2015-03-06: 积极联系厂商并且等待厂商认领中,细节不对外公开 2015-04-20: 厂商已经主动忽略漏洞,细节向公众公开
来一发
http://182.254.201.58:9200/_searchhttp://182.254.196.137:9200/_searchhttp://182.254.201.126:9200/_searchhttp://182.254.202.95:9200/_searchhttp://182.254.232.22:9200/_search均处于同一个log center,看hosts文件中看到应该是腾讯云或是内部机房使用。/etc/hosts
127.0.0.1\tTENCENT64.site TENCENT64","","#########log center host############","10.249.150.59 VM_150_59_centos","10.249.166.10 VM_166_10_centos","10.249.149.238 VM_149_238_centos","10.249.144.129 VM_144_129_centos","10.249.161.65 VM_161_65_centos","10.221.146.20 VM_146_20_centos","10.207.163.32 VM_163_32_centos","10.207.163.55 VM_163_55_centos","10.221.158.21 VM_158_21_centos","10.143.98.57 VM_98_57_centos","10.221.216.28 VM_216_28_centos","10.221.220.51 VM_220_51_centos","10.251.248.23 VM_248_23_centos","10.251.248.43 VM_248_43_centos
查看ip归属:
查看/etc/passwd
root:x:0:0:root:/root:/bin/bash","bin:x:1:1:bin:/bin:/sbin/nologin","daemon:x:2:2:daemon:/sbin:/sbin/nologin","adm:x:3:4:adm:/var/adm:/sbin/nologin","lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin","sync:x:5:0:sync:/sbin:/bin/sync","shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown","halt:x:7:0:halt:/sbin:/sbin/halt","mail:x:8:12:mail:/var/spool/mail:/sbin/nologin","uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin","operator:x:11:0:operator:/root:/sbin/nologin","games:x:12:100:games:/usr/games:/sbin/nologin","gopher:x:13:30:gopher:/var/gopher:/sbin/nologin","ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin","nobody:x:99:99:Nobody:/:/sbin/nologin","dbus:x:81:81:System message bus:/:/sbin/nologin","vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin","abrt:x:173:173::/etc/abrt:/sbin/nologin","haldaemon:x:68:68:HAL daemon:/:/sbin/nologin","ntp:x:38:38::/etc/ntp:/sbin/nologin","saslauth:x:499:76:\"Saslauthd user\":/var/empty/saslauth:/sbin/nologin","postfix:x:89:89::/var/spool/postfix:/sbin/nologin","sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin","tcpdump:x:72:72::/:/sbin/nologin","nscd:x:28:28:NSCD Daemon:/:/sbin/nologin","nslcd:x:65:55:LDAP Client User:/:/sbin/nologin","nginx:x:498:497:Nginx web server:/var/lib/nginx:/sbin/nologin","www:x:10126:10051::/home/www:/sbin/nologin","nagios:x:10127:10127::/home/nagios:/sbin/nologin","apache:x:48:48:Apache:/var/www:/sbin/nologin
一开始以为是腾讯内部使用,后来查看/var/log/messages后发现,是乐元素的
Mar 1 03:13:14 VM_146_20_centos kernel: imklog 4.6.2, log source = /proc/kmsg started.","Mar 1 03:13:14 VM_146_20_centos rsyslogd: [origin software=\"rsyslogd\" swVersion=\"4.6.2\" x-pid=\"1219\" x-info=\"http://www.rsyslog.com\"] (re)start","Mar 1 04:01:11 VM_146_20_centos nslcd[11233]: [64ad75] ldap_result() timed out","Mar 1 04:01:11 VM_146_20_centos nslcd[11233]: [abe597] ldap_result() timed out","Mar 1 04:07:11 VM_146_20_centos nslcd[11233]: [e12f61] ldap_result() timed out","Mar 1 04:09:11 VM_146_20_centos nslcd[11233]: [6863bc] ldap_result() timed out","Mar 1 04:10:11 VM_146_20_centos nslcd[11233]: [18c6c0] ldap_result() timed out","Mar 1 04:10:11 VM_146_20_centos nslcd[11233]: [7e4a15] ldap_result() timed out","Mar 1 04:10:11 VM_146_20_centos nslcd[11233]: [8e9f47] ldap_result() timed out","Mar 1 04:10:22 VM_146_20_centos nslcd[11233]: [18c6c0] failed to bind to LDAP server ldaps://ldap-vnt.happyelements.com: Can't contact LDAP server: Connection timed out","Mar 1 04:10:22 VM_146_20_centos nslcd[11233]: [18c6c0] no available LDAP server found","Mar 1 04:10:22 VM_146_20_centos nslcd[11233]: [7e4a15] failed to bind to LDAP server ldaps://ldap-vnt.happyelements.com: Can't contact LDAP server: Connection timed out","Mar 1 04:10:22 VM_146_20_centos nslcd[11233]: [7e4a15] no available LDAP server found","Mar 1 04:10:22 VM_146_20_centos nslcd[11233]: [8e9f47] failed to bind to LDAP server ldaps://ldap-vnt.happyelements.com: Can't contact LDAP server: Connection timed out","Mar 1 04:10:22 VM_146_20_centos nslcd[11233]: [8e9f47] no available LDAP server found","Mar 1 04:10:32 VM_146_20_centos nslcd[11233]: [18c6c0] failed to bind to LDAP server ldaps://ldap-vnt.happyelements.com: Can't contact LDAP server: Connection timed out","Mar 1 04:10:32 VM_146_20_centos nslcd[11233]: [18c6c0] no available LDAP server found","Mar 1 04:10:32 VM_146_20_centos nslcd[11233]: [7e4a15] failed to bind to LDAP server ldaps://ldap-vnt.happyelements.com: Can't contact LDAP server: Connection timed out","Mar 1 04:10:32 VM_146_20_centos nslcd[11233]: [7e4a15] no available LDAP server found","Mar 1 04:10:32 VM_146_20_centos nslcd[11233]: [8e9f47] failed to bind to LDAP server ldaps://ldap-vnt.happyelements.com: Can't contact LDAP server: Connection timed out","Mar 1 04:10:32 VM_146_20_centos nslcd[11233]: [8e9f47] no available LDAP server found","Mar 1 05:35:01 VM_146_20_centos auditd[10838]: Audit daemon rotating log files","Mar 1 09:11:22 VM_146_20_centos nrpe[20199]: Error: Network server getpeername() failure (107: Transport endpoint is not connected)","Mar 1 09:11:22 VM_146_20_centos nrpe[20199]: Cannot remove pidfile '/var/run/nrpe.pid' - check your privileges.","Mar 1 09:11:22 VM_146_20_centos nrpe[20199]: Daemon shutdown","Mar 1 09:11:46 VM_146_20_centos nrpe[20279]: Host 120.204.200.12 is not allowed to talk to us!","Mar 1 09:12:02 VM_146_20_centos nrpe[20356]: Host 120.204.200.12 is not allowed to talk to us!","Mar 1 11:24:01 VM_146_20_centos auditd[10838]: Audit daemon rotating log files","Mar 1 13:14:33 VM_146_20_centos nrpe[4730]: Host 183.60.48.110 is not allowed to talk to us!","Mar 1 17:14:01 VM_146_20_centos auditd[10838]: Audit daemon rotating log files","Mar 1 23:03:01 VM_146_20_centos auditd[10838]: Audit daemon rotating log files","Mar 2 02:52:18 VM_146_20_centos nrpe[23211]: Error: Network server getpeername() failure (107: Transport endpoint is not connected)","Mar 2 02:52:18 VM_146_20_centos nrpe[23211]: Cannot remove pidfile '/var/run/nrpe.pid' - check your privileges.","Mar 2 02:52:18 VM_146_20_centos nrpe[23211]: Daemon shutdown","Mar 2 02:52:22 VM_146_20_centos nrpe[23213]: Host 175.155.112.11 is not allowed to talk to us!","Mar 2 02:52:38 VM_146_20_centos nrpe[23217]: Host 175.155.112.11 is not allowed to talk to us!","Mar 2 04:08:11 VM_146_20_centos nslcd[11233]: [6a60be] ldap_result() timed out","Mar 2 04:09:11 VM_146_20_centos nslcd[11233]: [4fa349] ldap_result() timed out","Mar 2 04:10:11 VM_146_20_centos nslcd[11233]: [75770e] ldap_result() timed out","Mar 2 04:10:11 VM_146_20_centos nslcd[11233]: [1e22c1] ldap_result() timed out","Mar 2 04:10:11 VM_146_20_centos nslcd[11233]: [3ea557] ldap_result() timed out","Mar 2 04:49:01 VM_146_20_centos auditd[10838]: Audit daemon rotating log files","Mar 2 10:39:02 VM_146_20_centos auditd[10838]: Audit daemon rotating log files","Mar 2 15:19:00 VM_146_20_centos nrpe[2965]: Error: Network server getpeername() failure (107: Transport endpoint is not connected)","Mar 2 15:19:00 VM_146_20_centos nrpe[2965]: Cannot remove pidfile '/var/run/nrpe.pid' - check your privileges.","Mar 2 15:19:00 VM_146_20_centos nrpe[2965]: Daemon shutdown","Mar 2 15:19:06 VM_146_20_centos nrpe[3012]: Host 113.105.95.188 is not allowed to talk to us!","Mar 2 15:19:23 VM_146_20_centos nrpe[3059]: Host 113.105.95.188 is not allowed to talk to us!","Mar 2 16:28:01 VM_146_20_centos auditd[10838]: Audit daemon rotating log files","Mar 2 18:36:56 VM_146_20_centos nrpe[2195]: Caught SIGTERM - shutting down...","Mar 2 18:36:56 VM_146_20_centos nrpe[2195]: Cannot remove pidfile '/var/run/nrpe.pid' - check your privileges.","Mar 2 18:36:56 VM_146_20_centos nrpe[2195]: Daemon shutdown","Mar 2 18:36:58 VM_146_20_centos nrpe[9741]: Starting up daemon","Mar 2 18:36:58 VM_146_20_centos nrpe[9741]: Warning: Daemon is configured to accept command arguments from clients!","Mar 2 18:36:58 VM_146_20_centos nrpe[9741]: Listening for connections on port 5666","Mar 2 18:36:58 VM_146_20_centos nrpe[9741]: Allowing connections from: 127.0.0.1,10.21.9.78,174.36.157.111,67.228.227.56,67.228.227.57,67.228.227.58,67.228.227.59,219.232.227.209,192.168.1.209,173.192.132.68,10.28.12.96,219.232.227.209,58.83.216.89,218.106.255.48,10.135.144.92,10.130.120.48,218.105.255.53,10.182.7.108,203.66.80.149,10.130.100.22,203.195.184.237,10.221.160.171","Mar 2 18:37:55 VM_146_20_centos yum[9828]: Updated: openssl-1.0.1e-30.el6_6.5.x86_64","Mar 2 18:37:56 VM_146_20_centos yum[9828]: Updated: openssl-devel-1.0.1e-30.el6_6.5.x86_64","Mar 2 18:37:58 VM_146_20_centos nrpe[9741]: Caught SIGTERM - shutting down...","Mar 2 18:37:58 VM_146_20_centos nrpe[9741]: Cannot remove pidfile '/var/run/nrpe.pid' - check your privileges.","Mar 2 18:37:58 VM_146_20_centos nrpe[9741]: Daemon shutdown","Mar 2 20:48:11 VM_146_20_centos nrpe[2070]: Starting up daemon","Mar 2 20:48:11 VM_146_20_centos nrpe[2070]: Warning: Daemon is configured to accept command arguments from clients!","Mar 2 20:48:11 VM_146_20_centos nrpe[2070]: Listening for connections on port 5666","Mar 2 20:48:11 VM_146_20_centos nrpe[2070]: Allowing connections from: 127.0.0.1,10.21.9.78,174.36.157.111,67.228.227.56,67.228.227.57,67.228.227.58,67.228.227.59,219.232.227.209,192.168.1.209,173.192.132.68,10.28.12.96,219.232.227.209,58.83.216.89,218.106.255.48,10.135.144.92,10.130.120.48,218.105.255.53,10.182.7.108,10.204.154.139,10.141.13.66,203.195.184.237,10.221.160.171,42.62.67.201,10.6.15.88","Mar 2 22:13:01 VM_146_20_centos auditd[10838]: Audit daemon rotating log files","Mar 3 04:01:11 VM_146_20_centos nslcd[11233]: [ac86fd] ldap_result() timed out","Mar 3 04:01:11 VM_146_20_centos nslcd[11233]: [972269] ldap_result() timed out","Mar 3 04:08:11 VM_146_20_centos nslcd[11233]: [d5d802] ldap_result() timed out","Mar 3 04:10:11 VM_146_20_centos nslcd[11233]: [2d6024] ldap_result() timed out","Mar 3 04:10:11 VM_146_20_centos nslcd[11233]: [bc8c0a] ldap_result() timed out","Mar 3 04:10:11 VM_146_20_centos nslcd[11233]: [b64045] ldap_result() timed out","Mar 3 04:16:01 VM_146_20_centos auditd[10838]: Audit daemon rotating log files","Mar 3 07:51:51 VM_146_20_centos nrpe[15102]: Host 183.60.48.110 is not allowed to talk to us!","Mar 3 08:08:53 VM_146_20_centos nrpe[17969]: Error: Network server getpeername() failure (107: Transport endpoint is not connected)","Mar 3 08:08:53 VM_146_20_centos nrpe[17969]: Cannot remove pidfile '/var/run/nrpe.pid' - check your privileges.","Mar 3 08:08:53 VM_146_20_centos nrpe[17969]: Daemon shutdown","Mar 3 08:09:01 VM_146_20_centos nrpe[17978]: Host 119.147.120.8 is not allowed to talk to us!","Mar 3 08:09:17 VM_146_20_centos nrpe[18046]: Host 119.147.120.8 is not allowed to talk to us!","Mar 3 10:18:02 VM_146_20_centos auditd[10838]: Audit daemon rotating log files","Mar 3 16:17:11 VM_146_20_centos auditd[10838]: Audit daemon rotating log files","Mar 3 16:17:15 VM_146_20_centos nrpe[2070]: Caught SIGTERM - shutting down...","Mar 3 16:17:15 VM_146_20_centos nrpe[2070]: Cannot remove pidfile '/var/run/nrpe.pid' - check your privileges.","Mar 3 16:17:15 VM_146_20_centos nrpe[2070]: Daemon shutdown","Mar 3 16:17:17 VM_146_20_centos nrpe[13301]: Starting up daemon","Mar 3 16:17:17 VM_146_20_centos nrpe[13301]: Warning: Daemon is configured to accept command arguments from clients!","Mar 3 16:17:17 VM_146_20_centos nrpe[13301]: Listening for connections on port 5666","Mar 3 16:17:17 VM_146_20_centos nrpe[13301]: Allowing connections from: 127.0.0.1,10.21.9.78,174.36.157.111,67.228.227.56,67.228.227.57,67.228.227.58,67.228.227.59,219.232.227.209,192.168.1.209,173.192.132.68,10.28.12.96,219.232.227.209,58.83.216.89,218.106.255.48,10.135.144.92,10.130.120.48,218.105.255.53,10.182.7.108,203.66.80.149,10.130.100.22,203.195.184.237,10.221.160.171","Mar 3 16:17:53 VM_146_20_centos nrpe[13301]: Caught SIGTERM - shutting down...","Mar 3 16:17:53 VM_146_20_centos nrpe[13301]: Cannot remove pidfile '/var/run/nrpe.pid' - check your privileges.","Mar 3 16:17:53 VM_146_20_centos nrpe[13301]: Daemon shutdown","Mar 3 16:17:56 VM_146_20_centos nrpe[13424]: Starting up daemon","Mar 3 16:17:56 VM_146_20_centos nrpe[13424]: Warning: Daemon is configured to accept command arguments from clients!","Mar 3 16:17:56 VM_146_20_centos nrpe[13424]: Listening for connections on port 5666","Mar 3 16:17:56 VM_146_20_centos nrpe[13424]: Allowing connections from: 127.0.0.1,10.21.9.78,174.36.157.111,67.228.227.56,67.228.227.57,67.228.227.58,67.228.227.59,219.232.227.209,192.168.1.209,173.192.132.68,10.28.12.96,219.232.227.209,58.83.216.89,218.106.255.48,10.135.144.92,10.130.120.48,218.105.255.53,10.182.7.108,10.204.154.139,10.141.13.66,203.195.184.237,10.221.160.171,42.62.67.201,10.6.15.88","Mar 3 19:03:44 VM_146_20_centos nrpe[12724]: Error: Network server getpeername() failure (107: Transport endpoint is not connected)","Mar 3 19:03:44 VM_146_20_centos nrpe[12724]: Cannot remove pidfile '/var/run/nrpe.pid' - check your privileges.","Mar 3 19:03:44 VM_146_20_centos nrpe[12724]: Daemon shutdown","Mar 3 19:03:59 VM_146_20_centos nrpe[12769]: Host 119.147.120.8 is not allowed to talk to us!","Mar 3 19:04:15 VM_146_20_centos nrpe[12839]: Host 119.147.120.8 is not allowed to talk to us!","Mar 3 22:01:01 VM_146_20_centos auditd[10838]: Audit daemon rotating log files","Mar 4 03:47:01 VM_146_20_centos auditd[10838]: Audit daemon rotating log files","Mar 4 09:33:02 VM_146_20_centos auditd[10838]: Audit daemon rotating log files","Mar 4 13:51:51 VM_146_20_centos nrpe[6666]: Host 183.60.48.110 is not allowed to talk to us!","Mar 4 15:22:01 VM_146_20_centos auditd[10838]: Audit daemon rotating log files","Mar 4 21:01:48 VM_146_20_centos auditd[10838]: Audit daemon rotating log files","Mar 4 21:59:05 VM_146_20_centos nrpe[32085]: Error: Network server getpeername() failure (107: Transport endpoint is not connected)","Mar 4 21:59:05 VM_146_20_centos nrpe[32085]: Cannot remove pidfile '/var/run/nrpe.pid' - check your privileges.","Mar 4 21:59:05 VM_146_20_centos nrpe[32085]: Daemon shutdown","Mar 4 21:59:50 VM_146_20_centos nrpe[32233]: Host 183.60.163.144 is not allowed to talk to us!","Mar 4 22:00:06 VM_146_20_centos nrpe[32330]: Host 183.60.163.144 is not allowed to talk to us!","Mar 5 02:49:14 VM_146_20_centos auditd[10838]: Audit daemon rotating log files","Mar 5 04:03:11 VM_146_20_centos nslcd[11233]: [01e78c] ldap_result() timed out","Mar 5 04:10:11 VM_146_20_centos nslcd[11233]: [c2bda6] ldap_result() timed out","Mar 5 04:10:11 VM_146_20_centos nslcd[11233]: [66c15d] ldap_result() timed out","Mar 5 04:12:11 VM_146_20_centos nslcd[11233]: [2a178c] ldap_result() timed out","Mar 5 04:12:35 VM_146_20_centos nslcd[11233]: [2a178c] failed to bind to LDAP server ldaps://ldap-vnt.happyelements.com: Can't contact LDAP server: Connection timed out","Mar 5 04:12:35 VM_146_20_centos nslcd[11233]: [2a178c] no available LDAP server found","Mar 5 04:12:45 VM_146_20_centos nslcd[11233]: [2a178c] failed to bind to LDAP server ldaps://ldap-vnt.happyelements.com: Can't contact LDAP server: Connection timed out","Mar 5 04:12:45 VM_146_20_centos nslcd[11233]: [2a178c] no available LDAP server found","Mar 5 04:13:11 VM_146_20_centos nslcd[11233]: [c7a1cc] ldap_result() timed out","Mar 5 04:13:21 VM_146_20_centos nslcd[11233]: [c7a1cc] failed to bind to LDAP server ldaps://ldap-vnt.happyelements.com: Can't contact LDAP server: Connection timed out","Mar 5 04:13:21 VM_146_20_centos nslcd[11233]: [c7a1cc] no available LDAP server found","Mar 5 04:13:31 VM_146_20_centos nslcd[11233]: [c7a1cc] failed to bind to LDAP server ldaps://ldap-vnt.happyelements.com: Can't contact LDAP server: Connection timed out","Mar 5 04:13:31 VM_146_20_centos nslcd[11233]: [c7a1cc] no available LDAP server found","Mar 5 08:35:01 VM_146_20_centos auditd[10838]: Audit daemon rotating log files","Mar 5 14:23:01 VM_146_20_centos auditd[10838]: Audit daemon rotating log files","Mar 5 15:59:00 VM_146_20_centos nrpe[6052]: Error: Network server getpeername() failure (107: Transport endpoint is not connected)","Mar 5 15:59:00 VM_146_20_centos nrpe[6052]: Cannot remove pidfile '/var/run/nrpe.pid' - check your privileges.","Mar 5 15:59:00 VM_146_20_centos nrpe[6052]: Daemon shutdown","Mar 5 15:59:17 VM_146_20_centos nrpe[6110]: Host 180.153.160.15 is not allowed to talk to us!","Mar 5 15:59:33 VM_146_20_centos nrpe[6159]: Host 180.153.160.15 is not allowed to talk to us!
关闭外网 关闭groovy script在elasticsearch.yml加script.groovy.sandbox.enabled: false
未能联系到厂商或者厂商积极拒绝