Помогите, у меня может быть руткит
Прошло много времени с тех пор, как я был здесь. Я был очень озабочен попытками разобраться с бесконечными проблемами, когда мои устройства были взломаны. У меня установлен мост в моей домашней сети. Это TP-Link 841N, и у меня был включен wds, подключенный как клиент в моей сети. Nmap сообщает, что порт 22 открыт, и я несколько раз пытался перепрошить прошивку, загружая ее через множество различных прокси-серверов, включая два сервера openvpn, мое сотовое соединение и сеть tor. Мне также недавно пришлось, чтобы мой провайдер VPS ввел мне новый пароль, потому что веб-панель openvz продолжала взламываться. Это происходило 3 или 4 раза, и мой провайдер должен был сбросить пароль. Итак, я просканировал свой компьютер на наличие руткитов с помощью chkroot и rkhunter и получил довольно много предупреждений. Я выложу вывод здесь: (отредактировано для форматирования, 19.01.15)
##Chrkrootkit output:##
root@linuxpc:~# chkrootkit
ROOTDIR is `/'
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/debug/.build-id /usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit
/usr/lib/pymodules/python2.7/.path /usr/lib/jvm/.java-1.7.0-openjdk amd64.jinfo
/usr/lib/debug/.build-id
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
wlan0: PACKET SNIFFER(/sbin/wpa_supplicant[1850], /sbin/dhclient[3145])
Checking `wted'... 1 deletion(s) between Sat Jan 17 21:43:47 2015 and Sat Jan 17 21:48:36 2015
Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
! RUID PID TTY CMD
! root 1463 tty7 /usr/bin/X :0 -background none -verbose -auth /var/run/gdm/auth-for-gdm-4y3SbT/database -seat seat0 -nolisten tcp vt7
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
root@linuxpc:~# Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching: command not found
##------------##
#Rkhunter Output##
anon@linuxpc:~$ cat /var/log/rkhunter.log | grep Warning
[03:36:46] /usr/sbin/chroot [ Warning ]
[03:36:46] Warning: The file properties have changed:
[03:36:47] /usr/sbin/rsyslogd [ Warning ]
[03:36:47] Warning: The file properties have changed:
[03:36:48] /usr/bin/awk [ Warning ]
[03:36:48] Warning: The file properties have changed:
[03:36:48] /usr/bin/basename [ Warning ]
[03:36:48] Warning: The file properties have changed:
[03:36:49] /usr/bin/curl [ Warning ]
[03:36:49] Warning: The file '/usr/bin/curl' exists on the system, but it is not present in the rkhunter.dat file.
[03:36:49] /usr/bin/cut [ Warning ]
[03:36:49] Warning: The file properties have changed:
[03:36:49] /usr/bin/dirname [ Warning ]
[03:36:49] Warning: The file properties have changed:
[03:36:49] /usr/bin/du [ Warning ]
[03:36:49] Warning: The file properties have changed:
[03:36:50] /usr/bin/env [ Warning ]
[03:36:50] Warning: The file properties have changed:
[03:36:50] /usr/bin/file [ Warning ]
[03:36:50] Warning: The file properties have changed:
[03:36:50] /usr/bin/groups [ Warning ]
[03:36:50] Warning: The file properties have changed:
[03:36:50] /usr/bin/head [ Warning ]
[03:36:50] Warning: The file properties have changed:
[03:36:51] /usr/bin/id [ Warning ]
[03:36:51] Warning: The file properties have changed:
[03:36:51] /usr/bin/ldd [ Warning ]
[03:36:51] Warning: The file properties have changed:
[03:36:52] /usr/bin/logger [ Warning ]
[03:36:52] Warning: The file properties have changed:
[03:36:52] /usr/bin/mail [ Warning ]
[03:36:52] Warning: The file '/usr/bin/mail' exists on the system, but it is not present in the rkhunter.dat file.
[03:36:52] /usr/bin/md5sum [ Warning ]
[03:36:52] Warning: The file properties have changed:
[03:36:53] /usr/bin/runcon [ Warning ]
[03:36:53] Warning: The file properties have changed:
[03:36:53] /usr/bin/sha1sum [ Warning ]
[03:36:53] Warning: The file properties have changed:
[03:36:54] /usr/bin/sha224sum [ Warning ]
[03:36:54] Warning: The file properties have changed:
[03:36:54] /usr/bin/sha256sum [ Warning ]
[03:36:54] Warning: The file properties have changed:
[03:36:54] /usr/bin/sha384sum [ Warning ]
[03:36:54] Warning: The file properties have changed:
[03:36:54] /usr/bin/sha512sum [ Warning ]
[03:36:54] Warning: The file properties have changed:
[03:36:54] /usr/bin/sort [ Warning ]
[03:36:54] Warning: The file properties have changed:
[03:36:55] /usr/bin/stat [ Warning ]
[03:36:55] Warning: The file properties have changed:
[03:36:55] /usr/bin/tail [ Warning ]
[03:36:55] Warning: The file properties have changed:
[03:36:55] /usr/bin/test [ Warning ]
[03:36:55] Warning: The file properties have changed:
[03:36:56] /usr/bin/touch [ Warning ]
[03:36:56] Warning: The file properties have changed:
[03:36:56] /usr/bin/tr [ Warning ]
[03:36:56] Warning: The file properties have changed:
[03:36:56] /usr/bin/uniq [ Warning ]
[03:36:56] Warning: The file properties have changed:
[03:36:56] /usr/bin/users [ Warning ]
[03:36:56] Warning: The file properties have changed:
[03:36:57] /usr/bin/wc [ Warning ]
[03:36:57] Warning: The file properties have changed:
[03:36:57] /usr/bin/wget [ Warning ]
[03:36:57] Warning: The file properties have changed:
[03:36:57] /usr/bin/whatis [ Warning ]
[03:36:57] Warning: The file properties have changed:
[03:36:57] /usr/bin/whereis [ Warning ]
[03:36:57] Warning: The file properties have changed:
[03:36:58] /usr/bin/who [ Warning ]
[03:36:58] Warning: The file properties have changed:
[03:36:58] /usr/bin/whoami [ Warning ]
[03:36:58] Warning: The file properties have changed:
[03:36:58] /usr/bin/unhide.rb [ Warning ]
[03:36:58] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
[03:36:58] /usr/bin/gawk [ Warning ]
[03:36:58] Warning: The file '/usr/bin/gawk' exists on the system, but it is not present in the rkhunter.dat file.
[03:36:58] /usr/bin/bsd-mailx [ Warning ]
[03:36:58] Warning: The file '/usr/bin/bsd-mailx' exists on the system, but it is not present in the rkhunter.dat file.
[03:36:59] /sbin/fsck [ Warning ]
[03:36:59] Warning: The file properties have changed:
[03:36:59] /sbin/ifconfig [ Warning ]
[03:36:59] Warning: The file properties have changed:
[03:37:00] /sbin/route [ Warning ]
[03:37:00] Warning: The file properties have changed:
[03:37:01] /bin/bash [ Warning ]
[03:37:01] Warning: The file properties have changed:
[03:37:02] /bin/cat [ Warning ]
[03:37:02] Warning: The file properties have changed:
[03:37:02] /bin/chmod [ Warning ]
[03:37:02] Warning: The file properties have changed:
[03:37:02] /bin/chown [ Warning ]
[03:37:02] Warning: The file properties have changed:
[03:37:02] /bin/cp [ Warning ]
[03:37:02] Warning: The file properties have changed:
[03:37:03] /bin/date [ Warning ]
[03:37:03] Warning: The file properties have changed:
[03:37:03] /bin/df [ Warning ]
[03:37:03] Warning: The file properties have changed:
[03:37:03] /bin/dmesg [ Warning ]
[03:37:03] Warning: The file properties have changed:
[03:37:03] /bin/echo [ Warning ]
[03:37:03] Warning: The file properties have changed:
[03:37:04] /bin/ls [ Warning ]
[03:37:04] Warning: The file properties have changed:
[03:37:05] /bin/mktemp [ Warning ]
[03:37:05] Warning: The file properties have changed:
[03:37:05] /bin/more [ Warning ]
[03:37:05] Warning: The file properties have changed:
[03:37:05] /bin/mount [ Warning ]
[03:37:05] Warning: The file properties have changed:
[03:37:05] /bin/mv [ Warning ]
[03:37:05] Warning: The file properties have changed:
[03:37:06] /bin/netstat [ Warning ]
[03:37:06] Warning: The file properties have changed:
[03:37:06] /bin/pwd [ Warning ]
[03:37:06] Warning: The file properties have changed:
[03:37:06] /bin/readlink [ Warning ]
[03:37:06] Warning: The file properties have changed:
[03:37:07] /bin/touch [ Warning ]
[03:37:07] Warning: The file properties have changed:
[03:37:07] /bin/uname [ Warning ]
[03:37:07] Warning: The file properties have changed:
[03:37:08] /usr/bin/mawk [ Warning ]
[03:37:08] Warning: The file '/usr/bin/mawk' does not exist on the system, but it is present in the rkhunter.dat file.
[03:46:29] Checking /dev for suspicious file types [ Warning ]
[03:46:29] Warning: Suspicious file types found in /dev:
[03:46:29] Checking for hidden files and directories [ Warning ]
[03:46:29] Warning: Hidden directory found: '/etc/.java: directory '
[03:46:29] Warning: Hidden directory found: '/dev/.udev: directory '
[03:46:29] Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
## End Output##
Я не думаю, что это было слишком давно, что я запустил propupdate, и rkhunter, конечно, дает мне много предупреждений. Предупреждение о смешном интерфейсе ранее не отображалось. Может кто-то с большим опытом, пожалуйста, помогите мне расшифровать эти результаты? Я знаю, что руткит suckit может быть ложным срабатыванием, но Rkhunters заставляет меня нервничать, наряду со всей странной активностью, с которой я сталкивался на моем vps, который также долгое время был узлом выхода tor. Благодарю.
(Обновление 19.01.15) Я воспользовался вашим советом и удалил строки о том, что ничего не было заражено, и обновил rkhunter. Затем я запустил новую версию (1.4.2), и всплыли эти предупреждения:
[15:48:20] /usr/local/bin/rkhunter [ Warning ]
[15:48:20] Warning: The file '/usr/local/bin/rkhunter' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:20] /usr/sbin/adduser [ Warning ]
[15:48:20] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Perl script, ASCII text executable
[15:48:20] /usr/sbin/chroot [ Warning ]
[15:48:20] Warning: The file properties have changed:
[15:48:22] /usr/sbin/rsyslogd [ Warning ]
[15:48:22] Warning: The file properties have changed:
[15:48:23] /usr/bin/awk [ Warning ]
[15:48:23] Warning: The file properties have changed:
[15:48:23] Warning: No symbolic link target found for file '/usr/bin/awk' in the 'rkhunter.dat' file.
[15:48:23] /usr/bin/basename [ Warning ]
[15:48:23] Warning: The file properties have changed:
[15:48:24] /usr/bin/curl [ Warning ]
[15:48:24] Warning: The file '/usr/bin/curl' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:24] /usr/bin/cut [ Warning ]
[15:48:24] Warning: The file properties have changed:
[15:48:24] /usr/bin/dirname [ Warning ]
[15:48:24] Warning: The file properties have changed:
[15:48:25] /usr/bin/du [ Warning ]
[15:48:25] Warning: The file properties have changed:
[15:48:25] /usr/bin/env [ Warning ]
[15:48:25] Warning: The file properties have changed:
[15:48:25] /usr/bin/file [ Warning ]
[15:48:25] Warning: The file properties have changed:
[15:48:25] /usr/bin/GET [ Warning ]
[15:48:25] Warning: No symbolic link target found for file '/usr/bin/GET' in the 'rkhunter.dat' file.
[15:48:26] /usr/bin/groups [ Warning ]
[15:48:26] Warning: The file properties have changed:
[15:48:26] /usr/bin/head [ Warning ]
[15:48:26] Warning: The file properties have changed:
[15:48:26] /usr/bin/id [ Warning ]
[15:48:26] Warning: The file properties have changed:
[15:48:27] /usr/bin/ldd [ Warning ]
[15:48:27] Warning: The file properties have changed:
[15:48:27] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
[15:48:27] /usr/bin/less [ Warning ]
[15:48:27] Warning: No symbolic link target found for file '/usr/bin/less' in the 'rkhunter.dat' file.
[15:48:27] /usr/bin/locate [ Warning ]
[15:48:27] Warning: No symbolic link target found for file '/usr/bin/locate' in the 'rkhunter.dat' file.
[15:48:27] /usr/bin/logger [ Warning ]
[15:48:27] Warning: The file properties have changed:
[15:48:28] /usr/bin/mail [ Warning ]
[15:48:28] Warning: The file '/usr/bin/mail' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:28] /usr/bin/md5sum [ Warning ]
[15:48:28] Warning: The file properties have changed:
[15:48:29] /usr/bin/pkill [ Warning ]
[15:48:29] Warning: No symbolic link target found for file '/usr/bin/pkill' in the 'rkhunter.dat' file.
[15:48:29] /usr/bin/runcon [ Warning ]
[15:48:29] Warning: The file properties have changed:
[15:48:29] /usr/bin/sha1sum [ Warning ]
[15:48:29] Warning: The file properties have changed:
[15:48:30] /usr/bin/sha224sum [ Warning ]
[15:48:30] Warning: The file properties have changed:
[15:48:30] /usr/bin/sha256sum [ Warning ]
[15:48:30] Warning: The file properties have changed:
[15:48:30] /usr/bin/sha384sum [ Warning ]
[15:48:30] Warning: The file properties have changed:
[15:48:30] /usr/bin/sha512sum [ Warning ]
[15:48:30] Warning: The file properties have changed:
[15:48:31] /usr/bin/sort [ Warning ]
[15:48:31] Warning: The file properties have changed:
[15:48:31] /usr/bin/ssh [ Warning ]
[15:48:31] Warning: The file '/usr/bin/ssh' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:31] /usr/bin/stat [ Warning ]
[15:48:31] Warning: The file properties have changed:
[15:48:32] /usr/bin/tail [ Warning ]
[15:48:32] Warning: The file properties have changed:
[15:48:32] /usr/bin/telnet [ Warning ]
[15:48:32] Warning: The file '/usr/bin/telnet' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:32] /usr/bin/test [ Warning ]
[15:48:32] Warning: The file properties have changed:
[15:48:32] /usr/bin/touch [ Warning ]
[15:48:32] Warning: The file properties have changed:
[15:48:33] Warning: No symbolic link target found for file '/usr/bin/touch' in the 'rkhunter.dat' file.
[15:48:33] /usr/bin/tr [ Warning ]
[15:48:33] Warning: The file properties have changed:
[15:48:33] /usr/bin/uniq [ Warning ]
[15:48:33] Warning: The file properties have changed:
[15:48:33] /usr/bin/users [ Warning ]
[15:48:33] Warning: The file properties have changed:
[15:48:34] /usr/bin/w [ Warning ]
[15:48:34] Warning: No symbolic link target found for file '/usr/bin/w' in the 'rkhunter.dat' file.
[15:48:34] /usr/bin/wc [ Warning ]
[15:48:34] Warning: The file properties have changed:
[15:48:34] /usr/bin/wget [ Warning ]
[15:48:34] Warning: The file properties have changed:
[15:48:34] /usr/bin/whatis [ Warning ]
[15:48:34] Warning: The file properties have changed:
[15:48:34] /usr/bin/whereis [ Warning ]
[15:48:34] Warning: The file properties have changed:
[15:48:35] /usr/bin/which [ Warning ]
[15:48:35] Warning: No symbolic link target found for file '/usr/bin/which' in the 'rkhunter.dat' file.
[15:48:35] /usr/bin/who [ Warning ]
[15:48:35] Warning: The file properties have changed:
[15:48:35] /usr/bin/whoami [ Warning ]
[15:48:35] Warning: The file properties have changed:
[15:48:35] /usr/bin/gawk [ Warning ]
[15:48:35] Warning: The file '/usr/bin/gawk' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:35] /usr/bin/lwp-request [ Warning ]
[15:48:35] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script, ASCII text executable
[15:48:35] /usr/bin/bsd-mailx [ Warning ]
[15:48:35] Warning: The file '/usr/bin/bsd-mailx' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:35] /usr/bin/telnet.netkit [ Warning ]
[15:48:36] Warning: The file '/usr/bin/telnet.netkit' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:36] /sbin/depmod [ Warning ]
[15:48:36] Warning: No symbolic link target found for file '/sbin/depmod' in the 'rkhunter.dat' file.
[15:48:36] /sbin/fsck [ Warning ]
[15:48:36] Warning: The file properties have changed:
[15:48:36] /sbin/ifconfig [ Warning ]
[15:48:36] Warning: The file properties have changed:
[15:48:37] /sbin/ifdown [ Warning ]
[15:48:37] Warning: No symbolic link target found for file '/sbin/ifdown' in the 'rkhunter.dat' file.
[15:48:37] /sbin/insmod [ Warning ]
[15:48:37] Warning: No symbolic link target found for file '/sbin/insmod' in the 'rkhunter.dat' file.
[15:48:37] /sbin/ip [ Warning ]
[15:48:37] Warning: No symbolic link target found for file '/sbin/ip' in the 'rkhunter.dat' file.
[15:48:37] /sbin/lsmod [ Warning ]
[15:48:37] Warning: No symbolic link target found for file '/sbin/lsmod' in the 'rkhunter.dat' file.
[15:48:38] /sbin/modinfo [ Warning ]
[15:48:38] Warning: No symbolic link target found for file '/sbin/modinfo' in the 'rkhunter.dat' file.
[15:48:38] /sbin/modprobe [ Warning ]
[15:48:38] Warning: No symbolic link target found for file '/sbin/modprobe' in the 'rkhunter.dat' file.
[15:48:38] /sbin/rmmod [ Warning ]
[15:48:38] Warning: No symbolic link target found for file '/sbin/rmmod' in the 'rkhunter.dat' file.
[15:48:38] /sbin/route [ Warning ]
[15:48:38] Warning: The file properties have changed:
[15:48:39] /bin/bash [ Warning ]
[15:48:39] Warning: The file properties have changed:
[15:48:39] /bin/cat [ Warning ]
[15:48:39] Warning: The file properties have changed:
[15:48:40] /bin/chmod [ Warning ]
[15:48:40] Warning: The file properties have changed:
[15:48:40] /bin/chown [ Warning ]
[15:48:40] Warning: The file properties have changed:
[15:48:40] /bin/cp [ Warning ]
[15:48:40] Warning: The file properties have changed:
[15:48:40] /bin/date [ Warning ]
[15:48:40] Warning: The file properties have changed:
[15:48:41] /bin/df [ Warning ]
[15:48:41] Warning: The file properties have changed:
[15:48:41] /bin/dmesg [ Warning ]
[15:48:41] Warning: The file properties have changed:
[15:48:41] /bin/echo [ Warning ]
[15:48:41] Warning: The file properties have changed:
[15:48:43] /bin/ls [ Warning ]
[15:48:43] Warning: The file properties have changed:
[15:48:43] /bin/lsmod [ Warning ]
[15:48:43] Warning: No symbolic link target found for file '/bin/lsmod' in the 'rkhunter.dat' file.
[15:48:43] /bin/mktemp [ Warning ]
[15:48:43] Warning: The file properties have changed:
[15:48:43] /bin/more [ Warning ]
[15:48:43] Warning: The file properties have changed:
[15:48:43] /bin/mount [ Warning ]
[15:48:43] Warning: The file properties have changed:
[15:48:44] /bin/mv [ Warning ]
[15:48:44] Warning: The file properties have changed:
[15:48:44] /bin/netstat [ Warning ]
[15:48:44] Warning: The file properties have changed:
[15:48:44] /bin/pwd [ Warning ]
[15:48:44] Warning: The file properties have changed:
[15:48:45] /bin/readlink [ Warning ]
[15:48:45] Warning: The file properties have changed:
[15:48:45] /bin/sh [ Warning ]
[15:48:45] Warning: No symbolic link target found for file '/bin/sh' in the 'rkhunter.dat' file.
[15:48:45] /bin/touch [ Warning ]
[15:48:45] Warning: The file properties have changed:
[15:48:46] /bin/uname [ Warning ]
[15:48:46] Warning: The file properties have changed:
[15:48:46] /bin/which [ Warning ]
[15:48:46] Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script, ASCII text executable
[15:48:46] /etc/rkhunter.conf [ Warning ]
[15:48:46] Warning: The file '/etc/rkhunter.conf' exists on the system, but it is not present in the 'rkhunter.dat' file.
[16:08:55] Checking /dev for suspicious file types [ Warning ]
[16:08:55] Warning: Suspicious file types found in /dev:
[16:08:55] Checking for hidden files and directories [ Warning ]
[16:08:55] Warning: Hidden directory found: /etc/.java: directory
[16:08:55] Warning: Hidden directory found: /dev/.udev: directory
[16:08:55] Warning: Hidden file found: /dev/.blkid.tab: ASCII text
[16:08:55] Warning: Hidden file found: /dev/.blkid.tab.old: ASCII text
[16:08:55] Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
Я вижу, что некоторые из этих предупреждений вызваны обновлением rkhunter и наличием старых файлов конфигурации в /etc, но я не так уверен в других. Вы все еще думаете, что все выглядит нормально? Я искренне ценю помощь.
1 ответ
Решение
Если вы используете экспертные инструменты, также прочитайте руководство эксперта. У вас есть только предупреждения, без ошибок...;-)
Кроме того, руткиты - самые неприятные вредоносные программы, которые могут скрываться даже от охотников за руткитами. Прочтите FAQ, потому что правильный способ сделать это - загрузиться с live CD на CD-R или DVD-R (запишите один раз!), Смонтировать все свои жесткие диски только для чтения, установить программное обеспечение на RAM-диск и только тогда начинайте охоту.