0
点赞
收藏
分享

微信扫一扫

记录一次服务器被pnscan病毒攻击的处理理财

天悦哥 2022-05-02 阅读 78
服务器网络运维

记录一次服务器被pnscan病毒攻击的处理理财

起始

初步处理

netstat -antp

tcp        0      1 10.0.20.9:46146         154.236.210.203:6379    SYN_SENT    6494/pnscan         
tcp        0      1 10.0.20.9:42522         154.236.211.7:6379      SYN_SENT    6494/pnscan         
tcp        0      1 10.0.20.9:51640         154.236.209.202:6379    SYN_SENT    6494/pnscan         
tcp        0      1 10.0.20.9:39260         154.236.210.228:6379    SYN_SENT    6494/pnscan         
tcp        0      1 10.0.20.9:51790         154.236.208.110:6379    SYN_SENT    6494/pnscan         
tcp        0      1 10.0.20.9:40884         154.236.208.180:6379    SYN_SENT    6494/pnscan         
tcp        0      1 10.0.20.9:41620         154.236.209.132:6379    SYN_SENT    6494/pnscan         
tcp        0      1 10.0.20.9:34002         154.236.208.78:6379     SYN_SENT    6494/pnscan         
tcp        0      1 10.0.20.9:48168         154.236.211.204:6379    SYN_SENT    6494/pnscan         
tcp        0      1 10.0.20.9:49848         154.236.211.41:6379     SYN_SENT    6494/pnscan         
tcp        0      1 10.0.20.9:48114         154.236.209.181:6379    SYN_SENT    6494/pnscan

排查

锁定目标

file /proc/$PID/exe

终于定位到了恶意程序的文件位置,pnscan网上一搜,哦豁竟然是个Redis木马。先删为敬吧。

问题解决

netstat -antp

tcp        0     15 10.0.20.9:37840         154.201.31.115:6379     FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:59182         154.201.19.168:6379     FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:36256         154.201.18.78:6379      FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:54160         154.201.18.110:6379     FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:49734         154.201.25.232:6379     FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:41130         154.201.31.22:6379      FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:51344         154.201.31.78:6379      FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:50258         154.201.25.212:6379     FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:50154         154.201.21.108:6379     FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:57212         154.201.17.42:6379      FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:38138         154.201.16.173:6379     FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:37086         154.201.31.11:6379      FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:42400         154.201.16.108:6379     FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:58452         154.201.20.6:6379       FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:44898         154.201.19.70:6379      FIN_WAIT1   -   

[root@VM-20-9-centos bin]# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      9454/sshd           
tcp        0     28 10.0.20.9:22            119.123.176.171:64406   ESTABLISHED 10169/sshd: root@pt 
tcp        0      0 10.0.20.9:56920         194.36.190.30:1414      TIME_WAIT   -                   
tcp        0      0 10.0.20.9:56922         194.36.190.30:1414      ESTABLISHED 23497/[ddns]        
tcp        0      0 10.0.20.9:59830         169.254.0.138:8086      ESTABLISHED 19948/tat_agent     
[root@VM-20-9-centos bin]# netstat -antp

复盘

举报

相关推荐

记一次服务器被木马注入攻击

服务器运维centos

一次windows server 服务器病毒分析处理总结

vue.jsjavascript前端

企业服务器被devos勒索病毒攻击后怎么处理,devos勒索病毒如何攻击的

pytorch人工智能python

一次服务器被入侵的处理过程分享

centoslinuxIT业界

服务器被攻击了多久恢复?服务器被攻击了怎么处理?

服务器网络安全

记录一次云服务器被劫持下载了挖矿病毒的处理过程

服务器p2p运维

服务器被 DDos 攻击有效的处理方法

安全网络服务器数据库

服务器被攻击如何处理(DDOS攻击和服务器入侵)

负载均衡区块链阿里云安全腾讯云

记录一次病毒启动脚本

windows安全福昕阅读器batchc++编辑器

游戏服务器被攻击怎么处理,怎么杜绝游戏被攻击

安全负载均衡
0 条评论