Notes from an emergency response to a database intrusion
This morning I traced the source of the attack and audited the logs,
and produced the following report.
This version is incomplete; I will add to it when I have time.
:~$ history
1  sudo apt-get update
2  sudo apt-get upgrade
3  sudo add-apt-repository ppa:ondrej/php
4  add-apt-repository ppa:ondrej/apache2
5  sudo add-apt-repository ppa:ondrej/apache2
6  sudo apt-get update
7  sudo apt-get upgrade
8  sudo apt-get install apache2
9  sudo apt-get install mysql-server mysql-client
10  cd /etc/apache2/
11  ls
12  cd sites-available/
13  sudo vi 000-default.conf
14  sudo /etc/init.d/apache2 res
15  sudo /etc/init.d/apache2 restart
16  sudo vi 000-default.conf
17  sudo /etc/init.d/apache2 stop
18  sudo vi 000-default.conf
19  cd ../sites-enabled/
20  ls
21  sudo vi 000-default.conf
22  sudo /etc/init.d/apache2 start
23  cd ../sites-available/
24  ls
25  sudo vi 000-default.conf
26  sudo /etc/init.d/apache2 start
27  cd /var/
28  sudo chmod -R 777 www
29  ls
30  sudo apt-get install php5.6
31  sudo apt-get install php5.6-gd
32  sudo apt-get install php5.6-mysql
33  sudo apt-get install php5.6-mbstring
34  sudo apt-get install php5.6-zip
35  sudo apt-get install php5.6-curl
36  sudo /etc/php/php -m
37  sudo /etc/php/5.6/php -m
38  php -m
39  sudo apt-get install php-xml
40  php -m
41  sudo apt-get install php5-xml
42  sudo apt-get install php-xml
43  sudo apt-get install php-mcrypt
44  sudo apt-get install php-xml
45  php -m
46  sudo apt-get install php5-mcrypt
47  sudo apt-get install php5.6-mcrypt
48  sudo apt-get install php5.6-xml
49  php -m
50  cd /
51  sudo chmod -R 777 var/
52  ls
53  cd /etc/mysql/
54  ls
55  cd mysql.conf.d/
56  ls
57  sudo vi mysqld.cnf
58  mysql -u root -p
59  sudo /etc/init.d/mysql restart
60  mysql -V
61  cd /var/
62  ls
63  sudo mv www www1
64  ls
65  sudols
66  cd /var/
67  ls
68  sodo tar -zxvf www1.tar.gz
69  cd /var/
70  sudo tar -zxvf www1.tar.gz
71  ls
72  rm -rf www1
73  ls
74  cd www/
75  ls
76  cd protected/
77  ls
78  cd config/
79  ls
80  sudo vi dbconfig.php
81  sudo apt-get install libapache2-mod-php5.6
82  sudo reboot now
83  cd /var/www/protected/
84  ls
85  cd config/
86  ls
87  sudo vi dbconfig.php
88  cd /etc/
89  ls
90  cd apache2/
91  ls
92  cd sites-available/
93  ls
94  sudo vi 000-default.conf
95  cd /etc/apache2/
96  ls
97  cd sites-available/
98  ls
99  sudo vi 000-default.conf
100  sudo ln -s /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled/rewrite.load
101  sudo /etc/init.d/apache2 restart
102  ls
103  cd ../sites-enabled/
104  ls
105  cd ../sites-available/
106  ls
107  sudo vi 000-default.conf
108  cd ..
109  ls
110  cd conf-available/
111  ls
112  cd ../mods-available/
113  ls
114  sudo vi rewrite.load
115  cd /usr/lib/
116  ls
117  cd apache2/
118  ls
119  cd modules/
120  ls
121  sudo grep -r "AllowOverride All" /etc/apache2/
122  sudo reboot now
123  sudo a2enmod rewrite
124  sudo /etc/init.d/apache2 restart
125  cd /var/www/
126  ls -a
127  sudo vi .htaccess
128  cd assets/
129  ls
130  cd ..
131  ls
132  ls -a
133  cd /etc/apache2/sites-available/
134  ls
135  sudo vi 000-default.conf
136  sudo /etc/init.d/apache2 restart
137  cd /var/www/
138  ls -al
139  sudo /etc/init.d/apache2 stop
140  sudo /etc/init.d/apache2 start
141  sudo grep -r "Copyright © 2014 Xcessbio" /var/www
142  sudo grep -r "CXcessbio Biosciences Inc." /var/www
143  sudo grep -r "Xcessbio Biosciences Inc." /var/www
144  cd /var/
145  sudo sed -i "s/Xcessbio Biosciences Inc/LinkgenLab Biosciences Inc/g" 'grep "Xcessbio Biosciences Inc" -rl www/'
146  sudo sed -i "s/Xcessbio Biosciences Inc/LinkgenLab Biosciences Inc/g" 'grep "Xcessbio Biosciences Inc" -rl /var/www/'
147  sudo sed -i "s/Xcessbio Biosciences Inc/LinkgenLab Biosciences Inc/g" `grep "Xcessbio Biosciences Inc" -rl www/`
148  sudo grep -r "CXcessbio Biosciences Inc." /var/www
149  sudo grep -r "sales@xcessbio.com" /var/www
150  cd www/
151  ls
152  rm -rf xcessbio20190611.sql
153  ls
154  sudo grep -r "sales@xcessbio.com" /var/www
155  cd protected/
156  ls
157  cd ../themes/
158  ls
159  cd default/views/
160  ls
161  cd layouts/
162  ls
163  sed -i 's/@xcessbio.com/@linkgenlab.com/g' main.txt
164  sed -i 's/@xcessbio.com/@linkgenlab.com/g' main.php
165  sudo grep -r "Xcessbio New Products" /var/www
166  sudo grep -r "7144 N Harlem" /var/www
167  sed -i 's/Xcess Bio/Linkgen Lab/g' main.php
168  sudo grep -r "Copyright © 2014 Xcessbio - Powered by bioDiscover" /var/www
169  sudo grep -r "Copyright © 2014" /var/www
170  cd /var/www/themes/
171  ls
172  cd default/views/layouts/
173  ls
174  sudo vi main.php
175  ls
176  sudo vi main.php
177  閟udo grep -r "XcessBio Backend" /var/www
178  sudgrep -r "XcessBio Backend" /var/www
179  sudo grep -r "XcessBio Backend" /var/www
180  cd var
181  cd /var/
182  ls
183  sudo sed -i "s/XcessBio Backend/LinkgenLab Backend/g" `grep "XcessBio Backend" -rl www/`
184  sudo grep -r "XcessBio Backend" /var/www
185  cd /var/www/
186  ls
187  cd /etc/apache2/
188  ls
189  cd sites-available/
190  ls
191  sudo vi 000-default.conf
192  sudo /etc/init.d/apache2 restart
193  sudo reboot now
194  mysql -u root -p
195  sudo /etc/init.d/mysql restart
196  mysql -u root -p
197  history
linkgenlab@s72-167-224-80:~$
Preliminary estimate: the intrusion took place between November 4 and November 5.
find . -atime +2   # -atime n: file was last accessed n*24 hours ago; +2 selects files accessed more than 2 days ago
The cracking attempts go back to November 4, when they first started.
The IPs with the highest number of access attempts:
218.92.0.139
112.85.42.237
218.92.0.188
112.85.42.227
114.67.64.90
112.250.104.182
140.143.200.251
iptables -I INPUT -s 114.67.64.90 -j DROP
iptables -I INPUT -s 218.92.0.188 -j DROP
Block multiple IPs:
218.92.0.139 112.85.42.237 218.92.0.188 112.85.42.227 114.67.64.90 112.250.104.182 140.143.200.251
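The post ranks attacking IPs by hand and then writes one iptables rule per address. The script below is an added example (not from the original post) that automates both steps: it counts failed SSH logins per source in sshd log lines and prints DROP rules, in the post's own form, for every source over a threshold. The log lines are constructed; only the IPs are taken from the post's list.

```bash
#!/bin/bash
# Added example (not from the original post): rank source IPs by failed SSH logins
# and turn the worst offenders into iptables DROP rules like the ones in the post.
# The sshd log lines below are constructed for illustration; only the IPs are
# taken from the post's list of top attacking addresses.

AUTH_LOG_SAMPLE='Nov  4 03:12:01 s72 sshd[1201]: Failed password for root from 218.92.0.139 port 4412 ssh2
Nov  4 03:12:03 s72 sshd[1201]: Failed password for root from 218.92.0.139 port 4412 ssh2
Nov  4 03:12:05 s72 sshd[1203]: Failed password for invalid user admin from 112.85.42.237 port 51022 ssh2
Nov  4 03:12:07 s72 sshd[1204]: Failed password for root from 218.92.0.139 port 4415 ssh2
Nov  4 03:12:09 s72 sshd[1205]: Accepted password for linkgenlab from 10.0.0.5 port 50000 ssh2
Nov  5 11:40:00 s72 sshd[1300]: Failed password for root from 112.85.42.237 port 51030 ssh2
Nov  5 11:40:02 s72 sshd[1301]: Failed password for root from 140.143.200.251 port 22222 ssh2'

# Read sshd log lines on stdin; print "count ip" for each source of failed
# logins, most frequent first. The awk loop takes the word after "from", so
# "for root from X" and "for invalid user admin from X" are both handled.
top_failed_ips() {
    grep 'Failed password' \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break } }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Read sshd log lines on stdin; print an iptables DROP rule (the same form the
# post uses) for every IP with at least $1 failures. Rules are printed rather
# than applied so they can be reviewed before touching the firewall.
drop_rules_for() {
    top_failed_ips | awk -v t="$1" '$1 >= t { printf "iptables -I INPUT -s %s -j DROP\n", $2 }'
}

printf '%s\n' "$AUTH_LOG_SAMPLE" | top_failed_ips
printf '%s\n' "$AUTH_LOG_SAMPLE" | drop_rules_for 2
```

On a real host, replace the sample with `cat /var/log/auth.log | drop_rules_for 20` (or the journal equivalent) and review the output before piping it to a shell.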
Database
Disable remote login to the database
https://www.abuseipdb.com/check/218.92.0.139
Back up promptly and be ready to restore
Disable remote login
Set up a user with a lower privilege level
Intrusion detection and alerting
In this incident, the attacker tried from November 4 until now to obtain the Linux host account password by brute force,
which resulted in the database being tampered with; the root cause was a simple password that was brute-forced.
The database repair has now been completed and an initial restore has been carried out.