The sky fell in. What should have been a relaxed, pleasant Friday: during the day at the office I found that the CloudCone (an overseas cloud provider) box I bought early on as a proxy for getting past the firewall had suddenly gone offline, and when I got home I found that the database on the server I had picked up for free from CodeBuddy a few days earlier had been compromised. Table structures and data were all wiped; all that was left for me was a RECOVER_YOUR_DATA_info table containing the following:

Dear Sir/Madam,

We hope this message finds you well.

We would like to let you know that we created a backup of your databases/tables (we keep them for 30 days, after which your data will be publicly disclosed and permanently deleted from our servers).

We offer you our recover service: if you want to recover your corrupted or incomplete databases/tables, simply transfer 0.015 BTC to this address:

1Eek[omitted].......zwyvQ

This address is assigned to your database credentials (host + user). We will know when you have paid.

After payment confirmation, our program will restore the entire databases/tables automatically, so please do not change your database login details and make sure the database is still accessible from outside the local network. Do not worry. All your databases and tables will be restored. (If the restore fails, the current field will be modified to provide links for you to download your data.)

Please take note of the following:

After 30 days, we cannot guarantee that we will be able to send the data to you.

The only way to recover your data is by making the payment. We will not provide the data for free.

Data leaks can have serious consequences. Rest assured your data is protected.

Once your payment is completed, all your data will be deleted from our servers. Currently, government agencies, competitors, contractors, and local media remain unaware of the incident. Upon receiving your payment, we guarantee that these entities will not be contacted about this matter, ensuring your privacy and the confidentiality of the situation are maintained.

If you pay we guarantee that your data will not be sold on Darkweb resources and will not be used to attack your company, employees, or counterparties in the future and the full database dump will be sent to you.

If you have not sent the requested amount within 30 days from the date of the incident, we will consider the transaction incomplete. Your data will then be sent to any interested parties. This is your responsibility.

After payment confirmation, our program will restore the entire databases/tables automatically, so please do not change your database login details and make sure the database is still accessible from outside the local network.

The only accepted payment method is Bitcoin, to the wallet specified above.

Be advised: PayPal, WeTransfer, Alipay, credit cards, and other methods will not be accepted.

If you do not have Bitcoin, you can purchase it using a credit card from the following websites:

Alternatively, you can buy Bitcoin using other payment methods from the following platforms (some of them work in China):

For users in China, Bitcoin can be purchased with Alipay from:

If you do not need to restore your data but you want to prevent it from being leaked, send 0.005 BTC to this address:

1Eek[omitted].......zwyvQ

In this case, your data will not be made public and will be deleted from our servers without any recovery service.

CloudCone

First, the CloudCone outage and how I looked into it. I logged into the console right away and clicked on my instance; it immediately returned a 404 and the machine could no longer be managed, so I opened a ticket with support, who replied as follows:

Hi lcry,

We're aware of a major infrastructure incident affecting multiple nodes.

Our engineering team is actively working on it. This ticket is linked to the incident and updates will be shared centrally.

You can refer to the status page for more details: https://status.cloudcone.com/

Thank you for your understanding.

The key sentence is this one: We're aware of a major infrastructure incident affecting multiple nodes.

I then followed the link to the status page they mentioned, and sure enough my [US] Los Angeles machine was flagged as a Major incident.

[Image: CloudCone status page showing the Major incident for the [US] Los Angeles node]

Judging from the incident notice, it had already been going on for quite a while, so this is no small event; as of publishing it still has not recovered. A screenshot being discussed on forums claims the servers were compromised, the data wiped and a payment demanded for its return (image taken from the web, authenticity unverified).

[Image: forum screenshot circulating online]

There is nothing to be done about this except wait (hopefully not until the provider disappears altogether, haha) and see what they say and what compensation they offer. Luckily I have other backup machines, so my proxy access is not affected.

Domestic server

Now the second thing. The server whose database was compromised is the one I got for free from CodeBuddy a few days ago. Since I thought it was only temporary and would not hold anything important, I simply opened every port in the security group. Then last night at home I installed an open-source project; building the image took a while, so I just ran docker compose up -d and went to bed without checking on it, and I did not look at it all day at work either. Before leaving the office I received a Tencent Cloud alert (with an SMS notification as well) saying a high-risk vulnerability had been detected, and I knew something had gone wrong.

[Image: Tencent Cloud high-risk vulnerability alert]

Back home, sure enough, the database had been compromised, and the text from the beginning of this post had been left behind inside it. I took a look at the deployed open-source project: it used a weak password, and although Redis had a password set, Redis has had so many vulnerabilities that it is easy to get burned anyway. Nothing more to say: I immediately changed the passwords and restricted the security group to my own public IP only. There was no important data on it anyway; holding me to ransom for 0.005 BTC, seriously.

Summary

After today's events, I realise that a lot of high-risk vulnerabilities were disclosed before the new year, and Redis in particular is very easy to get hit through. Please, please do not expose these services on the public internet: open ports only as needed, and back up your data on a schedule. Otherwise, if a real production server gets ransomed and the data is gone, it is a disaster. I do not know whether CloudCone will be able to recover its data later; I had nothing on it, but I still recommend everyone build the habit of backing up. As always: data is priceless!!!