mv /lib64/libkeyutils.so.1.9 /root
service sshd restart
Stopping sshd: [ OK ]
Starting sshd: /usr/sbin/sshd: error while loading shared libraries: libkeyutils.so.1: cannot open shared object file: No such file or directory
[FAILED]
如何从 SSHD 中删除它?
需要解决这个问题: http ://www.webhostingtalk.com/showpost.php?p=8548338&postcount=4
现在我已经听说了这个漏洞的 REF:http: //blog.solidshellsecurity.com/2013/02/18/0day-linuxcentos-sshd-spam-exploit-libkeyutils-so-1-9/
他们没有使用 root 登录,甚至没有生成 bash 进程。如果 lib 被移出,并且 sshd 被重新启动,他们将无法再登录 fwiw。
关键是找出他们是如何进入的。完全升级的、ssh 密钥受限的 sshd,在非标准端口上正在被破坏。我的客户都不是,但我收到了很多关于这个问题的销售咨询,所以我不知道机器的完整历史。
[/lib64]# rpm -vV openssh
......... /etc/ssh
......... c /etc/ssh/moduli
......... /usr/bin/ssh-keygen
......... /usr/libexec/openssh
......... /usr/libexec/openssh/ssh-keysign
......... /usr/share/doc/openssh-5.3p1
......... d /usr/share/doc/openssh-5.3p1/CREDITS
......... d /usr/share/doc/openssh-5.3p1/ChangeLog
......... d /usr/share/doc/openssh-5.3p1/INSTALL
......... d /usr/share/doc/openssh-5.3p1/LICENCE
......... d /usr/share/doc/openssh-5.3p1/OVERVIEW
......... d /usr/share/doc/openssh-5.3p1/PROTOCOL
......... d /usr/share/doc/openssh-5.3p1/PROTOCOL.agent
......... d /usr/share/doc/openssh-5.3p1/README
......... d /usr/share/doc/openssh-5.3p1/README.dns
......... d /usr/share/doc/openssh-5.3p1/README.nss
......... d /usr/share/doc/openssh-5.3p1/README.platform
......... d /usr/share/doc/openssh-5.3p1/README.privsep
......... d /usr/share/doc/openssh-5.3p1/README.smartcard
......... d /usr/share/doc/openssh-5.3p1/README.tun
......... d /usr/share/doc/openssh-5.3p1/TODO
......... d /usr/share/doc/openssh-5.3p1/WARNING.RNG
......... d /usr/share/man/man1/ssh-keygen.1.gz
......... d /usr/share/man/man8/ssh-keysign.8.gz
[/lib64]# rpm -vV openssh-clients
S.5....T. c /etc/ssh/ssh_config
......... /usr/bin/.ssh.hmac
......... /usr/bin/scp
......... /usr/bin/sftp
......... /usr/bin/slogin
......... /usr/bin/ssh
......... /usr/bin/ssh-add
......... /usr/bin/ssh-agent
......... /usr/bin/ssh-copy-id
......... /usr/bin/ssh-keyscan
......... d /usr/share/man/man1/scp.1.gz
......... d /usr/share/man/man1/sftp.1.gz
......... d /usr/share/man/man1/slogin.1.gz
......... d /usr/share/man/man1/ssh-add.1.gz
......... d /usr/share/man/man1/ssh-agent.1.gz
......... d /usr/share/man/man1/ssh-copy-id.1.gz
......... d /usr/share/man/man1/ssh-keyscan.1.gz
......... d /usr/share/man/man1/ssh.1.gz
......... d /usr/share/man/man5/ssh_config.5.gz
[/lib64]# rpm -vV openssh-server
.......T. c /etc/pam.d/ssh-keycat
S.5....T. c /etc/pam.d/sshd
......... /etc/rc.d/init.d/sshd
S.5....T. c /etc/ssh/sshd_config
......... c /etc/sysconfig/sshd
......... /usr/libexec/openssh/sftp-server
......... /usr/libexec/openssh/ssh-keycat
......... /usr/sbin/.sshd.hmac
......... /usr/sbin/sshd
......... /usr/share/doc/openssh-server-5.3p1
......... d /usr/share/doc/openssh-server-5.3p1/HOWTO.ssh-keycat
......... d /usr/share/man/man5/moduli.5.gz
......... d /usr/share/man/man5/sshd_config.5.gz
......... d /usr/share/man/man8/sftp-server.8.gz
......... d /usr/share/man/man8/sshd.8.gz
......... /var/empty/sshd
和
[/lib64]# rpm -qf /lib64/libkeyutils.so.1.9
file /lib64/libkeyutils.so.1.9 is not owned by any package
[/lib64]# rpm -vV keyutils-libs
....L.... /lib64/libkeyutils.so.1
......... /lib64/libkeyutils.so.1.3
......... /usr/share/doc/keyutils-libs-1.4
......... d /usr/share/doc/keyutils-libs-1.4/LICENCE.LGPL
您的 SSH 守护进程和系统可能受到威胁!!
您不能信任服务器上安装的现有 SSH 守护进程。
要进行快速检查,请运行现有包的 RPM 验证。你可以这样做:
Grep 的每个命令的输出
S\.5。这将告诉您二进制文件是否已更改。临时修复是重新安装您的 openssh 设置,但这超出了这个问题的范围。看下面...
我该如何处理被入侵的服务器?
sshd 在 fsck 修复后立即进行核心转储
`/etc/inittab` 中最后一行下方的条目 - 可能被破解了吗?