add auto fetch ssl certs

2021-08-26 12:11:25 +08:00
parent 11ca254bed
commit 509ac048fc
237 changed files with 4968 additions and 7406 deletions
--- a/public/post/debian-buster-server-been-hacked/index.html
+++ b/public/post/debian-buster-server-been-hacked/index.html
@@ -13,7 +13,7 @@
        "articleSection" : "post",
        "name" : "[筆記] Debian Buster 伺服器被入侵了！\/ Debian Buster Server Been Hacked",
        "headline" : "[筆記] Debian Buster 伺服器被入侵了！\/ Debian Buster Server Been Hacked",
-        "description" : "\x3cp\x3e上禮拜某天在開會的時候，LINE不斷傳來訊息\x3c\/p\x3e\n\n\x3cp\x3e不過因為我向來開會都很認真(驕傲，所以都沒看，接著就變成來電了\x3c\/p\x3e\n\n\x3cp\x3e看來大概有啥事發生\x3c\/p\x3e\n\n\x3cp\x3e不過畢竟不是正職的工作，就先放著吧\x3c\/p\x3e\n\n\x3cp\x3e後來變成連學長都直接打來告訴我，某間公司的伺服器出事了，客戶找不到我\x3c\/p\x3e\n\n\x3cp\x3e叫我趕快連進去看\x3c\/p\x3e\n\n\x3cp\x3e是說，啊我又沒跟人家簽維護，趕什麼趕\x26hellip;\x3c\/p\x3e\n\n\x3cp\x3e總之，開完會後就了解一下狀況\x3c\/p\x3e",
+        "description" : "\x3cp\x3e上禮拜某天在開會的時候，LINE不斷傳來訊息\x3c\/p\x3e\n\x3cp\x3e不過因為我向來開會都很認真(驕傲，所以都沒看，接著就變成來電了\x3c\/p\x3e\n\x3cp\x3e看來大概有啥事發生\x3c\/p\x3e\n\x3cp\x3e不過畢竟不是正職的工作，就先放著吧\x3c\/p\x3e\n\x3cp\x3e後來變成連學長都直接打來告訴我，某間公司的伺服器出事了，客戶找不到我\x3c\/p\x3e\n\x3cp\x3e叫我趕快連進去看\x3c\/p\x3e\n\x3cp\x3e是說，啊我又沒跟人家簽維護，趕什麼趕\x26hellip;\x3c\/p\x3e\n\x3cp\x3e總之，開完會後就了解一下狀況\x3c\/p\x3e",
        "inLanguage" : "en",
        "author" : "Eric Chang",
        "creator" : "Eric Chang",
@@ -45,9 +45,9 @@

 <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.3.1/css/all.css" integrity="sha384-mzrmE5qonljUremFsqc01SB46JvROS7bZs3IO2EmfFsd15uHvIt+Y8vEf7N7fWAU" crossorigin="anonymous">

-<link href="https://h.cowbay.org/css/style.css?v=1626744134" rel="stylesheet" id="theme-stylesheet" type='text/css' media='all'>
+<link href="https://h.cowbay.org/css/style.css?v=1629951055" rel="stylesheet" id="theme-stylesheet" type='text/css' media='all'>

-<link href="https://h.cowbay.org/css/custom.css?v=1626744134" rel="stylesheet" type='text/css' media='all'>
+<link href="https://h.cowbay.org/css/custom.css?v=1629951055" rel="stylesheet" type='text/css' media='all'>
 <link rel="shortcut icon" href="https://h.cowbay.org/img/favicon.ico" type="image/x-icon">
 <link rel="icon" href="https://h.cowbay.org/img/favicon.ico" type="image/x-icon">

@@ -81,10 +81,6 @@ if (!doNotTrack) {

      <ul id="menu-secondary-items" class="menu-secondary-items">
        
-        <li class="menu-item menu-item-type-taxonomy menu-item-object-category">
-          <a href="/categories/"></a>
-        </li>
-        
        <li class="menu-item menu-item-type-taxonomy menu-item-object-category">
          <a href="/categories/ansible">ansible</a>
        </li>
@@ -309,46 +305,26 @@ if (!doNotTrack) {
          <div class="entry-content">
            <article>
              <p>上禮拜某天在開會的時候，LINE不斷傳來訊息</p>
-
 <p>不過因為我向來開會都很認真(驕傲，所以都沒看，接著就變成來電了</p>
-
 <p>看來大概有啥事發生</p>
-
 <p>不過畢竟不是正職的工作，就先放著吧</p>
-
 <p>後來變成連學長都直接打來告訴我，某間公司的伺服器出事了，客戶找不到我</p>
-
 <p>叫我趕快連進去看</p>
-
 <p>是說，啊我又沒跟人家簽維護，趕什麼趕&hellip;</p>
-
 <p>總之，開完會後就了解一下狀況</p>
-
 <p>了解狀況後(user 也只說不能連線..WTF)，還是直接連進去看伺服器啥問題好了</p>
-
 <p>連線的過程就發現，主機回應有點慢</p>
-
 <p>不過還是可以連上，檢查一下ps / netstat 等等訊息，感覺就是有哪裡怪怪的</p>
-
 <p>進去etc 看一下，一下 ls -lart 就發現不對，畫面整個跑掉</p>
-
 <p>感覺就多了很多檔案</p>
-
 <p>所以先裝個file manager 來看(這樣才能避免ls 被駭客調包的情況)</p>
-
 <p>總之就發現了一些不正常的檔案</p>
-
 <p>/etc/.sh 等等族繁不及備載</p>
-
 <p>於是先去FW 把這台機器對外開放的port 先關掉</p>
-
 <p>然後開始紀錄邊清</p>
-
 <p>底下是一些記錄下來的log 很亂，因為是邊清邊紀錄的關係</p>
-
 <p>這是在某個特定日期時間被產生出來的檔案</p>
-
-<pre><code class="language-bash">/etc/allow.bak
+<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">/etc/allow.bak
 /etc/deny.bak
 /etc/fstab
 /etc/sysctl.conf
@@ -383,38 +359,26 @@ if (!doNotTrack) {
 /var/log/apt/history.log.1.gz
 /usr/lib/systemd
 /usr/lib/mysql/mysql
-</code></pre>
-
-<p>/etc/.supervisor/conf.d/sh.conf</p>
-
-<pre><code class="language-bash">[program:.sh]
-directory=/etc/
-command=/bin/bash -c 'cp -f -r -- /etc/spts /bin/.sh 2&gt;/dev/null &amp;&amp; /bin/.sh -c  &gt;/dev/null 2&gt;&amp;1 &amp;&amp; rm -rf -- /bin/.sh 2&gt;/dev/null'
-autostart=true
-autorestart=true
-startretries=999999999
-redirect_stderr=true
-pidfile=/etc/psdewo.pid
-stdout_logfile=/etc/usercenter_stdout
-</code></pre>
-
-<p>php.sh 這個忘了是在crontab 還是/etc/profile.d/底下看到的</p>
-
+</code></pre></div><p>/etc/.supervisor/conf.d/sh.conf</p>
+<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash"><span style="color:#f92672">[</span>program:.sh<span style="color:#f92672">]</span>
+directory<span style="color:#f92672">=</span>/etc/
+command<span style="color:#f92672">=</span>/bin/bash -c <span style="color:#e6db74">&#39;cp -f -r -- /etc/spts /bin/.sh 2&gt;/dev/null &amp;&amp; /bin/.sh -c  &gt;/dev/null 2&gt;&amp;1 &amp;&amp; rm -rf -- /bin/.sh 2&gt;/dev/null&#39;</span>
+autostart<span style="color:#f92672">=</span>true
+autorestart<span style="color:#f92672">=</span>true
+startretries<span style="color:#f92672">=</span><span style="color:#ae81ff">999999999</span>
+redirect_stderr<span style="color:#f92672">=</span>true
+pidfile<span style="color:#f92672">=</span>/etc/psdewo.pid
+stdout_logfile<span style="color:#f92672">=</span>/etc/usercenter_stdout
+</code></pre></div><p>php.sh 這個忘了是在crontab 還是/etc/profile.d/底下看到的</p>
 <pre><code>#!/bin/bash
 cp -f -r -- /bin/shh /bin/.sh 2&gt;/dev/null
 /bin/.sh -c  &gt;/dev/null 2&gt;&amp;1
 rm -rf -- .sh 2&gt;/dev/null
-</code></pre>
-
-<p>supervisor.sh</p>
-
+</code></pre><p>supervisor.sh</p>
 <pre><code>#!/bin/bash
 supervisord -c /etc/.supervisor/supervisord.conf &gt;/dev/null 2&gt;&amp;1
 supervisorctl reload &gt;/dev/null 2&gt;&amp;1
-</code></pre>
-
-<p>某個 service 檔案</p>
-
+</code></pre><p>某個 service 檔案</p>
 <pre><code>[Unit]
 Description=.sh

@@ -429,10 +393,7 @@ KillMode=process

 [Install]
 WantedBy=multi-user.target
-</code></pre>
-
-<p>syslog 部份內容</p>
-
+</code></pre><p>syslog 部份內容</p>
 <pre><code>Jul  7 06:20:01 pve CRON[12502]: (root) CMD (/sbin/httpss)
 Jul  7 06:20:01 pve CRON[12499]: (root) CMD ( echo /usr/local/lib/libprocesshider.so &gt; /etc/ld.so.preload &amp;&amp; lockr +i /etc/ld.so.preload &gt;/dev/null 2&gt;&amp;1)
 Jul  7 06:21:01 pve CRON[14096]: (root) CMD (/usr/lib/mysql/mysql)
@@ -451,18 +412,11 @@ Jul  7 06:25:01 pve CRON[21289]: (root) CMD ( cp -f -r -- /etc/.sh /tmp/.sh 2&gt
 Jul  7 06:25:01 pve CRON[21290]: (root) CMD (/usr/lib/mysql/mysql)
 Jul  7 06:25:01 pve CRON[21288]: (root) CMD (test -x /usr/sbin/anacron || ( cd / &amp;&amp; run-parts --report /etc/cron.daily ))
 Jul  7 06:25:01 pve CRON[21291]: (root) CMD ( echo /usr/local/lib/libprocesshider.so &gt; /etc/ld.so.preload &amp;&amp; lockr +i /etc/ld.so.preload &gt;/dev/null 2&gt;&amp;1)
-</code></pre>
-
-<p>比較特別的是，他會去修改 /etc/fstab 載入一個 swapfile</p>
-
+</code></pre><p>比較特別的是，他會去修改 /etc/fstab 載入一個 swapfile</p>
 <p>WTF！？ 沒事載入自己的 fstab 做啥？？</p>
-
 <p>然後還會在系統建立user 可以看一下 /etc/passwd , /etc/group , /etc/gshadow 這些檔案檢查</p>
-
 <p>手邊最好有另一臺乾淨的同樣作業系統的機器</p>
-
 <p>因為有很多系統指令已經被替換掉(netstat/ss/lsof 等等)</p>
-
 <p>需要從乾淨的系統弄過來，或者是重新從apt 安裝回來</p>
            </article>
          </div>
@@ -738,7 +692,7 @@ title="pinterest icon"></i>

 				</ul>	<div class="design-credit">
 		
-		<p>&copy; 2018 Göran Svensson</p>
+		<p>© 2018 Göran Svensson</p>
 		
 		<p>Nederburg Hugo Theme by <a href="https://appernetic.io">Appernetic</a>.</p>
 		
@@ -750,7 +704,7 @@ title="pinterest icon"></i>
  </div>
  <script src="https://h.cowbay.org/js/jquery.min.js"></script>
 <script src="https://h.cowbay.org/js/jquerymigrate.js"></script>
-<script src="https://h.cowbay.org/js/production.min.js?v=1626744134"></script>
+<script src="https://h.cowbay.org/js/production.min.js?v=1629951055"></script>

 </body>
 </html>