

    记一次数据库被入侵应急响应

     

    前记

     

    今天早上我进行了溯源追踪,审计了日志,

    并得出以下报告。

     

    此版本不完整,有时间再补充。

     

     

    发现

     

     

    审计

     

     

    :~$ history
        1  sudo apt-get update
        2  sudo apt-get upgrade
        3  sudo add-apt-repository ppa:ondrej/php
        4  add-apt-repository ppa:ondrej/apache2
        5  sudo add-apt-repository ppa:ondrej/apache2
        6  sudo apt-get update
        7  sudo apt-get upgrade
        8  sudo apt-get install apache2
        9  sudo apt-get install mysql-server mysql-client
       10  cd /etc/apache2/
       11  ls
       12  cd sites-available/
       13  sudo vi 000-default.conf 
       14  sudo /etc/init.d/apache2 res
       15  sudo /etc/init.d/apache2 restart
       16  sudo vi 000-default.conf 
       17  sudo /etc/init.d/apache2 stop
       18  sudo vi 000-default.conf 
       19  cd ../sites-enabled/
       20  ls
       21  sudo vi 000-default.conf 
       22  sudo /etc/init.d/apache2 start
       23  cd ../sites-available/
       24  ls
       25  sudo vi 000-default.conf 
       26  sudo /etc/init.d/apache2 start
       27  cd /var/
       28  sudo chmod -R 777 www
       29  ls
       30  sudo apt-get install php5.6
       31  sudo apt-get install php5.6-gd
       32  sudo apt-get install php5.6-mysql
       33  sudo apt-get install php5.6-mbstring
       34  sudo apt-get install php5.6-zip
       35  sudo apt-get install php5.6-curl
       36  sudo /etc/php/php -m
       37  sudo /etc/php/5.6/php -m
       38  php -m
       39  sudo apt-get install php-xml
       40  php -m
       41  sudo apt-get install php5-xml
       42  sudo apt-get install php-xml
       43  sudo apt-get install php-mcrypt
       44  sudo apt-get install php-xml
       45  php -m
       46  sudo apt-get install php5-mcrypt
       47  sudo apt-get install php5.6-mcrypt
       48  sudo apt-get install php5.6-xml
       49  php -m
       50  cd /
       51  sudo chmod -R 777 var/
       52  ls
       53  cd /etc/mysql/
       54  ls
       55  cd mysql.conf.d/
       56  ls
       57  sudo vi mysqld.cnf 
       58  mysql -u root -p
       59  sudo /etc/init.d/mysql restart
       60  mysql -V
       61  cd /var/
       62  ls
       63  sudo mv www www1
       64  ls
       65  sudols
       66  cd /var/
       67  ls
       68  sodo tar -zxvf www1.tar.gz 
       69  cd /var/
       70  sudo tar -zxvf www1.tar.gz 
       71  ls
       72  rm -rf www1
       73  ls
       74  cd www/
       75  ls
       76  cd protected/
       77  ls
       78  cd config/
       79  ls
       80  sudo vi dbconfig.php 
       81  sudo apt-get install libapache2-mod-php5.6
       82  sudo reboot now
       83  cd /var/www/protected/
       84  ls
       85  cd config/
       86  ls
       87  sudo vi dbconfig.php 
       88  cd /etc/
       89  ls
       90  cd apache2/
       91  ls
       92  cd sites-available/
       93  ls
       94  sudo vi 000-default.conf 
       95  cd /etc/apache2/
       96  ls
       97  cd sites-available/
       98  ls
       99  sudo vi 000-default.conf 
      100  sudo ln -s /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled/rewrite.load
      101  sudo /etc/init.d/apache2 restart
      102  ls
      103  cd ../sites-enabled/
      104  ls
      105  cd ../sites-available/
      106  ls
      107  sudo vi 000-default.conf 
      108  cd ..
      109  ls
      110  cd conf-available/
      111  ls
      112  cd ../mods-available/
      113  ls
      114  sudo vi rewrite.load 
      115  cd /usr/lib/
      116  ls
      117  cd apache2/
      118  ls
      119  cd modules/
      120  ls
      121  sudo grep -r "AllowOverride All"  /etc/apache2/
      122  sudo reboot now
      123  sudo a2enmod rewrite
      124  sudo /etc/init.d/apache2 restart
      125  cd /var/www/
      126  ls -a
      127  sudo vi .htaccess 
      128  cd assets/
      129  ls
      130  cd ..
      131  ls
      132  ls -a
      133  cd /etc/apache2/sites-available/
      134  ls
      135  sudo vi 000-default.conf 
      136  sudo /etc/init.d/apache2 restart
      137  cd /var/www/
      138  ls -al
      139  sudo /etc/init.d/apache2 stop
      140  sudo /etc/init.d/apache2 start
       141  sudo grep -r "Copyright © 2014 Xcessbio" /var/www
      142  sudo grep -r "CXcessbio Biosciences Inc." /var/www
      143  sudo grep -r "Xcessbio Biosciences Inc." /var/www
      144  cd /var/
      145  sudo sed -i "s/Xcessbio Biosciences Inc/LinkgenLab Biosciences Inc/g" 'grep "Xcessbio Biosciences Inc" -rl www/' 
      146  sudo sed -i "s/Xcessbio Biosciences Inc/LinkgenLab Biosciences Inc/g" 'grep "Xcessbio Biosciences Inc" -rl /var/www/' 
      147  sudo sed -i "s/Xcessbio Biosciences Inc/LinkgenLab Biosciences Inc/g"  `grep "Xcessbio Biosciences Inc" -rl www/`
      148  sudo grep -r "CXcessbio Biosciences Inc." /var/www
      149  sudo grep -r "sales@xcessbio.com" /var/www
      150  cd www/
      151  ls
      152  rm -rf xcessbio20190611.sql 
      153  ls
      154  sudo grep -r "sales@xcessbio.com" /var/www
      155  cd protected/
      156  ls
      157  cd ../themes/
      158  ls
      159  cd default/views/
      160  ls
      161  cd layouts/
      162  ls
      163  sed  -i 's/@xcessbio.com/@linkgenlab.com/g'  main.txt
      164  sed  -i 's/@xcessbio.com/@linkgenlab.com/g'  main.php
      165  sudo grep -r "Xcessbio New Products" /var/www
      166  sudo grep -r "7144 N Harlem" /var/www
      167  sed  -i 's/Xcess Bio/Linkgen Lab/g'  main.php
       168  sudo grep -r "Copyright © 2014 Xcessbio - Powered by bioDiscover" /var/www
       169  sudo grep -r "Copyright © 2014" /var/www
      170  cd /var/www/themes/
      171  ls
      172  cd default/views/layouts/
      173  ls
      174  sudo vi main.php 
      175  ls
      176  sudo vi main.php 
      177  閟udo grep -r "XcessBio Backend"  /var/www
      178  sudgrep -r "XcessBio Backend"  /var/www
      179  sudo grep -r "XcessBio Backend"  /var/www
      180  cd var
      181  cd /var/
      182  ls
      183  sudo sed -i "s/XcessBio Backend/LinkgenLab Backend/g"  `grep "XcessBio Backend" -rl www/`
      184  sudo grep -r "XcessBio Backend"  /var/www
      185  cd /var/www/
      186  ls
      187  cd /etc/apache2/
      188  ls
      189  cd sites-available/
      190  ls
      191  sudo vi 000-default.conf 
      192  sudo /etc/init.d/apache2 restart 
      193  sudo reboot now
      194  mysql -u root -p
      195  sudo /etc/init.d/mysql restart
      196  mysql -u root -p
      197  history
    linkgenlab@s72-167-224-80:~$ 
    
    
    

     

     

     

     

     

     

    初步估计11.4号-11.5号遭到入侵

     

     

     

    find . -atime +2   # -atime n: file was last accessed n*24 hours ago; "+2" matches files last accessed more than 2 days ago

    find . -atime +7   # -atime 7: file was last accessed 7*24 hours ago; "+7" matches files last accessed more than 7 days ago

     

     

     

    从最早的11.4号开始出现破解尝试。

    列出访问次数最多的 IP:

    218.92.0.139

    112.85.42.237

    218.92.0.188

    112.85.42.227

    114.67.64.90

    112.250.104.182

    140.143.200.251

     

    反击

     

    iptables -I INPUT -s 114.67.64.90 -j DROP

     

     

    iptables -I INPUT -s 218.92.0.188 -j DROP
    
    218.92.0.139
    112.85.42.237
    218.92.0.188
    112.85.42.227
    114.67.64.90
    112.250.104.182
    140.143.200.251
    
    

     

     

     

     

    禁用多个ip

     

     

    数据库

     

    禁用远程登录

     

     

    https://www.abuseipdb.com/check/218.92.0.139

     

     

     

    应急

     

    1. 及时备份,做好还原准备

    2. 禁用远程登录

    3. 改用权限更低的普通用户,避免直接使用高权限账户

    4. 部署入侵检测与告警

     

    报告

    本次事件中,黑客从11.4号至今持续通过暴力破解的方式企图获取 Linux 主机账户密码,

    造成数据库被篡改,原因是密码过于简单,被暴力破解所致。审计记录中对 /var 递归 chmod 777 的操作也可能扩大了影响范围,建议一并复核。

    此次已完成数据库修复,进行了初步还原。

     

     

     

     

     
