Yesterday my blog (WordPress) went down. When I logged in to my server over SSH there was a message "System restart required", so I rebooted the system and everything went back to normal (I mean WordPress started working again).
But when I tried to reach the server over SSH after the reboot, I got a "server identification changed" error and had to edit the known_hosts file to log in.
And when I checked /var/log/auth.log, I found that a new user ubuntu and a new group lxd had been created right after the reboot, and the user had been added to all the groups.
Here is the snippet of /var/log/auth.log from that time:
Aug 20 02:58:24 localhost sudo: pam_unix(sudo:session): session opened for user root by admin(uid=0)
Aug 20 02:58:24 localhost sshd[12486]: pam_unix(sshd:session): session closed for user admin
Aug 20 02:58:24 localhost sudo: pam_unix(sudo:session): session closed for user root
Aug 20 02:58:24 localhost sshd[2425]: Received signal 15; terminating.
Aug 20 02:58:33 localhost systemd-logind[1279]: New seat seat0.
Aug 20 02:58:34 localhost systemd-logind[1279]: Watching system buttons on /dev/input/event0 (Power Button)
Aug 20 02:58:39 localhost groupadd[2433]: group added to /etc/group: name=lxd, GID=1001
Aug 20 02:58:39 localhost groupadd[2433]: group added to /etc/gshadow: name=lxd
Aug 20 02:58:39 localhost groupadd[2433]: new group: name=lxd, GID=1001
Aug 20 02:58:39 localhost useradd[2437]: new group: name=ubuntu, GID=1002
Aug 20 02:58:39 localhost useradd[2437]: new user: name=ubuntu, UID=1001, GID=1002, home=/home/ubuntu, shell=/bin/bash
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to group 'adm'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to group 'dialout'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to group 'cdrom'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to group 'floppy'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to group 'sudo'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to group 'audio'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to group 'dip'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to group 'video'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to group 'plugdev'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to group 'netdev'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to group 'lxd'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to shadow group 'adm'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to shadow group 'dialout'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to shadow group 'cdrom'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to shadow group 'floppy'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to shadow group 'sudo'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to shadow group 'audio'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to shadow group 'dip'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to shadow group 'video'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to shadow group 'plugdev'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to shadow group 'netdev'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to shadow group 'lxd'
Aug 20 02:58:39 localhost passwd[2442]: password for 'ubuntu' changed by 'root'
Aug 20 02:58:40 localhost sshd[2451]: Server listening on 0.0.0.0 port 22.
Aug 20 02:58:40 localhost sshd[2451]: Server listening on :: port 22.
Aug 20 02:59:14 localhost sshd[2655]: Connection closed by 47.31.15.188 port 62746 [preauth]
Aug 20 02:59:45 localhost sshd[2658]: Connection closed by 47.31.15.188 port 50927 [preauth]
Aug 20 02:59:57 localhost sshd[2660]: Connection closed by 47.31.15.188 port 50928 [preauth]
Aug 20 03:00:01 localhost CRON[2662]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Aug 20 03:00:01 localhost CRON[2662]: pam_unix(cron:session): session closed for user smmsp
So now I don't know what happened. Was my server compromised, or was this a system update?
Either way, I have started moving everything off the server, and I will delete it once that is done.
Update 1
I have not installed anything new on the system myself, but I do have a cron job that renews the Let's Encrypt certificate, and it does try to install some dependencies. So when I checked /var/log/apt, I found this in history.log:
Start-Date: 2017-08-08 13:35:06
Commandline: apt-get install -y --no-install-recommends python python-dev virtualenv python-virtualenv gcc libaugeas0 augeas-lenses libssl-dev openssl libffi-dev ca-certificates
Upgrade: openssl:amd64 (1.0.2g-1ubuntu4.1, 1.0.2g-1ubuntu4.8), libssl-dev:amd64 (1.0.2g-1ubuntu4.5, 1.0.2g-1ubuntu4.8), libssl1.0.0:amd64 (1.0.2g-1ubuntu4.5, 1.0.2g-1ubuntu4.8)
End-Date: 2017-08-08 13:35:07
Contents of /var/log/dpkg.log:
2017-08-08 13:35:06 startup archives unpack
2017-08-08 13:35:06 upgrade libssl-dev:amd64 1.0.2g-1ubuntu4.5 1.0.2g-1ubuntu4.8
2017-08-08 13:35:06 status half-configured libssl-dev:amd64 1.0.2g-1ubuntu4.5
2017-08-08 13:35:06 status unpacked libssl-dev:amd64 1.0.2g-1ubuntu4.5
2017-08-08 13:35:06 status half-installed libssl-dev:amd64 1.0.2g-1ubuntu4.5
2017-08-08 13:35:06 status half-installed libssl-dev:amd64 1.0.2g-1ubuntu4.5
2017-08-08 13:35:06 status unpacked libssl-dev:amd64 1.0.2g-1ubuntu4.8
2017-08-08 13:35:06 status unpacked libssl-dev:amd64 1.0.2g-1ubuntu4.8
2017-08-08 13:35:06 upgrade libssl1.0.0:amd64 1.0.2g-1ubuntu4.5 1.0.2g-1ubuntu4.8
2017-08-08 13:35:06 status triggers-pending libc-bin:amd64 2.23-0ubuntu3
2017-08-08 13:35:06 status half-configured libssl1.0.0:amd64 1.0.2g-1ubuntu4.5
2017-08-08 13:35:06 status unpacked libssl1.0.0:amd64 1.0.2g-1ubuntu4.5
2017-08-08 13:35:06 status half-installed libssl1.0.0:amd64 1.0.2g-1ubuntu4.5
2017-08-08 13:35:06 status half-installed libssl1.0.0:amd64 1.0.2g-1ubuntu4.5
2017-08-08 13:35:06 status unpacked libssl1.0.0:amd64 1.0.2g-1ubuntu4.8
2017-08-08 13:35:06 status unpacked libssl1.0.0:amd64 1.0.2g-1ubuntu4.8
2017-08-08 13:35:06 upgrade openssl:amd64 1.0.2g-1ubuntu4.1 1.0.2g-1ubuntu4.8
2017-08-08 13:35:06 status half-configured openssl:amd64 1.0.2g-1ubuntu4.1
2017-08-08 13:35:06 status unpacked openssl:amd64 1.0.2g-1ubuntu4.1
2017-08-08 13:35:06 status half-installed openssl:amd64 1.0.2g-1ubuntu4.1
2017-08-08 13:35:06 status triggers-pending man-db:amd64 2.7.5-1
2017-08-08 13:35:06 status half-installed openssl:amd64 1.0.2g-1ubuntu4.1
2017-08-08 13:35:06 status unpacked openssl:amd64 1.0.2g-1ubuntu4.8
2017-08-08 13:35:06 status unpacked openssl:amd64 1.0.2g-1ubuntu4.8
2017-08-08 13:35:07 trigproc libc-bin:amd64 2.23-0ubuntu3 <none>
2017-08-08 13:35:07 status half-configured libc-bin:amd64 2.23-0ubuntu3
2017-08-08 13:35:07 status installed libc-bin:amd64 2.23-0ubuntu3
2017-08-08 13:35:07 trigproc man-db:amd64 2.7.5-1 <none>
2017-08-08 13:35:07 status half-configured man-db:amd64 2.7.5-1
2017-08-08 13:35:07 status installed man-db:amd64 2.7.5-1
2017-08-08 13:35:07 startup packages configure
2017-08-08 13:35:07 configure libssl1.0.0:amd64 1.0.2g-1ubuntu4.8 <none>
2017-08-08 13:35:07 status triggers-pending libc-bin:amd64 2.23-0ubuntu3
2017-08-08 13:35:07 status unpacked libssl1.0.0:amd64 1.0.2g-1ubuntu4.8
2017-08-08 13:35:07 status half-configured libssl1.0.0:amd64 1.0.2g-1ubuntu4.8
2017-08-08 13:35:07 status installed libssl1.0.0:amd64 1.0.2g-1ubuntu4.8
2017-08-08 13:35:07 configure libssl-dev:amd64 1.0.2g-1ubuntu4.8 <none>
2017-08-08 13:35:07 status unpacked libssl-dev:amd64 1.0.2g-1ubuntu4.8
2017-08-08 13:35:07 status half-configured libssl-dev:amd64 1.0.2g-1ubuntu4.8
2017-08-08 13:35:07 status installed libssl-dev:amd64 1.0.2g-1ubuntu4.8
2017-08-08 13:35:07 configure openssl:amd64 1.0.2g-1ubuntu4.8 <none>
2017-08-08 13:35:07 status unpacked openssl:amd64 1.0.2g-1ubuntu4.8
2017-08-08 13:35:07 status unpacked openssl:amd64 1.0.2g-1ubuntu4.8
2017-08-08 13:35:07 status half-configured openssl:amd64 1.0.2g-1ubuntu4.8
2017-08-08 13:35:07 status installed openssl:amd64 1.0.2g-1ubuntu4.8
2017-08-08 13:35:07 trigproc libc-bin:amd64 2.23-0ubuntu3 <none>
2017-08-08 13:35:07 status half-configured libc-bin:amd64 2.23-0ubuntu3
2017-08-08 13:35:07 status installed libc-bin:amd64 2.23-0ubuntu3
2017-08-08 13:35:07 startup packages configure
Update 2
Output of stat /etc/ssh/*.pub:
  File: '/etc/ssh/ssh_host_dsa_key.pub'
  Size: 616        Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 655785      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2017-08-21 02:59:11.029155361 -0400
Modify: 2017-08-20 02:58:40.092000000 -0400
Change: 2017-08-20 02:58:40.092000000 -0400
 Birth: -
  File: '/etc/ssh/ssh_host_ecdsa_key.pub'
  Size: 188        Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 655834      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2017-08-21 02:59:11.029155361 -0400
Modify: 2017-08-20 02:58:40.104000000 -0400
Change: 2017-08-20 02:58:40.104000000 -0400
 Birth: -
  File: '/etc/ssh/ssh_host_ed25519_key.pub'
  Size: 108        Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 655966      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2017-08-21 02:59:11.029155361 -0400
Modify: 2017-08-20 02:58:40.124000000 -0400
Change: 2017-08-20 02:58:40.124000000 -0400
 Birth: -
  File: '/etc/ssh/ssh_host_rsa_key.pub'
  Size: 408        Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 655745      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2017-08-21 02:59:11.029155361 -0400
Modify: 2017-08-20 02:58:39.884000000 -0400
Change: 2017-08-20 02:58:39.884000000 -0400
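The first thing a responder would establish from the auth.log above is where on the boot timeline the account creation sits. Between the old sshd logging "Received signal 15; terminating." and the new sshd logging "Server listening", nobody can be typing over SSH, so a useradd/groupadd/passwd in that interval was run by something that executes at boot (init scripts or first-boot provisioning such as cloud-init on Ubuntu cloud images, which creates a default ubuntu user and regenerates host keys on what it considers a first boot), whereas the same events after sshd is up have to be matched against a login session. The stat output in Update 2 places the host-key rewrites in that same second, which is worth noting alongside the user creation. The following script is an added example, not code from the original post: it parses syslog-format lines, reconstructs that window and classifies each new account. The embedded log is a trimmed, constructed copy of the excerpt posted above, the year 2017 is assumed because syslog timestamps carry no year, and the set of groups treated as privileged is this example's own choice.

```python
"""Triage an auth.log excerpt: was each new account created inside the boot
window (no sshd listening) or after sshd came up (needs a matching session)?
Added example; the sample log is a constructed subset of the posted excerpt."""
import re
from datetime import datetime

# Constructed sample: trimmed copy of the auth.log excerpt in the post.
SAMPLE_AUTH_LOG = """\
Aug 20 02:58:24 localhost sudo: pam_unix(sudo:session): session opened for user root by admin(uid=0)
Aug 20 02:58:24 localhost sshd[12486]: pam_unix(sshd:session): session closed for user admin
Aug 20 02:58:24 localhost sshd[2425]: Received signal 15; terminating.
Aug 20 02:58:33 localhost systemd-logind[1279]: New seat seat0.
Aug 20 02:58:39 localhost groupadd[2433]: new group: name=lxd, GID=1001
Aug 20 02:58:39 localhost useradd[2437]: new group: name=ubuntu, GID=1002
Aug 20 02:58:39 localhost useradd[2437]: new user: name=ubuntu, UID=1001, GID=1002, home=/home/ubuntu, shell=/bin/bash
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to group 'adm'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to group 'sudo'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to group 'lxd'
Aug 20 02:58:39 localhost useradd[2437]: add 'ubuntu' to shadow group 'sudo'
Aug 20 02:58:39 localhost passwd[2442]: password for 'ubuntu' changed by 'root'
Aug 20 02:58:40 localhost sshd[2451]: Server listening on 0.0.0.0 port 22.
Aug 20 02:59:14 localhost sshd[2655]: Connection closed by 47.31.15.188 port 62746 [preauth]
Aug 20 03:00:01 localhost CRON[2662]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
"""

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message" (pid optional).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<prog>[A-Za-z0-9_.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
NEW_USER_RE = re.compile(r"new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)")
ADD_GROUP_RE = re.compile(r"add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")  # skips "shadow group"
PASSWD_RE = re.compile(r"password for '(?P<name>[^']+)' changed by '(?P<by>[^']+)'")
PRIVILEGED = {"sudo", "adm", "lxd", "docker", "wheel"}  # this example's choice

def parse_auth_log(text, year=2017):
    """Yield (timestamp, program, message) for each well-formed syslog line."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["prog"], m["msg"]

def triage(text, year=2017):
    """Return the sshd down/up timestamps, every account created, and the
    peers seen only in [preauth], marking accounts created in the boot window."""
    sshd_down = sshd_up = None
    accounts = {}
    preauth_peers = set()
    for ts, prog, msg in parse_auth_log(text, year):
        if prog == "sshd" and "Received signal 15" in msg:
            sshd_down = ts                      # old daemon stopping: window opens
        elif prog == "sshd" and msg.startswith("Server listening"):
            sshd_up = sshd_up or ts             # new daemon accepting: window closes
        elif prog == "useradd" and (m := NEW_USER_RE.search(msg)):
            accounts[m["name"]] = {"created": ts, "uid": int(m["uid"]), "groups": [],
                                   "passwd_by": None, "in_boot_window": False}
        elif prog == "useradd" and (m := ADD_GROUP_RE.search(msg)):
            if m["name"] in accounts:
                accounts[m["name"]]["groups"].append(m["group"])
        elif prog == "passwd" and (m := PASSWD_RE.search(msg)):
            if m["name"] in accounts:
                accounts[m["name"]]["passwd_by"] = m["by"]
        elif prog == "sshd" and "[preauth]" in msg:
            peer = re.search(r"by (\S+) port", msg)
            if peer:
                preauth_peers.add(peer.group(1))
    for a in accounts.values():
        a["in_boot_window"] = (sshd_down is not None and sshd_up is not None
                               and sshd_down <= a["created"] <= sshd_up)
    return {"sshd_down": sshd_down, "sshd_up": sshd_up,
            "accounts": accounts, "preauth_peers": sorted(preauth_peers)}

def findings(report):
    """One line per account plus the pre-auth peers, ready for a ticket."""
    out = []
    for name, a in report["accounts"].items():
        where = ("inside the boot window (before sshd was listening)" if a["in_boot_window"]
                 else "after sshd came up: match it to a login session")
        priv = sorted(set(a["groups"]) & PRIVILEGED)
        out.append(f"account {name} (uid {a['uid']}) created {a['created']:%b %d %H:%M:%S} "
                   f"{where}; privileged groups: {priv}; password set by {a['passwd_by']}")
    if report["preauth_peers"]:
        out.append("pre-auth connection attempts from: " + ", ".join(report["preauth_peers"]))
    return out

if __name__ == "__main__":
    for line in findings(triage(SAMPLE_AUTH_LOG)):
        print(line)
```

Run it against the real file with `triage(open("/var/log/auth.log").read())`; an account that lands outside the boot window is the one to chase through the sshd session lines and sudo entries around its timestamp, while the `[preauth]` peers are only connection attempts that never authenticated.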