Centos被黑了,如何找出后门?

Thank you for coming; first of all, I hope you can forgive my English!

I rented a VPS and only use it as a pptpd server. A few days ago I ssh'd into it and felt something was wrong. I ran last and got an error, something like the directory or file has been moved.
</grReplace_placeholder_do_not_emit>

I ran cat /var/log/secure and saw a lot of failed ssh messages, but also two or three "Accepted" entries that I am sure were not me. So I changed the password, checked /etc/passwd, and changed the sshd port to 1973. Everything looked normal.

When I typed netstat -anpt, a process with a name like rc.d/statd was listening on a port; is this the leak through which it got hacked?

Then I blocked every inbound port except ssh=1973 and pptp=1723, but it does not seem to work.

They can still establish connections and run commands without a user.
What should I do?

Here is the information I got; I hope it is useful.

[root@US-seven ~]# netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:1973                0.0.0.0:*                   LISTEN      1578/sshd           
tcp        0      0 0.0.0.0:1723                0.0.0.0:*                   LISTEN      6662/pptpd          
tcp        0      0 VPS  IP:56585               149.202.219.49:1520         TIME_WAIT   -                   
tcp        0     48 VPS  IP:1973                my ip:47087                 ESTABLISHED 24672/sshd          
tcp        0      1 VPS  IP:57480               69.30.224.86:80             SYN_SENT    16610/sdpd          
tcp        0      0 VPS  IP:55069               149.202.219.49:1520         ESTABLISHED 27236/ls -la        
tcp        0      0 VPS  IP:1723                my ip:47689                 ESTABLISHED 26120/pptpd [59.53. 
tcp        0      1 127.0.1.1:43002             127.0.1.1:3306              SYN_SENT    16610/sdpd          
tcp        0      0 VPS  IP:46561               158.69.219.235:80           TIME_WAIT   -                   
tcp        0      0 :::1973                     :::*                        LISTEN      1578/sshd           
[root@US-seven ~]# netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:1973                0.0.0.0:*                   LISTEN      1578/sshd           
tcp        0      0 0.0.0.0:1723                0.0.0.0:*                   LISTEN      6662/pptpd          
tcp        0      1 VPS  IP:57517               69.30.224.86:80             SYN_SENT    16610/sdpd          
tcp        0     96 VPS  IP:1973                my ip:47087                 ESTABLISHED 24672/sshd          
tcp        0      0 VPS  IP:55069               149.202.219.49:1520         ESTABLISHED 27236/ls -la        
tcp        0      1 127.0.1.1:43036             127.0.1.1:3306              SYN_SENT    16610/sdpd          
tcp        0      0 VPS  IP:1723                my ip:47689                 ESTABLISHED 26120/pptpd [59.53. 
tcp        0      0 :::1973                     :::*                        LISTEN      1578/sshd           
[root@US-seven ~]# skill -9 27236
[root@US-seven ~]# netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:1973                0.0.0.0:*                   LISTEN      1578/sshd           
tcp        0      0 0.0.0.0:1723                0.0.0.0:*                   LISTEN      6662/pptpd          
tcp        0      1 127.0.1.1:43051             127.0.1.1:3306              SYN_SENT    16610/sdpd          
tcp        0     48 VPS  IP:1973                my ip:47087                 ESTABLISHED 24672/sshd          
tcp        0    272 VPS  IP:34746               164.132.170.78:1520         ESTABLISHED 27888/pwd           
tcp        0      0 VPS  IP:46611               158.69.219.235:80           ESTABLISHED 27888/pwd           
tcp        0      0 VPS  IP:55069               149.202.219.49:1520         TIME_WAIT   -                   
tcp        0      0 VPS  IP:34740               164.132.170.78:1520         ESTABLISHED 27886/sh            
tcp        0      0 VPS  IP:1723                my ip:47689                 ESTABLISHED 26120/pptpd [59.53. 
tcp        0      1 VPS  IP:57533               69.30.224.86:80             SYN_SENT    16610/sdpd          
tcp        0      0 :::1973                     :::*                        LISTEN      1578/sshd           
[root@US-seven ~]# skill -9 27886
[root@US-seven ~]# skill -9 27888
[root@US-seven ~]# netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:1973                0.0.0.0:*                   LISTEN      1578/sshd           
tcp        0      0 0.0.0.0:1723                0.0.0.0:*                   LISTEN      6662/pptpd          
tcp        0     48 VPS  IP:1973                my ip:47087                 ESTABLISHED 24672/sshd          
tcp        0      0 VPS  IP:55129               149.202.219.49:1520         TIME_WAIT   -                   
tcp        0      0 VPS  IP:46611               158.69.219.235:80           TIME_WAIT   -                   
tcp        0      1 VPS  IP:57551               69.30.224.86:80             SYN_SENT    16610/sdpd          
tcp        0      1 127.0.1.1:43074             127.0.1.1:3306              SYN_SENT    16610/sdpd          
tcp        0      0 VPS  IP:55069               149.202.219.49:1520         TIME_WAIT   -                   
tcp        0      0 VPS  IP:34740               164.132.170.78:1520         TIME_WAIT   -                   
tcp        0      0 VPS  IP:1723                my ip:47689                 ESTABLISHED 26120/pptpd [59.53. 
tcp        0      0 VPS  IP:34764               164.132.170.78:1520         ESTABLISHED 28211/id            
tcp        0      0 :::1973                     :::*                        LISTEN      1578/sshd           
[root@US-seven ~]# netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:1973                0.0.0.0:*                   LISTEN      1578/sshd           
tcp        0      0 0.0.0.0:1723                0.0.0.0:*                   LISTEN      6662/pptpd          
tcp        0     48 VPS  IP:1973                my ip:47087                 ESTABLISHED 24672/sshd          
tcp        0      0 VPS  IP:55129               149.202.219.49:1520         TIME_WAIT   -                   
tcp        0      0 VPS  IP:46611               158.69.219.235:80           TIME_WAIT   -                   
tcp        0      0 VPS  IP:55069               149.202.219.49:1520         TIME_WAIT   -                   
tcp        0      0 VPS  IP:34740               164.132.170.78:1520         TIME_WAIT   -                   
tcp        0      1 VPS  IP:57562               69.30.224.86:80             SYN_SENT    16610/sdpd          
tcp        0      1 127.0.1.1:43083             127.0.1.1:3306              SYN_SENT    16610/sdpd          
tcp        0      0 VPS  IP:1723                my ip:47689                 ESTABLISHED 26120/pptpd [59.53. 
tcp        0      0 VPS  IP:34764               164.132.170.78:1520         ESTABLISHED 28211/id            
tcp        0      0 :::1973                     :::*                        LISTEN      1578/sshd           
[root@US-seven ~]# netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:1973                0.0.0.0:*                   LISTEN      1578/sshd           
tcp        0      0 0.0.0.0:1723                0.0.0.0:*                   LISTEN      6662/pptpd          
tcp        0    240 VPS  IP:1973                my ip:47087                 ESTABLISHED 24672/sshd          
tcp        0      1 127.0.1.1:44133             127.0.1.1:3306              SYN_SENT    16610/sdpd          
tcp        0      1 VPS  IP:58614               69.30.224.86:80             SYN_SENT    16610/sdpd          
tcp        0      0 VPS  IP:1723                my ip:47689                 ESTABLISHED 26120/pptpd [59.53. 
tcp        0      0 VPS  IP:34764               164.132.170.78:1520         ESTABLISHED 28211/id            
tcp        0      0 :::1973                     :::*                        LISTEN      1578/sshd        

And here are some commands that were not run by me:

root      2079     1  0 Aug23 ?        00:00:01 auditd
root      6662     1  0 Aug23 ?        00:00:00 /usr/sbin/pptpd
root      6728   467  0 Aug23 ?        00:00:00 /sbin/udevd -d
root     16610     1  0 Aug23 ?        00:04:57 /usr/sbin/sdpd  
root     24672  1578  0 13:21 ?        00:00:00 sshd: root@pts/0 
root     24734 24672  0 13:21 pts/0    00:00:00 -bash
root     26120  6662  0 13:25 ?        00:00:02 pptpd [my ip:CD78 - 0380]                                                                             
root     26121 26120  0 13:25 ?        00:00:00 /usr/sbin/pppd local file /etc/ppp/options.pptpd 115200 192.168.0.1:172.24.24.100 ipparam my ip plugin
root     28211     1  0 13:30 ?        00:00:01 id                 
root     40702     1  0 14:02 ?        00:00:00 /usr/sbin/acpid           
root     40705     1  0 14:02 ?        00:00:00 /usr/libexec/gnome-vfs-daemon
root     40709     1  0 14:02 ?        00:00:00 /lib/systemd/systemd --user
root     40713     1  0 14:02 ?        00:00:00 klogd -x                  
root     40714     1  0 14:02 ?        00:00:00 /lib/systemd/systemd --user
root     40722     1  0 14:02 ?        00:00:00 grep "A"                          
root     40724     1  0 14:02 ?        00:00:00 ifconfig                          
root     40727     1  0 14:02 ?        00:00:00 sh                          
root     40728     1  0 14:02 ?        00:00:00 cat resolv.conf                          
root     40729     1  0 14:02 ?        00:00:00 whoami                          
root     40730 24734  3 14:02 pts/0    00:00:00 ps -ef

Answer 1

There is no simple answer to where the backdoor is, but you can find some information that helps you identify it more carefully.

First:

The best idea is to delete the VPS and deploy a new one.

The processes run under the root user, and somebody got access as root (maybe they just guessed your password), so:

  • Change the root password (and use a strong one)
  • Change the ssh keys (remove all old/unknown keys from /root/.ssh/authorized_keys)
  • Only allow ssh access from your IP
  • Last but not least, update the kernel (it may have security issues).

Also check all users on the server and do the same for them.

Check whether anything has changed in the rpm packages: rpm -aV (if a binary such as sshd has a different md5sum, permissions, etc., that is a big problem. For more details see the VERIFY OPTIONS section in man rpm).

For identification:

Do not kill the running processes; instead try to investigate where they come from. You can start with pstree, which shows the parent processes, e.g. pstree -s -p <pid>.

You can find some information in /proc/. cat /proc/<pid>/status gives you details. You can check the files used by the process with ls -l /proc/<pid>/fd; ls -l /proc/<pid>/cwd shows you a link to the current working directory. Check the executable through the link ls -l /proc/<pid>/exe and the arguments with cat /proc/<pid>/cmdline. You can find more in /proc/; check the documentation for details.

Good luck :)

For the future:

Disable root login over ssh, log in as a normal user and use sudo to switch to root. Block ssh from all IPs other than your own, and install and configure fail2ban for ssh to block incoming bots that guess passwords.
