Our server looks almost as if it is under a DDoS attack. When I run netstat -a, I see something I cannot understand (probably because my knowledge is very limited):
root@NC-PH-0456-19:~# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 localhost:8891 *:* LISTEN
tcp 0 0 mail.mydomain.com:https *:* LISTEN
tcp 0 0 ss.itqanserver.com:28 *:* LISTEN
tcp 0 0 localhost:mysql *:* LISTEN
tcp 0 0 *:8686 *:* LISTEN
tcp 0 0 *:webmin *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 mail.mydomain.com:https 172.68.118.86:34823 SYN_RECV
tcp 0 0 mail.mydomain.com:http 162.158.242.18:25496 TIME_WAIT
tcp 0 0 mail.mydomain.com:http 108.162.245.208:12166 TIME_WAIT
tcp 0 0 mail.mydomain.com:https 162.158.178.208:30815 ESTABLISHED
tcp 0 0 mail.mydomain.com:http 162.158.78.147:34651 ESTABLISHED
tcp 0 0 mail.mydomain.com:https 172.68.118.152:35605 ESTABLISHED
tcp 0 0 mail.mydomain.com:https cf-173-245-62-195:19692 ESTABLISHED
tcp 0 0 mail.mydomain.com:http 162.158.241.150:24994 ESTABLISHED
tcp 0 0 mail.mydomain.com:https 108.162.229.205:29668 ESTABLISHED
tcp 0 0 mail.mydomain.com:http 162.158.178.145:28105 TIME_WAIT
tcp 0 0 mail.mydomain.com:http 103.31.5.234:34946 TIME_WAIT
tcp 0 0 mail.mydomain.com:https 108.162.222.143:13795 ESTABLISHED
tcp 0 0 mail.mydomain.com:http 162.158.38.203:14939 ESTABLISHED
tcp 0 0 mail.mydomain.com:http 188.114.103.17:10907 ESTABLISHED
tcp 0 0 mail.mydomain.com:http cf-199-27-128-213:21775 TIME_WAIT
tcp 0 0 mail.mydomain.com:http 162.158.39.201:28791 TIME_WAIT
tcp 0 0 mail.mydomain.com:https 108.162.221.222:22277 ESTABLISHED
... and lots more
mail.mydomain.com is not even related to our server, because it is configured in Cloudflare to point to some external cloud mail server. And all of these foreign addresses belong to Cloudflare, which we are using. For some reason, thousands of mail.mydomain.com connections took our website down for hours...
Are we being attacked/hacked?
Also, we could not use PuTTY, and we had to ask support to disable ufw. How can I tell whether someone has broken through the firewall?
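An added example (not part of the original post) of how to read output like the one above instead of eyeballing it: the script parses netstat-style lines, counts connections per TCP state, separates peers that fall inside Cloudflare's published IPv4 ranges from everyone else, and lists any non-Cloudflare peer talking directly to port 80/443. For a site proxied through Cloudflare, the foreign addresses being Cloudflare edge IPs is expected; the real client addresses are only visible in the web server's access log (the CF-Connecting-IP header), so a pile-up of SYN_RECV or non-Cloudflare peers on the web ports is what deserves attention. The sample output is constructed with RFC 5737 documentation addresses, and the Cloudflare list is a snapshot that should be checked against https://www.cloudflare.com/ips-v4 before use. Run it against live output with `netstat -ant | python3 netstat_summary.py` (numeric output avoids the reverse-DNS names seen in the post).

```python
"""Summarize netstat/ss output: states, Cloudflare vs. other peers, direct web hits."""
import ipaddress
import sys
from collections import Counter

# Constructed sample in `netstat -ant` format (numeric addresses), NOT the poster's output.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:443        172.68.118.86:34823     SYN_RECV
tcp        0      0 203.0.113.10:443        172.68.118.87:34824     SYN_RECV
tcp        0      0 203.0.113.10:80         162.158.242.18:25496    TIME_WAIT
tcp        0      0 203.0.113.10:443        162.158.178.208:30815   ESTABLISHED
tcp        0      0 203.0.113.10:443        108.162.229.205:29668   ESTABLISHED
tcp        0      0 203.0.113.10:80         103.31.5.234:34946      TIME_WAIT
tcp        0      0 203.0.113.10:443        188.114.103.17:10907    ESTABLISHED
tcp        0      0 203.0.113.10:22         198.51.100.7:51002      ESTABLISHED
tcp        0      0 203.0.113.10:443        198.51.100.9:40001      SYN_RECV
"""

# Snapshot of Cloudflare's published IPv4 ranges (assumption: verify against
# https://www.cloudflare.com/ips-v4, the list changes over time).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

WEB_PORTS = {"80", "443"}


def split_addr(addr):
    """'1.2.3.4:443' -> ('1.2.3.4', '443'); also handles ':::22' and '0.0.0.0:*'."""
    host, _, port = addr.rpartition(":")
    return host, port


def to_ip(host):
    """Return an ip_address, or None for '*', '0.0.0.0'-style wildcards and unresolved names."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def is_cloudflare(ip):
    return ip is not None and ip.version == 4 and any(ip in net for net in CLOUDFLARE_V4)


def parse_netstat(text):
    """Yield one dict per TCP connection line; header and non-TCP lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        lhost, lport = split_addr(fields[3])
        fhost, fport = split_addr(fields[4])
        yield {"local": lhost, "lport": lport, "foreign": fhost, "fport": fport, "state": fields[5]}


def summarize(text, syn_recv_threshold=100):
    """Aggregate connections; syn_recv_threshold is an arbitrary alerting knob (assumption)."""
    by_state = Counter()
    origin = Counter()          # 'cloudflare' / 'other' for non-listening sockets
    direct_web_peers = set()    # non-Cloudflare peers hitting 80/443 bypass the proxy
    for c in parse_netstat(text):
        by_state[c["state"]] += 1
        if c["state"] == "LISTEN":
            continue
        ip = to_ip(c["foreign"])
        cf = is_cloudflare(ip)
        origin["cloudflare" if cf else "other"] += 1
        if not cf and c["lport"] in WEB_PORTS:
            direct_web_peers.add(c["foreign"])
    return {
        "by_state": dict(by_state),
        "origin": dict(origin),
        "direct_web_peers": sorted(direct_web_peers),
        "syn_flood_suspect": by_state["SYN_RECV"] >= syn_recv_threshold,
    }


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for key, value in summarize(data).items():
        print(f"{key}: {value}")
```

A large SYN_RECV count with a small ESTABLISHED count is the classic SYN-flood shape; many ESTABLISHED/TIME_WAIT entries from Cloudflare ranges usually just mean heavy proxied traffic and should be traced through the access log. Any entry in `direct_web_peers` means the origin IP is reachable without going through Cloudflare, which is worth closing with a firewall rule that only allows Cloudflare's ranges on 80/443.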