为什么 lsattr 没有输出以及如何解决


正常输出lsattr如下

# lsattr /etc/fstab 
---------------- /etc/fstab

但我有一台主机，在上面运行 lsattr 时没有任何输出，如下所示。（原文此处为截图）

我的操作系统版本是 CentOS 7.9.2009。我重新安装了 e2fsprogs-1.42.9-19.el7.x86_64，但没有任何效果。

我之所以注意到这一点，是因为我无法对 /usr/sbin/sshd 进行删除、复制等操作，这导致我无法重新安装 sshd 服务。


下面是安装 openssh-server 时的报错。（原文此处为截图）

在 ob01（有问题的系统）上对 lsattr /usr/sbin/sshd 运行 strace，输出如下

[root@ob01 ~]# strace lsattr /usr/sbin/sshd
execve("/bin/lsattr", ["lsattr", "/usr/sbin/sshd"], 0x7ffd56518b68 /* 17 vars */) = 0
brk(NULL)                               = 0x945000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb10a84a000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=34304, ...}) = 0
mmap(NULL, 34304, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fb10a841000
close(3)                                = 0
open("/lib64/libtinfo.so.5", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\316\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=174576, ...}) = 0
mmap(NULL, 2268928, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fb10a400000
mprotect(0x7fb10a425000, 2097152, PROT_NONE) = 0
mmap(0x7fb10a625000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x25000) = 0x7fb10a625000
close(3)                                = 0
open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\16\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=19248, ...}) = 0
mmap(NULL, 2109744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fb10a1fc000
mprotect(0x7fb10a1fe000, 2097152, PROT_NONE) = 0
mmap(0x7fb10a3fe000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fb10a3fe000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`&\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2156592, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb10a840000
mmap(NULL, 3985920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fb109e2e000
mprotect(0x7fb109ff2000, 2093056, PROT_NONE) = 0
mmap(0x7fb10a1f1000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c3000) = 0x7fb10a1f1000
mmap(0x7fb10a1f7000, 16896, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fb10a1f7000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb10a83e000
arch_prctl(ARCH_SET_FS, 0x7fb10a83e740) = 0
access("/etc/sysconfig/strcasecmp-nonascii", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/sysconfig/strcasecmp-nonascii", F_OK) = -1 ENOENT (No such file or directory)
mprotect(0x7fb10a1f1000, 16384, PROT_READ) = 0
mprotect(0x7fb10a3fe000, 4096, PROT_READ) = 0
mprotect(0x7fb10a625000, 16384, PROT_READ) = 0
mprotect(0x6dd000, 4096, PROT_READ)     = 0
mprotect(0x7fb10a84b000, 4096, PROT_READ) = 0
munmap(0x7fb10a841000, 34304)           = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
open("/dev/tty", O_RDWR|O_NONBLOCK)     = 3
close(3)                                = 0
brk(NULL)                               = 0x945000
brk(0x966000)                           = 0x966000
brk(NULL)                               = 0x966000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=106176928, ...}) = 0
mmap(NULL, 106176928, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fb1038eb000
close(3)                                = 0
brk(NULL)                               = 0x966000
getuid()                                = 0
getgid()                                = 0
geteuid()                               = 0
getegid()                               = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb10a849000
read(3, "MemTotal:       263972636 kB\nMem"..., 1024) = 1024
close(3)                                = 0
munmap(0x7fb10a849000, 4096)            = 0
rt_sigaction(SIGCHLD, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fb109e64400}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGCHLD, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fb109e64400}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fb109e64400}, 8) = 0
rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fb109e64400}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fb109e64400}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fb109e64400}, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fb109e64400}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fb109e64400}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fb109e64400}, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fb109e64400}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fb109e64400}, 8) = 0
uname({sysname="Linux", nodename="ob01", ...}) = 0
stat("/root", {st_mode=S_IFDIR|0550, st_size=4096, ...}) = 0
stat(".", {st_mode=S_IFDIR|0550, st_size=4096, ...}) = 0
getpid()                                = 28390
open("/usr/lib64/gconv/gconv-modules.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=26970, ...}) = 0
mmap(NULL, 26970, PROT_READ, MAP_SHARED, 3, 0) = 0x7fb10a843000
close(3)                                = 0
getppid()                               = 28383
getpgrp()                               = 28383
rt_sigaction(SIGCHLD, {sa_handler=0x4414a0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fb109e64400}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fb109e64400}, 8) = 0
getrlimit(RLIMIT_NPROC, {rlim_cur=640*1024, rlim_max=640*1024}) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
open("/bin/lsattr", O_RDONLY)           = 3
ioctl(3, TCGETS, 0x7fff7292e310)        = -1 ENOTTY (Inappropriate ioctl for device)
lseek(3, 0, SEEK_CUR)                   = 0
read(3, "#!/bin/sh\n", 80)              = 10
lseek(3, 0, SEEK_SET)                   = 0
getrlimit(RLIMIT_NOFILE, {rlim_cur=640*1024, rlim_max=640*1024}) = 0
fcntl(255, F_GETFD)                     = -1 EBADF (Bad file descriptor)
dup2(3, 255)                            = 255
close(3)                                = 0
fcntl(255, F_SETFD, FD_CLOEXEC)         = 0
fcntl(255, F_GETFL)                     = 0x8000 (flags O_RDONLY|O_LARGEFILE)
fstat(255, {st_mode=S_IFREG|0755, st_size=10, ...}) = 0
lseek(255, 0, SEEK_CUR)                 = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
read(255, "#!/bin/sh\n", 10)            = 10
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
read(255, "", 10)                       = 0
exit_group(0)                           = ?
+++ exited with 0 +++

正常系统（ob03）上的输出如下

[root@ob03 ~]#  strace lsattr /usr/sbin/sshd 
execve("/usr/bin/lsattr", ["lsattr", "/usr/sbin/sshd"], 0x7ffcd663f778 /* 21 vars */) = 0
brk(NULL)                               = 0x246d000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f742d042000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=26333, ...}) = 0
mmap(NULL, 26333, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f742d03b000
close(3)                                = 0
open("/lib64/libe2p.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\37\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=33704, ...}) = 0
mmap(NULL, 2128240, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f742cc1a000
mprotect(0x7f742cc21000, 2093056, PROT_NONE) = 0
mmap(0x7f742ce20000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7f742ce20000
close(3)                                = 0
open("/lib64/libcom_err.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\25\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=15856, ...}) = 0
mmap(NULL, 2109928, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f742ca16000
mprotect(0x7f742ca19000, 2093056, PROT_NONE) = 0
mmap(0x7f742cc18000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f742cc18000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`&\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2156592, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f742d03a000
mmap(NULL, 3985920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f742c648000
mprotect(0x7f742c80c000, 2093056, PROT_NONE) = 0
mmap(0x7f742ca0b000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c3000) = 0x7f742ca0b000
mmap(0x7f742ca11000, 16896, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f742ca11000
close(3)                                = 0
open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200m\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=142144, ...}) = 0
mmap(NULL, 2208904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f742c42c000
mprotect(0x7f742c443000, 2093056, PROT_NONE) = 0
mmap(0x7f742c642000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f742c642000
mmap(0x7f742c644000, 13448, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f742c644000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f742d039000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f742d037000
arch_prctl(ARCH_SET_FS, 0x7f742d037740) = 0
access("/etc/sysconfig/strcasecmp-nonascii", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/sysconfig/strcasecmp-nonascii", F_OK) = -1 ENOENT (No such file or directory)
mprotect(0x7f742ca0b000, 16384, PROT_READ) = 0
mprotect(0x7f742c642000, 4096, PROT_READ) = 0
mprotect(0x7f742cc18000, 4096, PROT_READ) = 0
mprotect(0x7f742ce20000, 4096, PROT_READ) = 0
mprotect(0x601000, 4096, PROT_READ)     = 0
mprotect(0x7f742d043000, 4096, PROT_READ) = 0
munmap(0x7f742d03b000, 26333)           = 0
set_tid_address(0x7f742d037a10)         = 6671
set_robust_list(0x7f742d037a20, 24)     = 0
rt_sigaction(SIGRTMIN, {sa_handler=0x7f742c432860, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f742c43b630}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x7f742c4328f0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f742c43b630}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=10240*1024}) = 0
brk(NULL)                               = 0x246d000
brk(0x248e000)                          = 0x248e000
brk(NULL)                               = 0x248e000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=106176928, ...}) = 0
mmap(NULL, 106176928, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f7425ee9000
close(3)                                = 0
lstat("/usr/sbin/sshd", {st_mode=S_IFREG|0755, st_size=852856, ...}) = 0
lstat("/usr/sbin/sshd", {st_mode=S_IFREG|0755, st_size=852856, ...}) = 0
open("/usr/sbin/sshd", O_RDONLY|O_NONBLOCK) = 3
ioctl(3, FS_IOC_GETFLAGS, 0x7ffdd67d6c3c) = 0
close(3)                                = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f742d041000
write(1, "---------------- /usr/sbin/sshd\n", 32---------------- /usr/sbin/sshd
) = 32
exit_group(0)                           = ?
+++ exited with 0 +++

有谁知道这是什么情况、以及如何解决吗？

最好的祝愿。

答案1

open("/bin/lsattr", O_RDONLY)           = 3
ioctl(3, TCGETS, 0x7fff7292e310)        = -1 ENOTTY (Inappropriate ioctl for device)
lseek(3, 0, SEEK_CUR)                   = 0
read(3, "#!/bin/sh\n", 80)              = 10

看起来“坏”系统上的 /bin/lsattr 已经被一个脚本替换了。这几行说明 /bin/lsattr 现在的前 10 个字节是 `#!/bin/sh<newline>`。

dup2(3, 255)                            = 255
close(3)                                = 0
fcntl(255, F_SETFD, FD_CLOEXEC)         = 0
fcntl(255, F_GETFL)                     = 0x8000 (flags O_RDONLY|O_LARGEFILE)
fstat(255, {st_mode=S_IFREG|0755, st_size=10, ...}) = 0

从 fstat 可见 /bin/lsattr 的大小正好是 10 个字节，因此实际的 /bin/lsattr 已被替换为一个基本为空、什么也不做的脚本。这不是好兆头。

您的系统可能已被入侵：openssh-server 软件包中的 /usr/sbin/sshd 可能已被替换为带后门的版本，该版本可能会把输入的任何密码的副本发送给入侵者；而替换 lsattr 可能只是为了让发现和清除后门变得更加困难。系统上还可能存在其他未经授权的修改。

在这种情况下，您应该尽快断开该系统与网络的连接，然后参阅 Information Security SE 上的这个问题以获得进一步的建议。

但简而言之：您应该将曾用于登录该系统的所有密码视为已泄露。如果在该系统上使用的用户名+密码组合也在其他地方使用，应立即更改。

然后，您应该备份该系统上的所有重要数据，再完全格式化并重新安装。真的。入侵者可能对系统做了任意数量的修改，使其为他们服务，并让他们即使在您试图“清理”之后也能轻易重新获得访问权限。

如果您从旧备份恢复此系统（这本身有风险），应仔细核实备份中是否已经包含入侵者的修改；然后确保恢复后的系统在安装完所有可用的系统更新、并验证所有已安装软件包的完整性之前，无法从互联网访问。

答案2

你的版本（以及我的：Debian Bookworm 上的 lsattr 1.47.0 (5-Feb-2023)）可能需要 -a 开关（或其他开关）。对目录运行 lsattr 时列出的是目录内各条目的属性，-a 会把以 . 开头的条目（包括 . 和 ..）也包括进来，这就是下面第二条命令有输出的原因。

root@debian:~# lsattr /Hitachi/
root@debian:~#

root@debian:~# lsattr -a /Hitachi/
----i---------e------- /Hitachi/.
--------------e------- /Hitachi/..
