记一次数据库被入侵应急响应
前记
今天早上我便进行了溯源追踪,审计了日志
并得出以下报告。
此版本不完整,有时间再补充。
发现
审计
:~$ history
1 sudo apt-get update
2 sudo apt-get upgrade
3 sudo add-apt-repository ppa:ondrej/php
4 add-apt-repository ppa:ondrej/apache2
5 sudo add-apt-repository ppa:ondrej/apache2
6 sudo apt-get update
7 sudo apt-get upgrade
8 sudo apt-get install apache2
9 sudo apt-get install mysql-server mysql-client
10 cd /etc/apache2/
11 ls
12 cd sites-available/
13 sudo vi 000-default.conf
14 sudo /etc/init.d/apache2 res
15 sudo /etc/init.d/apache2 restart
16 sudo vi 000-default.conf
17 sudo /etc/init.d/apache2 stop
18 sudo vi 000-default.conf
19 cd ../sites-enabled/
20 ls
21 sudo vi 000-default.conf
22 sudo /etc/init.d/apache2 start
23 cd ../sites-available/
24 ls
25 sudo vi 000-default.conf
26 sudo /etc/init.d/apache2 start
27 cd /var/
28 sudo chmod -R 777 www
29 ls
30 sudo apt-get install php5.6
31 sudo apt-get install php5.6-gd
32 sudo apt-get install php5.6-mysql
33 sudo apt-get install php5.6-mbstring
34 sudo apt-get install php5.6-zip
35 sudo apt-get install php5.6-curl
36 sudo /etc/php/php -m
37 sudo /etc/php/5.6/php -m
38 php -m
39 sudo apt-get install php-xml
40 php -m
41 sudo apt-get install php5-xml
42 sudo apt-get install php-xml
43 sudo apt-get install php-mcrypt
44 sudo apt-get install php-xml
45 php -m
46 sudo apt-get install php5-mcrypt
47 sudo apt-get install php5.6-mcrypt
48 sudo apt-get install php5.6-xml
49 php -m
50 cd /
51 sudo chmod -R 777 var/
52 ls
53 cd /etc/mysql/
54 ls
55 cd mysql.conf.d/
56 ls
57 sudo vi mysqld.cnf
58 mysql -u root -p
59 sudo /etc/init.d/mysql restart
60 mysql -V
61 cd /var/
62 ls
63 sudo mv www www1
64 ls
65 sudols
66 cd /var/
67 ls
68 sodo tar -zxvf www1.tar.gz
69 cd /var/
70 sudo tar -zxvf www1.tar.gz
71 ls
72 rm -rf www1
73 ls
74 cd www/
75 ls
76 cd protected/
77 ls
78 cd config/
79 ls
80 sudo vi dbconfig.php
81 sudo apt-get install libapache2-mod-php5.6
82 sudo reboot now
83 cd /var/www/protected/
84 ls
85 cd config/
86 ls
87 sudo vi dbconfig.php
88 cd /etc/
89 ls
90 cd apache2/
91 ls
92 cd sites-available/
93 ls
94 sudo vi 000-default.conf
95 cd /etc/apache2/
96 ls
97 cd sites-available/
98 ls
99 sudo vi 000-default.conf
100 sudo ln -s /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled/rewrite.load
101 sudo /etc/init.d/apache2 restart
102 ls
103 cd ../sites-enabled/
104 ls
105 cd ../sites-available/
106 ls
107 sudo vi 000-default.conf
108 cd ..
109 ls
110 cd conf-available/
111 ls
112 cd ../mods-available/
113 ls
114 sudo vi rewrite.load
115 cd /usr/lib/
116 ls
117 cd apache2/
118 ls
119 cd modules/
120 ls
121 sudo grep -r "AllowOverride All" /etc/apache2/
122 sudo reboot now
123 sudo a2enmod rewrite
124 sudo /etc/init.d/apache2 restart
125 cd /var/www/
126 ls -a
127 sudo vi .htaccess
128 cd assets/
129 ls
130 cd ..
131 ls
132 ls -a
133 cd /etc/apache2/sites-available/
134 ls
135 sudo vi 000-default.conf
136 sudo /etc/init.d/apache2 restart
137 cd /var/www/
138 ls -al
139 sudo /etc/init.d/apache2 stop
140 sudo /etc/init.d/apache2 start
141 sudo grep -r "Copyright 漏 2014 Xcessbio" /var/www
142 sudo grep -r "CXcessbio Biosciences Inc." /var/www
143 sudo grep -r "Xcessbio Biosciences Inc." /var/www
144 cd /var/
145 sudo sed -i "s/Xcessbio Biosciences Inc/LinkgenLab Biosciences Inc/g" 'grep "Xcessbio Biosciences Inc" -rl www/'
146 sudo sed -i "s/Xcessbio Biosciences Inc/LinkgenLab Biosciences Inc/g" 'grep "Xcessbio Biosciences Inc" -rl /var/www/'
147 sudo sed -i "s/Xcessbio Biosciences Inc/LinkgenLab Biosciences Inc/g" `grep "Xcessbio Biosciences Inc" -rl www/`
148 sudo grep -r "CXcessbio Biosciences Inc." /var/www
149 sudo grep -r "sales@xcessbio.com" /var/www
150 cd www/
151 ls
152 rm -rf xcessbio20190611.sql
153 ls
154 sudo grep -r "sales@xcessbio.com" /var/www
155 cd protected/
156 ls
157 cd ../themes/
158 ls
159 cd default/views/
160 ls
161 cd layouts/
162 ls
163 sed -i 's/@xcessbio.com/@linkgenlab.com/g' main.txt
164 sed -i 's/@xcessbio.com/@linkgenlab.com/g' main.php
165 sudo grep -r "Xcessbio New Products" /var/www
166 sudo grep -r "7144 N Harlem" /var/www
167 sed -i 's/Xcess Bio/Linkgen Lab/g' main.php
168 sudo grep -r "Copyright 漏 2014 Xcessbio - Powered by bioDiscover" /var/www
169 sudo grep -r "Copyright 漏 2014" /var/www
170 cd /var/www/themes/
171 ls
172 cd default/views/layouts/
173 ls
174 sudo vi main.php
175 ls
176 sudo vi main.php
177 閟udo grep -r "XcessBio Backend" /var/www
178 sudgrep -r "XcessBio Backend" /var/www
179 sudo grep -r "XcessBio Backend" /var/www
180 cd var
181 cd /var/
182 ls
183 sudo sed -i "s/XcessBio Backend/LinkgenLab Backend/g" `grep "XcessBio Backend" -rl www/`
184 sudo grep -r "XcessBio Backend" /var/www
185 cd /var/www/
186 ls
187 cd /etc/apache2/
188 ls
189 cd sites-available/
190 ls
191 sudo vi 000-default.conf
192 sudo /etc/init.d/apache2 restart
193 sudo reboot now
194 mysql -u root -p
195 sudo /etc/init.d/mysql restart
196 mysql -u root -p
197 history
linkgenlab@s72-167-224-80:~$
初步估计11.4号-11.5号遭到入侵
# -atime +n selects files whose last access time is MORE than n*24 hours ago (here n=2).
# NOTE(review): on filesystems mounted relatime/noatime (the usual Linux default) access
# times are updated rarely, so atime is weak forensic evidence; to enumerate files changed
# since the suspected 11.4 intrusion, -mtime -N / -ctime -N (changed LESS than N days ago)
# is the usual filter, since +N excludes recently modified files. Confirm the intended window.
find . -atime +2 # -atime n, File was last accessed n*24 hours ago.;
find . -atime +2 # same filter repeated; "+2" = more than 2*24 hours since last access.
最早从11.4号开始出现破解尝试
列出访问次数最多的IP:
218.92.0.139
112.85.42.237
218.92.0.188
112.85.42.227
114.67.64.90
112.250.104.182
140.143.200.251
反击
# Drop traffic from the two most active source addresses. -I inserts at the top of the
# INPUT chain, so these rules take precedence over any existing ACCEPT rules.
iptables -I INPUT -s 114.67.64.90 -j DROP
iptables -I INPUT -s 218.92.0.188 -j DROP
# NOTE(review): only two of the seven addresses listed above are blocked here; the rest
# need their own rules (or an ipset). iptables rules live in kernel memory only and are
# lost on reboot unless persisted (e.g. iptables-save / netfilter-persistent) — verify on
# this host.
218.92.0.139
112.85.42.237
218.92.0.188
112.85.42.227
114.67.64.90
112.250.104.182
140.143.200.251
封禁多个IP
数据库
禁用远程登录
https://www.abuseipdb.com/check/218.92.0.139
应急
-
及时备份做好还原
-
禁用远程登录
-
使用权限级别更低、更安全的用户账户
-
部署入侵检测与告警
报告
本次事件中,攻击者自11.4号起持续通过暴力破解的方式尝试获取Linux主机账户密码,
最终导致数据库被篡改;根本原因是密码过于简单,被暴力破解所致。
此次已完成数据库修复,进行了初步还原。