全球主机交流论坛 (Global Hosting Discussion Forum)

burst vps hacker intrusion: everyone take precautions

1#
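Posted 2011-10-11 05:09:08
Over the past few days I've been hit by a large number of weak-password scans. I've put the website on hold for now and am spending a few days sorting out server security. Looking through the logs, I found that someone from Hong Kong had actually broken in. Luckily I caught it in time this time and have put security measures in place; I still need to check for remaining gaps.
Can everyone take a look: have they already got a shell?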

    Last login: Mon Oct 10 05:26:02 2011 from 183.3.192.138
    [root@vps ~]# more /var/log/secure
    Oct  9 03:49:08 vps sshd[8184]: Did not receive identification string from 217.27.88.236
    Oct  9 03:49:08 vps sshd[8185]: Did not receive identification string from 217.27.88.236
    Oct  9 03:49:08 vps sshd[8186]: Did not receive identification string from 217.27.88.236
    Oct  9 03:49:08 vps sshd[8187]: Did not receive identification string from 217.27.88.236
    Oct  9 03:49:08 vps sshd[8188]: Did not receive identification string from 217.27.88.236
    Oct  9 03:49:08 vps sshd[8189]: Did not receive identification string from 217.27.88.236
    Oct  9 03:49:08 vps sshd[8190]: Did not receive identification string from 217.27.88.236
    Oct  9 03:49:08 vps sshd[8191]: Did not receive identification string from 217.27.88.236
    Oct  9 03:49:08 vps sshd[9216]: Did not receive identification string from 217.27.88.236
    Oct  9 03:49:08 vps sshd[9218]: Did not receive identification string from 217.27.88.236
    Oct  9 03:49:08 vps sshd[9219]: Did not receive identification string from 217.27.88.236
    Oct  9 03:49:08 vps sshd[9220]: Did not receive identification string from 217.27.88.236
    Oct  9 03:49:08 vps sshd[9217]: Did not receive identification string from 217.27.88.236
    Oct  9 03:49:33 vps sshd[9221]: Did not receive identification string from 217.27.88.236
    Oct  9 03:49:33 vps sshd[9222]: Did not receive identification string from 217.27.88.236
    Oct  9 04:31:35 vps sshd[9459]: Did not receive identification string from 217.27.88.236
    Oct  9 04:31:35 vps sshd[9460]: Did not receive identification string from 217.27.88.236
    Oct  9 04:31:35 vps sshd[9461]: Did not receive identification string from 217.27.88.236
    Oct  9 04:31:35 vps sshd[9458]: Did not receive identification string from 217.27.88.236
    Oct  9 04:31:35 vps sshd[9462]: Did not receive identification string from 217.27.88.236
    Oct  9 04:31:35 vps sshd[9463]: Did not receive identification string from 217.27.88.236
    Oct  9 04:31:35 vps sshd[9465]: Did not receive identification string from 217.27.88.236
    Oct  9 04:31:35 vps sshd[9466]: Did not receive identification string from 217.27.88.236
    Oct  9 04:31:35 vps sshd[9467]: Did not receive identification string from 217.27.88.236
    Oct  9 04:31:35 vps sshd[9468]: Did not receive identification string from 217.27.88.236
    Oct  9 04:31:35 vps sshd[9464]: Did not receive identification string from 217.27.88.236
    Oct  9 04:31:35 vps sshd[9469]: Did not receive identification string from 217.27.88.236
    Oct  9 04:31:35 vps sshd[9470]: Did not receive identification string from 217.27.88.236
    Oct  9 04:32:00 vps sshd[9473]: Did not receive identification string from 217.27.88.236
    Oct  9 04:32:00 vps sshd[9474]: Did not receive identification string from 217.27.88.236
    Oct  9 04:58:39 vps sshd[9542]: Invalid user cadi from 118.142.10.238
    Oct  8 20:58:39 vps sshd[9545]: input_userauth_request: invalid user cadi
    Oct  9 04:58:39 vps sshd[9542]: pam_unix(sshd:auth): check pass; user unknown
    Oct  9 04:58:39 vps sshd[9542]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.142.10.238
    Oct  9 04:58:39 vps sshd[9544]: Invalid user cadi from 118.142.10.238
    Oct  8 20:58:39 vps sshd[9548]: input_userauth_request: invalid user cadi
    Oct  9 04:58:39 vps sshd[9544]: pam_unix(sshd:auth): check pass; user unknown
    Oct  9 04:58:39 vps sshd[9544]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.142.10.238
    Oct  9 04:58:39 vps sshd[9543]: Invalid user cadi from 118.142.10.238
    Oct  8 20:58:39 vps sshd[9547]: input_userauth_request: invalid user cadi
    Oct  9 04:58:39 vps sshd[9543]: pam_unix(sshd:auth): check pass; user unknown
    Oct  9 04:58:39 vps sshd[9543]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.142.10.238
    Oct  9 04:58:39 vps sshd[9546]: Invalid user cadi from 118.142.10.238
    Oct  8 20:58:39 vps sshd[9551]: input_userauth_request: invalid user cadi
    Oct  9 04:58:39 vps sshd[9546]: pam_unix(sshd:auth): check pass; user unknown
    Oct  9 04:58:39 vps sshd[9546]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.142.10.238
    Oct  9 04:58:40 vps sshd[9549]: Invalid user cadi from 118.142.10.238
    Oct  9 04:58:40 vps sshd[9550]: Invalid user cadi from 118.142.10.238
    Oct  8 20:58:40 vps sshd[9552]: input_userauth_request: invalid user cadi
    Oct  9 04:58:40 vps sshd[9549]: pam_unix(sshd:auth): check pass; user unknown
    Oct  9 04:58:40 vps sshd[9549]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.142.10.238
    Oct  8 20:58:40 vps sshd[9553]: input_userauth_request: invalid user cadi
    Oct  9 04:58:40 vps sshd[9550]: pam_unix(sshd:auth): check pass; user unknown
    Oct  9 04:58:40 vps sshd[9550]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.142.10.238
    Oct  9 04:58:41 vps sshd[9549]: Failed password for invalid user cadi from 118.142.10.238 port 38320 ssh2
    Oct  9 04:58:41 vps sshd[9550]: Failed password for invalid user cadi from 118.142.10.238 port 48303 ssh2
    Oct  8 20:58:42 vps sshd[9552]: Received disconnect from 118.142.10.238: 11: Bye Bye
    Oct  8 20:58:42 vps sshd[9553]: Received disconnect from 118.142.10.238: 11: Bye Bye
    Oct  9 04:58:42 vps sshd[9542]: Failed password for invalid user cadi from 118.142.10.238 port 57013 ssh2
    Oct  9 04:58:42 vps sshd[9544]: Failed password for invalid user cadi from 118.142.10.238 port 58110 ssh2
    Oct  9 04:58:42 vps sshd[9543]: Failed password for invalid user cadi from 118.142.10.238 port 51939 ssh2
    Oct  9 04:58:42 vps sshd[9546]: Failed password for invalid user cadi from 118.142.10.238 port 37519 ssh2
    Oct  8 20:58:42 vps sshd[9545]: Received disconnect from 118.142.10.238: 11: Bye Bye

2#
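Original poster | Posted 2011-10-11 05:13:03
217.27.88.236: this IP is from Italy. It has hacked several of my 84; it's the main culprit.
Everyone take note, Italy is known for producing the mafia.
Although I've adjusted the security level, if I don't ban and block this IP, this fight will go on forever.

118.142.10.238 has been scanning ports the whole time, and it looks like it's close to breaking in. You should all go and check yours right away too.

Run the command:    more /var/log/secure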
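
For readers asking the same question as post 1, the line that answers it in `/var/log/secure` is sshd's `Accepted ... for <user> from <ip>`; the other message types in the excerpt are failed or aborted attempts. The following is an added example, not part of the original thread: a small triage script that tallies each message type per source IP and flags any IP that logged in successfully after failing. The sample log, its addresses, the function name `triage` and the threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the /var/log/secure excerpt above.
# Addresses are documentation-range placeholders, and the "Accepted" line is
# invented for the demo; the excerpt in post 1 contains no such line.
SAMPLE = """\
Oct  9 03:49:08 vps sshd[8184]: Did not receive identification string from 192.0.2.10
Oct  9 04:58:39 vps sshd[9542]: Invalid user cadi from 198.51.100.7
Oct  9 04:58:39 vps sshd[9542]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Oct  9 04:58:42 vps sshd[9542]: Failed password for invalid user cadi from 198.51.100.7 port 57013 ssh2
Oct  9 05:01:10 vps sshd[9601]: Failed password for root from 203.0.113.5 port 40022 ssh2
Oct  9 05:01:15 vps sshd[9602]: Accepted password for root from 203.0.113.5 port 40031 ssh2
Oct  8 20:58:42 vps sshd[9545]: Received disconnect from 198.51.100.7: 11: Bye Bye
"""

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# One pattern per sshd message type; pam_unix lines are skipped so that a
# single attempt is not counted twice.
PATTERNS = {
    "probe": re.compile(r"Did not receive identification string from " + IP),
    "invalid_user": re.compile(r"Invalid user (?P<user>\S+) from " + IP),
    "failed": re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from " + IP),
    "accepted": re.compile(r"Accepted \S+ for (?P<user>\S+) from " + IP),
}

def triage(log_text, ban_threshold=3):
    """Return (per-IP counters, IPs that got in after failing, noisy IPs)."""
    stats = defaultdict(lambda: {"probe": 0, "invalid_user": 0, "failed": 0, "accepted": []})
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if kind == "accepted":
                stats[m["ip"]]["accepted"].append(m["user"])
            else:
                stats[m["ip"]][kind] += 1
            break
    # A successful login from an address that also failed deserves a closer look.
    suspicious = {ip: s["accepted"] for ip, s in stats.items()
                  if s["accepted"] and (s["failed"] or s["invalid_user"])}
    noisy = sorted(ip for ip, s in stats.items()
                   if s["probe"] + s["invalid_user"] + s["failed"] >= ban_threshold)
    return dict(stats), suspicious, noisy

if __name__ == "__main__":
    print(triage(SAMPLE, ban_threshold=2)[1:])
```

A flagged address can also be the legitimate admin mistyping a password, so compare it against known login sources before treating it as an intrusion.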
3#
Posted 2011-10-11 08:13:50
Got it, thanks a lot. Install fail2ban.
4#
Original poster | Posted 2011-10-11 08:24:46
Originally posted by cnx on 2011-10-11 08:13:
Got it, thanks a lot. Install fail2ban.

Oh, is this an automatic IP blocking tool??
Is it any good?
5#
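Posted 2011-10-11 12:28:02
Originally posted by 黑马王子 on 2011-10-11 05:13:
217.27.88.236: this IP is from Italy. It has hacked several of my 84; it's the main culprit.
Everyone take note, Italy is known for producing the mafia.
Although I've adjusted the security level, if I don't ban and block this IP, this fight will go on forever.

118.142.10.238 has been scanning ports the whole time, and it looks like it's close to ...

Geez, basically every VPS has been scanned.
This is nothing unusual.
Strengthen your password and change the port.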
6#
Posted 2011-10-11 20:51:28
Already done the SSH port
7#
Posted 2011-10-11 21:29:33
So many bad people
8#
Posted 2011-10-14 12:29:30
Getting scanned is normal; just set a strong password yourself and you'll be fine.