英文好的鞋童帮忙看下这个是被DDOS攻击还是被人黑了

skywing

BWG的VPS

Reason:         Network abuse: Large number of conntrack sessions
More details:         The server is creating too many conntrack sessions (more than 30000). This affects other customers on the same physical node.

被人DDOS那还好 如果被人黑了充作弹药事情就大条了 我VPS设置了证书登陆 应该不存在被人暴破的可能 另外安装AMH4.2 难道是AMH的问题？

How to resolve:         This usually happens when your server is compromised (hacked) or under a DoS attack. This may also be caused by a misconfigured system. Make sure you install clean OS immediately after resuming service, otherwise the issue will repeat.

You can unsuspend a service 3 times in one calendar year.
Remaining unsuspensions for this server: 3

By clicking the button above you agree to take all measures to prevent future TOS violations.
You also acknowledge that after 3 suspensions this server will be disabled until January 1, 2015.

给翻译下 我看得一知半解的 小学没毕业

skywing

他后面也跟我说了可能是被黑了也可能是被DDOS攻击 我不确定啊 我把日志贴上来 帮看下

1. **********************************************
   
2. List of processes
   
3. **********************************************
   
4. 47826      mysqld_safe      /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/usr/local/mysql/data --pid-file=/usr/local/mysql/data/skywing.pid
   
5. 48135      mysqld           /usr/local/mysql/bin/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data --plugin-dir=/usr/local/mysql/lib/plugin --user=mysql --log-error=/usr/local/mysql/data/skywing.err --pid-file=/usr/local/mysql/data/skywing.pid --socket=/tmp/mysql.sock --port=3306
   
6. 48175      php-fpm          php-fpm: master process (/usr/local/php/etc/fpm/***.****.***.conf)
   
7. 48177      php-fpm          php-fpm: pool ***.****.***
   
8. 48178      php-fpm          php-fpm: pool ***.****.***
   
9. 48179      php-fpm          php-fpm: pool ***.****.***
   
10. 48181      php-fpm          php-fpm: master process (/usr/local/php/etc/php-fpm.conf)
    
11. 48183      php-fpm          php-fpm: pool www
    
12. 48184      php-fpm          php-fpm: pool www
    
13. 48187      pure-ftpd        pure-ftpd (SERVER)
    
14. 48193      nginx            nginx: master process /usr/local/nginx/sbin/nginx
    
15. 48197      nginx            nginx: worker process
    
16. 749017     init             init
    
17. 749018     kthreadd/48748   
    
18. 749019     khelper/48748   
    
19. 749169     upstart-udev-br  upstart-udev-bridge --daemon
    
20. 749183     udevd            /sbin/udevd --daemon
    
21. 749218     udevd            /sbin/udevd --daemon
    
22. 749219     udevd            /sbin/udevd --daemon
    
23. 749257     upstart-socket-  upstart-socket-bridge --daemon
    
24. 749363     cron             cron
    
25. 749399     syslogd          /sbin/syslogd -u syslog
    
26. 749472     saslauthd        /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 2
    
27. 749474     saslauthd        /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 2
    
28. 749665     xinetd           /usr/sbin/xinetd -dontfork -pidfile /var/run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6
    
29. 749691     sendmail-mta     sendmail: MTA: accepting connections
    
30. 749751     getty            /sbin/getty 38400 console
    
31. 749754     getty            /sbin/getty 38400 tty2
    
32. 753176     sshd             /usr/sbin/sshd -D
    
33. 835189     ntpd             /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 108:112
    
34. 
    
35. 
    
36. **********************************************
    
37. First 282 lines from conntrack table (truncated)
    
38. **********************************************
    
39. ipv4     2 udp      17 28 src=194.143.194.9 dst=***.***.***.*** sport=53 dport=31955 [UNREPLIED] src=***.***.***.*** dst=194.143.194.9 sport=31955 dport=53 mark=0 secmark=0 use=2
    
40. ipv4     2 udp      17 28 src=110.74.213.134 dst=***.***.***.*** sport=53 dport=53310 [UNREPLIED] src=***.***.***.*** dst=110.74.213.134 sport=53310 dport=53 mark=0 secmark=0 use=2
    
41. ipv4     2 udp      17 24 src=190.82.66.85 dst=***.***.***.*** sport=53 dport=44889 [UNREPLIED] src=***.***.***.*** dst=190.82.66.85 sport=44889 dport=53 mark=0 secmark=0 use=2
    
42. ipv4     2 udp      17 24 src=175.106.19.10 dst=***.***.***.*** sport=53 dport=27175 [UNREPLIED] src=***.***.***.*** dst=175.106.19.10 sport=27175 dport=53 mark=0 secmark=0 use=2
    
43. ipv4     2 udp      17 22 src=175.156.107.228 dst=***.***.***.*** sport=53 dport=61867 [UNREPLIED] src=***.***.***.*** dst=175.156.107.228 sport=61867 dport=53 mark=0 secmark=0 use=2
    
44. ipv4     2 udp      17 18 src=177.5.217.127 dst=***.***.***.*** sport=53 dport=45559 [UNREPLIED] src=***.***.***.*** dst=177.5.217.127 sport=45559 dport=53 mark=0 secmark=0 use=2
    
45. ipv4     2 udp      17 16 src=5.178.96.3 dst=***.***.***.*** sport=53 dport=53102 [UNREPLIED] src=***.***.***.*** dst=5.178.96.3 sport=53102 dport=53 mark=0 secmark=0 use=2
    
46. ipv4     2 udp      17 15 src=118.163.109.86 dst=***.***.***.*** sport=53 dport=43386 [UNREPLIED] src=***.***.***.*** dst=118.163.109.86 sport=43386 dport=53 mark=0 secmark=0 use=2
    
47. ipv4     2 udp      17 8 src=46.252.48.2 dst=***.***.***.*** sport=53 dport=3672 [UNREPLIED] src=***.***.***.*** dst=46.252.48.2 sport=3672 dport=53 mark=0 secmark=0 use=2
    
48. ipv4     2 udp      17 7 src=80.241.245.78 dst=***.***.***.*** sport=53 dport=60157 [UNREPLIED] src=***.***.***.*** dst=80.241.245.78 sport=60157 dport=53 mark=0 secmark=0 use=2
    
49. ipv4     2 udp      17 6 src=187.177.161.134 dst=***.***.***.*** sport=53 dport=34855 [UNREPLIED] src=***.***.***.*** dst=187.177.161.134 sport=34855 dport=53 mark=0 secmark=0 use=2
    
50. ipv4     2 udp      17 3 src=200.16.132.82 dst=***.***.***.*** sport=53 dport=24668 [UNREPLIED] src=***.***.***.*** dst=200.16.132.82 sport=24668 dport=53 mark=0 secmark=0 use=2
    
51. ipv4     2 udp      17 2 src=177.137.144.76 dst=***.***.***.*** sport=53 dport=12742 [UNREPLIED] src=***.***.***.*** dst=177.137.144.76 sport=12742 dport=53 mark=0 secmark=0 use=2
    
52. ipv4     2 udp      17 1 src=221.176.130.254 dst=***.***.***.*** sport=53 dport=1486 [UNREPLIED] src=***.***.***.*** dst=221.176.130.254 sport=1486 dport=53 mark=0 secmark=0 use=2
    
53. ipv4     2 udp      17 23 src=200.12.63.2 dst=***.***.***.*** sport=53 dport=56754 [UNREPLIED] src=***.***.***.*** dst=200.12.63.2 sport=56754 dport=53 mark=0 secmark=0 use=2
    
54. ipv4     2 udp      17 23 src=177.177.56.125 dst=***.***.***.*** sport=22701 dport=11013 [UNREPLIED] src=***.***.***.*** dst=177.177.56.125 sport=11013 dport=22701 mark=0 secmark=0 use=2
    
55. ipv4     2 udp      17 20 src=82.194.76.140 dst=***.***.***.*** sport=53 dport=42635 [UNREPLIED] src=***.***.***.*** dst=82.194.76.140 sport=42635 dport=53 mark=0 secmark=0 use=2
    
56. ipv4     2 udp      17 19 src=190.66.20.213 dst=***.***.***.*** sport=53 dport=16673 [UNREPLIED] src=***.***.***.*** dst=190.66.20.213 sport=16673 dport=53 mark=0 secmark=0 use=2
    
57. ipv4     2 udp      17 19 src=201.49.29.6 dst=***.***.***.*** sport=53 dport=44588 [UNREPLIED] src=***.***.***.*** dst=201.49.29.6 sport=44588 dport=53 mark=0 secmark=0 use=2
    
58. ipv4     2 udp      17 17 src=177.137.168.17 dst=***.***.***.*** sport=53 dport=60750 [UNREPLIED] src=***.***.***.*** dst=177.137.168.17 sport=60750 dport=53 mark=0 secmark=0 use=2
    
59. ipv4     2 udp      17 17 src=180.180.246.61 dst=***.***.***.*** sport=53 dport=64641 [UNREPLIED] src=***.***.***.*** dst=180.180.246.61 sport=64641 dport=53 mark=0 secmark=0 use=2

复制代码

skywing

那些IP天南地北都有 我估计是被DDOS攻击了

违法主机

udp 攻击?

v998

装了ddos deflate么?
看到那么多53 port, 不用就封了它吧

_jerryjee

Make sure you install clean OS immediately after resuming service, otherwise the issue will repeat.
让你重装系统的，可以试一下 fail2ban

SKIDROW

你得看看是哪个进程进行了连接，53是目的端口，应该是DNS反射攻击吧。

skywing

违法主机 发表于 2014-8-26 07:49
udp 攻击?

不是被黑了就好 也就不用重装了

skywing

_jerryjee 发表于 2014-8-26 08:24
Make sure you install clean OS immediately after resuming service, otherwise the issue will repeat. ...

fail2ban不是防暴力破解的吗 我不允许密码登陆 使用证书登陆也要装？