linux服务器被黑，看看它是怎样进来的。大家研究！

saiy828

linux服务器被黑，看看它是怎样进来的。大家研究！
系统环境：RH7.2   rpm包没有升级。server安装方式。
开有：wu-ftp ,ssh服务
用chkrootkit-0.45检查结果如下：
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not infected
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... INFECTED
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit installed
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.6.0/i386-linux/.packlist /usr/lib/.lib
/usr/lib/.lib
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit...  /usr/include/file.h /usr/include/proc.h
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS:  3049)
Checking `lkm'... Checking `rexedcs'... not found
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `w55808'... not infected
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... not tested: can't exec ./chklastlog
Checking `chkutmp'... not tested: can't exec ./chkutmp


怎么不让传附件？

saiy828

被黑之后，让人加了http ,senfmail服务。现在apache,sendmail包我已经卸载。下一步要卸在wu-ftp，我估计最大的漏洞来自ftp。
linux下有什么好的检查系统安全性的工具。请大家赐教。

hellolinux

我是菜鸟,我想关注这个问题.

日志中没有线索吗,不过,可能已经被破坏.

记得有个软件,只要修改文件中的文件,就要向roo发mail

竟然被加了http,senfmail服务?有何居心?

saiy828

http://www.linuxsir.org/bbs/attachment.php?attachmentid=26241

大家看看这个附件，诺顿查出它有木马的。这是那个服务的木马。
我想是wu-fto的。

saiy828

我发现问题之后就一直在找方法解决，不过我是没动黑客做的东西，我还想引他在出来，网页我看了是连接到www.ebay.com的不到一天中国电信就来电话了，说我们服务器上有非法网页，我就把网页删了。

hellolinux

wuftp听说漏洞挺多的,

ecto

同情，还好，没有什么损失，我前一段时间弄win的，ddos，防火墙都不管用，不知道怎么得罪了他们！！

你这个还好，还用了点自己的技术攻击，ddos的纯粹就是拿别人的东西。。。。。无奈

aib

RH7.2??不知道WU-FTP的版本是多少.......

WU-FTP2.6x有一个很严重的溢出漏洞,出了那么多年,你不是不知道吧?

尽快升级WU-FTP吧...

saiy828

WU-FTP 漏洞是知道，一般不开的
2.6.18版就是有漏洞
看来RH7.2的不可以在用了
看看这个附件http://www.linuxsir.org/bbs/attachment.php?attachmentid=26241

saiy828

期待中……………………
大家说说高见