A true record of a suspected Alibaba Cloud SMS theft in production

Background

    The marketing system has a scheduled task that changes orders awaiting payment to "cancelled"; it runs once every five minutes. If the business logic throws an exception while the task is executing, an SMS reminder is sent to the responsible developers. We started receiving these "abnormal business execution" reminders every few minutes. At first we assumed this was because there really was an abnormal execution in the test or production environment, but after investigation the task was running normally in both environments. I was very curious at the time how this problem could occur at all.

Process

    After getting in touch with Alibaba Cloud customer service and giving them the sending time of one of the messages, it turned out that the IP of the server that sent the SMS was in Rizhao, which was obviously not our business server. At this point it seemed basically confirmed that the SMS sending service was being abused, and the feedback from Alibaba Cloud was that the AK information (secretId and secretKey) of the SMS service had been leaked. Their suggestion was to replace the AK first and then observe whether messages were still being sent. Note that an Alibaba Cloud account can have many users, each with different permissions. Find the user that holds the SMS service permissions, first create a new AK for it, deploy the new AK to the application, and only then disable the original AK (if the old one is not disabled, multiple AKs remain valid at the same time). After this was done, the developers stopped receiving SMS, so at first glance the problem had been dealt with.

Thoughts

    One thing that is still unclear: the exception SMS reminder is sent by a scheduled task inside the application, and that interface is not exposed externally. How the other party managed to trigger the call is still a mystery. And what would anyone gain from stealing text messages? Making us buy SMS packages over and over? Anyone with ideas is welcome to advise in the comments.
    Also, Alibaba Cloud AK information should be rotated regularly. It does seem that an AK left unchanged for too long runs a real risk of being leaked or cracked.

Supplement

    The problem is now basically clear. A new colleague's local project was throwing exceptions, and that is what triggered the scheduled SMS exception reminders. At the time he did consider that his local project might be the cause, but he ruled it out for two reasons. First, after stopping his local project he still received a text message, so he wrongly dismissed his project as the reason. In fact the scheduled task runs at five-minute intervals, and it just so happened that the message was sent by a run that completed right as he stopped the task. The second thing that cleared him of suspicion was the sending IP that Alibaba Cloud customer service looked up for the SMS: 140.75.156.48, a completely unfamiliar address, which immediately made us think of a network security incident. The problem reappeared a few days later because the AK I had rotated had also been updated in his local project while everything else stayed unchanged. From 18:36, history began to repeat itself. I confirmed with Alibaba Cloud's network colleagues that the vulnerabilities shown in the console would not lead to the server's code being leaked or analysed. In addition, the SMS team checked the IP that sent the messages and found it was in our own city. At this point I basically had no idea left and felt quite helpless. I also wondered whether it was a problem with the @Scheduled thread, and finally went through the reasoning once more: there was no possibility of an attack on Alibaba Cloud's server security, and no possibility of the Alibaba Cloud SMS service sending abnormally, so it could only be the application itself. If text messages are still received after the production application service is stopped, then they are not coming from production; it can only be one of the few people who have the project code. I tried asking the new recruit, and his project was still running. The time was 21:35; I was still racking my brains at the company while he was continuously "empowering" me from home. I checked his home IP, and it matched Alibaba Cloud's feedback exactly.
At this point the truth of the incident came to light. This production issue is definitely the best of the year! Thanks for helping me grow!
    In addition, regarding AK leaks: the scenario one would expect is a particularly high volume of fraudulent SMS sending, which does not match what I encountered.
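One way to stop a developer's local run from sending production alerts, as an added example that is not the author's code: guard the Spring @Scheduled job by profile and stamp every alert SMS with the active profile and hostname, so a message from a workstation identifies itself at once (SmsAlertSender, OrderCancelJob and the profile names are assumptions).

```java
// Added example, not from the original post. SmsAlertSender is a hypothetical
// wrapper around the SMS client; the five-minute cadence mirrors the post.
import java.net.InetAddress;
import org.springframework.context.annotation.Profile;
import org.springframework.core.env.Environment;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.stereotype.Component;

@Component
@Profile("prod")   // bean is never created under a "local" or "test" profile,
                   // so a workstation running the project cannot fire the job
public class OrderCancelJob {

    private final Environment env;
    private final SmsAlertSender sms;

    public OrderCancelJob(Environment env, SmsAlertSender sms) {
        this.env = env;
        this.sms = sms;
    }

    // Same cadence as the post: once every five minutes.
    @Scheduled(fixedRate = 5 * 60 * 1000)
    public void cancelPendingOrders() {
        try {
            cancelExpiredPendingOrders();   // business logic, omitted here
        } catch (Exception e) {
            sms.send(alertText(e));
        }
    }

    private void cancelExpiredPendingOrders() { /* pending -> cancelled */ }

    // Defence in depth: even if someone starts a local run with the prod
    // profile, the alert names its origin, so the hostname in the SMS points
    // straight at the machine that sent it instead of at an "unknown IP".
    String alertText(Exception e) {
        String host;
        try {
            host = InetAddress.getLocalHost().getHostName();
        } catch (Exception ignored) {
            host = "unknown-host";
        }
        String profiles = String.join(",", env.getActiveProfiles());
        return "[" + profiles + "@" + host + "] order-cancel job failed: "
                + e.getMessage();
    }
}

interface SmsAlertSender { void send(String text); }
```

Keep the production AK out of the local profile's configuration as well; the guard above limits the blast radius, but a credential that only exists in production cannot be used from a workstation at all.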

Origin blog.csdn.net/weixin_43401380/article/details/131694225