I discovered that the system images shipped with Alibaba Cloud ECS actually come with several monitoring agents running with root privileges. One word: delete, delete, delete. Later I also found a pile of access records from Alibaba.Security.Heimdall in the server logs and quickly added them to the blacklist.
0x01 - Uninstall Cloud Shield (Aegis / 安骑士)
Straight to it:

```bash
# Fetch the official uninstaller over plain HTTP and run it as root
# (a copy of the script it downloads is kept below)
curl -sSL http://update.aegis.aliyun.com/download/quartz_uninstall.sh | sudo bash
# Remove what the uninstaller leaves behind: the install directory,
# the aliyun-service binary and its systemd unit
sudo rm -rf /usr/local/aegis
sudo rm /usr/sbin/aliyun-service
sudo rm /lib/systemd/system/aliyun.service
```
Backup of the script

```bash
#!/bin/bash
# Backup of Alibaba's quartz_uninstall.sh: stops the Aegis and quartz agents,
# removes their files and deregisters the init service.

# Check for Gentoo (OpenRC runlevels instead of rcN.d symlinks)
var=`lsb_release -a | grep Gentoo`
if [ -z "${var}" ]; then
    var=`cat /etc/issue | grep Gentoo`
fi

if [ -d "/etc/runlevels/default" -a -n "${var}" ]; then
    LINUX_RELEASE="GENTOO"
else
    LINUX_RELEASE="OTHER"
fi

# Kill the agent processes; errors (process not running) are ignored
stop_aegis(){
    killall -9 aegis_cli >/dev/null 2>&1
    killall -9 aegis_update >/dev/null 2>&1
    killall -9 aegis_cli >/dev/null 2>&1
    printf "%-40s %40s\n" "Stopping aegis" "[ OK ]"
}

stop_quartz(){
    killall -9 aegis_quartz >/dev/null 2>&1
    printf "%-40s %40s\n" "Stopping quartz" "[ OK ]"
}

# Delete the installed program directories under /usr/local/aegis
remove_aegis(){
    if [ -d /usr/local/aegis ];then
        rm -rf /usr/local/aegis/aegis_client
        rm -rf /usr/local/aegis/aegis_update
    fi
}

remove_quartz(){
    if [ -d /usr/local/aegis ];then
        rm -rf /usr/local/aegis/aegis_quartz
    fi
}

# Stop the init service and remove its start links
uninstall_service() {
    if [ -f "/etc/init.d/aegis" ]; then
        /etc/init.d/aegis stop >/dev/null 2>&1
        rm -f /etc/init.d/aegis
    fi

    if [ "$LINUX_RELEASE" = "GENTOO" ]; then
        rc-update del aegis default 2>/dev/null
        if [ -f "/etc/runlevels/default/aegis" ]; then
            rm -f "/etc/runlevels/default/aegis" >/dev/null 2>&1;
        fi
    # Only reached if the init script still exists, i.e. the rm above failed
    elif [ -f /etc/init.d/aegis ]; then
        /etc/init.d/aegis uninstall
        # Remove the S80aegis start links from runlevels 2-5
        for ((var=2; var<=5; var++)) do
            if [ -d "/etc/rc${var}.d/" ];then
                rm -f "/etc/rc${var}.d/S80aegis"
            elif [ -d "/etc/rc.d/rc${var}.d" ];then
                rm -f "/etc/rc.d/rc${var}.d/S80aegis"
            fi
        done
    fi
}

stop_aegis
stop_quartz
uninstall_service
remove_aegis
printf "%-40s %40s\n" "Uninstalling aegis" "[ OK ]"
remove_quartz
```
Tencent Cloud solution
Tencent Cloud reportedly has the same problem; reposted:

```bash
#!/bin/bash
# Reposted Tencent Cloud agent removal script

# Delete the agent install directories
rm -rf /usr/local/sa
rm -rf /usr/local/agenttools
rm -rf /usr/local/qcloud

# Kill every process whose command line matches one of these names
# (note that plain grep also matches any other process containing "agent")
process=(sap100 secu-tcs-agent sgagent64 barad_agent agent agentPlugInD pvdriver)
for i in "${process[@]}"
do
    for A in $(ps aux | grep "$i" | grep -v grep | awk '{print $2}')
    do
        kill -9 "$A"
    done
done

# Disable and stop postfix
chkconfig --level 35 postfix off
service postfix stop
# Empty root's crontab and replace /etc/rc.local with an empty script
echo ''>/var/spool/cron/root
echo '#!/bin/bash' >/etc/rc.local
```
0x02 - Block the Cloud Shield IPs
Later, while checking the server logs, I found a pile of access records from Alibaba.Security.Heimdall. Searching online showed that this is Cloud Shield (云盾).
According to the official description:
Cloud Shield simulates hacker intrusion attacks from the public internet to perform security scans, so when the server has its own security protection, the Cloud Shield scanning IPs need to be allowed through.
Block them, quick!
Update 09/16/2017: use Alibaba Cloud security groups
Alibaba Cloud security groups can block the Cloud Shield IP ranges directly; see the figure.
Update 09/20/2017: the logs showed the Cloud Shield IP 140.205.201.31, which is not in the official list, so I updated the security group to block the whole /24.
140.205.201.0/24,140.205.225.0/24,106.11.222.0/23,106.11.224.0/24,106.11.228.0/22
Original method: UFW / iptables
UFW is used here; iptables users, see the reader comments below. Note: if a rule accepting port 80 or similar already exists, a deny rule for an IP added after it will not take effect, so the rules have to be set in /etc/ufw/before.rules.
Edit this file with sudo nano /etc/ufw/before.rules, find the line # End required lines, and add after it:
```bash
-A ufw-before-input -s 140.205.201.0/24 -j DROP
-A ufw-before-input -s 140.205.225.0/24 -j DROP
-A ufw-before-input -s 106.11.222.0/23 -j DROP
-A ufw-before-input -s 106.11.224.0/24 -j DROP
-A ufw-before-input -s 106.11.228.0/22 -j DROP
```
After saving, run sudo ufw reload. Done!
0x03 - Remove the Alibaba Cloud login welcome message
Every time I log in and see
```
Welcome to Ubuntu 17.04 (GNU/Linux 4.10.0-19-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Welcome to Alibaba Cloud Elastic Compute Service !

Last login from
```
it annoys me for no good reason, so I looked it up: with sudo nano /etc/motd you can edit or delete the second-to-last line, the welcome message Welcome to Alibaba Cloud Elastic Compute Service !
Very useful article, reposted from: Wei 的小站