|
|
[root@jtomron chkrootkit-0.45]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... INFECTED
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... INFECTED
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit in
stalled
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist /usr/lib/openoffice/share
/gnome/net/.directory /usr/lib/openoffice/share/gnome/net/.order /usr/lib/openof
fice/share/kde/net/applnk/OpenOffice.org/.directory /usr/lib/openoffice/share/kd
e/net/applnk/OpenOffice.org/.order
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... ERROR: Thread display not implemented.
********* simple selection ********* ********* selection by list *********
-A all processes -C by command name
-N negate selection -G by real group ID (supports names)
-a all w/ tty except session leaders -U by real user ID (supports names)
-d all except session leaders -g by session leader OR by group name
-e all processes -p by process ID
T all processes on this terminal -s processes in the sessions given
a all w/ tty, including other users -t by tty
g all, even group leaders! -u by effective user ID (supports names)
r only running processes U processes for specified users
x processes w/o controlling ttys t by tty
*********** output format ********** *********** long options ***********
-o,o user-defined -f full --Group --User --pid --cols
-j,j job control s signal --group --user --sid --rows
-O,O preloaded -o v virtual memory --cumulative --format --deselect
-l,l long u user-oriented --sort --tty --forest --version
X registers --heading --no-heading
********* misc options *********
-V,V show version L list format codes f ASCII art forest
-m,m show threads S children in sum -y change -l format
-n,N set namelist file c true command name n numeric WCHAN,UID
-w,w wide output e show environment -H process heirarchy
OooPS!
chkproc: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
eth1: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
[root@jtomron chkrootkit-0.45]#
以上是我用chkrootkit检查的结果
以下是我的messages上的log,但是我怀疑log已经全部被删除了.bash_history当中全部是我用过的命令)以下好像是说用户眼张没有通过,但是一旦中了rootkit那么root帐号肯定是没有什么安全性了
Jun 22 02:45:21 jtomron last message repeated 2 times
Jun 22 02:45:21 jtomron vsftpd(pam_unix)[3064]: authentication failure; logname=
uid=0 euid=0 tty= ruser= rhost=202.109.129.109 user=test
Jun 22 02:45:21 jtomron vsftpd: warning: can't get client address: Bad file desc
riptor
Jun 22 02:45:22 jtomron vsftpd(pam_unix)[3066]: authentication failure; logname=
uid=0 euid=0 tty= ruser= rhost=202.109.129.109 user=test
Jun 22 02:45:22 jtomron vsftpd: warning: can't get client address: Bad file desc
riptor
Jun 22 02:45:22 jtomron vsftpd(pam_unix)[3068]: authentication failure; logname=
uid=0 euid=0 tty= ruser= rhost=202.109.129.109 user=test
Jun 22 02:45:22 jtomron vsftpd(pam_unix)[3070]: check pass; user unknown
Jun 22 02:45:22 jtomron vsftpd(pam_unix)[3070]: authentication failure; logname=
uid=0 euid=0 tty= ruser= rhost=202.109.129.109
Jun 22 02:45:22 jtomron vsftpd: warning: can't get client address: Bad file desc
riptor
Jun 22 02:45:23 jtomron vsftpd(pam_unix)[3072]: check pass; user unknown
Jun 22 02:45:23 jtomron vsftpd(pam_unix)[3072]: authentication failure; logname=
uid=0 euid=0 tty= ruser= rhost=202.109.129.109
Jun 22 02:45:23 jtomron vsftpd(pam_unix)[3074]: check pass; user unknown
Jun 22 02:45:23 jtomron vsftpd(pam_unix)[3074]: authentication failure; logname=
uid=0 euid=0 tty= ruser= rhost=202.109.129.109
Jun 22 02:45:23 jtomron vsftpd: warning: can't get client address: Bad file desc
riptor
哪位大大帮我看看 |
|
IP卡
狗仔卡
发表于 2005-6-22 17:22:09
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡