My home/user directory was deleted from the server. Can I find out from the security log how this was done?


I have a server running on AWS with cPanel from cpanel.net. The web server is Apache and the OS is CentOS 7. Today all 10 of my websites suddenly stopped responding and showed a 521 error. After a few minutes of investigation I found that there were no folders/files at all under home/user in my file manager, and all 10 sites, their databases, emails, etc. were gone. I have a snapshot on Amazon, so I can restore the backup on the server, but I am keeping the old backup for the investigation. I can see many connection attempts in the security log, but I don't really understand what is going on or how someone was able to connect and delete everything. I will paste the log below so that someone can help me.

The Amazon team said it could have been a hacker's mistake or a mistake by the cPanel support team, but the second option doesn't seem very likely, since professionals don't make such silly mistakes, and they also confirmed that they did not do it.

I argued with someone who claimed to be a hacker, but I am not sure whether they actually did this.

Please read this and give me a hint about what is happening. Note: none of the earlier logs for these exist. I also noticed that commands are being executed very frequently, like 3 to 10 commands per second.

This one:

    [ec2-user@ip-172-31-13-2 log]$ sudo cat secure
    Feb 12 15:19:15 server polkitd[583]: Loading rules from directory /etc/polkit-1/rules.d
    Feb 12 15:19:15 server polkitd[583]: Loading rules from directory /usr/share/polkit-1/rules.d
    Feb 12 15:19:15 server polkitd[583]: Finished loading, compiling and executing 2 rules
    Feb 12 15:19:15 server polkitd[583]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
    Feb 12 15:19:20 server sshd[1257]: Server listening on 0.0.0.0 port 22.
    Feb 12 15:19:20 server sshd[1257]: Server listening on :: port 22.
    Feb 12 15:21:22 server sshd[1998]: Invalid user hduser from 111.229.235.119 port 51986
    Feb 12 15:21:22 server sshd[1998]: input_userauth_request: invalid user hduser [preauth]
    Feb 12 15:21:22 server sshd[1998]: Received disconnect from 111.229.235.119 port 51986:11: Bye Bye [preauth]
    Feb 12 15:21:22 server sshd[1998]: Disconnected from 111.229.235.119 port 51986 [preauth]
    Feb 12 15:27:12 server polkitd[580]: Loading rules from directory /etc/polkit-1/rules.d
    Feb 12 15:27:12 server polkitd[580]: Loading rules from directory /usr/share/polkit-1/rules.d
    Feb 12 15:27:12 server polkitd[580]: Finished loading, compiling and executing 2 rules
    Feb 12 15:27:12 server polkitd[580]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
    Feb 12 15:27:19 server sshd[1297]: Server listening on 0.0.0.0 port 22.
    Feb 12 15:27:19 server sshd[1297]: Server listening on :: port 22.
    Feb 12 15:27:29 server sshd[1833]: Did not receive identification string from 87.251.64.186 port 45362
    Feb 12 15:27:30 server sshd[1835]: Connection closed by 87.251.64.186 port 50330 [preauth]
    Feb 12 15:27:30 server sshd[1834]: Invalid user 0101 from 87.251.64.186 port 50108
    Feb 12 15:27:30 server sshd[1834]: input_userauth_request: invalid user 0101 [preauth]
    Feb 12 15:27:30 server sshd[1834]: Connection closed by 87.251.64.186 port 50108 [preauth]
    Feb 12 15:29:27 server sshd[1987]: Invalid user aaron from 103.37.151.84 port 49382
    Feb 12 15:29:27 server sshd[1987]: input_userauth_request: invalid user aaron [preauth]
    Feb 12 15:29:27 server sshd[1987]: Received disconnect from 103.37.151.84 port 49382:11: Bye Bye [preauth]
    Feb 12 15:29:27 server sshd[1987]: Disconnected from 103.37.151.84 port 49382 [preauth]
    Feb 12 15:34:32 server sshd[2234]: Invalid user agustina from 103.45.184.234 port 53762
    Feb 12 15:34:32 server sshd[2234]: input_userauth_request: invalid user agustina [preauth]
    Feb 12 15:34:33 server sshd[2234]: Received disconnect from 103.45.184.234 port 53762:11: Bye Bye [preauth]
    Feb 12 15:34:33 server sshd[2234]: Disconnected from 103.45.184.234 port 53762 [preauth]
    Feb 12 15:38:50 server sshd[2578]: Connection closed by 222.119.218.120 port 13597 [preauth]
    Feb 12 15:39:31 server sshd[2617]: Accepted publickey for root from 222.119.218.120 port 55062 ssh2: RSA SHA256:cnhuplyGAzI1x1W2DudZZq7CN6qi1oMqTdtdi5VqnRc
    Feb 12 15:39:31 server sshd[2617]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Feb 12 15:39:31 server sshd[2617]: pam_lastlog(sshd:session): unable to open /var/log/lastlog: No such file or directory
    Feb 12 15:39:33 server sshd[2627]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:39:33 server sshd[2627]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:41:59 server sshd[2822]: Received disconnect from 123.58.213.220 port 44408:11: Bye Bye [preauth]
    Feb 12 15:41:59 server sshd[2822]: Disconnected from 123.58.213.220 port 44408 [preauth]
    Feb 12 15:42:49 server sshd[2865]: Did not receive identification string from 81.161.63.103 port 44104
    Feb 12 15:42:58 server sshd[2869]: Connection reset by 81.161.63.103 port 43178 [preauth]
    Feb 12 15:43:01 server sshd[2867]: Connection reset by 81.161.63.103 port 43168 [preauth]
    Feb 12 15:43:01 server sshd[2868]: Connection reset by 81.161.63.103 port 43152 [preauth]
    Feb 12 15:43:02 server sshd[2874]: Connection reset by 81.161.63.103 port 43194 [preauth]
    Feb 12 15:43:02 server sshd[2877]: Accepted publickey for root from 222.119.218.120 port 16725 ssh2: RSA SHA256:cnhuplyGAzI1x1W2DudZZq7CN6qi1oMqTdtdi5VqnRc
    Feb 12 15:43:03 server sshd[2877]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Feb 12 15:43:03 server sshd[2877]: pam_lastlog(sshd:session): unable to open /var/log/lastlog: No such file or directory
    Feb 12 15:43:04 server sshd[2924]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:43:04 server sshd[2924]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:43:32 server sshd[3150]: Invalid user liangyzh from 190.104.149.194 port 55456
    Feb 12 15:43:32 server sshd[3150]: input_userauth_request: invalid user liangyzh [preauth]
    Feb 12 15:43:32 server sshd[3150]: Received disconnect from 190.104.149.194 port 55456:11: Bye Bye [preauth]
    Feb 12 15:43:32 server sshd[3150]: Disconnected from 190.104.149.194 port 55456 [preauth]
    Feb 12 15:46:00 server polkitd[583]: Loading rules from directory /etc/polkit-1/rules.d
    Feb 12 15:46:00 server polkitd[583]: Loading rules from directory /usr/share/polkit-1/rules.d
    Feb 12 15:46:00 server polkitd[583]: Finished loading, compiling and executing 2 rules
    Feb 12 15:46:00 server polkitd[583]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
    Feb 12 15:46:10 server sshd[1313]: Server listening on 0.0.0.0 port 22.
    Feb 12 15:46:10 server sshd[1313]: Server listening on :: port 22.
    Feb 12 15:46:31 server sshd[1840]: Accepted publickey for root from 222.119.218.120 port 26665 ssh2: RSA SHA256:cnhuplyGAzI1x1W2DudZZq7CN6qi1oMqTdtdi5VqnRc
    Feb 12 15:46:32 server sshd[1840]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Feb 12 15:46:32 server sshd[1840]: pam_lastlog(sshd:session): unable to open /var/log/lastlog: No such file or directory
    Feb 12 15:46:33 server sshd[1858]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:46:33 server sshd[1858]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:49:59 server sshd[2022]: Connection closed by 90.199.242.27 port 62452 [preauth]
    Feb 12 15:50:11 server sshd[2043]: Connection closed by 90.199.242.27 port 62453 [preauth]
    Feb 12 15:50:31 server sshd[1840]: Received disconnect from 222.119.218.120 port 26665:11: disconnected by user
    Feb 12 15:50:31 server sshd[1840]: Disconnected from 222.119.218.120 port 26665
    Feb 12 15:50:31 server sshd[1840]: pam_unix(sshd:session): session closed for user root
    Feb 12 15:50:45 server sshd[2096]: Accepted publickey for root from 222.119.218.120 port 37066 ssh2: RSA SHA256:cnhuplyGAzI1x1W2DudZZq7CN6qi1oMqTdtdi5VqnRc
    Feb 12 15:50:45 server sshd[2096]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Feb 12 15:50:45 server sshd[2096]: pam_lastlog(sshd:session): unable to open /var/log/lastlog: No such file or directory
    Feb 12 15:50:46 server sshd[2102]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:50:46 server sshd[2102]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:52:21 server polkitd[583]: Registered Authentication Agent for unix-process:2421:38780 (system bus name :1.24 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
    Feb 12 15:52:21 server polkitd[583]: Unregistered Authentication Agent for unix-process:2421:38780 (system bus name :1.24, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8) (disconnected from bus)
    Feb 12 15:56:53 server sshd[2540]: Received disconnect from 85.62.169.71 port 61169:11: Client disconnecting normally [preauth]
    Feb 12 15:56:53 server sshd[2540]: Disconnected from 85.62.169.71 port 61169 [preauth]
    Feb 12 15:57:32 server sshd[2096]: Received disconnect from 222.119.218.120 port 37066:11: disconnected by user
    Feb 12 15:57:32 server sshd[2096]: Disconnected from 222.119.218.120 port 37066
    Feb 12 15:57:32 server sshd[2096]: pam_unix(sshd:session): session closed for user root
    Feb 12 15:57:50 server sshd[2767]: Connection closed by 222.119.218.120 port 54211 [preauth]
    Feb 12 15:58:09 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/test -e /etc/passwd
    Feb 12 15:58:09 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    Feb 12 15:58:09 server sudo: pam_unix(sudo:session): session closed for user root
    Feb 12 15:58:09 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/cat /etc/passwd
    Feb 12 15:58:09 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    Feb 12 15:58:09 server sudo: pam_unix(sudo:session): session closed for user root
    Feb 12 15:58:09 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/cat /root/.wp-toolkit-identifier
    Feb 12 15:58:09 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    Feb 12 15:58:09 server sudo: pam_unix(sudo:session): session closed for user root
    Feb 12 15:58:10 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/sh -c whmapi1 get_domain_info --output=json
    Feb 12 15:58:10 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    Feb 12 15:58:10 server sudo: pam_unix(sudo:session): session closed for user root
    Feb 12 15:58:10 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/sh -c whmapi1 listaccts --output=json
    Feb 12 15:58:10 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    Feb 12 15:58:11 server sudo: pam_unix(sudo:session): session closed for user root
    Feb 12 15:58:11 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/sh -c whmapi1 get_users_features_settings user-1=staffdir feature-1=filemanager feature-2=backup feature-3=cron feature-4=phpmyadmin feature-5=mysql feature-6=multiphp feature-7=subdomains feature-8=webprotect feature-9=wp-toolkit feature-10=wp-toolkit-deluxe --output=json
    Feb 12 15:58:11 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    Feb 12 15:58:11 server sudo: pam_unix(sudo:session): session closed for user root
    Feb 12 15:59:08 server sshd[2822]: Accepted publickey for root from 222.119.218.120 port 23199 ssh2: RSA SHA256:cnhuplyGAzI1x1W2DudZZq7CN6qi1oMqTdtdi5VqnRc
    Feb 12 15:59:08 server sshd[2822]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Feb 12 15:59:08 server sshd[2822]: pam_lastlog(sshd:session): unable to open /var/log/lastlog: No such file or directory
    Feb 12 15:59:10 server sshd[2828]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:59:10 server sshd[2828]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:59:50 server sshd[2876]: Accepted publickey for root from 184.94.197.2 port 63442 ssh2: RSA SHA256:ktvoarqhiUkvbQXOEOshtQttY4RN52fOmbxzT1c9U3E
    Feb 12 15:59:50 server sshd[2876]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Feb 12 15:59:50 server sshd[2876]: pam_lastlog(sshd:session): unable to open /var/log/lastlog: No such file or directory
    Feb 12 15:59:50 server sshd[2881]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:59:50 server sshd[2881]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Feb 12 15:59:56 server useradd[2936]: new group: name=cptktywhllsifolm, GID=1006
    Feb 12 15:59:56 server useradd[2936]: new user: name=cptktywhllsifolm, UID=1004, GID=1006, home=/home/cptktywhllsifolm, shell=/bin/bash
    Feb 12 16:00:39 server sshd[3256]: Invalid user support from 178.128.152.209 port 45928
    Feb 12 16:00:39 server sshd[3256]: input_userauth_request: invalid user support [preauth]
    Feb 12 16:00:39 server sshd[3256]: Received disconnect from 178.128.152.209 port 45928:11: Bye Bye [preauth]
    Feb 12 16:00:39 server sshd[3256]: Disconnected from 178.128.152.209 port 45928 [preauth]
    Feb 12 16:00:40 server sshd[3258]: Received disconnect from 178.128.152.209 port 45988:11: Bye Bye [preauth]
    Feb 12 16:00:40 server sshd[3258]: Disconnected from 178.128.152.209 port 45988 [preauth]
    Feb 12 16:00:40 server sshd[3261]: Received disconnect from 178.128.152.209 port 46018:11: Bye Bye [preauth]
    Feb 12 16:00:40 server sshd[3261]: Disconnected from 178.128.152.209 port 46018 [preauth]
    Feb 12 16:00:41 server sshd[3263]: Invalid user usuario from 178.128.152.209 port 46058
    Feb 12 16:00:41 server sshd[3263]: input_userauth_request: invalid user usuario [preauth]
    Feb 12 16:00:41 server sshd[3263]: Received disconnect from 178.128.152.209 port 46058:11: Bye Bye [preauth]
    Feb 12 16:00:41 server sshd[3263]: Disconnected from 178.128.152.209 port 46058 [preauth]
    Feb 12 16:00:42 server sshd[3266]: Invalid user ubnt from 178.128.152.209 port 46090
    Feb 12 16:00:42 server sshd[3266]: input_userauth_request: invalid user ubnt [preauth]
    Feb 12 16:00:42 server sshd[3266]: Received disconnect from 178.128.152.209 port 46090:11: Bye Bye [preauth]
    Feb 12 16:00:42 server sshd[3266]: Disconnected from 178.128.152.209 port 46090 [preauth]
    Feb 12 16:00:42 server sshd[3269]: Invalid user debian from 178.128.152.209 port 46104
    Feb 12 16:00:42 server sshd[3269]: input_userauth_request: invalid user debian [preauth]
    Feb 12 16:00:42 server sshd[3269]: Received disconnect from 178.128.152.209 port 46104:11: Bye Bye [preauth]
    Feb 12 16:00:42 server sshd[3269]: Disconnected from 178.128.152.209 port 46104 [preauth]
    Feb 12 16:00:43 server sshd[3271]: Invalid user test from 178.128.152.209 port 46132
    Feb 12 16:00:43 server sshd[3271]: input_userauth_request: invalid user test [preauth]
    Feb 12 16:00:43 server sshd[3271]: Received disconnect from 178.128.152.209 port 46132:11: Bye Bye [preauth]
    Feb 12 16:00:43 server sshd[3271]: Disconnected from 178.128.152.209 port 46132 [preauth]
    Feb 12 16:00:44 server sshd[3274]: Invalid user usuario from 178.128.152.209 port 46156
    Feb 12 16:00:44 server sshd[3274]: input_userauth_request: invalid user usuario [preauth]
    Feb 12 16:00:44 server sshd[3274]: Received disconnect from 178.128.152.209 port 46156:11: Bye Bye [preauth]
    Feb 12 16:00:44 server sshd[3274]: Disconnected from 178.128.152.209 port 46156 [preauth]
    Feb 12 16:00:45 server sshd[3278]: Received disconnect from 178.128.152.209 port 46170:11: Bye Bye [preauth]
    Feb 12 16:00:45 server sshd[3278]: Disconnected from 178.128.152.209 port 46170 [preauth]
    Feb 12 16:00:45 server sshd[3281]: Invalid user user from 178.128.152.209 port 46200
    Feb 12 16:00:45 server sshd[3281]: input_userauth_request: invalid user user [preauth]
    Feb 12 16:00:45 server sshd[3281]: Received disconnect from 178.128.152.209 port 46200:11: Bye Bye [preauth]
    Feb 12 16:00:45 server sshd[3281]: Disconnected from 178.128.152.209 port 46200 [preauth]
    Feb 12 16:02:10 server polkitd[583]: Registered Authentication Agent for unix-process:3665:97728 (system bus name :1.48 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
    Feb 12 16:02:10 server polkitd[583]: Unregistered Authentication Agent for unix-process:3665:97728 (system bus name :1.48, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8) (disconnected from bus)
    Feb 12 16:02:17 server polkitd[583]: Registered Authentication Agent for unix-process:3711:98441 (system bus name :1.49 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
    Feb 12 16:02:17 server polkitd[583]: Unregistered Authentication Agent for unix-process:3711:98441 (system bus name :1.49, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8) (disconnected from bus)
    Feb 12 16:02:26 server polkitd[583]: Registered Authentication Agent for unix-process:3725:99300 (system bus name :1.50 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
    Feb 12 16:02:51 server polkitd[556]: Loading rules from directory /etc/polkit-1/rules.d
    Feb 12 16:02:51 server polkitd[556]: Loading rules from directory /usr/share/polkit-1/rules.d
    Feb 12 16:02:51 server polkitd[556]: Finished loading, compiling and executing 2 rules
    Feb 12 16:02:51 server polkitd[556]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
    Feb 12 16:02:56 server sshd[1208]: Server listening on 0.0.0.0 port 22.
    Feb 12 16:02:56 server sshd[1208]: Server listening on :: port 22.
    Feb 12 16:04:58 server sshd[1703]: Connection closed by 184.94.197.2 port 52823 [preauth]
    Feb 12 16:09:29 server sshd[1749]: Connection closed by 184.94.197.2 port 33422 [preauth]
    Feb 12 16:14:43 server sshd[1812]: Invalid user ubuntu from 51.254.63.223 port 33866
    Feb 12 16:14:43 server sshd[1812]: input_userauth_request: invalid user ubuntu [preauth]
    Feb 12 16:14:43 server sshd[1812]: Received disconnect from 51.254.63.223 port 33866:11: Bye Bye [preauth]
    Feb 12 16:14:43 server sshd[1812]: Disconnected from 51.254.63.223 port 33866 [preauth]

Please help.
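As an added example (not from the question or from any answer), a small Python parser that turns /var/log/secure lines like the ones above into the timeline an investigator looks at first: which SSH key fingerprints were accepted for root and from which IPs, which sudo commands ran, when accounts were created, and which sources only produced failed invalid-user noise. The sample input is a few lines excerpted from the question's log; note that this log records logins and sudo commands, not what a root shell did afterwards, so a file deletion itself will not appear in it.

```python
import re
from collections import Counter

# Regexes for the sshd / sudo / useradd lines CentOS 7 writes to /var/log/secure.
TS = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+ ssh2: (\S+) (\S+)")
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+) port")
SUDO = re.compile(r"sudo: +(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")
USERADD = re.compile(r"useradd\[\d+\]: new user: name=(\S+), UID=(\d+)")

# Sample input: a few lines excerpted from the log in the question.
SAMPLE = """\
Feb 12 15:21:22 server sshd[1998]: Invalid user hduser from 111.229.235.119 port 51986
Feb 12 15:39:31 server sshd[2617]: Accepted publickey for root from 222.119.218.120 port 55062 ssh2: RSA SHA256:cnhuplyGAzI1x1W2DudZZq7CN6qi1oMqTdtdi5VqnRc
Feb 12 15:58:09 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/cat /etc/passwd
Feb 12 15:59:50 server sshd[2876]: Accepted publickey for root from 184.94.197.2 port 63442 ssh2: RSA SHA256:ktvoarqhiUkvbQXOEOshtQttY4RN52fOmbxzT1c9U3E
Feb 12 15:59:56 server useradd[2936]: new user: name=cptktywhllsifolm, UID=1004, GID=1006, home=/home/cptktywhllsifolm, shell=/bin/bash
Feb 12 16:00:39 server sshd[3256]: Invalid user support from 178.128.152.209 port 45928
Feb 12 16:00:41 server sshd[3263]: Invalid user usuario from 178.128.152.209 port 46058
""".splitlines()


def parse_secure(lines):
    """Return (events, failed_sources): a timeline of successful logins, sudo
    commands and account creations, plus a count of invalid-user attempts per IP."""
    events, failed_sources = [], Counter()
    for line in lines:
        m = TS.match(line)
        if not m:
            continue
        ts = m.group(1)
        if a := ACCEPTED.search(line):
            method, user, ip, keytype, fp = a.groups()
            events.append((ts, "login", user, ip, f"{method} {keytype} {fp}"))
        elif i := INVALID.search(line):
            failed_sources[i.group(2)] += 1  # scanner noise: no session was opened
        elif s := SUDO.search(line):
            events.append((ts, "sudo", s.group(1), s.group(2), s.group(3)))
        elif u := USERADD.search(line):
            events.append((ts, "useradd", u.group(1), "", f"UID={u.group(2)}"))
    return events, failed_sources


def root_login_keys(events):
    """Map each SSH key fingerprint accepted for root to the set of IPs that used it.
    Any fingerprint the owner does not recognise should be removed from authorized_keys."""
    keys = {}
    for _ts, kind, user, ip, detail in events:
        if kind == "login" and user == "root":
            keys.setdefault(detail.split()[-1], set()).add(ip)
    return keys


def report(lines):
    """Render the timeline plus a per-source count of failed attempts as text."""
    events, failed = parse_secure(lines)
    out = [f"{ts} {kind:8} {user:16} {ip:16} {detail}" for ts, kind, user, ip, detail in events]
    out.append("failed invalid-user attempts by source: "
               + ", ".join(f"{ip}={n}" for ip, n in failed.most_common()))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE))
    print(root_login_keys(parse_secure(SAMPLE)[0]))
```

Run it against the full file with `parse_secure(open("/var/log/secure").read().splitlines())`; the useful output is the set of accepted root fingerprints, which is what to compare against the keys you actually installed.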

Answer 1

Can the security log help you find out how it was done?

No.

Also, this may be a question for security.stackexchange.com.

See this discussion: https://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromished-server
