
[Solved] Our Server Has Become a Zombie..

kemal nezir
(@kemalnezir)
Member

Hello, we received a warning that our server is being used as a bot, and they stated that if we cannot resolve it by 24 April at 11:00 they will shut our server down. But from the information they sent we could not identify the source of the threat. Are there any friends here who understand this subject? A post was opened on this topic before, but no solution was reached there.

The website mentioned in the logs I will share below does not exist on our system.

We have received complaints about your server vmi41320, specifically about the following IP address(es):

5.189.145.XX

Please see the forwarded e-mail below for more details. Apparently, your server is used for attacking which is strictly forbidden by our ToS.

Abuse is a serious threat on the Internet and can cause a huge amount of damage; thus, we ask for your understanding that once an ABUSE case is reported to us, we must handle abuse strictly and with no tolerance.

Please take immediate action to stop the ongoing server misuse. It is required that you solve the problem within the next 60 hours, and that we receive your reply within this period, too. Your reply must contain all information which enables us to understand exactly which measures you took to stop the abuse and prevent such or similar incidents in the future.

We will suspend access to your server if we do not receive your reply within the given time frame, and if the problem is not solved in due time; both are essential - the solution and your response. The reactivation of a server always demands a reactivation fee of at least 30.00 EUR. Please respond in due time to save these expenses.

We would appreciate your immediate attention to this matter.

Original complaint from Abuse Team - Comvive Servidores SL <abusenotices@comvive.com>
Subject: Network attack received from an IP ( 5.189.145.XX ) from your network / Ataque recibido desde una ip ( 5.189.145.XX ) de su red

> Hi, We have detected a network attack from an IP ( 5.189.145.XX ) from your network, a computer connected to it is probably infected and being part of a botnet. Please check it and fix it up as soon as possible. Thank you.


> Greetings, we have detected an attack from an IP ( 5.189.145.XX ) on your network; the machine is probably infected and part of a botnet. Please check it and fix it as soon as possible. Many thanks.


> The IP 5.189.145.XX has just been banned by Fail2Ban after
> 1 attempts against apache-critico.


> Domain: riversfly.com (91.192.108.99)


> Here are more information about 5.189.145.XX:
> Lines containing IP:5.189.145.XX in /furanet/sites/*/web/htdocs/logs/access

> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:10:56 +0200] "GET /shop/es/index.php?controller=attachment'&id_attachment=12'\" HTTP/1.1" 301 - "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX- - [21/Apr/2019:22:10:56 +0200] "GET /shop/es/ HTTP/1.0" 200 210520 "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:10:56 +0200] "GET /shop/es/index.php?id_attachment=12&controller=attachment HTTP/1.1" 200 208175 "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:10:57 +0200] "GET /shop/es/index.php?id_attachment=12&controller=attachment2121121121212.1 HTTP/1.1" 301 - "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:10:57 +0200] "GET /shop/es/?id_attachment=12 HTTP/1.0" 200 210554 "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:10:57 +0200] "GET /shop/es/index.php?id_attachment=12&controller=attachment%20and%201%3D1 HTTP/1.1" 301 - "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX- - [21/Apr/2019:22:10:58 +0200] "GET /shop/es/?id_attachment=12 HTTP/1.0" 200 210554 "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:10:58 +0200] "GET /shop/es/index.php?id_attachment=12&controller=attachment%20and%201%3E1 HTTP/1.1" 301 - "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX- - [21/Apr/2019:22:10:58 +0200] "GET /shop/es/?id_attachment=12 HTTP/1.0" 200 210554 "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:10:59 +0200] "GET /shop/es/index.php?id_attachment=12&controller=attachment%27%20and%20%27x%27%3D%27x HTTP/1.1" 301 - "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX- - [21/Apr/2019:22:10:59 +0200] "GET /shop/es/?id_attachment=12 HTTP/1.0" 200 210554 "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:00 +0200] "GET /shop/es/index.php?id_attachment=12&controller=attachment%27%20and%20%27x%27%3D%27y HTTP/1.1" 301 - "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:00 +0200] "GET /shop/es/?id_attachment=12 HTTP/1.0" 200 210554 "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:00 +0200] "GET /shop/es/index.php?id_attachment=12&controller=attachment\"%20and%20\"x\"%3D\"x HTTP/1.1" 301 - "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:00 +0200] "GET /shop/es/?id_attachment=12 HTTP/1.0" 200 210554 "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:01 +0200] "GET /shop/es/index.php?id_attachment=12&controller=attachment%22%20and%20%22x%22%3D%22y HTTP/1.1" 301 - "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:01 +0200] "GET /shop/es/?id_attachment=12 HTTP/1.0" 200 210554 "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:02 +0200] "GET /shop/es/index.php?id_attachment=12&controller=attachment%20AND%201=1 HTTP/1.1" 301 - "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:02 +0200] "GET /shop/es/?id_attachment=12 HTTP/1.0" 200 210554 "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:02 +0200] "GET /shop/es/index.php?controller=attachment&id_attachment=12 HTTP/1.1" 200 208175 "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:03 +0200] "GET /shop/es/index.php?controller=attachment&id_attachment=122121121121212.1 HTTP/1.1" 302 - "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:03 +0200] "GET /shop/es/ HTTP/1.1" 200 210520 "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:03 +0200] "GET /shop/es/index.php?controller=attachment&id_attachment=12%20and%201%3D1 HTTP/1.1" 200 208175 "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:04 +0200] "GET /shop/es/index.php?controller=attachment&id_attachment=12%20and%201%3E1 HTTP/1.1" 200 208175 "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:04 +0200] "GET /shop/es/index.php?controller=attachment&id_attachment=12%27%20and%20%27x%27%3D%27x HTTP/1.1" 200 208175 "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:05 +0200] "GET /shop/es/index.php?controller=attachment&id_attachment=12%27%20and%20%27x%27%3D%27y HTTP/1.1" 200 208175 "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:05 +0200] "GET /shop/es/index.php?controller=attachment&id_attachment=12\"%20and%20\"x\"%3D\"x HTTP/1.1" 200 208175 "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:05 +0200] "GET /shop/es/index.php?controller=attachment&id_attachment=12%22%20and%20%22x%22%3D%22y HTTP/1.1" 200 208175 "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:06 +0200] "GET /shop/es/index.php?controller=attachment&id_attachment=12%20AND%201=1 HTTP/1.1" 200 208175 "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:06 +0200] "GET /shop/es/index.php?amp;id_attachment=12&controller=attachment HTTP/1.0" 302 - "-" "-" "Opera/9.27"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:06 +0200] "GET /shop/es/index.php?amp;id_attachment=12&controller=attachment%27%20AnD%20sLeep%283%29%20ANd%20%271 HTTP/1.0" 301 - "-" "-" "Opera/9.27"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:06 +0200] "GET /shop/es/index.php?amp;id_attachment=12&controller=attachment%27%26%26sLEEp%283%29%26%26%271 HTTP/1.0" 301 - "-" "-" "Opera/9.27"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:07 +0200] "GET /shop/es/index.php?amp;id_attachment=12&controller=attachment%00%27%7C%7CSLeeP%283%29%26%26%271 HTTP/1.0" 301 - "-" "-" "Opera/9.27"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:07 +0200] "GET /shop/es/index.php?amp;id_attachment=12&controller=attachment%27%20aND%20BeNChMaRK%282999999%2CMd5%28NoW%28%29%29%29%20AnD%20%271 HTTP/1.0" 301 - "-" "-" "Opera/9.27"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:07 +0200] "GET /shop/es/index.php?amp;id_attachment=12&controller=attachment%27%26%26BeNChMaRK%282999999%2CmD5%28NOW%28%29%29%29%26%26%271 HTTP/1.0" 301 - "-" "-" "Opera/9.27"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:07 +0200] "GET /shop/es/index.php?amp;id_attachment=12&controller=attachment%27%20AnD%20sLeep%283%29%20ANd%20%270%27%3D%270 HTTP/1.0" 301 - "-" "-" "Opera/9.27"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:07 +0200] "GET /shop/es/index.php?controller=attachment&id_attachment=12999999.1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1 HTTP/1.1" 302 - "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:07 +0200] "GET /shop/es/ HTTP/1.1" 200 210520 "-" "-" "-"
> /furanet/sites/riversfly.com/web/htdocs/logs/access:5.189.145.XX - - [21/Apr/2019:22:11:08 +0200] "GET /shop/es/index.php?controller=attachment&id_attachment=1299999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x HTTP/1.1" 302 - "-" "-" "-"

> Date: Sun Apr 21 22:11:09 CEST 2019

> Unix timestamp: 1555877468.42

Posted : 23/04/2019 08:26
Buğra PARLAYAN
(@bugraparlayan)
Respected Member, Forum Administrator

Greetings,

What matters here is whether the IP address the server uses is dedicated or shared. Apart from that, if you are using a physical server of your own, you should examine the services and check whether there is any foreign application.

You need to examine the problem at the operating-system level, not the website.

Posted : 23/04/2019 13:01
Hakan Uzuner
(@hakanuzuner)
Senior Member, Administrator

Solving the problem this way over the forum is very hard; show it to an expert quickly, but most likely that server cannot be salvaged. Take your backups and reinstall. Have OS security hardening done so this problem does not happen again.

Consultant - ITSTACK Bilgi Sistemleri
****************************************************************
If you share the result here when your problem is solved,
you will help others who experience the same problem.
If your problem is solved, please mark it as "solved"; this will make things much easier for other members.
*****************************************************************

Posted : 23/04/2019 13:15
Tursun İsak
(@Tursunisak)
Member
Quote from @hakanuzuner

OS security hardening

What does this procedure provide, Mr. Hakan? Could you explain it briefly? Thank you.

Posted : 28/02/2020 17:07
ibrahim yildiz
(@ibrahimyildiz)
Experienced Member
Hakan Uzuner
(@hakanuzuner)
Senior Member, Administrator
Quote from @Tursunisak
Quote from @hakanuzuner

OS security hardening

What does this procedure provide, Mr. Hakan? Could you explain it briefly? Thank you.

We tighten the operating system in terms of security; this way the operating system becomes more secure.


Posted : 29/02/2020 18:01
Turan COŞKUN
(@turancoskun)
Experienced Member, Forum Administrator

Hello,

I do not know where you got the 24 April date from, but the e-mail shared with you states that you need to provide feedback on the problem/solution within 60 hours.

As Mr. Hakan said, if you have no experience with the problem you are facing, you should get consulting.

You can do a few basic checks yourself.

First, query the public IP address of your server on abuseipdb and list why it was reported.

https://www.abuseipdb.com/

On the operating system you should examine the access logs ( access/error.log ) and the active users.

https://www.tecmint.com/query-audit-logs-using-ausearch-tool-on-centos-rhel/

Running a scan for rootkit applications on your system will be to your benefit.

I am sharing an older article by Mehmet hoca; it will give you an idea, the method is the same.

https://www.mehmetince.net/linux-sunucularda-rootkit-tespiti-rkhunter-ile-chkrootkit-performansi/


Posted : 01/03/2020 09:33
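An added triage helper, not code from any of the posters: it parses access-log lines in the shape of the forwarded complaint in the first post and summarises, per client IP, how many requests matched SQL-injection probe signatures and over what time window, which is the kind of access-log review suggested above. The log regex, the signature names and the constructed sample lines (documentation-range IPs, not the reported one) are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Apache access-log line as forwarded in the complaint; some forwarded lines have the IP
# glued to the first "-", so the separator is matched loosely.
LOG_RE = re.compile(r'^(?P<ip>[0-9a-fA-F.:]+)\s*- - \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Injection-probe signatures (assumed names), applied to the URL-decoded request target.
SIGNATURES = {
    "tautology": re.compile(r"\b(and|or)\s+1\s*[=<>]\s*1\b", re.I),
    "quoted_tautology": re.compile(r"['\"]\s*(and|or|&&|\|\|)\s*['\"]", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "union_select": re.compile(r"\bunion\s+select\b", re.I),
}

def parse_line(line):
    # Fields of one access-log line, or None if it does not parse.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def probe_signatures(target):
    # Names of the signatures that fire on a (still percent-encoded) request target.
    decoded = unquote_plus(target)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def scan(lines):
    # Per-IP summary: request count, how many looked like probes, which signatures
    # fired, and the first/last timestamps seen (the burst window).
    report = {}
    for entry in filter(None, map(parse_line, lines)):
        rec = report.setdefault(entry["ip"], {"requests": 0, "probes": 0, "signatures": set(),
                                              "first": entry["ts"], "last": entry["ts"]})
        rec["requests"] += 1
        rec["last"] = entry["ts"]
        sigs = probe_signatures(entry["target"])
        if sigs:
            rec["probes"] += 1
            rec["signatures"].update(sigs)
    return report

# Constructed sample in the shape of the forwarded log (documentation IPs, not the real one).
SAMPLE = """\
203.0.113.7 - - [21/Apr/2019:22:11:02 +0200] "GET /shop/es/index.php?id_attachment=12&controller=attachment%20AND%201=1 HTTP/1.1" 301 - "-" "-" "-"
203.0.113.7 - - [21/Apr/2019:22:11:06 +0200] "GET /shop/es/index.php?amp;id_attachment=12&controller=attachment%27%20AnD%20sLeep%283%29%20ANd%20%271 HTTP/1.0" 301 - "-" "-" "Opera/9.27"
203.0.113.7 - - [21/Apr/2019:22:11:07 +0200] "GET /shop/es/index.php?controller=attachment&id_attachment=12%27%20and%20%27x%27%3D%27x HTTP/1.1" 200 208175 "-" "-" "-"
203.0.113.7 - - [21/Apr/2019:22:11:08 +0200] "GET /shop/es/index.php?controller=attachment&id_attachment=12999999.1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1 HTTP/1.1" 302 - "-" "-" "-"
198.51.100.9- - [21/Apr/2019:22:12:00 +0200] "GET /shop/es/ HTTP/1.0" 200 210520 "-" "-" "-"
""".splitlines()
```

Run `scan(open("/path/to/access.log").readlines())` against a real log; an IP with a high probe count inside a window of a few seconds is the pattern the complaint describes.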