The Linux system has been hacked again.

Aliyun bought a server to learn to use and installed the wdlinux system. It has been invaded many times.
previous invaders can only use snapshots to restore the system. Now, once again, my heart is tired

.

normally the wdcp directory is like this

clipboard.png

clipboard.png

OO

clipboard.png

The

killall command is also detected?

what should I do in this case except to restore the snapshot?


submit a work order to the console and ask Aliyun's technical team to help handle


Hello,

when was your snapshot created? The status of the snapshot is "clean", is it not "invaded"?

look at the creation time of your wdcp directory may be 2017.

personal advice is to export the site's data from the snapshot, then reset the system, install a new version of wdcp, and then import the site's data.

probably, change the official new system and patch it. Install the new version of the wdcp panel, and then import the data.


first of all, you need to make security settings for a new server, otherwise it will be Goben.

  1. ssh change port, or set to key access, strong password, it is best to directly hide ssh.
    (multi-mouthed, ssr is usually used to climb walls, but it is also an excellent security tool. You can hide ssh in ssr)
  2. turning off unwanted services, such as pureftpd, is a hole.
  3. if you use wdlinux, that is to say, if you run php, you need to turn off the high-risk function. The wdcp backend can be set or manually modified php.ini

chmod,exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,pcntl_exec,socket_accept,socket_bind,socket_clear_error,socket_close,socket_connect,socket_create_listen,socket_create_pair,socket_create,socket_get_option,socket_getpeername,socket_getsockname,socket_last_error,socket_listen,socket_read,socket_recv,socket_recvfrom,socket_select,socket_send,socket_sendto,socket_set_block, Socket_set_nonblock,socket_set_option,socket_shutdown,socket_strerror,socket_write,stream_socket_client,stream_socket_server,pfsockopen,disk_total_space,disk_free_space,chown,diskfreespace,getrusage,get_current_user,getmyuid,getmypid,dl,leak,listen,chgrp,link,symlink,dlopen,proc_nice,proc_get_stats,proc_terminate,shell_exec,sh2_exec,posix_getpwuid,posix_getgrgid,posix_kill,ini_restore,mkfifo,dbmopen,dbase_open,filepro,filepro_rowcount, Posix_mkfifo,putenv,sleep

4. The biggest insecurity comes mainly from your code. Be careful with wordpress, this guy is full of holes, of course, wordpress also has a lot of security plug-ins.

MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1e45473-4cebd.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1e45473-4cebd.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?