首页/杀毒教程/内容

我的一台linux肉鸡的容易手工入侵检测过程

杀毒教程2023-08-29 阅读()
[摘要]grep -e -ia s---ia------- /bin/ps s---ia------- /bin/ls s---ia------- /bin/netstat s---ia-----...
grep -e -ia

s---ia------- /bin/ps

s---ia------- /bin/ls

s---ia------- /bin/netstat

s---ia------- /sbin/ifconfig

s---ia------- /sbin/ttymon

s---ia------- /sbin/ttyload

s---ia------- /usr/bin/top

s---ia------- /usr/bin/md5sum

s---ia------- /usr/bin/pstree.x11

s---ia------- /usr/bin/find

s---ia------- /usr/bin/dir

s---ia------- /usr/bin/pstree

s---ia------- /usr/sbin/lsof

s---ia------- /usr/sbin/ttyload

s---ia------- /etc/sh.conf

[root@localhost bin]# chattr -iau ps ls netstat

[root@localhost bin]# rm -rf ps ls netstat

[root@localhost bin]# rz

rz waiting to receive.奫root@localhost bin]# chmod +x ps ls netstat

[root@localhost bin]# chattr +iau ps ls netstat

同样的方式把/usr/sbin/lsof、/usr/bin/find等都替换回来。

再用netstat看看端口吧:

[root@localhost bin]# netstat -lntp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name  

tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      2298/hpiod         

tcp        0      0 0.0.0.0:1000                0.0.0.0:*                   LISTEN      2090/rpc.statd     

tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2056/portmap       

tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      2883/vsftpd        

tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      2315/cupsd         

tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2361/sendmail: acce

tcp        0      0 0.0.0.0:65530               0.0.0.0:*                   LISTEN      2663/ttyload       (有东东出来了吧)

tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      2303/python        

tcp        0      0 :::22                       :::*                        LISTEN      13935/sshd       

现在再用chkrootkit和rkhunter查一下看看:

[root@localhost .v]# ls

chkrootkit-0.48  chkrootkit.tar.gz  rkhunter  rkhunter-1.2.7.tar.gz

[root@localhost .v]# cd chkrootkit-0.48/

[root@localhost chkrootkit-0.48]# ./chkrootkit

ROOTDIR is `/'

Checking `amd'... not found

Checking `basename'... not infected

............(省略若干行)

Checking `ifconfig'... INFECTED

............(省略若干行)

Checking `pstree'... INFECTED

............(省略若干行)

Checking `top'... INFECTED

............(省略若干行)

Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit installed

............(省略若干行)

Searching for Showtee... Warning: Possible Showtee Rootkit installed 

............(省略若干行)

Searching for Romanian rootkit...  /usr/include/file.h /usr/include/proc.h

............(省略若干行)

上面几行都是有问题的。

下面用rkhunter, 它的log存在/var/log/rkhunter.log里面

[root@localhost rkhunter]# /usr/local/bin/rkhunter -c --createlogfile

Rootkit Hunter 1.2.7 is running

Determining OS... Unknown

Warning: This operating system is not fully supported!

Warning: Cannot find md5_not_known

All MD5 checks will be skipped!  (md5sum被替换了)

............(省略若干行)

   Rootkit 'SHV4'...                                          [ Warning! ]             (SHV4)

             --------------------------------------------------------------------------------

             Found parts of this rootkit/trojan by checking the default files and directories

             Please inspect the available files, by running this check with the parameter

             --createlogfile and check the log file (current file: /var/log/rkhunter.log).

             --------------------------------------------------------------------------------

[Press <ENTER> to continue]

   Rootkit 'SHV5'...                                          [ Warning! ]             (SHV5)

             --------------------------------------------------------------------------------

             Found parts of this rootkit/trojan by checking the default files and directories

             Please inspect the available files, by running this check with the parameter

             --createlogfile and check the log file (current file: /var/log/rkhunter.log).

             --------------------------------------------------------------------------------

............(省略若干行)

Scanning took 84 seconds

Scan results written to logfile (/var/log/rkhunter.log)

-----------------------------------------------------------------------

Do you have some problems, undetected rootkits, false positives, ideas

or suggestions?

Please e-mail me by filling in the contact form (@http://www.rootkit.nl)

-----------------------------------------------------------------------

下面我们看下log:

[root@localhost rkhunter]# cat /var/log/rkhunter.log

[15:16:51] Running Rootkit Hunter 1.2.7 on localhost.localdomain

[15:16:51]

Rootkit Hunter 1.2.7, Copyright 2003-2005, Michael Boelen

............(省略若干行)

[15:16:55] *** Start scan SHV4 ***

[15:16:55]   - File /etc/ld.so.hash... OK. Not found.

[15:16:55]   - File /lib/libext-2.so.7... OK. Not found.

[15:16:55]   - File /lib/lidps1.so... WARNING! Exists.  (找到一个文件)

[15:16:55]   - File /usr/sbin/xntps... OK. Not found.

[15:16:55]   - Directory /lib/security/.config... OK. Not found.

[15:16:55]   - Directory /lib/security/.config/ssh... OK. Not found.

[15:17:04] *** Start scan SHV5 ***

[15:17:04]   - File /etc/sh.conf... WARNING! Exists.   (找到一个文件)

[15:17:04]   - File /dev/srd0... OK. Not found.

[15:17:04]   - Directory /usr/lib/libsh... WARNING! Exists.  (找到一个目录)

............(省略若干行)

下面手工核对下, 因为工具都是对已有的检查, 如果改过的, 他就找不到了。

[root@localhost sbin]# netstat -anp

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name  

tcp        0      0 0.0.0.0:65530               0.0.0.0:*                   LISTEN      2663/ttyload       

............(省略若干行)

raw        0      0 0.0.0.0:1                   0.0.0.0:*                   7           2679/ttymon        

............(省略若干行)

发现2个不正常的

[root@localhost sbin]# ps aux(北联网教程,专业提供视频软件下载)

第1页  第2页  第3页  第4页  第5页  第6页  第7页  第8页 

……

相关阅读