sshd[2828]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:59:50 server sshd[2876]: Accepted publickey for root from 184.94.197.2 port 63442 ssh2: RSA SHA256:ktvoarqhiUkvbQXOEOshtQttY4RN52fOmbxzT1c9U3E
    Feb 12 15:59:50 server sshd[2876]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Feb 12 15:59:50 server sshd[2876]: pam_lastlog(sshd:session): unable to open /var/log/lastlog: No such file or directory
    Feb 12 15:59:50 server sshd[2881]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:59:50 server sshd[2881]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:59:56 server useradd[2936]: new group: name=cptktywhllsifolm, GID=1006
    Feb 12 15:59:56 server useradd[2936]: new user: name=cptktywhllsifolm, UID=1004, GID=1006, home=/home/cptktywhllsifolm, shell=/bin/bash
    Feb 12 16:00:39 server sshd[3256]: Invalid user support from 178.128.152.209 port 45928
    Feb 12 16:00:39 server sshd[3256]: input_userauth_request: invalid user support [preauth]
    Feb 12 16:00:39 server sshd[3256]: Received disconnect from 178.128.152.209 port 45928:11: Bye Bye [preauth]
    Feb 12 16:00:39 server sshd[3256]: Disconnected from 178.128.152.209 port 45928 [preauth]
    Feb 12 16:00:40 server sshd[3258]: Received disconnect from 178.128.152.209 port 45988:11: Bye Bye [preauth]
    Feb 12 16:00:40 server sshd[3258]: Disconnected from 178.128.152.209 port 45988 [preauth]
    Feb 12 16:00:40 server sshd[3261]: Received disconnect from 178.128.152.209 port 46018:11: Bye Bye [preauth]
    Feb 12 16:00:40 server sshd[3261]: Disconnected from 178.128.152.209 port 46018 [preauth]
    Feb 12 16:00:41 server sshd[3263]: Invalid user usuario from 178.128.152.209 port 46058
    Feb 12 16:00:41 server sshd[3263]: input_userauth_request: invalid user usuario [preauth]
    Feb 12 16:00:41 server sshd[3263]: Received disconnect from 178.128.152.209 port 46058:11: Bye Bye [preauth]
    Feb 12 16:00:41 server sshd[3263]: Disconnected from 178.128.152.209 port 46058 [preauth]
    Feb 12 16:00:42 server sshd[3266]: Invalid user ubnt from 178.128.152.209 port 46090
    Feb 12 16:00:42 server sshd[3266]: input_userauth_request: invalid user ubnt [preauth]
    Feb 12 16:00:42 server sshd[3266]: Received disconnect from 178.128.152.209 port 46090:11: Bye Bye [preauth]
    Feb 12 16:00:42 server sshd[3266]: Disconnected from 178.128.152.209 port 46090 [preauth]
    Feb 12 16:00:42 server sshd[3269]: Invalid user debian from 178.128.152.209 port 46104
    Feb 12 16:00:42 server sshd[3269]: input_userauth_request: invalid user debian [preauth]
    Feb 12 16:00:42 server sshd[3269]: Received disconnect from 178.128.152.209 port 46104:11: Bye Bye [preauth]
    Feb 12 16:00:42 server sshd[3269]: Disconnected from 178.128.152.209 port 46104 [preauth]
    Feb 12 16:00:43 server sshd[3271]: Invalid user test from 178.128.152.209 port 46132
    Feb 12 16:00:43 server sshd[3271]: input_userauth_request: invalid user test [preauth]
    Feb 12 16:00:43 server sshd[3271]: Received disconnect from 178.128.152.209 port 46132:11: Bye Bye [preauth]
    Feb 12 16:00:43 server sshd[3271]: Disconnected from 178.128.152.209 port 46132 [preauth]
    Feb 12 16:00:44 server sshd[3274]: Invalid user usuario from 178.128.152.209 port 46156
    Feb 12 16:00:44 server sshd[3274]: input_userauth_request: invalid user usuario [preauth]
    Feb 12 16:00:44 server sshd[3274]: Received disconnect from 178.128.152.209 port 46156:11: Bye Bye [preauth]
    Feb 12 16:00:44 server sshd[3274]: Disconnected from 178.128.152.209 port 46156 [preauth]
    Feb 12 16:00:45 server sshd[3278]: Received disconnect from 178.128.152.209 port 46170:11: Bye Bye [preauth]
    Feb 12 16:00:45 server sshd[3278]: Disconnected from 178.128.152.209 port 46170 [preauth]
    Feb 12 16:00:45 server sshd[3281]: Invalid user user from 178.128.152.209 port 46200
    Feb 12 16:00:45 server sshd[3281]: input_userauth_request: invalid user user [preauth]
    Feb 12 16:00:45 server sshd[3281]: Received disconnect from 178.128.152.209 port 46200:11: Bye Bye [preauth]
    Feb 12 16:00:45 server sshd[3281]: Disconnected from 178.128.152.209 port 46200 [preauth]
    Feb 12 16:02:10 server polkitd[583]: Registered Authentication Agent for unix-process:3665:97728 (system bus name :1.48 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
    Feb 12 16:02:10 server polkitd[583]: Unregistered Authentication Agent for unix-process:3665:97728 (system bus name :1.48, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8) (disconnected from bus)
    Feb 12 16:02:17 server polkitd[583]: Registered Authentication Agent for unix-process:3711:98441 (system bus name :1.49 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
    Feb 12 16:02:17 server polkitd[583]: Unregistered Authentication Agent for unix-process:3711:98441 (system bus name :1.49, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8) (disconnected from bus)
    Feb 12 16:02:26 server polkitd[583]: Registered Authentication Agent for unix-process:3725:99300 (system bus name :1.50 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
    Feb 12 16:02:51 server polkitd[556]: Loading rules from directory /etc/polkit-1/rules.d
    Feb 12 16:02:51 server polkitd[556]: Loading rules from directory /usr/share/polkit-1/rules.d
    Feb 12 16:02:51 server polkitd[556]: Finished loading, compiling and executing 2 rules
    Feb 12 16:02:51 server polkitd[556]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
    Feb 12 16:02:56 server sshd[1208]: Server listening on 0.0.0.0 port 22.
    Feb 12 16:02:56 server sshd[1208]: Server listening on :: port 22.
    Feb 12 16:04:58 server sshd[1703]: Connection closed by 184.94.197.2 port 52823 [preauth]
    Feb 12 16:09:29 server sshd[1749]: Connection closed by 184.94.197.2 port 33422 [preauth]
    Feb 12 16:14:43 server sshd[1812]: Invalid user ubuntu from 51.254.63.223 port 33866
    Feb 12 16:14:43 server sshd[1812]: input_userauth_request: invalid user ubuntu [preauth]
    Feb 12 16:14:43 server sshd[1812]: Received disconnect from 51.254.63.223 port 33866:11: Bye Bye [preauth]
    Feb 12 16:14:43 server sshd[1812]: Disconnected from 51.254.63.223 port 33866 [preauth]

Please help.
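As an added example (not part of the question or the answer), a Python triage script over constructed sample lines modelled on the secure log above; it pulls out the four event classes worth reconciling first: successful root logins with their key fingerprints, failed pre-auth guesses per source IP, commands run through sudo, and account creation.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the /var/log/secure excerpt in the
# question (IPs and key fingerprints are the ones the question shows).
SAMPLE_SECURE_LOG = """\
Feb 12 15:21:22 server sshd[1998]: Invalid user hduser from 111.229.235.119 port 51986
Feb 12 15:39:31 server sshd[2617]: Accepted publickey for root from 222.119.218.120 port 55062 ssh2: RSA SHA256:cnhuplyGAzI1x1W2DudZZq7CN6qi1oMqTdtdi5VqnRc
Feb 12 15:58:09 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/cat /etc/passwd
Feb 12 15:59:50 server sshd[2876]: Accepted publickey for root from 184.94.197.2 port 63442 ssh2: RSA SHA256:ktvoarqhiUkvbQXOEOshtQttY4RN52fOmbxzT1c9U3E
Feb 12 15:59:56 server useradd[2936]: new user: name=cptktywhllsifolm, UID=1004, GID=1006, home=/home/cptktywhllsifolm, shell=/bin/bash
Feb 12 16:00:39 server sshd[3256]: Invalid user support from 178.128.152.209 port 45928
Feb 12 16:00:41 server sshd[3263]: Invalid user usuario from 178.128.152.209 port 46058
"""

# One pattern per event class that matters when reconstructing a compromise.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2(?:: (?P<key>.*))?$")
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"sudo: +(?P<runner>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)")


def triage(log_text):
    """Summarise successful logins (who, from where, with which key), failed
    guesses per source IP, commands run through sudo, and accounts created."""
    summary = {"logins": [], "guesses": Counter(), "sudo": [], "new_users": []}
    for line in log_text.splitlines():
        if m := ACCEPTED_RE.search(line):
            summary["logins"].append((m["ts"], m["user"], m["ip"], m["method"], m["key"]))
        elif m := INVALID_RE.search(line):
            summary["guesses"][m["ip"]] += 1   # pre-auth noise: a guess, not a login
        elif m := SUDO_RE.search(line):
            summary["sudo"].append((m["runner"], m["target"], m["cmd"]))
        elif m := USERADD_RE.search(line):
            summary["new_users"].append((m["name"], int(m["uid"])))
    return summary


def distinct_root_keys(summary):
    """Every key fingerprint that authenticated as root. Reconcile this list
    against the keys you know you installed: an unrecognised one is the lead."""
    return sorted({key for _, user, _, _, key in summary["logins"] if user == "root" and key})


if __name__ == "__main__":
    s = triage(SAMPLE_SECURE_LOG)
    for login in s["logins"]:
        print("login:", login)
    print("root keys seen:", distinct_root_keys(s))
    print("guesses per IP:", dict(s["guesses"]))
    print("new users:", s["new_users"])
```

Against the real file (`triage(open("/var/log/secure").read())`) the pre-auth guesses are background noise; the accepted-publickey lines are what tell you which keys had root and when.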

Answer 1

Can the security log help find out how it was done

No.

Also, this is probably a question for security.stackexchange.com.

Please refer to this discussion: https://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromished-server