Here are my chkroot results
Posted by: DefaultX / Posted at: Tue, 2005/12/27 - 9:22 AM
It says ifconfig and pstree are infected and that an LKM Trojan is installed.
I don't know what I should do first.
My server administration skills are lacking....
[root@dream chkrootkit-0.44]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... INFECTED
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... INFECTED
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... /usr/bin/strings: Warning: '/' is not an ordinary file not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit installed
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.6.1/i686-linux/.packlist
/usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/MIME/Base64/.packlist
/usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Mail/.packlist
/usr/lib/php/pear/.registry
/usr/lib/php/pear/.filemap
/usr/lib/php/pear/.lock
/usr/lib/php/pear/.registry
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... warning, got bogus unix line. not infected
Checking `lkm'... You have 2 process hidden for readdir command
You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted
[root@dream chkrootkit-0.44]#
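Added example, not from the post and not part of chkrootkit: a small parser that reduces chkrootkit 0.44 text output like the above to the findings that matter for triage. It separates binaries reported INFECTED, rootkit-signature warnings, the hidden-process counts from the `lkm' check and paths listed by the "Searching for" probes, and it drops the `/usr/bin/strings` noise that makes the `sshd' line look like a warning. The regexes are written against the message format quoted in this post and are an assumption for other versions; the sample text is constructed from the output above. The `recommendation` function encodes the advice given in the replies to this thread (trojaned binaries or kernel-level process hiding mean rebuild from clean media).

```python
"""Summarise chkrootkit text output into actionable findings.

Added example for this thread, not code from chkrootkit. The patterns below
match chkrootkit 0.44's messages as quoted in the post (an assumption for
other versions).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

CHECK_RE = re.compile(r"^Checking `(?P<name>[^']+)'\.\.\. ?(?P<result>.*)$")
SEARCH_RE = re.compile(r"^Searching for (?P<probe>.+?)\.\.\. ?(?P<result>.*)$")
HIDDEN_RE = re.compile(r"You have (?P<n>\d+) process hidden for (?P<cmd>\w+) command")
# chkrootkit's own tool noise (seen on the `sshd' check in the post), not a finding
NOISE_RE = re.compile(r"/usr/bin/strings: Warning: .* is not an ordinary file")

# Constructed sample modelled on the output quoted in the post.
SAMPLE_OUTPUT = r"""
ROOTDIR is `/'
Checking `basename'... not infected
Checking `ifconfig'... INFECTED
Checking `inetd'... not tested
Checking `pstree'... INFECTED
Checking `sshd'... /usr/bin/strings: Warning: '/' is not an ordinary file not infected
Searching for sniffer's logs, it may take a while... nothing found
Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit installed
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Checking `bindshell'... warning, got bogus unix line. not infected
Checking `lkm'... You have 2 process hidden for readdir command
You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
"""


@dataclass
class Report:
    infected: List[str] = field(default_factory=list)            # binaries reported INFECTED
    warnings: List[str] = field(default_factory=list)            # rootkit-signature warnings
    hidden_processes: Dict[str, int] = field(default_factory=dict)  # command -> hidden count
    suspicious_paths: Dict[str, List[str]] = field(default_factory=dict)  # probe -> paths listed


def parse_chkrootkit(text: str) -> Report:
    """Classify each output line; lines that carry no finding are ignored."""
    r = Report()
    for raw in text.splitlines():
        line = NOISE_RE.sub("", raw).strip()
        if not line:
            continue
        m = HIDDEN_RE.search(line)
        if m:  # "You have N process hidden for X command" (may share a line with `lkm')
            r.hidden_processes[m.group("cmd")] = int(m.group("n"))
        m = CHECK_RE.match(line)
        if m:
            name, result = m.group("name"), m.group("result").strip()
            if result == "INFECTED":
                r.infected.append(name)
            elif "Warning" in result or "Possible" in result:
                r.warnings.append(f"{name}: {result}")
            continue
        m = SEARCH_RE.match(line)
        if m:
            probe, result = m.group("probe"), m.group("result").strip()
            if result in ("", "nothing found", "no suspect files"):
                continue
            if "INFECTED" in result or "Warning" in result or "Possible" in result:
                r.warnings.append(f"{probe}: {result}")
            else:  # the probe printed file names it considers suspicious
                paths = [p for p in result.split() if p.startswith("/")]
                if paths:
                    r.suspicious_paths[probe] = paths
            continue
        if "Warning" in line or "INFECTED" in line:  # continuation lines such as the LKM warning
            r.warnings.append(line)
    return r


def recommendation(r: Report) -> str:
    """Map findings to the course of action recommended in this thread."""
    kernel_level = r.hidden_processes or any("LKM" in w or "INFECTED" in w for w in r.warnings)
    if r.infected or kernel_level:
        return "rebuild"      # trojaned binaries or kernel-level hiding: reinstall from clean media
    if r.warnings or r.suspicious_paths:
        return "investigate"  # heuristic hits only: verify the named files against package data
    return "clean"


if __name__ == "__main__":
    report = parse_chkrootkit(SAMPLE_OUTPUT)
    print("infected binaries:", report.infected)
    print("hidden processes:", report.hidden_processes)
    for w in report.warnings:
        print("warning:", w)
    for probe, paths in report.suspicious_paths.items():
        print(f"{probe}: {' '.join(paths)}")
    print("recommendation:", recommendation(report))
```

Run it against a saved `./chkrootkit` transcript by reading the file into `parse_chkrootkit`; on the output in this post it reports `ifconfig` and `pstree` as infected, two readdir-hidden and four ps-hidden processes, and the t0rn, Showtee, Suckit and LKM warnings, so the recommendation is "rebuild".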
Back up your data and, no question?, it's best to just reinstall from scratch. ;)
First, what you need to do is find out what path the intruder used to get in, fix it, and then find and remove every backdoor that was installed. Otherwise they will come right back in through a backdoor. The problem is... finding all the backdoors is really hard. Programs like chkroot don't find everything; a person has to go through it by hand. If it's a really important server, it's best to hire an expert to do the work.
Otherwise, as the person above said, the best approach is to reinstall, fix the earlier intrusion path, and then put the server back into service.
======================
BLOG : http://superkkt.com
There is no mercy for a computer that has been hit by a rootkit.
Please reinstall it. (You do have to do the security configuration, of course..)
RET ;My life :P
You're lucky if chkrootkit or rkhunter even shows it..
If you reinstall, it is also advisable to make all the user accounts different when you do.
George double you Bush has two brains, the left and the right, like normal people. But the problem is that there is nothing right in his left brain and there is nothing left in his right brain"