My Linux server is being attacked, what should I do? Help, quick!

Posted 2004-12-2 10:03:50
Over the last few days I've found that files in an FTP space keep getting deleted at random times. Looking at the log files, I found someone is attacking my server. What should I do? Help! Below are excerpts from three log files:
xferlog (the log records left when he deleted the files):
Tue Nov 30 20:43:13 2004 0 n219077188049.netvigator.com 0 /var/nethd/1.jpg a _ d r exchange ftp 1 * c
Tue Nov 30 20:43:13 2004 0 n219077188049.netvigator.com 0 /var/nethd/2.jpg a _ d r exchange ftp 1 * c
Tue Nov 30 20:43:13 2004 0 n219077188049.netvigator.com 0 /var/nethd/3.jpg a _ d r exchange ftp 1 * c
Tue Nov 30 20:43:13 2004 0 n219077188049.netvigator.com 0 /var/nethd/4.jpg a _ d r exchange ftp 1 * c
Tue Nov 30 20:43:13 2004 0 n219077188049.netvigator.com 0 /var/nethd/5_拷贝.jpg a _ d r exchange ftp 1 * c
Tue Nov 30 20:43:14 2004 0 n219077188049.netvigator.com 0 /var/nethd/6_.jpg a _ d r exchange ftp 1 * c
Tue Nov 30 20:43:14 2004 0 n219077188049.netvigator.com 0 /var/nethd/7_.jpg a _ d r exchange ftp 1 * c
Tue Nov 30 20:43:14 2004 0 n219077188049.netvigator.com 0 /var/nethd/8_.jpg a _ d r exchange ftp 1 * c

messages:
Nov 30 03:27:13 server proftpd[2091]: server (blk-224-208-224.eastlink.ca[24.224.208.224]) - FTP session opened.
Nov 30 03:27:15 server proftpd[2091]: server (blk-224-208-224.eastlink.ca[24.224.208.224]) - PAM(exchange): Authentication failure.
Nov 30 03:27:17 dulcet proftpd[2091]: server (blk-224-208-224.eastlink.ca[24.224.208.224]) - wtmp /var/log/wtmp: No such file or directory
Nov 30 03:29:10 server proftpd[2091]: server (blk-224-208-224.eastlink.ca[24.224.208.224]) - wtmp /var/log/wtmp: No such file or directory
Nov 30 03:29:11 server proftpd[2091]: server (blk-224-208-224.eastlink.ca[24.224.208.224]) - FTP session closed.
Nov 30 04:02:03 server syslogd 1.4.1: restart.
Nov 30 20:43:04 server proftpd[11787]: server (n219077188049.netvigator.com[219.77.188.49]) - FTP session opened.
Nov 30 20:43:05 server proftpd[11787]: server (n219077188049.netvigator.com[219.77.188.49]) - PAM(exchange): Authentication failure.
Nov 30 20:43:05 server proftpd[11787]: server (n219077188049.netvigator.com[219.77.188.49]) - wtmp /var/log/wtmp: No such file or directory
Nov 30 20:43:39 server proftpd[11787]: server (n219077188049.netvigator.com[219.77.188.49]) - wtmp /var/log/wtmp: No such file or directory
Nov 30 20:43:39 server proftpd[11787]: server (n219077188049.netvigator.com[219.77.188.49]) - FTP session closed.
Dec  1 06:08:04 dulcet sshd(pam_unix)[25479]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61-220-103-26.hinet-ip.hinet.net  user=nobody
Dec  1 06:08:10 dulcet sshd(pam_unix)[25482]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61-220-103-26.hinet-ip.hinet.net  user=root
Dec  1 06:08:14 dulcet sshd(pam_unix)[25484]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61-220-103-26.hinet-ip.hinet.net  user=root
Dec  1 06:08:18 dulcet sshd(pam_unix)[25485]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61-220-103-26.hinet-ip.hinet.net  user=root
Dec  1 06:08:21 dulcet sshd(pam_unix)[25486]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61-220-103-26.hinet-ip.hinet.net  user=root
Dec  1 06:08:25 dulcet sshd(pam_unix)[25488]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61-220-103-26.hinet-ip.hinet.net  user=root

secure:
Nov 30 20:43:05 dulcet proftpd[11787]: server (n219077188049.netvigator.com[219.77.188.49]) - USER exchange: Login successful.
Nov 30 22:32:58 dulcet proftpd[17032]: server (n219077188049.netvigator.com[219.77.188.49]) - USER exchange: Login successful.
Dec  1 00:01:55 dulcet proftpd[20353]: server (n219077188049.netvigator.com[219.77.188.49]) - USER exchange: Login successful.
Dec  1 05:58:42 dulcet sshd[25356]: Did not receive identification string from 61.220.103.26.
Dec  1 06:08:07 dulcet sshd[25479]: Failed password for nobody from 61.220.103.26 port 58251 ssh2
Dec  1 06:08:07 dulcet sshd[25479]: Received disconnect from 61.220.103.26: 11: Bye Bye
Dec  1 06:08:08 dulcet sshd[25480]: input_userauth_request: illegal user patrick
Dec  1 06:08:08 dulcet sshd[25480]: Failed password for illegal user patrick from 61.220.103.26 port 58619 ssh2
Dec  1 06:08:08 dulcet sshd[25480]: Received disconnect from 61.220.103.26: 11: Bye Bye
Dec  1 06:08:09 dulcet sshd[25481]: input_userauth_request: illegal user patrick
Dec  1 06:08:09 dulcet sshd[25481]: Failed password for illegal user patrick from 61.220.103.26 port 58793 ssh2
Dec  1 06:08:09 dulcet sshd[25481]: Received disconnect from 61.220.103.26: 11: Bye Bye
Dec  1 06:08:12 dulcet sshd[25482]: Failed password for ROOT from 61.220.103.26 port 58861 ssh2
Dec  1 06:08:13 dulcet sshd[25482]: Received disconnect from 61.220.103.26: 11: Bye Bye
Dec  1 06:08:16 dulcet sshd[25484]: Failed password for ROOT from 61.220.103.26 port 59291 ssh2

From these signs I can see my server is being attacked. Is there a way to block him or track him down? Otherwise one day he will destroy it. 2555555555555555555555555555555555555555
Posted 2004-12-3 00:24:02
I don't really read logs.
Is 61.220.103.26 his IP? Can it be blocked?
Posted 2004-12-3 00:46:07
Check which ports your server has open and what services it runs, whether you've upgraded to the latest versions of the service software, which services are unnecessary, and whether user passwords are too simple.
Best is to reformat and reinstall the system, because you can't be sure he hasn't installed a rootkit or some other backdoor.
Posted 2004-12-3 09:34:23

Mine has even more:

Nov 29 01:46:56 myweb sshd[14417]: Could not reverse map address 203.85.14.25.
Nov 29 01:47:01 myweb sshd[14419]: Could not reverse map address 203.85.14.25.
Nov 29 01:47:11 myweb sshd[14423]: Did not receive identification string from 203.85.14.25
Nov 30 17:26:01 myweb sshd[31464]: Did not receive identification string from 210.22.184.202
Nov 30 17:26:01 myweb sshd[31465]: Did not receive identification string from 210.22.184.202
Nov 30 17:39:01 myweb sshd[31535]: Could not reverse map address 210.22.184.202.
Nov 30 17:39:01 myweb sshd[31534]: Could not reverse map address 210.22.184.202.
Nov 30 17:39:03 myweb sshd[31535]: Failed password for nobody from 210.22.184.202 port 38448 ssh2
Nov 30 17:39:03 myweb sshd[31534]: Failed password for nobody from 210.22.184.202 port 38441 ssh2
Nov 30 17:39:06 myweb sshd[31540]: Could not reverse map address 210.22.184.202.
Nov 30 17:39:06 myweb sshd[31541]: Could not reverse map address 210.22.184.202.
Nov 30 17:39:08 myweb sshd[31544]: Could not reverse map address 210.22.184.202.
Nov 30 17:39:08 myweb sshd[31545]: Could not reverse map address 210.22.184.202.
Nov 30 17:39:16 myweb sshd[31548]: Could not reverse map address 210.22.184.202.
Nov 30 17:39:16 myweb sshd[31549]: Could not reverse map address 210.22.184.202.
Nov 30 17:39:18 myweb sshd[31549]: Failed password for root from 210.22.184.202 port 38567 ssh2
Nov 30 17:39:18 myweb sshd[31548]: Failed password for root from 210.22.184.202 port 38566 ssh2
Nov 30 17:46:31 myweb sshd[31928]: Failed password for root from 210.22.184.202 port 59273 ssh2
Nov 30 17:46:33 myweb sshd[31930]: Could not reverse map address 210.22.184.202.
Nov 30 17:56:50 myweb sshd[31978]: Could not reverse map address 61.134.26.203.
Nov 30 17:56:50 myweb sshd[31978]: Accepted password for root from 61.134.26.203 port 3288 ssh2
Nov 30 17:56:50 myweb sshd[31978]: subsystem request for sftp
Nov 30 23:34:43 myweb sshd[932]: Did not receive identification string from 61.221.79.115
Nov 30 23:45:03 myweb sshd[964]: Failed password for nobody from 61.221.79.115 port 41692 ssh2
Nov 30 23:45:20 myweb sshd[976]: Failed password for root from 61.221.79.115 port 41875 ssh2
Nov 30 23:45:26 myweb sshd[978]: Failed password for root from 61.221.79.115 port 42001 ssh2
Nov 30 23:45:34 myweb sshd[980]: Failed password for root from 61.221.79.115 port 42083 ssh2
Nov 30 23:45:41 myweb sshd[982]: Failed password for root from 61.221.79.115 port 42218 ssh2
Nov 30 23:45:50 myweb sshd[985]: Failed password for root from 61.221.79.115 port 42308 ssh2
Nov 30 23:46:39 myweb sshd[1014]: Failed password for mysql from 61.221.79.115 port 44499 ssh2
Nov 30 23:46:44 myweb sshd[1016]: Failed password for operator from 61.221.79.115 port 44955 ssh2
Nov 30 23:46:48 myweb sshd[1018]: Failed password for adm from 61.221.79.115 port 45404 ssh2
Nov 30 23:46:53 myweb sshd[1020]: Failed password for apache from 61.221.79.115 port 45855 ssh2
Nov 30 23:47:02 myweb sshd[1026]: Failed password for adm from 61.221.79.115 port 46747 ssh2
Nov 30 23:47:08 myweb sshd[1030]: Failed password for root from 61.221.79.115 port 46797 ssh2
Nov 30 23:47:12 myweb sshd[1032]: Failed password for root from 61.221.79.115 port 47648 ssh2
Nov 30 23:47:18 myweb sshd[1034]: Failed password for root from 61.221.79.115 port 47690 ssh2
Nov 30 23:47:29 myweb sshd[1040]: Failed password for root from 61.221.79.115 port 48973 ssh2
Nov 30 23:47:39 myweb sshd[1042]: Did not receive identification string from 61.221.79.115
Dec  1 04:53:25 myweb sshd[2454]: Failed password for root from 195.102.145.50 port 33441 ssh2

319 lines in total, the middle part omitted. Just block his IP!
Original poster | Posted 2004-12-3 09:43:34

I've now blocked the problem IPs. Next question: how do I find out what each port is used for?

I listed the ports, but I don't know which are useful and which aren't.
Posted 2004-12-3 12:49:34
Whether they're useful depends on what your server is for.
Apart from the services your server provides, the rest are useless.
Posted 2004-12-4 00:25:15
Who can explain in detail what the logs mean??
Posted 2004-12-9 09:12:16
I suggest you scan your server from another computer!
Posted 2004-12-12 10:50:54
Blocking IPs doesn't really solve the problem.
1. First check the services running on your server. Shut down the unnecessary ones.
2. Reset the root password. Don't use a simple password. If you like, you can create a user with GID and UID 0 to replace root, then comment out root. (Some services or programs use root, so check first.)
3. When setting up the firewall, follow the deny-first, allow-second principle.
4. Keep a close eye on what's going on on the server,
using netstat, ps, pstree, last, w and the logs.
mrtg is also a good choice.
5. Use crond + shell scripts to implement your own ideas and get creative.
6. Pay attention to MySQL security.
7. About history:
set in /etc/profile
HISTSIZE=3  (a smaller value is somewhat better)
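The monitoring step above comes down to reading the same sshd lines the thread posts; as an added example (not from any poster in the thread), this POSIX shell script summarises such secure-log lines per source address, using constructed sample lines modelled on the thread's "secure" excerpt and an assumed threshold of 3 failures:

```shell
#!/bin/sh
# Added example, not from the thread: summarise /var/log/secure-style sshd
# lines per source host so the pattern in the posted logs (many "Failed
# password" lines from one host, then an "Accepted password for root") is
# visible at a glance. THRESHOLD is an assumed value.
THRESHOLD=${THRESHOLD:-3}

# failed_by_ip: read log lines on stdin, print "IP count" for each source host
# with "Failed password" events, highest count first (ties ordered by IP).
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# accepted_logins: print "user IP" for every successful password login; a root
# login from an address that was also brute-forcing is the line to worry about.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted password for/ {
             for (i = 1; i <= NF; i++) if ($i == "for") { print $(i + 1), $(i + 3); break }
         }'
}

# brute_force_hosts: source IPs with THRESHOLD or more failed passwords.
brute_force_hosts() {
    failed_by_ip | awk -v t="$THRESHOLD" '$2 >= t { print $1 }'
}

# Constructed sample lines in the format of the thread's "secure" excerpt.
SAMPLE='Nov 30 23:45:03 myweb sshd[964]: Failed password for nobody from 61.221.79.115 port 41692 ssh2
Nov 30 23:45:20 myweb sshd[976]: Failed password for root from 61.221.79.115 port 41875 ssh2
Nov 30 23:46:39 myweb sshd[1014]: Failed password for mysql from 61.221.79.115 port 44499 ssh2
Dec  1 06:08:08 dulcet sshd[25480]: Failed password for illegal user patrick from 61.220.103.26 port 58619 ssh2
Dec  1 06:08:12 dulcet sshd[25482]: Failed password for ROOT from 61.220.103.26 port 58861 ssh2
Nov 30 17:56:50 myweb sshd[31978]: Accepted password for root from 61.134.26.203 port 3288 ssh2
Dec  1 04:53:25 myweb sshd[2454]: Failed password for root from 195.102.145.50 port 33441 ssh2'

# Run with --demo to summarise the sample; otherwise pipe a real log into the
# functions, e.g. failed_by_ip < /var/log/secure
if [ "${1:-}" = "--demo" ]; then
    echo "failed passwords per host:"; printf '%s\n' "$SAMPLE" | failed_by_ip
    echo "hosts over threshold:";      printf '%s\n' "$SAMPLE" | brute_force_hosts
    echo "accepted logins:";           printf '%s\n' "$SAMPLE" | accepted_logins
fi
```

Run it from cron (step 5 above) against the day's log and the per-host counts give you something to act on before a password finally matches.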
Posted 2005-1-10 00:05:19
Tue Nov 30 20:43:14 2004 0 n219077188049.netvigator.com 0 /var/nethd/8_.jpg a _ d r exchange ftp 1 * c

That looks pretty normal! My logs show the same thing; those are the records left from my copying, nothing to worry about!