I have a server running on AWS with cPanel from cpanel.net. The server runs Apache and the OS is CentOS 7. Today, all 10 of my websites suddenly stopped responding and showed a 521 error. After investigating for a few minutes, I found that there were no folders or files at all under home/user in my file manager, and that all 10 sites, their databases, emails, etc. were gone. Since I have a snapshot on Amazon, I can restore the server from backup, but I am keeping the previous backup for investigation. I can see many connection attempts in the security log, but I don't really understand what is going on or how someone could have connected and deleted everything. I am pasting the log below in case someone can help me.
The Amazon team said it might be a hacker's doing or it might be a mistake by the cPanel support team, but experts would not make such a stupid mistake, and they also confirmed that they did not, so the second option does not seem very likely.
I had an argument with someone claiming to be a hacker, but I don't know whether they actually did it.
Please read this and give me some hints about what is going on. Note: none of these earlier logs exist any more. I also noticed that commands were being executed very frequently, like 3 to 10 commands per second.
This one:
[ec2-user@ip-172-31-13-2 log]$ sudo cat secure
Feb 12 15:19:15 server polkitd[583]: Loading rules from directory /etc/polkit-1/rules.d
Feb 12 15:19:15 server polkitd[583]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb 12 15:19:15 server polkitd[583]: Finished loading, compiling and executing 2 rules
Feb 12 15:19:15 server polkitd[583]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb 12 15:19:20 server sshd[1257]: Server listening on 0.0.0.0 port 22.
Feb 12 15:19:20 server sshd[1257]: Server listening on :: port 22.
Feb 12 15:21:22 server sshd[1998]: Invalid user hduser from 111.229.235.119 port 51986
Feb 12 15:21:22 server sshd[1998]: input_userauth_request: invalid user hduser [preauth]
Feb 12 15:21:22 server sshd[1998]: Received disconnect from 111.229.235.119 port 51986:11: Bye Bye [preauth]
Feb 12 15:21:22 server sshd[1998]: Disconnected from 111.229.235.119 port 51986 [preauth]
Feb 12 15:27:12 server polkitd[580]: Loading rules from directory /etc/polkit-1/rules.d
Feb 12 15:27:12 server polkitd[580]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb 12 15:27:12 server polkitd[580]: Finished loading, compiling and executing 2 rules
Feb 12 15:27:12 server polkitd[580]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb 12 15:27:19 server sshd[1297]: Server listening on 0.0.0.0 port 22.
Feb 12 15:27:19 server sshd[1297]: Server listening on :: port 22.
Feb 12 15:27:29 server sshd[1833]: Did not receive identification string from 87.251.64.186 port 45362
Feb 12 15:27:30 server sshd[1835]: Connection closed by 87.251.64.186 port 50330 [preauth]
Feb 12 15:27:30 server sshd[1834]: Invalid user 0101 from 87.251.64.186 port 50108
Feb 12 15:27:30 server sshd[1834]: input_userauth_request: invalid user 0101 [preauth]
Feb 12 15:27:30 server sshd[1834]: Connection closed by 87.251.64.186 port 50108 [preauth]
Feb 12 15:29:27 server sshd[1987]: Invalid user aaron from 103.37.151.84 port 49382
Feb 12 15:29:27 server sshd[1987]: input_userauth_request: invalid user aaron [preauth]
Feb 12 15:29:27 server sshd[1987]: Received disconnect from 103.37.151.84 port 49382:11: Bye Bye [preauth]
Feb 12 15:29:27 server sshd[1987]: Disconnected from 103.37.151.84 port 49382 [preauth]
Feb 12 15:34:32 server sshd[2234]: Invalid user agustina from 103.45.184.234 port 53762
Feb 12 15:34:32 server sshd[2234]: input_userauth_request: invalid user agustina [preauth]
Feb 12 15:34:33 server sshd[2234]: Received disconnect from 103.45.184.234 port 53762:11: Bye Bye [preauth]
Feb 12 15:34:33 server sshd[2234]: Disconnected from 103.45.184.234 port 53762 [preauth]
Feb 12 15:38:50 server sshd[2578]: Connection closed by 222.119.218.120 port 13597 [preauth]
Feb 12 15:39:31 server sshd[2617]: Accepted publickey for root from 222.119.218.120 port 55062 ssh2: RSA SHA256:cnhuplyGAzI1x1W2DudZZq7CN6qi1oMqTdtdi5VqnRc
Feb 12 15:39:31 server sshd[2617]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 12 15:39:31 server sshd[2617]: pam_lastlog(sshd:session): unable to open /var/log/lastlog: No such file or directory
Feb 12 15:39:33 server sshd[2627]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
Feb 12 15:39:33 server sshd[2627]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
Feb 12 15:41:59 server sshd[2822]: Received disconnect from 123.58.213.220 port 44408:11: Bye Bye [preauth]
Feb 12 15:41:59 server sshd[2822]: Disconnected from 123.58.213.220 port 44408 [preauth]
Feb 12 15:42:49 server sshd[2865]: Did not receive identification string from 81.161.63.103 port 44104
Feb 12 15:42:58 server sshd[2869]: Connection reset by 81.161.63.103 port 43178 [preauth]
Feb 12 15:43:01 server sshd[2867]: Connection reset by 81.161.63.103 port 43168 [preauth]
Feb 12 15:43:01 server sshd[2868]: Connection reset by 81.161.63.103 port 43152 [preauth]
Feb 12 15:43:02 server sshd[2874]: Connection reset by 81.161.63.103 port 43194 [preauth]
Feb 12 15:43:02 server sshd[2877]: Accepted publickey for root from 222.119.218.120 port 16725 ssh2: RSA SHA256:cnhuplyGAzI1x1W2DudZZq7CN6qi1oMqTdtdi5VqnRc
Feb 12 15:43:03 server sshd[2877]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 12 15:43:03 server sshd[2877]: pam_lastlog(sshd:session): unable to open /var/log/lastlog: No such file or directory
Feb 12 15:43:04 server sshd[2924]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
Feb 12 15:43:04 server sshd[2924]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
Feb 12 15:43:32 server sshd[3150]: Invalid user liangyzh from 190.104.149.194 port 55456
Feb 12 15:43:32 server sshd[3150]: input_userauth_request: invalid user liangyzh [preauth]
Feb 12 15:43:32 server sshd[3150]: Received disconnect from 190.104.149.194 port 55456:11: Bye Bye [preauth]
Feb 12 15:43:32 server sshd[3150]: Disconnected from 190.104.149.194 port 55456 [preauth]
Feb 12 15:46:00 server polkitd[583]: Loading rules from directory /etc/polkit-1/rules.d
Feb 12 15:46:00 server polkitd[583]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb 12 15:46:00 server polkitd[583]: Finished loading, compiling and executing 2 rules
Feb 12 15:46:00 server polkitd[583]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb 12 15:46:10 server sshd[1313]: Server listening on 0.0.0.0 port 22.
Feb 12 15:46:10 server sshd[1313]: Server listening on :: port 22.
Feb 12 15:46:31 server sshd[1840]: Accepted publickey for root from 222.119.218.120 port 26665 ssh2: RSA SHA256:cnhuplyGAzI1x1W2DudZZq7CN6qi1oMqTdtdi5VqnRc
Feb 12 15:46:32 server sshd[1840]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 12 15:46:32 server sshd[1840]: pam_lastlog(sshd:session): unable to open /var/log/lastlog: No such file or directory
Feb 12 15:46:33 server sshd[1858]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
Feb 12 15:46:33 server sshd[1858]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
Feb 12 15:49:59 server sshd[2022]: Connection closed by 90.199.242.27 port 62452 [preauth]
Feb 12 15:50:11 server sshd[2043]: Connection closed by 90.199.242.27 port 62453 [preauth]
Feb 12 15:50:31 server sshd[1840]: Received disconnect from 222.119.218.120 port 26665:11: disconnected by user
Feb 12 15:50:31 server sshd[1840]: Disconnected from 222.119.218.120 port 26665
Feb 12 15:50:31 server sshd[1840]: pam_unix(sshd:session): session closed for user root
Feb 12 15:50:45 server sshd[2096]: Accepted publickey for root from 222.119.218.120 port 37066 ssh2: RSA SHA256:cnhuplyGAzI1x1W2DudZZq7CN6qi1oMqTdtdi5VqnRc
Feb 12 15:50:45 server sshd[2096]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 12 15:50:45 server sshd[2096]: pam_lastlog(sshd:session): unable to open /var/log/lastlog: No such file or directory
Feb 12 15:50:46 server sshd[2102]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
Feb 12 15:50:46 server sshd[2102]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
Feb 12 15:52:21 server polkitd[583]: Registered Authentication Agent for unix-process:2421:38780 (system bus name :1.24 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
Feb 12 15:52:21 server polkitd[583]: Unregistered Authentication Agent for unix-process:2421:38780 (system bus name :1.24, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8) (disconnected from bus)
Feb 12 15:56:53 server sshd[2540]: Received disconnect from 85.62.169.71 port 61169:11: Client disconnecting normally [preauth]
Feb 12 15:56:53 server sshd[2540]: Disconnected from 85.62.169.71 port 61169 [preauth]
Feb 12 15:57:32 server sshd[2096]: Received disconnect from 222.119.218.120 port 37066:11: disconnected by user
Feb 12 15:57:32 server sshd[2096]: Disconnected from 222.119.218.120 port 37066
Feb 12 15:57:32 server sshd[2096]: pam_unix(sshd:session): session closed for user root
Feb 12 15:57:50 server sshd[2767]: Connection closed by 222.119.218.120 port 54211 [preauth]
Feb 12 15:58:09 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/test -e /etc/passwd
Feb 12 15:58:09 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Feb 12 15:58:09 server sudo: pam_unix(sudo:session): session closed for user root
Feb 12 15:58:09 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/cat /etc/passwd
Feb 12 15:58:09 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Feb 12 15:58:09 server sudo: pam_unix(sudo:session): session closed for user root
Feb 12 15:58:09 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/cat /root/.wp-toolkit-identifier
Feb 12 15:58:09 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Feb 12 15:58:09 server sudo: pam_unix(sudo:session): session closed for user root
Feb 12 15:58:10 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/sh -c whmapi1 get_domain_info --output=json
Feb 12 15:58:10 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Feb 12 15:58:10 server sudo: pam_unix(sudo:session): session closed for user root
Feb 12 15:58:10 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/sh -c whmapi1 listaccts --output=json
Feb 12 15:58:10 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Feb 12 15:58:11 server sudo: pam_unix(sudo:session): session closed for user root
Feb 12 15:58:11 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/sh -c whmapi1 get_users_features_settings user-1=staffdir feature-1=filemanager feature-2=backup feature-3=cron feature-4=phpmyadmin feature-5=mysql feature-6=multiphp feature-7=subdomains feature-8=webprotect feature-9=wp-toolkit feature-10=wp-toolkit-deluxe --output=json
Feb 12 15:58:11 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Feb 12 15:58:11 server sudo: pam_unix(sudo:session): session closed for user root
Feb 12 15:59:08 server sshd[2822]: Accepted publickey for root from 222.119.218.120 port 23199 ssh2: RSA SHA256:cnhuplyGAzI1x1W2DudZZq7CN6qi1oMqTdtdi5VqnRc
Feb 12 15:59:08 server sshd[2822]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 12 15:59:08 server sshd[2822]: pam_lastlog(sshd:session): unable to open /var/log/lastlog: No such file or directory
Feb 12 15:59:10 server sshd[2828]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
Feb 12 15:59:10 server sshd[2828]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
Feb 12 15:59:50 server sshd[2876]: Accepted publickey for root from 184.94.197.2 port 63442 ssh2: RSA SHA256:ktvoarqhiUkvbQXOEOshtQttY4RN52fOmbxzT1c9U3E
Feb 12 15:59:50 server sshd[2876]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 12 15:59:50 server sshd[2876]: pam_lastlog(sshd:session): unable to open /var/log/lastlog: No such file or directory
Feb 12 15:59:50 server sshd[2881]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
Feb 12 15:59:50 server sshd[2881]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
Feb 12 15:59:56 server useradd[2936]: new group: name=cptktywhllsifolm, GID=1006
Feb 12 15:59:56 server useradd[2936]: new user: name=cptktywhllsifolm, UID=1004, GID=1006, home=/home/cptktywhllsifolm, shell=/bin/bash
Feb 12 16:00:39 server sshd[3256]: Invalid user support from 178.128.152.209 port 45928
Feb 12 16:00:39 server sshd[3256]: input_userauth_request: invalid user support [preauth]
Feb 12 16:00:39 server sshd[3256]: Received disconnect from 178.128.152.209 port 45928:11: Bye Bye [preauth]
Feb 12 16:00:39 server sshd[3256]: Disconnected from 178.128.152.209 port 45928 [preauth]
Feb 12 16:00:40 server sshd[3258]: Received disconnect from 178.128.152.209 port 45988:11: Bye Bye [preauth]
Feb 12 16:00:40 server sshd[3258]: Disconnected from 178.128.152.209 port 45988 [preauth]
Feb 12 16:00:40 server sshd[3261]: Received disconnect from 178.128.152.209 port 46018:11: Bye Bye [preauth]
Feb 12 16:00:40 server sshd[3261]: Disconnected from 178.128.152.209 port 46018 [preauth]
Feb 12 16:00:41 server sshd[3263]: Invalid user usuario from 178.128.152.209 port 46058
Feb 12 16:00:41 server sshd[3263]: input_userauth_request: invalid user usuario [preauth]
Feb 12 16:00:41 server sshd[3263]: Received disconnect from 178.128.152.209 port 46058:11: Bye Bye [preauth]
Feb 12 16:00:41 server sshd[3263]: Disconnected from 178.128.152.209 port 46058 [preauth]
Feb 12 16:00:42 server sshd[3266]: Invalid user ubnt from 178.128.152.209 port 46090
Feb 12 16:00:42 server sshd[3266]: input_userauth_request: invalid user ubnt [preauth]
Feb 12 16:00:42 server sshd[3266]: Received disconnect from 178.128.152.209 port 46090:11: Bye Bye [preauth]
Feb 12 16:00:42 server sshd[3266]: Disconnected from 178.128.152.209 port 46090 [preauth]
Feb 12 16:00:42 server sshd[3269]: Invalid user debian from 178.128.152.209 port 46104
Feb 12 16:00:42 server sshd[3269]: input_userauth_request: invalid user debian [preauth]
Feb 12 16:00:42 server sshd[3269]: Received disconnect from 178.128.152.209 port 46104:11: Bye Bye [preauth]
Feb 12 16:00:42 server sshd[3269]: Disconnected from 178.128.152.209 port 46104 [preauth]
Feb 12 16:00:43 server sshd[3271]: Invalid user test from 178.128.152.209 port 46132
Feb 12 16:00:43 server sshd[3271]: input_userauth_request: invalid user test [preauth]
Feb 12 16:00:43 server sshd[3271]: Received disconnect from 178.128.152.209 port 46132:11: Bye Bye [preauth]
Feb 12 16:00:43 server sshd[3271]: Disconnected from 178.128.152.209 port 46132 [preauth]
Feb 12 16:00:44 server sshd[3274]: Invalid user usuario from 178.128.152.209 port 46156
Feb 12 16:00:44 server sshd[3274]: input_userauth_request: invalid user usuario [preauth]
Feb 12 16:00:44 server sshd[3274]: Received disconnect from 178.128.152.209 port 46156:11: Bye Bye [preauth]
Feb 12 16:00:44 server sshd[3274]: Disconnected from 178.128.152.209 port 46156 [preauth]
Feb 12 16:00:45 server sshd[3278]: Received disconnect from 178.128.152.209 port 46170:11: Bye Bye [preauth]
Feb 12 16:00:45 server sshd[3278]: Disconnected from 178.128.152.209 port 46170 [preauth]
Feb 12 16:00:45 server sshd[3281]: Invalid user user from 178.128.152.209 port 46200
Feb 12 16:00:45 server sshd[3281]: input_userauth_request: invalid user user [preauth]
Feb 12 16:00:45 server sshd[3281]: Received disconnect from 178.128.152.209 port 46200:11: Bye Bye [preauth]
Feb 12 16:00:45 server sshd[3281]: Disconnected from 178.128.152.209 port 46200 [preauth]
Feb 12 16:02:10 server polkitd[583]: Registered Authentication Agent for unix-process:3665:97728 (system bus name :1.48 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
Feb 12 16:02:10 server polkitd[583]: Unregistered Authentication Agent for unix-process:3665:97728 (system bus name :1.48, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8) (disconnected from bus)
Feb 12 16:02:17 server polkitd[583]: Registered Authentication Agent for unix-process:3711:98441 (system bus name :1.49 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
Feb 12 16:02:17 server polkitd[583]: Unregistered Authentication Agent for unix-process:3711:98441 (system bus name :1.49, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8) (disconnected from bus)
Feb 12 16:02:26 server polkitd[583]: Registered Authentication Agent for unix-process:3725:99300 (system bus name :1.50 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
Feb 12 16:02:51 server polkitd[556]: Loading rules from directory /etc/polkit-1/rules.d
Feb 12 16:02:51 server polkitd[556]: Loading rules from directory /usr/share/polkit-1/rules.d
Feb 12 16:02:51 server polkitd[556]: Finished loading, compiling and executing 2 rules
Feb 12 16:02:51 server polkitd[556]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Feb 12 16:02:56 server sshd[1208]: Server listening on 0.0.0.0 port 22.
Feb 12 16:02:56 server sshd[1208]: Server listening on :: port 22.
Feb 12 16:04:58 server sshd[1703]: Connection closed by 184.94.197.2 port 52823 [preauth]
Feb 12 16:09:29 server sshd[1749]: Connection closed by 184.94.197.2 port 33422 [preauth]
Feb 12 16:14:43 server sshd[1812]: Invalid user ubuntu from 51.254.63.223 port 33866
Feb 12 16:14:43 server sshd[1812]: input_userauth_request: invalid user ubuntu [preauth]
Feb 12 16:14:43 server sshd[1812]: Received disconnect from 51.254.63.223 port 33866:11: Bye Bye [preauth]
Feb 12 16:14:43 server sshd[1812]: Disconnected from 51.254.63.223 port 33866 [preauth]
Please help.
Best answer 1
Will the security log help you figure out what happened?? No.
Also, this may be a question for security.stackexchange.com.
See this discussion: https://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromished-server
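A small triage script for the kind of /var/log/secure excerpt pasted above, added here as an example (it is not from the post or its answer): it separates the background brute-force noise ("Invalid user" lines) from the events that actually matter, namely successful root logins with a key fingerprint the operator does not recognise, and account creations. The set of known fingerprints is an assumption; the post does not say which key belongs to the owner.

```python
import re
from collections import Counter

# Constructed sample in the format of the /var/log/secure excerpt in the post
# (values taken from that excerpt; this is not the full log).
SAMPLE_LOG = """\
Feb 12 15:21:22 server sshd[1998]: Invalid user hduser from 111.229.235.119 port 51986
Feb 12 15:39:31 server sshd[2617]: Accepted publickey for root from 222.119.218.120 port 55062 ssh2: RSA SHA256:cnhuplyGAzI1x1W2DudZZq7CN6qi1oMqTdtdi5VqnRc
Feb 12 15:59:08 server sshd[2822]: Accepted publickey for root from 222.119.218.120 port 23199 ssh2: RSA SHA256:cnhuplyGAzI1x1W2DudZZq7CN6qi1oMqTdtdi5VqnRc
Feb 12 15:59:50 server sshd[2876]: Accepted publickey for root from 184.94.197.2 port 63442 ssh2: RSA SHA256:ktvoarqhiUkvbQXOEOshtQttY4RN52fOmbxzT1c9U3E
Feb 12 15:59:56 server useradd[2936]: new user: name=cptktywhllsifolm, UID=1004, GID=1006, home=/home/cptktywhllsifolm, shell=/bin/bash
Feb 12 16:00:39 server sshd[3256]: Invalid user support from 178.128.152.209 port 45928
Feb 12 16:00:41 server sshd[3263]: Invalid user usuario from 178.128.152.209 port 46058
"""

TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "  # syslog timestamp + hostname
ACCEPTED = re.compile(TS + r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+ ssh2: \S+ (\S+)$")
INVALID = re.compile(TS + r"sshd\[\d+\]: Invalid user \S+ from (\S+) port")
USERADD = re.compile(TS + r"useradd\[\d+\]: new user: name=([^,]+),")


def triage(log_text, known_keys):
    """Split an sshd/useradd log into signal and noise.

    known_keys: set of 'SHA256:...' fingerprints the operator recognises as
    their own (assumed; the post does not identify the owner's key).
    Returns 'alerts' (root logins with an unrecognised key, account creations),
    'logins' (every successful login) and 'bruteforce' (Invalid-user count per IP).
    """
    alerts, logins, brute = [], [], Counter()
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            ts, method, user, ip, fp = m.groups()
            logins.append((ts, user, ip, fp))
            if user == "root" and fp not in known_keys:
                alerts.append((ts, f"root login via {method} from {ip} with unrecognised key {fp}"))
            continue
        m = USERADD.match(line)
        if m:
            ts, name = m.groups()
            alerts.append((ts, f"account created: {name}"))
            continue
        m = INVALID.match(line)
        if m:
            brute[m.group(2)] += 1  # failed guesses: background noise, not the intrusion
    return {"alerts": alerts, "logins": logins, "bruteforce": brute}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, {"SHA256:cnhuplyGAzI1x1W2DudZZq7CN6qi1oMqTdtdi5VqnRc"})
    for ts, msg in report["alerts"]:
        print(ts, msg)
    print("brute-force noise per IP:", dict(report["bruteforce"]))
```

Against the real file, pass the full contents of /var/log/secure and the fingerprints from your own authorized_keys; every root login whose key is not in that set, and every useradd, is a line to investigate.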