Suspicious USB activity on a server

I work on a team of system administrators. We manage several servers. They all run Debian (various versions). They sit in a locked cabinet in a data center.

Recently I added logcheck to our servers and started tuning the pattern exclusion lists so that only relevant events reach my inbox.

The other day I received log lines like these from some of the servers:

Oct 19 17:22:55 hostname kernel: [22489246.934130] usb 1-3: USB disconnect, device number 2
Oct 19 17:23:10 hostname kernel: [22489261.782146] usb 1-3: new high-speed USB device number 3 using xhci_hcd
Oct 19 17:23:10 hostname kernel: [22489261.930822] usb 1-3: New USB device found, idVendor=413c, idProduct=a001, bcdDevice= 0.00
Oct 19 17:23:10 hostname kernel: [22489261.931839] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Oct 19 17:23:10 hostname kernel: [22489261.932839] usb 1-3: Product: Gadget USB HUB
Oct 19 17:23:10 hostname kernel: [22489261.933818] usb 1-3: Manufacturer: no manufacturer
Oct 19 17:23:10 hostname kernel: [22489261.934791] usb 1-3: SerialNumber: 0123456789
Oct 19 17:23:10 hostname kernel: [22489261.936236] hub 1-3:1.0: USB hub found
Oct 19 17:23:10 hostname kernel: [22489261.937270] hub 1-3:1.0: 6 ports detected
Oct 19 17:23:40 hostname kernel: [22489292.138234] usb 1-3.1: new high-speed USB device number 4 using xhci_hcd
Oct 19 17:23:40 hostname kernel: [22489292.282886] usb 1-3.1: New USB device found, idVendor=0624, idProduct=0249, bcdDevice= 0.00
Oct 19 17:23:40 hostname kernel: [22489292.283682] usb 1-3.1: New USB device strings: Mfr=4, Product=5, SerialNumber=6
Oct 19 17:23:40 hostname kernel: [22489292.284475] usb 1-3.1: Product: Keyboard/Mouse Function
Oct 19 17:23:40 hostname kernel: [22489292.285256] usb 1-3.1: Manufacturer: Avocent
Oct 19 17:23:40 hostname kernel: [22489292.286093] usb 1-3.1: SerialNumber: 20121018
Oct 19 17:23:40 hostname kernel: [22489292.605240] hidraw: raw HID events driver (C) Jiri Kosina
Oct 19 17:23:40 hostname kernel: [22489292.632594] usbhid: USB HID core driver
Oct 19 17:23:40 hostname kernel: [22489292.699438] input: Avocent Keyboard/Mouse Function as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3.1/1-3.1:1.0/0003:0624:0249.0001/input/input3
Oct 19 17:23:40 hostname kernel: [22489292.758415] hid-generic 0003:0624:0249.0001: input,hidraw0: USB HID v1.00 Keyboard [Avocent Keyboard/Mouse Function] on usb-0000:00:14.0-3.1/input0
Oct 19 17:23:40 hostname kernel: [22489292.760141] input: Avocent Keyboard/Mouse Function as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3.1/1-3.1:1.1/0003:0624:0249.0002/input/input4
Oct 19 17:23:40 hostname kernel: [22489292.761879] hid-generic 0003:0624:0249.0002: input,hidraw1: USB HID v1.00 Mouse [Avocent Keyboard/Mouse Function] on usb-0000:00:14.0-3.1/input1
Oct 19 17:23:40 hostname kernel: [22489292.763970] input: Avocent Keyboard/Mouse Function as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3.1/1-3.1:1.2/0003:0624:0249.0003/input/input5
Oct 19 17:23:40 hostname kernel: [22489292.765991] hid-generic 0003:0624:0249.0003: input,hidraw2: USB HID v1.00 Mouse [Avocent Keyboard/Mouse Function] on usb-0000:00:14.0-3.1/input2
Oct 19 17:23:41 hostname systemd-logind[505]: Watching system buttons on /dev/input/event3 (Avocent Keyboard/Mouse Function)
Oct 19 17:23:41 hostname kernel: [22489292.910229] usb 1-3.3: new high-speed USB device number 5 using xhci_hcd
Oct 19 17:23:41 hostname kernel: [22489293.052536] usb 1-3.3: New USB device found, idVendor=413c, idProduct=a102, bcdDevice= 3.29
Oct 19 17:23:41 hostname kernel: [22489293.053347] usb 1-3.3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Oct 19 17:23:41 hostname kernel: [22489293.054137] usb 1-3.3: Product: iDRAC Virtual NIC USB Device
Oct 19 17:23:41 hostname kernel: [22489293.054919] usb 1-3.3: Manufacturer: Dell(TM)
Oct 19 17:23:41 hostname systemd-udevd[13345]: Using default interface naming scheme 'v240'.
Oct 19 17:23:41 hostname kernel: [22489293.162373] cdc_ether 1-3.3:1.0 usb0: register 'cdc_ether' at usb-0000:00:14.0-3.3, CDC Ethernet Device, be:11:91:5e:b3:b1
Oct 19 17:23:41 hostname systemd-udevd[13345]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Oct 19 17:23:41 hostname kernel: [22489293.295645] cdc_ether 1-3.3:1.0 idrac: renamed from usb0
Oct 19 17:23:42 hostname systemd-udevd[13348]: Using default interface naming scheme 'v240'.
Oct 19 17:23:44 hostname kernel: [22489296.471088] usb 1-3.3: USB disconnect, device number 5
Oct 19 17:23:44 hostname kernel: [22489296.471826] cdc_ether 1-3.3:1.0 idrac: unregister 'cdc_ether' usb-0000:00:14.0-3.3, CDC Ethernet Device
Oct 19 17:24:01 hostname kernel: [22489313.623135] usb 1-3.1: USB disconnect, device number 4
Oct 19 17:24:01 hostname acpid: input device has been disconnected, fd 8

I searched for "Avocent" and found some keyboard/video/mouse devices.

Here is the output of lspci on the server:

00:00.0 Host bridge: Intel Corporation Skylake Host Bridge/DRAM Registers (rev 07)
00:01.0 PCI bridge: Intel Corporation Skylake PCIe Controller (x16) (rev 07)
00:01.1 PCI bridge: Intel Corporation Skylake PCIe Controller (x8) (rev 07)
00:01.2 PCI bridge: Intel Corporation Skylake PCIe Controller (x4) (rev 07)
00:14.0 USB controller: Intel Corporation Sunrise Point-H USB 3.0 xHCI Controller (rev 31)
00:14.2 Signal processing controller: Intel Corporation Sunrise Point-H Thermal subsystem (rev 31)
00:16.0 Communication controller: Intel Corporation Sunrise Point-H CSME HECI #1 (rev 31)
00:16.1 Communication controller: Intel Corporation Sunrise Point-H CSME HECI #2 (rev 31)
00:17.0 SATA controller: Intel Corporation Sunrise Point-H SATA controller [AHCI mode] (rev 31)
00:1d.0 PCI bridge: Intel Corporation Sunrise Point-H PCI Express Root Port #9 (rev f1)
00:1d.2 PCI bridge: Intel Corporation Sunrise Point-H PCI Express Root Port #11 (rev f1)
00:1f.0 ISA bridge: Intel Corporation Sunrise Point-H LPC Controller (rev 31)
00:1f.2 Memory controller: Intel Corporation Sunrise Point-H PMC (rev 31)
00:1f.4 SMBus: Intel Corporation Sunrise Point-H SMBus (rev 31)
03:00.0 RAID bus controller: LSI Logic / Symbios Logic MegaRAID SAS-3 3108 [Invader] (rev 02)
04:00.0 Ethernet controller: Broadcom Limited NetXtreme BCM5720 Gigabit Ethernet PCIe
04:00.1 Ethernet controller: Broadcom Limited NetXtreme BCM5720 Gigabit Ethernet PCIe
05:00.0 PCI bridge: Renesas Technology Corp. SH7758 PCIe Switch [PS]
06:00.0 PCI bridge: Renesas Technology Corp. SH7758 PCIe Switch [PS]
07:00.0 PCI bridge: Renesas Technology Corp. SH7758 PCIe-PCI Bridge [PPB]
08:00.0 VGA compatible controller: Matrox Electronics Systems Ltd. G200eR2 (rev 01)

Output of lsusb:

Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 413c:a001 Dell Computer Corp. Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

The chance that someone plugged a device into the server is extremely small, but it is possible. I am asking here because, if this is a normal event on a server, I may also be overreacting.

Any idea what this is about?

Thanks
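One way to turn a burst of kernel USB lines like the ones above into something reviewable is to group them by USB port path, so that a device's position behind a hub is visible, and then list every device that enumerated a keyboard or network function and is not on an operator-maintained allowlist. The script below is an added example, not code from the question's author or from logcheck. It assumes the message formats shown in the question (`New USB device found`, `Product:`, `hid-generic`, `cdc_ether ... register`, `USB disconnect`); other kernel versions may phrase them slightly differently. The sample log is a subset of the lines quoted in the question, and the allowlist in `main()` is a constructed placeholder, not a statement about which of these devices are expected.

```python
"""Triage helper for kernel USB hot-plug lines as they appear in syslog/logcheck mail.

Added example (not the question author's code). Parses the kernel's USB
enumeration messages, groups them by port path (so "1-3.1" is shown as port 1
of the hub at "1-3"), and reports devices with keyboard or network functions
that are not on an allowlist the operator maintains.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: a subset of the kernel lines quoted in the question.
SAMPLE_LOG = """\
Oct 19 17:22:55 hostname kernel: [22489246.934130] usb 1-3: USB disconnect, device number 2
Oct 19 17:23:10 hostname kernel: [22489261.930822] usb 1-3: New USB device found, idVendor=413c, idProduct=a001, bcdDevice= 0.00
Oct 19 17:23:10 hostname kernel: [22489261.932839] usb 1-3: Product: Gadget USB HUB
Oct 19 17:23:10 hostname kernel: [22489261.933818] usb 1-3: Manufacturer: no manufacturer
Oct 19 17:23:10 hostname kernel: [22489261.937270] hub 1-3:1.0: 6 ports detected
Oct 19 17:23:40 hostname kernel: [22489292.282886] usb 1-3.1: New USB device found, idVendor=0624, idProduct=0249, bcdDevice= 0.00
Oct 19 17:23:40 hostname kernel: [22489292.284475] usb 1-3.1: Product: Keyboard/Mouse Function
Oct 19 17:23:40 hostname kernel: [22489292.285256] usb 1-3.1: Manufacturer: Avocent
Oct 19 17:23:40 hostname kernel: [22489292.758415] hid-generic 0003:0624:0249.0001: input,hidraw0: USB HID v1.00 Keyboard [Avocent Keyboard/Mouse Function] on usb-0000:00:14.0-3.1/input0
Oct 19 17:23:40 hostname kernel: [22489292.761879] hid-generic 0003:0624:0249.0002: input,hidraw1: USB HID v1.00 Mouse [Avocent Keyboard/Mouse Function] on usb-0000:00:14.0-3.1/input1
Oct 19 17:23:41 hostname kernel: [22489293.052536] usb 1-3.3: New USB device found, idVendor=413c, idProduct=a102, bcdDevice= 3.29
Oct 19 17:23:41 hostname kernel: [22489293.054137] usb 1-3.3: Product: iDRAC Virtual NIC USB Device
Oct 19 17:23:41 hostname kernel: [22489293.054919] usb 1-3.3: Manufacturer: Dell(TM)
Oct 19 17:23:41 hostname kernel: [22489293.162373] cdc_ether 1-3.3:1.0 usb0: register 'cdc_ether' at usb-0000:00:14.0-3.3, CDC Ethernet Device, be:11:91:5e:b3:b1
Oct 19 17:23:44 hostname kernel: [22489296.471088] usb 1-3.3: USB disconnect, device number 5
Oct 19 17:24:01 hostname kernel: [22489313.623135] usb 1-3.1: USB disconnect, device number 4
"""

# Patterns for the kernel message formats shown in the question.
NEW_RE = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
STR_RE = re.compile(r"usb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.*)$")
HUB_RE = re.compile(r"hub (?P<port>[\d.-]+):\d+\.\d+: (?P<n>\d+) ports detected")
HID_RE = re.compile(r"hid-generic \d{4}:(?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4})\.\d+: \S+ USB HID v[\d.]+ (?P<kind>\w+)")
NET_RE = re.compile(r"cdc_ether (?P<port>[\d.-]+):\d+\.\d+ \S+: register 'cdc_ether'")
DISC_RE = re.compile(r"usb (?P<port>[\d.-]+): USB disconnect, device number (?P<num>\d+)")


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    product: str = ""
    manufacturer: str = ""
    serial: str = ""
    hub_ports: int = 0                                    # >0 if the device is itself a hub
    hid_kinds: List[str] = field(default_factory=list)    # e.g. ["Keyboard", "Mouse"]
    has_net: bool = False                                 # a cdc_ether interface was registered
    disconnected: bool = False

    @property
    def parent(self) -> Optional[str]:
        # "1-3.1" is port 1 of the hub at "1-3"; "1-3" hangs directly off root hub 1.
        return self.port.rsplit(".", 1)[0] if "." in self.port else None

    @property
    def usb_id(self) -> str:
        return f"{self.vid}:{self.pid}"


def parse_usb_events(text: str) -> Dict[str, UsbDevice]:
    """Build one UsbDevice per port path from kernel log text (latest device per port wins)."""
    devices: Dict[str, UsbDevice] = {}
    attr_for = {"Product": "product", "Manufacturer": "manufacturer", "SerialNumber": "serial"}
    for line in text.splitlines():
        if (m := NEW_RE.search(line)):
            devices[m["port"]] = UsbDevice(m["port"], m["vid"], m["pid"])
        elif (m := STR_RE.search(line)) and m["port"] in devices:
            setattr(devices[m["port"]], attr_for[m["key"]], m["val"].strip())
        elif (m := HUB_RE.search(line)) and m["port"] in devices:
            devices[m["port"]].hub_ports = int(m["n"])
        elif (m := HID_RE.search(line)):
            # hid-generic lines carry vendor:product rather than the port, so attach by ID.
            for dev in devices.values():
                if (dev.vid, dev.pid) == (m["vid"], m["pid"]):
                    dev.hid_kinds.append(m["kind"])
        elif (m := NET_RE.search(line)) and m["port"] in devices:
            devices[m["port"]].has_net = True
        elif (m := DISC_RE.search(line)) and m["port"] in devices:
            devices[m["port"]].disconnected = True
    return devices


def triage(devices: Dict[str, UsbDevice], allowlist: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (port, vid:pid, reason) for devices a human should look at."""
    findings: List[Tuple[str, str, str]] = []
    for dev in sorted(devices.values(), key=lambda d: d.port):
        if dev.usb_id in allowlist:
            continue
        if dev.hub_ports:
            findings.append((dev.port, dev.usb_id, f"hub with {dev.hub_ports} ports"))
        if "Keyboard" in dev.hid_kinds:
            findings.append((dev.port, dev.usb_id, "keyboard interface enumerated"))
        if dev.has_net:
            findings.append((dev.port, dev.usb_id, "network interface registered"))
    return findings


def main() -> None:
    devices = parse_usb_events(SAMPLE_LOG)
    for dev in sorted(devices.values(), key=lambda d: d.port):
        state = "gone" if dev.disconnected else "present"
        print(f"{dev.port:8} parent={dev.parent or 'root':6} {dev.usb_id} "
              f"{dev.manufacturer!r} {dev.product!r} hid={dev.hid_kinds} net={dev.has_net} [{state}]")
    # Placeholder allowlist (constructed); a real one comes from your inventory of each host.
    for port, usb_id, reason in triage(devices, allowlist=set()):
        print(f"REVIEW {port} {usb_id}: {reason}")


if __name__ == "__main__":
    main()
```

Running it on the sample prints the three devices with their parent port, then three review lines; once the IDs you have confirmed for a given host are in the allowlist, the same events produce no findings, which is the condition under which the matching logcheck ignore rule is reasonable.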
