我正在运行 CentOS 5.3,这是“chkrootkit”的结果:
Possible t0rn v8 \(or variation\) rootkit installed
Warning: Possible Showtee Rootkit installed
/usr/include/file.h /usr/include/proc.h
Warning: `//root/.mysql_history' file size is zero
INFECTED (PORTS: 465)
You have 61 process hidden for readdir command
You have 62 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 3040 tty2 /sbin/mingetty tty2
! root 3041 tty3 /sbin/mingetty tty3
! root 3042 tty4 /sbin/mingetty tty4
! root 3043 tty5 /sbin/mingetty tty5
! root 3046 tty6 /sbin/mingetty tty6
我不明白警告是什么意思。
服务器是否被感染或处于危险之中?
编辑:
让我补充一下,我首先在命令行上收到了奇怪的消息:
Unknown HZ value! (##) Assume 100
然后我按照这个很好的说明,用新文件替换了我被黑的文件。我更换了:
/sbin/ifconfig
/bin/netstat
/usr/bin/pstree
/usr/bin/top
他们都被报告为感染了“chkrootkit”。
现在我重新运行“chkrootkit”并得到上面的输出。如何继续摆脱所有警告?
编辑 2:
检查 rpm 完整性后:rpm -vVa | grep 'S\.5\.\.\.\.\T' > rpmverify.txt这就是我得到的:
S.5....T c /etc/mail/spamassassin/local.cf
S.5....T c /etc/pam.d/system-auth
S.5....T c /etc/sudoers
S.5....T c /etc/samba/smb.conf
S.5....T /opt/drweb/lib/drweb32.dll
S.5....T /var/drweb/bases/drw50000.vdb
S.5....T /var/drweb/bases/drw50001.vdb
S.5....T /var/drweb/bases/drw50002.vdb
S.5....T /var/drweb/bases/drw50003.vdb
S.5....T /var/drweb/bases/drw50004.vdb
S.5....T /var/drweb/bases/drw50005.vdb
S.5....T /var/drweb/bases/drw50006.vdb
S.5....T /var/drweb/bases/drw50007.vdb
S.5....T /var/drweb/bases/drw50008.vdb
S.5....T /var/drweb/bases/drw50009.vdb
S.5....T /var/drweb/bases/drw50010.vdb
S.5....T /var/drweb/bases/drw50011.vdb
S.5....T /var/drweb/bases/drw50012.vdb
S.5....T /var/drweb/bases/drw50013.vdb
S.5....T /var/drweb/bases/drw50014.vdb
S.5....T /var/drweb/bases/drw50015.vdb
S.5....T /var/drweb/bases/drw50016.vdb
S.5....T /var/drweb/bases/drw50017.vdb
S.5....T /var/drweb/bases/drw50018.vdb
S.5....T /var/drweb/bases/drw50019.vdb
S.5....T /var/drweb/bases/drw50020.vdb
S.5....T /var/drweb/bases/drw50021.vdb
S.5....T /var/drweb/bases/drw50022.vdb
S.5....T /var/drweb/bases/drw50023.vdb
S.5....T /var/drweb/bases/drw50024.vdb
S.5....T /var/drweb/bases/drw50025.vdb
S.5....T /var/drweb/bases/drw50026.vdb
S.5....T /var/drweb/bases/drw50027.vdb
S.5....T /var/drweb/bases/drw50028.vdb
S.5....T /var/drweb/bases/drw50029.vdb
S.5....T /var/drweb/bases/drwebase.vdb
S.5....T /var/drweb/bases/drwnasty.vdb
S.5....T /var/drweb/bases/drwrisky.vdb
S.5....T /var/drweb/bases/drwtoday.vdb
S.5....T /var/drweb/bases/dwn50001.vdb
S.5....T /var/drweb/bases/dwn50002.vdb
S.5....T /var/drweb/bases/dwntoday.vdb
S.5....T /var/drweb/bases/dwr50001.vdb
S.5....T /var/drweb/bases/dwrtoday.vdb
S.5....T /bin/basename
S.5....T /bin/cat
S.5....T /bin/chgrp
S.5....T /bin/chmod
S.5....T /bin/chown
S.5....T /bin/cp
S.5....T /bin/cut
S.5....T /bin/dd
S.5....T /bin/df
S.5....T /bin/env
S.5....T /bin/false
S.5....T /bin/link
S.5....T /bin/ln
S.5....T c /etc/proftpd.conf
S.5....T c /root/.bash_profile
S.5....T c /etc/httpd/conf.d/mailman.conf
S.5....T /usr/lib/mailman/Mailman/mm_cfg.pyc
S.5....T c /etc/drweb/drweb32.ini
S.5....T /opt/drweb/ldwrap.sh
S.5....T c /etc/drweb/users.conf
S.5....T /usr/share/psa-horde/imp/compose.php
S.5....T /usr/share/psa-horde/imp/contacts.php
S.5....T /usr/local/psa/admin/plib/api-common/cuMail.php
S.5....T /usr/local/psa/admin/sbin/autoinstaller
S.5....T /usr/local/psa/admin/htdocs/modules/watchdog/stats-graph.php
S.5....T /usr/local/psa/etc/modules/watchdog/monitrc
S.5....T /usr/local/psa/etc/modules/watchdog/wdcollect.inc.php
S.5....T /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter /db/backdoorports.dat
S.5....T /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/mirrors.dat
S.5....T /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/programs_bad.dat
S.5....T /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/suspscan.dat
S.5....T c /etc/courier-imap/imapd.cnf
S.5....T c /etc/php.ini
S.5....T c /etc/ssh/sshd_config
S.5....T c /etc/syslog.conf
S.5....T c /etc/sysconfig/named
S.5....T c /etc/httpd/conf.d/ssl.conf
S.5....T c /etc/smartd.conf
S.5....T c /etc/vsftpd/vsftpd.conf
S.5....T /usr/share/psa-horde/util/icon_browser.php
S.5....T c /etc/init.d/psa
S.5....T /usr/lib/plesk-9.0/key-handler
S.5....T /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin/librari/config.default.php
S.5....T /usr/local/psa/admin/plib/class.ComponentsChecker.php
S.5....T /usr/local/psa/admin/plib/class.ComponentsShow.php
S.5....T /usr/local/psa/admin/plib/class.RestartServForm.php
S.5....T /usr/local/psa/admin/plib/class.ServiceControl.php
S.5....T /usr/local/psa/admin/sbin/packagemng
S.5....T /usr/local/psa/admin/plib/backup/BackupCreateBackupNowForm.php
S.5....T c /etc/samba/smbusers
S.5....T c /etc/pam.d/ekshell
S.5....T c /etc/pam.d/kshell
S.5....T c /etc/printcap
S.5....T c /etc/my.cnf
S.5....T /usr/bin/spf_example_static
S.5....T /usr/bin/spfd_static
S.5....T /usr/bin/spfquery_static
S.5....T /usr/bin/spftest_static
S.5....T /usr/lib/libspf2.so.2.1.0
S.5....T c /etc/awstats/awstats.model.conf
S.5....T /usr/local/sso/base/Cookie.php
S.5....T c /etc/httpd/conf/httpd.conf
S.5....T /usr/sbin/suexec
这有帮助吗?
编辑 3:
这是重新安装后的 rpm 检查结果core utils:
S.5....T c /etc/mail/spamassassin/local.cf
S.5....T c /etc/pam.d/system-auth
S.5....T c /etc/sudoers
S.5....T c /etc/samba/smb.conf
S.5....T /opt/drweb/lib/drweb32.dll
S.5....T /var/drweb/bases/drw50000.vdb
S.5....T /var/drweb/bases/drw50001.vdb
S.5....T /var/drweb/bases/drw50002.vdb
S.5....T /var/drweb/bases/drw50003.vdb
S.5....T /var/drweb/bases/drw50004.vdb
S.5....T /var/drweb/bases/drw50005.vdb
S.5....T /var/drweb/bases/drw50006.vdb
S.5....T /var/drweb/bases/drw50007.vdb
S.5....T /var/drweb/bases/drw50008.vdb
S.5....T /var/drweb/bases/drw50009.vdb
S.5....T /var/drweb/bases/drw50010.vdb
S.5....T /var/drweb/bases/drw50011.vdb
S.5....T /var/drweb/bases/drw50012.vdb
S.5....T /var/drweb/bases/drw50013.vdb
S.5....T /var/drweb/bases/drw50014.vdb
S.5....T /var/drweb/bases/drw50015.vdb
S.5....T /var/drweb/bases/drw50016.vdb
S.5....T /var/drweb/bases/drw50017.vdb
S.5....T /var/drweb/bases/drw50018.vdb
S.5....T /var/drweb/bases/drw50019.vdb
S.5....T /var/drweb/bases/drw50020.vdb
S.5....T /var/drweb/bases/drw50021.vdb
S.5....T /var/drweb/bases/drw50022.vdb
S.5....T /var/drweb/bases/drw50023.vdb
S.5....T /var/drweb/bases/drw50024.vdb
S.5....T /var/drweb/bases/drw50025.vdb
S.5....T /var/drweb/bases/drw50026.vdb
S.5....T /var/drweb/bases/drw50027.vdb
S.5....T /var/drweb/bases/drw50028.vdb
S.5....T /var/drweb/bases/drw50029.vdb
S.5....T /var/drweb/bases/drwebase.vdb
S.5....T /var/drweb/bases/drwnasty.vdb
S.5....T /var/drweb/bases/drwrisky.vdb
S.5....T /var/drweb/bases/drwtoday.vdb
S.5....T /var/drweb/bases/dwn50001.vdb
S.5....T /var/drweb/bases/dwn50002.vdb
S.5....T /var/drweb/bases/dwntoday.vdb
S.5....T /var/drweb/bases/dwr50001.vdb
S.5....T /var/drweb/bases/dwrtoday.vdb
S.5....T c /etc/proftpd.conf
S.5....T c /etc/profile.d/colorls.csh
S.5....T c /etc/profile.d/colorls.sh
S.5....T c /root/.bash_profile
S.5....T c /etc/httpd/conf.d/mailman.conf
S.5....T /usr/lib/mailman/Mailman/mm_cfg.pyc
S.5....T c /etc/drweb/drweb32.ini
S.5....T /opt/drweb/ldwrap.sh
S.5....T c /etc/drweb/users.conf
S.5....T /usr/share/psa-horde/imp/compose.php
S.5....T /usr/share/psa-horde/imp/contacts.php
S.5....T /usr/local/psa/admin/plib/api-common/cuMail.php
S.5....T /usr/local/psa/admin/sbin/autoinstaller
S.5....T /usr/local/psa/admin/htdocs/modules/watchdog/stats-graph.php
S.5....T /usr/local/psa/etc/modules/watchdog/monitrc
S.5....T /usr/local/psa/etc/modules/watchdog/wdcollect.inc.php
S.5....T /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter /db/backdoorports.dat
S.5....T /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/mirrors.dat
S.5....T /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/programs_bad.dat
S.5....T /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/suspscan.dat
S.5....T c /etc/courier-imap/imapd.cnf
S.5....T c /etc/php.ini
S.5....T c /etc/ssh/sshd_config
S.5....T c /etc/syslog.conf
S.5....T c /etc/sysconfig/named
S.5....T c /etc/httpd/conf.d/ssl.conf
S.5....T c /etc/smartd.conf
S.5....T c /etc/vsftpd/vsftpd.conf
S.5....T /usr/share/psa-horde/util/icon_browser.php
S.5....T c /etc/init.d/psa
S.5....T /usr/lib/plesk-9.0/key-handler
S.5....T /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin/libraries/config.default.php
S.5....T /usr/local/psa/admin/plib/class.ComponentsChecker.php
S.5....T /usr/local/psa/admin/plib/class.ComponentsShow.php
S.5....T /usr/local/psa/admin/plib/class.RestartServForm.php
S.5....T /usr/local/psa/admin/plib/class.ServiceControl.php
S.5....T /usr/local/psa/admin/sbin/packagemng
S.5....T /usr/local/psa/admin/plib/backup/BackupCreateBackupNowForm.php
S.5....T c /etc/samba/smbusers
S.5....T c /etc/pam.d/ekshell
S.5....T c /etc/pam.d/kshell
S.5....T c /etc/printcap
S.5....T c /etc/my.cnf
S.5....T /usr/bin/spf_example_static
S.5....T /usr/bin/spfd_static
S.5....T /usr/bin/spfquery_static
S.5....T /usr/bin/spftest_static
S.5....T /usr/lib/libspf2.so.2.1.0
S.5....T c /etc/awstats/awstats.model.conf
S.5....T /usr/local/sso/base/Cookie.php
S.5....T c /etc/httpd/conf/httpd.conf
S.5....T /usr/sbin/suexec
这是一个 CentOS 系统。我通常会修复这些 Rootkit,但是如果您以前没有这样做过,那么检测/获取所有内容的机会很小...
您可以从 RPM 验证开始...
跑
rpm -vVa | grep 'S\.5\.\.\.\.\T' > rpmverify.txt然后检查 中的输出
rpmverify.txt。这将允许您检查哪些二进制文件和配置文件与 RPM 数据库中的校验和不匹配。这是我开始修复这些系统的第一个地方(在确保没有未授权的网络守护进程/服务在运行之后)。编辑:
我看到了您的 RPM 验证命令的输出。如果您
yum仍然有效,请运行yum install yum-utils以获取对yumdownloader命令的访问权限。根据您的输出,您的
coreutils和可能的httpd包已被泄露(cat、df、dd、chown、cp 等)。运行yumdownloader coreutils以获得rpm。它将下载到您的当前目录。我会强制重新安装 RPM (rpm -ivh --force coreutils*) 并重新运行上面建议的验证。更新:
黑客/rootkit 通常会用木马版本替换二进制文件,并在文件上设置不可变标志以防止它们被删除。
请通过运行查看 /bin/ls 二进制文件的属性
lsattr /bin/ls。您可能会在输出中看到“a”、“u”、“i”和“s”。在同一个文件上运行
chattr -uisa应该删除不可变标志并允许您运行 rpm 安装。属性应如下所示:
对 RPM 安装失败的任何其他文件重复此操作。您可能还需要更改/删除封闭目录中的那些属性...