My server is being attacked, what should I do? Help, quick!

Posted 2004-12-2 10:05:38
These past few days I have found files in the ftp space being deleted at odd times. Looking at the log files I found that someone is attacking my server. What should I do? Help! Below are excerpts from three log files:
xferlog (the log records left when he deleted the files):
Tue Nov 30 20:43:13 2004 0 n219077188049.netvigator.com 0 /var/nethd/1.jpg a _ d r exchange ftp 1 * c
Tue Nov 30 20:43:13 2004 0 n219077188049.netvigator.com 0 /var/nethd/2.jpg a _ d r exchange ftp 1 * c
Tue Nov 30 20:43:13 2004 0 n219077188049.netvigator.com 0 /var/nethd/3.jpg a _ d r exchange ftp 1 * c
Tue Nov 30 20:43:13 2004 0 n219077188049.netvigator.com 0 /var/nethd/4.jpg a _ d r exchange ftp 1 * c
Tue Nov 30 20:43:13 2004 0 n219077188049.netvigator.com 0 /var/nethd/5_拷贝.jpg a _ d r exchange ftp 1 * c
Tue Nov 30 20:43:14 2004 0 n219077188049.netvigator.com 0 /var/nethd/6_.jpg a _ d r exchange ftp 1 * c
Tue Nov 30 20:43:14 2004 0 n219077188049.netvigator.com 0 /var/nethd/7_.jpg a _ d r exchange ftp 1 * c
Tue Nov 30 20:43:14 2004 0 n219077188049.netvigator.com 0 /var/nethd/8_.jpg a _ d r exchange ftp 1 * c

messages:
Nov 30 03:27:13 server proftpd[2091]: server (blk-224-208-224.eastlink.ca[24.224.208.224]) - FTP session opened.
Nov 30 03:27:15 server proftpd[2091]: server (blk-224-208-224.eastlink.ca[24.224.208.224]) - PAM(exchange): Authentication failure.
Nov 30 03:27:17 dulcet proftpd[2091]: server (blk-224-208-224.eastlink.ca[24.224.208.224]) - wtmp /var/log/wtmp: No such file or directory
Nov 30 03:29:10 server proftpd[2091]: server (blk-224-208-224.eastlink.ca[24.224.208.224]) - wtmp /var/log/wtmp: No such file or directory
Nov 30 03:29:11 server proftpd[2091]: server (blk-224-208-224.eastlink.ca[24.224.208.224]) - FTP session closed.
Nov 30 04:02:03 server syslogd 1.4.1: restart.
Nov 30 20:43:04 server proftpd[11787]: server (n219077188049.netvigator.com[219.77.188.49]) - FTP session opened.
Nov 30 20:43:05 server proftpd[11787]: server (n219077188049.netvigator.com[219.77.188.49]) - PAM(exchange): Authentication failure.
Nov 30 20:43:05 server proftpd[11787]: server (n219077188049.netvigator.com[219.77.188.49]) - wtmp /var/log/wtmp: No such file or directory
Nov 30 20:43:39 server proftpd[11787]: server (n219077188049.netvigator.com[219.77.188.49]) - wtmp /var/log/wtmp: No such file or directory
Nov 30 20:43:39 server proftpd[11787]: server (n219077188049.netvigator.com[219.77.188.49]) - FTP session closed.
Dec  1 06:08:04 dulcet sshd(pam_unix)[25479]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61-220-103-26.hinet-ip.hinet.net  user=nobody
Dec  1 06:08:10 dulcet sshd(pam_unix)[25482]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61-220-103-26.hinet-ip.hinet.net  user=root
Dec  1 06:08:14 dulcet sshd(pam_unix)[25484]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61-220-103-26.hinet-ip.hinet.net  user=root
Dec  1 06:08:18 dulcet sshd(pam_unix)[25485]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61-220-103-26.hinet-ip.hinet.net  user=root
Dec  1 06:08:21 dulcet sshd(pam_unix)[25486]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61-220-103-26.hinet-ip.hinet.net  user=root
Dec  1 06:08:25 dulcet sshd(pam_unix)[25488]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61-220-103-26.hinet-ip.hinet.net  user=root

secure:
Nov 30 20:43:05 dulcet proftpd[11787]: server (n219077188049.netvigator.com[219.77.188.49]) - USER exchange: Login successful.
Nov 30 22:32:58 dulcet proftpd[17032]: server (n219077188049.netvigator.com[219.77.188.49]) - USER exchange: Login successful.
Dec  1 00:01:55 dulcet proftpd[20353]: server (n219077188049.netvigator.com[219.77.188.49]) - USER exchange: Login successful.
Dec  1 05:58:42 dulcet sshd[25356]: Did not receive identification string from 61.220.103.26.
Dec  1 06:08:07 dulcet sshd[25479]: Failed password for nobody from 61.220.103.26 port 58251 ssh2
Dec  1 06:08:07 dulcet sshd[25479]: Received disconnect from 61.220.103.26: 11: Bye Bye
Dec  1 06:08:08 dulcet sshd[25480]: input_userauth_request: illegal user patrick
Dec  1 06:08:08 dulcet sshd[25480]: Failed password for illegal user patrick from 61.220.103.26 port 58619 ssh2
Dec  1 06:08:08 dulcet sshd[25480]: Received disconnect from 61.220.103.26: 11: Bye Bye
Dec  1 06:08:09 dulcet sshd[25481]: input_userauth_request: illegal user patrick
Dec  1 06:08:09 dulcet sshd[25481]: Failed password for illegal user patrick from 61.220.103.26 port 58793 ssh2
Dec  1 06:08:09 dulcet sshd[25481]: Received disconnect from 61.220.103.26: 11: Bye Bye
Dec  1 06:08:12 dulcet sshd[25482]: Failed password for ROOT from 61.220.103.26 port 58861 ssh2
Dec  1 06:08:13 dulcet sshd[25482]: Received disconnect from 61.220.103.26: 11: Bye Bye
Dec  1 06:08:16 dulcet sshd[25484]: Failed password for ROOT from 61.220.103.26 port 59291 ssh2



From these signs my server is being attacked. Is there any way to block him or track him down? Otherwise he will destroy it one day. 2555555555555555555555555555555555555555
Posted 2004-12-3 09:30:26
Calling an expert for you.

I don't really know, but
first block that whole C-class range, 61.220.103.*
Check the user permissions: set every account except root to nologin, change the root password and see.
Posted 2004-12-4 01:09:12
If you have confirmed it was hacked, just reinstall.

If you want to block, then as said above, block that subnet.
Posted 2004-12-4 01:11:46
Both your proftpd and ssh are being targeted.
If the server cannot be stopped, first block all incoming connections...
Original poster | Posted 2004-12-4 09:16:26

I blocked the subnet, but he switched to other subnets to try logging in

I blocked those few subnets, but he switched to yet other subnets to try logging in. I can't block every subnet, can I? The IPs our company's people log in from aren't fixed either. Is there no way to stop him from logging in?

This is the last part of today's secure log file. 218.88.X.X is a normal IP; I have never seen the others.
Dec  4 05:06:23 server sshd[25736]: input_userauth_request: illegal user guest
Dec  4 05:06:23 server sshd[25736]: Failed password for illegal user guest from 210.172.213.118 port 38157 ssh2
Dec  4 05:06:24 server sshd[25736]: Received disconnect from 210.172.213.118: 11: Bye Bye
Dec  4 05:06:24 server sshd[25737]: input_userauth_request: illegal user admin
Dec  4 05:06:25 server sshd[25737]: Failed password for illegal user admin from 210.172.213.118 port 38224 ssh2
Dec  4 05:06:25 server sshd[25737]: Received disconnect from 210.172.213.118: 11: Bye Bye
Dec  4 05:06:26 server sshd[25739]: input_userauth_request: illegal user admin
Dec  4 05:06:26 server sshd[25739]: Failed password for illegal user admin from 210.172.213.118 port 38295 ssh2
Dec  4 05:06:26 server sshd[25739]: Received disconnect from 210.172.213.118: 11: Bye Bye
Dec  4 05:06:28 server sshd[25740]: input_userauth_request: illegal user user
Dec  4 05:06:28 server sshd[25740]: Failed password for illegal user user from 210.172.213.118 port 38347 ssh2
Dec  4 05:06:28 server sshd[25740]: Received disconnect from 210.172.213.118: 11: Bye Bye
Dec  4 05:06:32 server sshd[25742]: Failed password for ROOT from 210.172.213.118 port 38405 ssh2
Dec  4 05:06:32 server sshd[25742]: Received disconnect from 210.172.213.118: 11: Bye Bye
Dec  4 05:06:36 server sshd[25743]: Failed password for ROOT from 210.172.213.118 port 38584 ssh2
Dec  4 05:06:36 server sshd[25743]: Received disconnect from 210.172.213.118: 11: Bye Bye
Dec  4 05:06:47 server sshd[25747]: Failed password for ROOT from 210.172.213.118 port 38978 ssh2
Dec  4 05:06:47 server sshd[25747]: Connection closed by 210.172.213.118
Dec  4 07:37:26 server proftpd[28584]: server (218.19.68.77[218.19.68.77]) - USER exchange (Login failed): Incorrect password.
Dec  4 07:46:16 server proftpd[28803]: server (219.137.40.112[219.137.40.112]) - USER exchange (Login failed): Incorrect password.
Dec  4 07:47:34 server proftpd[28803]: server (219.137.40.112[219.137.40.112]) - USER exchange (Login failed): Incorrect password.
Dec  4 07:47:44 server proftpd[28803]: server (219.137.40.112[219.137.40.112]) - USER exchange (Login failed): Incorrect password.
Dec  4 07:47:44 server proftpd[28803]: server (219.137.40.112[219.137.40.112]) - Maximum login attempts (3) exceeded
Dec  4 07:49:29 server proftpd[28867]: server (219.137.40.112[219.137.40.112]) - USER exchange (Login failed): Incorrect password.
Posted 2004-12-8 01:27:42
Dec 1 05:58:42 dulcet sshd[25356]: Did not receive identification string from 61.220.103.26.
Dec 1 06:08:07 dulcet sshd[25479]: Failed password for nobody from 61.220.103.26 port 58251 ssh2
Dec 1 06:08:07 dulcet sshd[25479]: Received disconnect from 61.220.103.26: 11: Bye Bye
Dec 1 06:08:08 dulcet sshd[25480]: input_userauth_request: illegal user patrick
Dec 1 06:08:08 dulcet sshd[25480]: Failed password for illegal user patrick from 61.220.103.26 port 58619 ssh2
Dec 1 06:08:08 dulcet sshd[25480]: Received disconnect from 61.220.103.26: 11: Bye Bye
Dec 1 06:08:09 dulcet sshd[25481]: input_userauth_request: illegal user patrick
Dec 1 06:08:09 dulcet sshd[25481]: Failed password for illegal user patrick from 61.220.103.26 port 58793 ssh2
Dec 1 06:08:09 dulcet sshd[25481]: Received disconnect from 61.220.103.26: 11: Bye Bye
Dec 1 06:08:12 dulcet sshd[25482]: Failed password for ROOT from 61.220.103.26 port 58861 ssh2
Dec 1 06:08:13 dulcet sshd[25482]: Received disconnect from 61.220.103.26: 11: Bye Bye
Dec 1 06:08:16 dulcet sshd[25484]: Failed password for ROOT from 61.220.103.26 port 59291 ssh2



From this ssh section, the other side is probably doing it by hand; set a new, complex root password!
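An added example, not part of this thread: a small Python script that groups the failed sshd and proftpd logins in logs of the format posted above by source IP, measures how quickly the attempts arrive (the timing the last reply judges "by hand" from) and lists the addresses worth blocking while sparing the company's own 218.88.x.x range. The sample lines are constructed from the thread's log format; the 218.88.1.2 line, the thresholds and the year 2004 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the thread's /var/log/secure lines (the hosts and
# IPs it posted, plus one constructed line from the company's 218.88.x.x range).
SAMPLE_SECURE = """\
Dec  1 06:08:08 dulcet sshd[25480]: Failed password for illegal user patrick from 61.220.103.26 port 58619 ssh2
Dec  1 06:08:09 dulcet sshd[25481]: Failed password for illegal user patrick from 61.220.103.26 port 58793 ssh2
Dec  1 06:08:12 dulcet sshd[25482]: Failed password for ROOT from 61.220.103.26 port 58861 ssh2
Dec  1 06:08:16 dulcet sshd[25484]: Failed password for ROOT from 61.220.103.26 port 59291 ssh2
Dec  4 07:46:16 server proftpd[28803]: server (219.137.40.112[219.137.40.112]) - USER exchange (Login failed): Incorrect password.
Dec  4 07:47:34 server proftpd[28803]: server (219.137.40.112[219.137.40.112]) - USER exchange (Login failed): Incorrect password.
Dec  4 09:15:02 server sshd[30001]: Failed password for exchange from 218.88.1.2 port 40000 ssh2
"""
TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d)"
SSHD_FAIL = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for "
                       r"(?P<illegal>illegal user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
PROFTPD_FAIL = re.compile(TS + r" \S+ proftpd\[\d+\]: \S+ \(\S+\[(?P<ip>[\d.]+)\]\) - "
                          r"USER (?P<user>\S+) \(Login failed\)")

def failed_logins(log_text, year=2004):
    """{ip: [(time, service, user, unknown_user)]}; syslog omits the year, so pass it."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        for service, rx in (("sshd", SSHD_FAIL), ("proftpd", PROFTPD_FAIL)):
            m = rx.match(line)
            if m:
                when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                events[m["ip"]].append((when, service, m["user"],
                                        bool(m.groupdict().get("illegal"))))
    return dict(events)

def summarize(events, threshold=3, window_s=60):
    """Per IP: attempts, users tried, shortest gap, burst (threshold failures within window_s) and unknown users."""
    report = {}
    for ip, evs in events.items():
        times = sorted(e[0] for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        burst = any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
                    for i in range(len(times) - threshold + 1))
        report[ip] = {"attempts": len(evs), "users": sorted({e[2] for e in evs}),
                      "min_gap_s": min(gaps) if gaps else None, "burst": burst,
                      "unknown_users": any(e[3] for e in evs)}
    return report

def block_candidates(report, allow_prefixes=("218.88.",)):
    """IPs to block: bursts or probing for nonexistent users, never the company's own range."""
    return sorted(ip for ip, r in report.items()
                  if (r["burst"] or r["unknown_users"]) and not ip.startswith(allow_prefixes))
```

Feed it the real /var/log/secure instead of SAMPLE_SECURE and the resulting list is the set of hosts to add to the firewall, without touching the range the company logs in from.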