我正在运行 CentOS 5.3,以下是“chkrootkit”的结果:
Possible t0rn v8 \(or variation\) rootkit installed
Warning: Possible Showtee Rootkit installed
/usr/include/file.h /usr/include/proc.h
Warning: `//root/.mysql_history' file size is zero
INFECTED (PORTS: 465)
You have 61 process hidden for readdir command
You have 62 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 3040 tty2 /sbin/mingetty tty2
! root 3041 tty3 /sbin/mingetty tty3
! root 3042 tty4 /sbin/mingetty tty4
! root 3043 tty5 /sbin/mingetty tty5
! root 3046 tty6 /sbin/mingetty tty6
我不明白这些警告是什么意思。
服务器是否受到感染或者存在危险?
编辑:
让我补充一下,我首先在命令行上收到了奇怪的消息:
Unknown HZ value! (##) Assume 100
然后我跟着这个很棒的说明并用新文件替换被黑的文件。我替换了:
/sbin/ifconfig
/bin/netstat
/usr/bin/pstree
/usr/bin/top
据报道,它们都被“chkrootkit”感染了。
现在我重新运行“chkrootkit”并得到了上述输出。如何消除所有警告?
编辑2:
在使用以下命令检查 rpm 完整性后,rpm -vVa | grep 'S\.5\.\.\.\.\T' > rpmverify.txt我得到了以下结果:
S.5....T c /etc/mail/spamassassin/local.cf
S.5....T c /etc/pam.d/system-auth
S.5....T c /etc/sudoers
S.5....T c /etc/samba/smb.conf
S.5....T /opt/drweb/lib/drweb32.dll
S.5....T /var/drweb/bases/drw50000.vdb
S.5....T /var/drweb/bases/drw50001.vdb
S.5....T /var/drweb/bases/drw50002.vdb
S.5....T /var/drweb/bases/drw50003.vdb
S.5....T /var/drweb/bases/drw50004.vdb
S.5....T /var/drweb/bases/drw50005.vdb
S.5....T /var/drweb/bases/drw50006.vdb
S.5....T /var/drweb/bases/drw50007.vdb
S.5....T /var/drweb/bases/drw50008.vdb
S.5....T /var/drweb/bases/drw50009.vdb
S.5....T /var/drweb/bases/drw50010.vdb
S.5....T /var/drweb/bases/drw50011.vdb
S.5....T /var/drweb/bases/drw50012.vdb
S.5....T /var/drweb/bases/drw50013.vdb
S.5....T /var/drweb/bases/drw50014.vdb
S.5....T /var/drweb/bases/drw50015.vdb
S.5....T /var/drweb/bases/drw50016.vdb
S.5....T /var/drweb/bases/drw50017.vdb
S.5....T /var/drweb/bases/drw50018.vdb
S.5....T /var/drweb/bases/drw50019.vdb
S.5....T /var/drweb/bases/drw50020.vdb
S.5....T /var/drweb/bases/drw50021.vdb
S.5....T /var/drweb/bases/drw50022.vdb
S.5....T /var/drweb/bases/drw50023.vdb
S.5....T /var/drweb/bases/drw50024.vdb
S.5....T /var/drweb/bases/drw50025.vdb
S.5....T /var/drweb/bases/drw50026.vdb
S.5....T /var/drweb/bases/drw50027.vdb
S.5....T /var/drweb/bases/drw50028.vdb
S.5....T /var/drweb/bases/drw50029.vdb
S.5....T /var/drweb/bases/drwebase.vdb
S.5....T /var/drweb/bases/drwnasty.vdb
S.5....T /var/drweb/bases/drwrisky.vdb
S.5....T /var/drweb/bases/drwtoday.vdb
S.5....T /var/drweb/bases/dwn50001.vdb
S.5....T /var/drweb/bases/dwn50002.vdb
S.5....T /var/drweb/bases/dwntoday.vdb
S.5....T /var/drweb/bases/dwr50001.vdb
S.5....T /var/drweb/bases/dwrtoday.vdb
S.5....T /bin/basename
S.5....T /bin/cat
S.5....T /bin/chgrp
S.5....T /bin/chmod
S.5....T /bin/chown
S.5....T /bin/cp
S.5....T /bin/cut
S.5....T /bin/dd
S.5....T /bin/df
S.5....T /bin/env
S.5....T /bin/false
S.5....T /bin/link
S.5....T /bin/ln
S.5....T c /etc/proftpd.conf
S.5....T c /root/.bash_profile
S.5....T c /etc/httpd/conf.d/mailman.conf
S.5....T /usr/lib/mailman/Mailman/mm_cfg.pyc
S.5....T c /etc/drweb/drweb32.ini
S.5....T /opt/drweb/ldwrap.sh
S.5....T c /etc/drweb/users.conf
S.5....T /usr/share/psa-horde/imp/compose.php
S.5....T /usr/share/psa-horde/imp/contacts.php
S.5....T /usr/local/psa/admin/plib/api-common/cuMail.php
S.5....T /usr/local/psa/admin/sbin/autoinstaller
S.5....T /usr/local/psa/admin/htdocs/modules/watchdog/stats-graph.php
S.5....T /usr/local/psa/etc/modules/watchdog/monitrc
S.5....T /usr/local/psa/etc/modules/watchdog/wdcollect.inc.php
S.5....T /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter /db/backdoorports.dat
S.5....T /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/mirrors.dat
S.5....T /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/programs_bad.dat
S.5....T /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/suspscan.dat
S.5....T c /etc/courier-imap/imapd.cnf
S.5....T c /etc/php.ini
S.5....T c /etc/ssh/sshd_config
S.5....T c /etc/syslog.conf
S.5....T c /etc/sysconfig/named
S.5....T c /etc/httpd/conf.d/ssl.conf
S.5....T c /etc/smartd.conf
S.5....T c /etc/vsftpd/vsftpd.conf
S.5....T /usr/share/psa-horde/util/icon_browser.php
S.5....T c /etc/init.d/psa
S.5....T /usr/lib/plesk-9.0/key-handler
S.5....T /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin/librari/config.default.php
S.5....T /usr/local/psa/admin/plib/class.ComponentsChecker.php
S.5....T /usr/local/psa/admin/plib/class.ComponentsShow.php
S.5....T /usr/local/psa/admin/plib/class.RestartServForm.php
S.5....T /usr/local/psa/admin/plib/class.ServiceControl.php
S.5....T /usr/local/psa/admin/sbin/packagemng
S.5....T /usr/local/psa/admin/plib/backup/BackupCreateBackupNowForm.php
S.5....T c /etc/samba/smbusers
S.5....T c /etc/pam.d/ekshell
S.5....T c /etc/pam.d/kshell
S.5....T c /etc/printcap
S.5....T c /etc/my.cnf
S.5....T /usr/bin/spf_example_static
S.5....T /usr/bin/spfd_static
S.5....T /usr/bin/spfquery_static
S.5....T /usr/bin/spftest_static
S.5....T /usr/lib/libspf2.so.2.1.0
S.5....T c /etc/awstats/awstats.model.conf
S.5....T /usr/local/sso/base/Cookie.php
S.5....T c /etc/httpd/conf/httpd.conf
S.5....T /usr/sbin/suexec
这有帮助吗?
编辑3:
core utils重新安装后rpm检查结果如下:
S.5....T c /etc/mail/spamassassin/local.cf
S.5....T c /etc/pam.d/system-auth
S.5....T c /etc/sudoers
S.5....T c /etc/samba/smb.conf
S.5....T /opt/drweb/lib/drweb32.dll
S.5....T /var/drweb/bases/drw50000.vdb
S.5....T /var/drweb/bases/drw50001.vdb
S.5....T /var/drweb/bases/drw50002.vdb
S.5....T /var/drweb/bases/drw50003.vdb
S.5....T /var/drweb/bases/drw50004.vdb
S.5....T /var/drweb/bases/drw50005.vdb
S.5....T /var/drweb/bases/drw50006.vdb
S.5....T /var/drweb/bases/drw50007.vdb
S.5....T /var/drweb/bases/drw50008.vdb
S.5....T /var/drweb/bases/drw50009.vdb
S.5....T /var/drweb/bases/drw50010.vdb
S.5....T /var/drweb/bases/drw50011.vdb
S.5....T /var/drweb/bases/drw50012.vdb
S.5....T /var/drweb/bases/drw50013.vdb
S.5....T /var/drweb/bases/drw50014.vdb
S.5....T /var/drweb/bases/drw50015.vdb
S.5....T /var/drweb/bases/drw50016.vdb
S.5....T /var/drweb/bases/drw50017.vdb
S.5....T /var/drweb/bases/drw50018.vdb
S.5....T /var/drweb/bases/drw50019.vdb
S.5....T /var/drweb/bases/drw50020.vdb
S.5....T /var/drweb/bases/drw50021.vdb
S.5....T /var/drweb/bases/drw50022.vdb
S.5....T /var/drweb/bases/drw50023.vdb
S.5....T /var/drweb/bases/drw50024.vdb
S.5....T /var/drweb/bases/drw50025.vdb
S.5....T /var/drweb/bases/drw50026.vdb
S.5....T /var/drweb/bases/drw50027.vdb
S.5....T /var/drweb/bases/drw50028.vdb
S.5....T /var/drweb/bases/drw50029.vdb
S.5....T /var/drweb/bases/drwebase.vdb
S.5....T /var/drweb/bases/drwnasty.vdb
S.5....T /var/drweb/bases/drwrisky.vdb
S.5....T /var/drweb/bases/drwtoday.vdb
S.5....T /var/drweb/bases/dwn50001.vdb
S.5....T /var/drweb/bases/dwn50002.vdb
S.5....T /var/drweb/bases/dwntoday.vdb
S.5....T /var/drweb/bases/dwr50001.vdb
S.5....T /var/drweb/bases/dwrtoday.vdb
S.5....T c /etc/proftpd.conf
S.5....T c /etc/profile.d/colorls.csh
S.5....T c /etc/profile.d/colorls.sh
S.5....T c /root/.bash_profile
S.5....T c /etc/httpd/conf.d/mailman.conf
S.5....T /usr/lib/mailman/Mailman/mm_cfg.pyc
S.5....T c /etc/drweb/drweb32.ini
S.5....T /opt/drweb/ldwrap.sh
S.5....T c /etc/drweb/users.conf
S.5....T /usr/share/psa-horde/imp/compose.php
S.5....T /usr/share/psa-horde/imp/contacts.php
S.5....T /usr/local/psa/admin/plib/api-common/cuMail.php
S.5....T /usr/local/psa/admin/sbin/autoinstaller
S.5....T /usr/local/psa/admin/htdocs/modules/watchdog/stats-graph.php
S.5....T /usr/local/psa/etc/modules/watchdog/monitrc
S.5....T /usr/local/psa/etc/modules/watchdog/wdcollect.inc.php
S.5....T /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter /db/backdoorports.dat
S.5....T /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/mirrors.dat
S.5....T /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/programs_bad.dat
S.5....T /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/suspscan.dat
S.5....T c /etc/courier-imap/imapd.cnf
S.5....T c /etc/php.ini
S.5....T c /etc/ssh/sshd_config
S.5....T c /etc/syslog.conf
S.5....T c /etc/sysconfig/named
S.5....T c /etc/httpd/conf.d/ssl.conf
S.5....T c /etc/smartd.conf
S.5....T c /etc/vsftpd/vsftpd.conf
S.5....T /usr/share/psa-horde/util/icon_browser.php
S.5....T c /etc/init.d/psa
S.5....T /usr/lib/plesk-9.0/key-handler
S.5....T /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin/libraries/config.default.php
S.5....T /usr/local/psa/admin/plib/class.ComponentsChecker.php
S.5....T /usr/local/psa/admin/plib/class.ComponentsShow.php
S.5....T /usr/local/psa/admin/plib/class.RestartServForm.php
S.5....T /usr/local/psa/admin/plib/class.ServiceControl.php
S.5....T /usr/local/psa/admin/sbin/packagemng
S.5....T /usr/local/psa/admin/plib/backup/BackupCreateBackupNowForm.php
S.5....T c /etc/samba/smbusers
S.5....T c /etc/pam.d/ekshell
S.5....T c /etc/pam.d/kshell
S.5....T c /etc/printcap
S.5....T c /etc/my.cnf
S.5....T /usr/bin/spf_example_static
S.5....T /usr/bin/spfd_static
S.5....T /usr/bin/spfquery_static
S.5....T /usr/bin/spftest_static
S.5....T /usr/lib/libspf2.so.2.1.0
S.5....T c /etc/awstats/awstats.model.conf
S.5....T /usr/local/sso/base/Cookie.php
S.5....T c /etc/httpd/conf/httpd.conf
S.5....T /usr/sbin/suexec
答案1
这是一个 CentOS 系统。我通常会修复这些 rootkit,但是如果你以前没有这样做过,那么你检测/获取所有内容的机会就很小了……
您可以从 RPM 验证开始......
跑步rpm -vVa | grep 'S\.5\.\.\.\.\T' > rpmverify.txt
然后检查 中的输出rpmverify.txt。这样您就可以检查哪些二进制文件和配置文件与 RPM 数据库中的校验和不匹配。这是我修复这些系统的第一个地方(确保没有未经授权的网络守护程序/服务正在运行)。
编辑:
我看到了 RPM verify 命令的输出。如果yum仍然有效,请运行yum install yum-utils以获取该yumdownloader命令的访问权限。
根据您的输出,您的coreutils和可能软件包httpd已被破坏(cat、df、dd、chown、cp 等)。运行yumdownloader coreutils以获取 rpm。它将下载到您当前的目录中。我会强制重新安装 RPM(rpm -ivh --force coreutils*)并重新运行我上面建议的验证。
更新:
黑客/rootkit 通常会用木马版本替换二进制文件,并在文件上设置不可变标志,以防止它们被删除。
请通过运行查看 /bin/ls 二进制文件的属性lsattr /bin/ls。
您可能会在输出中看到“a”、“u”、“i”和“s”。chattr -uisa在同一文件上运行应该会删除不可变标志并允许您运行 rpm 安装。
属性看起来应该是这样的:
[root@kitteh ~]# lsattr /bin/ls
------------- /bin/ls
对 RPM 安装中失败的任何其他文件重复此操作。您可能还需要更改/删除封闭目录中的那些属性...