今天早上,我的云托管 Fedora 机器莫名其妙地宕机了,我不知道自己需要有多警惕。这件事发生在 4 月 21 日,系统时间刚过 15:00。
在 中last -x,我看到明显的重启(不是我发起的)没有成功,系统启动了大约 1 小时 20 分钟,之后就停止了。
swaldman pts/0 64.71.8.198 Mon Apr 22 01:11 still logged in
reboot system boot 4.18.19-100.fc27 Mon Apr 22 01:11 still running
swaldman pts/0 64.71.8.198 Mon Apr 22 00:40 - 01:10 (00:30)
swaldman tty1 Mon Apr 22 00:37 - 00:39 (00:02)
reboot system boot 4.18.19-100.fc27 Mon Apr 22 00:36 - 01:11 (00:34)
reboot system boot 4.18.19-100.fc27 Sun Apr 21 15:04 - 01:11 (10:07)
swaldman pts/0 198.27.182.181 Sat Apr 13 19:27 - 05:08 (09:40)
swaldman pts/0 198.27.182.181 Fri Apr 12 06:50 - 09:04 (02:14)
swaldman pts/0 198.27.182.181 Thu Apr 11 00:12 - 20:46 (20:33)
像往常一样,有很多失败的尝试,这些尝试可能都是某种攻击。但真正奇怪的是事件发生时输出ssh中有一堆空白条目:lastb
(更新:进一步调查显示,服务 —geth或go-ethereum崩溃,然后在重启之前尝试重启。重启后,该服务持续出现故障,发出错误消息,一些与服务有关geth[774]: ########## BAD BLOCK #########,一些看起来像磁盘问题,kernel: print_req_error: I/O error, dev vda, sector 665884656直到服务器崩溃。目前,它运行正常,包括之前有问题的geth服务。也许我的主机可能出现了硬件问题,他们已经解决了?不过,空白lastb条目看起来真的很奇怪。但它们可能对应于 1 小时 20 分钟的不幸重启期间的失败登录尝试。奇怪的是,记录这些尝试既不会成功也不会失败,而是部分失败,留下这些空白条目。)
andrey ssh:notty 51.77.201.36 Mon Apr 22 00:40 - 00:40 (00:00)
andrey ssh:notty 51.77.201.36 Mon Apr 22 00:40 - 00:40 (00:00)
default ssh:notty 206.189.197.48 Mon Apr 22 00:40 - 00:40 (00:00)
default ssh:notty 206.189.197.48 Mon Apr 22 00:40 - 00:40 (00:00)
root ssh:notty 182.113.224.25 Mon Apr 22 00:39 - 00:39 (00:00)
root ssh:notty 182.113.224.25 Mon Apr 22 00:39 - 00:39 (00:00)
root ssh:notty 182.113.224.25 Mon Apr 22 00:39 - 00:39 (00:00)
root ssh:notty 182.113.224.25 Mon Apr 22 00:39 - 00:39 (00:00)
root ssh:notty 182.113.224.25 Mon Apr 22 00:39 - 00:39 (00:00)
root ssh:notty 182.113.224.25 Mon Apr 22 00:39 - 00:39 (00:00)
swaldman tty1 Mon Apr 22 00:37 - 00:37 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
Thu Jan 1 00:00 - 00:00 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:02 - 15:02 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:02 - 15:02 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:02 - 15:02 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:02 - 15:02 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:02 - 15:02 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:02 - 15:02 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:02 - 15:02 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:02 - 15:02 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:02 - 15:02 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:02 - 15:02 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:02 - 15:02 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:02 - 15:02 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:02 - 15:02 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:02 - 15:02 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:02 - 15:02 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:01 - 15:01 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:01 - 15:01 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:01 - 15:01 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:01 - 15:01 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:01 - 15:01 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:01 - 15:01 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:01 - 15:01 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:01 - 15:01 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:01 - 15:01 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:01 - 15:01 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:01 - 15:01 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:01 - 15:01 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:01 - 15:01 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:01 - 15:01 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:01 - 15:01 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:01 - 15:01 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:01 - 15:01 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:00 - 15:00 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:00 - 15:00 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:00 - 15:00 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:00 - 15:00 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:00 - 15:00 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:00 - 15:00 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:00 - 15:00 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:00 - 15:00 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:00 - 15:00 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:00 - 15:00 (00:00)
hydra ssh:notty 119.197.77.52 Sun Apr 21 15:00 - 15:00 (00:00)
root ssh:notty 218.92.0.167 Sun Apr 21 15:00 - 15:00 (00:00)
有人遇到过这类空白条目吗?
除此之外,我找不到任何入侵的证据。乐观的看法是,某些东西设法导致了崩溃,但除此之外没有成功。显然,悲观的看法是,入侵者掩盖了她的踪迹(除了 中的这些空白条目lastb)。我相信明智的做法是宁可悲观,但如果有人以前遇到过这样的空白条目,我将不胜感激任何见解或经验。
非常感谢!