我的 VPS 是否受到威胁?

Today I happened to ssh into my VPS and checked htop. I immediately wondered why CPU usage was at 100%, and I found an unknown (to me) screen session running a suspicious "masscan" program.

I was completely shocked, entered the screen session, and saw some completely unknown program running, apparently scanning the internet, random IP addresses and ports. Unfortunately, I forgot to take a screenshot of the console contents before ctrl+c'ing the application.

So it turns out that these strange things were happening in the path /var/lib/rmrf/.files. The contents of that folder are described below. I downloaded the folder in case the sinister stranger tries to wipe their traces. I also checked the last commands, which show that a real person typed them (described below).

Please, can anyone advise what on earth is going on with my VPS?! I suppose I've been hacked, or I'm part of a botnet or something like that? How should I proceed? What action would you recommend I take next? (I have stopped the VPS for now.)

The last shell commands typed in that screen session; I know I didn't type them (the typos show that these commands were typed by a human, not by a script or the like, I'd suggest):

./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti
./rupe
chmod +x rupe
./rupe
chmod +x masscan
chmod +x .*
chmod +x *
./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti
./rupe
chmod +x *
chmod +x .*
./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti
ls -a
chmod +x main
./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti ;./notti

Folder contents:

main
masscan
.sbanner
notti
rupe
.filter
... 161 text documents (with hundreds of thousands of ip addresses each)
bios.txt (hundreds of thousands lines, each "open tcp 6122 x.x.x.x 1665657431" - the last number seems to be counted up of something, it increases by one every couple of lines)
fura 
pass (looks like a list of possible passwords for (random?) usersnames [www-data, uftp, Huawei, steam, root, www, postgres .....], 621 lines, each username fills several lines, each with several possible passwords; one of my accounts (obsolete minecraft server) is included, while others are not)
paused.conf (seems to contain informations for the program to load during the next startup in order to continue)
ports (contains 146 lines of seemingly different ports)
prinse.v5 (379 lines of this format: [ 2 ] - [ ACCOUNTNAME@IP-ADDRESS:PORT Pass: PASSWORD ] - [ A - x86_64 | G - NO ]) The very first number differs from line to line
ultimate.lst (475k lines in the format: 116.206.100.0/22 #subnets?, I am no expert)
users.v5 (seemingly a list of possible account names; seems to be structured by different OS and each with possible account names, 5291 lines)
.resturi.v5 (5775 lines, Format: test test XXX.XXX.XXX.XXX 20022 aarch64 4)
.txt (865k lines with IP addresses)

Banner log:

176.41.224.105 - /multistream/1.0.0
171.6.145.194 - RFB 003.003
111.201.215.224 - SSH-2.0-OpenSSH_8.0
199.15.77.4 - RFB 003.008
188.131.180.65 - HTTP/1.1 302 Redirect
Server: Gnway RProxy Server
Location: http://xiaohe8.ikuai5.com:5353/natforward-yun-404.html?port=6122
Date Thu, 13 Oct 2022 18:37:28 GMT

123.13.215.124 - SSH-2.0-OpenSSH_7.4
8.129.103.205 - SSH-2.0-OpenSSH_7.4
103.131.17.166 - 
111.173.83.64 - D
1.15.74.126 - SSH-2.0-OpenSSH_7.4
202.120.188.70 - SSH-2.0-OpenSSH_7.4
123.57.71.35 - SSH-2.0-OpenSSH_8.0
103.131.17.206 - 
82.156.252.38 - SSH-2.0-OpenSSH_7.4
120.92.50.5 - 
202.148.3.166 - 220 (vsFTPd 2.0.5)
94.103.35.8 - RFB 003.008
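When scoping an incident like the one described above, the first question for the responder is what the hijacked box actually did: how many hosts and ports the scanner hit, over what time window, and which services answered in the banner log, so that abuse reports and owner notifications can be prepared. The following is an added triage example, not code from the original post; it assumes that bios.txt is masscan's list (-oL) output, whose trailing field is a Unix timestamp (which would explain the number that "increases by one every couple of lines"), and it works on constructed sample lines in the same layouts as the post's files, using documentation-range IP addresses.

```python
# Added triage example (not from the original post): parse the two layouts shown above.
# Assumption: bios.txt is masscan list (-oL) output, so its last field is a Unix timestamp.
from collections import Counter
from datetime import datetime, timezone
# Constructed sample in the bios.txt layout ("open tcp PORT IP TIMESTAMP")
MASSCAN_LIST = """\
#masscan
open tcp 6122 192.0.2.10 1665657431
open tcp 6122 192.0.2.11 1665657431
open tcp 22 198.51.100.5 1665657433
"""
# Constructed sample in the banner-log layout ("IP - banner"); last line has an empty banner
BANNER_LOG = """\
192.0.2.10 - SSH-2.0-OpenSSH_7.4
192.0.2.11 - RFB 003.008
198.51.100.5 - HTTP/1.1 302 Redirect
198.51.100.6 - 220 (vsFTPd 2.0.5)
198.51.100.7 -
"""
SERVICE_PREFIXES = (("SSH-", "ssh"), ("RFB ", "vnc"), ("HTTP/", "http"), ("220 ", "ftp"))

def parse_masscan_list(text):
    """Return (state, proto, port, ip, unix_ts) tuples; skip comments and bad lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or line.startswith("#"):
            continue  # tolerate truncated lines instead of aborting triage
        state, proto, port, ip, ts = fields
        records.append((state, proto, int(port), ip, int(ts)))
    return records

def summarize_scan(records):
    """Scope of the scan: distinct targets, ports touched, and the UTC time window."""
    stamps = [r[4] for r in records]
    iso = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    return {"hosts": len({r[3] for r in records}),
            "ports": sorted({r[2] for r in records}),
            "first": iso(min(stamps)), "last": iso(max(stamps))}

def classify_banners(text):
    """Count 'IP - banner' lines per service family; HTTP header continuation lines are skipped."""
    counts = Counter()
    for line in text.splitlines():
        ip, sep, banner = line.partition(" -")
        if not sep:
            continue
        family = next((f for p, f in SERVICE_PREFIXES if banner.strip().startswith(p)), "unknown")
        counts[family] += 1
    return dict(counts)
```

The resulting host count and time window are what the hosting provider's abuse desk will ask for; the service buckets tell you which owners to notify and what they were exposed on.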
