리눅스 분류
rootkit으로 점검한 결과입니다. 어떻게 치료해야하는지요?
작성자 정보
- doly 작성
- 작성일
컨텐츠 정보
- 2,961 조회
- 0 추천
- 목록
본문
이렇게 치료를 하면되요.
정말 치료 경험이 있어 올립니다.
1. the most common thing you will see is when you run ls you will see this,
| Quote: |
ls: unrecognized prefix: do ls: unparsable value for LS_COLORS environment variable. |
2. Next try restarting syslog
| Quote: |
/etc/init.d/syslog restart Shutting down kernel logger: [ OK ] Shutting down system logger: [ OK ] Starting system logger: [FAILED] Starting kernel logger: [ OK ] 3. Run CHkrootkit |
Some info on what the rootkit installs/does:
Configuration files
/usr/include/file.h (for file hiding)
/usr/include/proc.h (for ps proc hiding)
/lib/lidps1.so (for pstree hiding)
/usr/include/hosts.h (for netstat and net-hiding)
/usr/include/log.h (for log hiding)
/lib/lblip.tk/ (backdoored ssh configuration files are in this directory)
/dev/sdr0 (systems md5 checksum)
/lib/ldd.so {placing tks(sniffer), tkp(parser) and tksb(log cleaner)}
Infected Binaries:
top, ps, pstree lsof, md5sum, dir, login, encrypt,ifconfig,find,ls,slocate,
tks,tksb,top,tkpnetstat,pg,syslogd,sz
Infected Librairies:
libproc.a,libproc.so.2.0.6,libproc.so
BackDoor which is located at /lib/lblip.tk:
shdc
shhk.pub
shk
shrs
Lets remove this bugger
Start by editing the /etc/rc.d/rc.sysinit, at the bottom you will see simular lines to:
| Quote: |
# Xntps (NTPv3 daemon) startup.. /usr/sbin/xntps -q |
Remove them, this is the backdoor they installed. Addtionally run
| Quote: |
netstat -lntpe | grep xntps find the pid and kill -9 PIDNUMBER |
Reinstall, needed binarys ( you will need to search for these you can also install from WHM ):
| Quote: |
procps*.rpm psmisc*.rpm findutils*.rpm fileutils*.rpm util-linux*.rpm net-tools*.rpm textutils*.rpm sysklogd*.rpm |
Remove their files:
cd /lib
rm -rf lblip.tk
rm -rf /usr/include/file.h
rm -rf /usr/include/proc.h
rm -rf /lib/lidps1.so
rm -rf /usr/include/hosts.h
rm -rf /usr/include/log.h
rm -rf /dev/sdr0
rm -rf /lib/ldd.so
Recompile your kernel, make sure you do this.
Reboot the server.
Run CHkrootkit again.
관련자료
-
이전
-
다음
댓글 0
등록된 댓글이 없습니다.
