自从我来这里已经有一段时间了。我一直全神贯注于尝试解决被黑客入侵的设备带来的无尽问题。我在家庭网络上架起了一座桥梁。它是TP-Link 841N,并且启用了wds,并作为网络上的客户端连接。Nmap告诉我端口22已打开,并且我尝试过几次刷新固件,并通过许多不同的代理进行下载,包括两个openvpn服务器,我的蜂窝连接和tor网络。最近,我也不得不给我的vps提供者pgp一个新密码,因为openvz Web面板一直被黑客入侵。这发生了3到4次,我的提供者不得不重设密码。因此,我用chkroot和rkhunter扫描了计算机中的rootkit,并收到了很多警告。我将在此处发布输出:(为格式化而编辑,1/19/15)
##Chrkrootkit output:##
root@linuxpc:~# chkrootkit
ROOTDIR is `/'
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/debug/.build-id /usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit
/usr/lib/pymodules/python2.7/.path /usr/lib/jvm/.java-1.7.0-openjdk amd64.jinfo
/usr/lib/debug/.build-id
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
wlan0: PACKET SNIFFER(/sbin/wpa_supplicant[1850], /sbin/dhclient[3145])
Checking `wted'... 1 deletion(s) between Sat Jan 17 21:43:47 2015 and Sat Jan 17 21:48:36 2015
Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
! RUID PID TTY CMD
! root 1463 tty7 /usr/bin/X :0 -background none -verbose -auth /var/run/gdm/auth-for-gdm-4y3SbT/database -seat seat0 -nolisten tcp vt7
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
root@linuxpc:~# Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching: command not found
##------------##
#Rkhunter Output##
anon@linuxpc:~$ cat /var/log/rkhunter.log | grep Warning
[03:36:46] /usr/sbin/chroot [ Warning ]
[03:36:46] Warning: The file properties have changed:
[03:36:47] /usr/sbin/rsyslogd [ Warning ]
[03:36:47] Warning: The file properties have changed:
[03:36:48] /usr/bin/awk [ Warning ]
[03:36:48] Warning: The file properties have changed:
[03:36:48] /usr/bin/basename [ Warning ]
[03:36:48] Warning: The file properties have changed:
[03:36:49] /usr/bin/curl [ Warning ]
[03:36:49] Warning: The file '/usr/bin/curl' exists on the system, but it is not present in the rkhunter.dat file.
[03:36:49] /usr/bin/cut [ Warning ]
[03:36:49] Warning: The file properties have changed:
[03:36:49] /usr/bin/dirname [ Warning ]
[03:36:49] Warning: The file properties have changed:
[03:36:49] /usr/bin/du [ Warning ]
[03:36:49] Warning: The file properties have changed:
[03:36:50] /usr/bin/env [ Warning ]
[03:36:50] Warning: The file properties have changed:
[03:36:50] /usr/bin/file [ Warning ]
[03:36:50] Warning: The file properties have changed:
[03:36:50] /usr/bin/groups [ Warning ]
[03:36:50] Warning: The file properties have changed:
[03:36:50] /usr/bin/head [ Warning ]
[03:36:50] Warning: The file properties have changed:
[03:36:51] /usr/bin/id [ Warning ]
[03:36:51] Warning: The file properties have changed:
[03:36:51] /usr/bin/ldd [ Warning ]
[03:36:51] Warning: The file properties have changed:
[03:36:52] /usr/bin/logger [ Warning ]
[03:36:52] Warning: The file properties have changed:
[03:36:52] /usr/bin/mail [ Warning ]
[03:36:52] Warning: The file '/usr/bin/mail' exists on the system, but it is not present in the rkhunter.dat file.
[03:36:52] /usr/bin/md5sum [ Warning ]
[03:36:52] Warning: The file properties have changed:
[03:36:53] /usr/bin/runcon [ Warning ]
[03:36:53] Warning: The file properties have changed:
[03:36:53] /usr/bin/sha1sum [ Warning ]
[03:36:53] Warning: The file properties have changed:
[03:36:54] /usr/bin/sha224sum [ Warning ]
[03:36:54] Warning: The file properties have changed:
[03:36:54] /usr/bin/sha256sum [ Warning ]
[03:36:54] Warning: The file properties have changed:
[03:36:54] /usr/bin/sha384sum [ Warning ]
[03:36:54] Warning: The file properties have changed:
[03:36:54] /usr/bin/sha512sum [ Warning ]
[03:36:54] Warning: The file properties have changed:
[03:36:54] /usr/bin/sort [ Warning ]
[03:36:54] Warning: The file properties have changed:
[03:36:55] /usr/bin/stat [ Warning ]
[03:36:55] Warning: The file properties have changed:
[03:36:55] /usr/bin/tail [ Warning ]
[03:36:55] Warning: The file properties have changed:
[03:36:55] /usr/bin/test [ Warning ]
[03:36:55] Warning: The file properties have changed:
[03:36:56] /usr/bin/touch [ Warning ]
[03:36:56] Warning: The file properties have changed:
[03:36:56] /usr/bin/tr [ Warning ]
[03:36:56] Warning: The file properties have changed:
[03:36:56] /usr/bin/uniq [ Warning ]
[03:36:56] Warning: The file properties have changed:
[03:36:56] /usr/bin/users [ Warning ]
[03:36:56] Warning: The file properties have changed:
[03:36:57] /usr/bin/wc [ Warning ]
[03:36:57] Warning: The file properties have changed:
[03:36:57] /usr/bin/wget [ Warning ]
[03:36:57] Warning: The file properties have changed:
[03:36:57] /usr/bin/whatis [ Warning ]
[03:36:57] Warning: The file properties have changed:
[03:36:57] /usr/bin/whereis [ Warning ]
[03:36:57] Warning: The file properties have changed:
[03:36:58] /usr/bin/who [ Warning ]
[03:36:58] Warning: The file properties have changed:
[03:36:58] /usr/bin/whoami [ Warning ]
[03:36:58] Warning: The file properties have changed:
[03:36:58] /usr/bin/unhide.rb [ Warning ]
[03:36:58] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
[03:36:58] /usr/bin/gawk [ Warning ]
[03:36:58] Warning: The file '/usr/bin/gawk' exists on the system, but it is not present in the rkhunter.dat file.
[03:36:58] /usr/bin/bsd-mailx [ Warning ]
[03:36:58] Warning: The file '/usr/bin/bsd-mailx' exists on the system, but it is not present in the rkhunter.dat file.
[03:36:59] /sbin/fsck [ Warning ]
[03:36:59] Warning: The file properties have changed:
[03:36:59] /sbin/ifconfig [ Warning ]
[03:36:59] Warning: The file properties have changed:
[03:37:00] /sbin/route [ Warning ]
[03:37:00] Warning: The file properties have changed:
[03:37:01] /bin/bash [ Warning ]
[03:37:01] Warning: The file properties have changed:
[03:37:02] /bin/cat [ Warning ]
[03:37:02] Warning: The file properties have changed:
[03:37:02] /bin/chmod [ Warning ]
[03:37:02] Warning: The file properties have changed:
[03:37:02] /bin/chown [ Warning ]
[03:37:02] Warning: The file properties have changed:
[03:37:02] /bin/cp [ Warning ]
[03:37:02] Warning: The file properties have changed:
[03:37:03] /bin/date [ Warning ]
[03:37:03] Warning: The file properties have changed:
[03:37:03] /bin/df [ Warning ]
[03:37:03] Warning: The file properties have changed:
[03:37:03] /bin/dmesg [ Warning ]
[03:37:03] Warning: The file properties have changed:
[03:37:03] /bin/echo [ Warning ]
[03:37:03] Warning: The file properties have changed:
[03:37:04] /bin/ls [ Warning ]
[03:37:04] Warning: The file properties have changed:
[03:37:05] /bin/mktemp [ Warning ]
[03:37:05] Warning: The file properties have changed:
[03:37:05] /bin/more [ Warning ]
[03:37:05] Warning: The file properties have changed:
[03:37:05] /bin/mount [ Warning ]
[03:37:05] Warning: The file properties have changed:
[03:37:05] /bin/mv [ Warning ]
[03:37:05] Warning: The file properties have changed:
[03:37:06] /bin/netstat [ Warning ]
[03:37:06] Warning: The file properties have changed:
[03:37:06] /bin/pwd [ Warning ]
[03:37:06] Warning: The file properties have changed:
[03:37:06] /bin/readlink [ Warning ]
[03:37:06] Warning: The file properties have changed:
[03:37:07] /bin/touch [ Warning ]
[03:37:07] Warning: The file properties have changed:
[03:37:07] /bin/uname [ Warning ]
[03:37:07] Warning: The file properties have changed:
[03:37:08] /usr/bin/mawk [ Warning ]
[03:37:08] Warning: The file '/usr/bin/mawk' does not exist on the system, but it is present in the rkhunter.dat file.
[03:46:29] Checking /dev for suspicious file types [ Warning ]
[03:46:29] Warning: Suspicious file types found in /dev:
[03:46:29] Checking for hidden files and directories [ Warning ]
[03:46:29] Warning: Hidden directory found: '/etc/.java: directory '
[03:46:29] Warning: Hidden directory found: '/dev/.udev: directory '
[03:46:29] Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
## End Output##
我认为不久前我运行了propupdate,并且rkhunter肯定会给我很多警告。界面不正确的警告没有更早出现。有更多专业知识的人可以帮助我解释这些结果吗?我知道suckit rootkit可能是一个误报,但是Rkhunters让我感到紧张,以及我在vps上处理过的所有奇怪活动,这也是很长时间以来的tor出口节点。谢谢。
(更新1/19/15)我接受了您的建议,并删除了表明没有任何感染的行,并升级了rkhunter。然后,我运行新版本(1.4.2),并弹出以下警告:
[15:48:20] /usr/local/bin/rkhunter [ Warning ]
[15:48:20] Warning: The file '/usr/local/bin/rkhunter' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:20] /usr/sbin/adduser [ Warning ]
[15:48:20] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Perl script, ASCII text executable
[15:48:20] /usr/sbin/chroot [ Warning ]
[15:48:20] Warning: The file properties have changed:
[15:48:22] /usr/sbin/rsyslogd [ Warning ]
[15:48:22] Warning: The file properties have changed:
[15:48:23] /usr/bin/awk [ Warning ]
[15:48:23] Warning: The file properties have changed:
[15:48:23] Warning: No symbolic link target found for file '/usr/bin/awk' in the 'rkhunter.dat' file.
[15:48:23] /usr/bin/basename [ Warning ]
[15:48:23] Warning: The file properties have changed:
[15:48:24] /usr/bin/curl [ Warning ]
[15:48:24] Warning: The file '/usr/bin/curl' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:24] /usr/bin/cut [ Warning ]
[15:48:24] Warning: The file properties have changed:
[15:48:24] /usr/bin/dirname [ Warning ]
[15:48:24] Warning: The file properties have changed:
[15:48:25] /usr/bin/du [ Warning ]
[15:48:25] Warning: The file properties have changed:
[15:48:25] /usr/bin/env [ Warning ]
[15:48:25] Warning: The file properties have changed:
[15:48:25] /usr/bin/file [ Warning ]
[15:48:25] Warning: The file properties have changed:
[15:48:25] /usr/bin/GET [ Warning ]
[15:48:25] Warning: No symbolic link target found for file '/usr/bin/GET' in the 'rkhunter.dat' file.
[15:48:26] /usr/bin/groups [ Warning ]
[15:48:26] Warning: The file properties have changed:
[15:48:26] /usr/bin/head [ Warning ]
[15:48:26] Warning: The file properties have changed:
[15:48:26] /usr/bin/id [ Warning ]
[15:48:26] Warning: The file properties have changed:
[15:48:27] /usr/bin/ldd [ Warning ]
[15:48:27] Warning: The file properties have changed:
[15:48:27] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
[15:48:27] /usr/bin/less [ Warning ]
[15:48:27] Warning: No symbolic link target found for file '/usr/bin/less' in the 'rkhunter.dat' file.
[15:48:27] /usr/bin/locate [ Warning ]
[15:48:27] Warning: No symbolic link target found for file '/usr/bin/locate' in the 'rkhunter.dat' file.
[15:48:27] /usr/bin/logger [ Warning ]
[15:48:27] Warning: The file properties have changed:
[15:48:28] /usr/bin/mail [ Warning ]
[15:48:28] Warning: The file '/usr/bin/mail' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:28] /usr/bin/md5sum [ Warning ]
[15:48:28] Warning: The file properties have changed:
[15:48:29] /usr/bin/pkill [ Warning ]
[15:48:29] Warning: No symbolic link target found for file '/usr/bin/pkill' in the 'rkhunter.dat' file.
[15:48:29] /usr/bin/runcon [ Warning ]
[15:48:29] Warning: The file properties have changed:
[15:48:29] /usr/bin/sha1sum [ Warning ]
[15:48:29] Warning: The file properties have changed:
[15:48:30] /usr/bin/sha224sum [ Warning ]
[15:48:30] Warning: The file properties have changed:
[15:48:30] /usr/bin/sha256sum [ Warning ]
[15:48:30] Warning: The file properties have changed:
[15:48:30] /usr/bin/sha384sum [ Warning ]
[15:48:30] Warning: The file properties have changed:
[15:48:30] /usr/bin/sha512sum [ Warning ]
[15:48:30] Warning: The file properties have changed:
[15:48:31] /usr/bin/sort [ Warning ]
[15:48:31] Warning: The file properties have changed:
[15:48:31] /usr/bin/ssh [ Warning ]
[15:48:31] Warning: The file '/usr/bin/ssh' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:31] /usr/bin/stat [ Warning ]
[15:48:31] Warning: The file properties have changed:
[15:48:32] /usr/bin/tail [ Warning ]
[15:48:32] Warning: The file properties have changed:
[15:48:32] /usr/bin/telnet [ Warning ]
[15:48:32] Warning: The file '/usr/bin/telnet' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:32] /usr/bin/test [ Warning ]
[15:48:32] Warning: The file properties have changed:
[15:48:32] /usr/bin/touch [ Warning ]
[15:48:32] Warning: The file properties have changed:
[15:48:33] Warning: No symbolic link target found for file '/usr/bin/touch' in the 'rkhunter.dat' file.
[15:48:33] /usr/bin/tr [ Warning ]
[15:48:33] Warning: The file properties have changed:
[15:48:33] /usr/bin/uniq [ Warning ]
[15:48:33] Warning: The file properties have changed:
[15:48:33] /usr/bin/users [ Warning ]
[15:48:33] Warning: The file properties have changed:
[15:48:34] /usr/bin/w [ Warning ]
[15:48:34] Warning: No symbolic link target found for file '/usr/bin/w' in the 'rkhunter.dat' file.
[15:48:34] /usr/bin/wc [ Warning ]
[15:48:34] Warning: The file properties have changed:
[15:48:34] /usr/bin/wget [ Warning ]
[15:48:34] Warning: The file properties have changed:
[15:48:34] /usr/bin/whatis [ Warning ]
[15:48:34] Warning: The file properties have changed:
[15:48:34] /usr/bin/whereis [ Warning ]
[15:48:34] Warning: The file properties have changed:
[15:48:35] /usr/bin/which [ Warning ]
[15:48:35] Warning: No symbolic link target found for file '/usr/bin/which' in the 'rkhunter.dat' file.
[15:48:35] /usr/bin/who [ Warning ]
[15:48:35] Warning: The file properties have changed:
[15:48:35] /usr/bin/whoami [ Warning ]
[15:48:35] Warning: The file properties have changed:
[15:48:35] /usr/bin/gawk [ Warning ]
[15:48:35] Warning: The file '/usr/bin/gawk' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:35] /usr/bin/lwp-request [ Warning ]
[15:48:35] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script, ASCII text executable
[15:48:35] /usr/bin/bsd-mailx [ Warning ]
[15:48:35] Warning: The file '/usr/bin/bsd-mailx' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:35] /usr/bin/telnet.netkit [ Warning ]
[15:48:36] Warning: The file '/usr/bin/telnet.netkit' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:36] /sbin/depmod [ Warning ]
[15:48:36] Warning: No symbolic link target found for file '/sbin/depmod' in the 'rkhunter.dat' file.
[15:48:36] /sbin/fsck [ Warning ]
[15:48:36] Warning: The file properties have changed:
[15:48:36] /sbin/ifconfig [ Warning ]
[15:48:36] Warning: The file properties have changed:
[15:48:37] /sbin/ifdown [ Warning ]
[15:48:37] Warning: No symbolic link target found for file '/sbin/ifdown' in the 'rkhunter.dat' file.
[15:48:37] /sbin/insmod [ Warning ]
[15:48:37] Warning: No symbolic link target found for file '/sbin/insmod' in the 'rkhunter.dat' file.
[15:48:37] /sbin/ip [ Warning ]
[15:48:37] Warning: No symbolic link target found for file '/sbin/ip' in the 'rkhunter.dat' file.
[15:48:37] /sbin/lsmod [ Warning ]
[15:48:37] Warning: No symbolic link target found for file '/sbin/lsmod' in the 'rkhunter.dat' file.
[15:48:38] /sbin/modinfo [ Warning ]
[15:48:38] Warning: No symbolic link target found for file '/sbin/modinfo' in the 'rkhunter.dat' file.
[15:48:38] /sbin/modprobe [ Warning ]
[15:48:38] Warning: No symbolic link target found for file '/sbin/modprobe' in the 'rkhunter.dat' file.
[15:48:38] /sbin/rmmod [ Warning ]
[15:48:38] Warning: No symbolic link target found for file '/sbin/rmmod' in the 'rkhunter.dat' file.
[15:48:38] /sbin/route [ Warning ]
[15:48:38] Warning: The file properties have changed:
[15:48:39] /bin/bash [ Warning ]
[15:48:39] Warning: The file properties have changed:
[15:48:39] /bin/cat [ Warning ]
[15:48:39] Warning: The file properties have changed:
[15:48:40] /bin/chmod [ Warning ]
[15:48:40] Warning: The file properties have changed:
[15:48:40] /bin/chown [ Warning ]
[15:48:40] Warning: The file properties have changed:
[15:48:40] /bin/cp [ Warning ]
[15:48:40] Warning: The file properties have changed:
[15:48:40] /bin/date [ Warning ]
[15:48:40] Warning: The file properties have changed:
[15:48:41] /bin/df [ Warning ]
[15:48:41] Warning: The file properties have changed:
[15:48:41] /bin/dmesg [ Warning ]
[15:48:41] Warning: The file properties have changed:
[15:48:41] /bin/echo [ Warning ]
[15:48:41] Warning: The file properties have changed:
[15:48:43] /bin/ls [ Warning ]
[15:48:43] Warning: The file properties have changed:
[15:48:43] /bin/lsmod [ Warning ]
[15:48:43] Warning: No symbolic link target found for file '/bin/lsmod' in the 'rkhunter.dat' file.
[15:48:43] /bin/mktemp [ Warning ]
[15:48:43] Warning: The file properties have changed:
[15:48:43] /bin/more [ Warning ]
[15:48:43] Warning: The file properties have changed:
[15:48:43] /bin/mount [ Warning ]
[15:48:43] Warning: The file properties have changed:
[15:48:44] /bin/mv [ Warning ]
[15:48:44] Warning: The file properties have changed:
[15:48:44] /bin/netstat [ Warning ]
[15:48:44] Warning: The file properties have changed:
[15:48:44] /bin/pwd [ Warning ]
[15:48:44] Warning: The file properties have changed:
[15:48:45] /bin/readlink [ Warning ]
[15:48:45] Warning: The file properties have changed:
[15:48:45] /bin/sh [ Warning ]
[15:48:45] Warning: No symbolic link target found for file '/bin/sh' in the 'rkhunter.dat' file.
[15:48:45] /bin/touch [ Warning ]
[15:48:45] Warning: The file properties have changed:
[15:48:46] /bin/uname [ Warning ]
[15:48:46] Warning: The file properties have changed:
[15:48:46] /bin/which [ Warning ]
[15:48:46] Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script, ASCII text executable
[15:48:46] /etc/rkhunter.conf [ Warning ]
[15:48:46] Warning: The file '/etc/rkhunter.conf' exists on the system, but it is not present in the 'rkhunter.dat' file.
[16:08:55] Checking /dev for suspicious file types [ Warning ]
[16:08:55] Warning: Suspicious file types found in /dev:
[16:08:55] Checking for hidden files and directories [ Warning ]
[16:08:55] Warning: Hidden directory found: /etc/.java: directory
[16:08:55] Warning: Hidden directory found: /dev/.udev: directory
[16:08:55] Warning: Hidden file found: /dev/.blkid.tab: ASCII text
[16:08:55] Warning: Hidden file found: /dev/.blkid.tab.old: ASCII text
[16:08:55] Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
我可以看到其中一些警告是由于升级rkhunter并在/ etc中包含旧的配置文件引起的,但是我对其他警告不太确定。您仍然认为事情看起来正常吗?我衷心感谢您的帮助。
本文收集自互联网,转载请注明来源。
如有侵权,请联系[email protected] 删除。
我来说两句