
VPS got attacked, I've pulled out the binaries, anyone interested in taking a look?

Axurez · Feb 13, 2017 · 1408 views

    Archive address: https://box.zjuqsc.com/-mal , three files. Open with care on Linux...

    Linode told me:

    Thanks for taking a closer look at this. I've got a recording of some example traffic we've seen. It appears that your Linode is emitting a Syn flood [1] with a destination port of 9008:

    13:32:24.508094 IP 139.162.108.74.27713 > 122.226.191.98.9008: Flags [S], seq 1816213842:1816214726, win 60143, length 884
    13:32:24.508101 IP 139.162.108.74.62227 > 122.226.191.98.9008: Flags [S], seq 4078117166:4078118031, win 65107, length 865
    13:32:24.508104 IP 139.162.108.74.43579 > 122.226.191.98.9008: Flags [S], seq 2856034569:2856035451, win 64204, length 882
    13:32:24.508106 IP 139.162.108.74.48818 > 122.226.191.98.9008: Flags [S], seq 3199391525:3199392381, win 61478, length 856
    10054 packets captured
    66946 packets received by filter
    55141 packets dropped by kernel
    0.87 seconds

    There seem to be no login records, but I guess they were deleted. Three scripts were dropped in /etc/init.d, each executing one of the three executables; the scripts look like this:

    #!/bin/sh
    # chkconfig: 12345 90 90
    # description: ktinazm
    ### BEGIN INIT INFO
    # Provides: ktinazm
    # Required-Start:
    # Required-Stop:
    # Default-Start: 1 2 3 4 5
    # Default-Stop:
    # Short-Description: ktinazm
    ### END INIT INFO
    case $1 in
    start)
    	"/bin/mzanitk"
      break
    	;;
    stop)
      break
    	;;
    *)
    	"/bin/mzanitk"
      break
    	;;
    esac
    Two of them are in /bin, one is in /usr/bin.

    Has anyone seen this kind of malware before?
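The service name ktinazm in the script above is a letter permutation of the launched binary mzanitk. As an added example that is not part of the post, the Python below scans init scripts for that trait, for starting in single-user runlevel 1, and for a catch-all branch that launches a binary on any argument; the two scripts it checks are constructed samples, one modelled on the quoted script and one harmless stand-in.

```python
import re
from collections import Counter

# Constructed samples: SUSPECT is modelled on the init script quoted in the post
# (service ktinazm launching /bin/mzanitk); BENIGN is a harmless stand-in.
SUSPECT = """#!/bin/sh
# chkconfig: 12345 90 90
# Provides: ktinazm
# Default-Start: 1 2 3 4 5
case $1 in
start)
\t"/bin/mzanitk"
\t;;
*)
\t"/bin/mzanitk"
\t;;
esac
"""
BENIGN = """#!/bin/sh
# Provides: sshd
# Default-Start: 2 3 4 5
case $1 in
start)
\t/usr/sbin/sshd
\t;;
esac
"""

PROVIDES = re.compile(r"^#\s*Provides:\s*(\S+)", re.M)
START = re.compile(r"^#\s*Default-Start:\s*(.*)$", re.M)
BRANCH = re.compile(r"^(\S+)\)\n(.*?)^\s*;;", re.M | re.S)  # case label -> body
BINARY = re.compile(r'"?(/(?:usr/)?s?bin/[^"\s]+)"?')       # absolute paths under bin/sbin

def analyse(script: str) -> dict:
    """Return the service name and the traits of the script worth a closer look."""
    m = PROVIDES.search(script)
    name = m.group(1) if m else ""
    m = START.search(script)
    runlevels = set(m.group(1).split()) if m else set()
    branches = dict(BRANCH.findall(script))  # {"start": body, "*": body, ...}
    flags = []
    for base in {p.rsplit("/", 1)[1] for p in BINARY.findall(branches.get("start", ""))}:
        if base != name and Counter(base) == Counter(name):
            flags.append(f"start binary {base} is an anagram of service name {name}")
    if "1" in runlevels:
        flags.append("Default-Start includes single-user runlevel 1")
    if BINARY.search(branches.get("*", "")):
        flags.append("catch-all branch launches a binary for any argument")
    return {"name": name, "flags": flags}
```

Run it over every file in /etc/init.d and review anything that returns a non-empty flag list; a clean result is not proof of a clean host, only the absence of these three traits.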
