VPS 被攻击了,二进制文件已掏出,有人有兴趣看看吗?

2017-02-13 14:55:52 +08:00
 Axurez

压缩包地址 https://box.zjuqsc.com/-mal ,三个文件, Linux 下请谨慎打开。。。

Linode 告诉我:

Thanks for taking a closer look at this. I've got a recording of some example traffic we've seen. It appears that your Linode is emitting a Syn flood [1] with a destination port of 9008:

13:32:24.508094 IP 139.162.108.74.27713 > 122.226.191.98.9008: Flags [S], seq 1816213842:1816214726, win 60143, length 884 13:32:24.508101 IP 139.162.108.74.62227 > 122.226.191.98.9008: Flags [S], seq 4078117166:4078118031, win 65107, length 865 13:32:24.508104 IP 139.162.108.74.43579 > 122.226.191.98.9008: Flags [S], seq 2856034569:2856035451, win 64204, length 882 13:32:24.508106 IP 139.162.108.74.48818 > 122.226.191.98.9008: Flags [S], seq 3199391525:3199392381, win 61478, length 856 10054 packets captured 66946 packets received by filter 55141 packets dropped by kernel 0.87 seconds

貌似没有登录记录,但是估计应该是被删了。在 /etc/init.d 下放了三个脚本,分别执行这三个可执行文件,脚本形如

#!/bin/sh
# chkconfig: 12345 90 90
# description: ktinazm
### BEGIN INIT INFO
# Provides: ktinazm
# Required-Start:
# Required-Stop:
# Default-Start: 1 2 3 4 5
# Default-Stop:
# Short-Description: ktinazm
### END INIT INFO
case $1 in
start)
	"/bin/mzanitk"
  break
	;;
stop)
  break
	;;
*)
	"/bin/mzanitk"
  break
	;;
esac

两个是在/bin,一个在/usr/bin

有人见过这种恶意程序吗?

732 次点击
所在节点    VPS
0 条回复

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/340134

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX