腾讯云服务器对外攻击8090端口问题解决

已于 2023-05-16 03:26:03 修改
阅读量1k 收藏 1
点赞数
文章标签: 服务器 腾讯云 运维
于 2023-05-13 03:25:02 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_44722690/article/details/130653064
版权

起因

在一次测试docker开放2375端口后,使用阿里云的CloudToolKit插件上传过一次docker镜像文件,启动容器。

第二天腾讯云发来了警告邮件,提示说:服务器存在对外8090端口攻击。

排查

登录上腾讯云账号到服务器进行查看,使用 docker ps -a命令进行查看。
发现多了几个陌生的镜像和两个正在运行的容器,因此怀疑是服务器中病毒了。
找了下原因,应该是之前开放docker的2375端口造成的。
找了下docker的2375端口的相关信息,发现这个端口极不安全,可以被其他人自由上传镜像并运行在容器中的。docker官方不推荐暴露到公网上,即使暴露也要换其他tcp端口,并配置TLS证书进行加密才能够避免被攻击渗透。

原因找到了,我们就需要解决它:

解决

首先,我们需要釜底抽薪先防止后续攻击,先切断攻击源

首先关闭服务器防火墙的2375端口,然后:

配置关闭docker2375端口远程访问,仅开启本地访问:

1:vim /usr/lib/systemd/system/docker.service    
2#ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix://var/run/docker.sock。此配置代表该docker主机开放tcp端口供其他主机访问,不需要共享则注释掉    
3:改为-H unix:///var/run/docker.sock,此配置代表本地访问

上面三步解决了容器运行的病毒攻击,但是还没完全解决,因为腾讯云邮箱提示服务器还是存在对外攻击行为。因此我们还得排查:

使用netstat工具查看流量的出入端口信息,发现本机服务器起了不少端口来访问外部公网的8090端口:

[root@VM-12-15-centos deepinsea]# netstat -anpo|egrep "tcp|udp"
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1468/master          off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1344/sshd            off (0.00/0/0)
tcp        0    130 10.0.12.15:52848        197.253.121.72:2376     FIN_WAIT1   -                    probe (48.60/0/2)
tcp        0    616 10.0.12.15:38074        81.29.242.109:8090      ESTABLISHED 501/zgrab            probe (2.67/0/0)
tcp        0    616 10.0.12.15:40090        81.29.242.247:8090      ESTABLISHED 501/zgrab            probe (1.73/0/2)
tcp        0      0 10.0.12.15:58952        81.161.5.203:8090       ESTABLISHED 501/zgrab            keepalive (11.23/0/0)
tcp        0    617 10.0.12.15:45444        81.29.242.159:8090      FIN_WAIT1   -                    probe (100.51/0/8)
tcp        0    130 10.0.12.15:50010        197.253.88.171:2376     FIN_WAIT1   -                    probe (6.43/0/6)
tcp        0      0 10.0.12.15:35004        81.15.106.89:8090       ESTABLISHED 501/zgrab            keepalive (11.16/0/0)
tcp        0    131 10.0.12.15:44042        197.253.107.127:2376    FIN_WAIT1   -                    probe (119.45/0/7)
tcp        0    615 10.0.12.15:46382        81.29.242.49:8090       ESTABLISHED 501/zgrab            probe (1.36/0/2)
tcp        0    130 10.0.12.15:50624        197.253.88.216:2376     FIN_WAIT1   -                    probe (19.48/0/6)
tcp        0    130 10.0.12.15:45668        197.253.115.83:2376     FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    129 10.0.12.15:56822        197.253.93.17:2376      FIN_WAIT1   -                    probe (27.10/0/2)
tcp        0    130 10.0.12.15:47120        197.253.67.195:2376     FIN_WAIT1   -                    probe (47.84/0/3)
tcp        0    618 10.0.12.15:58820        81.105.173.116:8090     FIN_WAIT1   -                    probe (13.72/0/8)
tcp        0    130 10.0.12.15:55370        197.253.105.62:2376     FIN_WAIT1   -                    probe (57.05/0/3)
tcp        0    131 10.0.12.15:49642        197.253.117.240:2376    FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    616 10.0.12.15:35322        81.0.144.219:8090       FIN_WAIT1   -                    probe (38.30/0/8)
tcp        0      0 10.0.12.15:38290        81.171.17.18:8090       ESTABLISHED 501/zgrab            keepalive (11.36/0/0)
tcp        0      0 10.0.12.15:55808        81.171.17.59:8090       ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0    131 10.0.12.15:55654        197.253.118.121:2376    FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    131 10.0.12.15:57480        197.253.108.205:2376    FIN_WAIT1   -                    probe (4.76/0/6)
tcp        0      0 10.0.12.15:49388        81.131.60.246:8090      ESTABLISHED 501/zgrab            keepalive (10.27/0/0)
tcp        0    130 10.0.12.15:54044        197.253.93.244:2376     FIN_WAIT1   -                    probe (47.71/0/3)
tcp        0    129 10.0.12.15:44584        197.253.76.18:2376      FIN_WAIT1   -                    probe (20.38/0/6)
tcp        0      0 10.0.12.15:40954        81.95.1.85:8090         ESTABLISHED 501/zgrab            keepalive (11.80/0/0)
tcp        0    614 10.0.12.15:37820        81.29.242.2:8090        ESTABLISHED 501/zgrab            probe (1.78/0/2)
tcp        0    131 10.0.12.15:35850        197.253.125.118:2376    FIN_WAIT1   -                    probe (8.41/0/6)
tcp        0    128 10.0.12.15:50598        197.253.73.8:2376       FIN_WAIT1   -                    probe (47.84/0/3)
tcp        0      0 10.0.12.15:40648        81.161.5.22:8090        ESTABLISHED 501/zgrab            keepalive (13.40/0/0)
tcp        0    131 10.0.12.15:43120        197.253.120.187:2376    FIN_WAIT1   -                    probe (4.89/0/6)
tcp        0      0 10.0.12.15:50028        81.70.0.108:8090        ESTABLISHED 501/zgrab            keepalive (11.13/0/0)
tcp        0    130 10.0.12.15:42054        197.253.115.96:2376     FIN_WAIT1   -                    probe (2.84/0/6)
tcp        0    131 10.0.12.15:46746        197.253.108.145:2376    FIN_WAIT1   -                    probe (5.98/0/6)
tcp        0    616 10.0.12.15:46174        81.29.242.240:8090      ESTABLISHED 501/zgrab            probe (1.87/0/2)
tcp        0    616 10.0.12.15:52722        81.103.81.219:8090      ESTABLISHED 501/zgrab            on (5.49/0/0)
tcp        0    617 10.0.12.15:57188        81.145.54.162:8090      FIN_WAIT1   -                    probe (54.17/0/8)
tcp        0    617 10.0.12.15:37208        81.27.214.108:8090      FIN_WAIT1   -                    probe (36.25/0/8)
tcp        0    129 10.0.12.15:42812        197.253.99.90:2376      FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    616 10.0.12.15:53044        81.39.251.151:8090      ESTABLISHED 501/zgrab            on (2.92/0/0)
tcp        0    616 10.0.12.15:34028        81.90.111.126:8090      ESTABLISHED 501/zgrab            probe (4.68/0/3)
tcp        0    131 10.0.12.15:52268        197.253.125.125:2376    FIN_WAIT1   -                    probe (5.28/0/6)
tcp        0    131 10.0.12.15:49646        197.253.107.104:2376    FIN_WAIT1   -                    probe (25.05/0/6)
tcp        0    131 10.0.12.15:33874        197.253.120.105:2376    FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    130 10.0.12.15:40302        197.253.72.135:2376     FIN_WAIT1   -                    probe (47.84/0/3)
tcp        0    131 10.0.12.15:49646        197.253.104.139:2376    FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    616 10.0.12.15:38022        81.29.242.252:8090      ESTABLISHED 501/zgrab            probe (1.24/0/2)
tcp        0      0 10.0.12.15:33762        81.215.15.207:8090      ESTABLISHED 501/zgrab            keepalive (10.36/0/0)
tcp        0    131 10.0.12.15:40052        197.253.109.131:2376    FIN_WAIT1   -                    probe (57.05/0/3)
tcp        0    131 10.0.12.15:51758        197.253.115.240:2376    FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0     52 10.0.12.15:22           124.77.91.181:50691     ESTABLISHED 24594/sshd: deepins  on (0.22/0/0)
tcp        0    130 10.0.12.15:50352        197.253.105.14:2376     FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0      0 10.0.12.15:53176        81.161.5.182:8090       ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0    130 10.0.12.15:42098        197.253.120.80:2376     FIN_WAIT1   -                    probe (60.51/0/4)
tcp        0      0 10.0.12.15:56838        81.70.195.186:8090      ESTABLISHED 501/zgrab            keepalive (10.14/0/0)
tcp        0    131 10.0.12.15:58508        197.253.107.173:2376    FIN_WAIT1   -                    probe (113.50/0/7)
tcp        0    130 10.0.12.15:42798        197.253.115.88:2376     FIN_WAIT1   -                    probe (57.05/0/3)
tcp        0      0 10.0.12.15:46190        81.171.17.84:8090       ESTABLISHED 501/zgrab            keepalive (11.36/0/0)
tcp        0    130 10.0.12.15:56506        197.253.105.32:2376     FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0      0 10.0.12.15:47604        81.71.64.46:8090        ESTABLISHED 501/zgrab            keepalive (10.14/0/0)
tcp        0    130 10.0.12.15:37932        197.253.88.147:2376     FIN_WAIT1   -                    probe (47.84/0/3)
tcp        0      0 10.0.12.15:51092        81.35.46.109:8090       ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0    129 10.0.12.15:55216        197.253.84.22:2376      FIN_WAIT1   -                    probe (12.83/0/6)
tcp        0      0 10.0.12.15:41770        169.254.0.138:8186      ESTABLISHED 18087/tat_agent      off (0.00/0/0)
tcp        0    131 10.0.12.15:43100        197.253.125.105:2376    FIN_WAIT1   -                    probe (6.30/0/6)
tcp        0    130 10.0.12.15:59702        197.253.93.174:2376     FIN_WAIT1   -                    probe (11.04/0/6)
tcp        0      0 10.0.12.15:33588        81.171.17.82:8090       ESTABLISHED 501/zgrab            keepalive (11.36/0/0)
tcp        0      0 10.0.12.15:45230        81.161.5.7:8090         ESTABLISHED 501/zgrab            keepalive (11.74/0/0)
tcp        0    129 10.0.12.15:51924        197.253.99.84:2376      FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0      0 10.0.12.15:59806        81.69.254.142:8090      ESTABLISHED 501/zgrab            keepalive (10.65/0/0)
tcp        0    130 10.0.12.15:60402        197.253.99.191:2376     FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    131 10.0.12.15:42788        197.253.120.117:2376    FIN_WAIT1   -                    probe (68.44/0/4)
tcp        0    130 10.0.12.15:48742        197.253.88.153:2376     FIN_WAIT1   -                    probe (11.55/0/6)
tcp        0    130 10.0.12.15:50180        197.253.91.181:2376     FIN_WAIT1   -                    probe (47.84/0/3)
tcp        0      0 10.0.12.15:41476        81.69.0.184:8090        ESTABLISHED 501/zgrab            keepalive (10.11/0/0)
tcp        0      0 10.0.12.15:36324        81.161.4.119:8090       ESTABLISHED 501/zgrab            keepalive (11.39/0/0)
tcp        0    130 10.0.12.15:54802        197.253.91.252:2376     FIN_WAIT1   -                    probe (19.48/0/6)
tcp        0    130 10.0.12.15:47358        197.253.88.200:2376     FIN_WAIT1   -                    probe (47.84/0/3)
tcp        0    615 10.0.12.15:37926        81.139.35.92:8090       ESTABLISHED 501/zgrab            probe (11.28/0/1)
tcp        0    130 10.0.12.15:39436        197.253.118.15:2376     FIN_WAIT1   -                    probe (60.51/0/4)
tcp        0      0 10.0.12.15:56416        81.23.144.198:8090      ESTABLISHED 501/zgrab            keepalive (10.97/0/0)
tcp        0    130 10.0.12.15:58062        197.253.91.255:2376     FIN_WAIT1   -                    probe (47.71/0/3)
tcp        0    615 10.0.12.15:52446        81.139.35.60:8090       ESTABLISHED 501/zgrab            probe (3.28/0/3)
tcp        0    616 10.0.12.15:38692        81.29.242.190:8090      ESTABLISHED 501/zgrab            probe (1.72/0/2)
tcp        0    131 10.0.12.15:45412        197.253.107.105:2376    FIN_WAIT1   -                    probe (60.64/0/4)
tcp        0      0 10.0.12.15:40460        81.168.185.69:8090      TIME_WAIT   -                    timewait (55.91/0/0)
tcp        0    129 10.0.12.15:47664        197.253.73.36:2376      FIN_WAIT1   -                    probe (27.10/0/2)
tcp        0    130 10.0.12.15:37532        197.253.92.163:2376     FIN_WAIT1   -                    probe (11.23/0/6)
tcp        0    129 10.0.12.15:59970        197.253.93.70:2376      FIN_WAIT1   -                    probe (27.10/0/2)
tcp        0    131 10.0.12.15:41488        197.253.109.191:2376    FIN_WAIT1   -                    probe (48.48/0/2)
tcp        0      0 10.0.12.15:46768        81.161.5.48:8090        ESTABLISHED 501/zgrab            keepalive (11.04/0/0)
tcp        0      0 10.0.12.15:50430        81.171.17.71:8090       ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0      0 10.0.12.15:56128        81.196.212.179:8090     TIME_WAIT   -                    timewait (58.78/0/0)
tcp        0    617 10.0.12.15:42968        81.167.212.138:8090     ESTABLISHED 501/zgrab            probe (1.43/0/2)
tcp        0    130 10.0.12.15:57060        197.253.104.87:2376     FIN_WAIT1   -                    probe (57.05/0/3)
tcp        0      0 10.0.12.15:38910        81.23.35.221:8090       ESTABLISHED 501/zgrab            keepalive (10.27/0/0)
tcp        0      0 10.0.12.15:48858        81.196.244.171:8090     ESTABLISHED 501/zgrab            keepalive (11.29/0/0)
tcp        0      0 10.0.12.15:44674        81.68.110.127:8090      ESTABLISHED 501/zgrab            keepalive (11.10/0/0)
tcp        0    616 10.0.12.15:43844        81.90.111.166:8090      ESTABLISHED 501/zgrab            probe (4.35/0/3)
tcp        0    130 10.0.12.15:36364        197.253.67.102:2376     FIN_WAIT1   -                    probe (18.14/0/6)
tcp        0      0 10.0.12.15:38934        81.68.176.147:8090      ESTABLISHED 501/zgrab            keepalive (13.12/0/0)
tcp        0      0 10.0.12.15:49706        81.169.162.6:8090       ESTABLISHED 501/zgrab            keepalive (11.29/0/0)
tcp        0      0 10.0.12.15:44558        81.177.165.135:8090     ESTABLISHED 501/zgrab            keepalive (13.40/0/0)
tcp        0    131 10.0.12.15:41530        197.253.104.158:2376    FIN_WAIT1   -                    probe (48.60/0/2)
tcp        0      0 10.0.12.15:43634        81.13.250.127:8090      ESTABLISHED 501/zgrab            keepalive (11.29/0/0)
tcp        0      0 10.0.12.15:45098        81.68.223.49:8090       ESTABLISHED 501/zgrab            keepalive (10.14/0/0)
tcp        0    130 10.0.12.15:51376        197.253.92.190:2376     FIN_WAIT1   -                    probe (47.84/0/3)
tcp        0      0 10.0.12.15:52344        81.41.190.246:8090      TIME_WAIT   -                    timewait (56.22/0/0)
tcp        0      0 10.0.12.15:59716        81.171.17.12:8090       ESTABLISHED 501/zgrab            keepalive (12.00/0/0)
tcp        0    617 10.0.12.15:53954        81.105.173.92:8090      FIN_WAIT1   -                    probe (29.34/0/8)
tcp        0    130 10.0.12.15:33934        197.253.72.202:2376     FIN_WAIT1   -                    probe (57.18/0/4)
tcp        0    616 10.0.12.15:58688        81.29.242.98:8090       FIN_WAIT1   -                    probe (108.19/0/8)
tcp        0    130 10.0.12.15:36560        197.253.83.113:2376     FIN_WAIT1   -                    probe (1.18/0/6)
tcp        0      0 10.0.12.15:40060        81.45.79.250:8090       TIME_WAIT   -                    timewait (55.74/0/0)
tcp        0    129 10.0.12.15:38350        197.253.72.97:2376      FIN_WAIT1   -                    probe (47.71/0/3)
tcp        0      0 10.0.12.15:22           124.77.91.181:50697     ESTABLISHED 24620/sshd: deepins  keepalive (4213.72/0/0)
tcp        0    129 10.0.12.15:57486        197.253.105.4:2376      FIN_WAIT1   -                    probe (5.79/0/6)
tcp        0    129 10.0.12.15:35496        197.253.92.42:2376      FIN_WAIT1   -                    probe (9.50/0/6)
tcp        0    131 10.0.12.15:47150        197.253.124.103:2376    FIN_WAIT1   -                    probe (119.45/0/7)
tcp        0      0 10.0.12.15:58692        81.161.5.149:8090       ESTABLISHED 501/zgrab            keepalive (12.19/0/0)
tcp        0      0 10.0.12.15:59664        81.70.20.73:8090        ESTABLISHED 501/zgrab            keepalive (13.15/0/0)
tcp        0    616 10.0.12.15:33914        81.198.189.28:8090      ESTABLISHED 501/zgrab            on (0.44/2/0)
tcp        0      0 10.0.12.15:54284        81.219.79.41:8090       ESTABLISHED 501/zgrab            keepalive (10.78/0/0)
tcp        0    129 10.0.12.15:53248        197.253.77.99:2376      FIN_WAIT1   -                    probe (48.60/0/2)
tcp        0    131 10.0.12.15:40004        197.253.120.103:2376    FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0      0 10.0.12.15:44866        81.19.3.152:8090        ESTABLISHED 501/zgrab            keepalive (13.37/0/0)
tcp        0    128 10.0.12.15:55110        197.253.89.5:2376       FIN_WAIT1   -                    probe (47.84/0/3)
tcp        0    129 10.0.12.15:47410        197.253.76.66:2376      FIN_WAIT1   -                    probe (48.60/0/2)
tcp        0    615 10.0.12.15:33572        81.0.147.248:8090       ESTABLISHED 501/zgrab            probe (4.65/0/3)
tcp        0    130 10.0.12.15:48502        197.253.91.200:2376     FIN_WAIT1   -                    probe (27.10/0/2)
tcp        0    131 10.0.12.15:46440        197.253.120.135:2376    FIN_WAIT1   -                    probe (112.80/0/7)
tcp        0    131 10.0.12.15:36108        197.253.102.187:2376    FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    130 10.0.12.15:50210        197.253.72.109:2376     FIN_WAIT1   -                    probe (8.73/0/6)
tcp        0      0 10.0.12.15:42014        81.165.106.117:8090     ESTABLISHED 501/zgrab            keepalive (11.36/0/0)
tcp        0      0 10.0.12.15:35754        81.171.17.68:8090       ESTABLISHED 501/zgrab            keepalive (10.40/0/0)
tcp        0      0 10.0.12.15:41516        81.83.19.97:8090        ESTABLISHED 501/zgrab            keepalive (13.34/0/0)
tcp        0    131 10.0.12.15:33930        197.253.104.234:2376    FIN_WAIT1   -                    probe (57.05/0/3)
tcp        0    129 10.0.12.15:51304        197.253.83.90:2376      FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    130 10.0.12.15:55812        197.253.116.45:2376     FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    131 10.0.12.15:41658        197.253.104.159:2376    FIN_WAIT1   -                    probe (15.00/0/6)
tcp        0      0 10.0.12.15:33940        81.34.110.120:8090      ESTABLISHED 501/zgrab            keepalive (10.84/0/0)
tcp        0    130 10.0.12.15:41666        197.253.92.120:2376     FIN_WAIT1   -                    probe (0.41/0/6)
tcp        0    129 10.0.12.15:41244        197.253.89.75:2376      FIN_WAIT1   -                    probe (7.45/0/6)
tcp        0      0 10.0.12.15:51118        81.161.5.42:8090        ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0    130 10.0.12.15:45580        197.253.85.244:2376     FIN_WAIT1   -                    probe (0.92/0/6)
tcp        0    131 10.0.12.15:55074        197.253.107.253:2376    FIN_WAIT1   -                    probe (13.72/0/6)
tcp        0    615 10.0.12.15:42032        81.29.242.61:8090       ESTABLISHED 501/zgrab            probe (1.21/0/2)
tcp        0    616 10.0.12.15:37358        81.29.242.134:8090      ESTABLISHED 501/zgrab            probe (1.32/0/2)
tcp        0    131 10.0.12.15:59606        197.253.120.255:2376    FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0      0 10.0.12.15:43972        81.70.78.244:8090       ESTABLISHED 501/zgrab            keepalive (13.15/0/0)
tcp        0    129 10.0.12.15:53090        197.253.86.41:2376      FIN_WAIT1   -                    probe (119.71/0/7)
tcp        0      0 10.0.12.15:46130        81.171.17.63:8090       ESTABLISHED 501/zgrab            keepalive (11.35/0/0)
tcp        0    130 10.0.12.15:35024        197.253.125.83:2376     FIN_WAIT1   -                    probe (57.05/0/3)
tcp        0      0 10.0.12.15:33460        81.71.37.96:8090        ESTABLISHED 501/zgrab            keepalive (10.97/0/0)
tcp        0    130 10.0.12.15:55256        197.253.105.68:2376     FIN_WAIT1   -                    probe (7.07/0/6)
tcp        0      0 10.0.12.15:40496        81.34.27.73:8090        ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0    130 10.0.12.15:34726        197.253.108.32:2376     FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    131 10.0.12.15:57910        197.253.104.179:2376    FIN_WAIT1   -                    probe (12.19/0/6)
tcp        0    131 10.0.12.15:41488        197.253.125.248:2376    FIN_WAIT1   -                    probe (12.70/0/6)
tcp        0    130 10.0.12.15:60462        197.253.67.244:2376     FIN_WAIT1   -                    probe (27.10/0/2)
tcp        0    130 10.0.12.15:59310        197.253.83.175:2376     FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    131 10.0.12.15:51562        197.253.120.154:2376    FIN_WAIT1   -                    probe (5.27/0/6)
tcp        0    131 10.0.12.15:51556        197.253.108.173:2376    FIN_WAIT1   -                    probe (3.99/0/6)
tcp        0    615 10.0.12.15:52020        81.29.242.54:8090       ESTABLISHED 501/zgrab            probe (2.65/0/0)
tcp        0    616 10.0.12.15:50410        81.29.242.36:8090       FIN_WAIT1   -                    probe (62.36/0/5)
tcp        0      0 10.0.12.15:45240        81.33.97.83:8090        ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0    131 10.0.12.15:40144        197.253.118.148:2376    FIN_WAIT1   -                    probe (112.92/0/7)
tcp        0      0 10.0.12.15:35628        81.161.5.58:8090        ESTABLISHED 501/zgrab            keepalive (13.79/0/0)
tcp        0      0 10.0.12.15:53584        81.70.228.72:8090       ESTABLISHED 501/zgrab            keepalive (13.15/0/0)
tcp        0      0 10.0.12.15:56130        81.60.67.202:8090       TIME_WAIT   -                    timewait (59.74/0/0)
tcp        0      0 10.0.12.15:56318        81.161.4.226:8090       ESTABLISHED 501/zgrab            keepalive (10.94/0/0)
tcp        0    616 10.0.12.15:43586        81.29.242.154:8090      ESTABLISHED 501/zgrab            probe (2.65/0/0)
tcp        0    617 10.0.12.15:43642        81.105.173.107:8090     ESTABLISHED 501/zgrab            probe (0.12/0/2)
tcp        0    130 10.0.12.15:48790        197.253.91.147:2376     FIN_WAIT1   -                    probe (27.10/0/2)
tcp        0    130 10.0.12.15:55124        197.253.76.160:2376     FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0      0 10.0.12.15:40004        81.171.17.65:8090       ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0    617 10.0.12.15:54540        81.29.242.225:8090      FIN_WAIT1   -                    probe (107.67/0/8)
tcp        0      0 10.0.12.15:52022        81.168.130.85:8090      ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0      0 10.0.12.15:40172        81.218.231.209:8090     TIME_WAIT   -                    timewait (56.58/0/0)
tcp        0      0 10.0.12.15:49146        81.163.3.97:8090        ESTABLISHED 501/zgrab            keepalive (11.42/0/0)
tcp        0    131 10.0.12.15:39982        197.253.120.145:2376    FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    617 10.0.12.15:39842        81.105.173.108:8090     ESTABLISHED 501/zgrab            probe (4.23/0/3)
tcp        0      0 10.0.12.15:32968        81.161.5.12:8090        ESTABLISHED 501/zgrab            keepalive (10.97/0/0)
tcp        0      0 10.0.12.15:35474        81.161.4.239:8090       ESTABLISHED 501/zgrab            keepalive (10.52/0/0)
tcp        0    617 10.0.12.15:51120        81.29.242.151:8090      FIN_WAIT1   -                    probe (79.77/0/8)
tcp        0    130 10.0.12.15:60678        197.253.72.123:2376     FIN_WAIT1   -                    probe (47.83/0/3)
tcp        0    131 10.0.12.15:40030        197.253.104.138:2376    FIN_WAIT1   -                    probe (13.34/0/6)
tcp        0    131 10.0.12.15:49302        197.253.104.191:2376    FIN_WAIT1   -                    probe (10.39/0/6)
tcp        0    130 10.0.12.15:33902        197.253.91.244:2376     FIN_WAIT1   -                    probe (18.71/0/6)
tcp        0    131 10.0.12.15:34970        197.253.104.163:2376    FIN_WAIT1   -                    probe (57.05/0/3)
tcp        0    616 10.0.12.15:57576        81.29.242.200:8090      ESTABLISHED 501/zgrab            probe (10.62/0/0)
tcp        0      0 10.0.12.15:53064        81.173.58.105:8090      ESTABLISHED 501/zgrab            keepalive (10.84/0/0)
tcp        0      0 10.0.12.15:53126        81.161.5.17:8090        ESTABLISHED 501/zgrab            keepalive (10.78/0/0)
tcp        0      0 10.0.12.15:39096        81.161.5.83:8090        ESTABLISHED 501/zgrab            keepalive (10.91/0/0)
tcp        0      0 10.0.12.15:42358        81.164.179.89:8090      ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0    129 10.0.12.15:52428        197.253.77.77:2376      FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    129 10.0.12.15:57790        197.253.77.55:2376      FIN_WAIT1   -                    probe (60.63/0/4)
tcp        0    130 10.0.12.15:34372        197.253.75.141:2376     FIN_WAIT1   -                    probe (47.83/0/3)
tcp        0    130 10.0.12.15:59512        197.253.72.124:2376     FIN_WAIT1   -                    probe (12.70/0/6)
tcp        0    131 10.0.12.15:59480        197.253.120.178:2376    FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0      0 10.0.12.15:39728        81.161.4.92:8090        ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0    131 10.0.12.15:52488        197.253.115.151:2376    FIN_WAIT1   -                    probe (3.61/0/6)
tcp        0    130 10.0.12.15:56146        197.253.118.37:2376     FIN_WAIT1   -                    probe (57.05/0/3)
tcp        0      0 10.0.12.15:35372        81.171.17.61:8090       ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0    616 10.0.12.15:53666        81.105.173.89:8090      ESTABLISHED 501/zgrab            probe (0.12/0/2)
tcp        0    130 10.0.12.15:52818        197.253.72.237:2376     FIN_WAIT1   -                    probe (47.71/0/3)
tcp        0      1 10.0.12.15:35602        81.140.36.150:8090      LAST_ACK    -                    on (1.72/2/0)
tcp        0    130 10.0.12.15:53304        197.253.125.30:2376     FIN_WAIT1   -                    probe (48.47/0/2)
tcp        0    128 10.0.12.15:58306        197.253.76.1:2376       FIN_WAIT1   -                    probe (19.48/0/6)
tcp        0      1 10.0.12.15:40664        81.174.1.69:8090        SYN_SENT    501/zgrab            on (2.08/2/0)
tcp        0      0 10.0.12.15:54264        81.171.17.10:8090       ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0    130 10.0.12.15:53756        197.253.88.123:2376     FIN_WAIT1   -                    probe (17.69/0/6)
tcp        0      0 10.0.12.15:56908        81.171.17.13:8090       ESTABLISHED 501/zgrab            keepalive (10.71/0/0)
tcp        0      0 10.0.12.15:44962        81.161.4.250:8090       ESTABLISHED 501/zgrab            keepalive (11.39/0/0)
tcp        0    129 10.0.12.15:60836        197.253.89.32:2376      FIN_WAIT1   -                    probe (27.10/0/2)
tcp        0    131 10.0.12.15:50894        197.253.104.130:2376    FIN_WAIT1   -                    probe (7.32/0/6)
tcp        0      0 10.0.12.15:37128        81.70.242.98:8090       ESTABLISHED 501/zgrab            keepalive (10.14/0/0)
tcp        0    130 10.0.12.15:49706        197.253.72.175:2376     FIN_WAIT1   -                    probe (10.65/0/6)
tcp        0    617 10.0.12.15:35896        81.167.212.184:8090     ESTABLISHED 501/zgrab            probe (0.34/0/2)
tcp        0      0 10.0.12.15:47264        81.171.17.56:8090       ESTABLISHED 501/zgrab            keepalive (13.34/0/0)
tcp        0    615 10.0.12.15:50592        81.139.35.46:8090       ESTABLISHED 501/zgrab            probe (1.30/0/0)
tcp        0    131 10.0.12.15:53498        197.253.115.182:2376    FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    617 10.0.12.15:36800        81.165.138.149:8090     ESTABLISHED 501/zgrab            on (2.98/0/0)
tcp        0    131 10.0.12.15:41638        197.253.104.209:2376    FIN_WAIT1   -                    probe (48.47/0/2)
tcp        0    131 10.0.12.15:59004        197.253.108.210:2376    FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    616 10.0.12.15:38342        81.105.173.90:8090      ESTABLISHED 501/zgrab            probe (4.77/0/3)
tcp        0    131 10.0.12.15:36212        197.253.120.248:2376    FIN_WAIT1   -                    probe (4.76/0/6)
tcp        0    130 10.0.12.15:59880        197.253.121.76:2376     FIN_WAIT1   -                    probe (48.47/0/2)
tcp        0    131 10.0.12.15:47960        197.253.107.158:2376    FIN_WAIT1   -                    probe (48.60/0/2)
tcp        0    130 10.0.12.15:38006        197.253.92.129:2376     FIN_WAIT1   -                    probe (47.83/0/3)
tcp        0    130 10.0.12.15:47156        197.253.72.144:2376     FIN_WAIT1   -                    probe (11.29/0/6)
tcp        0    130 10.0.12.15:37414        197.253.93.166:2376     FIN_WAIT1   -                    probe (27.10/0/2)
tcp        0    131 10.0.12.15:36436        197.253.120.162:2376    FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    616 10.0.12.15:50126        81.29.242.77:8090       FIN_WAIT1   -                    probe (83.61/0/8)
tcp        0    129 10.0.12.15:59180        197.253.92.23:2376      FIN_WAIT1   -                    probe (47.83/0/3)
tcp        0      0 10.0.12.15:60776        81.171.10.144:8090      ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0      0 10.0.12.15:33874        81.71.85.94:8090        ESTABLISHED 501/zgrab            keepalive (14.07/0/0)
tcp        0    131 10.0.12.15:34132        197.253.104.119:2376    FIN_WAIT1   -                    probe (3.23/0/6)
tcp        0    616 10.0.12.15:55016        81.29.242.192:8090      ESTABLISHED 501/zgrab            probe (2.63/0/0)
tcp        0      0 10.0.12.15:43690        81.213.207.109:8090     ESTABLISHED 501/zgrab            keepalive (13.40/0/0)
tcp        0    130 10.0.12.15:33588        197.253.125.21:2376     FIN_WAIT1   -                    probe (48.60/0/2)
tcp        0    130 10.0.12.15:36072        197.253.120.95:2376     FIN_WAIT1   -                    probe (1.76/0/6)
tcp        0    616 10.0.12.15:49008        81.90.111.124:8090      ESTABLISHED 501/zgrab            probe (1.05/0/2)
tcp        0    616 10.0.12.15:40890        81.210.81.99:8090       FIN_WAIT1   -                    probe (55.45/0/8)
tcp        0    129 10.0.12.15:43064        197.253.99.96:2376      FIN_WAIT1   -                    probe (5.53/0/6)
tcp        0    130 10.0.12.15:45750        197.253.99.220:2376     FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    130 10.0.12.15:32900        197.253.88.188:2376     FIN_WAIT1   -                    probe (47.83/0/3)
tcp        0    129 10.0.12.15:39280        197.253.88.92:2376      FIN_WAIT1   -                    probe (47.83/0/3)
tcp        0    129 10.0.12.15:54320        197.253.92.28:2376      FIN_WAIT1   -                    probe (14.43/0/6)
tcp        0      0 10.0.12.15:46462        81.68.100.132:8090      ESTABLISHED 501/zgrab            keepalive (13.11/0/0)
tcp        0    129 10.0.12.15:60984        197.253.88.97:2376      FIN_WAIT1   -                    probe (9.43/0/6)
tcp        0    130 10.0.12.15:42286        197.253.83.153:2376     FIN_WAIT1   -                    probe (3.67/0/6)
tcp        0      0 10.0.12.15:51024        81.161.5.6:8090         ESTABLISHED 501/zgrab            keepalive (13.34/0/0)
tcp        0    130 10.0.12.15:43296        197.253.88.129:2376     FIN_WAIT1   -                    probe (47.71/0/3)
tcp        0      0 10.0.12.15:60980        81.169.228.61:8090      ESTABLISHED 501/zgrab            keepalive (10.71/0/0)
tcp        0    130 10.0.12.15:43660        197.253.125.82:2376     FIN_WAIT1   -                    probe (1.43/0/6)
tcp        0    130 10.0.12.15:40746        197.253.83.193:2376     FIN_WAIT1   -                    probe (57.05/0/3)
tcp        0      0 10.0.12.15:39162        81.70.47.51:8090        ESTABLISHED 501/zgrab            keepalive (10.14/0/0)
tcp        0    131 10.0.12.15:60856        197.253.109.137:2376    FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    130 10.0.12.15:36452        197.253.93.252:2376     FIN_WAIT1   -                    probe (47.83/0/3)
tcp        0    615 10.0.12.15:38510        81.23.71.92:8090        FIN_WAIT1   -                    probe (97.69/0/8)
tcp        0    130 10.0.12.15:56684        197.253.86.125:2376     FIN_WAIT1   -                    probe (47.83/0/3)
tcp        0      0 10.0.12.15:52046        81.69.245.131:8090      ESTABLISHED 501/zgrab            keepalive (10.14/0/0)
tcp        0    617 10.0.12.15:34252        81.105.173.109:8090     ESTABLISHED 501/zgrab            probe (3.38/0/3)
tcp        0    130 10.0.12.15:54774        197.253.105.26:2376     FIN_WAIT1   -                    probe (9.69/0/6)
tcp        0      0 10.0.12.15:50476        81.70.180.148:8090      ESTABLISHED 501/zgrab            keepalive (13.15/0/0)
tcp        0    129 10.0.12.15:57642        197.253.86.53:2376      FIN_WAIT1   -                    probe (47.71/0/3)
tcp        0    131 10.0.12.15:49118        197.253.115.125:2376    FIN_WAIT1   -                    probe (48.47/0/2)
tcp        0    130 10.0.12.15:56540        197.253.126.43:2376     FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0      0 10.0.12.15:56390        81.171.17.11:8090       ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0    616 10.0.12.15:51336        81.105.173.78:8090      ESTABLISHED 501/zgrab            probe (4.59/0/3)
tcp        0    130 10.0.12.15:52996        197.253.88.229:2376     FIN_WAIT1   -                    probe (63.45/0/4)
tcp        0    130 10.0.12.15:41772        197.253.88.175:2376     FIN_WAIT1   -                    probe (47.83/0/3)
tcp        0      0 10.0.12.15:38440        81.60.223.170:8090      ESTABLISHED 501/zgrab            keepalive (11.80/0/0)
tcp        0    617 10.0.12.15:36336        81.29.242.215:8090      FIN_WAIT1   -                    probe (108.70/0/8)
tcp        0    131 10.0.12.15:44640        197.253.101.220:2376    FIN_WAIT1   -                    probe (48.47/0/2)
tcp        0    130 10.0.12.15:39426        197.253.72.231:2376     FIN_WAIT1   -                    probe (7.45/0/6)
tcp        0      0 10.0.12.15:59558        81.211.94.210:8090      ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0    131 10.0.12.15:47772        197.253.107.214:2376    FIN_WAIT1   -                    probe (11.29/0/6)
tcp        0    130 10.0.12.15:34688        197.253.88.109:2376     FIN_WAIT1   -                    probe (1.82/0/6)
tcp        0      0 10.0.12.15:49494        81.69.19.26:8090        ESTABLISHED 501/zgrab            keepalive (10.11/0/0)
tcp        0      0 10.0.12.15:42520        81.70.57.114:8090       ESTABLISHED 501/zgrab            keepalive (11.13/0/0)
tcp        0      0 10.0.12.15:45970        81.163.5.1:8090         ESTABLISHED 501/zgrab            keepalive (10.46/0/0)
tcp        0    130 10.0.12.15:46830        197.253.70.136:2376     FIN_WAIT1   -                    probe (9.75/0/6)
tcp        0    617 10.0.12.15:39022        81.255.204.237:8090     ESTABLISHED 501/zgrab            on (2.88/0/0)
tcp        0      0 10.0.12.15:40922        81.140.69.62:8090       ESTABLISHED 501/zgrab            keepalive (10.27/0/0)
tcp        0    130 10.0.12.15:35102        197.253.99.121:2376     FIN_WAIT1   -                    probe (48.60/0/2)
tcp        0    130 10.0.12.15:58918        197.253.120.82:2376     FIN_WAIT1   -                    probe (48.60/0/2)
tcp        0    130 10.0.12.15:47244        197.253.88.122:2376     FIN_WAIT1   -                    probe (27.23/0/2)
tcp        0    130 10.0.12.15:35844        197.253.69.168:2376     FIN_WAIT1   -                    probe (47.83/0/3)
tcp        0      0 10.0.12.15:50080        81.69.222.228:8090      ESTABLISHED 501/zgrab            keepalive (11.10/0/0)
tcp        0      0 10.0.12.15:48430        81.161.5.2:8090         ESTABLISHED 501/zgrab            keepalive (12.38/0/0)
tcp        0      0 10.0.12.15:51090        81.70.116.73:8090       ESTABLISHED 501/zgrab            keepalive (10.59/0/0)
tcp        0    130 10.0.12.15:59508        197.253.93.129:2376     FIN_WAIT1   -                    probe (27.10/0/2)
tcp        0    130 10.0.12.15:35830        197.253.121.74:2376     FIN_WAIT1   -                    probe (57.05/0/3)
tcp        0    616 10.0.12.15:34914        81.29.242.146:8090      ESTABLISHED 501/zgrab            probe (10.66/0/0)
tcp        0    130 10.0.12.15:47516        197.253.75.202:2376     FIN_WAIT1   -                    probe (47.71/0/3)
tcp        0    130 10.0.12.15:60470        197.253.124.15:2376     FIN_WAIT1   -                    probe (60.63/0/4)
tcp        0    615 10.0.12.15:39122        81.29.242.62:8090       ESTABLISHED 501/zgrab            probe (1.70/0/2)
tcp        0    131 10.0.12.15:46764        197.253.120.207:2376    FIN_WAIT1   -                    probe (4.76/0/6)
tcp        0      0 10.0.12.15:42806        81.169.135.204:8090     ESTABLISHED 501/zgrab            keepalive (11.03/0/0)
tcp        0    130 10.0.12.15:33030        197.253.121.71:2376     FIN_WAIT1   -                    probe (0.73/0/6)
tcp        0    130 10.0.12.15:33102        197.253.121.52:2376     FIN_WAIT1   -                    probe (60.51/0/4)
tcp        0    130 10.0.12.15:37892        197.253.72.149:2376     FIN_WAIT1   -                    probe (47.71/0/3)
tcp        0    130 10.0.12.15:59120        197.253.91.153:2376     FIN_WAIT1   -                    probe (10.78/0/6)
tcp        0    615 10.0.12.15:50976        81.29.242.32:8090       ESTABLISHED 501/zgrab            probe (2.62/0/0)
tcp        0      0 10.0.12.15:40334        81.70.57.240:8090       ESTABLISHED 501/zgrab            keepalive (13.15/0/0)
tcp        0    130 10.0.12.15:54694        197.253.88.120:2376     FIN_WAIT1   -                    probe (2.59/0/6)
tcp        0      0 10.0.12.15:60830        81.47.165.128:8090      TIME_WAIT   -                    timewait (58.86/0/0)
tcp        0      0 10.0.12.15:58880        81.71.100.22:8090       ESTABLISHED 501/zgrab            keepalive (10.14/0/0)
tcp        0    130 10.0.12.15:48614        197.253.105.23:2376     FIN_WAIT1   -                    probe (10.97/0/6)
tcp        0    130 10.0.12.15:34872        197.253.93.182:2376     FIN_WAIT1   -                    probe (11.03/0/6)
tcp        0    131 10.0.12.15:40122        197.253.104.186:2376    FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    130 10.0.12.15:43284        197.253.105.21:2376     FIN_WAIT1   -                    probe (9.69/0/6)
tcp        0    615 10.0.12.15:49558        81.29.242.20:8090       ESTABLISHED 501/zgrab            probe (2.56/0/2)
tcp        0    616 10.0.12.15:56560        81.29.242.40:8090       FIN_WAIT1   -                    probe (112.79/0/8)
tcp        0      0 10.0.12.15:45312        81.70.142.97:8090       ESTABLISHED 501/zgrab            keepalive (10.14/0/0)
tcp        0    129 10.0.12.15:33548        197.253.89.47:2376      FIN_WAIT1   -                    probe (47.83/0/3)
tcp        0    131 10.0.12.15:55976        197.253.108.181:2376    FIN_WAIT1   -                    probe (48.60/0/2)
tcp        0      0 10.0.12.15:41528        81.42.201.237:8090      ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0    616 10.0.12.15:57990        81.246.65.152:8090      ESTABLISHED 501/zgrab            probe (4.78/0/3)
tcp        0    615 10.0.12.15:46764        81.139.35.68:8090       ESTABLISHED 501/zgrab            probe (4.98/0/3)
tcp        0      0 10.0.12.15:55352        81.163.1.180:8090       ESTABLISHED 501/zgrab            keepalive (10.46/0/0)
tcp        0    615 10.0.12.15:59314        81.90.111.94:8090       ESTABLISHED 501/zgrab            probe (5.14/0/3)
tcp        0      0 10.0.12.15:41676        81.218.11.171:8090      ESTABLISHED 501/zgrab            keepalive (13.79/0/0)
tcp        0    617 10.0.12.15:45206        81.29.242.166:8090      FIN_WAIT1   -                    probe (98.97/0/8)
tcp        0      0 10.0.12.15:43290        81.3.204.89:8090        TIME_WAIT   -                    timewait (56.06/0/0)
tcp        0    616 10.0.12.15:49266        81.90.111.114:8090      ESTABLISHED 501/zgrab            probe (4.13/0/3)
tcp        0    617 10.0.12.15:51338        81.29.242.126:8090      FIN_WAIT1   -                    probe (84.63/0/8)
tcp        0    130 10.0.12.15:36872        197.253.69.185:2376     FIN_WAIT1   -                    probe (47.71/0/3)
tcp        0    131 10.0.12.15:50266        197.253.107.172:2376    FIN_WAIT1   -                    probe (48.60/0/2)
tcp        0      0 10.0.12.15:55602        81.169.226.114:8090     ESTABLISHED 501/zgrab            keepalive (11.29/0/0)
tcp        0      0 10.0.12.15:48700        81.171.17.88:8090       ESTABLISHED 501/zgrab            keepalive (13.34/0/0)
tcp        0    130 10.0.12.15:58176        197.253.92.158:2376     FIN_WAIT1   -                    probe (117.91/0/7)
tcp        0    129 10.0.12.15:39166        197.253.93.87:2376      FIN_WAIT1   -                    probe (19.67/0/6)
tcp        0    131 10.0.12.15:38150        197.253.117.189:2376    FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    131 10.0.12.15:40410        197.253.120.149:2376    FIN_WAIT1   -                    probe (7.19/0/6)
tcp        0    131 10.0.12.15:34008        197.253.101.186:2376    FIN_WAIT1   -                    probe (48.47/0/2)
tcp        0      0 10.0.12.15:40116        81.51.29.221:8090       ESTABLISHED 501/zgrab            keepalive (13.85/0/0)
tcp        0    616 10.0.12.15:52192        81.29.242.199:8090      ESTABLISHED 501/zgrab            probe (2.68/0/0)
tcp        0    616 10.0.12.15:38436        81.196.68.204:8090      ESTABLISHED 501/zgrab            on (2.38/0/0)
tcp        0    130 10.0.12.15:56522        197.253.91.113:2376     FIN_WAIT1   -                    probe (27.10/0/2)
tcp        0    615 10.0.12.15:53500        81.29.242.45:8090       ESTABLISHED 501/zgrab            probe (1.65/0/2)
tcp        0    130 10.0.12.15:42530        197.253.76.177:2376     FIN_WAIT1   -                    probe (48.60/0/2)
tcp        0    129 10.0.12.15:37106        197.253.89.31:2376      FIN_WAIT1   -                    probe (19.74/0/6)
tcp        0    615 10.0.12.15:51604        81.29.242.46:8090       ESTABLISHED 501/zgrab            probe (2.05/0/2)
tcp        0      0 10.0.12.15:46974        81.161.5.142:8090       ESTABLISHED 501/zgrab            keepalive (10.84/0/0)
tcp        0    130 10.0.12.15:58910        197.253.105.54:2376     FIN_WAIT1   -                    probe (11.99/0/6)
tcp        0      0 10.0.12.15:52160        81.161.7.249:8090       ESTABLISHED 501/zgrab            keepalive (11.48/0/0)
tcp        0    616 10.0.12.15:47428        81.185.29.224:8090      ESTABLISHED 501/zgrab            on (0.19/2/0)
tcp        0    130 10.0.12.15:38688        197.253.125.71:2376     FIN_WAIT1   -                    probe (5.79/0/6)
tcp        0      0 10.0.12.15:34996        81.5.117.14:8090        ESTABLISHED 501/zgrab            keepalive (13.37/0/0)
tcp        0    617 10.0.12.15:46142        81.192.159.245:8090     ESTABLISHED 501/zgrab            probe (1.58/0/2)
tcp        0    130 10.0.12.15:45268        197.253.75.238:2376     FIN_WAIT1   -                    probe (47.83/0/3)
tcp        0    617 10.0.12.15:40114        81.105.173.118:8090     ESTABLISHED 501/zgrab            probe (0.05/0/2)
tcp        0      0 10.0.12.15:60236        81.171.17.64:8090       ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0    617 10.0.12.15:56778        81.27.214.111:8090      FIN_WAIT1   -                    probe (34.46/0/8)
tcp        0      0 10.0.12.15:52838        81.154.27.51:8090       ESTABLISHED 501/zgrab            keepalive (10.78/0/0)
tcp        0    130 10.0.12.15:57180        197.253.125.85:2376     FIN_WAIT1   -                    probe (116.89/0/7)
tcp        0    616 10.0.12.15:58098        81.90.111.116:8090      ESTABLISHED 501/zgrab            probe (0.19/0/2)
tcp        0    616 10.0.12.15:49856        81.29.242.51:8090       FIN_WAIT1   -                    probe (80.54/0/8)
tcp        0      0 10.0.12.15:43950        81.161.4.224:8090       ESTABLISHED 501/zgrab            keepalive (10.75/0/0)
tcp        0      0 10.0.12.15:34186        81.69.160.82:8090       ESTABLISHED 501/zgrab            keepalive (10.11/0/0)
tcp        0      0 10.0.12.15:32826        81.71.48.111:8090       ESTABLISHED 501/zgrab            keepalive (11.16/0/0)
tcp        0      0 10.0.12.15:54214        81.70.52.120:8090       ESTABLISHED 501/zgrab            keepalive (13.15/0/0)
tcp        0    129 10.0.12.15:50660        197.253.83.97:2376      FIN_WAIT1   -                    probe (1.75/0/6)
tcp        0      0 10.0.12.15:40258        81.150.157.114:8090     ESTABLISHED 501/zgrab            keepalive (11.35/0/0)
tcp        0    616 10.0.12.15:33198        81.29.242.224:8090      ESTABLISHED 501/zgrab            probe (2.62/0/0)
tcp        0    131 10.0.12.15:59654        197.253.108.139:2376    FIN_WAIT1   -                    probe (57.05/0/3)
tcp        0    130 10.0.12.15:53610        197.253.77.192:2376     FIN_WAIT1   -                    probe (31.51/0/6)
tcp        0    617 10.0.12.15:51782        81.27.214.122:8090      FIN_WAIT1   -                    probe (37.27/0/8)
tcp        0    130 10.0.12.15:50688        197.253.105.40:2376     FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    616 10.0.12.15:47882        81.29.242.170:8090      ESTABLISHED 501/zgrab            probe (1.36/0/2)
tcp        0      0 10.0.12.15:55600        81.70.164.204:8090      ESTABLISHED 501/zgrab            keepalive (13.15/0/0)
tcp        0      0 10.0.12.15:57886        81.161.5.21:8090        ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0      0 10.0.12.15:43930        81.19.4.116:8090        ESTABLISHED 501/zgrab            keepalive (10.36/0/0)
tcp        0      0 10.0.12.15:59668        81.171.17.51:8090       ESTABLISHED 501/zgrab            keepalive (13.34/0/0)
tcp        0    131 10.0.12.15:57384        197.253.125.129:2376    FIN_WAIT1   -                    probe (5.40/0/6)
tcp        0    617 10.0.12.15:35422        81.27.214.100:8090      FIN_WAIT1   -                    probe (53.91/0/8)
tcp        0    616 10.0.12.15:54382        81.29.242.137:8090      ESTABLISHED 501/zgrab            probe (1.67/0/2)
tcp        0    130 10.0.12.15:52480        197.253.92.216:2376     FIN_WAIT1   -                    probe (9.18/0/6)
tcp        0      0 10.0.12.15:52670        81.161.5.14:8090        ESTABLISHED 501/zgrab            keepalive (10.30/0/0)
tcp        0    131 10.0.12.15:47262        197.253.104.253:2376    FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    617 10.0.12.15:43346        81.246.65.212:8090      FIN_WAIT1   -                    probe (31.90/0/8)
tcp        0      0 10.0.12.15:34466        81.171.17.66:8090       ESTABLISHED 501/zgrab            keepalive (11.35/0/0)
tcp        0    131 10.0.12.15:48054        197.253.109.128:2376    FIN_WAIT1   -                    probe (48.60/0/2)
tcp        0    130 10.0.12.15:50406        197.253.83.111:2376     FIN_WAIT1   -                    probe (9.18/0/6)
tcp        0    130 10.0.12.15:48632        197.253.121.27:2376     FIN_WAIT1   -                    probe (67.55/0/4)
tcp        0    616 10.0.12.15:42660        81.0.144.216:8090       FIN_WAIT1   -                    probe (40.09/0/8)
tcp        0    129 10.0.12.15:39926        197.253.77.81:2376      FIN_WAIT1   -                    probe (9.75/0/6)
tcp        0      0 10.0.12.15:43332        81.171.17.89:8090       ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0    130 10.0.12.15:50542        197.253.83.129:2376     FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    130 10.0.12.15:44032        197.253.85.225:2376     FIN_WAIT1   -                    probe (47.83/0/3)
tcp        0      0 10.0.12.15:41302        81.171.17.33:8090       ESTABLISHED 501/zgrab            keepalive (11.35/0/0)
tcp        0      0 10.0.12.15:36420        81.171.17.85:8090       ESTABLISHED 501/zgrab            keepalive (10.75/0/0)
tcp        0    129 10.0.12.15:50196        197.253.77.89:2376      FIN_WAIT1   -                    probe (9.24/0/6)
tcp        0      0 10.0.12.15:44910        81.171.17.32:8090       ESTABLISHED 501/zgrab            keepalive (10.39/0/0)
tcp        0    129 10.0.12.15:43932        197.253.93.47:2376      FIN_WAIT1   -                    probe (47.70/0/3)
tcp        0    131 10.0.12.15:57640        197.253.107.130:2376    FIN_WAIT1   -                    probe (48.60/0/2)
tcp        0    131 10.0.12.15:55500        197.253.107.171:2376    FIN_WAIT1   -                    probe (11.99/0/6)
tcp        0      0 10.0.12.15:48934        81.20.16.5:8090         ESTABLISHED 501/zgrab            keepalive (10.90/0/0)
tcp        0    130 10.0.12.15:52580        197.253.83.216:2376     FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    130 10.0.12.15:44818        197.253.88.161:2376     FIN_WAIT1   -                    probe (47.83/0/3)
tcp        0    130 10.0.12.15:40616        197.253.83.126:2376     FIN_WAIT1   -                    probe (1.18/0/6)
tcp        0    615 10.0.12.15:53574        81.29.242.43:8090       ESTABLISHED 501/zgrab            probe (1.24/0/2)
tcp        0    128 10.0.12.15:44092        197.253.86.0:2376       FIN_WAIT1   -                    probe (1.82/0/6)
tcp        0    130 10.0.12.15:45272        197.253.104.85:2376     FIN_WAIT1   -                    probe (119.83/0/7)
tcp        0    130 10.0.12.15:57356        197.253.92.209:2376     FIN_WAIT1   -                    probe (47.83/0/3)
tcp        0    616 10.0.12.15:48870        81.29.242.210:8090      ESTABLISHED 501/zgrab            probe (1.28/0/2)
tcp        0    131 10.0.12.15:33458        197.253.120.213:2376    FIN_WAIT1   -                    probe (57.05/0/3)
tcp        0    131 10.0.12.15:33728        197.253.108.184:2376    FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0      0 10.0.12.15:33148        81.69.98.100:8090       ESTABLISHED 501/zgrab            keepalive (11.48/0/0)
tcp        0      0 10.0.12.15:48296        81.89.61.188:8090       ESTABLISHED 501/zgrab            keepalive (11.35/0/0)
tcp        0    130 10.0.12.15:57116        197.253.99.160:2376     FIN_WAIT1   -                    probe (7.06/0/6)
tcp        0      0 10.0.12.15:60590        81.42.222.51:8090       ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0    130 10.0.12.15:33510        197.253.104.93:2376     FIN_WAIT1   -                    probe (12.44/0/6)
tcp        0    614 10.0.12.15:58692        81.29.242.6:8090        ESTABLISHED 501/zgrab            probe (10.62/0/0)
tcp        0      0 10.0.12.15:40938        81.200.132.85:8090      TIME_WAIT   -                    timewait (56.93/0/0)
tcp        0    131 10.0.12.15:47758        197.253.101.120:2376    FIN_WAIT1   -                    probe (4.70/0/6)
tcp        0    130 10.0.12.15:34098        197.253.76.125:2376     FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0    129 10.0.12.15:52228        197.253.91.89:2376      FIN_WAIT1   -                    probe (11.54/0/6)
tcp        0      0 10.0.12.15:53644        81.214.141.188:8090     ESTABLISHED 501/zgrab            keepalive (11.35/0/0)
tcp        0    616 10.0.12.15:48800        81.29.242.255:8090      ESTABLISHED 501/zgrab            probe (1.78/0/2)
tcp        0    130 10.0.12.15:56622        197.253.75.167:2376     FIN_WAIT1   -                    probe (7.32/0/6)
tcp        0      0 10.0.12.15:46360        81.171.17.4:8090        ESTABLISHED 501/zgrab            keepalive (13.27/0/0)
tcp        0    615 10.0.12.15:49780        81.29.242.12:8090       ESTABLISHED 501/zgrab            probe (1.35/0/2)
tcp        0      0 10.0.12.15:58790        81.172.209.240:8090     ESTABLISHED 501/zgrab            keepalive (10.39/0/0)
tcp        0    129 10.0.12.15:42262        197.253.73.19:2376      FIN_WAIT1   -                    probe (18.46/0/6)
tcp        0    130 10.0.12.15:56606        197.253.69.124:2376     FIN_WAIT1   -                    probe (57.18/0/4)
tcp        0      0 10.0.12.15:45742        81.61.129.168:8090      ESTABLISHED 501/zgrab            keepalive (11.42/0/0)
tcp        0    616 10.0.12.15:37500        81.29.242.230:8090      ESTABLISHED 501/zgrab            probe (1.20/0/2)
tcp        0    616 10.0.12.15:39468        81.29.242.217:8090      ESTABLISHED 501/zgrab            probe (1.68/0/2)
tcp        0    130 10.0.12.15:58502        197.253.83.100:2376     FIN_WAIT1   -                    probe (18.58/0/6)
tcp        0    131 10.0.12.15:58852        197.253.120.156:2376    FIN_WAIT1   -                    probe (57.30/0/3)
tcp        0      0 10.0.12.15:36454        81.171.17.47:8090       ESTABLISHED 501/zgrab            keepalive (10.39/0/0)
tcp        0    617 10.0.12.15:45890        81.161.241.194:8090     ESTABLISHED 501/zgrab            probe (10.56/0/0)
tcp        0      0 10.0.12.15:35802        81.161.4.65:8090        ESTABLISHED 501/zgrab            keepalive (11.42/0/0)
tcp        0    129 10.0.12.15:42876        197.253.88.89:2376      FIN_WAIT1   -                    probe (47.83/0/3)
tcp        0      0 10.0.12.15:43370        14.18.167.233:9988      ESTABLISHED 10246/secu-tcs-agen  off (0.00/0/0)
tcp        0      0 10.0.12.15:57480        81.42.244.128:8090      ESTABLISHED 501/zgrab            keepalive (13.34/0/0)
tcp        0    615 10.0.12.15:51590        81.29.242.5:8090        FIN_WAIT1   -                    probe (58.52/0/4)
tcp        0      0 10.0.12.15:59800        81.19.141.118:8090      ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0    130 10.0.12.15:60178        197.253.67.221:2376     FIN_WAIT1   -                    probe (9.43/0/6)
tcp        0    616 10.0.12.15:43856        81.29.242.207:8090      ESTABLISHED 501/zgrab            probe (3.13/0/0)
tcp        0    131 10.0.12.15:36816        197.253.104.120:2376    FIN_WAIT1   -                    probe (48.47/0/2)
tcp        0    614 10.0.12.15:55048        81.23.64.14:8090        ESTABLISHED 501/zgrab            probe (1.36/0/2)
tcp        0    131 10.0.12.15:39444        197.253.104.172:2376    FIN_WAIT1   -                    probe (60.50/0/4)
tcp        0    129 10.0.12.15:45248        197.253.73.58:2376      FIN_WAIT1   -                    probe (27.10/0/2)
tcp        0      0 10.0.12.15:53588        81.161.4.244:8090       ESTABLISHED 501/zgrab            keepalive (10.97/0/0)
tcp        0    616 10.0.12.15:57636        81.29.242.25:8090       FIN_WAIT1   -                    probe (114.33/0/8)
tcp        0    130 10.0.12.15:51168        197.253.125.64:2376     FIN_WAIT1   -                    probe (3.74/0/6)
tcp        0    615 10.0.12.15:59604        81.90.111.97:8090       ESTABLISHED 501/zgrab            probe (1.30/0/0)
tcp        0    130 10.0.12.15:59896        197.253.88.223:2376     FIN_WAIT1   -                    probe (57.18/0/4)
tcp        0    130 10.0.12.15:59512        197.253.72.127:2376     FIN_WAIT1   -                    probe (1.30/0/6)
tcp        0    128 10.0.12.15:40436        197.253.89.3:2376       FIN_WAIT1   -                    probe (9.69/0/6)
tcp        0    130 10.0.12.15:50008        197.253.110.39:2376     FIN_WAIT1   -                    probe (57.18/0/3)
tcp        0      0 10.0.12.15:44630        81.71.130.76:8090       ESTABLISHED 501/zgrab            keepalive (10.97/0/0)
tcp        0      0 10.0.12.15:51550        81.69.128.214:8090      ESTABLISHED 501/zgrab            keepalive (11.10/0/0)
tcp        0      0 10.0.12.15:39842        81.161.4.130:8090       ESTABLISHED 501/zgrab            keepalive (13.40/0/0)
tcp        0      0 10.0.12.15:58494        81.161.5.3:8090         ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0    616 10.0.12.15:51792        81.14.186.233:8090      ESTABLISHED 501/zgrab            probe (1.26/0/2)
tcp        0    130 10.0.12.15:55902        197.253.75.219:2376     FIN_WAIT1   -                    probe (27.10/0/2)
tcp        0      0 10.0.12.15:59276        81.20.240.230:8090      ESTABLISHED 501/zgrab            keepalive (13.34/0/0)
tcp        0      0 10.0.12.15:40854        81.161.5.37:8090        ESTABLISHED 501/zgrab            keepalive (11.29/0/0)
tcp        0      0 10.0.12.15:58466        81.161.4.223:8090       ESTABLISHED 501/zgrab            keepalive (11.74/0/0)
tcp        0    130 10.0.12.15:33456        197.253.83.160:2376     FIN_WAIT1   -                    probe (48.60/0/2)
tcp        0      0 10.0.12.15:48572        81.71.32.88:8090        ESTABLISHED 501/zgrab            keepalive (10.14/0/0)
tcp        0    615 10.0.12.15:43796        81.29.242.15:8090       ESTABLISHED 501/zgrab            probe (2.62/0/0)
tcp        0    130 10.0.12.15:48726        197.253.88.255:2376     FIN_WAIT1   -                    probe (7.96/0/6)
tcp        0      0 10.0.12.15:41426        81.19.141.93:8090       ESTABLISHED 501/zgrab            keepalive (10.78/0/0)
tcp        0      0 10.0.12.15:35272        81.4.123.179:8090       ESTABLISHED 501/zgrab            keepalive (10.90/0/0)
tcp        0    131 10.0.12.15:57918        197.253.120.212:2376    FIN_WAIT1   -                    probe (118.17/0/7)
tcp        0      1 10.0.12.15:59962        81.109.224.136:8090     LAST_ACK    -                    on (7.97/0/0)
tcp        0    129 10.0.12.15:46866        197.253.91.99:2376      FIN_WAIT1   -                    probe (27.10/0/2)
tcp        0      0 10.0.12.15:37556        81.165.171.152:8090     TIME_WAIT   -                    timewait (55.92/0/0)
tcp        0      0 10.0.12.15:56002        81.161.5.15:8090        ESTABLISHED 501/zgrab            keepalive (10.84/0/0)
tcp        0    131 10.0.12.15:42052        197.253.107.121:2376    FIN_WAIT1   -                    probe (48.47/0/2)
tcp        0      0 10.0.12.15:40480        81.149.178.39:8090      ESTABLISHED 501/zgrab            keepalive (10.33/0/0)
tcp        0    130 10.0.12.15:36072        197.253.88.165:2376     FIN_WAIT1   -                    probe (8.47/0/6)
tcp        0    617 10.0.12.15:46780        81.246.65.198:8090      FIN_WAIT1   -                    probe (30.87/0/8)
tcp        0    616 10.0.12.15:49274        81.105.173.81:8090      ESTABLISHED 501/zgrab            probe (4.00/0/3)
tcp        0    618 10.0.12.15:48926        81.183.235.165:8090     FIN_WAIT1   -                    probe (69.27/0/8)
tcp        0    130 10.0.12.15:53704        197.253.109.39:2376     FIN_WAIT1   -                    probe (60.50/0/4)
tcp        0      0 10.0.12.15:60520        81.68.110.139:8090      ESTABLISHED 501/zgrab            keepalive (11.10/0/0)
tcp        1    617 10.0.12.15:52742        119.96.82.114:8090      CLOSING     -                    on (3.49/0/0)
tcp        0      0 10.0.12.15:52922        81.148.211.202:8090     ESTABLISHED 501/zgrab            keepalive (12.28/0/0)
tcp        0    616 10.0.12.15:41246        81.246.65.184:8090      ESTABLISHED 501/zgrab            probe (4.37/0/3)
tcp        0      0 10.0.12.15:47322        81.30.217.30:8090       ESTABLISHED 501/zgrab            keepalive (10.39/0/0)
tcp6       0      0 ::1:25                  :::*                    LISTEN      1468/master          off (0.00/0/0)   keepalive (0.60/0/0)
udp        0      0 10.0.12.15:123          0.0.0.0:*                           674/ntpd             off (0.00/0/0)
udp        0      0 127.0.0.1:123           0.0.0.0:*                           674/ntpd             off (0.00/0/0)
udp6       0      0 fe80::5054:ff:fea8::123 :::*                                674/ntpd             off (0.00/0/0)
udp6       0      0 ::1:123                 :::*                                674/ntpd             off (0.00/0/0)

这下找到腾讯云判断为"服务器对外攻击行为"的原因了,应该是有一个恶意进程在不断访问,下面我们来找一下这个恶意进程:

使用netstat工具找不到8090端口的恶意进程信息,那就使用专门查找进程ps工具来查看,因为:

  • netstat工具是用于显示各种网络相关信息,如网络连接,路由表,接口状态;
  • ps工具是查看所有终端控制的所有进程

找到病毒运行的进程了,如下所示:

[root@VM-12-15-centos deepinsea]# ps -elf|grep 8090
0 S root       501   498  0  80   0 - 245880 pipe_w 02:30 ?       00:00:00 zgrab --senders 200 --port 8090 --http=/%24%7BClass.forName%28%22com.opensymphony.webwork.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29.setHeader%28%22X-Cmd-Response%22%2CClass.forName%28%22javax.script.ScriptEngineManager%22%29.newInstance%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22var%20d%3D%27%27%3Bvar%20i%20%3D%20java.lang.Runtime.getRuntime%28%29.exec%28%27id%27%29.getInputStream%28%29%3B%20while%28i.available%28%29%29d%2B%3DString.fromCharCode%28i.read%28%29%29%3Bd%22%29%29%7D/ --output-file=-
4 S root      3299 24712  0  80   0 - 30529 pipe_w 02:40 pts/0    00:00:00 grep --color=auto 8090

看来是使用go写的zgrab端口扫描工具**,**扫描到咱们的服务器端口了,然后上传并允许攻击镜像和容器,还留了个真实进程作为后门并且还能继续攻击。

直接杀这个501进程还会重新起一个新的相同进程,说明源攻击进程不是这个。那我们找一下和zgrab相关的进程:

[root@VM-12-15-centos deepinsea]# ps -ef |grep zgrab
root       501     1  0 02:30 ?        00:00:02 zgrab --senders 200 --port 8090 --http=/%24%7BClass.forName%28%22com.opensymphony.webwork.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29.setHeader%28%22X-Cmd-Response%22%2CClass.forName%28%22javax.script.ScriptEngineManager%22%29.newInstance%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22var%20d%3D%27%27%3Bvar%20i%20%3D%20java.lang.Runtime.getRuntime%28%29.exec%28%27id%27%29.getInputStream%28%29%3B%20while%28i.available%28%29%29d%2B%3DString.fromCharCode%28i.read%28%29%29%3Bd%22%29%29%7D/ --output-file=-
root     10503 10500  0 03:04 ?        00:00:00 zgrab --senders 200 --port 2376 --http=/v1.16/version --output-file=-
root     10943 24712  0 03:06 pts/0    00:00:00 grep --color=auto zgrab

找到了zgrab的源进程信息,就是这个运行在本地2376端口的zgrab服务。还真是讽刺啊,就是docker对外暴露端口的下一个端口。

kill命令杀掉这个进程并使用ps工具再次查看下进程信息,如下所示:

[root@VM-12-15-centos deepinsea]# kill -9 10503
[root@VM-12-15-centos deepinsea]# pgrep zgrab | xargs kill -s 9
[root@VM-12-15-centos deepinsea]# ps -ef |grep zgrab
root     11188 11185  0 03:06 ?        00:00:00 zgrab --senders 200 --port 8090 --http=/%24%7BClass.forName%28%22com.opensymphony.webwork.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29.setHeader%28%22X-Cmd-Response%22%2CClass.forName%28%22javax.script.ScriptEngineManager%22%29.newInstance%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22var%20d%3D%27%27%3Bvar%20i%20%3D%20java.lang.Runtime.getRuntime%28%29.exec%28%27id%27%29.getInputStream%28%29%3B%20while%28i.available%28%29%29d%2B%3DString.fromCharCode%28i.read%28%29%29%3Bd%22%29%29%7D/ --output-file=-
root     11220 24712  0 03:06 pts/0    00:00:00 grep --color=auto zgrab

之前杀不掉这个进程,现在zgrab运行的源进程都被杀了,现在使用kill -9应该能杀死这个进程了:

当然,后续还可能存在定时任务再次重启恶意进程,所以我们可以选择排查一下定时任务并观察服务器一段时间,确认没有问题了再暴露原来被攻击过的端口

[root@VM-12-15-centos deepinsea]# ps -ef |grep zgrab
root     11188 11185  0 03:06 ?        00:00:00 zgrab --senders 200 --port 8090 --http=/%24%7BClass.forName%28%22com.opensymphony.webwork.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29.setHeader%28%22X-Cmd-Response%22%2CClass.forName%28%22javax.script.ScriptEngineManager%22%29.newInstance%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22var%20d%3D%27%27%3Bvar%20i%20%3D%20java.lang.Runtime.getRuntime%28%29.exec%28%27id%27%29.getInputStream%28%29%3B%20while%28i.available%28%29%29d%2B%3DString.fromCharCode%28i.read%28%29%29%3Bd%22%29%29%7D/ --output-file=-
root     11245 24712  0 03:07 pts/0    00:00:00 grep --color=auto zgrab
[root@VM-12-15-centos deepinsea]# kill -9 11188
[root@VM-12-15-centos deepinsea]# ps -ef |grep zgrab
root     11316 24712  0 03:07 pts/0    00:00:00 grep --color=auto zgrab
[root@VM-12-15-centos deepinsea]# ps -ef |grep 8090
root     11376 24712  0 03:07 pts/0    00:00:00 grep --color=auto 8090
[root@VM-12-15-centos deepinsea]# ps -ef |grep 2376
root     12625 24712  0 03:11 pts/0    00:00:00 grep --color=auto 2376

ok,成功解决!

后续

事实证明,光是杀死进程还是不够的,还得解决后门问题,因为不到一天腾讯云的警告邮件重新发到了我的邮箱里。

我们登录到服务器,使用ps命令继续查看,发现恶意进程又重新启动了:

[root@VM-12-15-centos 26997]# ps -ef |grep zgrab
root      3351 32101  0 01:31 pts/0    00:00:00 grep --color=auto zgrab
root     26997 26994  0 01:01 ?        00:00:02 zgrab --senders 200 --port 8090 --http=/%24%7BClass.forName%28%22com.opensymphony.webwork.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29.setHeader%28%22X-Cmd-Response%22%2CClass.forName%28%22javax.script.ScriptEngineManager%22%29.newInstance%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22var%20d%3D%27%27%3Bvar%20i%20%3D%20java.lang.Runtime.getRuntime%28%29.exec%28%27id%27%29.getInputStream%28%29%3B%20while%28i.available%28%29%29d%2B%3DString.fromCharCode%28i.read%28%29%29%3Bd%22%29%29%7D/ --output-file=-
root     29195 29192  0 May15 ?        00:00:07 zgrab --senders 200 --port 2375 --http=/v1.16/version --output-file=-

我们根据,根据PID查看软件所在位置路径

[root@VM-12-15-centos 26997]# ls -l /proc/26997 | grep exe
lrwxrwxrwx  1 root root 0 May 16 01:01 exe -> /usr/bin/zgrab

重新kill掉这两个进程:

[root@VM-12-15-centos 26997]# kill -9 26997
[root@VM-12-15-centos 26997]# kill -9 29195

再次使用ps命令查看,发现进程已被成功清除:

[root@VM-12-15-centos 26997]# ps -ef |grep zgrab
root      4483 32101  0 01:34 pts/0    00:00:00 grep --color=auto zgrab

然后删除/usr/bin/zgrab二进制包,重新安装docker,即可解决!

Java白羊
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
阿里云Liunx服务器开启新端口
01-07
开启服务端口需要俩步,配置安全组、开启防火墙 配置阿里云安全组 准备工作: 登陆阿里云后台,点击左上角菜单,选择云服务器。 选择实例 选择安全组 选择配置规则 添加安全组规则 注: 端口范围填写 xx/xx,可填写...
mysql服务器端口12260被占用_处理服务器端口被占用问题
weixin_31558841的博客
01-26 630
在MyEclipse启动或者是tomcat启动的时候出现:Address already in use: JVM_Bind:8080 出现该异常,这里的8080是你的端口,有可能是80或者其他,但是都是一个原因引起的,我在用MyEclipse的时候,有时候MyEclipse突然死掉了,然后我就直接关掉在打开,这时候重启服务器就会出现该异常:Address already in use: JVM_B...
存在对其他服务器端口(TCP:8090)的攻击行为之我的服务器被黑了
比尔·马云的博客
11-25 2368
docker暴露2375端口导致变成了别人的肉鸡
端口经常被攻击怎么办
最新发布
athena1999的博客
01-31 171
5.及时更新软件和补丁:及时更新系统和应用程序的补丁和安全更新,以修复已知的安全漏洞。1.关闭不必要的端口:只打开必要的端口,避免打开不必要的端口,以减少潜在的安全风险。3.定期检查系统日志:定期检查系统日志以发现异常流量和异常行为,及时处理安全事件。4.使用安全的密码策略:设置复杂的密码并定期更换密码,以避免密码猜测攻击。2.使用防火墙:在服务器上安装防火墙并配置安全规则,以限制对端口的访问。端口经常被攻击怎么办。
Error: listen EADDRINUSE: address already in use 127.16.20.217:8090
sx_lz_1119的博客
01-29 707
Error: listen EADDRINUSE: address already in use 127.16.20.217:8090
问题8090端口号被占用
你要去相信,没有到不了的明天。
04-28 4223
做项目要用8090端口号,但是现在不幸的是我之前做项目用了这个端口,这就遇到问题啦,刚开始的时候就想着找到那个文件,改一下或者删除。但是我之前的文件已经不在,那我的端口号为什么还是会被占用的呢,因为当时着急弄其他的就把它搁置了,换了一个端口号,但是这样就很麻烦,项目接口就不能自启。麻烦了好几天,终于我忍不了了,不要学我,遇到问题还是要及时解决的。 一、接下来就是去找寻它的踪迹, 输入命令 nets...
阿里云开墙
weixin_45608827的博客
08-08 1058
阿里云开墙攻略
阿里云ECS云服务器如何开放8080端口
01-09
阿里云服务器ECS处于安全考虑默认自带安全组(仅开放了22号和3389号端口),Tomcat的默认端口号为8080,所以想使用Tomcat不开放8080端口是不行的。很多用户通过修改iptables来开放8080号端口,结果失败,这是由于...
Docker暴露2375端口导致服务器攻击问题解决方法
01-20
相信了解过docker remote API的同学对2375端口都不陌生了,2375是docker远程操控的默认端口,通过这个端口可以直接对远程的docker daemon进行操作。 当$HOST主机以docker daemon -H=0.0.0.0:2375方式启动daemon时,...
腾讯云ubuntu服务器tomcat访问慢的原因分析及解决方法
01-10
腾讯云上配了个一元的学生云,开始一切正常,直到配置tomcat开始出现各种莫名其妙的问题。最莫名其妙的是tomcat启动了,端口也 正常监听,安全组也放行端口了,然后问题来了。  用浏览器访问tomcat主页,会发现...
8090端口扫描
09-29
这是一款自动扫描端口扫描器。欢迎打下下载,有用途可出。
您的云服务器由于被检测到对外攻击,已阻断该服务器对其它服务器端口的访问
01-30
您的云服务器由于被检测到对外攻击,已阻断该服务器对其它服务器端口的访问
解决django服务器重启端口被占用的问题
12-31
在开发django项目时,启动开发服务器的命令为: python manager.py runserver [port] ...以上这篇解决django服务器重启端口被占用的问题就是小编分享给大家的全部内容了,希望能给大家一个参考,也希望大家多多支持软件
Linux 查看服务器开放的端口
01-09
在讨论这个问题前,我们先来了解一下物理端口、逻辑端口端口号等计算机概念。  端口相关的概念:  在网络技术中,端口(Port)包括逻辑端口和物理端口两种类型。物理端口指的是物理存在的端口,如ADSLModem、...
解决阿里云邮件发送不能使用25端口问题
09-16
主要介绍了解决阿里云邮件发送不能使用25端口问题,文中通过示例代码介绍的非常详细,对大家的学习或者工作具有一定的参考学习价值,需要的朋友们下面随着小编来一起学习学习吧
天翼云服务器安装宝塔面板
01-20
开放8888端口,8888端口是宝塔面板的访问端口 只需要协议端口填上8888,源地址不用填写 使用远程连接软件 (如 Putty、XShell) 连接你的Linux服务器 根据提示,输入你要登录的账户 Centos安装命令: yum install -y...
阿里云服务器安装配置tomcat 添加外网访问端口的教程
09-29
主要介绍了阿里云服务器安装配置tomcat 添加外网访问端口,需要的朋友可以参考下
阿里云服务器Tomcat无法访问的问题
01-09
1.前言 之前我就已经在阿里云上面配置过...2.1配置防火墙,开通端口 这里我们先检查防火墙的状态是否是开启的 systemctl status firewalld `` 如果出现这个错误 `Unit firewalld.service could not be found.` 就说
腾讯云服务器防火墙怎么设置端口号只能内部访问
05-25
您可以通过以下步骤设置腾讯云服务器防火墙使端口号只能内部访问: 1.登录腾讯云控制台,进入云服务器实例的管理页面。 2.在左侧导航栏中找到“安全组”,点击进入。 3.选择您需要修改的安全组,点击“管理规则”。 4.在管理规则页面,点击“添加安全组规则”。 5.在弹出的添加安全组规则对话框中,选择协议类型和端口号,并设置来源 IP 为私有网络内的 IP 地址或者子网 IP 段。 6.点击“确定”保存规则即可。 这样设置后,只有来自同一私有网络内的主机或者同一子网 IP 段的访问才能够访问该端口

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值