I see a lot of log entries with this line:
Nov 7 03:47:41 s1 sshd[23430]: Received disconnect from XX.XXX.XX.XX: 11:
Nov 7 05:08:16 s1 sshd[24474]: Received disconnect from XX.XXX.XX.XX: 11:
Nov 7 06:33:59 s1 sshd[25526]: Received disconnect from XX.XXX.XX.XX: 11:
Nov 7 08:06:33 s1 sshd[26601]: Received disconnect from XX.XXX.XX.XX: 11:
Nov 7 09:24:14 s1 sshd[27460]: Received disconnect from XX.XXX.XX.XX: 11:
Nov 7 10:59:49 s1 sshd[28821]: Received disconnect from XX.XXX.XX.XX: 11:
Nov 7 12:14:39 s1 sshd[29894]: Received disconnect from XX.XXX.XX.XX: 11:
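I have pasted only 7 lines here, but I have hundreds of them in the log file. The IP is always the same.
I was told that this indicates my server has been hacked and that the attacker somehow managed to clear the log entries that recorded the login, because in order to get a "disconnect" message there would have to be an earlier entry for the same IP. Is this true?
My question is: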