s---ia------- /bin/ps
s---ia------- /bin/ls
s---ia------- /bin/netstat
s---ia------- /sbin/ifconfig
s---ia------- /sbin/ttymon
s---ia------- /sbin/ttyload
s---ia------- /usr/bin/top
s---ia------- /usr/bin/md5sum
s---ia------- /usr/bin/pstree.x11
s---ia------- /usr/bin/find
s---ia------- /usr/bin/dir
s---ia------- /usr/bin/pstree
s---ia------- /usr/sbin/lsof
s---ia------- /usr/sbin/ttyload
s---ia------- /etc/sh.conf
[root@localhost bin]# chattr -iau ps ls netstat
[root@localhost bin]# rm -rf ps ls netstat
[root@localhost bin]# rz
rz waiting to receive.奫root@localhost bin]# chmod +x ps ls netstat
[root@localhost bin]# chattr +iau ps ls netstat
同样的方式把/usr/sbin/lsof、/usr/bin/find等都替换回来。
再用netstat看看端口吧:
[root@localhost bin]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 2298/hpiod
tcp 0 0 0.0.0.0:1000 0.0.0.0:* LISTEN 2090/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2056/portmap
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2883/vsftpd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2315/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2361/sendmail: acce
tcp 0 0 0.0.0.0:65530 0.0.0.0:* LISTEN 2663/ttyload (有东东出来了吧)
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 2303/python
tcp 0 0 :::22 :::* LISTEN 13935/sshd
现在再用chkrootkit和rkhunter查一下看看:
[root@localhost .v]# ls
chkrootkit-0.48 chkrootkit.tar.gz rkhunter rkhunter-1.2.7.tar.gz
[root@localhost .v]# cd chkrootkit-0.48/
[root@localhost chkrootkit-0.48]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
............(省略若干行)
Checking `ifconfig'... INFECTED
............(省略若干行)
Checking `pstree'... INFECTED
............(省略若干行)
Checking `top'... INFECTED
............(省略若干行)
Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit installed
............(省略若干行)
Searching for Showtee... Warning: Possible Showtee Rootkit installed
............(省略若干行)
Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
............(省略若干行)
上面几行都是有问题的。
下面用rkhunter, 它的log存在/var/log/rkhunter.log里面
[root@localhost rkhunter]# /usr/local/bin/rkhunter -c --createlogfile
Rootkit Hunter 1.2.7 is running
Determining OS... Unknown
Warning: This operating system is not fully supported!
Warning: Cannot find md5_not_known
All MD5 checks will be skipped! (md5sum被替换了)
............(省略若干行)
Rootkit 'SHV4'... [ Warning! ] (SHV4)
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /var/log/rkhunter.log).
--------------------------------------------------------------------------------
[Press <ENTER> to continue]
Rootkit 'SHV5'... [ Warning! ] (SHV5)
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /var/log/rkhunter.log).
--------------------------------------------------------------------------------
............(省略若干行)
Scanning took 84 seconds
Scan results written to logfile (/var/log/rkhunter.log)
-----------------------------------------------------------------------
Do you have some problems, undetected rootkits, false positives, ideas
or suggestions?
Please e-mail me by filling in the contact form (@http://www.rootkit.nl)
-----------------------------------------------------------------------
下面我们看下log:
[root@localhost rkhunter]# cat /var/log/rkhunter.log
[15:16:51] Running Rootkit Hunter 1.2.7 on localhost.localdomain
[15:16:51]
Rootkit Hunter 1.2.7, Copyright 2003-2005, Michael Boelen
............(省略若干行)
[15:16:55] *** Start scan SHV4 ***
[15:16:55] - File /etc/ld.so.hash... OK. Not found.
[15:16:55] - File /lib/libext-2.so.7... OK. Not found.
[15:16:55] - File /lib/lidps1.so... WARNING! Exists. (找到一个文件)
[15:16:55] - File /usr/sbin/xntps... OK. Not found.
[15:16:55] - Directory /lib/security/.config... OK. Not found.
[15:16:55] - Directory /lib/security/.config/ssh... OK. Not found.
[15:17:04] *** Start scan SHV5 ***
[15:17:04] - File /etc/sh.conf... WARNING! Exists. (找到一个文件)
[15:17:04] - File /dev/srd0... OK. Not found.
[15:17:04] - Directory /usr/lib/libsh... WARNING! Exists. (找到一个目录)
............(省略若干行)
下面手工核对下, 因为工具都是对已有的检查, 如果改过的, 他就找不到了。
[root@localhost sbin]# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:65530 0.0.0.0:* LISTEN 2663/ttyload
............(省略若干行)
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 2679/ttymon
............(省略若干行)
发现2个不正常的
[root@localhost sbin]# ps aux(北联网教程,专业提供视频软件下载)
……