Code farmer's hacker counterattack (3)

Date: 2022-01-02

Preface

Recently the server was compromised and turned into a bot. I have already dealt with it twice (Code farmer's hacker counterattack, Code farmer's hacker counterattack (II)), killing the malicious files and changing the server's default configuration. On further observation it still was not completely cleaned up: a few hours after each restart the server becomes unreachable, and Alibaba Cloud sends a Ping-failure alert.

[Alibaba Cloud] Cloud Monitor: Ping2_one*4229: ping packet loss rate, address XXXXXXXX, alarm at all nodes at 17:15, value 100%. Please log in to the Cloud Monitor console to check.

Defeat

After a restart from the Alibaba Cloud console, SSH logins worked again. I spent a long time checking the system and ran another scan with the ClamAV anti-virus software; after deleting some of the infected files (the screenshots are lost), the system became completely abnormal, and after the next restart SSH could not connect at all. In fact this can only be regarded as a "counterattack" by the hackers.

Trying again

The server was unreachable, but it still held a lot of data that needed to be recovered. I then contacted the Alibaba Cloud after-sales engineers through the ticket system in the Alibaba Cloud console, and the engineers provided the following solution.

Following the Alibaba engineer's plan, I manually created a snapshot and reinitialized the disk, after which the system returned to normal. The Alibaba engineers then helped mount the snapshot on the system, and I copied the original data out of the snapshot to recover it; the data was then back to normal. Mounting the system snapshot did not succeed at first; later it was mounted on another server.

Reflection

This is the first time the server has been hacked. I have little experience and no relevant anti-hacker knowledge or tools. Although, as a code farmer, I carry deep down an unfathomable hacker dream of a computer controlling the world, more often than not it is just something I think about after watching movies. I'm ashamed.

This incident also exposed my own weak spots in knowledge (I am not familiar with the Linux system and only use common applications) and some non-standard use of the server (operations and maintenance is weak), which call for reflection, learning and attention. On the newly restored system I have made some security settings and maintenance: upgrading and installing system patches, setting firewall rules, changing the default settings of some software (especially vulnerable software such as Redis, which allowed unauthenticated access and was also exposed to the internet), and reorganizing and planning the server layout. Services that do not need the internet are not opened to it; where external-network access is needed, it goes through a proxy.
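As an added example (not from the original post), a small shell audit of a redis.conf for the weak defaults mentioned above: listening on all interfaces, no requirepass, and protected-mode switched off. The file paths and the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit a redis.conf for the
# defaults that leave Redis reachable from the internet without a password.
# Sample configs and paths below are constructed for this demo.

# Effective value of a directive (the last occurrence wins, as in Redis).
redis_directive() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# Returns 0 if the config looks hardened, 1 if exposed; reasons on stdout.
audit_redis_conf() {
    conf="$1"; bad=0
    bind=$(redis_directive "$conf" bind)
    pass=$(redis_directive "$conf" requirepass)
    pmode=$(redis_directive "$conf" protected-mode)
    case "$bind" in
        ""|0.0.0.0|"*") echo "EXPOSED: bind is '${bind:-unset}' (all interfaces)"; bad=1 ;;
    esac
    [ -z "$pass" ] && { echo "EXPOSED: requirepass not set (no authentication)"; bad=1; }
    [ "$pmode" = "no" ] && { echo "EXPOSED: protected-mode no"; bad=1; }
    [ "$bad" -eq 0 ] && echo "OK: binds to $bind with a password set"
    return "$bad"
}

# Constructed sample configs: the exposed one and a hardened one.
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
bind 0.0.0.0
port 6379
protected-mode no
EOF
cat > "$tmp/hard.conf" <<'EOF'
bind 127.0.0.1
port 6379
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
EOF
if ! audit_redis_conf "$tmp/weak.conf"; then echo "weak.conf: exposed"; fi
audit_redis_conf "$tmp/hard.conf"
```

Run it against the real /etc/redis/redis.conf on a server to see whether the service is bound only to localhost (or a private interface behind the firewall) and protected by a password.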

Finally

This was not a successful counterattack. I am writing it down and publishing it, first as a record, and second because if others run into a similar situation and see it, it may be of some reference value. The end.