黑客入侵 CentOS 5 服务器-可能安装了 rootkit?

黑客入侵 CentOS 5 服务器-可能安装了 rootkit?

可能重复:
我如何知道我的 Linux 服务器是否已被黑客入侵?
我的服务器被黑了 紧急求助

我正在运行 CentOS 5.3,以下是“chkrootkit”的结果:

Possible t0rn v8 \(or variation\) rootkit installed

Warning: Possible Showtee Rootkit installed
 /usr/include/file.h /usr/include/proc.h
Warning: `//root/.mysql_history' file size is zero
INFECTED (PORTS:  465)
You have    61 process hidden for readdir command
You have    62 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
 The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         3040 tty2   /sbin/mingetty tty2
! root         3041 tty3   /sbin/mingetty tty3
! root         3042 tty4   /sbin/mingetty tty4
! root         3043 tty5   /sbin/mingetty tty5
! root         3046 tty6   /sbin/mingetty tty6

我不明白这些警告是什么意思。

服务器是否受到感染或者存在危险?

编辑:

让我补充一下,我首先在命令行上收到了奇怪的消息:

Unknown HZ value! (##) Assume 100

然后我跟着这个很棒的说明并用新文件替换被黑的文件。我替换了:

/sbin/ifconfig
/bin/netstat
/usr/bin/pstree
/usr/bin/top

据报道,它们都被“chkrootkit”感染了。

现在我重新运行“chkrootkit”并得到了上述输出。如何消除所有警告?

编辑2:

在使用以下命令检查 rpm 完整性后,rpm -vVa | grep 'S\.5\.\.\.\.\T' > rpmverify.txt我得到了以下结果:

S.5....T  c /etc/mail/spamassassin/local.cf
S.5....T  c /etc/pam.d/system-auth
S.5....T  c /etc/sudoers
S.5....T  c /etc/samba/smb.conf
S.5....T    /opt/drweb/lib/drweb32.dll
S.5....T    /var/drweb/bases/drw50000.vdb
S.5....T    /var/drweb/bases/drw50001.vdb
S.5....T    /var/drweb/bases/drw50002.vdb
S.5....T    /var/drweb/bases/drw50003.vdb
S.5....T    /var/drweb/bases/drw50004.vdb
S.5....T    /var/drweb/bases/drw50005.vdb
S.5....T    /var/drweb/bases/drw50006.vdb
S.5....T    /var/drweb/bases/drw50007.vdb
S.5....T    /var/drweb/bases/drw50008.vdb
S.5....T    /var/drweb/bases/drw50009.vdb
S.5....T    /var/drweb/bases/drw50010.vdb
S.5....T    /var/drweb/bases/drw50011.vdb
S.5....T    /var/drweb/bases/drw50012.vdb
S.5....T    /var/drweb/bases/drw50013.vdb
S.5....T    /var/drweb/bases/drw50014.vdb
S.5....T    /var/drweb/bases/drw50015.vdb
S.5....T    /var/drweb/bases/drw50016.vdb
S.5....T    /var/drweb/bases/drw50017.vdb
S.5....T    /var/drweb/bases/drw50018.vdb
S.5....T    /var/drweb/bases/drw50019.vdb
S.5....T    /var/drweb/bases/drw50020.vdb
S.5....T    /var/drweb/bases/drw50021.vdb
S.5....T    /var/drweb/bases/drw50022.vdb
S.5....T    /var/drweb/bases/drw50023.vdb
S.5....T    /var/drweb/bases/drw50024.vdb
S.5....T    /var/drweb/bases/drw50025.vdb
S.5....T    /var/drweb/bases/drw50026.vdb
S.5....T    /var/drweb/bases/drw50027.vdb
S.5....T    /var/drweb/bases/drw50028.vdb
S.5....T    /var/drweb/bases/drw50029.vdb
S.5....T    /var/drweb/bases/drwebase.vdb
S.5....T    /var/drweb/bases/drwnasty.vdb
S.5....T    /var/drweb/bases/drwrisky.vdb
S.5....T    /var/drweb/bases/drwtoday.vdb
S.5....T    /var/drweb/bases/dwn50001.vdb
S.5....T    /var/drweb/bases/dwn50002.vdb
S.5....T    /var/drweb/bases/dwntoday.vdb
S.5....T    /var/drweb/bases/dwr50001.vdb
S.5....T    /var/drweb/bases/dwrtoday.vdb
S.5....T    /bin/basename
S.5....T    /bin/cat
S.5....T    /bin/chgrp
S.5....T    /bin/chmod
S.5....T    /bin/chown
S.5....T    /bin/cp
S.5....T    /bin/cut
S.5....T    /bin/dd
S.5....T    /bin/df
S.5....T    /bin/env
S.5....T    /bin/false
S.5....T    /bin/link
S.5....T    /bin/ln
S.5....T  c /etc/proftpd.conf
S.5....T  c /root/.bash_profile
S.5....T  c /etc/httpd/conf.d/mailman.conf
S.5....T    /usr/lib/mailman/Mailman/mm_cfg.pyc
S.5....T  c /etc/drweb/drweb32.ini
S.5....T    /opt/drweb/ldwrap.sh
S.5....T  c /etc/drweb/users.conf
S.5....T    /usr/share/psa-horde/imp/compose.php
S.5....T    /usr/share/psa-horde/imp/contacts.php
S.5....T    /usr/local/psa/admin/plib/api-common/cuMail.php
S.5....T    /usr/local/psa/admin/sbin/autoinstaller
S.5....T    /usr/local/psa/admin/htdocs/modules/watchdog/stats-graph.php
S.5....T    /usr/local/psa/etc/modules/watchdog/monitrc
S.5....T    /usr/local/psa/etc/modules/watchdog/wdcollect.inc.php
S.5....T    /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter      /db/backdoorports.dat
S.5....T    /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/mirrors.dat
S.5....T    /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/programs_bad.dat
S.5....T    /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/suspscan.dat
S.5....T  c /etc/courier-imap/imapd.cnf
S.5....T  c /etc/php.ini
S.5....T  c /etc/ssh/sshd_config
S.5....T  c /etc/syslog.conf
S.5....T  c /etc/sysconfig/named
S.5....T  c /etc/httpd/conf.d/ssl.conf
S.5....T  c /etc/smartd.conf
S.5....T  c /etc/vsftpd/vsftpd.conf
S.5....T    /usr/share/psa-horde/util/icon_browser.php
S.5....T  c /etc/init.d/psa
S.5....T    /usr/lib/plesk-9.0/key-handler
S.5....T    /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin/librari/config.default.php
S.5....T    /usr/local/psa/admin/plib/class.ComponentsChecker.php
S.5....T    /usr/local/psa/admin/plib/class.ComponentsShow.php
S.5....T    /usr/local/psa/admin/plib/class.RestartServForm.php
S.5....T    /usr/local/psa/admin/plib/class.ServiceControl.php
S.5....T    /usr/local/psa/admin/sbin/packagemng
S.5....T    /usr/local/psa/admin/plib/backup/BackupCreateBackupNowForm.php
S.5....T  c /etc/samba/smbusers
S.5....T  c /etc/pam.d/ekshell
S.5....T  c /etc/pam.d/kshell
S.5....T  c /etc/printcap
S.5....T  c /etc/my.cnf
S.5....T    /usr/bin/spf_example_static
S.5....T    /usr/bin/spfd_static
S.5....T    /usr/bin/spfquery_static
S.5....T    /usr/bin/spftest_static
S.5....T    /usr/lib/libspf2.so.2.1.0
S.5....T  c /etc/awstats/awstats.model.conf
S.5....T    /usr/local/sso/base/Cookie.php
S.5....T  c /etc/httpd/conf/httpd.conf
S.5....T    /usr/sbin/suexec

这有帮助吗?

编辑3:

core utils重新安装后rpm检查结果如下:

S.5....T  c /etc/mail/spamassassin/local.cf
S.5....T  c /etc/pam.d/system-auth
S.5....T  c /etc/sudoers
S.5....T  c /etc/samba/smb.conf
S.5....T    /opt/drweb/lib/drweb32.dll
S.5....T    /var/drweb/bases/drw50000.vdb
S.5....T    /var/drweb/bases/drw50001.vdb
S.5....T    /var/drweb/bases/drw50002.vdb
S.5....T    /var/drweb/bases/drw50003.vdb
S.5....T    /var/drweb/bases/drw50004.vdb
S.5....T    /var/drweb/bases/drw50005.vdb
S.5....T    /var/drweb/bases/drw50006.vdb
S.5....T    /var/drweb/bases/drw50007.vdb
S.5....T    /var/drweb/bases/drw50008.vdb
S.5....T    /var/drweb/bases/drw50009.vdb
S.5....T    /var/drweb/bases/drw50010.vdb
S.5....T    /var/drweb/bases/drw50011.vdb
S.5....T    /var/drweb/bases/drw50012.vdb
S.5....T    /var/drweb/bases/drw50013.vdb
S.5....T    /var/drweb/bases/drw50014.vdb
S.5....T    /var/drweb/bases/drw50015.vdb
S.5....T    /var/drweb/bases/drw50016.vdb
S.5....T    /var/drweb/bases/drw50017.vdb
S.5....T    /var/drweb/bases/drw50018.vdb
S.5....T    /var/drweb/bases/drw50019.vdb
S.5....T    /var/drweb/bases/drw50020.vdb
S.5....T    /var/drweb/bases/drw50021.vdb
S.5....T    /var/drweb/bases/drw50022.vdb
S.5....T    /var/drweb/bases/drw50023.vdb
S.5....T    /var/drweb/bases/drw50024.vdb
S.5....T    /var/drweb/bases/drw50025.vdb
S.5....T    /var/drweb/bases/drw50026.vdb
S.5....T    /var/drweb/bases/drw50027.vdb
S.5....T    /var/drweb/bases/drw50028.vdb
S.5....T    /var/drweb/bases/drw50029.vdb
S.5....T    /var/drweb/bases/drwebase.vdb
S.5....T    /var/drweb/bases/drwnasty.vdb
S.5....T    /var/drweb/bases/drwrisky.vdb
S.5....T    /var/drweb/bases/drwtoday.vdb
S.5....T    /var/drweb/bases/dwn50001.vdb
S.5....T    /var/drweb/bases/dwn50002.vdb
S.5....T    /var/drweb/bases/dwntoday.vdb
S.5....T    /var/drweb/bases/dwr50001.vdb
S.5....T    /var/drweb/bases/dwrtoday.vdb
S.5....T  c /etc/proftpd.conf
S.5....T  c /etc/profile.d/colorls.csh
S.5....T  c /etc/profile.d/colorls.sh
S.5....T  c /root/.bash_profile
S.5....T  c /etc/httpd/conf.d/mailman.conf
S.5....T    /usr/lib/mailman/Mailman/mm_cfg.pyc
S.5....T  c /etc/drweb/drweb32.ini
S.5....T    /opt/drweb/ldwrap.sh
S.5....T  c /etc/drweb/users.conf
S.5....T    /usr/share/psa-horde/imp/compose.php
S.5....T    /usr/share/psa-horde/imp/contacts.php
S.5....T    /usr/local/psa/admin/plib/api-common/cuMail.php
S.5....T    /usr/local/psa/admin/sbin/autoinstaller
S.5....T    /usr/local/psa/admin/htdocs/modules/watchdog/stats-graph.php
S.5....T    /usr/local/psa/etc/modules/watchdog/monitrc
S.5....T    /usr/local/psa/etc/modules/watchdog/wdcollect.inc.php
S.5....T    /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter /db/backdoorports.dat
S.5....T    /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/mirrors.dat
S.5....T    /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/programs_bad.dat
S.5....T    /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/suspscan.dat
S.5....T  c /etc/courier-imap/imapd.cnf
S.5....T  c /etc/php.ini
S.5....T  c /etc/ssh/sshd_config
S.5....T  c /etc/syslog.conf
S.5....T  c /etc/sysconfig/named
S.5....T  c /etc/httpd/conf.d/ssl.conf
S.5....T  c /etc/smartd.conf
S.5....T  c /etc/vsftpd/vsftpd.conf
S.5....T    /usr/share/psa-horde/util/icon_browser.php
S.5....T  c /etc/init.d/psa
S.5....T    /usr/lib/plesk-9.0/key-handler
S.5....T    /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin/libraries/config.default.php
S.5....T    /usr/local/psa/admin/plib/class.ComponentsChecker.php
S.5....T    /usr/local/psa/admin/plib/class.ComponentsShow.php
S.5....T    /usr/local/psa/admin/plib/class.RestartServForm.php
S.5....T    /usr/local/psa/admin/plib/class.ServiceControl.php
S.5....T    /usr/local/psa/admin/sbin/packagemng
S.5....T    /usr/local/psa/admin/plib/backup/BackupCreateBackupNowForm.php
S.5....T  c /etc/samba/smbusers
S.5....T  c /etc/pam.d/ekshell
S.5....T  c /etc/pam.d/kshell
S.5....T  c /etc/printcap
S.5....T  c /etc/my.cnf
S.5....T    /usr/bin/spf_example_static
S.5....T    /usr/bin/spfd_static
S.5....T    /usr/bin/spfquery_static
S.5....T    /usr/bin/spftest_static
S.5....T    /usr/lib/libspf2.so.2.1.0
S.5....T  c /etc/awstats/awstats.model.conf
S.5....T    /usr/local/sso/base/Cookie.php
S.5....T  c /etc/httpd/conf/httpd.conf
S.5....T    /usr/sbin/suexec

答案1

这是一个 CentOS 系统。我通常会修复这些 rootkit,但是如果你以前没有这样做过,那么你检测/获取所有内容的机会就很小了……

您可以从 RPM 验证开始......

跑步rpm -vVa | grep 'S\.5\.\.\.\.\T' > rpmverify.txt

然后检查 中的输出rpmverify.txt。这样您就可以检查哪些二进制文件和配置文件与 RPM 数据库中的校验和不匹配。这是我修复这些系统的第一个地方(确保没有未经授权的网络守护程序/服务正在运行)。


编辑:

我看到了 RPM verify 命令的输出。如果yum仍然有效,请运行yum install yum-utils以获取该yumdownloader命令的访问权限。

根据您的输出,您的coreutils可能软件包httpd已被破坏(cat、df、dd、chown、cp 等)。运行yumdownloader coreutils以获取 rpm。它将下载到您当前的目录中。我会强制重新安装 RPM(rpm -ivh --force coreutils*)并重新运行我上面建议的验证。


更新:

黑客/rootkit 通常会用木马版本替换二进制文件,并在文件上设置不可变标志,以防止它们被删除。

请通过运行查看 /bin/ls 二进制文件的属性lsattr /bin/ls

您可能会在输出中看到“a”、“u”、“i”和“s”。chattr -uisa在同一文件上运行应该会删除不可变标志并允许您运行 rpm 安装。

属性看起来应该是这样的:

[root@kitteh ~]# lsattr /bin/ls
------------- /bin/ls

对 RPM 安装中失败的任何其他文件重复此操作。您可能还需要更改/删除封闭目录中的那些属性...

相关内容