The OpenNET Project / Index page

Where did the rootkit on the server come from???, !*! Xray_Linux_Root, 21-Apr-04, 06:49
Yesterday I got some serious experience restoring the system on one of our Linux servers after it was compromised. What helped spot the situation in time was the utility
I did restore it, but I'm still uneasy, because I can't identify either the attacker or how the rootkit got onto the server. The attack naturally came from outside; the logs have been wiped, though possibly not completely. What I did first: hauled the server over to my workstation, booted it from a LiveCD and took full images of the infected system (so that the intrusion method can be established in detail).
They broke in just for fun, since they left the rootkit's own distribution package lying in /tmp. I've turned off ssh on it entirely and cleaned out /etc/passwd, /etc/group and /etc/shadow. For now I'm pulling its Internet uplink at night. Before it gets broken into again I'm installing snort, and I got traffic statistics for the IP from the provider in flow-stat format. At the time of the attack the listening services running on the server were: Apache-1.3.27, sendmail-8.11.2, proftpd-1.2.9, bind-8.2.3.
  • Where did the rootkit on the server come from???, !*! bear50rus, 13:36 , 21-Apr-04 (1)
    • Where did the rootkit on the server come from???, !*! Xray_Linux_Root, 13:58 , 21-Apr-04 (2)
      Anyway, here's what the rootkit is:

      -+-+-+-+-+-+-+-+-+-+<> !! LeGi0N oF DooM PreSenTs: !! <>-+-+-+-+-+-+-+-+-+-+
                             !!       Linux Version      !!

                           _/           _/_/_/_/_/     _/_/_/
                          _/           _/      _/     _/    _/
                         _/           _/      _/     _/     _/
                        _/           _/      _/     _/      _/
                       _/           _/      _/     _/      _/
                      _/ E G I O N _/      _/ F   _/     _/ O O M
                     _/_/_/_/_/   _/_/_/_/_/     _/_/_/_/

                         revisioned by ^blood^ on 15/10/2002

              Thanks to: Zico - }Fr3ddi3{ - Teppista - B|4cK - maSSiccio


                   [+] !! PRIVATE EDITION !! DO NOT DISTRIBUITE. [+]

      -+-+-+-+-+-+-+-+-+-+<> !! LeGi0N oF DooM r00t-kit !!  <>-+-+-+-+-+-+-+-+-+-+

      And here's the chkrootkit report:
      ROOTDIR is `/'
      Checking `amd'... not found
      Checking `basename'... not infected
      Checking `biff'... not found
      Checking `chfn'... not infected
      Checking `chsh'... not infected
      Checking `cron'... not infected
      Checking `date'... not infected
      Checking `du'... not infected
      Checking `dirname'... not infected
      Checking `echo'... not infected
      Checking `egrep'... not infected
      Checking `env'... not infected
      Checking `find'... not infected
      Checking `fingerd'... not infected
      Checking `gpm'... not infected
      Checking `grep'... not infected
      Checking `hdparm'... not infected
      Checking `su'... not infected
      Checking `ifconfig'... INFECTED
      Checking `inetd'... not tested
      Checking `inetdconf'... not found
      Checking `identd'... not infected
      Checking `init'... not infected
      Checking `killall'... not infected
      Checking `ldsopreload'... not infected
      Checking `login'... INFECTED
      Checking `ls'... not infected
      Checking `lsof'... not infected
      Checking `mail'... not infected
      Checking `mingetty'... not infected
      Checking `netstat'... not infected
      Checking `named'... not infected
      Checking `passwd'... not infected
      Checking `pidof'... not infected
      Checking `pop2'... not found
      Checking `pop3'... not found
      Checking `ps'... not infected
      Checking `pstree'... INFECTED
      Checking `rpcinfo'... not infected
      Checking `rlogind'... not infected
      Checking `rshd'... not infected
      Checking `slogin'... not infected
      Checking `sendmail'... not infected
      Checking `sshd'... not infected
      Checking `syslogd'... not infected
      Checking `tar'... not infected
      Checking `tcpd'... not infected
      Checking `tcpdump'... not infected
      Checking `top'... not infected
      Checking `telnetd'... not infected
      Checking `timed'... not infected
      Checking `traceroute'... not infected
      Checking `vdir'... not infected
      Checking `w'... not infected
      Checking `write'... not infected
      Checking `aliens'... /etc/
      Searching for sniffer's logs, it may take a while... nothing found
      Searching for HiDrootkit's default dir... nothing found
      Searching for t0rn's default files and dirs... nothing found
      Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit installed
      Searching for Lion Worm default files and dirs... nothing found
      Searching for RSHA's default files and dir... nothing found
      Searching for RH-Sharpe's default files... nothing found
      Searching for Ambient's rootkit (ark) default files and dirs... nothing found
      Searching for suspicious files and dirs, it may take a while...
      /usr/lib/perl5/5.6.0/i386-linux/.packlist /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Digest/MD5/.packlist /lib/modules/2.2.19-3.asp/.rhkmvtag /lib/modules/2.2.19-3.aspsmp/.rhkmvtag

      Searching for LPD Worm files and dirs... nothing found
      Searching for Ramen Worm files and dirs... nothing found
      Searching for Maniac files and dirs... nothing found
      Searching for RK17 files and dirs... ./chkrootkit: [: /var/www/cgi-bin: binary operator expected
      (the line above is repeated 18 more times)
      nothing found
      Searching for Ducoci rootkit... nothing found
      Searching for Adore Worm... nothing found
      Searching for ShitC Worm... nothing found
      Searching for Omega Worm... nothing found
      Searching for Sadmind/IIS Worm... nothing found
      Searching for MonKit... nothing found
      Searching for Showtee... Warning: Possible Showtee Rootkit installed
      Searching for OpticKit... nothing found
      Searching for T.R.K... nothing found
      Searching for Mithra... nothing found
      Searching for OBSD rk v1... nothing found
      Searching for LOC rootkit ... nothing found
      Searching for Romanian rootkit ...  /usr/include/file.h /usr/include/proc.h
      Searching for HKRK rootkit ... nothing found
      Searching for Suckit rootkit ... nothing found
      Searching for Volc rootkit ... nothing found
      Searching for Gold2 rootkit ... nothing found
      Searching for TC2 Worm default files and dirs... nothing found
      Searching for Anonoying rootkit default files and dirs... nothing found
      Searching for ZK rootkit default files and dirs... nothing found
      Searching for ShKit rootkit default files and dirs... Possible ShKit rootkit installed
      Searching for AjaKit rootkit default files and dirs... nothing found
      Searching for zaRwT rootkit default files and dirs... nothing found
      Searching for anomalies in shell history files... Warning: `//root/.bash_history' file size is zero
      nothing found
      Checking `asp'... not infected
      Checking `bindshell'... not infected
      Checking `lkm'... You have     3 process hidden for ps command
      Warning: Possible LKM Trojan installed
      Checking `rexedcs'... not found
      Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
      eth1: not promisc and no PF_PACKET sockets
      tun0: not promisc and no PF_PACKET sockets
      Checking `w55808'... not infected
      Checking `wted'... nothing deleted
      Checking `scalper'... not infected
      Checking `slapper'... not infected
      Checking `z2'... nothing deleted
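Two things a responder would want to do with a report like the one above: sort it into what actually needs action (the report mixes "INFECTED", "Possible ... installed", "not found", "not tested" and the checker's own shell errors from the RK17 test, and not all of the non-green states mean "clean"), and re-check the "3 process hidden for ps command" finding without trusting ps. The script below is an added example, not code from the thread or from chkrootkit; it assumes only the line formats visible in the report above, SAMPLE_REPORT is a constructed excerpt in that shape, and the hidden-process check mirrors the classic technique (compare what kill(pid, 0) says exists with what /proc shows) rather than chkrootkit's exact implementation.

```python
"""Triage a chkrootkit report and independently re-check its "processes
hidden for ps" finding.  Added example, not code from the thread or from
chkrootkit; it assumes the line formats visible in the report above, and
SAMPLE_REPORT is a constructed excerpt in that shape."""
import os
import re

SAMPLE_REPORT = """\
Checking `ifconfig'... INFECTED
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `login'... INFECTED
Checking `pstree'... INFECTED
Searching for t0rn's v8 defaults... Possible t0rn v8 \\(or variation\\) rootkit installed
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.6.0/i386-linux/.packlist /lib/modules/2.2.19-3.asp/.rhkmvtag
Searching for RK17 files and dirs... ./chkrootkit: [: /var/www/cgi-bin: binary operator expected
./chkrootkit: [: /var/www/cgi-bin: binary operator expected
nothing found
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for Romanian rootkit ...  /usr/include/file.h /usr/include/proc.h
Searching for anomalies in shell history files... Warning: `//root/.bash_history' file size is zero
nothing found
Checking `lkm'... You have     3 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
"""

CHECK = re.compile(r"^Checking `([^']+)'\.\.\.\s*(.*)$")
SEARCH = re.compile(r"^Searching for (.+?)\s*\.\.\.\s*(.*)$")
CLEAN = {"not infected", "nothing found", "nothing deleted"}


def _name(s):
    return re.sub(r",\s*it may take a while$", "", s.strip())


def triage(report):
    """Sort a report into: infected (trojaned binaries), warnings (rootkit
    signatures, hidden processes, odd files to review by hand), not_checked
    (binary absent, test skipped, or the checker's own shell errored) and
    errors (raw checker error lines).  "not found"/"not tested" are kept
    apart from "not infected" because they are not evidence of a clean binary."""
    out = {"infected": [], "warnings": [], "not_checked": [], "errors": []}
    pending = None  # "Searching for" check whose result is on the following line
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "/chkrootkit: " in line:           # shell error inside chkrootkit itself
            out["errors"].append(line)
            m = SEARCH.match(line)
            if m:                             # that check never produced a verdict
                out["not_checked"].append(_name(m.group(1)) + " (checker error)")
            pending = None
            continue
        m = CHECK.match(line)
        if m:
            pending = None
            name, state = m.group(1), " ".join(m.group(2).split())
            if state == "INFECTED":
                out["infected"].append(name)
            elif state in ("not found", "not tested"):
                out["not_checked"].append(name)
            elif state not in CLEAN and "not promisc" not in state:
                out["warnings"].append("%s: %s" % (name, state))
            continue
        m = SEARCH.match(line)
        if m:
            name, result = _name(m.group(1)), " ".join(m.group(2).split())
            pending = name if not result else None
            if result and result != "nothing found":
                out["warnings"].append("%s: %s" % (name, result))
            continue
        if pending:                           # continuation line of a search
            if line != "nothing found":
                out["warnings"].append("%s: %s" % (pending, line))
            pending = None
        elif line.startswith("Warning:"):
            out["warnings"].append(line)
    return out


def hidden_pids(max_pid=None):
    """PIDs the kernel knows about (kill(pid, 0) succeeds, or fails with EPERM
    because the task belongs to someone else) but that have no /proc/<pid>
    entry, i.e. are hidden from what ps reads.  stat() is used instead of
    listing /proc so threads, which readdir omits but kill() accepts, are not
    reported.  Run as root on the live system: a LiveCD-mounted image has no
    processes, and an unprivileged run on a /proc mounted with hidepid gives
    false positives."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    hidden = []
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)                   # signal 0: existence check, nothing delivered
        except ProcessLookupError:
            continue                          # no such task
        except PermissionError:
            pass                              # exists, owned by another user
        if not os.path.exists("/proc/%d" % pid):
            hidden.append(pid)
    return hidden


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for kind, items in triage(text).items():
        print(kind, items)
```

Usage: save the chkrootkit output to a file and pass it as the first argument (without one the constructed sample is used); call hidden_pids() separately, as root, on the live machine, since scanning up to pid_max takes a few seconds. The warnings list is a review queue, not a verdict: the perl5 .packlist entries, for instance, are written by the Perl module installer and are a common benign hit for the "suspicious files" test, whereas three binaries reported INFECTED plus processes missing from /proc are consistent findings. For the binary checks, chkrootkit can be pointed at the LiveCD-mounted image with its -r option, which keeps the trojaned ifconfig, login and pstree from running during the check; the LKM and sniffer tests only mean something on the live kernel.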
