1
wlsnx 2017-12-22 12:03:55 +08:00
/root/.git ?
Did you run rsync -a with the wrong target directory?
2
defunct9 2017-12-22 12:05:50 +08:00
Open up ssh and I'll log in and have a look.
3
mizufik OP
5
mizufik OP Found a few of these entries about games in /var/log/secure...
But it doesn't look like any of them logged in successfully:
Dec 21 01:07:08 10-19-46-62 sshd[26743]: Invalid user syncro from 36.97.143.13
Dec 21 01:07:08 10-19-46-62 sshd[26744]: input_userauth_request: invalid user syncro
Dec 21 01:07:08 10-19-46-62 sshd[26743]: pam_unix(sshd:auth): check pass; user unknown
Dec 21 01:07:08 10-19-46-62 sshd[26743]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=36.97.143.13
Dec 21 01:07:08 10-19-46-62 sshd[26743]: pam_succeed_if(sshd:auth): error retrieving information about user syncro
Dec 21 01:07:10 10-19-46-62 sshd[26743]: Failed password for invalid user syncro from 36.97.143.13 port 39767 ssh2
Dec 21 01:07:10 10-19-46-62 sshd[26744]: Received disconnect from 36.97.143.13: 11: Bye Bye
Dec 21 01:07:10 10-19-46-62 sshd[26745]: Invalid user sysgames from 36.97.143.13
Dec 21 01:07:10 10-19-46-62 sshd[26746]: input_userauth_request: invalid user sysgames
Dec 21 01:07:10 10-19-46-62 sshd[26745]: pam_unix(sshd:auth): check pass; user unknown
Dec 21 01:07:10 10-19-46-62 sshd[26745]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=36.97.143.13
Dec 21 01:07:10 10-19-46-62 sshd[26745]: pam_succeed_if(sshd:auth): error retrieving information about user sysgames
Dec 21 01:07:12 10-19-46-62 sshd[26745]: Failed password for invalid user sysgames from 36.97.143.13 port 39997 ssh2
Dec 21 01:07:12 10-19-46-62 sshd[26746]: Received disconnect from 36.97.143.13: 11: Bye Bye
Dec 21 01:07:13 10-19-46-62 sshd[26747]: Invalid user sysgames from 36.97.143.13
Dec 21 01:07:13 10-19-46-62 sshd[26748]: input_userauth_request: invalid user sysgames
Dec 21 01:07:13 10-19-46-62 sshd[26747]: pam_unix(sshd:auth): check pass; user unknown
Dec 21 01:07:13 10-19-46-62 sshd[26747]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=36.97.143.13
Dec 21 01:07:13 10-19-46-62 sshd[26747]: pam_succeed_if(sshd:auth): error retrieving information about user sysgames
Dec 21 01:07:14 10-19-46-62 sshd[26747]: Failed password for invalid user sysgames from 36.97.143.13 port 40246 ssh2
Dec 21 01:07:14 10-19-46-62 sshd[26748]: Received disconnect from 36.97.143.13: 11: Bye Bye
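The question the OP is really asking of that log is "did any of these attempts succeed?", and a grep for "Invalid user" alone cannot answer it. The script below is an added example (not code from the thread) that parses sshd lines from /var/log/secure the way a defender would: it counts failed and accepted logins per source address and lists every accepted login, since an "Accepted password/publickey" line is the thing that proves a break-in. The sample input is constructed: five lines are copied from the OP's excerpt, and one "Accepted" line from 198.51.100.7 is made up to show what a successful login would look like (the thread's log contains none).

```python
import re
from collections import defaultdict

# Constructed sample: five lines taken from the thread's /var/log/secure
# excerpt plus one invented "Accepted" line so the success path is exercised.
SAMPLE_LOG = """\
Dec 21 01:07:08 10-19-46-62 sshd[26743]: Invalid user syncro from 36.97.143.13
Dec 21 01:07:10 10-19-46-62 sshd[26743]: Failed password for invalid user syncro from 36.97.143.13 port 39767 ssh2
Dec 21 01:07:10 10-19-46-62 sshd[26745]: Invalid user sysgames from 36.97.143.13
Dec 21 01:07:12 10-19-46-62 sshd[26745]: Failed password for invalid user sysgames from 36.97.143.13 port 39997 ssh2
Dec 21 01:07:14 10-19-46-62 sshd[26747]: Failed password for invalid user sysgames from 36.97.143.13 port 40246 ssh2
Dec 21 02:15:30 10-19-46-62 sshd[26801]: Accepted password for games from 198.51.100.7 port 51022 ssh2
"""

# "Failed password for [invalid user ]<user> from <rhost> port <n>"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
# "Accepted <method> for <user> from <rhost> port <n>" is the success line.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def summarize_sshd(lines):
    """Per source address: failed count, accepted count, user names tried."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user, rhost = m.groups()
            stats[rhost]["failed"] += 1
            stats[rhost]["users"].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, rhost = m.groups()
            stats[rhost]["accepted"] += 1
            stats[rhost]["users"].add(user)
    return dict(stats)


def successful_logins(lines):
    """(user, rhost, method) for every accepted login. An empty list means
    the noise in the log is password guessing that never got in."""
    found = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, rhost = m.groups()
            found.append((user, rhost, method))
    return found


def brute_force_sources(stats, threshold=3):
    """Addresses with at least `threshold` failed logins (threshold is an
    arbitrary choice for the example)."""
    return sorted(h for h, s in stats.items() if s["failed"] >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    stats = summarize_sshd(lines)
    for host, s in stats.items():
        print(f"{host}: failed={s['failed']} accepted={s['accepted']} "
              f"users={sorted(s['users'])}")
    print("successful logins:", successful_logins(lines))
    print("brute-force sources:", brute_force_sources(stats))
```

On a real box, feed it `open("/var/log/secure")` instead of SAMPLE_LOG, and note that on Debian-style systems the same lines live in /var/log/auth.log. Public-key logins show up as "Accepted publickey", which the ACCEPTED_RE pattern also matches.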
6
julyclyde 2017-12-22 13:49:43 +08:00
501 is usually the first ordinary user on the system; games here is the owner group.
From this it looks like, first, the owner of your /root directory has been changed; second, user 501 is displayed as 501 because the username for 501 cannot be found, meaning the passwd file or nsswitch.conf has been corrupted. /root/.git exists, which means /root is a git repo. I suggest going in and running git remote -v to see where it was cloned from. I suspect someone ran sudo git clone XXXrepo root in / and overwrote your root directory.
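The reply above makes two checkable claims: a bare number in the owner column means the uid has no passwd entry (either the uid was never created on this host, or name lookup through passwd/nsswitch is broken), and a .git directory inside /root means the directory is itself a repository. The following is an added example, not code from the thread, that turns those into a small audit: the uid-to-name resolution takes an optional lookup table so the "no passwd entry" case can be exercised without touching the live system, and audit_home runs the real stat and .git check on a path (default /root, as in the thread).

```python
import grp
import os
import pwd


def uid_to_name(uid, lookup=None):
    """Resolve a uid to a login name; None when no passwd entry exists,
    which is exactly why ls prints a bare number such as 501.
    `lookup` is an injectable {uid: name} table for offline testing."""
    if lookup is not None:
        return lookup.get(uid)
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def gid_to_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return None


def classify_owner(uid, expected_uid=0, lookup=None):
    """One-line verdict on a directory's owner uid versus what it should be."""
    name = uid_to_name(uid, lookup)
    if uid == expected_uid:
        return f"owner uid {uid} ({name or '?'}) matches expected"
    if name is None:
        return (f"owner uid {uid} has no passwd entry: the uid was never "
                f"created on this host (e.g. inherited from a clone or rsync) "
                f"or passwd/nsswitch lookups are broken")
    return f"owner uid {uid} is '{name}', expected uid {expected_uid}"


def audit_home(path="/root", expected_uid=0):
    """Findings for a home directory: unexpected owner/group, and a .git
    directory, which would mean the directory is itself a git repository."""
    st = os.stat(path)
    findings = [classify_owner(st.st_uid, expected_uid)]
    findings.append(f"group gid {st.st_gid} ({gid_to_name(st.st_gid) or 'no group entry'})")
    if os.path.isdir(os.path.join(path, ".git")):
        findings.append(f"{path} is a git repository; "
                        f"`git -C {path} remote -v` shows where it was cloned from")
    return findings


if __name__ == "__main__":
    # Offline demonstration of the thread's situation: owner uid 501 with no
    # passwd entry on a host whose table is constructed here.
    print(classify_owner(501, lookup={0: "root"}))
    # Live check of the real /root (needs permission to stat it).
    for finding in audit_home("/root"):
        print(finding)
```

The constructed lookup table stands in for /etc/passwd; on the live system the same call without `lookup` goes through pwd.getpwuid, which is the same NSS path `ls -l` uses, so if that returns None for 501 you are seeing the broken-lookup case the reply describes.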
7
Cooky 2017-12-22 13:56:02 +08:00 via Android
If someone had really broken in, would they let you notice? Then again, maybe.
9
afpro 2017-12-22 15:27:42 +08:00
This isn't the only place I've seen the guy above ask people to just hand him ssh access...
10
heyang 2017-12-22 18:19:05 +08:00
Look at what services you have installed on it and check upstream; there is a kind of person who scans IP ranges specifically looking for holes.
Check your processes, it might be a miner..
11
ic3z 2017-12-22 20:10:38 +08:00 via Android
Post a ps aux process listing, and remember to redact it.
12
zjp 2017-12-22 20:42:43 +08:00 via Android
Even on a server you only play around with, you don't open ssh to someone else to troubleshoot a problem...
13
snnn 2017-12-22 21:55:24 +08:00 via Android
It has been turned into a jump host that someone is using to attack other servers.