Incident notes: DigitalOcean disabled my droplet's networking over a spam tool

Today the website became unreachable; neither PuTTY nor WinSCP could connect. A look at the DO control panel showed that the server had been cut off from the network for sending spam attacks. Of the various possible causes, my guess is that a bad WordPress plugin or some file in the web directory was abused by a spam operation to send bulk spam, an international organization complained, and DO then disabled the network.
Below is a record of how it was handled, for future reference.
———————————————————————————————
Networking disabled: SFO-Ubuntu14.04

#689xxx – Created on 07/16/15 at 22:00 UTC SFO-Ubuntu14.04

Support Request Posted on 07/16/15 at 22:00 UTC
Hi there,

We are sorry to report that we have detected what appears to be a Brute Force attack being launched from one or more of your servers.

To shut down this attack, we have disabled the networking interface on the server or servers involved. In order to correct the issue, please connect to your server via the console in the control panel. Please take action at your earliest convenience in order to investigate and resolve the situation. You can connect to your web console by logging into the control panel and selecting the droplet on the following page https://cloud.digitalocean.com/droplets

From there you will select the “Console Access” option in the upper right. Here you will be able to log in and troubleshoot your issue. This is the direct link to the console of the affected droplet https://cloud.digitalocean.com/droplets/xxxxxxx/console

Once this is done, please also determine how this software came to be installed on your droplet and prevent it from being installed again in the future. Once you are done, let us know and we will investigate re-enabling your networking.

If you need any guidance on how to find and resolve this issue, we recommend reviewing this:

https://www.digitalocean.com/community/tutorials/how-to-recover-from-a-compromised-droplet-sending-an-outgoing-flood-or-ddos

Please understand that this is a very serious issue as it negatively impacts our platform and your server. If you need any guidance on how to protect your servers please let us know.

Thank you,
DigitalOcean Support
——————————————————————

REPLY from Customer Posted on 07/17/15 at 02:06 UTC
Hi there, I can’t connect to my VPS today, it’s a disaster. As you can see, I just run some WordPress sites on my VPS, and visits are also rare.
I don’t know about “IP: *104.236.xxx.xxx* has attacked one of our servers/partners” or why it happened. As a professional company, I think and hope DO will deal with it, rather than disabling the network.

According to your advice, I checked my droplet and logged in via Console Access; maybe it was caused by a bad WordPress plugin, so I will deactivate it.

Now, please re-enable my networking, thanks a lot.

—————————————————————————————
REPLY from Michael Posted on 07/17/15 at 02:19 UTC
Hello,

We’re sorry for any confusion here. The reports you’ve received indicate that your server has been performing attacks against a third party. They are not reports of login attempts on your own server, but instead they show your server attempting to log into others.

This almost always indicates that your server has been compromised, and is a very serious issue that you will need to investigate.

Best,
——————————————————————————————————

REPLY from CUS Posted on 07/17/15 at 02:54 UTC
Well, I see. Thanks!

I will disable the SMTP servers and close the related ports to stop my server from sending spam.

Please re-enable my networking.

———————————————————————————————————
REPLY from Michael Posted on 07/17/15 at 03:18 UTC
Hey,

Networking has been re-enabled. Please note that you likely have a compromised plugin or otherwise malicious files in your website directory.

Best,

———————————————————————————————————

REPLY from Cus Posted on 07/17/15 at 03:24 UTC
Thanks, you are right, I will delete the compromised plugin.

————————-
Following this article http://shadowkong.com/archives/1823, I disabled the SMTP service.
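Support's hint above was "a compromised plugin or otherwise malicious files in your website directory". A small triage scanner for exactly that case, added here as an example (it is not code from this post, from the linked article, or from DigitalOcean): it walks a WordPress tree and reports PHP files that contain patterns typical of injected spam mailers and web shells, plus whether they were modified recently. The pattern names and the 7-day window are my own choices, and a hit is a lead to inspect, not proof of compromise.

```python
import os
import re
import time

# Heuristic patterns typical of injected spam mailers and web shells (leads, not proof).
SUSPICIOUS = {
    "eval_of_decoded_blob": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "mail_with_request_args": re.compile(r"\bmail\s*\([^;]*\$_(POST|GET|REQUEST)\b", re.I),
    "request_value_called_as_function": re.compile(
        r"\$_(POST|GET|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}


def scan_file(path, now=None, recent_days=7):
    """Return the reasons one PHP file looks suspicious (empty list if none)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    reasons = [name for name, pat in SUSPICIOUS.items() if pat.search(src)]
    if reasons:
        # A freshly injected file is usually much newer than the rest of the plugin tree.
        now = time.time() if now is None else now
        if now - os.path.getmtime(path) < recent_days * 86400:
            reasons.append("modified_within_%dd" % recent_days)
    return reasons


def scan_tree(root, now=None, recent_days=7):
    """Walk a WordPress directory; map each suspicious .php/.phtml file to its reasons."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml")):
                path = os.path.join(dirpath, name)
                reasons = scan_file(path, now, recent_days)
                if reasons:
                    hits[path] = reasons
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python3 scan.py /var/www/html  (defaults to the current directory)
    for path, reasons in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(path, ", ".join(reasons))
```

Run it from the droplet console against the web root and review every reported file by hand before deleting anything.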
