GitLab shows no repositories: hit by ransomware

A painful thing to write down, and it has not been resolved.


I opened GitLab yesterday (2021-11-29) and could not see any projects; it looked like this damn mess (screenshot):


In the end I found it had been hit by a virus: a pile of these damn files. I copied one and opened it to take a look.


I have to say, this hacker page is actually quite well written; a gang like this deserves to have its whole clan wiped out.


CERBER RANSOMWARE

Instructions

Can't open the files you need?
The contents of your files are unreadable?

This is normal, because the file names and data of your files have been encrypted by "Cerber Ransomware".

This means your files are not damaged! Your files have only been modified, and this modification is reversible; until they are decrypted you cannot use your files.

The only safe way to decrypt your files is to purchase the special decryption software "Cerber Decryptor".

Any attempt to recover your files with third-party software will be fatal to your files!


You can purchase the decryption software on your personal page:

http://pigetrzlperjreyr3fbytm27bljaq4eungv3gdq2tohnoyfrqu4bx5qd.onion/bt105de1a8b160fb2876fa6f96f57f021044c382012717310ba4c2032a2ca704db464edf0509662630a290779d7f1179f90318221d3c1ce799757588104e8df3c2fbbf18e5956a0576dbf29047a9a22a94e23099a83cfe4e76b6c896e78bef9e0ee5cd24dbbe9f4e3ad9920b1bee8c0c2c80f8a4d319f500912263070d5fb5d7b13a/

On this page you will find detailed instructions on how to purchase the decryption software to recover your files.

On this page you can also decrypt one file of your choice for free, to confirm that "Cerber Decryptor" can recover any of your files.


If your browser cannot open your personal page, you need to install and use the Tor Browser to open it:

  1. Use your web browser (if you don't know which one, use Internet Explorer);
  2. In the browser address bar type or paste the address https://www.torproject.org/download/download-easy.html.en and press ENTER;
  3. Wait for the site to load;
  4. On the site you will download the Tor Browser; download and run it, follow the installation guide and wait until the installation completes;
  5. Run the Tor Browser;
  6. Connect using the "Connect" button (if you are using the English version);
  7. After initialisation a normal browser window will open (during initialisation you need to configure a Tor bridge or a local VPN proxy for the Tor Browser in order to get past the firewall and connect to the Tor network);
  8. In the browser address bar type or paste the address
    http://pigetrzlperjreyr3fbytm27bljaq4eungv3gdq2tohnoyfrqu4bx5qd.onion/bt105de1a8b160fb2876fa6f96f57f021044c382012717310ba4c2032a2ca704db464edf0509662630a290779d7f1179f90318221d3c1ce799757588104e8df3c2fbbf18e5956a0576dbf29047a9a22a94e23099a83cfe4e76b6c896e78bef9e0ee5cd24dbbe9f4e3ad9920b1bee8c0c2c80f8a4d319f500912263070d5fb5d7b13a/
  9. Press ENTER;
  10. The site will load; if for some reason it does not load after waiting a while, try again.

If you have any problems during the installation or use of the Tor Browser, visit https://www.baidu.com and type "how to install Tor Browser" in the search bar; you will find instructions and tutorials on installing the Tor onion browser.


Additional information:

You will find instructions for recovering your files ("*README*.hta") in any folder containing encrypted files.

The ("*README*.hta") instructions in folders with encrypted files are not a virus; the ("*README*.hta") instructions will help you decrypt your files.

Remember, the worst has already happened; whether your files can still be used depends on your decision and how fast you react.


----------------------------2021-12-2, working on it


Related articles


Beware! The dual-platform mining botnet Sysrv-hello is targeting users' GitLab servers

Tencent Cloud Container Security Service (TCSS) captures an in-the-wild attack exploiting the GitLab ExifTool RCE vulnerability

Reproducing the GitLab remote command execution vulnerability (CVE-2021-22205)

 ------------------------------------2021-12-3 

For GitLab I found a backup from 11-10 and restored it; then everyone uploaded their latest code and we backed up again. After that I set up a fresh instance. Because it was deployed with docker, redoing it is very convenient; I upgraded it in docker-compose so that this vulnerability cannot cause more trouble first. Only this docker container had the problem. There are some other services too, Confluence, Jira and who knows what else; I was not the one who set up the environment originally, so I can only see part of it and I am not clear on the other details. Now the boss wants the whole server redone from scratch. I think that is rather a lot of work; doing upgrades properly and managing each piece of software is the real point. Even if the system is rebuilt, with a vulnerability it will get infected just the same.

What I am thinking now is to first find out exactly what is installed on this server, what the specific configurations are, and what we actually need. Then take some backups and have the system reinstalled. Also add some security measures, for example making the GitLab that hosts our code reachable only through VPN. I can't think of anything else; feel free to give me some ideas.


------------------2021.12.07---

In the last couple of days I noticed there are attacks!!!!

sudo docker container logs gitlab | grep "Thank you for playing"


The search above turned up a pile of these:

......
2021-12-05_10:18:54.42415 Received disconnect from 5.181.80.15 port 52358:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:18:55.15312 Received disconnect from 5.181.80.15 port 52912:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:18:55.73275 Received disconnect from 5.181.80.15 port 53094:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:18:56.40179 Received disconnect from 5.181.80.15 port 53278:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:18:56.42875 Received disconnect from 5.181.80.15 port 53462:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:18:57.03512 Received disconnect from 5.181.80.15 port 53646:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:18:58.28274 Received disconnect from 5.181.80.15 port 53830:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:18:58.40812 Received disconnect from 5.181.80.15 port 54014:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:18:59.50798 Received disconnect from 5.181.80.15 port 54198:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:18:59.86178 Received disconnect from 5.181.80.15 port 54382:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:19:00.89994 Received disconnect from 5.181.80.15 port 54566:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:19:01.36386 Received disconnect from 5.181.80.15 port 54748:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:19:01.68053 Received disconnect from 5.181.80.15 port 54934:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:19:03.11922 Received disconnect from 5.181.80.15 port 55302:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:19:03.38771 Received disconnect from 5.181.80.15 port 55118:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:19:03.87525 Received disconnect from 5.181.80.15 port 55486:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:19:05.10209 Received disconnect from 5.181.80.15 port 55854:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:19:06.02891 Received disconnect from 5.181.80.15 port 55670:11: Normal Shutdown, Thank you for playing [preauth]

........

2021-12-06_04:15:40.35091 Received disconnect from 188.166.251.221 port 54914:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:15:42.36727 Received disconnect from 188.166.251.221 port 49860:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:15:43.64879 Received disconnect from 188.166.251.221 port 36794:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:15:45.64857 Received disconnect from 188.166.251.221 port 39326:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:15:46.95939 Received disconnect from 188.166.251.221 port 34268:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:15:47.63012 Received disconnect from 188.166.251.221 port 41880:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:15:51.69799 Received disconnect from 188.166.251.221 port 51968:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:15:52.43925 Received disconnect from 188.166.251.221 port 44390:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:15:53.53751 Received disconnect from 188.166.251.221 port 46928:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:15:54.48499 Received disconnect from 188.166.251.221 port 57040:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:15:54.93217 Received disconnect from 188.166.251.221 port 54560:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:15:58.04736 Received disconnect from 188.166.251.221 port 49454:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:15:59.31935 Received disconnect from 188.166.251.221 port 33856:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:15:59.40580 Received disconnect from 188.166.251.221 port 36450:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:15:59.51271 Received disconnect from 188.166.251.221 port 59576:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:16:02.74579 Received disconnect from 188.166.251.221 port 38938:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:16:04.97637 Received disconnect from 188.166.251.221 port 46540:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:16:06.10581 Received disconnect from 188.166.251.221 port 44008:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:16:07.73245 Received disconnect from 188.166.251.221 port 54130:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:16:08.90563 Received disconnect from 188.166.251.221 port 56670:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:16:09.72965 Received disconnect from 188.166.251.221 port 51610:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:16:10.12646 Received disconnect from 188.166.251.221 port 49072:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:16:12.05080 Received disconnect from 188.166.251.221 port 33592:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:16:15.09082 Received disconnect from 188.166.251.221 port 41074:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:16:15.38273 Received disconnect from 188.166.251.221 port 59210:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:16:16.14651 Received disconnect from 188.166.251.221 port 36044:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:16:16.48798 Received disconnect from 188.166.251.221 port 38538:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:16:16.59046 Received disconnect from 188.166.251.221 port 43634:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:16:21.26001 Received disconnect from 188.166.251.221 port 48676:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_04:16:21.71931 Received disconnect from 188.166.251.221 port 46156:11: Normal Shutdown, Thank you for playing [preauth]

.................

This IP is very suspicious.

sudo docker container logs gitlab | grep 5.181.80.15

I picked one and looked; it is like the output below. This really looks like brute forcing......


......
2021-12-05_10:32:50.13804 Disconnected from 5.181.80.15 port 41022 [preauth]
2021-12-05_10:32:50.76195 Invalid user zk from 5.181.80.15
2021-12-05_10:32:50.94788 Received disconnect from 5.181.80.15 port 41210:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:32:50.94792 Disconnected from 5.181.80.15 port 41210 [preauth]
2021-12-05_10:32:51.50977 Invalid user zl from 5.181.80.15
2021-12-05_10:32:51.68562 Received disconnect from 5.181.80.15 port 41394:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:32:51.68567 Disconnected from 5.181.80.15 port 41394 [preauth]
2021-12-05_10:32:52.81710 Invalid user zln from 5.181.80.15
2021-12-05_10:32:52.99201 Received disconnect from 5.181.80.15 port 41578:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:32:52.99205 Disconnected from 5.181.80.15 port 41578 [preauth]
2021-12-05_10:32:53.79301 Invalid user zl from 5.181.80.15
2021-12-05_10:32:53.96808 Received disconnect from 5.181.80.15 port 41762:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:32:53.96812 Disconnected from 5.181.80.15 port 41762 [preauth]
2021-12-05_10:32:54.95818 Invalid user zmingxing from 5.181.80.15
2021-12-05_10:32:54.99551 Invalid user zmj from 5.181.80.15
2021-12-05_10:32:55.13449 Received disconnect from 5.181.80.15 port 41946:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:32:55.13455 Disconnected from 5.181.80.15 port 41946 [preauth]
2021-12-05_10:32:55.17799 Received disconnect from 5.181.80.15 port 42130:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:32:55.17803 Disconnected from 5.181.80.15 port 42130 [preauth]
2021-12-05_10:32:56.89954 Invalid user zoomway from 5.181.80.15
2021-12-05_10:32:57.29566 Received disconnect from 5.181.80.15 port 42498:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:32:57.29573 Disconnected from 5.181.80.15 port 42498 [preauth]
2021-12-05_10:32:58.14266 Invalid user zq26 from 5.181.80.15
2021-12-05_10:32:58.32725 Received disconnect from 5.181.80.15 port 42682:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:32:58.32731 Disconnected from 5.181.80.15 port 42682 [preauth]
2021-12-05_10:32:58.86544 Invalid user zqs from 5.181.80.15
2021-12-05_10:32:59.04274 Received disconnect from 5.181.80.15 port 43050:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:32:59.04279 Disconnected from 5.181.80.15 port 43050 [preauth]
2021-12-05_10:32:59.73419 Invalid user zookeeper from 5.181.80.15
2021-12-05_10:32:59.90901 Received disconnect from 5.181.80.15 port 42314:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:32:59.90907 Disconnected from 5.181.80.15 port 42314 [preauth]
2021-12-05_10:33:00.18674 Invalid user zqc from 5.181.80.15
2021-12-05_10:33:00.31154 Invalid user zrp from 5.181.80.15
2021-12-05_10:33:00.36284 Received disconnect from 5.181.80.15 port 42866:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:33:00.36289 Disconnected from 5.181.80.15 port 42866 [preauth]
2021-12-05_10:33:00.48646 Received disconnect from 5.181.80.15 port 43234:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:33:00.48650 Disconnected from 5.181.80.15 port 43234 [preauth]
2021-12-05_10:33:01.74575 Invalid user zswang from 5.181.80.15
2021-12-05_10:33:01.92205 Received disconnect from 5.181.80.15 port 43416:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:33:01.92209 Disconnected from 5.181.80.15 port 43416 [preauth]
2021-12-05_10:33:02.32103 Invalid user zswang from 5.181.80.15
2021-12-05_10:33:02.49579 Received disconnect from 5.181.80.15 port 43602:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:33:02.49582 Disconnected from 5.181.80.15 port 43602 [preauth]
2021-12-05_10:33:02.73695 Invalid user zuoying from 5.181.80.15
2021-12-05_10:33:02.83117 Invalid user zs from 5.181.80.15
2021-12-05_10:33:03.00664 Received disconnect from 5.181.80.15 port 43786:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:33:03.00670 Disconnected from 5.181.80.15 port 43786 [preauth]
2021-12-05_10:33:03.13029 Received disconnect from 5.181.80.15 port 43970:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:33:03.13034 Disconnected from 5.181.80.15 port 43970 [preauth]
2021-12-05_10:33:03.89042 Invalid user zws from 5.181.80.15
2021-12-05_10:33:04.07824 Invalid user zxc from 5.181.80.15
2021-12-05_10:33:04.25347 Received disconnect from 5.181.80.15 port 44338:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:33:04.25353 Disconnected from 5.181.80.15 port 44338 [preauth]
........
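As an added example that is not part of the original post, here is a small Python script that applies the same two checks the post does by hand with grep, over lines in this exact log format: it parses the svlogd-style timestamp prefix that the GitLab container emits, flags any source that presents the "Thank you for playing" disconnect banner, and flags any source that tries several distinct usernames within one minute. The sample log is constructed from the shapes seen above; 10.0.0.7 is a made-up internal address used as the negative case.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same shape as the sshd lines the post pulls out of
# `docker container logs gitlab` (svlogd-style timestamp prefix). Not real data.
SAMPLE_LOG = """\
2021-12-05_10:32:50.76195 Invalid user zk from 5.181.80.15
2021-12-05_10:32:50.94788 Received disconnect from 5.181.80.15 port 41210:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-05_10:32:51.50977 Invalid user zl from 5.181.80.15
2021-12-05_10:32:52.81710 Invalid user zln from 5.181.80.15
2021-12-05_10:32:54.95818 Invalid user zmingxing from 5.181.80.15
2021-12-06_04:15:40.35091 Received disconnect from 188.166.251.221 port 54914:11: Normal Shutdown, Thank you for playing [preauth]
2021-12-06_09:00:00.00000 Invalid user deploy from 10.0.0.7
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}_\d{2}:\d{2}:\d{2})\.\d+ (.*)$")
INVALID_RE = re.compile(r"^Invalid user (\S+) from ([\d.]+)$")
# "Thank you for playing" is a disconnect banner sent by a common SSH scanning tool;
# its presence alone marks the source as a scanner.
BANNER_RE = re.compile(r"^Received disconnect from ([\d.]+) port \d+:11: .*Thank you for playing")

def parse(log_text):
    """Yield (timestamp, ip, kind, username_or_None) for recognised lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d_%H:%M:%S")
        inv = INVALID_RE.match(m.group(2))
        if inv:
            yield ts, inv.group(2), "invalid_user", inv.group(1)
            continue
        ban = BANNER_RE.match(m.group(2))
        if ban:
            yield ts, ban.group(1), "scanner_banner", None

def suspicious_sources(log_text, threshold=3):
    """Flag an IP if it tries >= threshold distinct usernames within one minute
    (brute force / username spraying) or if it sends the scanner banner at all."""
    per_minute = defaultdict(set)   # (ip, minute) -> usernames tried
    banners = defaultdict(int)      # ip -> banner occurrences
    for ts, ip, kind, user in parse(log_text):
        if kind == "invalid_user":
            per_minute[(ip, ts.strftime("%Y-%m-%d_%H:%M"))].add(user)
        else:
            banners[ip] += 1
    flagged = {ip: {"users": set(), "banner_hits": n} for ip, n in banners.items()}
    for (ip, minute), users in per_minute.items():
        if len(users) >= threshold:
            flagged.setdefault(ip, {"users": set(), "banner_hits": 0})["users"] |= users
    return {ip: {"users": sorted(v["users"]), "banner_hits": v["banner_hits"]} for ip, v in flagged.items()}
```

Feed it the real output of `sudo docker container logs gitlab` to get, per source IP, the usernames tried and how often the scanner banner appeared; the flagged list is what you would hand to a firewall rule or fail2ban-style blocker.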


Seriously, exposing it to the public internet is convenient, but it also brings a lot of problems!


There is another log that also looks pretty fishy:

sudo docker container logs gitlab | grep 'test*.jpg'


There are a lot of these too, and the IPs are foreign: 212.3.101.118; 107.172.198.108


That is all I have found so far.


posted @ 2021-11-30 15:38  梨花大将  views (1317)  comments (4)