Network shock...

After I opened FTP for a colleague in Beijing at the company's network outlet, two minutes later, I relied on it. I couldn't log on, prompting me that the password was wrong. I was so scared that I had to shut down the machine, the single-user mode is used to get rid of the password, which is frightening...

Check whether the system has been hacked. Depend on me. There are two users in last, one from South Korea and one from Rome, I even logged on to my machine. Fortunately, it wasn't root. Otherwise, my logs will be deleted. Check/etc/passwd and/etc/shadow quickly, mySQL shell is/bin/bash. I rely on it to delete mysql users and delete other messy users and directories...

Two rotten people use the test user to log on and check that there is nothing in/home/test, but they are afraid of it...
No way now. I have added several policies.

Iptables-P input drop
Iptables-A input-p tcp -- dport 22-s xx. xx-J accept
Iptables-A input-p icmp-J accept
To see when he will come back, he adds a useless strategy.
Iptables-A input-p tcp -- dport 22-J Drop

Logs still exist...
But considering what may have been installed in the kernel, we have to get a new kernel and start it with the new kernel... now we are lucky.
Fortunately, there is no problem now. It seems that I have to strengthen network security protection for the DMZ zone. I found South Korea on the Web server last time.
The user's connection, but the terminal service is disabled, and it will be disconnected immediately.

It seems that all my default policies need to be changed to drop...
Copy the IP addresses of two bad people in South Korea and Rome.

NMAP: I found that South Korea has already passed. It is estimated that it is ADSL or other dynamic IP Address allocation, and Rome is not so happy.
After scanning, we found that it was a fedore Core Used as a proxy and Nat server. I don't know the version, but opened ports 3128 and.
Squid is used as an HTTP proxy to log on to... 80. I rely on... to realize that it is the default Apache page. I guess it is also a stepping stone for others, so there is no way to do it.
However, it is obvious that this proxy is very bad, and Apache's default page is open.
However, the current job is
1. Determine the target FC version.
2. Check the installed Apache, squid, and OpenSSH versions.
3. Search for software and system vulnerabilities
4. log on to the machine
5. check when I used this machine to log on to my machine, the user name, and the source IP address.
6. Find the real login person

Fuck, it's really scaring me...