Chinaunix

Title: Freshly installed system, root password tampered with, asking for advice, thanks

Author: softbeast    Time: 2008-05-22 15:05
The system was installed only yesterday, Debian 4.0 r3. The server has only just gone online and nobody knows about it. But this morning the root password was suddenly changed. root was using the default password rootroot set by the hosting company.

Below is part of auth.log. A user called adi was added, and later that group was deleted again. @@ It's quite a headache. I've only just started with this system and don't know what I need to watch out for. After the log I've also added the current user list (the contents of /etc/passwd); I hope someone can help me check whether there are any hidden users in there (I haven't created any new users).

By the way, would the intruder have put something on my server and then used it to log back into my server? Thanks, everyone.

May 22 16:38:12 fih sshd[6184]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=209.40.64.220
May 22 16:38:14 fih sshd[6184]: Failed password for invalid user erika from 209.40.64.220 port 50064 ssh2
May 22 16:38:16 fih sshd[6186]: reverse mapping checking getaddrinfo for 209-40-64-220-wantel.net [209.40.64.220] failed - POSSIBLE BREAK-IN ATTEMPT!
May 22 16:38:16 fih sshd[6186]: Invalid user eva from 209.40.64.220
May 22 16:38:16 fih sshd[6186]: pam_unix(sshd:auth): check pass; user unknown
May 22 16:38:16 fih sshd[6186]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=209.40.64.220
May 22 16:38:18 fih sshd[6186]: Failed password for invalid user eva from 209.40.64.220 port 50181 ssh2
May 22 16:38:20 fih sshd[6188]: reverse mapping checking getaddrinfo for 209-40-64-220-wantel.net [209.40.64.220] failed - POSSIBLE BREAK-IN ATTEMPT!
May 22 16:38:20 fih sshd[6188]: Invalid user flora from 209.40.64.220
May 22 16:38:20 fih sshd[6188]: pam_unix(sshd:auth): check pass; user unknown
May 22 16:38:20 fih sshd[6188]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=209.40.64.220
May 22 16:38:22 fih sshd[6188]: Failed password for invalid user flora from 209.40.64.220 port 50289 ssh2
May 22 16:38:26 fih sshd[6190]: reverse mapping checking getaddrinfo for 209-40-64-220-wantel.net [209.40.64.220] failed - POSSIBLE BREAK-IN ATTEMPT!
May 22 16:38:26 fih sshd[6190]: Invalid user franziska from 209.40.64.220
May 22 16:38:26 fih sshd[6190]: pam_unix(sshd:auth): check pass; user unknown
May 22 16:38:26 fih sshd[6190]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=209.40.64.220
May 22 16:38:29 fih sshd[6190]: Failed password for invalid user franziska from 209.40.64.220 port 50414 ssh2
May 22 16:38:30 fih sshd[6192]: reverse mapping checking getaddrinfo for 209-40-64-220-wantel.net [209.40.64.220] failed - POSSIBLE BREAK-IN ATTEMPT!
May 22 16:38:30 fih sshd[6192]: Invalid user frauke from 209.40.64.220
May 22 16:38:30 fih sshd[6192]: pam_unix(sshd:auth): check pass; user unknown
May 22 16:38:30 fih sshd[6192]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=209.40.64.220
May 22 16:38:33 fih sshd[6192]: Failed password for invalid user frauke from 209.40.64.220 port 50633 ssh2
May 22 16:39:01 fih CRON[6196]: pam_unix(cron:session): session opened for user root by (uid=0)
May 22 16:39:01 fih CRON[6196]: pam_unix(cron:session): session closed for user root
May 22 16:44:47 fih passwd[6165]: pam_unix(passwd:chauthtok): password changed for adi
May 22 16:45:07 fih chfn[6204]: changed user `adi' information
May 22 16:45:07 fih userdel[6206]: delete user `adi'
May 22 16:45:07 fih userdel[6206]: removed group `adi' owned by `adi'
May 22 16:57:29 fih sshd[6237]: Did not receive identification string from 60.2.91.228
May 22 17:09:01 fih CRON[6238]: pam_unix(cron:session): session opened for user root by (uid=0)
May 22 17:09:01 fih CRON[6238]: pam_unix(cron:session): session closed for user root
May 22 17:17:01 fih CRON[6246]: pam_unix(cron:session): session opened for user root by (uid=0)
May 22 17:17:01 fih CRON[6246]: pam_unix(cron:session): session closed for user root
May 22 17:39:01 fih CRON[6249]: pam_unix(cron:session): session opened for user root by (uid=0)
May 22 17:39:01 fih CRON[6249]: pam_unix(cron:session): session closed for user root
May 22 18:09:01 fih CRON[6257]: pam_unix(cron:session): session opened for user root by (uid=0)
May 22 18:09:01 fih CRON[6257]: pam_unix(cron:session): session closed for user root
May 22 18:17:01 fih CRON[6265]: pam_unix(cron:session): session opened for user root by (uid=0)
May 22 18:17:01 fih CRON[6265]: pam_unix(cron:session): session closed for user root
May 22 18:39:01 fih CRON[6268]: pam_unix(cron:session): session opened for user root by (uid=0)
May 22 18:39:01 fih CRON[6268]: pam_unix(cron:session): session closed for user root
May 22 19:05:53 fih sshd[6276]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:05:55 fih sshd[6276]: Failed password for root from 210.188.206.245 port 56773 ssh2
May 22 19:05:56 fih sshd[6278]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:05:58 fih sshd[6278]: Failed password for root from 210.188.206.245 port 57344 ssh2
May 22 19:06:00 fih sshd[6280]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:06:01 fih sshd[6280]: Failed password for root from 210.188.206.245 port 57773 ssh2
May 22 19:06:02 fih sshd[6282]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:06:04 fih sshd[6282]: Failed password for root from 210.188.206.245 port 58190 ssh2
May 22 19:06:05 fih sshd[6284]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:06:07 fih sshd[6284]: Failed password for root from 210.188.206.245 port 58531 ssh2
May 22 19:06:09 fih sshd[6286]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:06:10 fih sshd[6286]: Failed password for root from 210.188.206.245 port 59038 ssh2
May 22 19:06:11 fih sshd[6288]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:06:13 fih sshd[6288]: Failed password for root from 210.188.206.245 port 59428 ssh2
May 22 19:06:14 fih sshd[6290]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:06:15 fih sshd[6290]: Failed password for root from 210.188.206.245 port 59805 ssh2
May 22 19:06:17 fih sshd[6292]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:06:19 fih sshd[6292]: Failed password for root from 210.188.206.245 port 60144 ssh2
May 22 19:06:21 fih sshd[6294]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:06:23 fih sshd[6294]: Failed password for root from 210.188.206.245 port 60632 ssh2
May 22 19:06:25 fih sshd[6296]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:06:27 fih sshd[6296]: Failed password for root from 210.188.206.245 port 32886 ssh2
May 22 19:06:28 fih sshd[6298]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:06:30 fih sshd[6298]: Failed password for root from 210.188.206.245 port 33324 ssh2
May 22 19:06:31 fih sshd[6300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:06:33 fih sshd[6300]: Failed password for root from 210.188.206.245 port 33802 ssh2
May 22 19:06:35 fih sshd[6302]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:06:36 fih sshd[6302]: Failed password for root from 210.188.206.245 port 34352 ssh2
May 22 19:06:37 fih sshd[6304]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:06:39 fih sshd[6304]: Failed password for root from 210.188.206.245 port 34791 ssh2
May 22 19:06:40 fih sshd[6306]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:06:43 fih sshd[6306]: Failed password for root from 210.188.206.245 port 35245 ssh2
May 22 19:06:44 fih sshd[6308]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:06:46 fih sshd[6308]: Failed password for root from 210.188.206.245 port 35751 ssh2
May 22 19:06:47 fih sshd[6310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:06:48 fih sshd[6310]: Failed password for root from 210.188.206.245 port 36206 ssh2
May 22 19:06:50 fih sshd[6312]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:06:51 fih sshd[6312]: Failed password for root from 210.188.206.245 port 36585 ssh2
May 22 19:06:52 fih sshd[6314]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:06:54 fih sshd[6314]: Failed password for root from 210.188.206.245 port 36945 ssh2
May 22 19:06:56 fih sshd[6316]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:06:57 fih sshd[6316]: Failed password for root from 210.188.206.245 port 37448 ssh2
May 22 19:06:58 fih sshd[6318]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:07:00 fih sshd[6318]: Failed password for root from 210.188.206.245 port 37832 ssh2
May 22 19:07:01 fih sshd[6320]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.188.206.245  user=root
May 22 19:07:03 fih sshd[6320]: Failed password for root from 210.188.206.245 port 38212 ssh2
Below is /etc/passwd

root:0:0:root:/root:/bin/bash
daemon:1:1:daemon:/usr/sbin:/bin/sh
bin:2:2:bin:/bin:/bin/sh
sys:3:3:sys:/dev:/bin/sh
sync:4:65534:sync:/bin:/bin/sync
games:5:60:games:/usr/games:/bin/sh
man:6:12:man:/var/cache/man:/bin/sh
lp:7:7:lp:/var/spool/lpd:/bin/sh
mail:8:8:mail:/var/mail:/bin/sh
news:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
root1:x:1000:1000:root1,,,:/home/root1:/bin/bash
sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin
libuuid:x:101:103::/var/lib/libuuid:/bin/sh
mysql:x:102:104:MySQL Server,,,:/var/lib/mysql:/bin/false
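An added triage example (not code from the thread): it parses lines in the same format as the auth.log excerpt above and answers the questions a defender would ask of it: which hosts are brute-forcing, which account-management events appear, whether any "Accepted" SSH login explains them, and whether the PIDs show the session that ran passwd began before the part of the log that was posted. The sample lines are a constructed subset of the excerpt.

```python
import re
from collections import Counter

# Constructed sample in the format of the auth.log excerpt above (a few of
# its lines, not the full excerpt).
SAMPLE_LOG = """\
May 22 16:38:14 fih sshd[6184]: Failed password for invalid user erika from 209.40.64.220 port 50064 ssh2
May 22 16:38:18 fih sshd[6186]: Failed password for invalid user eva from 209.40.64.220 port 50181 ssh2
May 22 16:38:22 fih sshd[6188]: Failed password for invalid user flora from 209.40.64.220 port 50289 ssh2
May 22 16:44:47 fih passwd[6165]: pam_unix(passwd:chauthtok): password changed for adi
May 22 16:45:07 fih userdel[6206]: delete user `adi'
May 22 19:05:55 fih sshd[6276]: Failed password for root from 210.188.206.245 port 56773 ssh2
May 22 19:05:58 fih sshd[6278]: Failed password for root from 210.188.206.245 port 57344 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
# Tools that create, modify or delete accounts; every line from them deserves a look.
ACCOUNT_PROGS = {"passwd", "useradd", "userdel", "usermod", "chfn", "chsh", "groupadd", "groupdel"}

def parse(text):
    """Split syslog-style lines into ts, host, prog, pid, msg; skip anything else."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return [dict(m.groupdict(), pid=int(m["pid"])) for m in matches if m]

def failed_logins(events):
    """Count failed SSH password attempts per source IP (the brute-force sources)."""
    hits = (FAILED_RE.search(e["msg"]) for e in events if e["prog"] == "sshd")
    return Counter(m["ip"] for m in hits if m)

def accepted_logins(events):
    """Successful SSH logins as (user, ip) pairs. An empty list means the session
    that made the account changes is not in this excerpt, or did not come via sshd."""
    hits = (ACCEPTED_RE.search(e["msg"]) for e in events if e["prog"] == "sshd")
    return [(m["user"], m["ip"]) for m in hits if m]

def account_changes(events):
    """Every account-management event (passwd, userdel, chfn, ...) in the excerpt."""
    return [e for e in events if e["prog"] in ACCOUNT_PROGS]

def changes_started_before_excerpt(events):
    """Account tools whose PID is below the first sshd PID were forked before the
    first SSH attempt shown, so the interactive session that ran them began
    earlier than the excerpt (assumes no PID wraparound: fine on a fresh host)."""
    sshd_pids = [e["pid"] for e in events if e["prog"] == "sshd"]
    return [e for e in account_changes(events) if sshd_pids and e["pid"] < min(sshd_pids)]
```

On the excerpt above this flags passwd[6165] as started before sshd[6184], which is why the earlier part of auth.log (before 16:38) is the part worth reading next.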
Author: swordfish.cn    Time: 2008-05-22 16:31
You've got to be kidding; every single user has an interactive login shell. Looks like a newbie.
To check for backdoors and the like, try rootkit hunter.
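An added audit example (not code from the thread) serving both the first post's question about hidden users and swordfish.cn's point about interactive shells: it parses an /etc/passwd listing and reports extra UID-0 accounts, system accounts with an interactive shell, the human accounts that each need an owner, and lines that do not have seven fields (the first ten lines of the listing above have six, so a parser should report them rather than guess). The sample is constructed from a few lines of the listing plus one constructed "toor" line for the test.

```python
# Constructed sample in the format of the /etc/passwd listing above: a few of its
# real lines, one line with the missing password field exactly as it appears in
# the thread's copy, and a constructed second UID-0 account ("toor") for the test.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:2:2:bin:/bin:/bin/sh
games:x:5:60:games:/usr/games:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
root1:x:1000:1000:root1,,,:/home/root1:/bin/bash
sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:102:104:MySQL Server,,,:/var/lib/mysql:/bin/false
toor:x:0:0::/root:/bin/bash
"""

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh", "/bin/ksh"}
NOBODY_UID = 65534

def parse_passwd(text):
    """Return (rows, malformed). A row is a dict of the passwd fields; lines that
    do not split into exactly 7 fields are reported rather than guessed at."""
    rows, malformed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        f = line.split(":")
        if len(f) != 7 or not f[2].isdigit() or not f[3].isdigit():
            malformed.append((n, line))
            continue
        rows.append({"name": f[0], "uid": int(f[2]), "gid": int(f[3]),
                     "home": f[5], "shell": f[6]})
    return rows, malformed

def audit_passwd(text, uid_min=1000):
    """Findings a defender checks first: extra UID-0 accounts, system accounts
    with an interactive shell, and the human accounts that must each be accounted
    for. A shell alone is not a login path: pair this with /etc/shadow (a '*' or
    '!' hash means no password login) and each home's .ssh/authorized_keys."""
    rows, malformed = parse_passwd(text)
    return {
        "malformed": malformed,
        "extra_uid0": [r["name"] for r in rows if r["uid"] == 0 and r["name"] != "root"],
        "system_with_shell": [r["name"] for r in rows
                              if 0 < r["uid"] < uid_min and r["shell"] in INTERACTIVE_SHELLS],
        "human_accounts": [r["name"] for r in rows
                           if r["uid"] >= uid_min and r["uid"] != NOBODY_UID],
    }
```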
Author: sision    Time: 2008-05-22 16:40
Waiting, waiting.
Author: softbeast    Time: 2008-05-22 16:44
I'm a total beginner..... so I have to ask you all. I have almost no idea what's going on 555
Author: softbeast    Time: 2008-05-23 00:19
Bumping... not many people come to the newbie section? @@
Author: kerrywu    Time: 2008-05-23 08:50
Buddy, to find out whether the system currently has any other backdoor programs, you can use chkconfig to see which services look abnormal.

There are many transient (inetd-started) services that we don't need, or that the system doesn't provide. Some services are a serious security risk in themselves, for example telnet, ftp, rlogin, rcp and so on. They should be disabled through inetd or xinetd.
For standalone daemons, we can likewise shut down the services we don't need. The files under /etc/init.d/ are all symlinked into /etc/rcN.d/, where the corresponding runlevel controls whether they are started or stopped.
So we should also go to /etc/rcN.d/ and delete those link files.

Welcome to Chinaunix (http://bbs.chinaunix.net/) Powered by Discuz! X3.2