chkrootkit results.. please take a look
Posted by 이기광
This is the server that runs our website.
It was installed not long ago,
but just in case I ran chkrootkit anyway.
# ./chkrootk > find2.txt
# more find2.txt
That is what I did.
--snip--
Checking `z2'...Checking `wted'...Nothing deleted
Checking `sniffer'...
eth0 is not promisc
Checking `aliens'...No suspect files
Searching for sniffer's logs, please wait MANY minutes...Nothing found
Searching for t0rn's default files and dirs ...Nothing found
Checking `lkm'...You have 11 process hidden for readdir command
You have 11 process hidden for ps command
Warning: Possible LKM Trojan instaled
This is what it shows.
So I ran chkproc -v several times, but the output is the same.
[root@www chkrootkit-0.17]# ./chkproc -v
You have 11 process hidden for readdir command
You have 11 process hidden for ps command
[root@www chkrootkit-0.17]#
This is what comes out.
I think an LKM has been installed,
but I don't know which process is the LKM..
[root@www chkrootkit-0.17]# ps -aux |more
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 3500 560 ? S Oct25 0:04 init [5]
root 2 0.0 0.0 0 0 ? S Oct25 0:00 [migration/0]
root 3 0.0 0.0 0 0 ? SN Oct25 0:00 [ksoftirqd/0]
root 4 0.0 0.0 0 0 ? S Oct25 0:00 [migration/1]
root 5 0.0 0.0 0 0 ? SN Oct25 0:00 [ksoftirqd/1]
root 6 0.0 0.0 0 0 ? S Oct25 0:00 [migration/2]
root 7 0.0 0.0 0 0 ? SN Oct25 0:00 [ksoftirqd/2]
root 8 0.0 0.0 0 0 ? S Oct25 0:00 [migration/3]
root 9 0.0 0.0 0 0 ? SN Oct25 0:00 [ksoftirqd/3]
root 10 0.0 0.0 0 0 ? S< Oct25 0:00 [events/0]
root 11 0.0 0.0 0 0 ? S< Oct25 0:00 [events/1]
root 12 0.0 0.0 0 0 ? S< Oct25 0:00 [events/2]
root 13 0.0 0.0 0 0 ? S< Oct25 0:00 [events/3]
root 14 0.0 0.0 0 0 ? S< Oct25 0:00 [khelper]
root 15 0.0 0.0 0 0 ? S< Oct25 0:00 [kacpid]
root 44 0.0 0.0 0 0 ? S< Oct25 0:00 [kblockd/0]
root 45 0.0 0.0 0 0 ? S< Oct25 0:00 [kblockd/1]
root 46 0.0 0.0 0 0 ? S< Oct25 0:00 [kblockd/2]
root 47 0.0 0.0 0 0 ? S< Oct25 0:00 [kblockd/3]
root 57 0.0 0.0 0 0 ? S Oct25 0:00 [pdflush]
root 58 0.0 0.0 0 0 ? S Oct25 0:00 [pdflush]
root 60 0.0 0.0 0 0 ? S< Oct25 0:00 [aio/0]
root 61 0.0 0.0 0 0 ? S< Oct25 0:00 [aio/1]
root 62 0.0 0.0 0 0 ? S< Oct25 0:00 [aio/2]
root 63 0.0 0.0 0 0 ? S< Oct25 0:00 [aio/3]
root 48 0.0 0.0 0 0 ? S Oct25 0:00 [khubd]
root 59 0.0 0.0 0 0 ? S Oct25 0:01 [kswapd0]
root 136 0.0 0.0 0 0 ? S Oct25 0:00 [kseriod]
root 207 0.0 0.0 0 0 ? S Oct25 0:00 [scsi_eh_0]
root 221 0.0 0.0 0 0 ? S Oct25 0:00 [scsi_eh_1]
root 1089 0.0 0.0 2232 448 ? S<s Oct25 0:00 udevd
root 1823 0.0 0.0 3160 596 ? Ss Oct25 0:15 syslogd -m 0
root 1827 0.0 0.0 2660 488 ? Ss Oct25 0:00 klogd -x
root 1838 0.0 0.0 2044 472 ? Ss Oct25 0:00 irqbalance
rpc 1849 0.0 0.0 2624 584 ? Ss Oct25 0:00 portmap
rpcuser 1869 0.0 0.0 3488 760 ? Ss Oct25 0:00 rpc.statd
root 1903 0.0 0.0 4664 1008 ? Ss Oct25 0:00 rpc.idmapd
root 1971 0.0 0.0 2280 576 ? S Oct25 0:00 /usr/sbin/smartd
root 1981 0.0 0.0 3320 560 ? Ss Oct25 0:00 /usr/sbin/acpid
root 2054 0.0 0.1 5160 1656 ? Ss Oct25 0:27 /usr/sbin/sshd
root 2069 0.0 0.0 3780 872 ? Ss Oct25 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root 2088 0.0 0.3 7632 3152 ? Ss Oct25 0:00 sendmail: accepting connections
smmsp 2096 0.0 0.2 8308 2596 ? Ss Oct25 0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root 2107 0.0 0.0 3204 544 ? Ss Oct25 0:00 gpm -m /dev/input/mice -t imps2
htt 2137 0.0 0.0 3060 328 ? Ss Oct25 0:00 /usr/sbin/htt -retryonerror 0
htt 2138 0.0 0.4 30716 4468 ? Sl Oct25 0:00 htt_server -nodaemon
canna 2150 0.0 1.7 19488 17632 ? Ss Oct25 0:00 /usr/sbin/cannaserver -syslog -u canna
root 2162 0.0 0.0 5116 852 ? Ss Oct25 0:00 crond
xfs 2203 0.0 0.3 6388 3264 ? Ss Oct25 0:00 xfs -droppriv -daemon
daemon 2222 0.0 0.0 2796 648 ? Ss Oct25 0:00 /usr/sbin/atd
dbus 2241 0.0 0.1 13644 1316 ? Ssl Oct25 0:00 dbus-daemon-1 --system
root 2255 0.0 0.1 4708 1040 ? Ss Oct25 0:00 cups-config-daemon
root 2266 0.0 0.5 7992 5604 ? Ss Oct25 4:53 hald
root 2273 0.0 0.1 6588 1196 ? S Oct25 0:00 /bin/sh /usr/local/mysql/bin/safe_mysqld
mysql 2293 0.0 0.4 22492 4760 ? S Oct25 0:00 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data --user=mysql --pid-file=/usr/local/mysql/data/pid --skip-locking
mysql 2310 0.0 0.4 22492 4760 ? S Oct25 0:01 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data --user=mysql --pid-file=/usr/local/mysql/data/--skip-locking
mysql 2311 0.0 0.4 22492 4760 ? S Oct25 0:01 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data --user=mysql --pid-file=/usr/local/mysql/data/--skip-locking
root 2393 0.0 0.5 16024 5588 ? Ss Oct25 0:01 /usr/local/apache/bin/httpd -k start
root 2400 0.0 0.0 2032 404 tty1 Ss+ Oct25 0:00 /sbin/mingetty tty1
root 2401 0.0 0.0 2276 408 tty2 Ss+ Oct25 0:00 /sbin/mingetty tty2
root 2403 0.0 0.0 1860 408 tty3 Ss+ Oct25 0:00 /sbin/mingetty tty3
root 2405 0.0 0.0 2108 408 tty4 Ss+ Oct25 0:00 /sbin/mingetty tty4
root 2407 0.0 0.0 2708 408 tty5 Ss+ Oct25 0:00 /sbin/mingetty tty5
root 2412 0.0 0.0 1748 408 tty6 Ss+ Oct25 0:00 /sbin/mingetty tty6
root 2413 0.0 0.2 13052 2344 ? Ss Oct25 0:00 /usr/bin/gdm-binary -nodaemon
root 2886 0.0 0.2 13808 3104 ? S Oct25 0:00 /usr/bin/gdm-binary -nodaemon
root 2889 0.0 1.3 17516 13856 ? S Oct25 1:50 /usr/X11R6/bin/X :0 -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7
root 3032 0.0 0.1 5204 1132 ? Ss Oct25 0:00 /usr/bin/ssh-agent -s
root 17364 0.0 1.1 33984 11488 ? Ss Nov18 0:00 /usr/bin/gnome-session
root 17388 0.0 0.7 13640 7740 ? S Nov18 0:00 /usr/libexec/gconfd-2 13
root 17389 0.0 0.1 5980 1088 ? S Nov18 0:00 /bin/bash /etc/X11/xdm/Xsession default
root 17393 0.0 0.1 6572 1352 ? S Nov18 0:00 httx
root 17395 0.0 0.3 23824 3328 ? Sl Nov18 0:00 htt_xbe
root 17398 0.0 0.1 4972 1128 ? Ss Nov18 0:00 /usr/bin/ssh-agent -s
root 17431 0.0 0.0 3228 656 ? S Nov18 0:00 /usr/bin/dbus-launch --exit-with-session /etc/X11/xinit/Xclients
root 17432 0.0 0.1 13664 1268 ? Ssl Nov18 0:00 dbus-daemon-1 --fork --print-pid 8 --print-address 6 --session
root 17438 0.0 0.0 4076 912 ? S Nov18 0:00 /usr/bin/gnome-keyring-daemon
root 17440 0.0 0.2 9344 2728 ? Ss Nov18 0:00 /usr/libexec/bonobo-activation-server --ac-activate --ior-output-fd=18
root 17444 0.0 0.6 21476 7096 ? S Nov18 0:00 /usr/libexec/gnome-settings-daemon --oaf-activate-iid=OAFIID:GNOME_SettingsDaemon --oaf-ior-fd=22
root 17451 0.0 0.1 2768 1284 ? S Nov18 0:00 /usr/libexec/gam_server
root 17483 0.0 0.8 26872 8648 ? Ss Nov18 0:00 /usr/bin/metacity --sm-client-id=default1
root 17487 0.0 1.2 34556 13340 ? Ss Nov18 0:00 gnome-panel --sm-client-id default2
root 17489 0.0 1.6 51448 16896 ? Ssl Nov18 0:00 nautilus --no-default-window --sm-client-id default3
root 17491 0.0 0.6 19552 6412 ? Ss Nov18 0:00 gnome-volume-manager --sm-client-id default6
root 17493 0.0 0.7 31612 7620 ? Ss Nov18 0:00 eggcups --sm-client-id default5
root 17495 0.0 0.4 13600 4360 ? Ss Nov18 0:00 pam-panel-icon --sm-client-id default0
root 17498 0.0 1.7 41828 18620 ? SNs Nov18 0:00 /usr/bin/python /usr/bin/rhn-applet-gui --sm-client-id default4
root 17499 0.0 0.0 1564 516 ? S Nov18 0:00 /sbin/pam_timestamp_check -d root
root 17502 0.0 0.3 23024 3652 ? Sl Nov18 0:00 /usr/libexec/gnome-vfs-daemon --oaf-activate-iid=OAFIID:GNOME_VFS_Daemon_Factory --oaf-ior-fd=28
root 17512 0.0 0.0 4020 696 ? S Nov18 0:00 /usr/libexec/mapping-daemon
root 17514 0.0 1.0 34088 11332 ? S Nov18 0:00 /usr/libexec/wnck-applet --oaf-activate-iid=OAFIID:GNOME_Wncklet_Factory --oaf-ior-fd=30
root 17516 0.0 0.9 23420 9600 ? S Nov18 0:00 /usr/libexec/mixer_applet2 --oaf-activate-iid=OAFIID:GNOME_MixerApplet_Factory --oaf-ior-fd=32
root 17518 0.0 0.9 32112 9668 ? S Nov18 0:00 /usr/libexec/clock-applet --oaf-activate-iid=OAFIID:GNOME_ClockApplet_Factory --oaf-ior-fd=34
root 17520 0.0 0.6 20176 7004 ? S Nov18 0:00 /usr/libexec/notification-area-applet --oaf-activate-iid=OAFIID:GNOME_NotificationAreaApplet_Factory --oaf-ior-fd=36
root 17522 0.0 0.9 31296 9576 ? S Nov18 0:00 /usr/libexec/gnome-im-switcher-applet --oaf-activate-iid=OAFIID:GNOME_imswitcher_Factory --oaf-ior-fd=38
root 20396 0.0 0.3 12124 3744 ? Ss 04:02 0:00 cupsd
nobody 26866 0.0 0.6 16904 6780 ? S 12:25 0:00 /usr/local/apache/bin/httpd -k start
nobody 26896 0.0 0.6 16828 6720 ? S 12:34 0:00 /usr/local/apache/bin/httpd -k start
nobody 26970 0.0 0.6 16740 6620 ? S 12:38 0:00 /usr/local/apache/bin/httpd -k start
nobody 26973 0.0 0.6 16804 6736 ? S 12:38 0:00 /usr/local/apache/bin/httpd -k start
nobody 26993 0.0 0.6 16716 6520 ? S 12:38 0:00 /usr/local/apache/bin/httpd -k start
nobody 27002 0.0 0.6 16680 6568 ? S 12:40 0:00 /usr/local/apache/bin/httpd -k start
nobody 27005 0.0 0.6 16740 6528 ? S 12:40 0:00 /usr/local/apache/bin/httpd -k start
nobody 27008 0.0 0.6 16844 6604 ? S 12:40 0:00 /usr/local/apache/bin/httpd -k start
nobody 27014 0.0 0.6 16636 6480 ? S 12:40 0:00 /usr/local/apache/bin/httpd -k start
nobody 27015 0.0 0.6 16932 6752 ? S 12:40 0:00 /usr/local/apache/bin/httpd -k start
root 27081 0.0 0.2 8304 2192 ? Ss 12:46 0:00 sshd: root@pts/1
root 27083 0.0 0.1 5872 1476 pts/1 Ss 12:46 0:00 -bash
root 28065 0.0 0.0 2624 780 pts/1 R+ 13:15 0:00 ps -aux
root 28066 0.0 0.0 5064 584 pts/1 S+ 13:15 0:00 more
Please tell me which one is the LKM process, and also how to remove it.
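An added check, not from the post or from chkrootkit, that does what chkproc does but names the PIDs: it compares what readdir() lists under /proc against PIDs that answer when /proc/<n>/status is opened directly, then reads each unlisted task's Tgid field to separate thread IDs (which Linux 2.6 kernels omit from the /proc listing, and which old chkproc builds count as "hidden") from task-group leaders that really are missing from the listing. It assumes Linux procfs; the sample data in the test is constructed.

```python
import os
import re

PROC = "/proc"

def listed_pids(proc=PROC):
    """PIDs that readdir() on /proc returns: all that ps and chkproc's readdir pass see."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def probed_pids(max_pid, proc=PROC):
    """PIDs reachable by opening /proc/<n>/status directly; threads answer here too."""
    return {n for n in range(1, max_pid + 1)
            if os.path.exists(os.path.join(proc, str(n), "status"))}

def tgid_from_status(status_text):
    """Return the Tgid: value from a /proc/<n>/status body, or None if absent."""
    m = re.search(r"^Tgid:\s*(\d+)", status_text, re.MULTILINE)
    return int(m.group(1)) if m else None

def live_tgid(pid, proc=PROC):
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            return tgid_from_status(fh.read())
    except OSError:          # task exited between the probe and this read
        return None

def classify(listed, probed, tgid_of):
    """Split reachable-but-unlisted PIDs into threads (Tgid != pid, benign)
    and task-group leaders that readdir really omits (Tgid == pid)."""
    threads, hidden = set(), set()
    for pid in sorted(probed - listed):
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid:
            threads.add(pid)
        elif tgid is not None:
            hidden.add(pid)  # a whole task missing from the listing
    return threads, hidden

def read_max_pid(proc=PROC):
    with open(os.path.join(proc, "sys", "kernel", "pid_max")) as fh:
        return int(fh.read())

if __name__ == "__main__":
    listed = listed_pids()
    probed = probed_pids(read_max_pid())
    threads, hidden = classify(listed, probed, live_tgid)
    print("unlisted thread ids (benign):", len(threads))
    print("tasks hidden from readdir:", sorted(hidden))
```

Run it twice as root and keep only PIDs that appear in both runs, since tasks that exit mid-scan show up once; a kernel module that also filters the direct open will not appear here at all, so an empty "hidden" set only explains a readdir-only discrepancy such as the one chkproc reports.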