How I dealt with a Tencent Cloud host hit by the RANSOMWARE ([email protected]) "ransomware"

When I got to work today, Tencent Cloud suddenly sent me an email saying that my student-tier server had been logged into from an unusual location, so I hurried to connect with Xshell and take a look.

What I got was the message below:

Hi, please view here: https://pastebin.com/raw/eFDC9giY for information on how to obtain your files!

The page at that URL read:

YOU HAVE BEEN INFECTED WITH RANSOMWARE | YOU HAVE BEEN INFECTED WITH RANSOMWARE
You have been hacked.
When you were hacked, your files were sent to a server that we control and removed from you.
You must pay 0.25 BITCOIN to get your files back and prevent them from being leaked to this address:
14z9Rbpw5SozMuMRRrdwcKaSs4PsxiEHRE
We are the only ones in the world that can provide your files for you!
When you have sent payment, send e-mail to [email protected] with: 
2) SERVER IP ADDRESS 
3) BTC TRANSACTION ID
FBI SUGGEST TO JUST PAY: https://www.tripwire.com/state-of-security/latest-security-news/ransomware-victims-should-just-pay-the-ransom-says-the-fbi/
When you pay, you will receive an FTP account where you can retrieve your files and delete all your data from us. If you do not pay, at end of the month we will collect all data that remains on server and leak it.
HOW TO PURCHASE BITCOIN:
You can purchase bitcoin from following:
http://localbitcoins.com
http://kraken.com
http://okcoin.com
http://coinbase.com
You can message [email protected] for support, but we will not respond to questions such as "can i see files first?" because we do not have time for this
When you have sent payment, put [PAID] in email subject so we can attend to you before others!

Roughly, it says the machine has been hacked and I have to pay in Bitcoin.

My first thought was that the only things on that machine were a BT Panel (宝塔) install, the MySQL and phpMyAdmin that came with it, and a Redis instance I had set up for my own testing. A Baidu search turned up two other bloggers who had run into the same thing, and there was an article abroad about it as well; a comment under it said the attackers had simply used Redis to gain access, that there was no need to pay, and that they had not stored any files at all.

I read that article; in short, the root cause was a Redis service exposed to the public Internet. The attackers drove Redis and then ran the following commands:

rm -rf /var/www/
rm -rf /usr/share/nginx
rm -rf /var/lib/mysql/
rm -rf /data/
echo "Hi, please view: http://termbin.com/um7t for further information in regards to your files" > /root/READ_TO_DECRYPT
echo "Hi, please view: http://termbin.com/um7t for further information in regards to your file!" > /etc/motd

The fix is as follows:

The simplest way to keep attackers from wrecking a Redis instance is not to expose it to the Internet at all. If Redis really must be reachable from outside, there are a few measures that lock it down:

Set an AUTH password: Redis can be configured (requirepass) to require a password on every connection. When you set one, make it long and random; AUTH requests are cheap to send, so a short password is easy to brute-force over the network.

Rename or disable the CONFIG command: with the rename-command directive, CONFIG can be renamed to something unguessable or disabled outright by renaming it to an empty string. If you do not need the command, disabling it is strongly recommended.

Finally, as with any software exposed to the Internet, keeping Redis up to date is essential. Redis 3.2.0 added a feature called protected mode: when an instance finds itself bound to all interfaces with no password configured, it refuses commands from any client that is not connecting over loopback, which stops an accidentally insecure deployment from being compromised. One caveat: protected mode only engages when there is no bind directive at all, so explicitly writing bind 0.0.0.0 into the config switches it off again.
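To make the three points above concrete, here is an added example (my own code, written for this post; it is not from the original article or from the Redis project) that audits a redis.conf against them: whether the instance is bound to a public interface, whether requirepass is set and long enough, whether CONFIG has been renamed or disabled, and whether protected mode would actually engage. The three sample configs are constructed for the example, the password in the hardened one is a placeholder, and the 32-character minimum is this script's own threshold rather than a Redis rule. It goes slightly beyond the text by modelling the documented protected-mode rule (no bind directive, no password) so that the "bind 0.0.0.0 with no password" trap shows up as a finding.

```python
"""Audit a redis.conf against the hardening points from the post:
exposure (bind), requirepass, the CONFIG command, and whether
protected mode would actually be in effect.  Added example, not the
post's own code or Redis's."""
import shlex

# Constructed sample: an instance that was "opened up" for remote testing.
WEAK_CONF = """\
port 6379
bind 0.0.0.0
protected-mode yes
daemonize yes
"""

# Constructed sample: stock 3.2+ defaults, nothing bound, nothing set.
DEFAULT_CONF = """\
port 6379
protected-mode yes
"""

# Constructed sample: the same instance locked down.  The password is a
# placeholder for this example; generate your own (e.g. openssl rand -base64 32).
HARDENED_CONF = """\
port 6379
bind 127.0.0.1
protected-mode yes
requirepass 5xkq8V0nR3mZ2tJd7bW1yL9pQ4sE6hC0aU8gN2fT
rename-command CONFIG ""
"""

WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "::*"}


def parse_redis_conf(text):
    """Return {directive: [argument lists]} for a redis.conf body.

    Redis treats a line as a comment only when it *starts* with '#';
    a '#' later on the line is a real argument, so it is not stripped.
    shlex does the quoting, so `rename-command CONFIG ""` yields an
    empty second argument, which is how Redis disables a command.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit(conf, min_password_len=32):
    """Return a list of (severity, message) findings; empty means clean.

    min_password_len is this example's threshold (assumption): AUTH is
    cheap to try over the network, so short secrets buy little.
    """
    findings = []

    # 1. Exposure: no bind line means every interface; a wildcard is the same.
    binds = [a.lstrip("-") for args in conf.get("bind", []) for a in args]
    exposed = not binds or any(b in WILDCARD_ADDRS for b in binds)
    if not binds:
        findings.append(("warn", "bind: no bind directive, Redis listens on every interface"))
    elif exposed:
        findings.append(("crit", "bind: wildcard address (%s), reachable by anyone who can reach the host" % ", ".join(binds)))

    # 2. AUTH: the last requirepass line wins, as in Redis itself.
    pw_args = conf.get("requirepass", [[]])[-1]
    password = pw_args[0] if pw_args else ""
    if not password:
        findings.append(("crit", "requirepass: not set, no AUTH required"))
    elif len(password) < min_password_len:
        findings.append(("warn", "requirepass: %d chars is short for a secret that can be brute-forced online" % len(password)))

    # 3. CONFIG: renamed to "" disables it; any other rename at least hides it.
    renames = {args[0].upper(): args[1] for args in conf.get("rename-command", []) if len(args) == 2}
    if "CONFIG" not in renames:
        findings.append(("warn", "rename-command: CONFIG is still reachable under its real name"))

    # 4. Protected mode, as documented for 3.2: active only with
    #    protected-mode yes, *no* bind directive at all, and no password.
    #    An explicit `bind 0.0.0.0` counts as "bound" and switches it off.
    pm_args = conf.get("protected-mode", [["yes"]])[-1]
    pm_yes = (pm_args[0].lower() if pm_args else "yes") == "yes"
    pm_active = pm_yes and not binds and not password
    if pm_active:
        findings.append(("info", "protected-mode: currently the only thing refusing remote clients; adding a bind line without a password would open the instance"))
    elif exposed and not password:
        findings.append(("crit", "protected-mode: not in effect here, the instance accepts unauthenticated remote clients"))
    return findings


def worst(findings):
    """Collapse a findings list to its worst severity ('clean' if none)."""
    order = {"info": 1, "warn": 2, "crit": 3}
    return max((sev for sev, _ in findings), key=order.get, default="clean")


if __name__ == "__main__":
    for name, body in (("weak", WEAK_CONF), ("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        fs = audit(parse_redis_conf(body))
        print("%s: %s" % (name, worst(fs)))
        for sev, msg in fs:
            print("  [%s] %s" % (sev, msg))
```

Run it against your live /etc/redis/redis.conf (or whatever path BT Panel installed it to) by reading the file into `parse_redis_conf`; the interesting case is the "default" sample, which is only safe because protected mode happens to be active, and the "weak" one, where one added bind line turned that safety net off.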


Reposted from blog.csdn.net/rochenhack/article/details/85125232