The sfewfesfs virus, also known as the nhgbhhj virus, is a piece of malware that runs rampant on Linux servers. As you can tell from the name, its author picked it at random precisely to make the thing harder to spot. I used to think this sort of incident was far removed from me, but one careless operation nearly took down my personal VPS, so I am writing it down here as a warning to others.
In hindsight the cause looks a little silly. I had recently become interested in Discourse, a new forum platform, partly because it has a feature that lets it be embedded in an existing static site the way Disqus and Duoshuo can. So I wanted to try it out on Logecho.
I searched Baidu for its installation documentation and, to save myself some effort, picked a Chinese tutorial and followed it step by step. That procedure turned out to be very cumbersome; after a few steps I suddenly remembered that Discourse seemed to have a Docker-based install, found the recommended procedure on its official site, and was done in a few simple steps.
But as I mentioned, I had left that first installation half finished, and as luck would have it I had stopped right at the step that creates a user named admin:

```sh
$ sudo adduser admin
$ sudo adduser admin sudo
```

To make logging in easier I had even changed admin's password to 12345. At that point I went off to look for other installation documents and the whole thing slipped my mind completely. Anyone with half an eye can see how dangerous it is to leave behind a high-privilege account with a weak password like that; I had only meant to use it temporarily and delete it as soon as I was done.
And so disasters tend to happen when you least expect them...
Around noon the next day I was running a data import script on the VPS when I noticed the terminal had become extremely slow to respond and the program had hung. I assumed it was an intermittent network glitch and ignored it. A little later, though, I received alert emails from Linode, two at once: CPU and network load had both exceeded their limits. I realised I had probably been compromised.
By then the system was so sluggish and the network so congested that I could no longer reach the host over SSH. The screenshot below shows the state of the system at the time.
Fortunately Linode provides a web-based live console. As soon as I got in I found a process named nhgbhhj consuming an extremely high load. A web search confirmed it is indeed a piece of malware whose purpose is to keep sending packets until it saturates your bandwidth. Because the material online was all very old and the removal methods it gave did not actually get rid of the program, I had to work it out myself.
The obvious first step was to kill the process. That treats the symptom rather than the cause, but it brought the system load down immediately so I could log back in through a normal terminal. Next was to find the files the processes were running from; according to what I read online they should be under /tmp, and sure enough the directory held a pile of odd-looking files.
I deleted those files and killed the corresponding processes, but one file, conf.n, refused to go away: every time I deleted it, it came back on its own.
I guessed there were still processes I had not killed, and later found that the directory also contained many hidden files, for example ones whose names begin with .ssh.
Like the proverbial cunning hare with three burrows, it had hidden itself in several places. Once I had removed all of that junk, conf.n never came back, so I judged the cleanup complete.
The first thing to do afterwards was to deal with the weak-password admin account. To be more thorough I simply disabled password login altogether: in /etc/ssh/sshd_config, find

```
PasswordAuthentication yes
```

change yes to no, and then restart the SSH service.
First, you have to keep your guard up on security at all times. You may do everything else right, but a single slip can undo all of it.
Think about the consequences of every operation you perform on a server, and do not give up basic security baselines for the sake of convenience. Most password-guessing scanners today sweep the entire internet around the clock, and a weak password will not escape them by luck. If you do not believe it, take a look at your own login logs:
```sh
root@localhost:/tmp# cat /var/log/auth.log | grep admin
```
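As an added example (not code from the original post), the script below does the two checks the post recommends: it tallies failed SSH password attempts per source address from auth.log-style lines, like the grep above, and reads the effective PasswordAuthentication value out of an sshd_config as the hardening step above requires. The log lines and IP addresses in it are constructed samples from documentation ranges, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Summarises failed SSH
# password attempts per source address from auth.log-style lines and checks
# an sshd_config for PasswordAuthentication. The log lines and addresses
# below are constructed (RFC 5737 documentation ranges), not the real log.

SAMPLE_LOG='Jan 19 08:23:51 localhost sshd[22552]: Failed password for invalid user www-admin from 198.51.100.7 port 40628 ssh2
Jan 19 08:24:53 localhost sshd[22592]: Failed password for invalid user www-admin from 198.51.100.7 port 35412 ssh2
Jan 19 15:35:39 localhost sshd[7495]: Failed password for invalid user gitadmin from 203.0.113.9 port 48362 ssh2
Jan 19 15:38:41 localhost sshd[7735]: Failed password for invalid user pgadmin from 203.0.113.9 port 49705 ssh2
Jan 19 15:38:44 localhost sshd[7739]: Failed password for admin from 203.0.113.9 port 50784 ssh2
Jan 19 15:38:47 localhost sshd[7741]: Accepted password for admin from 203.0.113.9 port 51875 ssh2'

# failed_by_ip: read sshd log lines on stdin, print "<count> <ip>" for every
# source that had failed password attempts, busiest source first.
failed_by_ip() {
    grep 'sshd\[[0-9]*]: Failed password for' |
        sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{print $1, $2}'
}

# accepted_logins: the line that matters after a guessing run is the one
# where a password was accepted; print "<user> <ip>" for each such login.
accepted_logins() {
    sed -n 's/.*Accepted password for \([^ ]*\) from \([0-9.][0-9.]*\) port .*/\1 \2/p'
}

# password_auth_setting: read an sshd_config on stdin and print the effective
# PasswordAuthentication value. sshd uses the first occurrence of a keyword,
# and the compiled-in default is yes. Match blocks are not handled here.
password_auth_setting() {
    v=$(sed -n 's/^[[:space:]]*PasswordAuthentication[[:space:]][[:space:]]*\([A-Za-z]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${v:-yes}" | tr 'A-Z' 'a-z'
}

# Demo on the constructed sample. On a live host, feed /var/log/auth.log and
# /etc/ssh/sshd_config on stdin instead.
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | accepted_logins
```

A source that appears in the failed tally and then in an accepted login is exactly the pattern the post describes, and a value of yes from the config check means the hardening step has not taken effect.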
This time I was lucky to notice it quickly, since I happened to be logged in at the time. If the infection had gone unnoticed, the provider could well have suspended the service, and the loss would have been far greater.