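Ubuntu SSH service dead (on inspection, it turned out to be a hacker attack)

The VPS I use regularly suddenly became unreachable over ssh. After connecting through the web VNC on the management page, I found that the ssh command itself was broken, and scp along with it. I contacted customer support, but they would not fix it. I found the following post online, and it solved the problem.

A few findings during the investigation:

1. The contents of /var/log/messages had been wiped.

2. Earlier I had carelessly left a Jupyter notebook running in the background, with a weak password and a port number that is not obscure. The background logs show access from Russian IPs as well as an unusual URL; visiting it showed that it was an attack PHP page.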


This issue has been resolved. Here are the commands I ran to get it resolved.



Pastebin of "ssh -v `host' "
http://paste.ubuntu.com/57704/


dmesg


/var/log/auth.log
http://paste.ubuntu.com/57707


sudo /etc/init.d/ssh restart
OUTPUT:
Could not load host key: /etc/ssh/ssh_host_key
Disabiling protocol version 1. Could not load host key
Missing privilege separation directory: /var/empty


sudo apt-get remove --purge openssh-server && sudo apt-get install openssh-server
OUTPUT:
Errors were encountered while processing: /var/cache/apt/archives/openssh-server_1%3a4.7pl-8ubuntu1.2_i386.deb
E: Sub process /usr/bin/dpkg returned an error code (1)


sudo dpkg -i /var/cache/apt/archives/openssh-server_1%3a4.7pl-8ubuntu1.2_i386.deb
OUTPUT:
Unable to make backup link of `./usr/sbin/sshd' before installing new version: Operation not permitted


sudo -i then dpkg -i /var/cache/apt/archives/openssh-server_1%3a4.7pl-8ubuntu1.2_i386.deb
OUTPUT:
dpkg: error processing /var/cache/apt/archives/openssh-server_1%3a4.7pl-8ubuntu1.2_i386.deb (--install):
cannot access archive: No such file or directory


sudo apt-get install openssh-server
OUTPUT:
dpkg: error processing /var/cache/apt/archives/openssh-server_1%3a4.7p1-8ubuntu1.2_i386.deb (--unpack):
unable to make backup link of `./usr/sbin/sshd' before installing new version: Operation not permitted


dmesg
http://paste.ubuntu.com/57718/


sudo dpkg --purge openssh-server
OUTPUT:
dpkg - warning: ignoring request to remove openssh-server which isn't installed


ls -l /usr/sbin/sshd
OUTPUT:
-rwxr-xr-x 1 root root 236456 2007-03-23 14:29 /usr/sbin/sshd


lsattr /usr/sbin/sshd
OUTPUT:
su--ia------------ /usr/sbin/sshd


chattr -i /usr/sbin/sshd


sudo apt-get install openssh-server
OUTPUT:
dpkg: error processing /var/cache/apt/archives/openssh-server_1%3a4.7p1-8ubuntu1.2_i386.deb (--unpack):
unable to make backup link of `./usr/sbin/sshd' before installing new version: Operation not permitted


sudo rm /usr/sbin/sshd
OUTPUT:
rm: cannot remove `/usr/sbin/sshd': Operation not permitted


sudo /etc/init.d/ssh stop
OUTPUT:
sudo: /etc/init.d/ssh: command not found


sudo killall -9 sshd
OUTPUT:
sshd: no process killed


**REBOOT SYSTEM**


sudo apt-get clean


md5sum /usr/sbin/sshd
OUTPUT:
77fc5d90723430d090144fcbaaacce7b /usr/sbin/sshd


lsattr /usr/sbin/sshd
OUTPUT:
su---a------------ /usr/sbin/sshd


chattr -a -u -s /usr/sbin/sshd


mv /usr/sbin/sshd /usr/sbin/sshd.bak


sudo apt-get install openssh-server


rm /usr/sbin/sshd.bak


md5sum /usr/sbin/sshd
OUTPUT:
f5e43bdf79235f04cfe09b2eb0e87a00 /usr/sbin/sshd


sudo /etc/init.d/ssh restart


sudo dpkg --purge openssh-client
OUTPUT:
dpkg: dependency problems prevent removal of openssh-client:
openssh-server depends on openssh-client (= 1:4.7p1-8ubuntu1.2).
autossh depends on openssh-client | ssh-client; however:
Package openssh-client is to be removed.
Package ssh-client is not installed.
Package openssh-client which provides ssh-client is to be removed.
ssh depends on openssh-client.
autossh depends on openssh-client | ssh-client; however:
Package openssh-client is to be removed.
Package ssh-client is not installed.
Package openssh-client which provides ssh-client is to be removed.
dpkg: error processing openssh-client (--purge):
dependency problems - not removing
Errors were encountered while processing:
openssh-client


sudo dpkg --purge --force-all openssh-client


sudo apt-get install openssh-client
OUTPUT:
dpkg: error processing /var/cache/apt/archives/openssh-client_1%3a4.7p1-8ubuntu1.2_i386.deb (--unpack):
unable to make backup link of `./usr/bin/ssh' before installing new version: Operation not permitted
dpkg-deb: subprocess paste killed by signal (Broken pipe)
Errors were encountered while processing:
/var/cache/apt/archives/openssh-client_1%3a4.7p1-8ubuntu1.2_i386.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)


sudo lsattr /usr/bin/ssh
OUTPUT:
su--ia------------ /usr/bin/ssh


sudo chattr -i -a /usr/bin/ssh


sudo mv /usr/bin/ssh /usr/bin/ssh.bak


sudo apt-get install openssh-client
OUTPUT:
dpkg: error processing /var/cache/apt/archives/openssh-client_1%3a4.7p1-8ubuntu1.2_i386.deb (--unpack):
unable to make backup link of `./usr/bin/scp' before installing new version: Operation not permitted
dpkg-deb: subprocess paste killed by signal (Broken pipe)
Errors were encountered while processing:
/var/cache/apt/archives/openssh-client_1%3a4.7p1-8ubuntu1.2_i386.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)


sudo rm /usr/bin/ssh.bak


sudo chattr -i -a scp && sudo chattr -i -a sftp


sudo apt-get install openssh-client


sudo ssh-vulnkey
(2 keys in output; not blacklisted)


ssh-vulnkey
(same 2 keys; not blacklisted)


Finished off with " sudo touch /forcefsck " to check my filesystem
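
The condition the post ran into, immutable (i) and append-only (a) attributes set on the OpenSSH binaries so that dpkg and rm fail with "Operation not permitted", can be checked for across whole directories. The script below is an added example, not part of the original post: it parses lsattr output and reports every file carrying either attribute. The sample lines are constructed after the post's output, and the function names and the script name locked.sh are made up here.

```shell
#!/bin/sh
# Added example (not from the original post): list files that carry the
# immutable (i) or append-only (a) attribute, as /usr/sbin/sshd did above.

# Constructed sample in lsattr's "<flags> <path>" format, modelled on the
# post's output; the scp/sftp/ls lines are made up for illustration.
SAMPLE_LSATTR='su--ia------------ /usr/sbin/sshd
su---a------------ /usr/bin/scp
------------------ /usr/bin/sftp
-------------e---- /bin/ls'

# Read lsattr lines on stdin; print "<locks> <path>" for each locked file.
# Flag letters are case-sensitive: "a" is append-only, "A" is no-atime.
locked_files() {
    while read -r flags path; do
        [ -n "$path" ] || continue          # skip blank or malformed lines
        locks=""
        case "$flags" in *i*) locks="${locks}i" ;; esac
        case "$flags" in *a*) locks="${locks}a" ;; esac
        if [ -n "$locks" ]; then
            printf '%s %s\n' "$locks" "$path"
        fi
    done
    return 0
}

# Run lsattr over each directory given and filter its listing.
# Errors (e.g. filesystems without attribute support) are discarded.
scan_dirs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        lsattr "$dir" 2>/dev/null || true
    done | locked_files
}

# Usage (hypothetical file name): sh locked.sh /usr/sbin /usr/bin /bin /sbin
if [ "$#" -gt 0 ]; then
    scan_dirs "$@"
fi
```

For each path reported, `dpkg -S <path>` names the package that owns it, which is the one to reinstall once the attributes have been cleared with chattr.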