How to deal with a blocked port on Alibaba Cloud ECS

Here is what happened.
The random password I considered complex was cracked anyway; I suspect it was credential stuffing.

Sure enough, Alibaba Cloud's free security monitoring started reporting an alert: "SSH remote non-interactive one-liner anomalous command execution".

You don't need to parse that alert name. What it means is that someone logged in as root from an IP in Wyoming, downloaded two malware files and happily ran them.
It did not do anything destructive to the other programs on the server, which I am thankful for. From what I looked up, it appears to be malware that turns your server into a BTC miner and also attacks other IPs on the internet on its own to spread itself.

Next, as you can imagine, Alibaba Cloud spotted the attack easily and blocked access to several destination ports, including the important port 22. Note that this is an outbound block on the destination port: the server was connecting to port 22 on other hosts (the spreading behaviour), and that is exactly the trace we will use to find the process.

The above is part of my conversation with Alibaba Cloud technical support.

So the key question is: how do we find the malware reliably and kill it?

I didn't keep screenshots of the scene, but I will reconstruct it as faithfully as I can.

The approach is:

  • First confirm which port was blocked
  • Use that to find the process ID (PID) of the program making those connections
  • Delete the malware binary
  • Then kill the process
  • Check crontab for scheduled tasks it planted
  • Done

Suppose the blocked port is 22.

// Switch to root
sudo su

// Filter connections involving the blocked port. A bare "grep :22" also matches :220, :2222 and so on; the trailing space anchors it to exactly port 22.
netstat -antp | grep ':22 '

// The same with ss, showing only connections whose destination port is 22, i.e. this server talking to port 22 on other hosts
ss -antp '( dport = :22 )'

The rightmost column is PID/program name.

Suppose the offending process is PID 13411 and the program name is remmina.

PS: remmina is my remote-server management tool and is used here only as a placeholder; real malware usually has a random-string name, so it stands out clearly. Don't stop at the name, though: the path behind the PID is what tells you which binary is really running.

// Show the process's working directory
pwdx 13411

// Show the parent PID, owner, start time and full command line (ps -ef | grep 13411 would also match the grep itself and anything else containing that number)
ps -o pid,ppid,user,lstart,cmd -p 13411

// Show the executable actually behind the PID, regardless of what the command line claims
ls -l /proc/13411/exe

After those steps you will have the directory the program runs from and the path of the binary itself.

// Step one: delete the program file
rm -f /usr/bin/remmina

If the process is stubborn (a parent respawns it when killed), follow the PPID chain upward and remove every binary that doesn't belong. Deleting the file does not stop the copy already running, and /proc/13411/exe keeps pointing at the unlinked inode (shown as "(deleted)"), which is handy if you want to copy the sample out for analysis before killing it. If a watchdog keeps restarting it, freeze the whole process tree with kill -STOP first, then remove the files, then kill.

// Now that the malware's executables are gone, kill the process
kill -9 13411

// Finally, check cron for suspicious scheduled tasks. crontab -l lists root's entries and crontab -e edits them; also look in /etc/crontab, /etc/cron.d/ and the crontabs of other users, since persistence is often planted there.
crontab -l
crontab -e

// Remove anything odd, and you're done.

That covers the typical case of a fixed port being blocked. Since the attacker had root, also change the root password and check /root/.ssh/authorized_keys for keys you did not add before asking Alibaba Cloud to lift the block.

On a server that isn't on Alibaba Cloud it is more painful, since even noticing the compromise in time is hard.
Mining malware, though, burns a lot of CPU, so you can usually locate the process from CPU usage (top, sorted by %CPU).
Quiet malware that steals data instead of mining gives you no such hint, and you are in real trouble.

The most important thing is not to let other people log in to your server easily.

When provisioning a server, create a sudo user and lock the root account for login, then have users authenticate with SSH keys rather than passwords. That is considerably safer, and it makes credential stuffing practically impossible, because there is no password to reuse.
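An added example of my own (not from the original post) to check that the advice above actually took effect in /etc/ssh/sshd_config. It shows a weak configuration next to the hardened one, and a small parser that reports the value sshd would really use. The point it demonstrates is the gotcha that sshd takes the first value it sees for a keyword, so appending "PasswordAuthentication no" to a file that already says "yes" changes nothing. Both config fragments are constructed, the user names in them are made up, the default for PermitRootLogin is assumed to be prohibit-password (OpenSSH 7.0 and later), and Match blocks are not evaluated: parsing stops at the first Match line, where the global section ends.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: audit an sshd_config for the
# two settings the post recommends (root locked out, password login off).
# Both config fragments are constructed for the demo.

# Weak, stock-style configuration. Someone later "hardened" it by appending
# a line, which sshd ignores because the earlier "yes" is read first.
WEAK_SSHD_CONFIG=$(cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later, has no effect:
PasswordAuthentication no
EOF
)

# Corrected configuration: root cannot log in, keys only. "bh" and "deploy"
# are made-up user names.
HARDENED_SSHD_CONFIG=$(cat <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers bh
Match User deploy
    PasswordAuthentication no
EOF
)

# sshd_effective KEYWORD DEFAULT   (config text on stdin)
# Prints the value sshd would use for KEYWORD in the global section:
# keyword match is case-insensitive, comments and blank lines are skipped,
# the FIRST occurrence wins, and nothing after a Match line counts. Prints
# DEFAULT when the keyword is absent.
sshd_effective() {
    awk -v key="$1" -v def="$2" '
        BEGIN { lk = tolower(key) }
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == lk { print $2; found = 1; exit }
        END { if (!found) print def }
    '
}

# audit_sshd   (config text on stdin)
# Returns 0 when root login is off and password auth is off; otherwise
# prints each failing setting and returns 1.
audit_sshd() {
    cfg=$(cat)
    rc=0
    root=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin prohibit-password)
    pass=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication yes)
    case "$root" in
        no) ;;
        *) echo "PermitRootLogin is '$root' (want no)"; rc=1 ;;
    esac
    case "$pass" in
        no) ;;
        *) echo "PasswordAuthentication is '$pass' (want no)"; rc=1 ;;
    esac
    return $rc
}

# Demo on the constructed fragments. On a live box, `sshd -T` prints the
# effective configuration (Match blocks included) and can be audited the
# same way:  sshd -T | audit_sshd
printf '%s\n' "$WEAK_SSHD_CONFIG" | audit_sshd || echo "weak config rejected, as expected"
if printf '%s\n' "$HARDENED_SSHD_CONFIG" | audit_sshd; then
    echo "hardened config passes"
fi
```

The weak fragment fails on both settings even though its last line says "PasswordAuthentication no"; the hardened fragment passes, and the Match block at its end is not mistaken for a global setting.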


29 replies to "How to deal with a blocked port on Alibaba Cloud ECS"

  1. Hmm, it appears like your site ate my first comment (it was super long), so I guess
    I'll just sum up what I wrote and say I'm thoroughly enjoying your blog.
    I as well am an aspiring blogger, but I'm still new to everything.
    Do you have any tips and hints for rookie blog writers?

    I’d certainly appreciate it.

  2. I think what you said was very logical. But what about this:
    what if you were to create an awesome post title?
    I am not saying your content is not solid, but suppose you added something that makes
    people desire more? I mean, "How to deal with a blocked port on Alibaba Cloud ECS
    | BH's Blog" is a little boring. You might glance at Yahoo's front page and see how they create news headlines to get viewers to open the
    links. You might try adding a video or a related pic or two to get people interested in what you've got to say.
    In my opinion, it might make your website a little bit more interesting.

  3. I was pretty pleased to find this page. I want to
    thank you for your time for this fantastic read! I definitely loved every part of it, and I have you bookmarked to
    look at new information on your site.

  4. I was recommended this blog by my cousin. I am not sure whether this post
    is written by him, as nobody else knows such detail about my trouble.
    You are incredible! Thanks!

  5. Great weblog right here! Also, your website loads
    up very fast! What web host are you using? Can I get your affiliate link for your host?
    I want my web site to load up as fast as yours lol
