V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
通过以下 Referral 链接购买 DigitalOcean 主机,你将可以帮助 V2EX 持续发展
DigitalOcean - SSD Cloud Servers
Axurez
V2EX  ›  VPS

VPS 被攻击了,二进制文件已掏出,有人有兴趣看看吗?

  •  
  •   Axurez · 2017-02-13 14:55:52 +08:00 · 753 次点击
    这是一个创建于 2877 天前的主题,其中的信息可能已经有所发展或是发生改变。

    压缩包地址 https://box.zjuqsc.com/-mal ,三个文件, Linux 下请谨慎打开。。。

    Linode 告诉我:

    Thanks for taking a closer look at this. I've got a recording of some example traffic we've seen. It appears that your Linode is emitting a Syn flood [1] with a destination port of 9008:

    13:32:24.508094 IP 139.162.108.74.27713 > 122.226.191.98.9008: Flags [S], seq 1816213842:1816214726, win 60143, length 884 13:32:24.508101 IP 139.162.108.74.62227 > 122.226.191.98.9008: Flags [S], seq 4078117166:4078118031, win 65107, length 865 13:32:24.508104 IP 139.162.108.74.43579 > 122.226.191.98.9008: Flags [S], seq 2856034569:2856035451, win 64204, length 882 13:32:24.508106 IP 139.162.108.74.48818 > 122.226.191.98.9008: Flags [S], seq 3199391525:3199392381, win 61478, length 856 10054 packets captured 66946 packets received by filter 55141 packets dropped by kernel 0.87 seconds

    貌似没有登录记录,但是估计应该是被删了。在 /etc/init.d 下放了三个脚本,分别执行这三个可执行文件,脚本形如

    #!/bin/sh
    # chkconfig: 12345 90 90
    # description: ktinazm
    ### BEGIN INIT INFO
    # Provides: ktinazm
    # Required-Start:
    # Required-Stop:
    # Default-Start: 1 2 3 4 5
    # Default-Stop:
    # Short-Description: ktinazm
    ### END INIT INFO
    case $1 in
    start)
    	"/bin/mzanitk"
      break
    	;;
    stop)
      break
    	;;
    *)
    	"/bin/mzanitk"
      break
    	;;
    esac
    
    

    两个是在/bin,一个在/usr/bin

    有人见过这种恶意程序吗?

    目前尚无回复
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   1233 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 26ms · UTC 17:51 · PVG 01:51 · LAX 09:51 · JFK 12:51
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.