1. 简单密码是因为原本只考虑当局域网服务器,linux的初始用户密码是root和123456
frp使用情况:
Name
ssh
Port
6022
Connections
0
Traffic In
4.61 MB
Traffic Out
7.00 MB
ClientVersion
0.51.0
Status
online
frp使用情况:
Name
ssh
Port
6022
Connections
0
Traffic In
4.61 MB
Traffic Out
7.00 MB
ClientVersion
0.51.0
Status
online
4. yum.log发现一条安装记录(我21点离开的电脑,这条可疑记录是22:32分的):Oct 16 22:32:06 Installed: rsync-3.1.2-12.el7_9.x86_64(我已经卸载),全名为Remote synchronization,是一款开源的、快速的、多功能的数据同步备份工具。它可以实现本地或远程数据同步备份,包括全量及增量的同步。rsync适用于多种操作系统平台,包括unix、linux和windows等。此外,rsync也支持通过scp、ssh等方式来传输文件,甚至可以通过直接的socket连接。rsync具有可使本地和远程两台主机之间的数据快速复制同步镜像,远程备份的功能,这个功能类似ssh带的scp命令,但又优于scp命令的功能,scp每次都是全量拷贝,而rsync可以增量拷贝。当然,Rsync还可以在本地主机的不同分区或目录之间全量及增量的复制数据,这又类似cp命令,但同样也优于cp命令,cp每次都是全量拷贝,而rsync可以增量拷贝。
7. 一个叫secure的日志文件中,好像记录了被爆破的信息,不过IP好像挨改成127.0.0.1了
Oct 16 22:31:12 centos76 sshd[15608]: Failed password for invalid user oracle from 127.0.0.1 port 56552 ssh2
Oct 16 22:31:13 centos76 sshd[15608]: Connection closed by 127.0.0.1 port 56552 [preauth]
Oct 16 22:31:14 centos76 sshd[15610]: Failed password for invalid user oracle from 127.0.0.1 port 56554 ssh2
Oct 16 22:31:14 centos76 sshd[15610]: Connection closed by 127.0.0.1 port 56554 [preauth]
Oct 16 22:31:15 centos76 sshd[15612]: Invalid user oracle from 127.0.0.1 port 56556
Oct 16 22:31:15 centos76 sshd[15612]: input_userauth_request: invalid user oracle [preauth]
Oct 16 22:31:15 centos76 sshd[15612]: pam_unix(sshd:auth): check pass; user unknown
Oct 16 22:31:15 centos76 sshd[15612]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
Oct 16 22:31:12 centos76 sshd[15608]: Failed password for invalid user oracle from 127.0.0.1 port 56552 ssh2
Oct 16 22:31:13 centos76 sshd[15608]: Connection closed by 127.0.0.1 port 56552 [preauth]
Oct 16 22:31:14 centos76 sshd[15610]: Failed password for invalid user oracle from 127.0.0.1 port 56554 ssh2
Oct 16 22:31:14 centos76 sshd[15610]: Connection closed by 127.0.0.1 port 56554 [preauth]
Oct 16 22:31:15 centos76 sshd[15612]: Invalid user oracle from 127.0.0.1 port 56556
Oct 16 22:31:15 centos76 sshd[15612]: input_userauth_request: invalid user oracle [preauth]
Oct 16 22:31:15 centos76 sshd[15612]: pam_unix(sshd:auth): check pass; user unknown
Oct 16 22:31:15 centos76 sshd[15612]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
简单密码还敢放到公网上,真是心大. 建议还是重要文件备份出来,然后重装系统. 后门很难查,一般都隐藏在一些常规二进制程序里. 还是重装最省事
9.
【问讯飞星火】
这是什么意思:Oct 16 22:32:01 centos76 CROND[15768]: (root) CMD (/tmp/rmrf/.files/./.b4nd1d0 > /dev/null 2>&1 & disown)
这是一个CRON任务的日志记录。它表示在10月16日22:32:01,CROND服务(一个用于管理定时任务的服务)执行了一个命令。这个命令是:
/tmp/rmrf/.files/./.b4nd1d0 > /dev/null 2>&1 & disown
这个命令的作用是将/tmp/rmrf/.files/./.b4nd1d0文件的内容重定向到/dev/null(即丢弃输出),并将错误信息也重定向到/dev/null。同时,使用&将命令放到后台运行,并使用disown命令使该命令与当前shell分离,这样即使当前shell退出,该命令也不会被终止。
11.
看不出有没有被新增的用户
[root@centos76 ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
mysql:x:1000:1000::/home/mysql:/sbin/nologin
nginx:x:1001:1001::/home/nginx:/sbin/nologin
[root@centos76 ~]# lastlog
Username Port From Latest
root pts/0 192.168.1.98 Tue Oct 17 10:37:41 +0800 2023
bin **Never logged in**
daemon **Never logged in**
adm **Never logged in**
lp **Never logged in**
sync **Never logged in**
shutdown **Never logged in**
halt **Never logged in**
mail **Never logged in**
operator **Never logged in**
games **Never logged in**
ftp **Never logged in**
nobody **Never logged in**
systemd-network **Never logged in**
dbus **Never logged in**
polkitd **Never logged in**
sshd **Never logged in**
postfix **Never logged in**
mysql **Never logged in**
nginx **Never logged in**
[root@centos76 ~]#
13.
列出所有service
[root@centos76 ~]# systemctl list-units --type=service
UNIT LOAD ACTIVE SUB DESCRIPTION
UNIT LOAD ACTIVE SUB DESCRIPTION
UNIT LOAD ACTIVE SUB DESCRIPTION
UNIT LOAD ACTIVE SUB DESCRIPTION
UNIT LOAD ACTIVE SUB DESCRIPTION
auditd.service loaded active running Security Auditing Service
containerd.service loaded active running containerd container runtime
crond.service loaded active running Command Scheduler
dbus.service loaded active running D-Bus System Message Bus
docker.service loaded active running Docker Application Container Engine
frpc.service loaded active running frpc service
getty@tty1.service loaded active running Getty on tty1
irqbalance.service loaded active running irqbalance daemon
kdump.service loaded active exited Crash recovery kernel arming
kmod-static-nodes.service loaded active exited Create list of required static device nodes for the current kernel
lvm2-lvmetad.service loaded active running LVM2 metadata daemon
lvm2-monitor.service loaded active exited Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling
lvm2-pvscan@8:3.service loaded active exited LVM2 PV scan on device 8:3
myservice.service loaded activating auto-restart Example systemd service.
mysql57.service loaded active running LSB: start and stop MySQL
mysql81.service loaded active running LSB: start and stop MySQL
network.service loaded active exited LSB: Bring up/down networking
NetworkManager-wait-online.service loaded active exited Network Manager Wait Online
NetworkManager.service loaded active running Network Manager
polkit.service loaded active running Authorization Manager
postfix.service loaded active running Postfix Mail Transport Agent
rhel-dmesg.service loaded active exited Dump dmesg to /var/log/dmesg
rhel-domainname.service loaded active exited Read and set NIS domainname from /etc/sysconfig/network
rhel-import-state.service loaded active exited Import network configuration from initramfs
rhel-readonly.service loaded active exited Configure read-only root support
rsyslog.service loaded active running System Logging Service
sshd.service loaded active running OpenSSH server daemon
systemd-backlight@backlight:acpi_video0.service loaded active exited Load/Save Screen Backlight Brightness of backlight:acpi_video0
systemd-journal-flush.service loaded active exited Flush Journal to Persistent Storage
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running Login Service
systemd-random-seed.service loaded active exited Load/Save Random Seed
systemd-readahead-collect.service loaded active exited Collect Read-Ahead Data
systemd-readahead-replay.service loaded active exited Replay Read-Ahead Data
systemd-remount-fs.service loaded active exited Remount Root and Kernel File Systems
systemd-sysctl.service loaded active exited Apply Kernel Variables
systemd-tmpfiles-setup-dev.service loaded active exited Create Static Device Nodes in /dev
systemd-tmpfiles-setup.service loaded active exited Create Volatile Files and Directories
systemd-udev-trigger.service loaded active exited udev Coldplug all Devices
systemd-udevd.service loaded active running udev Kernel Device Manager
systemd-update-utmp.service loaded active exited Update UTMP about System Boot/Shutdown
systemd-user-sessions.service loaded active exited Permit User Sessions
systemd-vconsole-setup.service loaded active exited Setup Virtual Console
tuned.service loaded active running Dynamic System Tuning Daemon
15. 我的密码也太简单,才一两天就被改了密码,现在用iptables关掉了业务端口以外的流量
16. 猜到了,我MySQL8.1也沦陷了,里面只有一张测试用的授权表,全部挨加密了(没给我留下解密邮箱)。MySQL5.7没有沦陷,可能是因为他也知道是空的数据库或者我只做了8.1的软连接的原因(通过小黑窗用命令链接mysql默认指向8.1)
17.
他还开了3600端口远程桌面服务(开了也用不了),我只有22端口是用frp暴露的,其它端口都连不上
[Unit]
Description=Example systemd service.
[Service]
Type=simple
Restart=always
RestartSec=3600
ExecStart=/bin/bash /usr/bin/sshd
[Install]
WantedBy=multi-user.target
18. 细思极恐