phoenix13023 Posted March 21, 2021

I hadn't paid attention to this before, until yesterday I noticed that one CPU core was constantly at 100% load. When I checked today, I found the log is full of unknown remote connections:

Mar 21 17:21:37 Unraid sshd[15397]: Invalid user test from 165.22.193.58 port 56336
Mar 21 17:21:37 Unraid sshd[15397]: pam_unix(sshd:auth): check pass; user unknown
Mar 21 17:21:37 Unraid sshd[15397]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=165.22.193.58
Mar 21 17:21:39 Unraid sshd[15397]: Failed password for invalid user test from 165.22.193.58 port 56336 ssh2
Mar 21 17:21:40 Unraid sshd[15397]: Received disconnect from 165.22.193.58 port 56336:11: Normal Shutdown, Thank you for playing [preauth]
Mar 21 17:21:40 Unraid sshd[15397]: Disconnected from invalid user test 165.22.193.58 port 56336 [preauth]
Mar 21 17:21:41 Unraid sshd[15912]: Connection from 211.65.196.53 port 55398 on 192.168.1.34 port 22 rdomain ""
Mar 21 17:21:41 Unraid sshd[15912]: Unable to negotiate with 211.65.196.53 port 55398: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 21 17:21:56 Unraid smbd[15377]: [2021/03/21 17:21:56.255069, 0] ../../source3/smbd/process.c:341(read_packet_remainder)
Mar 21 17:21:56 Unraid smbd[15377]: read_fd_with_timeout failed for client 0.0.0.0 read error = NT_STATUS_CONNECTION_RESET.
Mar 21 17:22:21 Unraid smbd[16547]: [2021/03/21 17:22:21.293745, 0] ../../source3/smbd/process.c:341(read_packet_remainder)
Mar 21 17:22:21 Unraid smbd[16547]: read_fd_with_timeout failed for client 0.0.0.0 read error = NT_STATUS_CONNECTION_RESET.
Mar 21 17:22:25 Unraid sshd[16846]: Connection from 165.22.193.58 port 56322 on 192.168.1.34 port 22 rdomain ""
Mar 21 17:22:31 Unraid sshd[16846]: Invalid user admin from 165.22.193.58 port 56322
Mar 21 17:22:31 Unraid sshd[16846]: pam_unix(sshd:auth): check pass; user unknown
Mar 21 17:22:31 Unraid sshd[16846]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=165.22.193.58
Mar 21 17:22:33 Unraid sshd[16846]: Failed password for invalid user admin from 165.22.193.58 port 56322 ssh2
Mar 21 17:22:35 Unraid sshd[16846]: Received disconnect from 165.22.193.58 port 56322:11: Normal Shutdown, Thank you for playing [preauth]
Mar 21 17:22:35 Unraid sshd[16846]: Disconnected from invalid user admin 165.22.193.58 port 56322 [preauth]
Mar 21 17:22:46 Unraid sshd[17062]: Connection from 211.65.196.53 port 60577 on 192.168.1.34 port 22 rdomain ""
Mar 21 17:22:46 Unraid sshd[17062]: Unable to negotiate with 211.65.196.53 port 60577: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 21 17:23:03 Unraid sshd[17219]: Connection from 165.22.193.58 port 51664 on 192.168.1.34 port 22 rdomain ""
Mar 21 17:23:07 Unraid sshd[17219]: Invalid user admin from 165.22.193.58 port 51664
Mar 21 17:23:07 Unraid sshd[17219]: pam_unix(sshd:auth): check pass; user unknown
Mar 21 17:23:07 Unraid sshd[17219]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=165.22.193.58
Mar 21 17:23:09 Unraid sshd[17219]: Failed password for invalid user admin from 165.22.193.58 port 51664 ssh2
Mar 21 17:23:10 Unraid sshd[17219]: Received disconnect from 165.22.193.58 port 51664:11: Normal Shutdown, Thank you for playing [preauth]
Mar 21 17:23:10 Unraid sshd[17219]: Disconnected from invalid user admin 165.22.193.58 port 51664 [preauth]
Mar 21 17:23:15 Unraid emhttpd: shcmd (14385): /usr/local/emhttp/webGui/scripts/update_access
Mar 21 17:23:15 Unraid sshd[28640]: Received signal 15; terminating.
Mar 21 17:23:16 Unraid emhttpd: shcmd (14386): /etc/rc.d/rc.nginx reload
Mar 21 17:23:16 Unraid root: Checking configuration for correct syntax and
Mar 21 17:23:16 Unraid root: then trying to open files referenced in configuration...
Mar 21 17:23:16 Unraid root: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Mar 21 17:23:16 Unraid root: nginx: configuration file /etc/nginx/nginx.conf test is successful
Mar 21 17:23:16 Unraid root: Reloading Nginx configuration...
Mar 21 17:23:19 Unraid emhttpd: shcmd (14387): /usr/bin/php -f /usr/local/emhttp/webGui/include/UpdateDNS.php
Mar 21 17:23:19 Unraid emhttpd: shcmd (14387): exit status: 1

I have only just disabled the SSH and telnet services. I now have the following questions:

1. What further security measures should I take next?
2. How can I check whether anything has been installed on the NAS, or whether anything was read?
3. How can I find out what method the other party used to find me?
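The log excerpt above shows two distinct patterns a defender wants to separate: one source repeatedly failing password authentication for accounts that do not exist (`test`, `admin`), and a second source whose SSH client offers only SHA-1 Diffie-Hellman key exchange methods that the server rejects before authentication. The following added example (not code from the thread or from Unraid) is a small triage script that parses sshd lines of exactly this shape, counts failed passwords and key-exchange failures per source address, and lists the sources worth blocking. The sample log embedded in it is constructed from lines in the post above; the threshold value is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines taken from the syslog excerpt in the post,
# with one smbd line included to show that unrelated lines are ignored.
SAMPLE_LOG = """\
Mar 21 17:21:37 Unraid sshd[15397]: Invalid user test from 165.22.193.58 port 56336
Mar 21 17:21:39 Unraid sshd[15397]: Failed password for invalid user test from 165.22.193.58 port 56336 ssh2
Mar 21 17:21:41 Unraid sshd[15912]: Unable to negotiate with 211.65.196.53 port 55398: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 21 17:22:31 Unraid sshd[16846]: Invalid user admin from 165.22.193.58 port 56322
Mar 21 17:22:33 Unraid sshd[16846]: Failed password for invalid user admin from 165.22.193.58 port 56322 ssh2
Mar 21 17:22:46 Unraid sshd[17062]: Unable to negotiate with 211.65.196.53 port 60577: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 21 17:23:09 Unraid sshd[17219]: Failed password for invalid user admin from 165.22.193.58 port 51664 ssh2
Mar 21 17:21:56 Unraid smbd[15377]: read_fd_with_timeout failed for client 0.0.0.0 read error = NT_STATUS_CONNECTION_RESET.
"""

# "Failed password for [invalid user] NAME from ADDR port N ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)
# "Unable to negotiate with ADDR port N: no matching key exchange method found. Their offer: a,b,c"
KEX_RE = re.compile(
    r"sshd\[\d+\]: Unable to negotiate with (\S+) port \d+: "
    r"no matching key exchange method found\. Their offer: (\S+)"
)


def summarize_sshd(log_text):
    """Count failed-password and key-exchange failures per source address."""
    failed = defaultdict(int)        # source -> number of failed password attempts
    users = defaultdict(set)         # source -> usernames tried
    kex = defaultdict(int)           # source -> number of rejected key exchanges
    kex_offers = defaultdict(set)    # source -> KEX algorithms the client offered
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.group(1), m.group(2)
            failed[src] += 1
            users[src].add(user)
            continue
        m = KEX_RE.search(line)
        if m:
            src, offer = m.group(1), m.group(2)
            kex[src] += 1
            kex_offers[src].update(offer.split(","))
    return {
        "failed_password": dict(failed),
        "usernames": {k: sorted(v) for k, v in users.items()},
        "kex_failures": dict(kex),
        "kex_offers": {k: sorted(v) for k, v in kex_offers.items()},
    }


def suspicious_sources(summary, threshold=3):
    """Sources to block: repeated password failures, or any pre-auth KEX probing.

    The threshold of 3 is an assumed value; tune it to the host's normal traffic.
    """
    flagged = {src for src, n in summary["failed_password"].items() if n >= threshold}
    flagged.update(summary["kex_failures"])
    return sorted(flagged)


if __name__ == "__main__":
    result = summarize_sshd(SAMPLE_LOG)
    for src, n in result["failed_password"].items():
        print(f"{src}: {n} failed passwords, users tried {result['usernames'][src]}")
    for src, n in result["kex_failures"].items():
        print(f"{src}: {n} rejected key exchanges, offered {result['kex_offers'][src]}")
    print("block candidates:", suspicious_sources(result))
```

On an Unraid box the same parser can be pointed at /var/log/syslog; the addresses it flags are the ones to feed into a firewall or ban list at the router, which is where the later reply in this thread ends up placing its blocking as well.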
plutochang Posted March 22, 2021 (edited)

A while ago I ran into the same problem: someone successfully broke into my host (even though my ssh port is not the default port 22). I could see it had a large number of connections; they turned my host into a miner, with all CPUs at 100% load. Afterwards I reinstalled the unraid USB drive, changed the password, changed the external IP, and kept the original config settings, but after three days I was attacked again, so I suspect that a docker container or VM installed on the system has a problem, a backdoor that actively calls out to the outside to attack. Since my only software router VM (koolshare) is the one with higher risk concerns, and the other VMs and dockers are not very risky, I replaced the software router I had been using (with the official OpenWRT VM), stopped exposing the telnet port externally, reset the password once more, and used banip in the OpenWRT software router to block IPs classified as problematic. It has been running normally since. For your reference, thanks.

Edited March 22, 2021 by plutochang
phoenix13023 Posted April 8, 2021 (Author)

On 3/22/2021 at 11:16 AM, plutochang said:
A while ago I ran into the same problem: someone successfully broke into my host (even though my ssh port is not the default port 22). I could see it had a large number of connections; they turned my host into a miner, with all CPUs at 100% load. Afterwards I reinstalled the unraid USB drive, changed the password, changed the external IP, and kept the original config settings, but after three days I was attacked again, so I suspect that a docker container or VM installed on the system has a problem, a backdoor that actively calls out to the outside to attack. Since my only software router VM (koolshare) is the one with higher risk concerns, and the other VMs and dockers are not very risky, I replaced the software router I had been using (with the official OpenWRT VM), stopped exposing the telnet port externally, reset the password once more, and used banip in the OpenWRT software router to block IPs classified as problematic. It has been running normally since. For your reference, thanks.

Hi, I did indeed also download an OpenWRT ROM from the internet to use as a VM, but I don't really understand what the download directories on the OpenWRT official site mean or what the differences between them are, so I have never tried the official ROM. If it's convenient, please give me some pointers.

At the moment I no longer see external connections in my log, but the smbd error keeps showing up from time to time, and I don't know whether it is a leftover from before. The CPU load currently looks fairly stable; I disabled the WSD feature in SMB and since then have not had one CPU core constantly occupied. It's just that my parity disk keeps overheating at a fixed time every day and I don't know what causes it; the only thing left in the log now is this smbd error.
lyqalex Posted April 8, 2021

The faults described above can occur whether insecure software was installed or hardware is damaged. If we are ordinary people, hacker activity is not targeted. Since there is a suspicious VM, I suggest stopping its use and observing the situation; using the unraid system and plugins from the app center is safe. You could also consider reinstalling unraid; if the problem persists, you need to rule out the possibility of hardware failure.