Server anomaly, suspected intrusion: asking for advice

Post 1, posted 2006-12-21 09:37
When I got to work I found that the mail service on the server was not running; I suspect it had been rebooted.

A few things are abnormal:

1. Logging does not work: /var/log/messages and /var/log/secure only contain entries up to yesterday, nothing from today.
2. Passwords cannot be changed: changing the root password gives "asswd: Authentication failure", and changing another user's password gives "passwd: Authentication token manipulation error".

I am fairly inexperienced, so I would appreciate help working out what is causing this and how to fix it. Thanks.

Post 2, posted 2006-12-21 10:21
Check .bash_history, .bash_logout, .bash_profile and .bashrc in root's home directory for anything unusual.

Post 3, posted 2006-12-21 10:26
=========================
Which OS version? What does netstat -lnp show?
If the system is RPM-managed, run rpm -Va > aa right away and post aa so we can take a quick look.
Install chkrootkit and run it immediately: http://www.chkrootkit.org/

[Last edited by 飘雪心辰 on 2006-12-21 10:30]

Post 4, posted 2006-12-22 09:12
Thanks, 飘雪心辰.
The command output is below. For the password problem, I restored /etc/shadow and it works now, but I don't understand why it was damaged.
Looking at these results nothing seems wrong. The ports opened by system services are only http, ssh, ftp, smtp, pop3, rtsp and named; iptables restricts access to those ports, except that 30000-40000 is opened for ftp.
The remaining problem is that the system log does not record anything; it is stuck at the 20th. I don't know how to fix it and would appreciate any advice.

uname -a output:
Linux ******* 2.6.9-5.ELsmp #1 SMP Wed Jan 5 19:30:39 EST 2005 i686 i686 i386 GNU/Linux


netstat -lnp output:
tcp        0      0 0.0.0.0:995                 0.0.0.0:*                   LISTEN      6753/tcpserver
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      1970/mysqld
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN      6754/tcpserver
tcp        0      0 127.0.0.1:783               0.0.0.0:*                   LISTEN      6781/perl
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1798/portmap
tcp        0      0 ***.***.***.***:53             0.0.0.0:*                   LISTEN      2280/named
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      2280/named
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      2230/vsftpd
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      6769/tcpserver
tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN      2280/named
tcp        0      0 :::8000                     :::*                        LISTEN      2297/hlxserverplus
tcp        0      0 :::9090                     :::*                        LISTEN      2297/hlxserverplus
tcp        0      0 ::ffff:127.0.0.1:8005       :::*                        LISTEN      2186/java
tcp        0      0 :::8009                     :::*                        LISTEN      2186/java
tcp        0      0 :::554                      :::*                        LISTEN      2297/hlxserverplus
tcp        0      0 :::2222                     :::*                        LISTEN      1932/sshd
tcp        0      0 :::8080                     :::*                        LISTEN      2186/java
tcp        0      0 :::80                       :::*                        LISTEN      1590/httpd
tcp        0      0 :::13333                    :::*                        LISTEN      2297/hlxserverplus
udp        0      0 0.0.0.0:32769           0.0.0.0:*                           2280/named
udp        0      0 0.0.0.0:32771           0.0.0.0:*                           2297/hlxserverplus
udp        0      0 0.0.0.0:32772           0.0.0.0:*                           2297/hlxserverplus
udp        0      0 0.0.0.0:9875            0.0.0.0:*                           2297/hlxserverplus
udp        0      0 ***.***.***.***:53         0.0.0.0:*                           2280/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2280/named
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1798/portmap
udp        0      0 :::32770                :::*                                2280/named
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     4916   2072/xfs            /tmp/.font-unix/fs7100
unix  2      [ ACC ]     STREAM     LISTENING     4723   1970/mysqld         /tmp/mysql.sock
unix  2      [ ACC ]     STREAM     LISTENING     4651   1922/acpid          /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     31236  6764/clamd          /tmp/clamd
unix  2      [ ACC ]     STREAM     LISTENING     4854   2034/htt_server     /var/run/iiim/.iiimp-unix/9010
unix  2      [ ACC ]     STREAM     LISTENING     4975   2101/dbus-daemon-1  /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     4772   2002/gpm            /dev/gpmctl


chkrootkit output:

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.5/i386-linux-thread-multi/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/auto/Gaim/.packlist

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
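
An added example, not part of the thread: the netstat -lnp listing above checked against the services the poster says should be open. The EXPECTED table is my assumption built from post 4 (http, ssh on 2222 as listed, ftp, smtp, pop3, rtsp, named; pop3s on 995 added because the same tcpserver owns it); the sample input is a subset of the posted lines. Anything else bound to a network-facing address is reported, as is an expected port owned by an unexpected program name.

```python
import re
from dataclasses import dataclass

# One listener line of "netstat -lnp": proto, Recv-Q, Send-Q, local address,
# foreign address, state (TCP only) and PID/program.  Header lines and the
# UNIX-socket section do not match and are skipped.  The masked host
# ***.***.***.*** from the thread still parses because the host part is opaque.
LINE_RE = re.compile(
    r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+)\s+\S+\s+(?:LISTEN\s+)?(\d+)/(\S+)\s*$"
)
LOOPBACK = {"127.0.0.1", "::1", "::ffff:127.0.0.1"}

# Services the poster says should be listening (assumption built from post 4):
# http, ssh (on 2222 here), ftp, smtp, pop3, rtsp and named.  pop3s on 995 is
# added because the same tcpserver owns it.  Anything else is reported.
EXPECTED = {
    ("tcp", 80): "httpd", ("tcp", 2222): "sshd", ("tcp", 21): "vsftpd",
    ("tcp", 25): "tcpserver", ("tcp", 110): "tcpserver", ("tcp", 995): "tcpserver",
    ("tcp", 554): "hlxserverplus", ("tcp", 53): "named", ("udp", 53): "named",
}

# Constructed sample: a subset of the netstat lines posted in the thread.
SAMPLE = """
tcp        0      0 0.0.0.0:995                 0.0.0.0:*                   LISTEN      6753/tcpserver
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      1970/mysqld
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN      6754/tcpserver
tcp        0      0 127.0.0.1:783               0.0.0.0:*                   LISTEN      6781/perl
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1798/portmap
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      2230/vsftpd
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      6769/tcpserver
tcp        0      0 :::8000                     :::*                        LISTEN      2297/hlxserverplus
tcp        0      0 ::ffff:127.0.0.1:8005       :::*                        LISTEN      2186/java
tcp        0      0 :::2222                     :::*                        LISTEN      1932/sshd
tcp        0      0 :::80                       :::*                        LISTEN      1590/httpd
tcp        0      0 :::13333                    :::*                        LISTEN      2297/hlxserverplus
udp        0      0 0.0.0.0:32769           0.0.0.0:*                           2280/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2280/named
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    host: str
    port: int
    pid: int
    prog: str

    @property
    def loopback(self):
        return self.host in LOOPBACK


def parse_netstat(text):
    """Listener records from netstat -lnp output."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, local, pid, prog = m.groups()
        host, _, port = local.rpartition(":")   # works for IPv4 and IPv6 forms
        out.append(Listener(proto, host, int(port), int(pid), prog))
    return out


def audit(listeners, expected):
    """Findings as (kind, listener): 'unexpected' = port not on the list and
    reachable from the network; 'unexpected-local' = same but bound to
    loopback only; 'mismatch' = expected port owned by a different program."""
    findings = []
    for l in listeners:
        want = expected.get((l.proto, l.port))
        if want is None:
            findings.append(("unexpected-local" if l.loopback else "unexpected", l))
        elif want != l.prog:
            findings.append(("mismatch", l))
    return findings


if __name__ == "__main__":
    for kind, l in audit(parse_netstat(SAMPLE), EXPECTED):
        print(f"{kind:16} {l.proto}/{l.port:<6} {l.host:20} pid {l.pid} {l.prog}")
```

Run against the posted lines this reports mysqld on 3306, portmap on 111, the hlxserverplus ports 8000 and 13333 and named's UDP query port 32769 as network-reachable listeners outside the stated list, and spamd (perl on 783) plus the Tomcat shutdown port (java on 8005) as loopback-only ones. Each is explainable, but that is precisely the list a responder should reconcile against iptables and against what is supposed to be installed; the program-name check is there because a listener on an expected port owned by an unexpected binary is the case that a port-only comparison misses.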

Post 5, posted 2006-12-22 09:20
I can't make sense of the rpm -Va output:

........C   /usr/lib/gconv/gconv-modules.cache
........?   /bin/rpm
........?   /usr/bin/rpm2cpio
........?   /usr/lib/rpm/rpmd
........?   /usr/lib/rpm/rpmdb_deadlock
........?   /usr/lib/rpm/rpmdb_dump
........?   /usr/lib/rpm/rpmdb_load
........?   /usr/lib/rpm/rpmdb_stat
........?   /usr/lib/rpm/rpmdb_svc
........?   /usr/lib/rpm/rpmdb_verify
........?   /usr/lib/rpm/rpmfile
........?   /usr/lib/rpm/rpmi
........?   /usr/lib/rpm/rpmk
........?   /usr/lib/rpm/rpmq
S.5....TC c /etc/xinetd.d/eklogin
S.5....TC c /etc/xinetd.d/gssftp
S.5....TC c /etc/xinetd.d/klogin
S.5....TC c /etc/xinetd.d/krb5-telnet
S.5....TC c /etc/xinetd.d/kshell
S.5....T. c /etc/sysconfig/pcmcia
S.5....TC c /etc/xinetd.d/chargen
.......TC c /etc/xinetd.d/chargen-udp
S.5....TC c /etc/xinetd.d/daytime
S.5....TC c /etc/xinetd.d/daytime-udp
S.5....TC c /etc/xinetd.d/echo
S.5....TC c /etc/xinetd.d/echo-udp
S.5....TC c /etc/xinetd.d/time
S.5....TC c /etc/xinetd.d/time-udp
Unsatisfied dependencies for fetchmail-6.2.5-6.i386: smtpdaemon
S.5....T. c /etc/xml/catalog
S.5....T. c /usr/share/sgml/docbook/xmlcatalog
........?   /usr/X11R6/bin/xscreensaver
........?   /usr/bin/rpmgraph
........?   /usr/lib/rpm/rpmcache
.......TC c /etc/xinetd.d/rsync
.M.......   /opt
........?   /proc
........?   /selinux
........?   /sys
.....U...   /tmp
.M.......   /usr/local
.M.......   /usr/local/bin
missing     /var/mail
missing     /var/spool/mail
.......T. c /etc/krb5.conf
........?   /usr/lib/librpmbuild-4.3.so
S.5....T. c /etc/pam.d/system-auth
.....UG..   /usr/libexec/hal.hotplug
S.5....T. c /etc/openldap/ldap.conf
........?   /usr/bin/aspell
S.5....T. c /etc/krb.conf
S.5....T. c /etc/ldap.conf
.......T. c /etc/ssh/ssh_config
Unsatisfied dependencies for mdadm-1.6.0-2.i386: smtpdaemon
.M.......   /etc/cups
S.5....TC c /etc/cups/cupsd.conf
.......TC c /etc/cups/printers.conf
.M5....TC c /etc/xinetd.d/cups-lpd
.....UG..   /usr/bin/cancel.cups
.....UG..   /usr/bin/lp.cups
.....UG..   /usr/bin/lpq.cups
.....UG..   /usr/bin/lpr.cups
.....UG..   /usr/bin/lprm.cups
.....UG..   /usr/bin/lpstat.cups
.....UG..   /usr/sbin/lpc.cups
.....UG.. d /usr/share/man/man1/lp-cups.1.gz
.....UG.. d /usr/share/man/man1/lpq-cups.1.gz
.....UG.. d /usr/share/man/man1/lpr-cups.1.gz
.....UG.. d /usr/share/man/man1/lprm-cups.1.gz
.....UG.. d /usr/share/man/man1/lpstat-cups.1.gz
.....UG.. d /usr/share/man/man8/lpc-cups.8.gz
.M.......   /var/spool/cups/tmp
.......T. c /etc/yp.conf
........?   /usr/bin/elinks
Unsatisfied dependencies for mutt-1.4.1-10.i386: smtpdaemon
S.5....T. c /etc/samba/smb.conf
S.5....TC c /usr/share/a2ps/afm/fonts.map
S.5....T. c /etc/sysconfig/system-config-securitylevel
S.5....TC c /etc/sysconfig/rhn/rhn-applet
SM5....TC   /usr/share/rhn/rhn_applet/rhn_applet.pyc
SM5....TC   /usr/share/rhn/rhn_applet/rhn_applet_animation.pyc
SM5....TC   /usr/share/rhn/rhn_applet/rhn_applet_apt.pyc
SM5....TC   /usr/share/rhn/rhn_applet/rhn_applet_dialogs.pyc
SM5....TC   /usr/share/rhn/rhn_applet/rhn_applet_model.pyc
SM5....TC   /usr/share/rhn/rhn_applet/rhn_applet_protocols.pyc
SM5....TC   /usr/share/rhn/rhn_applet/rhn_applet_rpc.pyc
SM5....TC   /usr/share/rhn/rhn_applet/rhn_applet_rpm.pyc
SM5....TC   /usr/share/rhn/rhn_applet/rhn_applet_version.pyc
SM5....TC   /usr/share/rhn/rhn_applet/rhn_applet_yum.pyc
SM5....TC   /usr/share/rhn/rhn_applet/rhn_sources.pyc
SM5....TC   /usr/share/rhn/rhn_applet/rhn_utils.pyc
........?   /usr/X11R6/bin/beforelight
........?   /usr/lib/rpm/javadeps
........?   /usr/lib/rpm/rpmb
........?   /usr/lib/rpm/rpmdeps
.....UG..   /usr/lib/jvm-exports/java-1.4.2-gcj-1.4.2.0
.....UG..   /usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre
.....UG..   /usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre/bin/java
.....UG..   /usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre/bin/rmiregistry
.....UG..   /etc/X11/xinit/xinput.d/iiimf
.....UG..   /etc/X11/xinit/xinput.d/iiimf
S.5....TC   /usr/share/firstboot/modules/eula.pyc
........? c /etc/group
........? c /etc/passwd
S.5....T. c /etc/profile
S.5....TC c /etc/hotplug/usb.usermap
........C c /usr/share/info/dir
S.5....T? c /etc/inittab
S.5....T. c /etc/rc.d/rc.local
.......T. c /etc/libuser.conf
........?   /usr/bin/bzip2
S.5....T. c /etc/pam_smb.conf
S.5....T. c /etc/ssh/sshd_config
........?   /var/lib/nfs/rpc_pipefs
S.5....TC c /etc/sysconfig/rhn/up2date-uuid
SM5....TC   /usr/share/firstboot/modules/rhn_activate_gui.pyc
SM5....TC   /usr/share/firstboot/modules/rhn_login_gui.pyc
SM5....TC   /usr/share/firstboot/modules/rhn_newaccount_gui.pyc
SM5....TC   /usr/share/firstboot/modules/rhn_optout_gui.pyc
SM5....TC   /usr/share/firstboot/modules/rhn_shared.pyc
Unsatisfied dependencies for redhat-lsb-1.3-5.2.i386: /usr/sbin/sendmail
........C c /etc/X11/fs/config
........C   /var/lib/scrollkeeper
.....UG..   /usr/bin/etags.emacs
Unsatisfied dependencies for mysql-devel-4.1.7-4.RHEL4.1.i386: mysql = 4.1.7
....L...C   /usr/include/mysql
missing     /usr/include/mysql/chardefs.h
S.5...GTC   /usr/include/mysql/errmsg.h
missing     /usr/include/mysql/history.h
S.5...GTC   /usr/include/mysql/keycache.h
missing     /usr/include/mysql/keymaps.h
S.5...GTC   /usr/include/mysql/m_ctype.h
S.5...GTC   /usr/include/mysql/m_string.h
......GTC   /usr/include/mysql/my_alloc.h
S.5...GTC   /usr/include/mysql/my_config.h
S.5...GTC   /usr/include/mysql/my_dbug.h
......GTC   /usr/include/mysql/my_dir.h
......GTC   /usr/include/mysql/my_getopt.h
S.5...GTC   /usr/include/mysql/my_global.h
S.5...GTC   /usr/include/mysql/my_list.h
......GTC   /usr/include/mysql/my_net.h
......GTC   /usr/include/mysql/my_no_pthread.h
S.5...GTC   /usr/include/mysql/my_pthread.h
......GTC   /usr/include/mysql/my_semaphore.h
S.5...GTC   /usr/include/mysql/my_sys.h
......GTC   /usr/include/mysql/my_xml.h
S.5...GTC   /usr/include/mysql/mysql.h
S.5...GTC   /usr/include/mysql/mysql_com.h
......GTC   /usr/include/mysql/mysql_embed.h
S.5...GTC   /usr/include/mysql/mysql_time.h
S.5...GTC   /usr/include/mysql/mysql_version.h
......GTC   /usr/include/mysql/mysqld_error.h
S.5...GTC   /usr/include/mysql/raid.h
missing     /usr/include/mysql/readline.h
missing     /usr/include/mysql/rlmbutil.h
missing     /usr/include/mysql/rlprivate.h
missing     /usr/include/mysql/rlshell.h
missing     /usr/include/mysql/rltypedefs.h
......GTC   /usr/include/mysql/sql_common.h
......GTC   /usr/include/mysql/sql_state.h
......GTC   /usr/include/mysql/sslopt-case.h
......GTC   /usr/include/mysql/sslopt-longopts.h
......GTC   /usr/include/mysql/sslopt-vars.h
missing     /usr/include/mysql/tilde.h
S.5...GTC   /usr/include/mysql/typelib.h
missing     /usr/include/mysql/xmalloc.h
....L...C   /usr/lib/mysql
S.5...GTC   /usr/lib/mysql/libdbug.a
missing     /usr/lib/mysql/libheap.a
missing     /usr/lib/mysql/libmerge.a
missing     /usr/lib/mysql/libmyisam.a
missing     /usr/lib/mysql/libmyisammrg.a
S.5...GTC   /usr/lib/mysql/libmysqlclient.a
missing     /usr/lib/mysql/libmysqlclient.so
S.5...GTC   /usr/lib/mysql/libmysqlclient_r.a
missing     /usr/lib/mysql/libmysqlclient_r.so
S.5...GTC   /usr/lib/mysql/libmystrings.a
S.5...GTC   /usr/lib/mysql/libmysys.a
missing     /usr/lib/mysql/libnisam.a
missing     /usr/lib/mysql/libvio.a
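
An added example, not from the thread: a small parser for rpm -Va output that sorts each line by what a responder would look at first. The column legend follows rpm's verify format, with the ninth column read as SELinux context on this RHEL4-era rpm (newer rpm prints P, capabilities, in that position); the sensitive-path and executable-directory lists are my own choice, and the sample is taken from the lines posted above. What it makes visible in that output: /etc/pam.d/system-auth, /etc/ssh/sshd_config, /etc/profile and /etc/inittab all differ in size and digest from their packages, /etc/passwd, /etc/group, /bin/rpm and /usr/bin/bzip2 could not be verified at all (the "?" column), and the only content changes under /usr/lib are the mysql static libraries that the "Unsatisfied dependencies" line for mysql-devel already accounts for.

```python
import re
from dataclasses import dataclass

# rpm -Va line layout: nine test columns, an optional file-class letter
# (c config, d documentation, g ghost, l license, r readme) and the path.
# Columns: S size, M mode, 5 digest, D device, L symlink target, U user,
# G group, T mtime; "." = passed, "?" = test could not be run.  The ninth
# column is "C" on the RHEL4-era rpm in this thread, which I read as SELinux
# context (newer rpm prints P, capabilities, there).
VERIFY_RE = re.compile(r"^(\S{9})\s+(?:([cdglr])\s+)?(/\S*)$")

# Paths where an edited config changes who can log in or what runs at boot.
# My own list; extend it for the host in question.
SENSITIVE_CONFIG = (
    "/etc/pam.d/", "/etc/ssh/", "/etc/passwd", "/etc/group", "/etc/shadow",
    "/etc/inittab", "/etc/profile", "/etc/rc.d/", "/etc/ld.so.preload",
    "/etc/crontab", "/etc/cron.d/", "/etc/sudoers", "/etc/xinetd.d/",
    "/etc/security/",
)
EXEC_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/",
             "/usr/lib/", "/usr/libexec/", "/usr/X11R6/bin/")

# Constructed sample: lines taken from the rpm -Va output posted above.
SAMPLE = """\
........C   /usr/lib/gconv/gconv-modules.cache
........?   /bin/rpm
S.5....TC c /etc/xinetd.d/eklogin
.M.......   /opt
missing     /var/mail
S.5....T. c /etc/pam.d/system-auth
.....UG..   /usr/libexec/hal.hotplug
........? c /etc/passwd
S.5....T? c /etc/inittab
SM5....TC   /usr/share/rhn/rhn_applet/rhn_applet.pyc
Unsatisfied dependencies for mysql-devel-4.1.7-4.RHEL4.1.i386: mysql = 4.1.7
S.5...GTC   /usr/include/mysql/errmsg.h
"""


@dataclass
class Finding:
    path: str
    flags: str      # the nine-column field, or "missing"
    attr: str       # file-class letter or ""
    severity: str   # high / medium / low
    reason: str


def classify(path, flags, attr):
    """Order of the tests matters: a content change on a sensitive config
    outranks an incomplete test on the same line."""
    if flags == "missing":
        return "medium", "file is missing"
    if "S" in flags or "5" in flags:
        if attr == "c":
            if path.startswith(SENSITIVE_CONFIG):
                return "high", "security-relevant config differs from the package"
            return "low", "config file edited (normal on an administered host)"
        if path.startswith(EXEC_DIRS) and not path.endswith(".pyc"):
            return "high", "executable or library content differs from the package"
        return "medium", "non-config file content differs from the package"
    if "?" in flags:
        return "medium", "verification could not be completed"
    if any(c in flags for c in "MUGLD"):
        return "medium", "mode, owner, group, link target or device differs"
    return "low", "only mtime or SELinux context differs"


def parse_rpm_verify(text):
    """Returns (findings, dependency notes); unrecognised lines are ignored."""
    findings, deps = [], []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("Unsatisfied dependencies"):
            deps.append(line)
            continue
        if line.startswith("missing"):
            parts = line.split()               # "missing [c] /path"
            flags, attr, path = "missing", parts[1] if len(parts) == 3 else "", parts[-1]
        else:
            m = VERIFY_RE.match(line)
            if not m:
                continue
            flags, attr, path = m.group(1), m.group(2) or "", m.group(3)
        sev, why = classify(path, flags, attr)
        findings.append(Finding(path, flags, attr, sev, why))
    return findings, deps


def summary(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    found, deps = parse_rpm_verify(SAMPLE)
    for f in sorted(found, key=lambda f: ("high", "medium", "low").index(f.severity)):
        print(f"{f.severity:6} {f.flags:9} {f.attr:1} {f.path}  ({f.reason})")
    print(summary(found), deps)
```

The point of the ordering is that rpm -Va on a working host is never empty: edited configs, regenerated .pyc files and ownership tweaks are routine, while a size or digest change on something under /bin, /sbin or /usr/lib, or a "?" on a file rpm should always be able to read, is what to chase. A digest match also only proves the file equals what the package database says; on a host where rpm itself could not be verified, confirm the package set against a clean installation or the vendor's checksums before trusting the database.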

Post 6, posted 2006-12-22 09:31
Hard to say; if there were an IDS in place it would be much easier.

Post 7, posted 2006-12-22 12:13
==================
This kernel does have a vulnerability, the same as my company's server: anyone with an ordinary user account, or any way of interacting with the server, can compromise it and escalate to superuser. At my company the boss doesn't care, so I can't be bothered to upgrade; it's enough to know about it. If some hacker has what it takes, let them come, I'm waiting.
Originally posted by uncooldog on 2006-12-21 09:37:
When I got to work I found that the mail service on the server was not running; I suspect it had been rebooted.
2. Passwords cannot be changed: changing the root password gives "asswd: Authentication failure", and changing another user's password gives "passwd: Authentication token manipulation error".

Your root password error is most likely related to this file. Post the contents of /etc/pam.d/system-auth, and also the output of

  1. stat /etc/pam.d/system-auth
  2. stat /tmp
  3. ll /tmp/

so we can have a look.
Originally posted by uncooldog on 2006-12-22 09:20:
S.5....T. c /etc/pam.d/system-auth

From the output, also keep an eye on these two files: S.5....T. c /etc/profile and S.5....T? c /etc/inittab (the latter was probably changed when qmail was installed).
Also:
Unsatisfied dependencies for mysql-devel-4.1.7-4.RHEL4.1.i386: mysql = 4.1.7
....L...C   /usr/include/mysql
missing     /usr/include/mysql/chardefs.h
S.5...GTC   /usr/include/mysql/errmsg.h
missing     /usr/include/mysql/history.h
S.5...GTC   /usr/include/mysql/keycache.h
missing     /usr/include/mysql/keymaps.h

How did your mysql-devel package end up like this?

Quoting: "The remaining problem is that the system log does not record anything; it is stuck at the 20th, and I don't know how to fix it."

Try

  1. service syslogd status

What does it report? What does the messages log show?

If you can, post this week's messages file.
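
An added example, not part of the thread: the checks behind the three stat/ll commands and the syslog question above, written as Python functions. make_demo_dir builds a constructed stand-in directory so the functions can be exercised offline; on the real host they would be pointed at /etc/pam.d/system-auth, /tmp and /var/log/messages, and the uid argument left at its root default.

```python
import os
import stat
import tempfile
import time
from datetime import datetime, timezone


def describe(path):
    """The `stat` fields that matter for triage: mode, owner and all three
    timestamps.  ctime cannot be set with touch -t (the kernel moves it to
    "now" on any inode change), so an mtime far older than ctime on a file
    that is supposed to be untouched deserves a second look."""
    st = os.lstat(path)

    def iso(t):
        return datetime.fromtimestamp(t, timezone.utc).isoformat(timespec="seconds")

    return {"mode": f"{stat.S_IMODE(st.st_mode):04o}", "uid": st.st_uid,
            "gid": st.st_gid, "mtime": iso(st.st_mtime),
            "ctime": iso(st.st_ctime), "atime": iso(st.st_atime)}


def check_tmp(path="/tmp", expect_uid=0):
    """Problems with a shared temp directory: it must be a directory, mode
    1777 (sticky bit set) and owned by root.  Returns a list of issues."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    issues = []
    if not mode & stat.S_ISVTX:
        issues.append("sticky bit missing: users can delete each other's files")
    if mode != 0o1777:
        issues.append(f"mode is {mode:04o}, expected 1777")
    if st.st_uid != expect_uid:
        issues.append(f"owner uid is {st.st_uid}, expected {expect_uid}")
    return issues


def suspicious_tmp_entries(path="/tmp"):
    """What a reviewer scans `ll /tmp` for: hidden names and executable
    regular files, the usual places planted tools turn up."""
    hits = []
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        hidden = name.startswith(".")
        executable = stat.S_ISREG(st.st_mode) and bool(st.st_mode & 0o111)
        if hidden or executable:
            hits.append({"name": name, "hidden": hidden, "executable": executable,
                         "mode": f"{stat.S_IMODE(st.st_mode):04o}"})
    return hits


def log_age_hours(path, now=None):
    """Hours since the log file was last written."""
    now = time.time() if now is None else now
    return (now - os.stat(path).st_mtime) / 3600.0


def stale_logs(paths, max_hours=24.0, now=None):
    """Logs not written within max_hours (age in hours) or missing (None).
    A running syslogd process does not by itself prove that messages are
    being written; the file's mtime does."""
    result = []
    for p in paths:
        if not os.path.exists(p):
            result.append((p, None))
        else:
            age = log_age_hours(p, now)
            if age > max_hours:
                result.append((p, round(age, 1)))
    return result


def make_demo_dir():
    """Constructed stand-in for /tmp and /var/log so the checks run offline:
    a 1777 directory holding a 'messages' file last written three days ago,
    a hidden file and an executable."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o1777)
    for name, mode in (("messages", 0o644), (".hidden", 0o644), ("tool", 0o755)):
        p = os.path.join(d, name)
        open(p, "w").close()
        os.chmod(p, mode)
    old = time.time() - 3 * 86400
    os.utime(os.path.join(d, "messages"), (old, old))
    return d


if __name__ == "__main__":
    d = make_demo_dir()
    print(describe(os.path.join(d, "messages")))
    print("tmp issues:", check_tmp(d, expect_uid=os.getuid()))
    print("tmp entries:", suspicious_tmp_entries(d))
    print("stale:", stale_logs([os.path.join(d, "messages"), os.path.join(d, "secure")]))
```

The staleness check is the one that matches the poster's symptom: a messages file whose mtime has not moved since the 20th on a host that has been up since is evidence on its own, independent of what the init script reports, and a file the process has open but that is no longer at the expected path (deleted or rotated out from under it) shows up the same way.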

Post 8, posted 2006-12-22 14:05
Originally posted by 飘雪心辰 on 2006-12-22 12:13:
==================
This kernel does have a vulnerability, the same as my company's server: anyone with an ordinary user account, or any way of interacting with the server, can compromise it and escalate to superuser. At my company the boss doesn't care, so I can't be bothered to upgrade; it's enough to ...


Where did you learn that this kernel has a vulnerability?

And what about the 2.6.9-11.EL kernel?

Post 9, posted 2006-12-22 15:10
====================
I saw it here:
uname -a output:
Linux ******* 2.6.9-5.ELsmp #1 SMP Wed Jan 5 19:30:39 EST 2005 i686 i686 i386 GNU/Linux

As for you:
Where did you learn that this kernel has a vulnerability?

And what about the 2.6.9-11.EL kernel?

Aren't you running Red Hat's kernel just the same? I have exploits that turn an ordinary user into superuser, and besides, people posted that kind of exploit in the "Network Security" section of 清茶 long ago. Give me a version number I don't recognise and I'll shut up.

Post 10, posted 2006-12-22 15:48
It could be that your ssh or ftp service has a vulnerability. As far as I know, the ssh and ftp software shipped with some Linux versions has overflow vulnerabilities, and after a hacker scans and attacks them /etc/shadow ends up damaged.