本帖最后由 zl342622zl 于 2014-03-03 21:42 编辑
上午突然被告知这台服务器在对外发起攻击,要求关闭 web 的 80 端口,可是这台机器根本就没有开启 80 端口。
[root@localhost ~]# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 19:51 ? 00:00:00 init [3]
root 2 1 0 19:51 ? 00:00:00 [migration/0]
root 3 1 0 19:51 ? 00:00:00 [ksoftirqd/0]
root 4 1 0 19:51 ? 00:00:00 [watchdog/0]
root 5 1 0 19:51 ? 00:00:00 [migration/1]
root 6 1 0 19:51 ? 00:00:00 [ksoftirqd/1]
root 7 1 0 19:51 ? 00:00:00 [watchdog/1]
root 8 1 0 19:51 ? 00:00:00 [migration/2]
root 9 1 0 19:51 ? 00:00:00 [ksoftirqd/2]
root 10 1 0 19:51 ? 00:00:00 [watchdog/2]
root 11 1 0 19:51 ? 00:00:00 [migration/3]
root 12 1 0 19:51 ? 00:00:00 [ksoftiarqd/3]
root 13 1 0 19:51 ? 00:00:00 [watchdog/3]
root 14 1 0 19:51 ? 00:00:00 [events/0]
root 15 1 0 19:51 ? 00:00:00 [events/1]
root 16 1 0 19:51 ? 00:00:00 [events/2]
root 17 1 0 19:51 ? 00:00:00 [events/3]
root 18 1 0 19:51 ? 00:00:00 [khelper]
root 59 1 0 19:51 ? 00:00:00 [kthread]
root 66 59 0 19:51 ? 00:00:00 [kblockd/0]
root 67 59 0 19:51 ? 00:00:00 [kblockd/1]
root 68 59 0 19:51 ? 00:00:00 [kblockd/2]
root 69 59 0 19:51 ? 00:00:00 [kblockd/3]
root 70 59 0 19:51 ? 00:00:00 [kacpid]
root 248 59 0 19:51 ? 00:00:00 [cqueue/0]
root 249 59 0 19:51 ? 00:00:00 [cqueue/1]
root 250 59 0 19:51 ? 00:00:00 [cqueue/2]
root 251 59 0 19:51 ? 00:00:00 [cqueue/3]
root 254 59 0 19:51 ? 00:00:00 [khubd]
root 256 59 0 19:51 ? 00:00:00 [kseriod]
root 349 59 0 19:51 ? 00:00:00 [khungtaskd]
root 350 59 0 19:51 ? 00:00:00 [pdflush]
root 351 59 0 19:51 ? 00:00:00 [pdflush]
root 352 59 0 19:51 ? 00:00:00 [kswapd0]
root 353 59 0 19:51 ? 00:00:00 [aio/0]
root 354 59 0 19:51 ? 00:00:00 [aio/1]
root 355 59 0 19:51 ? 00:00:00 [aio/2]
root 356 59 0 19:51 ? 00:00:00 [aio/3]
root 522 59 0 19:51 ? 00:00:00 [kpsmoused]
root 569 59 0 19:52 ? 00:00:00 [scsi_eh_0]
root 580 59 0 19:52 ? 00:00:00 [ata/0]
root 581 59 0 19:52 ? 00:00:00 [ata/1]
root 582 59 0 19:52 ? 00:00:00 [ata/2]
root 583 59 0 19:52 ? 00:00:00 [ata/3]
root 584 59 0 19:52 ? 00:00:00 [ata_aux]
root 590 59 0 19:52 ? 00:00:00 [scsi_eh_1]
root 591 59 0 19:52 ? 00:00:00 [scsi_eh_2]
root 592 59 0 19:52 ? 00:00:00 [scsi_eh_3]
root 593 59 0 19:52 ? 00:00:00 [scsi_eh_4]
root 609 59 0 19:52 ? 00:00:00 [kstriped]
root 630 59 0 19:52 ? 00:00:00 [kjournald]
root 655 59 0 19:52 ? 00:00:00 [kauditd]
root 688 1 0 19:52 ? 00:00:00 /sbin/udevd -d
root 1985 59 0 19:52 ? 00:00:00 [kmpathd/0]
root 1986 59 0 19:52 ? 00:00:00 [kmpathd/1]
root 1987 59 0 19:52 ? 00:00:00 [kmpathd/2]
root 1988 59 0 19:52 ? 00:00:00 [kmpathd/3]
root 1989 59 0 19:52 ? 00:00:00 [kmpath_handlerd]
root 2055 59 0 19:52 ? 00:00:00 [kjournald]
root 2492 1 0 19:52 ? 00:00:00 auditd
root 2494 2492 0 19:52 ? 00:00:00 /sbin/audispd
root 2524 1 0 19:52 ? 00:00:00 syslogd -m 0
root 2527 1 0 19:52 ? 00:00:00 klogd -x
root 2581 59 0 19:52 ? 00:00:00 [kondemand/0]
root 2582 59 0 19:52 ? 00:00:00 [kondemand/1]
root 2583 59 0 19:52 ? 00:00:00 [kondemand/2]
root 2584 59 0 19:52 ? 00:00:00 [kondemand/3]
root 2602 1 0 19:52 ? 00:00:00 irqbalance
root 2655 59 0 19:52 ? 00:00:00 [rpciod/0]
root 2656 59 0 19:52 ? 00:00:00 [rpciod/1]
root 2657 59 0 19:52 ? 00:00:00 [rpciod/2]
root 2658 59 0 19:52 ? 00:00:00 [rpciod/3]
root 2699 1 0 19:52 ? 00:00:00 rpc.idmapd
root 2735 1 0 19:52 ? 00:00:00 /usr/sbin/hcid
root 2739 1 0 19:52 ? 00:00:00 /usr/sbin/sdpd
root 2770 1 0 19:52 ? 00:00:00 [krfcommd]
root 2816 1 0 19:52 ? 00:00:00 pcscd
root 2831 1 0 19:52 ? 00:00:00 /usr/sbin/acpid
root 2892 1 0 19:52 ? 00:00:00 /usr/bin/hidd --server
root 2922 1 0 19:52 ? 00:00:00 automount
root 2966 1 0 19:52 ? 00:00:00 /usr/sbin/sshd
smmsp 3140 1 0 19:53 ? 00:00:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root 3153 1 0 19:53 ? 00:00:00 gpm -m /dev/input/mice -t exps2
root 3166 1 0 19:53 ? 00:00:00 crond
root 3219 1 0 19:53 ? 00:00:00 /usr/sbin/atd
root 3328 1 4 19:53 ? 00:03:13 /etc/udisks-daemon
root 3359 1 0 19:53 ? 00:00:00 /usr/sbin/smartd -q never
root 3362 1 0 19:53 tty1 00:00:00 /sbin/mingetty tty1
root 3363 1 0 19:53 tty2 00:00:00 /sbin/mingetty tty2
root 3364 1 0 19:53 tty3 00:00:00 /sbin/mingetty tty3
root 3365 1 0 19:53 tty4 00:00:00 /sbin/mingetty tty4
root 3368 1 0 19:53 tty5 00:00:00 /sbin/mingetty tty5
root 3369 1 0 19:53 tty6 00:00:00 /sbin/mingetty tty6
root 15304 1 12 20:49 ? 00:02:35 /etc/udisks-daemon
root 19650 2966 0 21:08 ? 00:00:00 sshd: root@pts/0
root 19652 19650 0 21:08 pts/0 00:00:00 -bash
root 19929 2966 0 21:09 ? 00:00:00 sshd: root@pts/1
root 19931 19929 0 21:09 pts/1 00:00:00 -bash
root 19960 19652 0 21:09 pts/0 00:00:00 ps -ef
(上面的 ps 输出里,我删掉了很多非 root 的进程。)
查看 messages 日志:
Mar 2 21:43:30 localhost kernel: ssh-scan[9744]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffe71e50 error 4
Mar 2 21:43:31 localhost kernel: ssh-scan[9743]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffe71e50 error 4
Mar 2 21:43:31 localhost kernel: ssh-scan[9746]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffe71e50 error 4
Mar 2 21:43:31 localhost kernel: ssh-scan[9747]: segfault at 00000000643307fc rip 00000000080a3377 rsp 00000000ffe71e20 error 4
Mar 2 21:43:31 localhost kernel: ssh-scan[9745]: segfault at 00000000643307fc rip 00000000080a3377 rsp 00000000ffe71e20 error 4
Mar 2 21:43:32 localhost kernel: ssh-scan[9655]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffe71e50 error 4
Mar 2 21:43:34 localhost kernel: ssh-scan[9741]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffe71e50 error 4
Mar 2 21:43:41 localhost kernel: ssh-scan[9643]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffe71e50 error 4
Mar 2 21:44:14 localhost kernel: ssh-scan[9640]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ffe71e50 error 4
Mar 2 21:51:05 localhost kernel: device eth0 entered promiscuous mode
Mar 2 22:13:51 localhost kernel: printk: 3 messages suppressed.
Mar 2 22:13:51 localhost kernel: Neighbour table overflow.
Mar 2 22:13:51 localhost last message repeated 9 times
Mar 2 22:13:56 localhost kernel: printk: 30394 messages suppressed.
Mar 2 22:13:56 localhost kernel: Neighbour table overflow.
Mar 2 22:14:01 localhost kernel: printk: 27765 messages suppressed.
Mar 2 22:14:01 localhost kernel: Neighbour table overflow.
Mar 2 22:14:16 localhost kernel: device eth0 left promiscuous mode
Mar 2 22:14:17 localhost kernel: ssh-scan[12607]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ff814240 error 4
Mar 2 22:14:17 localhost kernel: ssh-scan[12518]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ff814240 error 4
Mar 2 22:14:17 localhost kernel: ssh-scan[12471]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ff814240 error 4
Mar 2 22:14:17 localhost kernel: ssh-scan[12045]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ff814240 error 4
Mar 2 22:14:17 localhost kernel: ssh-scan[12314]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ff814240 error 4
Mar 2 22:14:17 localhost kernel: ssh-scan[12515]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ff814240 error 4
Mar 2 22:14:17 localhost kernel: ssh-scan[12147]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ff814240 error 4
Mar 2 22:14:17 localhost kernel: ssh-scan[12170]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ff814240 error 4
Mar 2 22:14:17 localhost kernel: ssh-scan[12583]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ff814240 error 4
Mar 2 22:14:17 localhost kernel: ssh-scan[12622]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ff814240 error 4
Mar 2 22:14:17 localhost kernel: ssh-scan[12654]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ff814240 error 4
Mar 2 22:14:17 localhost kernel: ssh-scan[12599]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ff814240 error 4
Mar 2 22:14:17 localhost kernel: ssh-scan[12879]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ff814240 error 4
Mar 2 22:14:17 localhost kernel: ssh-scan[12585]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ff814240 error 4
Mar 2 22:14:17 localhost kernel: ssh-scan[12340]: segfault at 0000000000000000 rip 0000000008048e33 rsp 00000000ff814240 error 4
..................
Mar 3 19:53:10 localhost kernel: ata1: SATA max UDMA/133 cmd 0x9c00 ctl 0x9880 bmdma 0x9400 irq 106
Mar 3 19:53:10 localhost kernel: ata2: SATA max UDMA/133 cmd 0x9800 ctl 0x9480 bmdma 0x9408 irq 106
Mar 3 19:53:10 localhost kernel: ata1: SATA link up 1.5 Gbps (SStatus 113 SControl 300)
Mar 3 19:53:10 localhost kernel: ata1.00: ATAPI: Slimtype DVD A DS8A8SH, KC2D, max UDMA/100
Mar 3 19:53:10 localhost kernel: ata1.00: configured for UDMA/100
Mar 3 19:53:10 localhost kernel: ata2: SATA link down (SStatus 0 SControl 300)
Mar 3 19:53:10 localhost kernel: Vendor: Slimtype Model: DVD A DS8A8SH Rev: KC2D
Mar 3 19:53:10 localhost kernel: Type: CD-ROM ANSI SCSI revision: 05
Mar 3 19:53:10 localhost kernel: ACPI: PCI Interrupt 0000:00:1f.5[B] -> GSI 19 (level, low) -> IRQ 106
Mar 3 19:53:10 localhost kernel: ata_piix 0000:00:1f.5: MAP [ P0 -- P1 -- ]
Mar 3 19:53:10 localhost kernel: scsi3 : ata_piix
Mar 3 19:53:10 localhost kernel: scsi4 : ata_piix
Mar 3 19:53:10 localhost kernel: ata3: SATA max UDMA/133 cmd 0xac00 ctl 0xa880 bmdma 0xa400 irq 106
Mar 3 19:53:10 localhost kernel: ata4: SATA max UDMA/133 cmd 0xa800 ctl 0xa480 bmdma 0xa408 irq 106
Mar 3 19:53:10 localhost kernel: ata3: SATA link down (SStatus 0 SControl 300)
Mar 3 19:53:11 localhost kernel: ata4: SATA link down (SStatus 0 SControl 300)
Mar 3 19:53:11 localhost kernel: Initializing USB Mass Storage driver...
Mar 3 19:53:11 localhost kernel: usbcore: registered new driver usb-storage
Mar 3 19:53:11 localhost kernel: USB Mass Storage support registered.
Mar 3 19:53:11 localhost kernel: device-mapper: uevent: version 1.0.3
Mar 3 19:53:11 localhost kernel: device-mapper: ioctl: 4.11.5-ioctl (2007-12-12) initialised: dm-devel@redhat.com
Mar 3 19:53:11 localhost kernel: device-mapper: dm-raid45: initialized v0.2594l
Mar 3 19:53:11 localhost kernel: kjournald starting. Commit interval 5 seconds
Mar 3 19:53:11 localhost kernel: EXT3-fs: mounted filesystem with ordered data mode.
Mar 3 19:53:11 localhost kernel: SELinux: Disabled at runtime.
Mar 3 19:53:11 localhost kernel: type=1404 audit(1393847557.188:2): selinux=0 auid=4294967295 ses=4294967295
Mar 3 19:53:11 localhost kernel: input: PC Speaker as /class/input/input2
Mar 3 19:53:11 localhost kernel: e1000e: Intel(R) PRO/1000 Network Driver - 1.0.2-k3
Mar 3 19:53:11 localhost kernel: e1000e: Copyright (c) 1999-2008 Intel Corporation.
Mar 3 19:53:11 localhost kernel: ACPI: PCI Interrupt 0000:03:00.0[A] -> GSI 16 (level, low) -> IRQ 177
Mar 3 19:53:11 localhost kernel: sd 0:2:0:0: Attached scsi generic sg0 type 0
Mar 3 19:53:11 localhost kernel: scsi 1:0:0:0: Attached scsi generic sg1 type 5
Mar 3 19:53:11 localhost kernel: eth0: (PCI Express:2.5GB/s:Width x1) 00:e0:81:d8:83:b9
Mar 3 19:53:11 localhost kernel: eth0: Intel(R) PRO/1000 Network Connection
Mar 3 19:53:11 localhost kernel: eth0: MAC: 3, PHY: 8, PBA No: ffffff-0ff
Mar 3 19:53:11 localhost kernel: ACPI: PCI Interrupt 0000:02:00.0[A] -> GSI 17 (level, low) -> IRQ 169
Mar 3 19:53:11 localhost kernel: eth1: (PCI Express:2.5GB/s:Width x1) 00:e0:81:d8:83:ba
Mar 3 19:53:11 localhost kernel: eth1: Intel(R) PRO/1000 Network Connection
Mar 3 19:53:11 localhost kernel: eth1: MAC: 3, PHY: 8, PBA No: ffffff-0ff
Mar 3 19:53:11 localhost kernel: ACPI: PCI Interrupt 0000:00:1f.3[C] -> GSI 18 (level, low) -> IRQ 82
Mar 3 19:53:11 localhost kernel: sr0: scsi3-mmc drive: 24x/24x writer dvd-ram cd/rw xa/form2 cdda tray
Mar 3 19:53:11 localhost kernel: Uniform CD-ROM driver Revision: 3.20
Mar 3 19:53:11 localhost kernel: floppy0: no floppy controllers found
Mar 3 19:53:11 localhost kernel: lp: driver loaded but no devices found
Mar 3 19:53:11 localhost kernel: ACPI: Power Button (FF) [PWRF]
Mar 3 19:53:11 localhost kernel: ACPI: Power Button (CM) [PWRB]
Mar 3 19:53:11 localhost kernel: ACPI: Mapper loaded
Mar 3 19:53:11 localhost kernel: dell-wmi: No known WMI GUID found
Mar 3 19:53:11 localhost kernel: md: Autodetecting RAID arrays.
Mar 3 19:53:11 localhost kernel: md: autorun ...
Mar 3 19:53:11 localhost kernel: md: ... autorun DONE.
Mar 3 19:53:11 localhost kernel: device-mapper: multipath: version 1.0.5 loaded
Mar 3 19:53:11 localhost kernel: loop: loaded (max 8 devices)
Mar 3 19:53:11 localhost kernel: EXT3 FS on sda3, internal journal
Mar 3 19:53:11 localhost kernel: kjournald starting. Commit interval 5 seconds
Mar 3 19:53:11 localhost kernel: EXT3 FS on sda1, internal journal
Mar 3 19:53:12 localhost kernel: EXT3-fs: mounted filesystem with ordered data mode.
Mar 3 19:53:12 localhost kernel: Adding 8193140k swap on /dev/sda2. Priority:-1 extents:1 across:8193140k
Mar 3 19:53:12 localhost kernel: IA-32 Microcode Update Driver: v1.14a <tigran@veritas.com>
Mar 3 19:53:12 localhost kernel: e1000e: eth0 NIC Link is Up 100 Mbps Full Duplex, Flow Control: None
Mar 3 19:53:12 localhost kernel: eth0: 10/100 speed: disabling TSO
Mar 3 19:53:12 localhost kernel: Bluetooth: Core ver 2.10
Mar 3 19:53:12 localhost kernel: NET: Registered protocol family 31
Mar 3 19:53:12 localhost kernel: Bluetooth: HCI device and connection manager initialized
Mar 3 19:53:12 localhost kernel: Bluetooth: HCI socket layer initialized
Mar 3 19:53:12 localhost kernel: Bluetooth: L2CAP ver 2.8
Mar 3 19:53:12 localhost kernel: Bluetooth: L2CAP socket layer initialized
Mar 3 19:53:12 localhost kernel: Bluetooth: RFCOMM socket layer initialized
Mar 3 19:53:12 localhost kernel: Bluetooth: RFCOMM TTY layer initialized
Mar 3 19:53:12 localhost kernel: Bluetooth: RFCOMM ver 1.8
Mar 3 19:53:12 localhost kernel: Bluetooth: HIDP (Human Interface Emulation) ver 1.1
Mar 3 19:53:12 localhost kernel: NET: Registered protocol family 10
Mar 3 19:53:12 localhost kernel: lo: Disabled Privacy Extensions
Mar 3 19:53:12 localhost kernel: IPv6 over IPv4 tunneling driver
Mar 3 20:39:51 localhost avahi-daemon[3245]: Disconnnected from D-Bus, exiting.
Mar 3 20:39:51 localhost avahi-daemon[3245]: Got SIGQUIT, quitting.
Mar 3 20:39:51 localhost avahi-daemon[3245]: Leaving mDNS multicast group on interface eth0.IPv6 with address fe80::2e0:81ff:fed8:83b9.
Mar 3 20:39:51 localhost hcid[2735]: Got disconnected from the system message bus
Mar 3 20:39:51 localhost avahi-daemon[3245]: Leaving mDNS multicast group on interface eth0.IPv4 with address 202.102.86.248.
Mar 3 20:39:56 localhost hcid[2735]: Can't open system message bus connection: Failed to connect to socket /var/run/dbus/system_bus_socket: Connection refused
Mar 3 21:08:19 localhost rpc.statd[2667]: Caught signal 15, un-registering and exiting.
2号的时候 messages 里突然出现很多 error 4(即上面 ssh-scan 的 segfault 记录)。上午发现的时候,把 ssh 端口改成了 22022,密码也都改了。
下午 13 点多的时候又出现了。
刚刚又被通知这台服务器有对外大流量,结果 IP 被屏蔽,现在无法登录了....
[root@localhost ~]# cat /var/log/secure
Mar 2 22:45:06 localhost sshd[22350]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.9 user=root
Mar 2 22:45:08 localhost sshd[22350]: Failed password for root from 222.186.62.9 port 2071 ssh2
Mar 2 22:45:21 localhost last message repeated 6 times
Mar 2 22:45:21 localhost sshd[22351]: Disconnecting: Too many authentication failures for root
Mar 2 22:45:21 localhost sshd[22350]: PAM 6 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.9 user=root
Mar 2 22:45:21 localhost sshd[22350]: PAM service(sshd) ignoring max retries; 7 > 3
Mar 2 22:45:32 localhost sshd[22354]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.9 user=root
Mar 2 22:45:34 localhost sshd[22354]: Failed password for root from 222.186.62.9 port 3903 ssh2
Mar 2 22:45:37 localhost sshd[22354]: Failed password for root from 222.186.62.9 port 3903 ssh2
Mar 2 22:46:02 localhost sshd[22355]: fatal: Read from socket failed: Connection reset by peer
Mar 2 22:46:02 localhost sshd[22354]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.9 user=root
Mar 2 23:02:49 localhost sshd[24504]: refused connect from ::ffff:61.174.51.216 (::ffff:61.174.51.216)
Mar 3 00:01:54 localhost sshd[12978]: Invalid user a from 50.30.33.44
Mar 3 00:01:54 localhost sshd[12978]: Address 50.30.33.44 maps to uspro792.dedicatedpanel.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar 3 00:01:54 localhost sshd[12979]: input_userauth_request: invalid user a
Mar 3 00:01:54 localhost sshd[12978]: pam_unix(sshd:auth): check pass; user unknown
Mar 3 00:01:54 localhost sshd[12978]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50.30.33.44
Mar 3 00:01:54 localhost sshd[12978]: pam_succeed_if(sshd:auth): error retrieving information about user a
Mar 3 00:01:55 localhost sshd[12978]: Failed password for invalid user a from 50.30.33.44 port 34418 ssh2
Mar 3 00:01:56 localhost sshd[12979]: Received disconnect from 50.30.33.44: 11: Bye Bye
Mar 3 00:01:57 localhost sshd[12980]: Address 50.30.33.44 maps to uspro792.dedicatedpanel.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar 3 00:01:57 localhost sshd[12980]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50.30.33.44 user=root
Mar 3 00:01:59 localhost sshd[12980]: Failed password for root from 50.30.33.44 port 35801 ssh2
Mar 3 00:01:59 localhost sshd[12981]: Received disconnect from 50.30.33.44: 11: Bye Bye
Mar 3 00:02:01 localhost sshd[12982]: Address 50.30.33.44 maps to uspro792.dedicatedpanel.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar 3 00:02:01 localhost sshd[12982]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50.30.33.44 user=root
Mar 3 00:02:03 localhost sshd[12982]: Failed password for root from 50.30.33.44 port 37400 ssh2
Mar 3 00:02:03 localhost sshd[12983]: Received disconnect from 50.30.33.44: 11: Bye Bye
Mar 3 00:02:04 localhost sshd[13092]: Address 50.30.33.44 maps to uspro792.dedicatedpanel.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar 3 00:02:04 localhost sshd[13092]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50.30.33.44 user=root
Mar 3 00:02:07 localhost sshd[13092]: Failed password for root from 50.30.33.44 port 38913 ssh2
Mar 3 00:02:07 localhost sshd[13093]: Received disconnect from 50.30.33.44: 11: Bye Bye
Mar 3 00:02:08 localhost sshd[13094]: Address 50.30.33.44 maps to uspro792.dedicatedpanel.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar 3 00:02:08 localhost sshd[13094]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50.30.33.44 user=root
Mar 3 00:02:10 localhost sshd[13094]: Failed password for root from 50.30.33.44 port 40560 ssh2
Mar 3 00:02:10 localhost sshd[13095]: Received disconnect from 50.30.33.44: 11: Bye Bye
Mar 3 00:02:12 localhost sshd[13096]: Address 50.30.33.44 maps to uspro792.dedicatedpanel.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar 3 00:02:12 localhost sshd[13096]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50.30.33.44 user=root
Mar 3 00:02:13 localhost sshd[13096]: Failed password for root from 50.30.33.44 port 42119 ssh2
Mar 3 00:02:14 localhost sshd[13097]: Received disconnect from 50.30.33.44: 11: Bye Bye
Mar 3 00:02:15 localhost sshd[13098]: Address 50.30.33.44 maps to uspro792.dedicatedpanel.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar 3 00:02:15 localhost sshd[13098]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50.30.33.44 user=root
Mar 3 00:02:17 localhost sshd[13098]: Failed password for root from 50.30.33.44 port 43591 ssh2
Mar 3 00:02:17 localhost sshd[13099]: Received disconnect from 50.30.33.44: 11: Bye Bye
Mar 3 00:02:19 localhost sshd[13100]: Address 50.30.33.44 maps to uspro792.dedicatedpanel.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar 3 00:02:19 localhost sshd[13100]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50.30.33.44 user=root
Mar 3 00:02:20 localhost sshd[13100]: Failed password for root from 50.30.33.44 port 45211 ssh2
Mar 3 00:02:20 localhost sshd[13101]: Received disconnect from 50.30.33.44: 11: Bye Bye
Mar 3 00:02:22 localhost sshd[13102]: Address 50.30.33.44 maps to uspro792.dedicatedpanel.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar 3 00:02:22 localhost sshd[13102]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50.30.33.44 user=root
Mar 3 00:02:24 localhost sshd[13102]: Failed password for root from 50.30.33.44 port 46503 ssh2
Mar 3 00:02:25 localhost sshd[13103]: Received disconnect from 50.30.33.44: 11: Bye Bye
Mar 3 00:02:26 localhost sshd[13104]: Address 50.30.33.44 maps to uspro792.dedicatedpanel.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar 3 00:02:26 localhost sshd[13104]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50.30.33.44 user=root
Mar 3 00:02:28 localhost sshd[13104]: Failed password for root from 50.30.33.44 port 48246 ssh2
Mar 3 00:02:28 localhost sshd[13105]: Received disconnect from 50.30.33.44: 11: Bye Bye
Mar 3 00:02:29 localhost sshd[13106]: Address 50.30.33.44 maps to uspro792.dedicatedpanel.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar 3 00:02:29 localhost sshd[13106]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50.30.33.44 user=root
Mar 3 00:02:31 localhost sshd[13106]: Failed password for root from 50.30.33.44 port 49651 ssh2
Mar 3 00:02:32 localhost sshd[13107]: Received disconnect from 50.30.33.44: 11: Bye Bye
Mar 3 00:02:33 localhost sshd[13108]: Address 50.30.33.44 maps to uspro792.dedicatedpanel.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar 3 00:02:33 localhost sshd[13108]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50.30.33.44 user=root
Mar 3 00:02:35 localhost sshd[13108]: Failed password for root from 50.30.33.44 port 51206 ssh2
Mar 3 00:02:35 localhost sshd[13109]: Received disconnect from 50.30.33.44: 11: Bye Bye
Mar 3 00:02:37 localhost sshd[13110]: Address 50.30.33.44 maps to uspro792.dedicatedpanel.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar 3 00:02:37 localhost sshd[13110]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50.30.33.44 user=root
Mar 3 00:02:38 localhost sshd[13110]: Failed password for root from 50.30.33.44 port 52843 ssh2
Mar 3 00:02:38 localhost sshd[13111]: Received disconnect from 50.30.33.44: 11: Bye Bye
Mar 3 00:02:40 localhost sshd[13112]: Address 50.30.33.44 maps to uspro792.dedicatedpanel.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar 3 00:02:40 localhost sshd[13112]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50.30.33.44 user=root
Mar 3 00:02:42 localhost sshd[13112]: Failed password for root from 50.30.33.44 port 54162 ssh2
Mar 3 00:02:42 localhost sshd[13113]: Received disconnect from 50.30.33.44: 11: Bye Bye
2号凌晨的时候有陌生 IP 登录,已经全部加入到 hosts.deny 中了
Mar 3 17:28:56 localhost sshd[30000]: Server listening on :: port 22022.
Mar 3 17:28:56 localhost sshd[30000]: error: Bind to port 22022 on 0.0.0.0 failed: Address already in use.
Mar 3 17:29:14 localhost sshd[30198]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.109.168.143 user=root
Mar 3 17:29:16 localhost sshd[30198]: Failed password for root from 180.109.168.143 port 64678 ssh2
Mar 3 17:29:26 localhost sshd[30198]: Accepted password for root from 180.109.168.143 port 64678 ssh2
Mar 3 17:29:26 localhost sshd[30198]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 17:29:28 localhost sshd[30198]: pam_unix(sshd:session): session closed for user root
Mar 3 17:29:30 localhost sshd[30231]: Received disconnect from 180.109.168.143: 9: \347\224\250\346\210\267\346\213\222\347\273\235\346\267\273\345\212\240\346\210\226\346\233\264\346\215\242\344\270\273\346\234\272\345\257\206\351\222\245\343\200\202
Mar 3 18:03:55 localhost sshd[20698]: pam_unix(sshd:session): session closed for user root
Mar 3 19:46:05 localhost sshd[25217]: Accepted password for root from 49.77.249.155 port 29742 ssh2
Mar 3 19:46:05 localhost sshd[25217]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 19:49:00 localhost sshd[25900]: Received disconnect from 49.77.249.155: 13: The user canceled authentication.
Mar 3 19:49:12 localhost sshd[26097]: Accepted password for root from 49.77.249.155 port 30261 ssh2
Mar 3 19:49:12 localhost sshd[26097]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 19:49:27 localhost sshd[26097]: pam_unix(sshd:session): session closed for user root
Mar 3 19:49:45 localhost sshd[26129]: Accepted password for root from 49.77.249.155 port 30342 ssh2
Mar 3 19:49:45 localhost sshd[26129]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 19:49:55 localhost userhelper[26159]: running '/sbin/reboot' with root privileges on behalf of 'root'
Mar 3 19:49:57 localhost sshd[26129]: pam_unix(sshd:session): session closed for user root
Mar 3 19:49:57 localhost sshd[30000]: Received signal 15; terminating.
Mar 3 19:49:57 localhost sshd[25217]: Exiting on signal 15
Mar 3 19:49:57 localhost sshd[25217]: pam_unix(sshd:session): session closed for user root
Mar 3 19:52:57 localhost sshd[2966]: Server listening on :: port 22022.
Mar 3 19:52:57 localhost sshd[2966]: error: Bind to port 22022 on 0.0.0.0 failed: Address already in use.
Mar 3 19:53:02 localhost sshd[2998]: Accepted password for root from 49.77.249.155 port 31328 ssh2
Mar 3 19:53:03 localhost sshd[2998]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 19:54:26 localhost sshd[2998]: pam_unix(sshd:session): session closed for user root
Mar 3 19:55:11 localhost sshd[3625]: Accepted password for root from 49.77.249.155 port 31483 ssh2
Mar 3 19:55:11 localhost sshd[3625]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 19:58:58 localhost sshd[3625]: pam_unix(sshd:session): session closed for user root
Mar 3 19:59:27 localhost sshd[4678]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.77.249.155 user=root
Mar 3 19:59:29 localhost sshd[4678]: Failed password for root from 49.77.249.155 port 32082 ssh2
Mar 3 19:59:42 localhost last message repeated 2 times
Mar 3 19:59:51 localhost sshd[4678]: Accepted password for root from 49.77.249.155 port 32082 ssh2
Mar 3 19:59:51 localhost sshd[4678]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 20:00:18 localhost sshd[4913]: Did not receive identification string from UNKNOWN
Mar 3 20:00:21 localhost sshd[4915]: Received disconnect from 49.77.249.155: 13: The user canceled authentication.
Mar 3 20:26:04 localhost sshd[4678]: pam_unix(sshd:session): session closed for user root
Mar 3 20:26:09 localhost sshd[10485]: Accepted password for root from 49.77.249.155 port 32706 ssh2
Mar 3 20:26:09 localhost sshd[10485]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 20:35:01 localhost sshd[12146]: Accepted password for root from 49.77.249.155 port 33348 ssh2
Mar 3 20:35:01 localhost sshd[12146]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 20:35:02 localhost sshd[12312]: Accepted password for root from 49.77.249.155 port 33349 ssh2
Mar 3 20:35:02 localhost sshd[12312]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 20:42:25 localhost sshd[12146]: pam_unix(sshd:session): session closed for user root
Mar 3 20:42:34 localhost sshd[13839]: Accepted password for root from 49.77.249.155 port 30703 ssh2
Mar 3 20:42:34 localhost sshd[13839]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 20:43:07 localhost sshd[10485]: pam_unix(sshd:session): session closed for user root
Mar 3 20:43:49 localhost sshd[12312]: pam_unix(sshd:session): session closed for user root
Mar 3 20:57:32 localhost sshd[16958]: Accepted password for root from 49.77.249.155 port 33403 ssh2
Mar 3 20:57:32 localhost sshd[16958]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 20:57:32 localhost sshd[16958]: pam_unix(sshd:session): session closed for user root
Mar 3 21:01:48 localhost sshd[17982]: Accepted password for root from 49.77.249.155 port 29937 ssh2
Mar 3 21:01:48 localhost sshd[17982]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 21:02:30 localhost sshd[17982]: pam_unix(sshd:session): session closed for user root
Mar 3 21:02:38 localhost sshd[18218]: Accepted password for root from 49.77.249.155 port 30014 ssh2
Mar 3 21:02:38 localhost sshd[18218]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 21:07:09 localhost sshd[19354]: Accepted password for root from 49.77.249.155 port 31136 ssh2
Mar 3 21:07:09 localhost sshd[19354]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 21:07:15 localhost sshd[13839]: pam_unix(sshd:session): session closed for user root
Mar 3 21:07:15 localhost sshd[19354]: pam_unix(sshd:session): session closed for user root
Mar 3 21:07:24 localhost sshd[18218]: pam_unix(sshd:session): session closed for user root
Mar 3 21:07:30 localhost sshd[19384]: Accepted password for root from 49.77.249.155 port 31204 ssh2
Mar 3 21:07:30 localhost sshd[19384]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 21:08:04 localhost sshd[19384]: pam_unix(sshd:session): session closed for user root
Mar 3 21:08:06 localhost sshd[19618]: Accepted password for root from 49.77.249.155 port 31243 ssh2
Mar 3 21:08:06 localhost sshd[19618]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 21:08:43 localhost sshd[19618]: pam_unix(sshd:session): session closed for user root
Mar 3 21:08:47 localhost sshd[19650]: Accepted password for root from 49.77.249.155 port 31342 ssh2
Mar 3 21:08:47 localhost sshd[19650]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 21:09:16 localhost sshd[19929]: Accepted password for root from 49.77.249.155 port 31684 ssh2
Mar 3 21:09:16 localhost sshd[19929]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 21:09:58 localhost sshd[19962]: Accepted password for root from 49.77.249.155 port 31800 ssh2
Mar 3 21:09:58 localhost sshd[19962]: pam_unix(sshd:session): session opened for user root by (uid=0)
远程重启后,没过一会儿又在攻击其它服务器了..
请问各位大大,这是什么攻击?
是中毒了吗?