No.: 403
Name: swindler
Subject: ShKit rootkit backdoor removal
Main Cate.: Linux
Date: 2009-10-01 15:43
Hit: 3842 (211.36.27.8)
1. The most common thing you will see is when you run ls you will see this:

   Quote:
   ls: unrecognized prefix: do
   ls: unparsable value for LS_COLORS environment variable.

2. Next, try restarting syslog:

   Quote:
   /etc/init.d/syslog restart
   Shutting down kernel logger:    [  OK  ]
   Shutting down system logger:    [  OK  ]
   Starting system logger:         [FAILED]
   Starting kernel logger:         [  OK  ]

3. Run chkrootkit.

Some info on what the rootkit installs/does:

Configuration files:
   /usr/include/file.h    (for file hiding)
   /usr/include/proc.h    (for ps proc hiding)
   /lib/lidps1.so         (for pstree hiding)
   /usr/include/hosts.h   (for netstat and net-hiding)
   /usr/include/log.h     (for log hiding)
   /lib/lblip.tk/         (backdoored ssh configuration files are in this directory)
   /dev/sdr0              (system's md5 checksums)
   /lib/ldd.so            (placing tks (sniffer), tkp (parser) and tksb (log cleaner))

Infected binaries:
   top, ps, pstree, lsof, md5sum, dir, login, encrypt, ifconfig, find, ls, slocate, tks, tksb, top, tkp, netstat, pg, syslogd, sz

Infected libraries:
   libproc.a, libproc.so.2.0.6, libproc.so

Backdoor, which is located at /lib/lblip.tk:
   shdc shhk.pub shk shrs

Let's remove this bugger.

Start by editing /etc/rc.d/rc.sysinit; at the bottom you will see lines similar to:

   Quote:
   # Xntps (NTPv3 daemon) startup..
   /usr/sbin/xntps -q

Remove them; this is the backdoor they installed. Additionally, run

   Quote:
   netstat -lntpe | grep xntps

find the PID and kill -9 PIDNUMBER.

Reinstall the needed binaries (you will need to search for these; you can also install from WHM):

   Quote:
   procps*.rpm
   psmisc*.rpm
   findutils*.rpm
   fileutils*.rpm
   util-linux*.rpm
   net-tools*.rpm
   textutils*.rpm
   sysklogd*.rpm

Remove their files:

   cd /lib
   rm -rf lblip.tk
   rm -rf /usr/include/file.h
   rm -rf /usr/include/proc.h
   rm -rf /lib/lidps1.so
   rm -rf /usr/include/hosts.h
   rm -rf /usr/include/log.h
   rm -rf /dev/sdr0
   rm -rf /lib/ldd.so

Recompile your kernel; make sure you do this.

Reboot the server.

Run chkrootkit again.

[Direct link] : http://coolx.net/cboard/computer/403