A record of handling a pnscan malware attack on a server

天悦哥, 2022-05-02, 78 reads

How it started

Initial triage

netstat -antp
tcp        0      1 10.0.20.9:46146         154.236.210.203:6379    SYN_SENT    6494/pnscan         
tcp        0      1 10.0.20.9:42522         154.236.211.7:6379      SYN_SENT    6494/pnscan         
tcp        0      1 10.0.20.9:51640         154.236.209.202:6379    SYN_SENT    6494/pnscan         
tcp        0      1 10.0.20.9:39260         154.236.210.228:6379    SYN_SENT    6494/pnscan         
tcp        0      1 10.0.20.9:51790         154.236.208.110:6379    SYN_SENT    6494/pnscan         
tcp        0      1 10.0.20.9:40884         154.236.208.180:6379    SYN_SENT    6494/pnscan         
tcp        0      1 10.0.20.9:41620         154.236.209.132:6379    SYN_SENT    6494/pnscan         
tcp        0      1 10.0.20.9:34002         154.236.208.78:6379     SYN_SENT    6494/pnscan         
tcp        0      1 10.0.20.9:48168         154.236.211.204:6379    SYN_SENT    6494/pnscan         
tcp        0      1 10.0.20.9:49848         154.236.211.41:6379     SYN_SENT    6494/pnscan         
tcp        0      1 10.0.20.9:48114         154.236.209.181:6379    SYN_SENT    6494/pnscan

Investigation

Pinning down the culprit

file /proc/$PID/exe

That finally gave the on-disk location of the malicious binary. A quick web search for pnscan shows that, sure enough, it is a Redis trojan. Delete it first and ask questions later.
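As an added example (not part of the original post), the two manual steps above, spotting one PID that holds a burst of half-open SYN_SENT sockets to the same remote port and then resolving that PID to its binary through /proc/PID/exe, folded into a small shell helper. The netstat sample embedded below is constructed in the same column layout, with 192.0.2.x addresses standing in for the real targets.

```shell
#!/bin/sh
# Added example: flag processes with many half-open outbound sockets to one
# remote port (the pnscan pattern seen in the netstat output above) and map
# each flagged PID to its executable via /proc/PID/exe.

# Constructed sample in `netstat -antp` column format (addresses are illustrative).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      9454/sshd
tcp        0      1 10.0.20.9:46146         192.0.2.10:6379         SYN_SENT    6494/pnscan
tcp        0      1 10.0.20.9:42522         192.0.2.11:6379         SYN_SENT    6494/pnscan
tcp        0      1 10.0.20.9:51640         192.0.2.12:6379         SYN_SENT    6494/pnscan
tcp        0      1 10.0.20.9:39260         192.0.2.13:6379         SYN_SENT    6494/pnscan
tcp        0      0 10.0.20.9:59830         169.254.0.138:8086      ESTABLISHED 19948/tat_agent'

# Read netstat -antp lines on stdin; print "PID DST_PORT COUNT" for every PID
# that has at least $1 (default 3) SYN_SENT sockets towards the same remote port.
syn_scanners() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        $6 == "SYN_SENT" && $7 != "-" {
            split($7, p, "/")          # "6494/pnscan" -> pid 6494
            n = split($5, a, ":")      # remote port is the last ":"-field
            key = p[1] " " a[n]
            c[key]++
        }
        END { for (k in c) if (c[k] >= t) print k, c[k] }'
}

# Resolve a PID to its executable path. A running binary whose file was
# unlinked shows up with a "(deleted)" suffix; a vanished PID prints "(gone)".
exe_of() {
    readlink "/proc/$1/exe" 2>/dev/null || echo "(gone)"
}

# Combine both steps. Offline: printf '%s\n' "$SAMPLE_NETSTAT" | report 3
# On a live host: netstat -antp 2>/dev/null | report 10
report() {
    syn_scanners "${1:-3}" | while read -r pid port count; do
        echo "pid=$pid dst_port=$port syn_sent=$count exe=$(exe_of "$pid")"
    done
}
```

The threshold is a tuning knob: a scanner like pnscan produces dozens of SYN_SENT entries to a single port within one netstat snapshot, while a legitimate client rarely has more than a handful.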

Problem resolved

netstat -antp
tcp        0     15 10.0.20.9:37840         154.201.31.115:6379     FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:59182         154.201.19.168:6379     FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:36256         154.201.18.78:6379      FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:54160         154.201.18.110:6379     FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:49734         154.201.25.232:6379     FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:41130         154.201.31.22:6379      FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:51344         154.201.31.78:6379      FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:50258         154.201.25.212:6379     FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:50154         154.201.21.108:6379     FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:57212         154.201.17.42:6379      FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:38138         154.201.16.173:6379     FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:37086         154.201.31.11:6379      FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:42400         154.201.16.108:6379     FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:58452         154.201.20.6:6379       FIN_WAIT1   -                   
tcp        0     15 10.0.20.9:44898         154.201.19.70:6379      FIN_WAIT1   -   
[root@VM-20-9-centos bin]# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      9454/sshd           
tcp        0     28 10.0.20.9:22            119.123.176.171:64406   ESTABLISHED 10169/sshd: root@pt 
tcp        0      0 10.0.20.9:56920         194.36.190.30:1414      TIME_WAIT   -                   
tcp        0      0 10.0.20.9:56922         194.36.190.30:1414      ESTABLISHED 23497/[ddns]        
tcp        0      0 10.0.20.9:59830         169.254.0.138:8086      ESTABLISHED 19948/tat_agent     
[root@VM-20-9-centos bin]# netstat -antp

Retrospective
