THE MOMENT, THE MEMENTO

November 2, 2010

New virus found: Boot Time (lnajr, stxdnpbp.dll)

Tags: — 吴德文 @ 14:11

Around noon today I noticed the computer behaving oddly (I have forgotten exactly how; it just felt wrong), so I went to check the system services. There was an extra service called "Boot Time" (service name lnajr, display name Boot Time), loaded through svchost.exe -k netsvcs, with the description "Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start." At first I took it for some driver, but the description sounded related to the "Logical Disk Manager" service, and a comparison showed the two descriptions were word for word the same. That settled it: this was the service entry of a malicious program, if not a virus.

I opened the registry to look at the contents of this service entry, but the lnajr key was empty: not a trace of "Boot Time", let alone a ServiceDll. So I opened Autoruns, but it could not find any lnajr item at all. Finally I dug out IceSword, and in its registry view I did find the service's information: Enum (0: Root\LEGACY_LNAJR\0000; Count: 0x1; NextInstance: 0x1), Parameters (ServiceDll: C:\WINDOWS\system32\stxdnpbp.dll). Googling stxdnpbp.dll returned nothing, so it looked like I would have to clean it up by hand.

After locating stxdnpbp.dll on disk, I found it could not be copied to another directory, and changing its attributes with ATTRIB did not work either; it could only be renamed. Since I was not sure whether the DLL was already loaded, I renamed it and rebooted. After the reboot it occurred to me to check the file's security permissions: it had only a single Traverse permission for Everyone. Once I added permissions for the administrator, every operation on it worked.

Analysing the file turned up no clues, so I backed it up for the record and cleaned up the registry. A look at the system log showed only an error from today's first boot saying the "Boot Time" service failed to start; there was no information about this service before that, so the virus seems to have moved in yesterday or today and should not have done much damage. The analysis of this lnajr virus has to stop here for now. I wonder whether antivirus software will be able to detect it after a while.
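The check the post made by eye, as an added example that is not part of the original post: group services by normalized description and flag groups that share a description but load different DLLs. The service records are constructed to mirror what the post reports; exporting them from the Services registry key is assumed and left to the reader.

```python
"""Flag services whose description is a copy of another service's.

Added example, not code from the original post. The rogue "Boot Time"
service (lnajr) carried a description identical to the Logical Disk
Manager service's; this turns that observation into a repeatable check.
"""
import re
from collections import defaultdict

DM_DESCRIPTION = ("Detects and monitors new hard disk drives and sends disk volume "
                  "information to Logical Disk Manager Administrative Service for "
                  "configuration.")

# Constructed sample modelled on the post's findings (name, DisplayName,
# Description, Parameters\ServiceDll as they would come out of the registry).
SERVICES = [
    {"name": "dmserver", "display": "Logical Disk Manager",
     "description": DM_DESCRIPTION,
     "service_dll": r"C:\WINDOWS\system32\dmserver.dll"},
    {"name": "lnajr", "display": "Boot Time",
     # same text with doubled spaces: a byte-for-byte comparison would miss it
     "description": DM_DESCRIPTION.replace(" ", "  "),
     "service_dll": r"C:\WINDOWS\system32\stxdnpbp.dll"},
    {"name": "Dhcp", "display": "DHCP Client",
     "description": "Manages network configuration by registering and updating IP addresses.",
     "service_dll": r"C:\WINDOWS\system32\dhcpcsvc.dll"},
]

def normalize(text):
    """Collapse whitespace and case so cosmetic edits do not hide a copied description."""
    return re.sub(r"\s+", " ", text).strip().lower()

def description_clones(services):
    """Groups (sorted service names) that share a description but load different DLLs."""
    groups = defaultdict(list)
    for svc in services:
        if svc.get("description"):
            groups[normalize(svc["description"])].append(svc)
    findings = []
    for members in groups.values():
        dlls = {m["service_dll"].lower() for m in members}
        if len(members) > 1 and len(dlls) > 1:
            findings.append(sorted(m["name"] for m in members))
    return sorted(findings)

def suspicious_pairs(services):
    """Heuristic: within a clone group, the service whose display name occurs in the
    shared description is the likely original; every other member is a suspect.
    Returns (original, suspect, suspect_dll) tuples."""
    by_name = {s["name"]: s for s in services}
    pairs = []
    for group in description_clones(services):
        desc = normalize(by_name[group[0]]["description"])
        originals = [n for n in group if by_name[n]["display"].lower() in desc]
        suspects = [n for n in group if n not in originals]
        for orig in originals:
            for sus in suspects:
                pairs.append((orig, sus, by_name[sus]["service_dll"]))
    return pairs

if __name__ == "__main__":
    for orig, sus, dll in suspicious_pairs(SERVICES):
        print(f"{sus} copies the description of {orig}; hosted DLL: {dll}")
```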



April 27, 2009

The Internet is dangerous, zombies are scary

Tags: — 吴德文 @ 23:32

Lately I have been fiddling with the office computer again. It seems every Monday and Tuesday recently has gone to installing an operating system or new software, as I am preparing to switch to Linux (the main reason being ).

I have been installing since last Thursday, trying in turn Ubuntu 9.04 (just released, so I used it straight away), Fedora 10 and Fedora 9 (the first two were unusable because ICC complained their versions were too new; FC9 because the burned disc simply would not install). In the end I had to install CentOS 5.3; at least I have installed ICC on that before, so there should be no problem.

A whole afternoon went to updating packages, and only in the evening did I remember that I should set up the firewall to fend off SSH login attacks.

After getting home in the evening I hurried to log in and configure the firewall, and while checking the logs I found there were already plenty of attack records:

Apr 27 19:14:12 windwood-office sshd[3073]: Did not receive identification string from 221.10.62.28
Apr 27 19:24:13 windwood-office sshd[3416]: Invalid user staff from 221.10.62.28
Apr 27 19:24:13 windwood-office sshd[3417]: input_userauth_request: invalid user staff
Apr 27 19:24:13 windwood-office sshd[3416]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:24:13 windwood-office sshd[3416]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:24:13 windwood-office sshd[3416]: pam_succeed_if(sshd:auth): error retrieving information about user staff
Apr 27 19:24:15 windwood-office sshd[3416]: Failed password for invalid user staff from 221.10.62.28 port 14701 ssh2
Apr 27 19:24:15 windwood-office sshd[3417]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:24:17 windwood-office sshd[3418]: Invalid user sales from 221.10.62.28
Apr 27 19:24:17 windwood-office sshd[3419]: input_userauth_request: invalid user sales
Apr 27 19:24:17 windwood-office sshd[3418]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:24:17 windwood-office sshd[3418]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:24:17 windwood-office sshd[3418]: pam_succeed_if(sshd:auth): error retrieving information about user sales
Apr 27 19:24:19 windwood-office sshd[3418]: Failed password for invalid user sales from 221.10.62.28 port 16597 ssh2
Apr 27 19:24:19 windwood-office sshd[3419]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:24:25 windwood-office sshd[3420]: Invalid user recruit from 221.10.62.28
Apr 27 19:24:25 windwood-office sshd[3421]: input_userauth_request: invalid user recruit
Apr 27 19:24:25 windwood-office sshd[3420]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:24:25 windwood-office sshd[3420]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:24:25 windwood-office sshd[3420]: pam_succeed_if(sshd:auth): error retrieving information about user recruit
Apr 27 19:24:27 windwood-office sshd[3420]: Failed password for invalid user recruit from 221.10.62.28 port 17878 ssh2
Apr 27 19:24:27 windwood-office sshd[3421]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:24:28 windwood-office sshd[3422]: Invalid user alias from 221.10.62.28
Apr 27 19:24:28 windwood-office sshd[3423]: input_userauth_request: invalid user alias
Apr 27 19:24:28 windwood-office sshd[3422]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:24:28 windwood-office sshd[3422]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:24:28 windwood-office sshd[3422]: pam_succeed_if(sshd:auth): error retrieving information about user alias
Apr 27 19:24:30 windwood-office sshd[3422]: Failed password for invalid user alias from 221.10.62.28 port 19445 ssh2
Apr 27 19:24:30 windwood-office sshd[3423]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:24:32 windwood-office sshd[3424]: Invalid user office from 221.10.62.28
Apr 27 19:24:32 windwood-office sshd[3425]: input_userauth_request: invalid user office
Apr 27 19:24:32 windwood-office sshd[3424]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:24:32 windwood-office sshd[3424]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:24:32 windwood-office sshd[3424]: pam_succeed_if(sshd:auth): error retrieving information about user office
Apr 27 19:24:33 windwood-office sshd[3424]: Failed password for invalid user office from 221.10.62.28 port 20668 ssh2
Apr 27 19:24:33 windwood-office sshd[3425]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:24:35 windwood-office sshd[3426]: Invalid user samba from 221.10.62.28
Apr 27 19:24:35 windwood-office sshd[3427]: input_userauth_request: invalid user samba
Apr 27 19:24:35 windwood-office sshd[3426]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:24:35 windwood-office sshd[3426]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:24:35 windwood-office sshd[3426]: pam_succeed_if(sshd:auth): error retrieving information about user samba
Apr 27 19:24:37 windwood-office sshd[3426]: Failed password for invalid user samba from 221.10.62.28 port 21377 ssh2
Apr 27 19:24:37 windwood-office sshd[3427]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:24:39 windwood-office sshd[3429]: Invalid user tomcat from 221.10.62.28
Apr 27 19:24:39 windwood-office sshd[3430]: input_userauth_request: invalid user tomcat
Apr 27 19:24:39 windwood-office sshd[3429]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:24:39 windwood-office sshd[3429]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:24:39 windwood-office sshd[3429]: pam_succeed_if(sshd:auth): error retrieving information about user tomcat
Apr 27 19:24:41 windwood-office sshd[3429]: Failed password for invalid user tomcat from 221.10.62.28 port 22216 ssh2
Apr 27 19:24:41 windwood-office sshd[3430]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:24:43 windwood-office sshd[3431]: Invalid user webadmin from 221.10.62.28
Apr 27 19:24:43 windwood-office sshd[3432]: input_userauth_request: invalid user webadmin
Apr 27 19:24:43 windwood-office sshd[3431]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:24:43 windwood-office sshd[3431]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:24:43 windwood-office sshd[3431]: pam_succeed_if(sshd:auth): error retrieving information about user webadmin
Apr 27 19:24:44 windwood-office sshd[3431]: Failed password for invalid user webadmin from 221.10.62.28 port 23351 ssh2
Apr 27 19:24:44 windwood-office sshd[3432]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:24:46 windwood-office sshd[3433]: Invalid user spam from 221.10.62.28
Apr 27 19:24:46 windwood-office sshd[3434]: input_userauth_request: invalid user spam
Apr 27 19:24:46 windwood-office sshd[3433]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:24:46 windwood-office sshd[3433]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:24:46 windwood-office sshd[3433]: pam_succeed_if(sshd:auth): error retrieving information about user spam
Apr 27 19:24:48 windwood-office sshd[3433]: Failed password for invalid user spam from 221.10.62.28 port 24612 ssh2
Apr 27 19:24:49 windwood-office sshd[3434]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:24:51 windwood-office sshd[3435]: Invalid user virus from 221.10.62.28
Apr 27 19:24:51 windwood-office sshd[3436]: input_userauth_request: invalid user virus
Apr 27 19:24:51 windwood-office sshd[3435]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:24:51 windwood-office sshd[3435]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:24:51 windwood-office sshd[3435]: pam_succeed_if(sshd:auth): error retrieving information about user virus
Apr 27 19:24:52 windwood-office sshd[3435]: Failed password for invalid user virus from 221.10.62.28 port 25424 ssh2
Apr 27 19:24:52 windwood-office sshd[3436]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:24:57 windwood-office sshd[3437]: Invalid user cyrus from 221.10.62.28
Apr 27 19:24:57 windwood-office sshd[3438]: input_userauth_request: invalid user cyrus
Apr 27 19:24:57 windwood-office sshd[3437]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:24:57 windwood-office sshd[3437]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:24:57 windwood-office sshd[3437]: pam_succeed_if(sshd:auth): error retrieving information about user cyrus
Apr 27 19:24:59 windwood-office sshd[3437]: Failed password for invalid user cyrus from 221.10.62.28 port 26240 ssh2
Apr 27 19:24:59 windwood-office sshd[3438]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:25:00 windwood-office sshd[3439]: Invalid user oracle from 221.10.62.28
Apr 27 19:25:00 windwood-office sshd[3440]: input_userauth_request: invalid user oracle
Apr 27 19:25:00 windwood-office sshd[3439]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:25:00 windwood-office sshd[3439]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:25:00 windwood-office sshd[3439]: pam_succeed_if(sshd:auth): error retrieving information about user oracle
Apr 27 19:25:03 windwood-office sshd[3439]: Failed password for invalid user oracle from 221.10.62.28 port 28065 ssh2
Apr 27 19:25:03 windwood-office sshd[3440]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:25:05 windwood-office sshd[3442]: Invalid user michael from 221.10.62.28
Apr 27 19:25:05 windwood-office sshd[3443]: input_userauth_request: invalid user michael
Apr 27 19:25:05 windwood-office sshd[3442]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:25:05 windwood-office sshd[3442]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:25:05 windwood-office sshd[3442]: pam_succeed_if(sshd:auth): error retrieving information about user michael
Apr 27 19:25:07 windwood-office sshd[3442]: Failed password for invalid user michael from 221.10.62.28 port 28929 ssh2
Apr 27 19:25:07 windwood-office sshd[3443]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:25:11 windwood-office sshd[3444]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28  user=ftp
Apr 27 19:25:13 windwood-office sshd[3444]: Failed password for ftp from 221.10.62.28 port 30279 ssh2
Apr 27 19:25:13 windwood-office sshd[3445]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:25:15 windwood-office sshd[3446]: Invalid user test from 221.10.62.28
Apr 27 19:25:15 windwood-office sshd[3447]: input_userauth_request: invalid user test
Apr 27 19:25:15 windwood-office sshd[3446]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:25:15 windwood-office sshd[3446]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:25:15 windwood-office sshd[3446]: pam_succeed_if(sshd:auth): error retrieving information about user test
Apr 27 19:25:17 windwood-office sshd[3446]: Failed password for invalid user test from 221.10.62.28 port 31666 ssh2
Apr 27 19:25:17 windwood-office sshd[3447]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:25:19 windwood-office sshd[3448]: Invalid user webmaster from 221.10.62.28
Apr 27 19:25:19 windwood-office sshd[3449]: input_userauth_request: invalid user webmaster
Apr 27 19:25:19 windwood-office sshd[3448]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:25:19 windwood-office sshd[3448]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:25:19 windwood-office sshd[3448]: pam_succeed_if(sshd:auth): error retrieving information about user webmaster
Apr 27 19:25:21 windwood-office sshd[3448]: Failed password for invalid user webmaster from 221.10.62.28 port 33032 ssh2
Apr 27 19:25:21 windwood-office sshd[3449]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:25:22 windwood-office sshd[3450]: Invalid user postmaster from 221.10.62.28
Apr 27 19:25:22 windwood-office sshd[3451]: input_userauth_request: invalid user postmaster
Apr 27 19:25:22 windwood-office sshd[3450]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:25:22 windwood-office sshd[3450]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:25:22 windwood-office sshd[3450]: pam_succeed_if(sshd:auth): error retrieving information about user postmaster
Apr 27 19:25:24 windwood-office sshd[3450]: Failed password for invalid user postmaster from 221.10.62.28 port 34190 ssh2
Apr 27 19:25:24 windwood-office sshd[3451]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:25:26 windwood-office sshd[3452]: Invalid user postfix from 221.10.62.28
Apr 27 19:25:26 windwood-office sshd[3453]: input_userauth_request: invalid user postfix
Apr 27 19:25:26 windwood-office sshd[3452]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:25:26 windwood-office sshd[3452]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:25:26 windwood-office sshd[3452]: pam_succeed_if(sshd:auth): error retrieving information about user postfix
Apr 27 19:25:27 windwood-office sshd[3452]: Failed password for invalid user postfix from 221.10.62.28 port 35434 ssh2
Apr 27 19:25:27 windwood-office sshd[3453]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:25:32 windwood-office sshd[3454]: Invalid user postgres from 221.10.62.28
Apr 27 19:25:32 windwood-office sshd[3455]: input_userauth_request: invalid user postgres
Apr 27 19:25:32 windwood-office sshd[3454]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:25:32 windwood-office sshd[3454]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:25:32 windwood-office sshd[3454]: pam_succeed_if(sshd:auth): error retrieving information about user postgres
Apr 27 19:25:34 windwood-office sshd[3454]: Failed password for invalid user postgres from 221.10.62.28 port 35817 ssh2
Apr 27 19:25:34 windwood-office sshd[3455]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:25:36 windwood-office sshd[3456]: Invalid user paul from 221.10.62.28
Apr 27 19:25:36 windwood-office sshd[3457]: input_userauth_request: invalid user paul
Apr 27 19:25:36 windwood-office sshd[3456]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:25:36 windwood-office sshd[3456]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:25:36 windwood-office sshd[3456]: pam_succeed_if(sshd:auth): error retrieving information about user paul
Apr 27 19:25:38 windwood-office sshd[3456]: Failed password for invalid user paul from 221.10.62.28 port 37401 ssh2
Apr 27 19:25:38 windwood-office sshd[3457]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:25:40 windwood-office sshd[3458]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28  user=root
Apr 27 19:25:42 windwood-office sshd[3458]: Failed password for root from 221.10.62.28 port 38622 ssh2
Apr 27 19:25:42 windwood-office sshd[3459]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:25:45 windwood-office sshd[3460]: Invalid user guest from 221.10.62.28
Apr 27 19:25:45 windwood-office sshd[3461]: input_userauth_request: invalid user guest
Apr 27 19:25:45 windwood-office sshd[3460]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:25:45 windwood-office sshd[3460]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:25:45 windwood-office sshd[3460]: pam_succeed_if(sshd:auth): error retrieving information about user guest
Apr 27 19:25:46 windwood-office sshd[3460]: Failed password for invalid user guest from 221.10.62.28 port 39553 ssh2
Apr 27 19:25:46 windwood-office sshd[3461]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:25:49 windwood-office sshd[3462]: Invalid user admin from 221.10.62.28
Apr 27 19:25:49 windwood-office sshd[3463]: input_userauth_request: invalid user admin
Apr 27 19:25:49 windwood-office sshd[3462]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:25:49 windwood-office sshd[3462]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:25:49 windwood-office sshd[3462]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Apr 27 19:25:51 windwood-office sshd[3462]: Failed password for invalid user admin from 221.10.62.28 port 40673 ssh2
Apr 27 19:25:51 windwood-office sshd[3463]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:25:52 windwood-office sshd[3464]: Invalid user linux from 221.10.62.28
Apr 27 19:25:52 windwood-office sshd[3465]: input_userauth_request: invalid user linux
Apr 27 19:25:52 windwood-office sshd[3464]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:25:52 windwood-office sshd[3464]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:25:52 windwood-office sshd[3464]: pam_succeed_if(sshd:auth): error retrieving information about user linux
Apr 27 19:25:54 windwood-office sshd[3464]: Failed password for invalid user linux from 221.10.62.28 port 41756 ssh2
Apr 27 19:25:56 windwood-office sshd[3467]: Invalid user user from 221.10.62.28
Apr 27 19:25:56 windwood-office sshd[3468]: input_userauth_request: invalid user user
Apr 27 19:25:56 windwood-office sshd[3467]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:25:56 windwood-office sshd[3467]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:25:56 windwood-office sshd[3467]: pam_succeed_if(sshd:auth): error retrieving information about user user
Apr 27 19:25:58 windwood-office sshd[3467]: Failed password for invalid user user from 221.10.62.28 port 42986 ssh2
Apr 27 19:25:59 windwood-office sshd[3468]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:26:00 windwood-office sshd[3469]: Invalid user david from 221.10.62.28
Apr 27 19:26:00 windwood-office sshd[3470]: input_userauth_request: invalid user david
Apr 27 19:26:00 windwood-office sshd[3469]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:26:00 windwood-office sshd[3469]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:26:00 windwood-office sshd[3469]: pam_succeed_if(sshd:auth): error retrieving information about user david
Apr 27 19:26:01 windwood-office sshd[3465]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:26:02 windwood-office sshd[3469]: Failed password for invalid user david from 221.10.62.28 port 43672 ssh2
Apr 27 19:26:03 windwood-office sshd[3470]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:26:04 windwood-office sshd[3471]: Invalid user web from 221.10.62.28
Apr 27 19:26:04 windwood-office sshd[3472]: input_userauth_request: invalid user web
Apr 27 19:26:04 windwood-office sshd[3471]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:26:04 windwood-office sshd[3471]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:26:04 windwood-office sshd[3471]: pam_succeed_if(sshd:auth): error retrieving information about user web
Apr 27 19:26:06 windwood-office sshd[3471]: Failed password for invalid user web from 221.10.62.28 port 44651 ssh2
Apr 27 19:26:07 windwood-office sshd[3472]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:26:08 windwood-office sshd[3473]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28  user=apache
Apr 27 19:26:09 windwood-office sshd[3473]: Failed password for apache from 221.10.62.28 port 45793 ssh2
Apr 27 19:26:09 windwood-office sshd[3474]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:26:11 windwood-office sshd[3475]: Invalid user pgsql from 221.10.62.28
Apr 27 19:26:11 windwood-office sshd[3476]: input_userauth_request: invalid user pgsql
Apr 27 19:26:11 windwood-office sshd[3475]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:26:11 windwood-office sshd[3475]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:26:11 windwood-office sshd[3475]: pam_succeed_if(sshd:auth): error retrieving information about user pgsql
Apr 27 19:26:13 windwood-office sshd[3475]: Failed password for invalid user pgsql from 221.10.62.28 port 46872 ssh2
Apr 27 19:26:13 windwood-office sshd[3476]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:26:17 windwood-office sshd[3478]: Invalid user mysql from 221.10.62.28
Apr 27 19:26:17 windwood-office sshd[3479]: input_userauth_request: invalid user mysql
Apr 27 19:26:17 windwood-office sshd[3478]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:26:17 windwood-office sshd[3478]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:26:17 windwood-office sshd[3478]: pam_succeed_if(sshd:auth): error retrieving information about user mysql
Apr 27 19:26:20 windwood-office sshd[3478]: Failed password for invalid user mysql from 221.10.62.28 port 47212 ssh2
Apr 27 19:26:20 windwood-office sshd[3479]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:26:23 windwood-office sshd[3480]: Invalid user info from 221.10.62.28
Apr 27 19:26:23 windwood-office sshd[3481]: input_userauth_request: invalid user info
Apr 27 19:26:23 windwood-office sshd[3480]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:26:23 windwood-office sshd[3480]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:26:23 windwood-office sshd[3480]: pam_succeed_if(sshd:auth): error retrieving information about user info
Apr 27 19:26:25 windwood-office sshd[3480]: Failed password for invalid user info from 221.10.62.28 port 49443 ssh2
Apr 27 19:26:25 windwood-office sshd[3481]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:26:26 windwood-office sshd[3482]: Invalid user tony from 221.10.62.28
Apr 27 19:26:26 windwood-office sshd[3483]: input_userauth_request: invalid user tony
Apr 27 19:26:26 windwood-office sshd[3482]: pam_unix(sshd:auth): check pass; user unknown
Apr 27 19:26:26 windwood-office sshd[3482]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.10.62.28
Apr 27 19:26:26 windwood-office sshd[3482]: pam_succeed_if(sshd:auth): error retrieving information about user tony
Apr 27 19:26:28 windwood-office sshd[3482]: Failed password for invalid user tony from 221.10.62.28 port 50715 ssh2
Apr 27 19:26:28 windwood-office sshd[3483]: Received disconnect from 221.10.62.28: 11: Bye Bye
Apr 27 19:26:40 windwood-office sshd[3485]: Connection closed by 221.10.62.28

I am posting this record in full to show how frightening this network environment is. It is like sitting in a rubbish heap surrounded by toxic germs; at every moment someone (or perhaps a "zombie") is probing you.
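The detection a firewall or log monitor would apply to the log above, as an added example that is not part of the original post: parse the sshd "Failed password" lines, count failures per source address within a sliding window, and separate guesses at accounts that do not exist from guesses at real accounts (ftp, root, apache in the log). The sample lines are excerpted from the post's log plus one constructed successful login; the threshold and window are assumptions.

```python
"""Detect SSH password brute-forcing in sshd syslog lines.

Added example, not code from the original post. Guesses at existing accounts
matter more than guesses at non-existent ones: one lucky guess there is a login.
"""
import re
from collections import defaultdict
from datetime import datetime

# Six lines excerpted from the post's log, plus one constructed successful
# login to show that non-failure lines are ignored.
SAMPLE_LOG = """\
Apr 27 19:24:15 windwood-office sshd[3416]: Failed password for invalid user staff from 221.10.62.28 port 14701 ssh2
Apr 27 19:24:19 windwood-office sshd[3418]: Failed password for invalid user sales from 221.10.62.28 port 16597 ssh2
Apr 27 19:24:27 windwood-office sshd[3420]: Failed password for invalid user recruit from 221.10.62.28 port 17878 ssh2
Apr 27 19:25:13 windwood-office sshd[3444]: Failed password for ftp from 221.10.62.28 port 30279 ssh2
Apr 27 19:25:42 windwood-office sshd[3458]: Failed password for root from 221.10.62.28 port 38622 ssh2
Apr 27 19:26:09 windwood-office sshd[3473]: Failed password for apache from 221.10.62.28 port 45793 ssh2
Apr 27 19:30:00 windwood-office sshd[3500]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def parse_failures(text, year=2009):
    """Yield (timestamp, source_ip, user, account_exists) per failed-password line.
    Syslog timestamps carry no year, so the caller supplies one (the post is from 2009)."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"], m["invalid"] is None

def detect_bruteforce(text, threshold=5, window_seconds=600, year=2009):
    """Return {source_ip: summary} for every source that produced at least
    `threshold` failures within any `window_seconds` span."""
    by_ip = defaultdict(list)
    for ts, ip, user, exists in parse_failures(text, year):
        by_ip[ip].append((ts, user, exists))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(events),
                    "users_tried": sorted({u for _, u, _ in events}),
                    "real_accounts": sorted({u for _, u, ex in events if ex}),
                    "first": events[0][0].isoformat(),
                    "last": events[-1][0].isoformat(),
                }
                break
    return alerts

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, real accounts tried: {info['real_accounts']}")
```

The same per-source counting is what tools such as fail2ban automate before inserting a firewall block; the window keeps a slow, spread-out scan from being mistaken for a handful of typos.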

It reminds me of when my employer bought UFIDA (用友) software from a company whose people only knew how to install an unpatched SQL Server; less than half a day after the install, a pile of viruses got in. You can imagine that the network is saturated with viruses. This world is too crazy and too dangerous.

I wonder whether going back to Mars would be any better?



May 11, 2008

Turn off Bluetooth on your electronic devices to avoid being tracked

Tags: — 吴德文 @ 12:18

According to a recent Engadget (瘾科技) article, British researchers believe Bluetooth harms your privacy more than RFID does. Whenever I exchange data with friends in a KFC, a meeting room, a classroom or the like, I find plenty of discoverable Bluetooth devices, mostly Bluetooth phones, and I suspect their owners have no idea how to use Bluetooth safely. We had better keep Bluetooth turned off on our devices, or at least set it to hidden mode so untrusted devices cannot discover it; for the sake of battery life, off is the better choice anyway.

Although not every place will scatter Bluetooth receivers around the city and analyse the data, who can guarantee that it will not happen later? It feels like the behaviour analysers of web search engines, but those at least only concern one computer; having the devices you carry on your person analysed is a matter of personal privacy and safety.



January 12, 2008

Disabling autoplay (autorun.inf) for disks

Tags: — 吴德文 @ 13:20

USB-stick viruses are getting more and more rampant these days. A few days ago a colleague and I cleaned a new variant of the lass virus off one machine, and only a day later the very same machine was infected with lass again; when cleaning it we found the virus had evolved yet again. We were puzzled: why does the virus evolve so fast here, and why is every one that shows up the newest kind, with no information about it anywhere on the Internet?

Speaking of infections, the great majority of problems come down to user habits or careless operation. For example, to open someone else's USB stick safely you must not double-click it, and opening it from the right-click menu is no good either (I had not considered this before, but recently I found that some viruses remap "Open" and "Explore" directly to the virus program). It is best to run start x: at a command prompt (cmd), or to select the drive from the left-hand tree in Explorer.

Remembering how to open a USB stick is manageable; the real trouble is that once infected, every fixed disk on the hard drive also gets an autorun.inf and the virus program. Everyone is used to double-clicking to open a disk, so it is very easy to invoke the virus again when double-clicking a disk.

So I wondered whether autorun.inf could be disabled through the system registry.

Searching the web showed that the setting lives in the registry at HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, value NoDriveTypeAutoRun, whose default may be 0x91 or 0x95. For the details of how it works see the articles online; the value I chose is 0xdd (mainly to disable autorun on Fixed Disks). If you also want to disable autoplay for the CD-ROM drive, use 0xbd.

Even with this setting in place, however, autoplay (autorun) of USB sticks still cannot be stopped.

When testing this setting you can use the following autorun.inf:

[AutoRun]
OPEN=calc.exe
shellexecute=calc.exe
shell\Auto\command=calc.exe
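What the values 0x91, 0x95, 0xdd and 0xbd actually switch off, and what the test autorun.inf above would launch, as an added example that is not part of the original post: a decoder for the NoDriveTypeAutoRun bits applied to that file. The drive-type bit assignments are the documented Win32 layout; the `assess` helper and its names are the example's own.

```python
"""Decode NoDriveTypeAutoRun and inspect what an autorun.inf would launch.

Added example, not code from the original post. A set bit disables AutoRun for
that drive type, so 0xDD covers fixed disks while leaving the CD-ROM bit (0x20)
clear, and 0xBD adds CD-ROM but frees RAM disks (0x40).
"""
import configparser

# Bit in NoDriveTypeAutoRun -> drive type whose AutoRun it disables when set.
DRIVE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",   # USB sticks, floppies
    0x08: "DRIVE_FIXED",       # hard disk partitions
    0x10: "DRIVE_REMOTE",      # network shares
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",          # drive types not yet defined
}
BIT_FOR = {name: bit for bit, name in DRIVE_BITS.items()}

# The test autorun.inf from the post, verbatim.
AUTORUN_INF = """\
[AutoRun]
OPEN=calc.exe
shellexecute=calc.exe
shell\\Auto\\command=calc.exe
"""

def disabled_types(value):
    """Drive types whose AutoRun is switched off by this policy value."""
    return sorted(name for bit, name in DRIVE_BITS.items() if value & bit)

def autorun_allowed(value, drive_type):
    """True if Windows may still run autorun.inf automatically for drive_type."""
    return not (value & BIT_FOR[drive_type])

def launch_targets(inf_text):
    """Every command the file names, keyed by lower-cased option name."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    return dict(cp.items("AutoRun")) if cp.has_section("AutoRun") else {}

def hijacked_verbs(inf_text):
    """Explorer verbs (shell\\<verb>\\command) the file redefines. These stay reachable
    through double-click and the context menu even when automatic AutoRun is off,
    which is why the post recommends opening drives with `start x:` instead."""
    verbs = []
    for key in launch_targets(inf_text):
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            verbs.append(parts[1])
    return sorted(verbs)

def assess(value, drive_type, inf_text):
    """Summarise what this autorun.inf can do on drive_type under the policy value."""
    targets = launch_targets(inf_text)
    auto_keys = [k for k in ("open", "shellexecute") if k in targets]
    return {
        "policy_disables": disabled_types(value),
        "auto_execute": autorun_allowed(value, drive_type) and bool(auto_keys),
        "auto_targets": [targets[k] for k in auto_keys],
        "hijacked_verbs": hijacked_verbs(inf_text),
    }

if __name__ == "__main__":
    for value in (0x91, 0x95, 0xDD, 0xBD):
        print(f"0x{value:02X} disables {disabled_types(value)}")
    print(assess(0xDD, "DRIVE_FIXED", AUTORUN_INF))
```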

