질문&답변
클라우드/리눅스에 관한 질문과 답변을 주고 받는 곳입니다.
리눅스 분류

rootkit으로 점검한 결과입니다. 어떻게 치료해야하는지요?

작성자 정보

  • doly 작성
  • 작성일

컨텐츠 정보

본문

이렇게 치료를 하면되요.

정말 치료 경험이 있어 올립니다.

1. the most common thing you will see is when you run ls you will see this,

Quote:

ls: unrecognized prefix: do
ls: unparsable value for LS_COLORS environment variable.



2. Next try restarting syslog
Quote:

/etc/init.d/syslog restart

Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [FAILED]
Starting kernel logger: [ OK ]

3. Run CHkrootkit




Some info on what the rootkit installs/does:

Configuration files
/usr/include/file.h (for file hiding)
/usr/include/proc.h (for ps proc hiding)
/lib/lidps1.so (for pstree hiding)
/usr/include/hosts.h (for netstat and net-hiding)
/usr/include/log.h (for log hiding)
/lib/lblip.tk/ (backdoored ssh configuration files are in this directory)
/dev/sdr0 (systems md5 checksum)
/lib/ldd.so {placing tks(sniffer), tkp(parser) and tksb(log cleaner)}


Infected Binaries:
top, ps, pstree lsof, md5sum, dir, login, encrypt,ifconfig,find,ls,slocate,
tks,tksb,top,tkpnetstat,pg,syslogd,sz

Infected Librairies:
libproc.a,libproc.so.2.0.6,libproc.so

BackDoor which is located at /lib/lblip.tk:

shdc
shhk.pub
shk
shrs



Lets remove this bugger

Start by editing the /etc/rc.d/rc.sysinit, at the bottom you will see simular lines to:

Quote:

# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q


Remove them, this is the backdoor they installed. Addtionally run

Quote:

netstat -lntpe | grep xntps

find the pid and

kill -9 PIDNUMBER



Reinstall, needed binarys ( you will need to search for these you can also install from WHM ):

Quote:

procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm



Remove their files:

cd /lib
rm -rf lblip.tk
rm -rf /usr/include/file.h
rm -rf /usr/include/proc.h
rm -rf /lib/lidps1.so
rm -rf /usr/include/hosts.h
rm -rf /usr/include/log.h
rm -rf /dev/sdr0
rm -rf /lib/ldd.so


Recompile your kernel, make sure you do this.

Reboot the server.


Run CHkrootkit again.

관련자료

댓글 0
등록된 댓글이 없습니다.

공지사항


뉴스광장


  • 현재 회원수 :  60,030 명
  • 현재 강좌수 :  35,756 개
  • 현재 접속자 :  75 명