I've been around here for a while now. I've been focused on the never-ending problem of my devices getting hacked. I set up a bridge on my home network. It's a TP-Link 841N; I enabled WDS and connected it as a client to my network. Nmap tells me port 22 is open, and I've tried reflashing the firmware several times, downloading it through many different proxies including two OpenVPN servers, my cellular connection and the Tor network. I also recently had to have my VPS provider PGP me a new password, because the OpenVZ web panel kept getting hacked. This has happened 3 or 4 times and my provider had to reset the password. So I scanned my computer for rootkits with chkrootkit and rkhunter and got quite a few warnings. I'll post the output here: (edited for formatting, January 19, 2015)
## chkrootkit output
root@linuxpc:~# chkrootkit
ROOTDIR is `/'
Searching for suspicious files and dirs, it may take a while...
The following suspicious files and directories were found:
/usr/lib/debug/.build-id
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit
/usr/lib/pymodules/python2.7/.path
/usr/lib/jvm/.java-1.7.0-openjdk amd64.jinfo
/usr/lib/debug/.build-id
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
wlan0: PACKET SNIFFER(/sbin/wpa_supplicant[1850], /sbin/dhclient[3145])
Checking `wted'... 1 deletion(s) between Sat Jan 17 21:43:47 2015 and Sat Jan 17 21:48:36 2015
Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
! RUID PID TTY CMD
! root 1463 tty7 /usr/bin/X :0 -background none -verbose -auth /var/run/gdm/auth-for-gdm-4y3SbT/database -seat seat0 -nolisten tcp vt7
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
root@linuxpc:~# Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching: command not found
## rkhunter output
anon@linuxpc:~$ cat /var/log/rkhunter.log | grep Warning
[03:36:46] /usr/sbin/chroot [ Warning ]
[03:36:46] Warning: The file properties have changed:
[03:36:47] /usr/sbin/rsyslogd [ Warning ]
[03:36:47] Warning: The file properties have changed:
[03:36:48] /usr/bin/awk [ Warning ]
[03:36:48] Warning: The file properties have changed:
[03:36:48] /usr/bin/basename [ Warning ]
[03:36:48] Warning: The file properties have changed:
[03:36:49] /usr/bin/curl [ Warning ]
[03:36:49] Warning: The file '/usr/bin/curl' exists on the system, but it is not present in the rkhunter.dat file.
[03:36:49] /usr/bin/cut [ Warning ]
[03:36:49] Warning: The file properties have changed:
[03:36:49] /usr/bin/dirname [ Warning ]
[03:36:49] Warning: The file properties have changed:
[03:36:49] /usr/bin/du [ Warning ]
[03:36:49] Warning: The file properties have changed:
[03:36:50] /usr/bin/env [ Warning ]
[03:36:50] Warning: The file properties have changed:
[03:36:50] /usr/bin/file [ Warning ]
[03:36:50] Warning: The file properties have changed:
[03:36:50] /usr/bin/groups [ Warning ]
[03:36:50] Warning: The file properties have changed:
[03:36:50] /usr/bin/head [ Warning ]
[03:36:50] Warning: The file properties have changed:
[03:36:51] /usr/bin/id [ Warning ]
[03:36:51] Warning: The file properties have changed:
[03:36:51] /usr/bin/ldd [ Warning ]
[03:36:51] Warning: The file properties have changed:
[03:36:52] /usr/bin/logger [ Warning ]
[03:36:52] Warning: The file properties have changed:
[03:36:52] /usr/bin/mail [ Warning ]
[03:36:52] Warning: The file '/usr/bin/mail' exists on the system, but it is not present in the rkhunter.dat file.
[03:36:52] /usr/bin/md5sum [ Warning ]
[03:36:52] Warning: The file properties have changed:
[03:36:53] /usr/bin/runcon [ Warning ]
[03:36:53] Warning: The file properties have changed:
[03:36:53] /usr/bin/sha1sum [ Warning ]
[03:36:53] Warning: The file properties have changed:
[03:36:54] /usr/bin/sha224sum [ Warning ]
[03:36:54] Warning: The file properties have changed:
[03:36:54] /usr/bin/sha256sum [ Warning ]
[03:36:54] Warning: The file properties have changed:
[03:36:54] /usr/bin/sha384sum [ Warning ]
[03:36:54] Warning: The file properties have changed:
[03:36:54] /usr/bin/sha512sum [ Warning ]
[03:36:54] Warning: The file properties have changed:
[03:36:54] /usr/bin/sort [ Warning ]
[03:36:54] Warning: The file properties have changed:
[03:36:55] /usr/bin/stat [ Warning ]
[03:36:55] Warning: The file properties have changed:
[03:36:55] /usr/bin/tail [ Warning ]
[03:36:55] Warning: The file properties have changed:
[03:36:55] /usr/bin/test [ Warning ]
[03:36:55] Warning: The file properties have changed:
[03:36:56] /usr/bin/touch [ Warning ]
[03:36:56] Warning: The file properties have changed:
[03:36:56] /usr/bin/tr [ Warning ]
[03:36:56] Warning: The file properties have changed:
[03:36:56] /usr/bin/uniq [ Warning ]
[03:36:56] Warning: The file properties have changed:
[03:36:56] /usr/bin/users [ Warning ]
[03:36:56] Warning: The file properties have changed:
[03:36:57] /usr/bin/wc [ Warning ]
[03:36:57] Warning: The file properties have changed:
[03:36:57] /usr/bin/wget [ Warning ]
[03:36:57] Warning: The file properties have changed:
[03:36:57] /usr/bin/whatis [ Warning ]
[03:36:57] Warning: The file properties have changed:
[03:36:57] /usr/bin/whereis [ Warning ]
[03:36:57] Warning: The file properties have changed:
[03:36:58] /usr/bin/who [ Warning ]
[03:36:58] Warning: The file properties have changed:
[03:36:58] /usr/bin/whoami [ Warning ]
[03:36:58] Warning: The file properties have changed:
[03:36:58] /usr/bin/unhide.rb [ Warning ]
[03:36:58] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
[03:36:58] /usr/bin/gawk [ Warning ]
[03:36:58] Warning: The file '/usr/bin/gawk' exists on the system, but it is not present in the rkhunter.dat file.
[03:36:58] /usr/bin/bsd-mailx [ Warning ]
[03:36:58] Warning: The file '/usr/bin/bsd-mailx' exists on the system, but it is not present in the rkhunter.dat file.
[03:36:59] /sbin/fsck [ Warning ]
[03:36:59] Warning: The file properties have changed:
[03:36:59] /sbin/ifconfig [ Warning ]
[03:36:59] Warning: The file properties have changed:
[03:37:00] /sbin/route [ Warning ]
[03:37:00] Warning: The file properties have changed:
[03:37:01] /bin/bash [ Warning ]
[03:37:01] Warning: The file properties have changed:
[03:37:02] /bin/cat [ Warning ]
[03:37:02] Warning: The file properties have changed:
[03:37:02] /bin/chmod [ Warning ]
[03:37:02] Warning: The file properties have changed:
[03:37:02] /bin/chown [ Warning ]
[03:37:02] Warning: The file properties have changed:
[03:37:02] /bin/cp [ Warning ]
[03:37:02] Warning: The file properties have changed:
[03:37:03] /bin/date [ Warning ]
[03:37:03] Warning: The file properties have changed:
[03:37:03] /bin/df [ Warning ]
[03:37:03] Warning: The file properties have changed:
[03:37:03] /bin/dmesg [ Warning ]
[03:37:03] Warning: The file properties have changed:
[03:37:03] /bin/echo [ Warning ]
[03:37:03] Warning: The file properties have changed:
[03:37:04] /bin/ls [ Warning ]
[03:37:04] Warning: The file properties have changed:
[03:37:05] /bin/mktemp [ Warning ]
[03:37:05] Warning: The file properties have changed:
[03:37:05] /bin/more [ Warning ]
[03:37:05] Warning: The file properties have changed:
[03:37:05] /bin/mount [ Warning ]
[03:37:05] Warning: The file properties have changed:
[03:37:05] /bin/mv [ Warning ]
[03:37:05] Warning: The file properties have changed:
[03:37:06] /bin/netstat [ Warning ]
[03:37:06] Warning: The file properties have changed:
[03:37:06] /bin/pwd [ Warning ]
[03:37:06] Warning: The file properties have changed:
[03:37:06] /bin/readlink [ Warning ]
[03:37:06] Warning: The file properties have changed:
[03:37:07] /bin/touch [ Warning ]
[03:37:07] Warning: The file properties have changed:
[03:37:07] /bin/uname [ Warning ]
[03:37:07] Warning: The file properties have changed:
[03:37:08] /usr/bin/mawk [ Warning ]
[03:37:08] Warning: The file '/usr/bin/mawk' does not exist on the system, but it is present in the rkhunter.dat file.
[03:46:29] Checking /dev for suspicious file types [ Warning ]
[03:46:29] Warning: Suspicious file types found in /dev:
[03:46:29] Checking for hidden files and directories [ Warning ]
[03:46:29] Warning: Hidden directory found: '/etc/.java: directory '
[03:46:29] Warning: Hidden directory found: '/dev/.udev: directory '
[03:46:29] Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
## End output
I remember that it hadn't been long since I ran propupdate, and rkhunter still gave me a lot of warnings. The promiscuous interface warning didn't show up before. Could someone more knowledgeable help me interpret these results? I know the SucKIT rootkit hit may be a false positive, but the rkhunter warnings make me nervous, along with all the strange activity I've been dealing with on the VPS, which was also a Tor exit node for a long time. Thanks.
(Update, January 19, 2015) I took your advice, removed the "not infected" lines and upgraded rkhunter. Then I ran the new version (1.4.2) and the following warnings popped up:
[15:48:20] /usr/local/bin/rkhunter [ Warning ]
[15:48:20] Warning: The file '/usr/local/bin/rkhunter' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:20] /usr/sbin/adduser [ Warning ]
[15:48:20] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Perl script, ASCII text executable
[15:48:20] /usr/sbin/chroot [ Warning ]
[15:48:20] Warning: The file properties have changed:
[15:48:22] /usr/sbin/rsyslogd [ Warning ]
[15:48:22] Warning: The file properties have changed:
[15:48:23] /usr/bin/awk [ Warning ]
[15:48:23] Warning: The file properties have changed:
[15:48:23] Warning: No symbolic link target found for file '/usr/bin/awk' in the 'rkhunter.dat' file.
[15:48:23] /usr/bin/basename [ Warning ]
[15:48:23] Warning: The file properties have changed:
[15:48:24] /usr/bin/curl [ Warning ]
[15:48:24] Warning: The file '/usr/bin/curl' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:24] /usr/bin/cut [ Warning ]
[15:48:24] Warning: The file properties have changed:
[15:48:24] /usr/bin/dirname [ Warning ]
[15:48:24] Warning: The file properties have changed:
[15:48:25] /usr/bin/du [ Warning ]
[15:48:25] Warning: The file properties have changed:
[15:48:25] /usr/bin/env [ Warning ]
[15:48:25] Warning: The file properties have changed:
[15:48:25] /usr/bin/file [ Warning ]
[15:48:25] Warning: The file properties have changed:
[15:48:25] /usr/bin/GET [ Warning ]
[15:48:25] Warning: No symbolic link target found for file '/usr/bin/GET' in the 'rkhunter.dat' file.
[15:48:26] /usr/bin/groups [ Warning ]
[15:48:26] Warning: The file properties have changed:
[15:48:26] /usr/bin/head [ Warning ]
[15:48:26] Warning: The file properties have changed:
[15:48:26] /usr/bin/id [ Warning ]
[15:48:26] Warning: The file properties have changed:
[15:48:27] /usr/bin/ldd [ Warning ]
[15:48:27] Warning: The file properties have changed:
[15:48:27] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
[15:48:27] /usr/bin/less [ Warning ]
[15:48:27] Warning: No symbolic link target found for file '/usr/bin/less' in the 'rkhunter.dat' file.
[15:48:27] /usr/bin/locate [ Warning ]
[15:48:27] Warning: No symbolic link target found for file '/usr/bin/locate' in the 'rkhunter.dat' file.
[15:48:27] /usr/bin/logger [ Warning ]
[15:48:27] Warning: The file properties have changed:
[15:48:28] /usr/bin/mail [ Warning ]
[15:48:28] Warning: The file '/usr/bin/mail' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:28] /usr/bin/md5sum [ Warning ]
[15:48:28] Warning: The file properties have changed:
[15:48:29] /usr/bin/pkill [ Warning ]
[15:48:29] Warning: No symbolic link target found for file '/usr/bin/pkill' in the 'rkhunter.dat' file.
[15:48:29] /usr/bin/runcon [ Warning ]
[15:48:29] Warning: The file properties have changed:
[15:48:29] /usr/bin/sha1sum [ Warning ]
[15:48:29] Warning: The file properties have changed:
[15:48:30] /usr/bin/sha224sum [ Warning ]
[15:48:30] Warning: The file properties have changed:
[15:48:30] /usr/bin/sha256sum [ Warning ]
[15:48:30] Warning: The file properties have changed:
[15:48:30] /usr/bin/sha384sum [ Warning ]
[15:48:30] Warning: The file properties have changed:
[15:48:30] /usr/bin/sha512sum [ Warning ]
[15:48:30] Warning: The file properties have changed:
[15:48:31] /usr/bin/sort [ Warning ]
[15:48:31] Warning: The file properties have changed:
[15:48:31] /usr/bin/ssh [ Warning ]
[15:48:31] Warning: The file '/usr/bin/ssh' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:31] /usr/bin/stat [ Warning ]
[15:48:31] Warning: The file properties have changed:
[15:48:32] /usr/bin/tail [ Warning ]
[15:48:32] Warning: The file properties have changed:
[15:48:32] /usr/bin/telnet [ Warning ]
[15:48:32] Warning: The file '/usr/bin/telnet' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:32] /usr/bin/test [ Warning ]
[15:48:32] Warning: The file properties have changed:
[15:48:32] /usr/bin/touch [ Warning ]
[15:48:32] Warning: The file properties have changed:
[15:48:33] Warning: No symbolic link target found for file '/usr/bin/touch' in the 'rkhunter.dat' file.
[15:48:33] /usr/bin/tr [ Warning ]
[15:48:33] Warning: The file properties have changed:
[15:48:33] /usr/bin/uniq [ Warning ]
[15:48:33] Warning: The file properties have changed:
[15:48:33] /usr/bin/users [ Warning ]
[15:48:33] Warning: The file properties have changed:
[15:48:34] /usr/bin/w [ Warning ]
[15:48:34] Warning: No symbolic link target found for file '/usr/bin/w' in the 'rkhunter.dat' file.
[15:48:34] /usr/bin/wc [ Warning ]
[15:48:34] Warning: The file properties have changed:
[15:48:34] /usr/bin/wget [ Warning ]
[15:48:34] Warning: The file properties have changed:
[15:48:34] /usr/bin/whatis [ Warning ]
[15:48:34] Warning: The file properties have changed:
[15:48:34] /usr/bin/whereis [ Warning ]
[15:48:34] Warning: The file properties have changed:
[15:48:35] /usr/bin/which [ Warning ]
[15:48:35] Warning: No symbolic link target found for file '/usr/bin/which' in the 'rkhunter.dat' file.
[15:48:35] /usr/bin/who [ Warning ]
[15:48:35] Warning: The file properties have changed:
[15:48:35] /usr/bin/whoami [ Warning ]
[15:48:35] Warning: The file properties have changed:
[15:48:35] /usr/bin/gawk [ Warning ]
[15:48:35] Warning: The file '/usr/bin/gawk' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:35] /usr/bin/lwp-request [ Warning ]
[15:48:35] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script, ASCII text executable
[15:48:35] /usr/bin/bsd-mailx [ Warning ]
[15:48:35] Warning: The file '/usr/bin/bsd-mailx' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:35] /usr/bin/telnet.netkit [ Warning ]
[15:48:36] Warning: The file '/usr/bin/telnet.netkit' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:36] /sbin/depmod [ Warning ]
[15:48:36] Warning: No symbolic link target found for file '/sbin/depmod' in the 'rkhunter.dat' file.
[15:48:36] /sbin/fsck [ Warning ]
[15:48:36] Warning: The file properties have changed:
[15:48:36] /sbin/ifconfig [ Warning ]
[15:48:36] Warning: The file properties have changed:
[15:48:37] /sbin/ifdown [ Warning ]
[15:48:37] Warning: No symbolic link target found for file '/sbin/ifdown' in the 'rkhunter.dat' file.
[15:48:37] /sbin/insmod [ Warning ]
[15:48:37] Warning: No symbolic link target found for file '/sbin/insmod' in the 'rkhunter.dat' file.
[15:48:37] /sbin/ip [ Warning ]
[15:48:37] Warning: No symbolic link target found for file '/sbin/ip' in the 'rkhunter.dat' file.
[15:48:37] /sbin/lsmod [ Warning ]
[15:48:37] Warning: No symbolic link target found for file '/sbin/lsmod' in the 'rkhunter.dat' file.
[15:48:38] /sbin/modinfo [ Warning ]
[15:48:38] Warning: No symbolic link target found for file '/sbin/modinfo' in the 'rkhunter.dat' file.
[15:48:38] /sbin/modprobe [ Warning ]
[15:48:38] Warning: No symbolic link target found for file '/sbin/modprobe' in the 'rkhunter.dat' file.
[15:48:38] /sbin/rmmod [ Warning ]
[15:48:38] Warning: No symbolic link target found for file '/sbin/rmmod' in the 'rkhunter.dat' file.
[15:48:38] /sbin/route [ Warning ]
[15:48:38] Warning: The file properties have changed:
[15:48:39] /bin/bash [ Warning ]
[15:48:39] Warning: The file properties have changed:
[15:48:39] /bin/cat [ Warning ]
[15:48:39] Warning: The file properties have changed:
[15:48:40] /bin/chmod [ Warning ]
[15:48:40] Warning: The file properties have changed:
[15:48:40] /bin/chown [ Warning ]
[15:48:40] Warning: The file properties have changed:
[15:48:40] /bin/cp [ Warning ]
[15:48:40] Warning: The file properties have changed:
[15:48:40] /bin/date [ Warning ]
[15:48:40] Warning: The file properties have changed:
[15:48:41] /bin/df [ Warning ]
[15:48:41] Warning: The file properties have changed:
[15:48:41] /bin/dmesg [ Warning ]
[15:48:41] Warning: The file properties have changed:
[15:48:41] /bin/echo [ Warning ]
[15:48:41] Warning: The file properties have changed:
[15:48:43] /bin/ls [ Warning ]
[15:48:43] Warning: The file properties have changed:
[15:48:43] /bin/lsmod [ Warning ]
[15:48:43] Warning: No symbolic link target found for file '/bin/lsmod' in the 'rkhunter.dat' file.
[15:48:43] /bin/mktemp [ Warning ]
[15:48:43] Warning: The file properties have changed:
[15:48:43] /bin/more [ Warning ]
[15:48:43] Warning: The file properties have changed:
[15:48:43] /bin/mount [ Warning ]
[15:48:43] Warning: The file properties have changed:
[15:48:44] /bin/mv [ Warning ]
[15:48:44] Warning: The file properties have changed:
[15:48:44] /bin/netstat [ Warning ]
[15:48:44] Warning: The file properties have changed:
[15:48:44] /bin/pwd [ Warning ]
[15:48:44] Warning: The file properties have changed:
[15:48:45] /bin/readlink [ Warning ]
[15:48:45] Warning: The file properties have changed:
[15:48:45] /bin/sh [ Warning ]
[15:48:45] Warning: No symbolic link target found for file '/bin/sh' in the 'rkhunter.dat' file.
[15:48:45] /bin/touch [ Warning ]
[15:48:45] Warning: The file properties have changed:
[15:48:46] /bin/uname [ Warning ]
[15:48:46] Warning: The file properties have changed:
[15:48:46] /bin/which [ Warning ]
[15:48:46] Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script, ASCII text executable
[15:48:46] /etc/rkhunter.conf [ Warning ]
[15:48:46] Warning: The file '/etc/rkhunter.conf' exists on the system, but it is not present in the 'rkhunter.dat' file.
[16:08:55] Checking /dev for suspicious file types [ Warning ]
[16:08:55] Warning: Suspicious file types found in /dev:
[16:08:55] Checking for hidden files and directories [ Warning ]
[16:08:55] Warning: Hidden directory found: /etc/.java: directory
[16:08:55] Warning: Hidden directory found: /dev/.udev: directory
[16:08:55] Warning: Hidden file found: /dev/.blkid.tab: ASCII text
[16:08:55] Warning: Hidden file found: /dev/.blkid.tab.old: ASCII text
[16:08:55] Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
I can see that some of these warnings are caused by the rkhunter upgrade and by the stale configuration file in /etc, but I'm not so sure about the others. Do you still think everything is fine? I sincerely appreciate your help.
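The rkhunter log quoted in this question mixes several very different kinds of warning (property changes after package upgrades, files missing from the properties database, commands "replaced by a script", hidden entries in /dev and /etc), and reading hundreds of lines by eye is how the important one gets missed. The script below is an added example for triaging such a log; it is not part of the question or of the rkhunter project. It parses lines in the wording shown above, groups them by warning type, and separates "replaced by a script" hits for tools that Debian-family distributions normally ship as scripts (a list assumed from packaging knowledge: ldd, which, adduser, lwp-request, unhide.rb) from ones that deserve a manual look. The sample log is constructed from a few of the quoted lines plus one deliberately constructed suspicious entry for `/bin/ls`, which does not appear in the question. The `SCRIPTWHITELIST` lines it emits are the real `rkhunter.conf` directive for silencing expected script warnings; a file type matching expectations is not proof the file is untampered, so package checksum verification (`debsums` or `dpkg -V` on the host) remains the check to run before whitelisting.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the rkhunter log lines quoted in the question.
# The /bin/ls entry at the end is invented to show what an unexpected hit looks like.
SAMPLE_LOG = """\
[15:48:20] /usr/sbin/adduser [ Warning ]
[15:48:20] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Perl script, ASCII text executable
[15:48:20] /usr/sbin/chroot [ Warning ]
[15:48:20] Warning: The file properties have changed:
[15:48:24] /usr/bin/curl [ Warning ]
[15:48:24] Warning: The file '/usr/bin/curl' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:27] /usr/bin/less [ Warning ]
[15:48:27] Warning: No symbolic link target found for file '/usr/bin/less' in the 'rkhunter.dat' file.
[15:48:27] /usr/bin/ldd [ Warning ]
[15:48:27] Warning: The file properties have changed:
[15:48:27] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
[15:48:50] /bin/ls [ Warning ]
[15:48:50] Warning: The command '/bin/ls' has been replaced by a script: /bin/ls: POSIX shell script, ASCII text executable
[16:08:55] Warning: Suspicious file types found in /dev:
[16:08:55] Warning: Hidden directory found: /dev/.udev: directory
[16:08:55] Warning: Hidden file found: /dev/.blkid.tab: ASCII text
"""

# One regex per warning wording seen in the log; the category name is what we report.
RULES = [
    ("properties_changed", re.compile(r"^Warning: The file properties have changed:")),
    ("not_in_database", re.compile(r"^Warning: The file '(?P<path>[^']+)' exists on the system, but it is not present in the '?rkhunter\.dat'? file")),
    ("missing_but_in_database", re.compile(r"^Warning: The file '(?P<path>[^']+)' does not exist on the system, but it is present in the '?rkhunter\.dat'? file")),
    ("replaced_by_script", re.compile(r"^Warning: The command '(?P<path>[^']+)' has been replaced by a script: [^:]+: (?P<kind>.+)$")),
    ("no_symlink_target", re.compile(r"^Warning: No symbolic link target found for file '(?P<path>[^']+)'")),
    ("hidden_entry", re.compile(r"^Warning: Hidden (?:file|directory) found: '?(?P<path>[^:']+)")),
    ("suspicious_dev", re.compile(r"^Warning: Suspicious file types found in /dev")),
]

LINE_RE = re.compile(r"^\[\d\d:\d\d:\d\d\] (?P<body>.*)$")
FILE_HEADER_RE = re.compile(r"^(?P<path>/\S+) \[ Warning \]$")

# Tools Debian-family distributions ship as scripts rather than ELF binaries
# (assumed from packaging knowledge; confirm with `dpkg -S <path>` on the host).
EXPECTED_SCRIPTS = {
    "/usr/bin/ldd": "Bourne-Again shell script",
    "/bin/which": "POSIX shell script",
    "/usr/sbin/adduser": "Perl script",
    "/usr/bin/lwp-request": "Perl script",
    "/usr/bin/unhide.rb": "Ruby script",
}


def parse_rkhunter_warnings(text):
    """Group warning lines by category.

    'The file properties have changed:' carries no path of its own, so it is
    attributed to the most recent '<path> [ Warning ]' header line.
    """
    found = defaultdict(list)
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group("body")
        header = FILE_HEADER_RE.match(body)
        if header:
            current = header.group("path")
            continue
        for category, rule in RULES:
            r = rule.match(body)
            if not r:
                continue
            if category == "replaced_by_script":
                found[category].append((r.group("path"), r.group("kind")))
            elif category == "properties_changed":
                found[category].append(current)
            else:
                found[category].append(r.groupdict().get("path") or body)
            break
    return dict(found)


def triage_scripts(found):
    """Split 'replaced by script' hits into expected (type matches what the distro
    ships) and unexpected (a normally compiled tool now reported as a script)."""
    expected, unexpected = [], []
    for path, kind in found.get("replaced_by_script", []):
        expected_kind = EXPECTED_SCRIPTS.get(path)
        if expected_kind and kind.startswith(expected_kind):
            expected.append(path)
        else:
            unexpected.append((path, kind))
    return expected, unexpected


def whitelist_lines(paths):
    """rkhunter.conf directives that silence the script warning for verified paths."""
    return ["SCRIPTWHITELIST=%s" % p for p in sorted(paths)]


def summarize(found):
    """Count of warnings per category, for a quick overview of a long log."""
    return {category: len(items) for category, items in found.items()}


if __name__ == "__main__":
    warnings = parse_rkhunter_warnings(SAMPLE_LOG)
    print(summarize(warnings))
    ok, suspicious = triage_scripts(warnings)
    print("expected scripts:", ok)
    print("look at these by hand:", suspicious)
    print("\n".join(whitelist_lines(ok)))
```

Run it against the real file with `parse_rkhunter_warnings(open("/var/log/rkhunter.log").read())`; the "look at these by hand" list is the short one worth an answer's attention, while the "properties changed" bucket is the one that `rkhunter --propupd` clears after a package upgrade has been confirmed legitimate.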