Linode server suddenly cannot be reached over SSH

2018-11-19 09:44:12 +08:00
 andy0831liu

We rent our servers from Linode, running Ubuntu Server 16.04. Last night users asked why they could not log in to the website and why it was loading so slowly. I logged in to our application server and found in its logs that connections to the database server were timing out. I then tried to SSH to the database server; it hung for a long while and eventually reported "connection timed out". Ping works, and telnet to port 80 works too (the database server also runs Apache), but telnet to port 22 gets no response. Setting that aside, I used Launch Lish Console on Linode to log in to the database server, ran ps -ef|grep ssh, and found the sshd process running normally. However, on this server any apt install times out, while pinging other IPs and domain names from it works fine. SSH from this server to the application server also gives connection timed out (it used to work). iptables is not enabled at all. Running netstat|grep 80 prints a getnameinfo message. How should I troubleshoot this? I did not do anything on the server yesterday; I only discovered the problem when users reported it in the evening.

400 views
Node: VPS
4 replies
andy0831liu
2018-11-19 10:03:49 +08:00
I received a message from Linode:

Hello,

We have received a report of malicious activity originating from your Linode. We ask that you investigate this matter as soon as you are able. Once you have completed your investigation, kindly reply to this ticket with the answers to the following questions:

1) What was the source of the issue?
2) What steps did you take to resolve this issue?
3) What steps did you take to prevent this from occurring again?

Being as this activity is in violation of our Terms of Service, we ask that you reply within the next 24 hours. If we do not receive a reply within that time, we may temporarily disrupt service to your Linode in order to prevent further malicious activity.

-------------------------------------------------------------------
I think my Linode is compromised. How can I tell?
-------------------------------------------------------------------
If you believe that your Linode has been compromised, you can start troubleshooting by auditing the following log files and writable directories:

- /var/log/auth.log : Check this log file for signs of unauthorized access and brute-force attempts. Use the 'last' command to cross reference recent account logins with this file.
- /tmp : This directory is often used by malicious parties to store files
- Web server logs: There may be a vulnerable script or web application. The location of these log files depends on your web server (apache, nginx, etc.) configuration.
- ps aux : Use this command to audit running processes for foreign processes

-------------------------------------------------------------------
My Linode is compromised. What do I do now?
-------------------------------------------------------------------
If you discover that your Linode is compromised, we strongly suggest that you redeploy. It is often very difficult to determine the full scope of a vulnerable system. We have a guide that can assist you with redeploying your server that you can find linked below:

https://www.linode.com/docs/security/recovering-from-a-system-compromise/

During this process, please continue to keep us updated, and let us know if you have any questions.

Regards,
Matt W.
Linode Support



Hello,

I just wanted to reach out and see if you had any new information for us regarding this issue. In order to properly resolve this issue we're going to need responses to the three questions below:

1) What was the source of the issue?
2) What steps did you take to resolve this issue?
3) What steps did you take to prevent this from occurring again?

At this point network restrictions have been placed on this Linode to prevent this malicious activity from continuing to occur.

You will need to use the Linode LISH console to access the Linode and address the issue at this point. To see more information on what the LISH console is and how to use it you can reference the documentation below:

https://www.linode.com/docs/networking/using-the-linode-shell-lish/

Let us know if you have any questions or there's anything that we can assist you with today.

Thanks,
Matt Watts
Linode Support Team


What should I do now? They seem to have already restricted my server's network. How should I reply? I have not deployed WordPress on the server. They suggest redeploying, but the server holds a database, and with the network restricted I have no way to get the data out.
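As an added example (not from the thread or from Linode's documentation), here is the /var/log/auth.log check Linode's email describes, run on constructed sample lines in Ubuntu 16.04 sshd format: it counts failed logins per source address and flags any successful password login from an address that had been failing, which is the pattern that separates "noisy brute force, add a firewall" from "the guessing worked, rebuild". The host name and addresses are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Ubuntu 16.04 /var/log/auth.log format; host name and
# addresses are made up for this example and are not from the thread.
SAMPLE_AUTH_LOG = """\
Nov 18 20:01:02 db1 sshd[2101]: Failed password for root from 198.51.100.23 port 40122 ssh2
Nov 18 20:01:04 db1 sshd[2103]: Failed password for invalid user admin from 198.51.100.23 port 40130 ssh2
Nov 18 20:01:07 db1 sshd[2105]: Failed password for root from 198.51.100.23 port 40141 ssh2
Nov 18 20:01:09 db1 sshd[2107]: Failed password for invalid user oracle from 198.51.100.23 port 40150 ssh2
Nov 18 20:01:12 db1 sshd[2109]: Failed password for root from 198.51.100.23 port 40160 ssh2
Nov 18 20:01:15 db1 sshd[2111]: Accepted password for root from 198.51.100.23 port 40171 ssh2
Nov 18 20:02:30 db1 sshd[2120]: Failed password for deploy from 203.0.113.7 port 51000 ssh2
Nov 18 20:02:41 db1 sshd[2122]: Accepted publickey for deploy from 203.0.113.7 port 51002 ssh2: RSA SHA256:EXAMPLEKEYFINGERPRINT
"""

# One sshd auth result: outcome, method, (possibly "invalid user") name, source IP.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_auth_log(text):
    """Return (failures per IP, usernames tried per IP, accepted logins)."""
    failures = Counter()
    tried_users = defaultdict(set)
    accepted = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # cron, sudo and pam lines are not sshd auth results
        if m["result"] == "Failed":
            failures[m["ip"]] += 1
            tried_users[m["ip"]].add(m["user"])
        else:
            accepted.append((m["ip"], m["user"], m["method"]))
    return failures, tried_users, accepted

def triage(text, threshold=5):
    """Flag brute-force sources and password logins from IPs that were guessing."""
    failures, _, accepted = parse_auth_log(text)
    brute_force = {ip: n for ip, n in failures.items() if n >= threshold}
    # An accepted *password* login from an address that had been failing is
    # the strongest sign in this log that a guessing attack succeeded.
    suspicious = [(ip, user, method) for ip, user, method in accepted
                  if method == "password" and failures[ip] > 0]
    return brute_force, suspicious

if __name__ == "__main__":
    print(triage(SAMPLE_AUTH_LOG))
```

On a real box, feed it the output of `cat /var/log/auth.log*` and compare the flagged addresses against `last` as the email suggests; a key-based login from an address with a single earlier failure (the deploy user above) is not flagged.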
msg7086
2018-11-19 11:52:30 +08:00
Two options. One: spin up another machine in the same region and copy the data out over the private-network IP. Two: create a new volume, attach it to the old machine, copy the data onto it, then after reinstalling the OS attach it again and copy the data back.
andy0831liu
2018-11-19 14:00:03 +08:00
@msg7086 Thanks. The main problem was that Linode had restricted my network access, so no server was reachable; they said my server showed malicious activity. I checked the logs and found many other IPs trying to log in to my server. I then talked with Linode support and had them lift the network restriction, logged in, and used iptables to restrict which IPs can reach which ports. The root cause was simply that there was no firewall.
msg7086
2018-11-19 17:39:33 +08:00
The most important thing is to check whether the server was actually hacked.
If it was, don't overthink it: back up and reinstall the system.
If it wasn't, then locking it down with iptables is enough.

https://www.v2ex.com/t/509123