mv /lib64/libkeyutils.so.1.9 /root
service sshd restart
Stopping sshd: [ OK ]
Starting sshd: /usr/sbin/sshd: error while loading shared libraries: libkeyutils.so.1: cannot open shared object file: No such file or directory
[FAILED]
如何将其从 SSHD 中删除?
需要修复此问题: http://www.webhostingtalk.com/showpost.php?p=8548338&postcount=4
参考一下我听说的这个漏洞: http://blog.solidshellsecurity.com/2013/02/18/0day-linuxcentos-sshd-spam-exploit-libkeyutils-so-1-9/
他们没有使用 root 登录,甚至没有生成 bash 进程。如果将 lib 移出,并重新启动 sshd,他们就无法再登录了。
关键是找出它们是如何进入的。完全升级的、ssh 密钥受限的 sshd,在非标准端口上受到攻击。我的客户都没有受到攻击,但我收到了很多关于这个问题的销售咨询,所以我不知道这些机器的完整历史记录。
[/lib64]# rpm -vV openssh
......... /etc/ssh
......... c /etc/ssh/moduli
......... /usr/bin/ssh-keygen
......... /usr/libexec/openssh
......... /usr/libexec/openssh/ssh-keysign
......... /usr/share/doc/openssh-5.3p1
......... d /usr/share/doc/openssh-5.3p1/CREDITS
......... d /usr/share/doc/openssh-5.3p1/ChangeLog
......... d /usr/share/doc/openssh-5.3p1/INSTALL
......... d /usr/share/doc/openssh-5.3p1/LICENCE
......... d /usr/share/doc/openssh-5.3p1/OVERVIEW
......... d /usr/share/doc/openssh-5.3p1/PROTOCOL
......... d /usr/share/doc/openssh-5.3p1/PROTOCOL.agent
......... d /usr/share/doc/openssh-5.3p1/README
......... d /usr/share/doc/openssh-5.3p1/README.dns
......... d /usr/share/doc/openssh-5.3p1/README.nss
......... d /usr/share/doc/openssh-5.3p1/README.platform
......... d /usr/share/doc/openssh-5.3p1/README.privsep
......... d /usr/share/doc/openssh-5.3p1/README.smartcard
......... d /usr/share/doc/openssh-5.3p1/README.tun
......... d /usr/share/doc/openssh-5.3p1/TODO
......... d /usr/share/doc/openssh-5.3p1/WARNING.RNG
......... d /usr/share/man/man1/ssh-keygen.1.gz
......... d /usr/share/man/man8/ssh-keysign.8.gz
[/lib64]# rpm -vV openssh-clients
S.5....T. c /etc/ssh/ssh_config
......... /usr/bin/.ssh.hmac
......... /usr/bin/scp
......... /usr/bin/sftp
......... /usr/bin/slogin
......... /usr/bin/ssh
......... /usr/bin/ssh-add
......... /usr/bin/ssh-agent
......... /usr/bin/ssh-copy-id
......... /usr/bin/ssh-keyscan
......... d /usr/share/man/man1/scp.1.gz
......... d /usr/share/man/man1/sftp.1.gz
......... d /usr/share/man/man1/slogin.1.gz
......... d /usr/share/man/man1/ssh-add.1.gz
......... d /usr/share/man/man1/ssh-agent.1.gz
......... d /usr/share/man/man1/ssh-copy-id.1.gz
......... d /usr/share/man/man1/ssh-keyscan.1.gz
......... d /usr/share/man/man1/ssh.1.gz
......... d /usr/share/man/man5/ssh_config.5.gz
[/lib64]# rpm -vV openssh-server
.......T. c /etc/pam.d/ssh-keycat
S.5....T. c /etc/pam.d/sshd
......... /etc/rc.d/init.d/sshd
S.5....T. c /etc/ssh/sshd_config
......... c /etc/sysconfig/sshd
......... /usr/libexec/openssh/sftp-server
......... /usr/libexec/openssh/ssh-keycat
......... /usr/sbin/.sshd.hmac
......... /usr/sbin/sshd
......... /usr/share/doc/openssh-server-5.3p1
......... d /usr/share/doc/openssh-server-5.3p1/HOWTO.ssh-keycat
......... d /usr/share/man/man5/moduli.5.gz
......... d /usr/share/man/man5/sshd_config.5.gz
......... d /usr/share/man/man8/sftp-server.8.gz
......... d /usr/share/man/man8/sshd.8.gz
......... /var/empty/sshd
和
[/lib64]# rpm -qf /lib64/libkeyutils.so.1.9
file /lib64/libkeyutils.so.1.9 is not owned by any package
[/lib64]# rpm -vV keyutils-libs
....L.... /lib64/libkeyutils.so.1
......... /lib64/libkeyutils.so.1.3
......... /usr/share/doc/keyutils-libs-1.4
......... d /usr/share/doc/keyutils-libs-1.4/LICENCE.LGPL
答案1
您的 SSH 守护程序和系统可能会受到损害!!
您不能信任服务器上安装的现有 SSH 守护程序。
要进行快速检查,请对现有软件包运行 RPM 验证。您可以使用以下命令执行此操作:
rpm -vV openssh-server
rpm -vV openssh-clients
rpm -vV openssh
用 grep 搜索每个命令的输出S\.5
。这将告诉你二进制文件是否已更改。
临时修复方法是重新安装 openssh 设置,但这超出了此问题的范围。请参阅以下内容...