Hacked CentOS 5 server – possible rootkit installed?

Possible duplicates:
How do I know if my Linux server has been hacked?
My server's been hacked, emergency

I'm running CentOS 5.3, and here are the results from chkrootkit:

    Possible t0rn v8 (or variation) rootkit installed
    Warning: Possible Showtee Rootkit installed
    /usr/include/file.h
    /usr/include/proc.h
    Warning: `//root/.mysql_history' file size is zero
    INFECTED (PORTS: 465)
    You have 61 process hidden for readdir command
    You have 62 process hidden for ps command
    chkproc: Warning: Possible LKM Trojan installed
    The tty of the following user process(es) were not found
    in /var/run/utmp !
    ! RUID          PID TTY    CMD
    ! root         3040 tty2   /sbin/mingetty tty2
    ! root         3041 tty3   /sbin/mingetty tty3
    ! root         3042 tty4   /sbin/mingetty tty4
    ! root         3043 tty5   /sbin/mingetty tty5
    ! root         3046 tty6   /sbin/mingetty tty6

I don't understand what these warnings mean.

Is the server infected, or is it at risk?

Edit:

Let me add that I first got some strange messages on the command line:

    Unknown HZ value! (##) Assume 100

Then I followed these great instructions and replaced my hacked files with fresh ones. I replaced:

    /sbin/ifconfig
    /bin/netstat
    /usr/bin/pstree
    /usr/bin/top

chkrootkit had flagged all of them as infected.

Now I re-ran chkrootkit and got the output above. How do I go about getting rid of all the warnings?

Edit 2:

After checking rpm integrity with rpm -vVa | grep 'S\.5\.\.\.\.\T' > rpmverify.txt, this is what I got:

    S.5....T c /etc/mail/spamassassin/local.cf
    S.5....T c /etc/pam.d/system-auth
    S.5....T c /etc/sudoers
    S.5....T c /etc/samba/smb.conf
    S.5....T   /opt/drweb/lib/drweb32.dll
    S.5....T   /var/drweb/bases/drw50000.vdb
    S.5....T   /var/drweb/bases/drw50001.vdb
    S.5....T   /var/drweb/bases/drw50002.vdb
    S.5....T   /var/drweb/bases/drw50003.vdb
    S.5....T   /var/drweb/bases/drw50004.vdb
    S.5....T   /var/drweb/bases/drw50005.vdb
    S.5....T   /var/drweb/bases/drw50006.vdb
    S.5....T   /var/drweb/bases/drw50007.vdb
    S.5....T   /var/drweb/bases/drw50008.vdb
    S.5....T   /var/drweb/bases/drw50009.vdb
    S.5....T   /var/drweb/bases/drw50010.vdb
    S.5....T   /var/drweb/bases/drw50011.vdb
    S.5....T   /var/drweb/bases/drw50012.vdb
    S.5....T   /var/drweb/bases/drw50013.vdb
    S.5....T   /var/drweb/bases/drw50014.vdb
    S.5....T   /var/drweb/bases/drw50015.vdb
    S.5....T   /var/drweb/bases/drw50016.vdb
    S.5....T   /var/drweb/bases/drw50017.vdb
    S.5....T   /var/drweb/bases/drw50018.vdb
    S.5....T   /var/drweb/bases/drw50019.vdb
    S.5....T   /var/drweb/bases/drw50020.vdb
    S.5....T   /var/drweb/bases/drw50021.vdb
    S.5....T   /var/drweb/bases/drw50022.vdb
    S.5....T   /var/drweb/bases/drw50023.vdb
    S.5....T   /var/drweb/bases/drw50024.vdb
    S.5....T   /var/drweb/bases/drw50025.vdb
    S.5....T   /var/drweb/bases/drw50026.vdb
    S.5....T   /var/drweb/bases/drw50027.vdb
    S.5....T   /var/drweb/bases/drw50028.vdb
    S.5....T   /var/drweb/bases/drw50029.vdb
    S.5....T   /var/drweb/bases/drwebase.vdb
    S.5....T   /var/drweb/bases/drwnasty.vdb
    S.5....T   /var/drweb/bases/drwrisky.vdb
    S.5....T   /var/drweb/bases/drwtoday.vdb
    S.5....T   /var/drweb/bases/dwn50001.vdb
    S.5....T   /var/drweb/bases/dwn50002.vdb
    S.5....T   /var/drweb/bases/dwntoday.vdb
    S.5....T   /var/drweb/bases/dwr50001.vdb
    S.5....T   /var/drweb/bases/dwrtoday.vdb
    S.5....T   /bin/basename
    S.5....T   /bin/cat
    S.5....T   /bin/chgrp
    S.5....T   /bin/chmod
    S.5....T   /bin/chown
    S.5....T   /bin/cp
    S.5....T   /bin/cut
    S.5....T   /bin/dd
    S.5....T   /bin/df
    S.5....T   /bin/env
    S.5....T   /bin/false
    S.5....T   /bin/link
    S.5....T   /bin/ln
    S.5....T c /etc/proftpd.conf
    S.5....T c /root/.bash_profile
    S.5....T c /etc/httpd/conf.d/mailman.conf
    S.5....T   /usr/lib/mailman/Mailman/mm_cfg.pyc
    S.5....T c /etc/drweb/drweb32.ini
    S.5....T   /opt/drweb/ldwrap.sh
    S.5....T c /etc/drweb/users.conf
    S.5....T   /usr/share/psa-horde/imp/compose.php
    S.5....T   /usr/share/psa-horde/imp/contacts.php
    S.5....T   /usr/local/psa/admin/plib/api-common/cuMail.php
    S.5....T   /usr/local/psa/admin/sbin/autoinstaller
    S.5....T   /usr/local/psa/admin/htdocs/modules/watchdog/stats-graph.php
    S.5....T   /usr/local/psa/etc/modules/watchdog/monitrc
    S.5....T   /usr/local/psa/etc/modules/watchdog/wdcollect.inc.php
    S.5....T   /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/backdoorports.dat
    S.5....T   /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/mirrors.dat
    S.5....T   /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/programs_bad.dat
    S.5....T   /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/suspscan.dat
    S.5....T c /etc/courier-imap/imapd.cnf
    S.5....T c /etc/php.ini
    S.5....T c /etc/ssh/sshd_config
    S.5....T c /etc/syslog.conf
    S.5....T c /etc/sysconfig/named
    S.5....T c /etc/httpd/conf.d/ssl.conf
    S.5....T c /etc/smartd.conf
    S.5....T c /etc/vsftpd/vsftpd.conf
    S.5....T   /usr/share/psa-horde/util/icon_browser.php
    S.5....T c /etc/init.d/psa
    S.5....T   /usr/lib/plesk-9.0/key-handler
    S.5....T   /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin/librari/config.default.php
    S.5....T   /usr/local/psa/admin/plib/class.ComponentsChecker.php
    S.5....T   /usr/local/psa/admin/plib/class.ComponentsShow.php
    S.5....T   /usr/local/psa/admin/plib/class.RestartServForm.php
    S.5....T   /usr/local/psa/admin/plib/class.ServiceControl.php
    S.5....T   /usr/local/psa/admin/sbin/packagemng
    S.5....T   /usr/local/psa/admin/plib/backup/BackupCreateBackupNowForm.php
    S.5....T c /etc/samba/smbusers
    S.5....T c /etc/pam.d/ekshell
    S.5....T c /etc/pam.d/kshell
    S.5....T c /etc/printcap
    S.5....T c /etc/my.cnf
    S.5....T   /usr/bin/spf_example_static
    S.5....T   /usr/bin/spfd_static
    S.5....T   /usr/bin/spfquery_static
    S.5....T   /usr/bin/spftest_static
    S.5....T   /usr/lib/libspf2.so.2.1.0
    S.5....T c /etc/awstats/awstats.model.conf
    S.5....T   /usr/local/sso/base/Cookie.php
    S.5....T c /etc/httpd/conf/httpd.conf
    S.5....T   /usr/sbin/suexec

Does this help?

Edit 3:

After reinstalling coreutils, here are the rpm check results:

    S.5....T c /etc/mail/spamassassin/local.cf
    S.5....T c /etc/pam.d/system-auth
    S.5....T c /etc/sudoers
    S.5....T c /etc/samba/smb.conf
    S.5....T   /opt/drweb/lib/drweb32.dll
    S.5....T   /var/drweb/bases/drw50000.vdb
    S.5....T   /var/drweb/bases/drw50001.vdb
    S.5....T   /var/drweb/bases/drw50002.vdb
    S.5....T   /var/drweb/bases/drw50003.vdb
    S.5....T   /var/drweb/bases/drw50004.vdb
    S.5....T   /var/drweb/bases/drw50005.vdb
    S.5....T   /var/drweb/bases/drw50006.vdb
    S.5....T   /var/drweb/bases/drw50007.vdb
    S.5....T   /var/drweb/bases/drw50008.vdb
    S.5....T   /var/drweb/bases/drw50009.vdb
    S.5....T   /var/drweb/bases/drw50010.vdb
    S.5....T   /var/drweb/bases/drw50011.vdb
    S.5....T   /var/drweb/bases/drw50012.vdb
    S.5....T   /var/drweb/bases/drw50013.vdb
    S.5....T   /var/drweb/bases/drw50014.vdb
    S.5....T   /var/drweb/bases/drw50015.vdb
    S.5....T   /var/drweb/bases/drw50016.vdb
    S.5....T   /var/drweb/bases/drw50017.vdb
    S.5....T   /var/drweb/bases/drw50018.vdb
    S.5....T   /var/drweb/bases/drw50019.vdb
    S.5....T   /var/drweb/bases/drw50020.vdb
    S.5....T   /var/drweb/bases/drw50021.vdb
    S.5....T   /var/drweb/bases/drw50022.vdb
    S.5....T   /var/drweb/bases/drw50023.vdb
    S.5....T   /var/drweb/bases/drw50024.vdb
    S.5....T   /var/drweb/bases/drw50025.vdb
    S.5....T   /var/drweb/bases/drw50026.vdb
    S.5....T   /var/drweb/bases/drw50027.vdb
    S.5....T   /var/drweb/bases/drw50028.vdb
    S.5....T   /var/drweb/bases/drw50029.vdb
    S.5....T   /var/drweb/bases/drwebase.vdb
    S.5....T   /var/drweb/bases/drwnasty.vdb
    S.5....T   /var/drweb/bases/drwrisky.vdb
    S.5....T   /var/drweb/bases/drwtoday.vdb
    S.5....T   /var/drweb/bases/dwn50001.vdb
    S.5....T   /var/drweb/bases/dwn50002.vdb
    S.5....T   /var/drweb/bases/dwntoday.vdb
    S.5....T   /var/drweb/bases/dwr50001.vdb
    S.5....T   /var/drweb/bases/dwrtoday.vdb
    S.5....T c /etc/proftpd.conf
    S.5....T c /etc/profile.d/colorls.csh
    S.5....T c /etc/profile.d/colorls.sh
    S.5....T c /root/.bash_profile
    S.5....T c /etc/httpd/conf.d/mailman.conf
    S.5....T   /usr/lib/mailman/Mailman/mm_cfg.pyc
    S.5....T c /etc/drweb/drweb32.ini
    S.5....T   /opt/drweb/ldwrap.sh
    S.5....T c /etc/drweb/users.conf
    S.5....T   /usr/share/psa-horde/imp/compose.php
    S.5....T   /usr/share/psa-horde/imp/contacts.php
    S.5....T   /usr/local/psa/admin/plib/api-common/cuMail.php
    S.5....T   /usr/local/psa/admin/sbin/autoinstaller
    S.5....T   /usr/local/psa/admin/htdocs/modules/watchdog/stats-graph.php
    S.5....T   /usr/local/psa/etc/modules/watchdog/monitrc
    S.5....T   /usr/local/psa/etc/modules/watchdog/wdcollect.inc.php
    S.5....T   /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/backdoorports.dat
    S.5....T   /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/mirrors.dat
    S.5....T   /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/programs_bad.dat
    S.5....T   /usr/local/psa/var/modules/watchdog/lib/rkhunter/lib/rkhunter/db/suspscan.dat
    S.5....T c /etc/courier-imap/imapd.cnf
    S.5....T c /etc/php.ini
    S.5....T c /etc/ssh/sshd_config
    S.5....T c /etc/syslog.conf
    S.5....T c /etc/sysconfig/named
    S.5....T c /etc/httpd/conf.d/ssl.conf
    S.5....T c /etc/smartd.conf
    S.5....T c /etc/vsftpd/vsftpd.conf
    S.5....T   /usr/share/psa-horde/util/icon_browser.php
    S.5....T c /etc/init.d/psa
    S.5....T   /usr/lib/plesk-9.0/key-handler
    S.5....T   /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin/libraries/config.default.php
    S.5....T   /usr/local/psa/admin/plib/class.ComponentsChecker.php
    S.5....T   /usr/local/psa/admin/plib/class.ComponentsShow.php
    S.5....T   /usr/local/psa/admin/plib/class.RestartServForm.php
    S.5....T   /usr/local/psa/admin/plib/class.ServiceControl.php
    S.5....T   /usr/local/psa/admin/sbin/packagemng
    S.5....T   /usr/local/psa/admin/plib/backup/BackupCreateBackupNowForm.php
    S.5....T c /etc/samba/smbusers
    S.5....T c /etc/pam.d/ekshell
    S.5....T c /etc/pam.d/kshell
    S.5....T c /etc/printcap
    S.5....T c /etc/my.cnf
    S.5....T   /usr/bin/spf_example_static
    S.5....T   /usr/bin/spfd_static
    S.5....T   /usr/bin/spfquery_static
    S.5....T   /usr/bin/spftest_static
    S.5....T   /usr/lib/libspf2.so.2.1.0
    S.5....T c /etc/awstats/awstats.model.conf
    S.5....T   /usr/local/sso/base/Cookie.php
    S.5....T c /etc/httpd/conf/httpd.conf
    S.5....T   /usr/sbin/suexec

It's a CentOS system. I usually clean up these rootkits, but if you haven't done this before, the chances of finding/getting everything are slim.

You can start with an RPM verification.

Run rpm -vVa | grep 'S\.5\.\.\.\.\T' > rpmverify.txt

Then check the output in rpmverify.txt. This will let you see which binaries and configuration files don't match the checksums in the RPM database. It's the first place I start when repairing these systems (after making sure no unauthorized network daemons/services are running).


Edit:

I see the output of your RPM verification command. If your yum still works, run yum install yum-utils to get access to the yumdownloader command.

Based on your output, your coreutils and possibly httpd packages have been compromised (cat, df, dd, chown, cp, etc.). Run yumdownloader coreutils to fetch the rpm. It will download into your current directory. I would force a reinstall of the RPM (rpm -ivh --force coreutils*) and re-run the verification I suggested above.


Update:

Hackers/rootkits usually replace binaries with trojaned versions and set the immutable flag on the files to prevent them from being removed.

Check the attributes of the /bin/ls binary by running lsattr /bin/ls.

You may see "a", "u", "i" and "s" in the output. Running chattr -uisa on the same file should remove the immutable flags and let you run the rpm install.

The attributes should look like this:

    [root@kitteh ~]# lsattr /bin/ls
    ------------- /bin/ls

Repeat this for any other files that fail in the RPM install. You may also need to change/remove these attributes on the enclosing directories…
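As an added example (not code from the answer above), a small POSIX sh helper that splits rpm -V output of the kind pasted in the question into config files, which are expected to drift, and non-config files whose MD5 changed, which are the ones to fetch with yumdownloader and reinstall. The sample lines and the function names are constructed for this example; the owning-package lookup assumes rpm is present.

```shell
#!/bin/sh
# Added example, not part of the original answer: triage "rpm -Va" lines.
# Constructed sample in the same 8-flag CentOS 5 format as rpmverify.txt.
SAMPLE='S.5....T c /etc/sudoers
S.5....T   /bin/cat
S.5....T   /bin/df
.......T c /etc/php.ini
..?.....   /usr/bin/top
missing     /usr/bin/pstree'

# classify_rpm_verify: read rpm -V lines on stdin, print "CLASS path".
# Flag column 3 is the MD5 test; "5" there means the content differs.
# A "c" between the flags and the path marks a config file.
classify_rpm_verify() {
    awk '
        {
            flags = $1; path = $NF; type = (NF == 3) ? $2 : ""
            if (flags == "missing")            { print "MISSING " path; next }
            if (substr(flags, 3, 1) != "5")    next   # digest unchanged
            if (type == "c") print "CONFIG  " path
            else             print "BINARY  " path
        }'
}

# changed_binaries: only non-config paths whose digest changed,
# i.e. the candidates for trojaned binaries (like /bin/cat in the question).
changed_binaries() {
    printf '%s\n' "$1" | classify_rpm_verify | awk '$1 == "BINARY" { print $2 }'
}

# owning_packages: map changed binaries to their packages via rpm -qf so each
# one can be fetched with "yumdownloader <pkg>". Needs rpm on the host.
owning_packages() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available" >&2; return 1; }
    changed_binaries "$1" | while read -r p; do rpm -qf "$p"; done | sort -u
}

changed_binaries "$SAMPLE"
```

On a real system, feed rpmverify.txt (or rpm -Va directly) to classify_rpm_verify instead of the constructed sample.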