Linux Mint: I'm infected with a rootkit

I tried to log in to my admin account, but it said the password was incorrect. It can't have been wrong, since I copy-pasted it from a USB drive. I reset the password, installed chkrootkit, and found that I'm infected with a rootkit. So what should I do, just delete the files chkrootkit reports? Here is the terminal output:

user1@user1-linux ~ $ sudo chkrootkit
[sudo] password for username: 
ROOTDIR is `/'
Checking `amd'...                                           not found
Checking `basename'...                                      not infected
Checking `biff'...                                          not found
Checking `chfn'...                                          not infected
Checking `chsh'...                                          not infected
Checking `cron'...                                          not infected
Checking `crontab'...                                       not infected
Checking `date'...                                          not infected
Checking `du'...                                            not infected
Checking `dirname'...                                       not infected
Checking `echo'...                                          not infected
Checking `egrep'...                                         not infected
Checking `env'...                                           not infected
Checking `find'...                                          not infected
Checking `fingerd'...                                       not found
Checking `gpm'...                                           not found
Checking `grep'...                                          not infected
Checking `hdparm'...                                        not infected
Checking `su'...                                            not infected
Checking `ifconfig'...                                      not infected
Checking `inetd'...                                         not infected
Checking `inetdconf'...                                     not found
Checking `identd'...                                        not found
Checking `init'...                                          not infected
Checking `killall'...                                       not infected
Checking `ldsopreload'...                                   not infected
Checking `login'...                                         not infected
Checking `ls'...                                            not infected
Checking `lsof'...                                          not infected
Checking `mail'...                                          not found
Checking `mingetty'...                                      not found
Checking `netstat'...                                       not infected
Checking `named'...                                         not found
Checking `passwd'...                                        not infected
Checking `pidof'...                                         not infected
Checking `pop2'...                                          not found
Checking `pop3'...                                          not found
Checking `ps'...                                            not infected
Checking `pstree'...                                        not infected
Checking `rpcinfo'...                                       not found
Checking `rlogind'...                                       not found
Checking `rshd'...                                          not found
Checking `slogin'...                                        not infected
Checking `sendmail'...                                      not found
Checking `sshd'...                                          not found
Checking `syslogd'...                                       not tested
Checking `tar'...                                           not infected
Checking `tcpd'...                                          not infected
Checking `tcpdump'...                                       not infected
Checking `top'...                                           not infected
Checking `telnetd'...                                       not found
Checking `timed'...                                         not found
Checking `traceroute'...                                    not found
Checking `vdir'...                                          not infected
Checking `w'...                                             not infected
Checking `write'...                                         not infected
Checking `aliens'...                                        no suspect files
Searching for sniffer's logs, it may take a while...        nothing found
Searching for rootkit HiDrootkit's default files...         nothing found
Searching for rootkit t0rn's default files...               nothing found
Searching for t0rn's v8 defaults...                         nothing found
Searching for rootkit Lion's default files...               nothing found
Searching for rootkit RSHA's default files...               nothing found
Searching for rootkit RH-Sharpe's default files...          nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:  
/usr/lib/python3/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/jvm/.java-1.7.0-openjdk-amd64.jinfo /usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/pymodules/python2.7/.path /lib/modules/3.19.0-32-generic/vdso/.build-id
/lib/modules/3.19.0-32-generic/vdso/.build-id
Searching for LPD Worm files and dirs...                    nothing found
Searching for Ramen Worm files and dirs...                  nothing found
Searching for Maniac files and dirs...                      nothing found
Searching for RK17 files and dirs...                        nothing found
Searching for Ducoci rootkit...                             nothing found
Searching for Adore Worm...                                 nothing found
Searching for ShitC Worm...                                 nothing found
Searching for Omega Worm...                                 nothing found
Searching for Sadmind/IIS Worm...                           nothing found
Searching for MonKit...                                     nothing found
Searching for Showtee...                                    nothing found
Searching for OpticKit...                                   nothing found
Searching for T.R.K...                                      nothing found
Searching for Mithra...                                     nothing found
Searching for LOC rootkit...                                nothing found
Searching for Romanian rootkit...                           nothing found
Searching for Suckit rootkit...                             Warning: /sbin/init INFECTED
Searching for Volc rootkit...                               nothing found
Searching for Gold2 rootkit...                              nothing found
Searching for TC2 Worm default files and dirs...            nothing found
Searching for Anonoying rootkit default files and dirs...   nothing found
Searching for ZK rootkit default files and dirs...          nothing found
Searching for ShKit rootkit default files and dirs...       nothing found
Searching for AjaKit rootkit default files and dirs...      nothing found
Searching for zaRwT rootkit default files and dirs...       nothing found
Searching for Madalin rootkit default files...              nothing found
Searching for Fu rootkit default files...                   nothing found
Searching for ESRK rootkit default files...                 nothing found
Searching for rootedoor...                                  nothing found
Searching for ENYELKM rootkit default files...              nothing found
Searching for common ssh-scanners default files...          nothing found
Searching for suspect PHP files...                          nothing found
Searching for anomalies in shell history files...           nothing found
Checking `asp'...                                           not infected
Checking `bindshell'...                                     not infected
Checking `lkm'...                                           chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'...                                       not found
Checking `sniffer'...                                       lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient[1166])
Checking `w55808'...                                        not infected
Checking `wted'...                                          chkwtmp: nothing deleted
Checking `scalper'...                                       not infected
Checking `slapper'...                                       not infected
Checking `z2'...                                            user user2 deleted or never logged from lastlog!
user user1 deleted or never logged from lastlog!
user user3 deleted or never logged from lastlog!
Checking `chkutmp'...                                        The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! rasmus       2650 pts/0  /usr/bin/xflux -l 60° -k 3400 -nofork
chkutmp: nothing deleted
Checking `OSX_RSPLUG'...                                    not infected

Sorry about the messy formatting, I don't know how to get it to display properly. Anyway, these are the infected files:

The following suspicious files and directories were found:  
/usr/lib/python3/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/jvm/.java-1.7.0-openjdk-amd64.jinfo /usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/pymodules/python2.7/.path /lib/modules/3.19.0-32-generic/vdso/.build-id
/lib/modules/3.19.0-32-generic/vdso/.build-id

Searching for Suckit rootkit...                             Warning: /sbin/init INFECTED

I also changed the firewall settings so that it logs any suspicious activity. I'm on Windows now; I hope it won't spread to my Windows partition?

Edit: I use Linux Mint as my personal OS, so the network won't be affected. I'll just wipe the drive.

Answer 1

Some searching online suggests it may well be a false positive. Check your chkrootkit version:

$  chkrootkit -V

If it is below version 0.50, it may return a false positive for Suckit; see here for the bug report.


Also, someone pointed out that there was a backdoor in the ISO images of 20 February 2016 from the compromised Mint website; not sure how this relates to what you reported, but you can still try this:

How to check if your ISO is compromised?

If you still have the ISO file, check its MD5 signature with the command "md5sum yourfile.iso" (where yourfile.iso is the name of your ISO).

The valid signatures are as follows:

6e7f7e03500747c6c3bfece2c9c8394f  linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983  linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238  linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd  linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d  linuxmint-17.3-cinnamon-oem-64bit.iso

If you still have the burnt DVD or USB stick, boot a computer or a virtual machine from it offline (turn off your router if in doubt) and let it load the live session.

Once in the live session, if the file /var/lib/man.cy exists, this is an infected ISO.

Finally, I wouldn't have confidence in verifying file integrity with MD5 or SHA-1 sums, as these have been broken for years; better to check SHA-256 or higher.
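The verification procedure from this answer (hash the ISO, compare it with the published list, and prefer SHA-256 over MD5), together with the chkrootkit version check, as an added shell example that is not part of the answer. The file contents, the hash list and the `linuxmint-demo.iso` name are constructed for the demonstration; `verify_iso` reads a list in the same "HASH  filename" layout as the table quoted above, and `chkrootkit_has_suckit_fp` takes the version string (the last word of `chkrootkit -V` output) as an argument so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original answer): verify an ISO against a
# published signature list, preferring SHA-256 over MD5, and check whether
# a chkrootkit version is in the range the answer says gives a Suckit
# false positive.
set -eu

# verify_iso <iso-file> <signature-list> [md5|sha256]
# The signature list has one "HASH  filename" line per image, like the
# table quoted in the answer. Returns 0 when the computed hash matches the
# entry for the file's basename, 1 on mismatch or missing entry.
verify_iso() {
    iso="$1"; list="$2"; algo="${3:-sha256}"
    case "$algo" in
        sha256) actual=$(sha256sum "$iso" | awk '{print $1}') ;;
        md5)    actual=$(md5sum "$iso" | awk '{print $1}') ;;
        *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '$2 == n {print $1; exit}' "$list")
    if [ -z "$expected" ]; then
        echo "no $algo entry for $name in $list" >&2
        return 1
    fi
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK ($algo)"
        return 0
    fi
    echo "$name: MISMATCH ($algo) expected $expected got $actual" >&2
    return 1
}

# chkrootkit_has_suckit_fp <version-string>
# Returns 0 when the version is below 0.50, the range the answer says
# produces the Suckit false positive on /sbin/init.
chkrootkit_has_suckit_fp() {
    awk -v v="$1" 'BEGIN { exit !(v + 0 < 0.50) }'
}

# Constructed demonstration: a stand-in "ISO" with known content and a
# signature list in the answer's layout (the hash is for the constructed
# file, not for any real Mint image).
demo() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/linuxmint-demo.iso"
    printf '%s  %s\n' \
        5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
        linuxmint-demo.iso > "$dir/sha256sum.txt"
    verify_iso "$dir/linuxmint-demo.iso" "$dir/sha256sum.txt" sha256
    # tamper with the image: the same list must now reject it
    printf 'tampered\n' >> "$dir/linuxmint-demo.iso"
    if verify_iso "$dir/linuxmint-demo.iso" "$dir/sha256sum.txt" sha256 2>/dev/null; then
        echo "unexpected: tampered image verified"
    else
        echo "tampered image rejected as expected"
    fi
    if chkrootkit_has_suckit_fp 0.49; then
        echo "chkrootkit 0.49: Suckit result may be a false positive, upgrade first"
    fi
    rm -rf "$dir"
}
demo
```

On a real system the list would be the distribution's published sha256sum.txt and the version string would come from `chkrootkit -V 2>&1 | awk '{print $NF}'`; the lookup by basename means the ISO must keep its original filename.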

Answer 2

Generally you don't have to worry about a Linux rootkit spreading to a Windows system, but you have to be aware that a compromised network can lead to similar problems on any system on it.

Don't delete /sbin/init! It controls your startup/shutdown, so deleting it will make your system unbootable.

chkrootkit only looks for signatures, it doesn't check for the presence of known rootkit files, so it is prone to false positives. Java is notorious for triggering these false positives, as are many other programming tools.

You need to install rkhunter and scan your system, as it looks for signature files, but it is also prone to false positives, so don't be too quick to delete files without carefully checking whether the file belongs there.

If your distro has a livecd, you can usually copy /sbin/init over to the system and it should boot fine, but there are no guarantees.

Personally, if you are sure your password was compromised on a system acting as a network firewall, I would go for a fresh install and take more thorough measures to secure the system.

Tools like chkrootkit and rkhunter tend to be more useful on endpoint systems, especially for home users, than on primary entry points, mainly because by nature they are always chasing new developments in the security field, so they will never stop the latest exploits.

Once a firewall has been rooted, it is also important to check all systems on the network. A Linux firewall might change passwords to lock you out, but Windows systems are easy targets too.

Such a blatant attack could mean the attacker intends to extort you for access to the locked system, so check your mail logs, where there may be a message demanding money, and it is best to report the issue to the authorities in your area so they can help track down these groups.

Answer 3

You might want to consider taking an image of the infected disk and using Sleuth Kit's Autopsy on an offline copy of the image to create a timeline, and look for filesystem changes around the time the /sbin/init file was changed. The perp/rootkit may have stomped the modified, accessed and created timestamps, but at least you could get an idea of what they were after: turning your device into a bot, ransomware, or searching your network.

See http://www.sleuthkit.org/autopsy/docs/quick/

Or hire a local certified network forensics expert, who can probably let you know what actually happened.
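Before deleting anything chkrootkit flags (Answer 2's point about checking that a file belongs there) and before trusting file timestamps (Answer 3's point about stomped timestamps), a defender can run two cheap checks from a live session. The following shell is an added example, not code from any of the answers, from chkrootkit or from Sleuth Kit: `check_against_md5sums` compares a file with the hash the Debian package manager recorded for it (the `demo.md5sums` manifest, the `init` file and the `sbin/init` entry are constructed; on a real Mint system the manifest is `/var/lib/dpkg/info/<package>.md5sums`, with the package found via `dpkg -S /sbin/init`), and `timestamp_gap` and `mtime_timeline` use GNU `stat` and `find` to surface a backdated modification time and to produce a small mtime-ordered listing of the kind an Autopsy timeline gives at full scale.

```shell
#!/bin/sh
# Added example, not from any of the answers: triage a path that chkrootkit
# flagged before deciding whether to delete it. Two checks: does the file
# still match what the package manager recorded for it, and do its
# timestamps look consistent.
set -eu

# check_against_md5sums <file> <md5sums-list> <path-as-recorded>
# On Debian-based systems such as Mint, dpkg keeps one list per package in
# /var/lib/dpkg/info/<pkg>.md5sums with lines "HASH  relative/path" (no
# leading slash). The list is passed in explicitly so this runs on a
# constructed one; on a real system use the manifest of the package that
# `dpkg -S <file>` reports.
# Returns 0 on match, 1 on mismatch, 2 when the path is not recorded.
check_against_md5sums() {
    file="$1"; list="$2"; recorded="$3"
    expected=$(awk -v p="$recorded" '$2 == p {print $1; exit}' "$list")
    if [ -z "$expected" ]; then
        echo "$recorded: not in package manifest (unowned file, inspect by hand)"
        return 2
    fi
    actual=$(md5sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "$recorded: matches package manifest"
        return 0
    fi
    echo "$recorded: DIFFERS from package manifest (recorded $expected, on disk $actual)"
    return 1
}

# timestamp_gap <file>
# Prints by how many seconds the inode change time (ctime) is newer than
# the content modification time (mtime). mtime can be set freely with
# touch(1); ctime is maintained by the kernel and cannot be set from
# userspace, so a large gap on a file that was "modified long ago" is a
# hint that the mtime was backdated. Uses GNU stat (coreutils).
timestamp_gap() {
    stat -c '%Y %Z' "$1" | awk '{ print $2 - $1 }'
}

# mtime_timeline <dir>
# A minimal mtime-ordered listing of a tree, the kind of view a Sleuth Kit
# timeline gives at larger scale. Uses GNU find's -printf.
mtime_timeline() {
    find "$1" -type f -printf '%TY-%Tm-%Td %TH:%TM:%TS %p\n' | sort
}

# Constructed demonstration on temporary files (not real system paths).
demo() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/init"
    # manifest line in dpkg's layout, for a constructed package
    printf 'b1946ac92492d2347c6235b4d2611184  sbin/init\n' > "$d/demo.md5sums"
    check_against_md5sums "$d/init" "$d/demo.md5sums" sbin/init
    # backdate the mtime; ctime stays "now", so the gap becomes large
    touch -d '2015-01-01 00:00:00' "$d/init"
    echo "mtime/ctime gap on init: $(timestamp_gap "$d/init") seconds"
    printf 'x\n' > "$d/other"
    echo "mtime timeline of $d:"
    mtime_timeline "$d"
    rm -rf "$d"
}
demo
```

A manifest match only says the file is what the package shipped; a kernel-level rootkit can still lie to `md5sum` and `stat`, which is why Answer 3's advice to work on an offline image of the disk still applies.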

Answer 4

The best way I deal with rootkits is to wipe the drive. However, depending on how important your data is, you could create another SU/root account and disable/strip privileges from the account that runs the rootkit.

Have you double-checked for false positives?