The sfewfesfs virus, also known as the nhgbhhj virus, is a piece of malware that runs rampant on Linux servers. You can tell from the name that its author picked it at random, precisely to make it harder to spot. I used to think this sort of thing was far away from me, but one careless operation nearly took my personal VPS down, so I am writing it up here as a warning to others.
How it started

In hindsight the cause looks a bit silly. I had recently become interested in Discourse, the up-and-coming forum software, and one of its features is that, like Disqus and Duoshuo (多說), it can be embedded into an existing static site. So I wanted to try it out on Logecho.
I searched Baidu for its installation docs and followed the steps one by one. To save effort I picked a Chinese-language guide, which turned out to describe a very tedious installation procedure. A few steps in I suddenly remembered that Discourse seemed to have a Docker-based install, so I found the recommended installation procedure on its official site; that one was very simple and was done in a few steps.
But as I mentioned above, I had left the first installation half finished, and as luck would have it I had stopped right at the step that creates a user named admin:
$ sudo adduser admin
$ sudo adduser admin sudo
To make logging in easier, I had even changed admin's password to 12345. At that point I went off to look for other installation docs and the whole thing slipped my mind. Anyone with a bit of experience can see immediately how dangerous it is to leave behind a high-privilege account with a weak password like this; I had only meant to use it temporarily and delete it as soon as I was done.
And that is how tragedy tends to strike when you least expect it...
Things go wrong

Around noon the next day I was running a data import script on the VPS when I suddenly noticed the terminal was responding very slowly and the program had frozen. I assumed the network was just flaking out intermittently and ignored it. But a little while later I received alert emails from Linode, two at once: both CPU and network load had exceeded their thresholds. That is when I realised I had probably been compromised.
By then the system was so sluggish and the network so congested that I could no longer SSH into the host. The figure below shows what the system looked like at the time.
Fortunately Linode provides a browser-based live console. As soon as I got in I found a process named nhgbhhj consuming an enormous share of the load. A quick web search confirmed it is indeed a piece of malware whose purpose is to send packets nonstop and saturate your bandwidth. The information online was all very old, and I found that the removal methods it gave did not actually get rid of the program, so I had to work it out myself.
Analysis

The first step, naturally, was to kill the process. That only treats the symptom, not the cause, but it did bring the system load straight back down so I could log in again through a normal terminal. The next step was to find the files the processes had been launched from. According to what I read online they should be under /tmp, and sure enough, in there was a pile of strange-looking files.
I deleted those files and killed the corresponding processes, but found that a file called conf.n kept refusing to go away; or rather, after I deleted it, it reappeared on its own.
I guessed there must still be processes I had not killed, and later discovered that the directory also held a lot of hidden files, for example ones whose names start with .ssh.
A cunning rabbit really does have three burrows. After I deleted all of that junk, conf.n never came back, so I judged the infection had been cleaned out.
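A small triage helper for the cleanup described above, added here as an example (it is not from the original post): it resolves every process's executable through /proc and reports the ones running out of scratch directories, plus hidden files in /tmp. The set of scratch directories is my assumption, not a list from the post; the script only reports, and killing or deleting remains a manual, reviewed step.

```shell
#!/bin/sh
# Added example, not code from the post: find processes whose binary lives in
# a world-writable scratch directory (where the post found nhgbhhj and conf.n)
# and list hidden entries in /tmp. Report only; do not kill or delete here.

# Return 0 when a path is under a scratch directory malware commonly drops
# into. The directory list is an assumption, not taken from the post.
is_scratch_path() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "PID EXE CMDLINE" for each process whose executable is under a scratch
# directory. If the file was already deleted but the process still runs, the
# link reads "/tmp/xxx (deleted)": that is the process that keeps re-creating
# files such as conf.n, and it still matches here.
scratch_procs() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        if is_scratch_path "$exe"; then
            cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)
            echo "${p#/proc/} $exe $cmd"
        fi
    done
}

# Hidden entries directly under /tmp (the post found names starting with .ssh).
hidden_tmp_files() {
    find /tmp -maxdepth 1 -name '.*' 2>/dev/null
}

scratch_procs
hidden_tmp_files
```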
Plugging the hole

The first thing was to deal with the weak-password admin account. To be more thorough I simply disabled password login entirely: in /etc/ssh/sshd_config find
PasswordAuthentication yes
change yes to no, then restart the SSH service.
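The same change made idempotently, as an added example that is not from the original post: the helpers set_sshd_option, get_sshd_option and harden_sshd are my own, and harden_sshd adds two related settings beyond the one the post changed. Make sure a public-key login already works before disabling passwords, or you lock yourself out.

```shell
#!/bin/sh
# Added example, not code from the post. sshd honours the FIRST occurrence of
# a key, so appending "PasswordAuthentication no" below a live
# "PasswordAuthentication yes" changes nothing; rewrite the line in place.

# set_sshd_option FILE KEY VALUE: rewrite an existing "KEY ..." line (commented
# out in the distro default style "#KEY ..." or live) as "KEY VALUE", or
# append it if the key is absent.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -Eq "^[[:space:]]*#?$key([[:space:]]|$)" "$file"; then
        sed -E "s/^[[:space:]]*#?$key([[:space:]].*)?$/$key $value/" "$file" > "$tmp"
    else
        { cat "$file"; echo "$key $value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_sshd_option FILE KEY: the effective value, i.e. the first uncommented
# occurrence (top level only; Match blocks are not interpreted here).
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd [FILE]: the post's change plus two related settings. Run as root.
# Service name is "ssh" on Debian/Ubuntu and "sshd" on most other distros.
# If the file has an Include directive at the top, drop-ins under
# sshd_config.d take precedence; confirm with: sshd -T | grep -i passwordauth
harden_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    cp "$cfg" "$cfg.bak.$(date +%s)"
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
    set_sshd_option "$cfg" PermitRootLogin prohibit-password
    # sshd -t rejects a broken file; never restart on a config it rejects.
    sshd -t -f "$cfg" && systemctl restart ssh
}
```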
Summary

First, you have to keep your guard up on security at all times. You may do everything else well, but a single moment of carelessness can undo it all.
Think about the consequences of every operation you perform on a server, and never give up basic security for the sake of convenience. Most password-guessing scanners these days sweep the entire internet around the clock; if you have a weak password there is no getting lucky. If you don't believe me, take a look at your login log:
root@localhost:/tmp# cat /var/log/auth.log | grep admin
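Rather than eyeballing the grep output, the log can be summarised per source address; this is an added example, not part of the original post, and its sample lines are constructed in the same sshd format with documentation-range IPs. failed_by_source counts failures and distinct usernames per address, and success_after_failures flags an address that eventually got an "Accepted password" after repeated failures, which is the weak-password scenario the post describes.

```shell
#!/bin/sh
# Added example, not code from the post. Input is auth.log text on stdin in
# the "Mon DD HH:MM:SS host sshd[pid]: ..." format shown above.

# Constructed sample, not real log data (RFC 5737 documentation addresses).
SAMPLE_LOG='Jan 19 08:23:51 localhost sshd[22552]: Failed password for invalid user www-admin from 192.0.2.10 port 40628 ssh2
Jan 19 08:24:53 localhost sshd[22592]: Failed password for invalid user www-admin from 192.0.2.10 port 35412 ssh2
Jan 19 15:35:39 localhost sshd[7495]: Failed password for invalid user gitadmin from 198.51.100.7 port 48362 ssh2
Jan 19 15:38:41 localhost sshd[7735]: Failed password for invalid user pgadmin from 198.51.100.7 port 49705 ssh2
Jan 19 15:39:21 localhost sshd[7800]: Failed password for invalid user wasadmin from 198.51.100.7 port 35276 ssh2
Jan 19 16:02:11 localhost sshd[8001]: Failed password for admin from 198.51.100.7 port 36001 ssh2
Jan 19 16:02:40 localhost sshd[8010]: Accepted password for admin from 198.51.100.7 port 36012 ssh2
Jan 19 16:05:00 localhost sshd[8020]: Failed password for root from 203.0.113.5 port 2222 ssh2'

# failed_by_source < log: "IP failures distinct_users", most failures first.
# Handles both "for invalid user NAME" (unknown account) and "for NAME".
failed_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = ($(i+1) == "invalid" && $(i+2) == "user") ? $(i+3) : $(i+1)
                if ($i == "from") { ip = $(i+1); break }
            }
            fails[ip]++
            if (!seen[ip, user]++) users[ip]++
        }
        END { for (ip in fails) print ip, fails[ip], users[ip] }
    ' | sort -k2,2nr
}

# success_after_failures [N] < log: "IP user failures" for every address that
# logged in successfully after at least N (default 3) failed passwords.
success_after_failures() {
    awk -v n="${1:-3}" '
        /sshd\[[0-9]+\]: (Failed|Accepted) password for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = $(i+1)
                if ($i == "from") { ip = $(i+1); break }
            }
            if ($0 ~ /Failed password for/) fails[ip]++
            else if (fails[ip] >= n) print ip, user, fails[ip]
        }'
}

printf '%s\n' "$SAMPLE_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_LOG" | success_after_failures 3
```

On a live host, feed it /var/log/auth.log (or `journalctl -u ssh --no-pager`) instead of the sample.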
This time I was lucky to notice in time, and I happened to be logged in at that moment. If you get infected without noticing, your provider may well suspend your service, and then the loss is far greater.
Reposted from: http://www.l4zy.com/posts/hacked-by-sfewfesfs.html
When reposting, please cite this article's address: http://m.specialneedsforspecialkids.com/yun/11148.html