Chinaunix forum

Help: how do I remove the suckit backdoor program?
Views: 3304 | Replies: 3

#1  Posted 2005-12-28 20:37
Our company's Linux AS3 web server suddenly showed increased traffic, an excessive number of connections and abnormal processes. A chkrootkit check found the suckit backdoor. Following the method posted online:

for i in `seq 1 33000`; do test -f $i/cmdline && (cat $i/cmdline; echo "--$i"); done

looking in /proc shows the following:

init [3]--1
--2
--3
--4
--5
--6
--7
--8
--9
--10
--11
--17
--18
--19
--20
--73
--201
--202
--203
--204
--205
--206
--207
syslogd-m0--468
klogd-x--472
portmap--481
rpc.statd--500
/usr/sbin/sshd--523
rpc.rquotad--540
--544
--545
--546
--547
--548
--549
--550
--551
--552
--553
rpc.mountd--559
crond--568
/usr/local/bin/rsync--daemon--589
/sbin/mingettytty1--621
/sbin/mingettytty2--623
/sbin/mingettytty3--624
/sbin/mingettytty4--625
/sbin/mingettytty5--626
/sbin/mingettytty6--627
/usr/apache/bin/httpd--9681
/usr/apache/bin/httpd--19268
/usr/apache/bin/httpd--19269
/usr/apache/bin/httpd--19270
/usr/apache/bin/httpd--19271
/usr/apache/bin/httpd--19272
/usr/apache/bin/httpd--19273
/usr/apache/bin/httpd--19274
/usr/apache/bin/httpd--19275
/usr/apache/bin/httpd--19276
/usr/apache/bin/httpd--19277
/usr/apache/bin/httpd--19278
/usr/apache/bin/httpd--19279
/usr/apache/bin/httpd--19280
/usr/apache/bin/httpd--19281
/usr/apache/bin/httpd--19282
/usr/apache/bin/httpd--19283
/usr/apache/bin/httpd--19284
/usr/apache/bin/httpd--19285
/usr/apache/bin/httpd--19286
/usr/apache/bin/httpd--19287
/usr/apache/bin/httpd--19288
/usr/apache/bin/httpd--19289
/usr/apache/bin/httpd--19290
/usr/apache/bin/httpd--19291
/usr/apache/bin/httpd--19292
/usr/apache/bin/httpd--19293
/usr/apache/bin/httpd--19294
/usr/apache/bin/httpd--19295
/usr/apache/bin/httpd--19296
/usr/apache/bin/httpd--19297
/usr/apache/bin/httpd--19298
/usr/apache/bin/httpd--19299
/usr/apache/bin/httpd--19300
/usr/apache/bin/httpd--19301
/usr/apache/bin/httpd--19302
/usr/apache/bin/httpd--19303
/usr/apache/bin/httpd--19304
/usr/apache/bin/httpd--19305
/usr/apache/bin/httpd--19306
/usr/apache/bin/httpd--19307
/usr/apache/bin/httpd--19308
/usr/apache/bin/httpd--19309
/usr/apache/bin/httpd--19310
/usr/apache/bin/httpd--19311
/usr/apache/bin/httpd--19312
/usr/apache/bin/httpd--19313
/usr/apache/bin/httpd--19314
/usr/apache/bin/httpd--19315
/usr/apache/bin/httpd--19316
/usr/apache/bin/httpd--19317
/usr/apache/bin/httpd--19318
/usr/apache/bin/httpd--19319
/usr/apache/bin/httpd--19320
/usr/apache/bin/httpd--19321
/usr/apache/bin/httpd--19324
/usr/apache/bin/httpd--19325
/usr/apache/bin/httpd--19326
/usr/apache/bin/httpd--19327
/usr/apache/bin/httpd--19328
/usr/apache/bin/httpd--19329
/usr/apache/bin/httpd--19330
/usr/apache/bin/httpd--19331
/usr/apache/bin/httpd--19332
/usr/apache/bin/httpd--19333
/usr/apache/bin/httpd--19334
/usr/apache/bin/httpd--19335
/usr/apache/bin/httpd--19336
/usr/apache/bin/httpd--19337
/usr/apache/bin/httpd--19338
/usr/apache/bin/httpd--19339
/usr/apache/bin/httpd--19340
/usr/apache/bin/httpd--19341
/usr/apache/bin/httpd--19342
/usr/apache/bin/httpd--19343
/usr/apache/bin/httpd--19344
/usr/apache/bin/httpd--19345
/usr/apache/bin/httpd--19346
/usr/apache/bin/httpd--19347
/usr/apache/bin/httpd--19348
/usr/apache/bin/httpd--19349
/usr/apache/bin/httpd--19350
/usr/apache/bin/httpd--19351
/usr/apache/bin/httpd--19354
/usr/apache/bin/httpd--19355
/usr/apache/bin/httpd--19356
/usr/apache/bin/httpd--19357
/usr/apache/bin/httpd--19358
/usr/apache/bin/httpd--19359
/usr/apache/bin/httpd--19360
/usr/apache/bin/httpd--19361
/usr/apache/bin/httpd--19362
/usr/apache/bin/httpd--19363
/usr/apache/bin/httpd--19364
/usr/apache/bin/httpd--19365
/usr/apache/bin/httpd--19366
/usr/apache/bin/httpd--19367
/usr/apache/bin/httpd--19368
/usr/apache/bin/httpd--19369
/usr/apache/bin/httpd--19370
/usr/apache/bin/httpd--19371
/usr/apache/bin/httpd--19372
/usr/apache/bin/httpd--19373
/usr/apache/bin/httpd--19374
/usr/apache/bin/httpd--19376
/usr/apache/bin/httpd--19378
/usr/apache/bin/httpd--19383
/usr/apache/bin/httpd--19384
/usr/apache/bin/httpd--19385
/usr/apache/bin/httpd--19386
/usr/apache/bin/httpd--19387
/usr/apache/bin/httpd--19388
/usr/apache/bin/httpd--19389
/usr/apache/bin/httpd--19390
/usr/apache/bin/httpd--19391
/usr/apache/bin/httpd--19392
/usr/apache/bin/httpd--19393
/usr/apache/bin/httpd--19394
/usr/apache/bin/httpd--19428
/usr/apache/bin/httpd--19429
/usr/apache/bin/httpd--19430
/usr/apache/bin/httpd--19566
/usr/apache/bin/httpd--19567
/usr/apache/bin/httpd--19568
/usr/apache/bin/httpd--19569
/usr/apache/bin/httpd--19571
/usr/apache/bin/httpd--19573
/usr/apache/bin/httpd--19574
/usr/apache/bin/httpd--19575
/usr/apache/bin/httpd--19578
/usr/apache/bin/httpd--19579
/usr/apache/bin/httpd--19580
/usr/apache/bin/httpd--19581
/usr/apache/bin/httpd--19582
/usr/apache/bin/httpd--19583
/usr/apache/bin/httpd--19586
/usr/apache/bin/httpd--19587
/usr/apache/bin/httpd--19588
/usr/apache/bin/httpd--19589
/usr/apache/bin/httpd--19595
/usr/apache/bin/httpd--21013
/usr/apache/bin/httpd--21165
/usr/apache/bin/httpd--21171
/usr/apache/bin/httpd--21174
/usr/apache/bin/httpd--21175
/usr/apache/bin/httpd--21176
/usr/apache/bin/httpd--21177
/usr/apache/bin/httpd--21182
/usr/apache/bin/httpd--21183
/usr/apache/bin/httpd--21184
/usr/apache/bin/httpd--21185
/usr/apache/bin/httpd--21191
/usr/apache/bin/httpd--21195
/usr/apache/bin/httpd--21200
/usr/apache/bin/httpd--21240
/usr/apache/bin/httpd--21249
/usr/apache/bin/httpd--21265
/usr/apache/bin/httpd--21275
/usr/apache/bin/httpd--21276
/usr/apache/bin/httpd--21277
/usr/apache/bin/httpd--21278
/usr/apache/bin/httpd--21279
/usr/apache/bin/httpd--21280
/usr/apache/bin/httpd--21281
/usr/apache/bin/httpd--21286
/usr/apache/bin/httpd--21287
/usr/apache/bin/httpd--21288
/usr/apache/bin/httpd--21289
/usr/apache/bin/httpd--21290
/usr/apache/bin/httpd--21291
/usr/apache/bin/httpd--21292
/usr/apache/bin/httpd--21293
/usr/apache/bin/httpd--21294
/usr/apache/bin/httpd--21295
/usr/apache/bin/httpd--21296
/usr/apache/bin/httpd--21297
/usr/apache/bin/httpd--21298
/usr/apache/bin/httpd--21299
/usr/apache/bin/httpd--21300
/usr/apache/bin/httpd--21301
/usr/apache/bin/httpd--21302
/usr/apache/bin/httpd--21344
/usr/apache/bin/httpd--21345
/usr/apache/bin/httpd--21347
/usr/apache/bin/httpd--21348
/usr/apache/bin/httpd--21363
/usr/apache/bin/httpd--21369
/usr/apache/bin/httpd--21373
/usr/apache/bin/httpd--21377
/usr/apache/bin/httpd--21831
/usr/apache/bin/httpd--21844
/usr/apache/bin/httpd--21847
/usr/apache/bin/httpd--21848
/usr/apache/bin/httpd--21850
/usr/apache/bin/httpd--21851
/usr/apache/bin/httpd--21852
/usr/apache/bin/httpd--21853
/usr/apache/bin/httpd--21854
/usr/apache/bin/httpd--21857
/usr/apache/bin/httpd--21859
/usr/apache/bin/httpd--21860
/usr/apache/bin/httpd--21861
/usr/apache/bin/httpd--21862
/usr/apache/bin/httpd--21863
/usr/apache/bin/httpd--21864
/usr/apache/bin/httpd--21865
/usr/apache/bin/httpd--21866
/usr/apache/bin/httpd--21867
/usr/apache/bin/httpd--21868
/usr/apache/bin/httpd--21869
/usr/apache/bin/httpd--21870
/usr/apache/bin/httpd--21871
/usr/apache/bin/httpd--21872
/usr/apache/bin/httpd--21873
/usr/apache/bin/httpd--21874
/usr/apache/bin/httpd--21875
/usr/apache/bin/httpd--21876
/usr/apache/bin/httpd--21877
/usr/apache/bin/httpd--21878
/usr/apache/bin/httpd--21879
/usr/apache/bin/httpd--21880
/usr/apache/bin/httpd--21881
/usr/apache/bin/httpd--21882
/usr/apache/bin/httpd--21883
/usr/apache/bin/httpd--21887
/usr/apache/bin/httpd--21888
/usr/apache/bin/httpd--21901
sshd: root@pts/0--21969
-bash--21972
/usr/apache/bin/httpd--22057
/usr/apache/bin/httpd--22058
/usr/apache/bin/httpd--22059
/usr/apache/bin/httpd--22060
/usr/apache/bin/httpd--22061
/usr/apache/bin/httpd--22062
/usr/apache/bin/httpd--22063
/usr/apache/bin/httpd--22064

I don't see a suckit process.
Does anyone know another way to remove it?
Thanks!
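The loop in the post above brute-forces PIDs 1..33000 and prints whatever answers, leaving the reader to spot anything odd by eye. The script below is an added example (not code from the original post or from chkrootkit) that does the comparison the loop implies: it flags any PID that answers a direct stat()/kill(pid, 0) probe but is absent from the readdir() listing of /proc, which is the symptom of a process-hiding hook. It also decodes the NUL-separated argv properly, which is why the post's `cat` output shows "syslogd-m0" and "mingettytty1" fused, and it skips threads, which have their own /proc/<tid> but are never listed at the top level and would otherwise all look hidden. The only assumption is a Linux /proc. Caveat: SucKIT installs its hooks in the kernel through /dev/kmem, so on a box where it is resident both views come from the same lying kernel; an empty result here proves nothing, and only a scan of the disk from a trusted boot medium does.

```python
"""Hidden-process check: direct PID probes versus what readdir(/proc) admits to."""
import os


def pid_max(proc="/proc"):
    """Upper bound of the scan. 2.4 kernels default to 32768 (hence the
    poster's 33000); current 64-bit kernels allow up to 4194304."""
    try:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 32768


def format_cmdline(raw):
    """argv in /proc/<pid>/cmdline is NUL-separated; `cat` prints the NULs
    invisibly, which is why the post shows 'syslogd-m0' instead of 'syslogd -m 0'."""
    return " ".join(p.decode("utf-8", "replace") for p in raw.split(b"\x00") if p)


def tgid_of_status(text):
    """Parse the Tgid: line of /proc/<pid>/status; None if it is missing."""
    for line in text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None


def listed_pids(proc="/proc"):
    """The readdir() view, which is all that ps and top rely on."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def probe_pid(pid, proc="/proc"):
    """True if the PID exists according to a direct probe that bypasses readdir()."""
    if os.path.isdir(os.path.join(proc, str(pid))):
        return True
    try:
        os.kill(pid, 0)          # signal 0: existence check only, nothing is delivered
        return True
    except PermissionError:      # exists but belongs to another user
        return True
    except ProcessLookupError:
        return False


def is_thread(pid, proc="/proc"):
    """Threads are not listed at the top of /proc but /proc/<tid> exists, so
    anything whose Tgid differs from its own PID is a thread, not a hidden process."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as f:
            tgid = tgid_of_status(f.read())
    except OSError:
        return False             # a live PID with unreadable status is itself suspicious
    return tgid is not None and tgid != pid


def find_hidden_pids(listed, probed, confirm=None):
    """PIDs seen by the probe but absent from readdir(). `confirm` re-checks each
    candidate so processes that merely exited between the two scans are dropped."""
    hidden = set(probed) - set(listed)
    if confirm is not None:
        hidden = {p for p in hidden if confirm(p)}
    return sorted(hidden)


def scan(proc="/proc"):
    """Return [(pid, cmdline)] for every process hidden from readdir()."""
    probed = {pid for pid in range(1, pid_max(proc) + 1) if probe_pid(pid, proc)}
    listed = listed_pids(proc)

    def confirm(pid):
        return (probe_pid(pid, proc) and pid not in listed_pids(proc)
                and not is_thread(pid, proc))

    out = []
    for pid in find_hidden_pids(listed, probed, confirm):
        try:
            with open(os.path.join(proc, str(pid), "cmdline"), "rb") as f:
                cmd = format_cmdline(f.read())
        except OSError:
            cmd = "<cmdline unreadable>"
        out.append((pid, cmd))
    return out


if __name__ == "__main__":
    for pid, cmd in scan():
        print(f"hidden pid {pid}: {cmd}")
```

On a clean host `scan()` returns an empty list; a non-empty one is worth a look, but a PID that appears only briefly is usually a short-lived child that exited between the two passes, which is what the confirmation pass guards against.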

#2  Posted 2005-12-29 09:32
Q: How can I make suckit run automatically on each reboot of the machine?
  A: The generic way (as the install script does) is to
     rename /sbin/init to /sbin/init<hidesuffix>, and place the sk binary
     instead of /sbin/init, so suckit will get resident immediately
     after boot. However, when it gets resident, all such changes
     will be stealthed. If you can't fiddle with /sbin/init, you
     can still place the binary somewhere like /etc/rc.d/rc3.d/S##<hidesuffix>
     or such.

suckit is a backdoor that runs in ring 3 and installs its hooks in ring 0 by reading and writing /dev/kmem.
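The quoted FAQ names the two places SucKIT parks itself: the real /sbin/init renamed to init<hidesuffix> with sk installed in its place, or a binary dropped into /etc/rc.d/rc3.d as S##<hidesuffix>. Because a resident SucKIT filters its own files out of every listing the infected kernel serves, the check has to run against the disk from a clean rescue boot. The script below is an added example (not from the original post or the SucKIT sources) that does exactly that. It assumes the suspect filesystem is mounted under a clean boot (say at /mnt/suspect) and that the admin has a known-good /sbin/init for the same distribution release (for AS3, extracted from the SysVinit RPM with rpm2cpio); both paths are arguments. The demo tree, file contents and the hide suffix "demo" are constructed for illustration. The rc.d rule relies on a Red Hat convention: every entry in rcN.d is a symlink (into ../init.d, or ../rc.local for S99local), so a regular file there is out of place.

```python
"""Offline audit of a mounted root for the SucKIT init swap and rc.d drop."""
import hashlib
import os
import sys
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_init_swap(root, reference_init):
    """FAQ method 1: init is renamed to init<hidesuffix> and sk becomes /sbin/init.
    Report whether /sbin/init still matches the reference, and which other
    regular files in /sbin carry the original's hash (the renamed real init)."""
    ref = sha256_file(reference_init)
    sbin = os.path.join(root, "sbin")
    result = {"init_modified": sha256_file(os.path.join(sbin, "init")) != ref,
              "renamed_init": []}
    for name in sorted(os.listdir(sbin)):
        path = os.path.join(sbin, name)
        if (name != "init" and os.path.isfile(path) and not os.path.islink(path)
                and sha256_file(path) == ref):
            result["renamed_init"].append(name)
    return result


def check_rc_dirs(root):
    """FAQ method 2: a binary parked as /etc/rc.d/rcN.d/S##<hidesuffix>.
    Red Hat rcN.d entries are all symlinks, so any regular file is reported."""
    findings = []
    for n in range(7):
        d = os.path.join(root, "etc", "rc.d", f"rc{n}.d")
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not os.path.islink(os.path.join(d, name)):
                findings.append(f"rc{n}.d/{name}")
    return findings


def audit(root, reference_init):
    result = check_init_swap(root, reference_init)
    result["rc_regular_files"] = check_rc_dirs(root)
    return result


def build_demo_tree(tmp):
    """Constructed sample root laid out the way the FAQ describes. Contents are
    placeholders, not real binaries, and the hide suffix 'demo' is made up."""
    root = os.path.join(tmp, "mnt")
    original_init = b"\x7fELF constructed stand-in for the distro's /sbin/init\n"
    planted_sk = b"\x7fELF constructed stand-in for the sk binary\n"
    sbin = os.path.join(root, "sbin")
    init_d = os.path.join(root, "etc", "rc.d", "init.d")
    rc3 = os.path.join(root, "etc", "rc.d", "rc3.d")
    for d in (sbin, init_d, rc3):
        os.makedirs(d)
    files = {
        os.path.join(sbin, "init"): planted_sk,           # sk installed over init
        os.path.join(sbin, "initdemo"): original_init,    # the renamed real init
        os.path.join(init_d, "network"): b"#!/bin/sh\n",  # a normal service script
        os.path.join(rc3, "S97demo"): planted_sk,         # binary dropped into rc3.d
    }
    for path, data in files.items():
        with open(path, "wb") as f:
            f.write(data)
    os.symlink("../init.d/network", os.path.join(rc3, "S10network"))  # legitimate entry
    reference = os.path.join(tmp, "reference-init")       # admin's known-good copy
    with open(reference, "wb") as f:
        f.write(original_init)
    return root, reference


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        root, reference = build_demo_tree(tmp)
        return audit(root, reference)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(audit(sys.argv[1], sys.argv[2]))   # usage: audit.py <mounted-root> <reference-init>
    else:
        print(run_demo())
```

Run it as `python3 audit.py /mnt/suspect /tmp/reference-init` from the rescue system. A modified /sbin/init together with a second file in /sbin carrying the reference hash is the FAQ's install pattern exactly; even when that check is clean, any regular file in an rcN.d directory deserves a look.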

#3  Posted 2005-12-29 09:33
I don't have the suckit2 source here, so I'm not sure, but it shouldn't be hard to find.

#4  Posted 2005-12-29 10:34
Thanks, boss, I'll give it a try!

[ This post was last edited by zwexin on 2005-12-29 10:50 ]