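I don't know whether PURE-FTPD has a vulnerability or whether there is some other cause, but every JS file on the website has been injected with malicious code. Looking at syslog under /var/log, I found that the connection came in through pure-ftpd: within just a few seconds, all the js files under the website were automatically downloaded, and then files with the same names, now carrying the injected code, were uploaded. pureftp does not allow anonymous connections, and the only username and password are not exactly simple. System: ubuntu20.04, LNMP version: 1.9 official release.
The LOG file follows: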
Nov 14 18:36:22 instance-20220813-4081 pure-ftpd: (?@172.81.104.64) [INFO] New connection from 172.81.104.64
Nov 14 18:36:22 instance-20220813-4081 pure-ftpd: (?@172.81.104.64) [INFO] myFtp is now logged in
Nov 14 18:36:22 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/calendarHandler.js downloaded (4933 bytes, 69674.37KB/sec)
Nov 14 18:36:23 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/calendarHandler.js uploaded (14384 bytes, 353.30KB/sec)
Nov 14 18:36:23 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/calendarObj.js downloaded (27475 bytes, 330992.94KB/sec)
Nov 14 18:36:23 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/calendarObj.js uploaded (36926 bytes, 455.42KB/sec)
Nov 14 18:36:23 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/common.js downloaded (30809 bytes, 165174.95KB/sec)
Nov 14 18:36:24 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/common.js uploaded (40260 bytes, 433.86KB/sec)
Nov 14 18:36:24 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/dataHandler.js downloaded (11633 bytes, 67682.91KB/sec)
Nov 14 18:36:24 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/dataHandler.js uploaded (21084 bytes, 228.32KB/sec)
Nov 14 18:36:24 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/jquery-1.js downloaded (72328 bytes, 1576.17KB/sec)
Nov 14 18:36:25 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/jquery-1.js uploaded (81779 bytes, 617.09KB/sec)
Nov 14 18:36:25 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/json.js downloaded (5093 bytes, 36856.76KB/sec)
Nov 14 18:36:25 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/json.js uploaded (14544 bytes, 326.49KB/sec)
Nov 14 18:36:25 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/makeCal.js downloaded (59202 bytes, 326367.96KB/sec)
Nov 14 18:36:26 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/makeCal.js uploaded (68653 bytes, 486.10KB/sec)
Nov 14 18:36:26 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/workTime.js downloaded (4956 bytes, 27175.07KB/sec)
Nov 14 18:36:26 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/workTime.js uploaded (14407 bytes, 327.86KB/sec)
The exact malicious code that was injected can be seen at this address: https://segmentfault.com/q/1010000042809600/a-1020000042812410
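Added example, not part of the original post: a Python sketch that pairs pure-ftpd `downloaded`/`uploaded` events per user, IP and path, and reports when many rewritten files grew by the same number of bytes. In the log above every re-uploaded file is exactly 9451 bytes larger than the copy that was downloaded, which is the pattern this check looks for. The function names, the `min_files` threshold and the last sample line (user `deploy`, 192.0.2.10) are assumptions made for the example.

```python
import re
from collections import Counter

# First six lines are copied from the log in the post; the last one is a
# constructed benign upload (user "deploy", 192.0.2.10) for contrast.
SAMPLE = """\
Nov 14 18:36:22 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/calendarHandler.js downloaded (4933 bytes, 69674.37KB/sec)
Nov 14 18:36:23 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/calendarHandler.js uploaded (14384 bytes, 353.30KB/sec)
Nov 14 18:36:23 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/calendarObj.js downloaded (27475 bytes, 330992.94KB/sec)
Nov 14 18:36:23 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/calendarObj.js uploaded (36926 bytes, 455.42KB/sec)
Nov 14 18:36:23 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/common.js downloaded (30809 bytes, 165174.95KB/sec)
Nov 14 18:36:24 instance-20220813-4081 pure-ftpd: (myFtp@172.81.104.64) [NOTICE] /home/wwwroot//default/common.js uploaded (40260 bytes, 433.86KB/sec)
Nov 14 19:02:10 instance-20220813-4081 pure-ftpd: (deploy@192.0.2.10) [NOTICE] /home/wwwroot//default/style.css uploaded (2048 bytes, 300.00KB/sec)
"""

# Matches the transfer lines in the syslog format shown in the post.
LINE = re.compile(
    r"pure-ftpd: \((?P<user>[^@]+)@(?P<ip>[^)]+)\) \[NOTICE\] "
    r"(?P<path>.+?) (?P<op>downloaded|uploaded) \((?P<size>\d+) bytes"
)

def find_rewrites(log_text):
    """Return (user, ip, path, old_size, new_size) for every file that the
    same user and IP downloaded and then uploaded again under the same path."""
    pending, hits = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # connection/login lines and unrelated syslog entries
        key = (m["user"], m["ip"], m["path"])
        size = int(m["size"])
        if m["op"] == "downloaded":
            pending[key] = size
        elif key in pending:  # upload that overwrites a file just fetched
            hits.append((*key, pending.pop(key), size))
    return hits

def constant_growth(hits, min_files=3):
    """Return the byte delta shared by at least min_files rewritten files,
    or None. A fixed positive delta points to one appended payload."""
    deltas = Counter(new - old for *_, old, new in hits)
    if not deltas:
        return None
    delta, count = deltas.most_common(1)[0]
    return delta if delta > 0 and count >= min_files else None

if __name__ == "__main__":
    rewrites = find_rewrites(SAMPLE)
    for user, ip, path, old, new in rewrites:
        print(f"{user}@{ip} rewrote {path}: {old} -> {new} bytes")
    print("shared growth in bytes:", constant_growth(rewrites))
```

Run against the full `/var/log/syslog`, the reported paths are the files to restore from a known-good copy, and the user and IP identify the FTP credential to rotate.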