小鸡被暂停了,有大佬帮忙看看这个是什么情况吗?
(我看是扫ssh,但这不是我扫的)
是中了木马吗?
=================
以下是ticket
=================
您好,在今天收到了两封关于您滥用服务器的邮件 根据tos 暂时为你做出封禁处理
第一封
An attempt to brute-force account passwords over SSH/FTP by a machine in your domain or in your network has been detected. Attached are the host who attacks and time / date of activity. Please take the necessary action(s) to stop this activity immediately. If you have any questions please reply to this email.
Host of attacker: 我的ip => =>
Responsible email contacts: abuse@kirino.co
Attacked hosts in our Network: 37.228.155.100, 178.250.10.81
Logfile entries (time is CE(S)T):
Mon Jan 31 20:45:08 2022: user: root service: ssh target: 178.250.10.81 source: 我的ip
Mon Jan 31 20:44:18 2022: user: root service: ssh target: 178.250.10.81 source: 我的ip
Mon Jan 31 20:43:08 2022: user: root service: ssh target: 178.250.10.81 source: 我的ip
Mon Jan 31 20:32:41 2022: user: student service: ssh target: 37.228.155.100 source: 我的ip
Mon Jan 31 20:31:51 2022: user: mitch service: ssh target: 37.228.155.100 source: 我的ip
Mon Jan 31 20:31:01 2022: user: ritchie service: ssh target: 37.228.155.100 source: 我的ip
Mon Jan 31 20:30:01 2022: user: amaya service: ssh target: 37.228.155.100 source: 我的ip
Mon Jan 31 20:29:11 2022: user: cherie service: ssh target: 37.228.155.100 source: 我的ip
Mon Jan 31 20:28:21 2022: user: isha service: ssh target: 37.228.155.100 source: 我的ip
Mon Jan 31 20:27:31 2022: user: victoria service: ssh target: 37.228.155.100 source: 我的ip
Mon Jan 31 20:26:41 2022: user: charmaine service: ssh target: 37.228.155.100 source: 我的ip
Mon Jan 31 20:25:51 2022: user: brandon service: ssh target: 37.228.155.100 source: 我的ip
Mon Jan 31 20:25:01 2022: user: abraham service: ssh target: 37.228.155.100 source: 我的ip
Mon Jan 31 20:24:11 2022: user: linsey service: ssh target: 37.228.155.100 source: 我的ip
Mon Jan 31 20:23:21 2022: user: ucla service: ssh target: 37.228.155.100 source: 我的ip
Mon Jan 31 20:22:31 2022: user: vcsa service: ssh target: 37.228.155.100 source: 我的ip
Mon Jan 31 20:21:31 2022: user: jory service: ssh target: 37.228.155.100 source: 我的ip
Mon Jan 31 20:20:41 2022: user: dalia service: ssh target: 37.228.155.100 source: 我的ip
Mon Jan 31 20:19:51 2022: user: talisha service: ssh target: 37.228.155.100 source: 我的ip
Mon Jan 31 20:18:21 2022: user: giselle service: ssh target: 37.228.155.100 source: 我的ip
Mon Jan 31 20:17:31 2022: user: angel service: ssh target: 37.228.155.100 source: 我的ip
Mon Jan 31 20:16:21 2022: user: happy service: ssh target: 37.228.155.100 source: 我的ip
Mon Jan 31 20:15:01 2022: user: unitedlinux service: ssh target: 37.228.155.100 source: 我的ip
...
Regards,
Profihost AG Team
The recipient address of this report was provided by the Abuse Contact DB by abusix.com.
Abusix provides a free proxy DB service which provides the abuse@ address for all global RIRs.
Abusix does not maintain the core DB content but provides a service built on top of the RIR databases.
If you wish to change or report a non-working abuse contact address.
please contact the appropriate RIR responsible for managing the underlying data.
If you have any further questions about using the Abusix Abuse Contact DB, please either contact abusix.com directly via email (info@abusix.com) or visit the URL here: https://abusix.com/contactdb
Abusix is neither responsible nor liable for the content or accuracy of this message.
第二封
Hello Abuse-Team,
your Server/Customer with the IP: 我的ip (我的ip) has attacked one of our servers/partners.
The attackers used the method/service: ssh on: Mon, 31 Jan 2022 20:43:48 +0100 .
The time listed is from the server-time of the Blocklist-user who submitted the report.
The attack was reported to the Blocklist.de-System on: Mon, 31 Jan 2022 20:43:49 +0100
!!! Do not answer to this Mail! Use support@ or contact-form for Questions (no resolve-messages, no updates....) !!!
The IP has been automatically blocked for a period of time. For an IP to be blocked, it needs
to have made several failed logins (ssh, imap....), tried to log in for an "invalid user", or have
triggered several 5xx-Error-Codes (eg. Blacklist on email...), all during a short period of time.
The Server-Owner configures the number of failed attempts, and the time period they have
to occur in, in order to trigger a ban and report. Blocklist has no control over these settings.
Please check the machine behind the IP 我的ip (我的ip) and fix the problem.
To search for AS-Number/IPs that you control, to see if any others have been infected/blocked, please go to:
https://www.blocklist.de/en/search.html?as=41378
If you need the logs in another format (rather than an attachment), please let us know.
You can see the Logfiles online again: https://www.blocklist.de/en/logs.html?rid=1033645016&ip=我的ip
You can parse this abuse report mail with X-ARF-Tools from http://www.xarf.org/tools.html e.g. validatexarf-php.tar.gz.
You can find more information about X-Arf V0.2 at http://www.xarf.org/specification.html
This message will be sent again in one day if more attacks are reported to Blocklist.
In the attachment of this message you can find the original logs from the attacked system.
To pause this message for one week, you can use our "Stop Reports" feature on Blocklist.de to submit
the IP you want to stop recieving emails about, and the email you want to stop receiving them on.
If more attacks from your network are recognized after the seven day grace period, the reports will start
being sent again.
To pause these reports for one week:
https://www.blocklist.de/en/insert.html?ip=我的ip&email=abuse@kirino.co
We found this abuse email address in the Contact-Database abusix.org. This is because we could not parse
an abuse/security-Address (e.g. abuse-mailbox, abuse@....) in the Whois, or the Whois request has been
rejected (usually because of a registrar's limits on the number of Whois requests we can perform in a day).
If this is not the right address to send abuse reports to, please contact info@abusix.org: http://abusix.org/services/abuse-contact-db
Reply to this message to let us know if you want us to send future reports to a different email. (e.g. to abuse-quiet or a special address)
blocklist.de Abuse-Team
This message was sent automatically. For questions please use our Contact-Form (autogenerated@/abuse-team@ is not monitored!):
https://www.blocklist.de/en/contact.html?RID=1033645016
Logfiles: https://www.blocklist.de/en/logs.html?rid=1033645016&ip=我的ip
Reported-From: abuse-team@blocklist.de
Category: abuse
Report-Type: login-attack
Service: ssh
Version: 0.2
User-Agent: Fail2BanFeedBackScript blocklist.de V0.2
Date: Mon, 31 Jan 2022 20:43:48 +0100
Source-Type: ip-address
Source: (我的ip)
Port: 22
Report-ID: 1033645016@blocklist.de
Schema-URL: http://www.xarf.org/schema/abuse_login-attack_0.1.2.json
Attachment: text/plain
Lines containing failures of 我的ip
Jan 31 20:42:08 v11 sshd[5575]: User root from 我的ip not allowed because not listed in AllowUsers
Jan 31 20:42:08 v11 sshd[5575]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=我的ip user=root
Jan 31 20:42:09 v11 sshd[5575]: Failed password for invalid user root from 我的ip port 64210 ssh2
Jan 31 20:42:11 v11 sshd[5575]: Received disconnect from 我的ip port 64210:11: Bye Bye [preauth]Jan 31 20:42:11 v11 sshd[5575]: Disconnected from invalid user root 我的ip port 64210 [preauth]Jan 31 20:43:47 v11 sshd[5684]: User root from 我的ip not allowed because not listed in AllowUsers
Jan 31 20:43:47 v11 sshd[5684]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=我的ip user=root
Jan 31 20:43:48 v11 sshd[5684]: Failed password for invalid user root from 我的ip port 64362 s
热议
2楼 jqbaobao 昨天20:21
被人黑了扫爆吧
3楼 konololi 昨天20:41
不是你扫的那就是你鸡子被黑了然后扫的
4楼 yxb 昨天20:42
黑了
/**
* 垂死病中惊坐起,笑问客从何处来
**/
5楼 华为任正非 昨天21:25
是你的IP扫别人,机器被黑了。
不要用什么一键脚本,后门很多。
6楼 stingeo 昨天21:27
网上脚本不能乱跑啊~~~~~~~~~~~~
7楼 emptysuns 昨天21:28
被人扫爆,然后被控制扫爆别人
直接用密钥登录+改掉该死的22端口,可解99.9%的暴力破解
8楼 苦沉沦 昨天21:33
同意楼上!
9楼 笑花落半世琉璃 昨天21:35
被黑进去了吧,数据拿一下直接重装
10楼 mmedici 昨天22:15
估计是弱密码 / 密码已经在泄漏库里
申明:本文内容由网友收集分享,仅供学习参考使用。如文中内容侵犯到您的利益,请在文章下方留言,本站会第一时间进行处理。
评论前必须登录!
立即登录 注册