Analyze the /var/log/secure log. One look was enough to be alarmed: the log had already rolled over into four files, each recording a large number of login attempts. Run the command:
- cat secure-20150317 | grep 'Failed password' | cut -d " " -f 9,10,11 | sort | uniq
The result is as follows (note that `cut -d " "` counts every space as a field separator, so the field numbers only line up for two-digit days such as "Mar 10"; single-digit days like "Mar  9" carry an extra space and shift the fields by one):
- invalid user admin
- invalid user dacx
- invalid user details3
- invalid user drishti
- invalid user ferreluque
- invalid user git
- invalid user hall
- invalid user jparksu
- invalid user last
- invalid user patrol
- invalid user paul
- invalid user pgadmin
- invalid user postgres
- invalid user public
- invalid user sauser
- invalid user siginspect
- invalid user sql
- invalid user support
- invalid user sys
- invalid user sysadmin
- invalid user system
- invalid user taz
- invalid user test
- invalid user tiptop
- invalid user txl5460
- invalid user ubnt
- invalid user www
- mysql from 10.10.10.1
- oracle from 10.10.10.1
- root from 10.10.10.1
It is clear that the attack program kept trying different accounts and passwords. Then, near the end of the file, the following two lines turned up, showing that the host had been broken into:
- Mar 9 20:35:30 localhost sshd[30379]: Accepted password for oracle from 10.10.10.1 port 56906 ssh2
- Mar 9 20:35:30 localhost sshd[30379]: pam_unix(sshd:session): session opened for user oracle by (uid=0)
So the password of the oracle account was guessed, and the attacker logged into the system successfully.
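The manual grep/cut/sort/uniq pass above works, but it does not connect the failures to the eventual success. The following script, added here as an example rather than taken from the article, parses sshd lines in the /var/log/secure format, counts failures per source address and per tried username, and flags any "Accepted" login that was preceded (in log order) by a run of failures from the same source IP. The log lines it runs on are constructed samples in the same format as the article's lines (the 10.10.10.1 address and the oracle account come from the article; the timestamps, PIDs, ports and the 192.0.2.7 "deploy" login are made up). The `threshold` of 3 prior failures is an arbitrary choice, not something the article specifies.

```python
import re
from collections import Counter

# Constructed sample lines in /var/log/secure (sshd) format; not copied from the article's host.
SAMPLE_LOG = """\
Mar 10 20:31:02 localhost sshd[30011]: Failed password for invalid user admin from 10.10.10.1 port 55012 ssh2
Mar 10 20:31:05 localhost sshd[30014]: Failed password for invalid user postgres from 10.10.10.1 port 55020 ssh2
Mar 10 20:31:09 localhost sshd[30020]: Failed password for root from 10.10.10.1 port 55031 ssh2
Mar 10 20:31:12 localhost sshd[30025]: Failed password for oracle from 10.10.10.1 port 55040 ssh2
Mar 10 20:31:15 localhost sshd[30030]: Failed password for oracle from 10.10.10.1 port 55047 ssh2
Mar 10 20:35:30 localhost sshd[30379]: Accepted password for oracle from 10.10.10.1 port 56906 ssh2
Mar 10 20:35:30 localhost sshd[30379]: pam_unix(sshd:session): session opened for user oracle by (uid=0)
Mar 11 08:02:41 localhost sshd[31002]: Accepted publickey for deploy from 192.0.2.7 port 41000 ssh2
"""

# "\w{3}\s+\d{1,2}" tolerates the double space syslog uses for single-digit days ("Mar  9"),
# which is exactly what trips up a fixed-field cut -d " " pipeline.
_PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(
    _PREFIX + r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    _PREFIX + r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(log_text):
    """Return authentication events in log order; lines that are neither a failure nor an accept are skipped."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append({"kind": "failed", "ts": m["ts"], "user": m["user"],
                           "ip": m["ip"], "invalid_user": m["invalid"] is not None})
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            events.append({"kind": "accepted", "ts": m["ts"], "user": m["user"],
                           "ip": m["ip"], "method": m["method"]})
    return events


def failures_by_source(events):
    """Number of failed password attempts per source IP."""
    return Counter(e["ip"] for e in events if e["kind"] == "failed")


def failures_by_user(events):
    """Equivalent of the article's cut|sort|uniq view: (user, source IP, was-it-an-invalid-user) -> count."""
    return Counter((e["user"], e["ip"], e["invalid_user"]) for e in events if e["kind"] == "failed")


def suspicious_logins(events, threshold=3):
    """Accepted logins that were preceded in log order by at least `threshold` failures from the same IP."""
    seen_failures = Counter()
    hits = []
    for e in events:
        if e["kind"] == "failed":
            seen_failures[e["ip"]] += 1
        elif e["kind"] == "accepted" and seen_failures[e["ip"]] >= threshold:
            hits.append({**e, "prior_failures": seen_failures[e["ip"]]})
    return hits


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("failures per source:", dict(failures_by_source(ev)))
    for (user, ip, invalid), n in sorted(failures_by_user(ev).items()):
        print(f"  {'invalid user ' if invalid else ''}{user} from {ip}: {n}")
    for h in suspicious_logins(ev):
        print(f"ALERT {h['ts']}: {h['user']} accepted via {h['method']} from {h['ip']} "
              f"after {h['prior_failures']} failures from that address")
```

Run it against a real file with `parse_events(open("/var/log/secure").read())`. The "invalid user" flag is worth keeping separate: those names do not exist on the host, whereas failures against real accounts (root, oracle, mysql in the article's listing) show which accounts the attacker knew or guessed correctly and are the ones to check for a following "Accepted" line.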
3.2 Reconstructing the attacker's actions