记录一次服务器被 pnscan 病毒攻击的处理过程
起始
初步处理
netstat -antp
tcp 0 1 10.0.20.9:46146 154.236.210.203:6379 SYN_SENT 6494/pnscan
tcp 0 1 10.0.20.9:42522 154.236.211.7:6379 SYN_SENT 6494/pnscan
tcp 0 1 10.0.20.9:51640 154.236.209.202:6379 SYN_SENT 6494/pnscan
tcp 0 1 10.0.20.9:39260 154.236.210.228:6379 SYN_SENT 6494/pnscan
tcp 0 1 10.0.20.9:51790 154.236.208.110:6379 SYN_SENT 6494/pnscan
tcp 0 1 10.0.20.9:40884 154.236.208.180:6379 SYN_SENT 6494/pnscan
tcp 0 1 10.0.20.9:41620 154.236.209.132:6379 SYN_SENT 6494/pnscan
tcp 0 1 10.0.20.9:34002 154.236.208.78:6379 SYN_SENT 6494/pnscan
tcp 0 1 10.0.20.9:48168 154.236.211.204:6379 SYN_SENT 6494/pnscan
tcp 0 1 10.0.20.9:49848 154.236.211.41:6379 SYN_SENT 6494/pnscan
tcp 0 1 10.0.20.9:48114 154.236.209.181:6379 SYN_SENT 6494/pnscan
排查
锁定目标
PID=6494   # 取自上面 netstat -antp 最后一列 "6494/pnscan" 的进程号
file /proc/$PID/exe        # /proc/<pid>/exe 是指向真实二进制的符号链接，即使文件已被删除也能看到原路径（后缀 "(deleted)"）
ls -l /proc/$PID/exe /proc/$PID/cwd   # 同时看一下工作目录，木马的其它落地文件通常在附近
终于定位到了恶意程序的文件位置。pnscan 网上一搜，是常见的 Redis 木马（上面的外连全部指向 6379 端口，说明这台机器已经被当作跳板在对外扫描 Redis）。注意：只删除文件并不够——进程仍在内存中运行，应先 `kill -9 6494` 再删文件，否则它还会继续扫描。另外这类木马通常是通过 Redis 未授权访问把任务写进 crontab 或 ~/.ssh/authorized_keys 落地的（此处为一般经验，本文并未取证确认入口），删完后还应检查 `crontab -l`、/etc/cron.d/、/var/spool/cron/、各用户的 ~/.ssh/authorized_keys 以及 Redis 的 bind / requirepass 配置，并把 6379 从公网收掉，否则会被再次植入。
问题解决（建议再复核一遍）
下面第二次 netstat 里 pnscan 的连接已进入 FIN_WAIT1 且 PID 列为 "-"，说明该进程已退出。但之后的输出里仍有一个名为 [ddns] 的进程（PID 23497）与 194.36.190.30:1414 保持 ESTABLISHED——真正的内核线程虽以方括号显示，却不会持有 TCP 套接字并带 PID，用户态进程把自己改名成 [xxx] 是常见的伪装手法，这个连接看起来可疑，建议同样用 `ls -l /proc/23497/exe` 核实后再判定处理完毕。另外 sshd 监听在 0.0.0.0:22 且存在 root 直接登录的会话，建议关闭 PermitRootLogin 并用安全组限制来源 IP。
netstat -antp
tcp 0 15 10.0.20.9:37840 154.201.31.115:6379 FIN_WAIT1 -
tcp 0 15 10.0.20.9:59182 154.201.19.168:6379 FIN_WAIT1 -
tcp 0 15 10.0.20.9:36256 154.201.18.78:6379 FIN_WAIT1 -
tcp 0 15 10.0.20.9:54160 154.201.18.110:6379 FIN_WAIT1 -
tcp 0 15 10.0.20.9:49734 154.201.25.232:6379 FIN_WAIT1 -
tcp 0 15 10.0.20.9:41130 154.201.31.22:6379 FIN_WAIT1 -
tcp 0 15 10.0.20.9:51344 154.201.31.78:6379 FIN_WAIT1 -
tcp 0 15 10.0.20.9:50258 154.201.25.212:6379 FIN_WAIT1 -
tcp 0 15 10.0.20.9:50154 154.201.21.108:6379 FIN_WAIT1 -
tcp 0 15 10.0.20.9:57212 154.201.17.42:6379 FIN_WAIT1 -
tcp 0 15 10.0.20.9:38138 154.201.16.173:6379 FIN_WAIT1 -
tcp 0 15 10.0.20.9:37086 154.201.31.11:6379 FIN_WAIT1 -
tcp 0 15 10.0.20.9:42400 154.201.16.108:6379 FIN_WAIT1 -
tcp 0 15 10.0.20.9:58452 154.201.20.6:6379 FIN_WAIT1 -
tcp 0 15 10.0.20.9:44898 154.201.19.70:6379 FIN_WAIT1 -
[root@VM-20-9-centos bin]# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 9454/sshd
tcp 0 28 10.0.20.9:22 119.123.176.171:64406 ESTABLISHED 10169/sshd: root@pt
tcp 0 0 10.0.20.9:56920 194.36.190.30:1414 TIME_WAIT -
tcp 0 0 10.0.20.9:56922 194.36.190.30:1414 ESTABLISHED 23497/[ddns]
tcp 0 0 10.0.20.9:59830 169.254.0.138:8086 ESTABLISHED 19948/tat_agent
[root@VM-20-9-centos bin]# netstat -antp