从 sshd 中删除共享库

从 sshd 中删除共享库
mv /lib64/libkeyutils.so.1.9 /root
service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd: /usr/sbin/sshd: error while loading shared libraries: libkeyutils.so.1: cannot open shared object file: No such file or directory
                                                           [FAILED]

如何将其从 SSHD 中删除?

需要修复此问题: http://www.webhostingtalk.com/showpost.php?p=8548338&postcount=4

参考一下我听说的这个漏洞: http://blog.solidshellsecurity.com/2013/02/18/0day-linuxcentos-sshd-spam-exploit-libkeyutils-so-1-9/

他们没有使用 root 登录,甚至没有生成 bash 进程。如果将 lib 移出,并重新启动 sshd,他们就无法再登录了。

关键是找出它们是如何进入的。完全升级的、ssh 密钥受限的 sshd,在非标准端口上受到攻击。我的客户都没有受到攻击,但我收到了很多关于这个问题的销售咨询,所以我不知道这些机器的完整历史记录。

[/lib64]# rpm -vV openssh
.........    /etc/ssh
.........  c /etc/ssh/moduli
.........    /usr/bin/ssh-keygen
.........    /usr/libexec/openssh
.........    /usr/libexec/openssh/ssh-keysign
.........    /usr/share/doc/openssh-5.3p1
.........  d /usr/share/doc/openssh-5.3p1/CREDITS
.........  d /usr/share/doc/openssh-5.3p1/ChangeLog
.........  d /usr/share/doc/openssh-5.3p1/INSTALL
.........  d /usr/share/doc/openssh-5.3p1/LICENCE
.........  d /usr/share/doc/openssh-5.3p1/OVERVIEW
.........  d /usr/share/doc/openssh-5.3p1/PROTOCOL
.........  d /usr/share/doc/openssh-5.3p1/PROTOCOL.agent
.........  d /usr/share/doc/openssh-5.3p1/README
.........  d /usr/share/doc/openssh-5.3p1/README.dns
.........  d /usr/share/doc/openssh-5.3p1/README.nss
.........  d /usr/share/doc/openssh-5.3p1/README.platform
.........  d /usr/share/doc/openssh-5.3p1/README.privsep
.........  d /usr/share/doc/openssh-5.3p1/README.smartcard
.........  d /usr/share/doc/openssh-5.3p1/README.tun
.........  d /usr/share/doc/openssh-5.3p1/TODO
.........  d /usr/share/doc/openssh-5.3p1/WARNING.RNG
.........  d /usr/share/man/man1/ssh-keygen.1.gz
.........  d /usr/share/man/man8/ssh-keysign.8.gz
[/lib64]# rpm -vV openssh-clients
S.5....T.  c /etc/ssh/ssh_config
.........    /usr/bin/.ssh.hmac
.........    /usr/bin/scp
.........    /usr/bin/sftp
.........    /usr/bin/slogin
.........    /usr/bin/ssh
.........    /usr/bin/ssh-add
.........    /usr/bin/ssh-agent
.........    /usr/bin/ssh-copy-id
.........    /usr/bin/ssh-keyscan
.........  d /usr/share/man/man1/scp.1.gz
.........  d /usr/share/man/man1/sftp.1.gz
.........  d /usr/share/man/man1/slogin.1.gz
.........  d /usr/share/man/man1/ssh-add.1.gz
.........  d /usr/share/man/man1/ssh-agent.1.gz
.........  d /usr/share/man/man1/ssh-copy-id.1.gz
.........  d /usr/share/man/man1/ssh-keyscan.1.gz
.........  d /usr/share/man/man1/ssh.1.gz
.........  d /usr/share/man/man5/ssh_config.5.gz
[/lib64]# rpm -vV openssh-server
.......T.  c /etc/pam.d/ssh-keycat
S.5....T.  c /etc/pam.d/sshd
.........    /etc/rc.d/init.d/sshd
S.5....T.  c /etc/ssh/sshd_config
.........  c /etc/sysconfig/sshd
.........    /usr/libexec/openssh/sftp-server
.........    /usr/libexec/openssh/ssh-keycat
.........    /usr/sbin/.sshd.hmac
.........    /usr/sbin/sshd
.........    /usr/share/doc/openssh-server-5.3p1
.........  d /usr/share/doc/openssh-server-5.3p1/HOWTO.ssh-keycat
.........  d /usr/share/man/man5/moduli.5.gz
.........  d /usr/share/man/man5/sshd_config.5.gz
.........  d /usr/share/man/man8/sftp-server.8.gz
.........  d /usr/share/man/man8/sshd.8.gz
.........    /var/empty/sshd

[/lib64]# rpm -qf /lib64/libkeyutils.so.1.9
file /lib64/libkeyutils.so.1.9 is not owned by any package
[/lib64]# rpm -vV keyutils-libs
....L....    /lib64/libkeyutils.so.1
.........    /lib64/libkeyutils.so.1.3
.........    /usr/share/doc/keyutils-libs-1.4
.........  d /usr/share/doc/keyutils-libs-1.4/LICENCE.LGPL

答案1

您的 SSH 守护程序和系统可能会受到损害!!

您不能信任服务器上安装的现有 SSH 守护程序。

要进行快速检查,请对现有软件包运行 RPM 验证。您可以使用以下命令执行此操作:

rpm -vV openssh-server
rpm -vV openssh-clients
rpm -vV openssh

用 grep 搜索每个命令的输出S\.5。这将告诉你二进制文件是否已更改。

临时修复方法是重新安装 openssh 设置,但这超出了此问题的范围。请参阅以下内容...

我该如何处理受到感染的服务器?

fsck 修复后,sshd 立即发生核心转储

`/etc/inittab` 中最后一行以下的条目 - 可能被黑客入侵?

相关内容