A frustrating write-up, just to record it; it is not resolved.
When I opened GitLab yesterday (2021-11-29) none of the projects were visible; it looked like this

In the end it turned out the server was infected: a pile of these damn files everywhere. I copied one and opened it to have a look



I have to say this hacker web page is actually pretty well made; this kind of outfit deserves to have nine generations of their family executed
CERBER RANSOMWARE
Instructions: You cannot open the file you need?
The contents of your files cannot be read?
This is normal, because the file names and data of your files have been encrypted by "Cerber Ransomware".
This means your files are not damaged! Your files have only been modified, and this modification is reversible; until they are decrypted you cannot use your files.
The only safe way to decrypt your files is to buy the special decryption software "Cerber Decryptor".
Any attempt to recover your files with third-party software will be fatal to your files!
You can buy the decryption software on your personal page:
On that page you will see detailed instructions on how to buy the decryption software to recover your files.
On that page you can also decrypt any one file for free to confirm that "Cerber Decryptor" can recover any of your files.
If your browser cannot open your personal page, you need to install and use the Tor browser to open your personal page:
- use your web browser (if you do not know which, use Internet Explorer);
- type or paste the address https://www.torproject.org/download/download-easy.html.en into the browser's address bar and press ENTER;
- wait for the site to load;
- on that site you will download the Tor browser; download and run it, follow the installation guide, and wait until the installation completes;
- run the Tor browser;
- connect using the "Connect" button (if you use the English version);
- after initialization a normal web browser window will open (during initialization you need to configure Tor browser bridges or a local VPN proxy to get past the firewall and connect to the Tor network);
- type or paste the following address into the browser's address bar
http://pigetrzlperjreyr3fbytm27bljaq4eungv3gdq2tohnoyfrqu4bx5qd.onion/bt105de1a8b160fb2876fa6f96f57f021044c382012717310ba4c2032a2ca704db464edf0509662630a290779d7f1179f90318221d3c1ce799757588104e8df3c2fbbf18e5956a0576dbf29047a9a22a94e23099a83cfe4e76b6c896e78bef9e0ee5cd24dbbe9f4e3ad9920b1bee8c0c2c80f8a4d319f500912263070d5fb5d7b13a/ - and press ENTER;
- the site will load; if for some reason it has not loaded after waiting a while, try again.
If you have any problems during installation or while using the Tor browser, visit https://www.baidu.com and type "how to install Tor browser" in the search bar; you will find instructions and tutorials on how to install the Tor onion browser.
Additional information:
You will find instructions for recovering your files ("*README*.hta") in every folder that contains encrypted files.
The ("*README*.hta") instructions in folders with encrypted files are not a virus; the ("*README*.hta") instructions will help you decrypt your files.
Remember, the worst has already happened; whether your files remain usable depends on your decision and your reaction speed.
----------------------------2021-12-2, working on it
Related articles
Beware! Dual-platform mining botnet Sysrv-hello targets users' GitLab servers
Tencent Cloud Container Security Service (TCSS) captures in-the-wild attacks exploiting the GitLab ExifTool RCE vulnerability
GitLab remote command execution vulnerability reproduction (CVE-2021-22205)
------------------------------------2021-12-3
For GitLab I found a backup from 11-10 and restored it, then everyone pushed their latest code and we backed up again, then I set up a new instance; since it was built with docker, rebuilding is easy, and I upgraded the version in docker-compose first to stop this vulnerability from causing more trouble. Only this docker container had the problem, but there are also other services, Confluence, Jira and who knows what else; because I was not the one who built the environment originally I can only see part of it, and I am not clear on the other details. The boss's idea now is to redo the whole server. I think that is a lot of work; keeping things upgraded and managing each piece of software is the real priority, because even a freshly rebuilt system gets infected just the same if it has a vulnerability.
What I am thinking for now is to first figure out what is installed on this server, what the specific configuration is, and what is actually needed. Then make some backups and have the system reinstalled; and add some security measures, for example making the GitLab that hosts the code reachable only through VPN. I cannot think of anything else; everyone, feel free to give me ideas.
------------------2021.12.07---
Found attacks in the last couple of days!!!!
sudo docker container logs gitlab | grep "Thank you for playing"
Searching with the above turned up a pile of these
This IP is very suspicious
sudo docker container logs gitlab | grep 5.181.80.15
Pulled those lines up and had a look; this really feels like brute forcing......
Honestly, exposing things to the public internet is convenient, but it also brings a lot of problems!
There is another log that also looks pretty fishy
sudo docker container logs gitlab | grep 'test.*\.jpg'
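The two greps above (the "Thank you for playing" pre-auth disconnects and the "Invalid user ... from 5.181.80.15" lines) can be turned into a small per-source-IP triage. This is an added example, not code from the post; the log lines in it are constructed in the "<date>_<time> <sshd message>" shape the container printed, 203.0.113.9 is a made-up low-volume source for contrast, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the "<date>_<time> <sshd message>" shape that
# `docker container logs gitlab` printed above; 5.181.80.15 / 188.166.251.221
# mirror the post's observations, 203.0.113.9 is a made-up low-volume source.
SAMPLE_LOG = """\
2021-12-05_10:32:50.76195 Invalid user zk from 5.181.80.15
2021-12-05_10:32:50.94788 Received disconnect from 5.181.80.15 port 41210:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:32:51.50977 Invalid user zl from 5.181.80.15
2021-12-05_10:32:52.81710 Invalid user zln from 5.181.80.15
2021-12-05_10:32:54.95818 Invalid user zmingxing from 5.181.80.15
2021-12-05_10:32:56.89954 Invalid user zoomway from 5.181.80.15
2021-12-05_10:40:00.00000 Invalid user deploy from 203.0.113.9
2021-12-06_04:15:40.35091 Received disconnect from 188.166.251.221 port 54914:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:15:42.36727 Received disconnect from 188.166.251.221 port 49860:11: Normal Shutdown, Thank you for playing [preauth]
"""

TS_FMT = "%Y-%m-%d_%H:%M:%S.%f"
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
INVALID_RE = re.compile(r"^(\S+) Invalid user (\S*) from " + IP)  # \S* also catches an empty username
PREAUTH_RE = re.compile(r"^(\S+) Received disconnect from " + IP + r" port \d+:11: .*\[preauth\]")

def parse_line(line):
    """(timestamp, kind, ip, user) for the two sshd events grepped above, else None."""
    if m := INVALID_RE.match(line):
        return datetime.strptime(m[1], TS_FMT), "invalid_user", m[3], m[2]
    if m := PREAUTH_RE.match(line):
        return datetime.strptime(m[1], TS_FMT), "preauth_disconnect", m[2], None
    return None

def summarize(log_text):
    """Per source IP: event counts, distinct usernames tried, and event timestamps."""
    stats = defaultdict(lambda: {"invalid_user": 0, "preauth_disconnect": 0, "users": set(), "times": []})
    for rec in filter(None, map(parse_line, log_text.splitlines())):  # skips GitLab's own output
        ts, kind, ip, user = rec
        stats[ip][kind] += 1
        stats[ip]["times"].append(ts)
        if user is not None:
            stats[ip]["users"].add(user)
    return dict(stats)

def flag_bruteforce(stats, min_events=5, window_seconds=60):
    """IPs with at least min_events sshd pre-auth events inside any window_seconds span (assumed thresholds)."""
    flagged = []
    for ip, s in stats.items():
        t = sorted(s["times"])
        if any((t[i + min_events - 1] - t[i]).total_seconds() <= window_seconds
               for i in range(len(t) - min_events + 1)):
            flagged.append(ip)
    return sorted(flagged)
```

Feed it the full stream with `sudo docker container logs gitlab 2>&1`, since `docker logs` replays the container's stderr on stderr and a plain pipe would drop it.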

There are lots of these too, and the IPs are foreign: 212.3.101.118; 107.172.198.108
That is all I have found so far
