A Linux server turned into someone else's SMS-sending tool

Source: Internet
Author: User

How our Linux server ended up being used as someone else's SMS-sending tool:



Today at work the product manager said: the company's remaining SMS verification-code balance is 0 (emoticon: J_0062.gif). The day before, when I checked, there were still more than 10,000. Shocked! Shocked! Shocked!


Investigation process:

One: First we contacted our third-party SMS provider to check what had happened. Specifically:

(Screenshot: SMS.png)

The phone number at that time was 0 (empty); we went on to look at the next screenshot:

(Screenshot: Send status.png)

From this it is easy to see:

1. The phone number is empty and the send status is empty, so the validation in the code may have been deliberately bypassed.


2. The send times are consecutive, which means the 10s, 30s and 60s interval checks in the code were deliberately skipped.


3. The SMS provider does not filter or review the numbers: as soon as we submit, the provider sends the message and charges us for it.



Two: Look at the back-end log around 2017.05.04 00:00. Specifically:

(Screenshot: log file.png)


The log content is basically as shown. This is an issue that needs to be raised with the development team so they can help produce a fix.

That is the back-end log; we also have a front-end access log, and the requests presumably came in through the Registergetphonecode interface. Let's look at it with grep and awk using the following command:


cat www.log | grep Registergetphonecode | awk '{print $1}' | sort | uniq -c | sort -nr | head -n 40



(Screenshot: Nginx log.png)

Command detail: read the log file, first use grep to filter for Registergetphonecode, then use awk to print only the first column (the client IP), sort, deduplicate with a count per line, sort in descending order by count, and show only the first 40 rows. (The IPs in the screenshot are mosaicked by me; I thought it better not to expose them.)


It is obvious that in the early morning someone with ulterior motives was hammering the server.

Three: Solutions:

1. Add all of these IPs to the firewall ...


They can be added to the firewall with a shell script, or each IP can be typed in manually ...
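The one-liner above turned into a small script, as an added example that is not code from the original post: it counts hits on the SMS-code endpoint per client IP, picks out the addresses above a threshold, and prints one firewall rule per address for review before anything is applied. It assumes an nginx/apache style access log with the client IP in the first column and the request path on the same line, like the www.log in the post; the log lines, the addresses (RFC 5737 documentation ranges), the file name and the threshold of 2 are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's grep/awk
# pipeline as functions that count hits per client IP on the SMS-code
# endpoint and turn the heavy hitters into firewall rules.
# Assumes an nginx/apache style access log with the client IP in the
# first column and the request on the same line, like the post's www.log.

LOGFILE="${TMPDIR:-/tmp}/sample_www.log"   # constructed sample, not the real log

# Write a constructed access log: one scripted client hammering the
# endpoint with an empty phone number, one smaller burst, one normal user.
# All addresses are RFC 5737 documentation ranges, not real hosts.
make_sample_log() {
    : > "$LOGFILE"
    i=1
    while [ "$i" -le 5 ]; do
        printf '203.0.113.7 - - [04/May/2017:00:01:0%d +0800] "GET /Registergetphonecode?phone= HTTP/1.1" 200 27 "-" "python-requests/2.13"\n' "$i" >> "$LOGFILE"
        i=$((i + 1))
    done
    i=1
    while [ "$i" -le 3 ]; do
        printf '198.51.100.23 - - [04/May/2017:00:02:1%d +0800] "GET /Registergetphonecode?phone= HTTP/1.1" 200 27 "-" "curl/7.47.0"\n' "$i" >> "$LOGFILE"
        i=$((i + 1))
    done
    cat >> "$LOGFILE" <<'EOF'
192.0.2.10 - - [04/May/2017:08:29:50 +0800] "GET /register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [04/May/2017:08:30:00 +0800] "GET /Registergetphonecode?phone=13800000000 HTTP/1.1" 200 27 "https://www.example.com/register" "Mozilla/5.0"
EOF
}

# The post's pipeline: keep only requests to the endpoint ($2) in log $1,
# take the client IP (first column), count occurrences, most frequent first.
count_endpoint_hits() {
    grep "$2" "$1" | awk '{print $1}' | sort | uniq -c | sort -nr
}

# IPs that hit the endpoint more than $3 times. A normal visitor making
# one or two requests from the registration page stays below this.
offending_ips() {
    count_endpoint_hits "$1" "$2" | awk -v limit="$3" '$1 > limit {print $2}'
}

# Print (do not run) one DROP rule per offending IP, so the list can be
# reviewed before it is applied to the firewall.
block_rules() {
    offending_ips "$1" "$2" "$3" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

make_sample_log
echo "Top clients on the endpoint:"
count_endpoint_hits "$LOGFILE" Registergetphonecode | head -n 40
echo "Rules for clients with more than 2 hits:"
block_rules "$LOGFILE" Registergetphonecode 2
```

On the constructed log the normal visitor (one request from the registration page) is not listed, while the two scripted clients are; with a real log the threshold should be set from what a legitimate user's session looks like, and the printed rules reviewed before being applied.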

2. What the development team told us about the code: the front-end code does not filter the phone number, so arbitrary parameters can be concatenated, and whoever finds the back-end sending URL can have a text message sent.

Development is writing an emergency fix to limit the number of sends per phone number and to add a corresponding graphical verification code (captcha).
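The two server-side checks the post says were missing, number validation and spacing between sends, written as shell functions as an added example (not the project's own code) so they can be run and tested here. Everything below is assumed for the example: one state file per number under a STATE_DIR holding "last_send_epoch count day", a 60s cooldown and a limit of 5 codes per number per day as sample values, and the current time passed in as a parameter so the behaviour is reproducible without a real clock. The graphical verification code is a separate piece and is not covered.

```shell
#!/bin/sh
# Added example, not the project's own code: the server-side checks the
# post says were skipped (phone-number validation and the spacing between
# sends), as shell functions so they can be run and tested here.
# Assumptions (hypothetical): one state file per number under STATE_DIR
# holding "last_send_epoch count day"; the 60s cooldown and 5-per-day
# limit are example values; the current time is passed in as a parameter.

STATE_DIR="${TMPDIR:-/tmp}/smscode_state_example"
COOLDOWN_SECS=60   # minimum gap between two codes to the same number
DAILY_LIMIT=5      # maximum codes per number per calendar day (UTC)

reset_state() { rm -rf "$STATE_DIR"; mkdir -p "$STATE_DIR"; }

# Accept only an 11-digit mainland mobile number starting with 1.
# This runs on the server for every request, so a client that skips the
# front-end check still cannot submit an empty or arbitrary value.
valid_phone() {
    printf '%s' "$1" | grep -Eq '^1[0-9]{10}$'
}

# Decide whether a code may be sent to number $1 at epoch second $2.
# Prints one of: ok, bad-number, too-fast, daily-limit.
# Returns 0 only for ok, so it can be used directly in an if.
allow_send() {
    phone=$1
    now=$2
    if ! valid_phone "$phone"; then
        echo bad-number
        return 1
    fi
    f="$STATE_DIR/$phone"
    last=0; count=0; day=0
    [ -f "$f" ] && read -r last count day < "$f"
    today=$(( now / 86400 ))
    [ "$day" -eq "$today" ] || count=0          # new day: reset the counter
    if [ $(( now - last )) -lt "$COOLDOWN_SECS" ]; then
        echo too-fast
        return 1
    fi
    if [ "$count" -ge "$DAILY_LIMIT" ]; then
        echo daily-limit
        return 1
    fi
    printf '%s %s %s\n' "$now" "$(( count + 1 ))" "$today" > "$f"
    echo ok
}

# Demo: a burst of requests for one constructed number starting at
# 2017-05-04 00:00 UTC (epoch 1493856000), then one with an empty number.
reset_state
T0=1493856000
for t in 0 10 60 120 180 240 300 86400; do
    printf 'phone=13800000000 t=+%-5s -> %s\n' "$t" "$(allow_send 13800000000 $(( T0 + t )))"
done
printf 'phone=(empty)            -> %s\n' "$(allow_send "" "$T0")"
```

The demo shows the three failure modes in order: the second request 10s after the first is refused as too-fast, the sixth request of the day is refused as daily-limit, and the request the next day is accepted again because the counter is per day; an empty number is refused before any state is touched.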


Development is also working overtime to solve the matter ...




Summary:

1. This happened in the early morning of 5.4 (2017.05.04). From then until the start of the working day no alarm went off, so the relevant staff were not notified in time; we need to set up monitoring and alerting. There are many open-source monitoring frameworks, such as Zabbix.


2. Code quality needs to improve, and public methods need proper documentation.


3. Set up the appropriate security groups to reduce the number of ports exposed to the public Internet.


This article is from the "Cheng Xiao Bai" blog; reprinting declined!

