g' -e ... (several lines omitted)
sh-3.1# cp ssh_config sshd_config /etc/ssh/
sh-3.1# /etc/rc.d/init.d/sshd restart
停止 sshd：                                                [确定]
启动 sshd：                                                [确定]

OK, now log in through our sshdoor.

[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:SystemLow-SystemHigh
[root@localhost ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN      2298/hpiod
tcp        0      0 0.0.0.0:1000            0.0.0.0:*               LISTEN      2090/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2056/portmap
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      2883/vsftpd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2315/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2361/sendmail: acce
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN      2303/python

Something about this system feels off: port 22 does not even show up, so netstat has most likely been replaced. Let's first check whether any other system files have been swapped out.

[root@localhost ~]# rpm -qaV
S.5..UG. /bin/netstat
S.5..UG. /sbin/ifconfig
S.5....T /usr/bin/ssh-keygen
S.5....T c /etc/sysconfig/system-config-securitylevel
S.5..UG. /usr/sbin/lsof
.M...... /var/tux
S.5....T c /etc/inittab
S.5....T /usr/share/texmf-var/fonts/map/dvipdfm/updmap/dvipdfm_dl14.map
S.5....T /usr/share/texmf-var/fonts/map/dvipdfm/updmap/dvipdfm_ndl14.map
S.5....T /usr/share/texmf-var/fonts/map/pdftex/updmap/pdftex_dl14.map
S.5....T /usr/share/texmf-var/fonts/map/pdftex/updmap/pdftex_ndl14.map
S.5....T /usr/share/texmf-var/web2c/aleph.fmt
S.5....T /usr/share/texmf-var/web2c/amstex.fmt
S.5....T /usr/share/texmf-var/web2c/bamstex.fmt
S.5....T /usr/share/texmf-var/web2c/bplain.fmt
S.5....T /usr/share/texmf-var/web2c/cont-en.fmt
S.5....T /usr/share/texmf-var/web2c/etex.fmt
..5....T /usr/share/texmf-var/web2c/metafun.mem
S.5....T /usr/share/texmf-var/web2c/mf.base
..5....T /usr/share/texmf-var/web2c/mpost.mem
S.5....T /usr/share/texmf-var/web2c/mptopdf.fmt
S.5....T /usr/share/texmf-var/web2c/omega.fmt
S.5....T /usr/share/texmf-var/web2c/pdfetex.fmt
S.5....T /usr/share/texmf-var/web2c/pdftex.fmt
S.5....T /usr/share/texmf-var/web2c/tex.fmt
.......T c /etc/kdump.conf
S.5....T c /etc/printcap
..5....T c /etc/pki/nssdb/secmod.db
....L... c /etc/pam.d/system-auth
.M...... c /etc/cups/classes.conf
.......T c /etc/audit/auditd.conf
missing /usr/sbin/nscd
S.5....T c /etc/sysconfig/named
.M...... /var/named
SM5..UG. /bin/ps
SM5..UG. /usr/bin/top
SM5....T c /etc/sysconfig/iptables-config
S.5..UG. /usr/bin/find
prelink: /usr/lib/libGL.so.1.2.#prelink#.crFdQJ Could not trace symbol resolving
S.?..... /usr/lib/libGL.so.1.2
S.5....T c /etc/ppp/chap-secrets
S.5....T c /etc/ppp/pap-secrets
S.5....T c /etc/xml/catalog
S.5....T c /usr/share/sgml/docbook/xmlcatalog
S.5....T c /etc/ssh/ssh_config
S.5....T /usr/bin/scp
S.5....T /usr/bin/sftp
S.5....T /usr/bin/ssh
S.5....T /usr/bin/ssh-add
SM5...GT /usr/bin/ssh-agent
S.5....T /usr/bin/ssh-keyscan
S.5....T /usr/share/texmf-var/fonts/map/dvips/updmap/builtin35.map
S.5....T /usr/share/texmf-var/fonts/map/dvips/updmap/download35.map
S.5....T /usr/share/texmf-var/fonts/map/dvips/updmap/ps2pk.map
S.5....T /usr/share/texmf-var/fonts/map/dvips/updmap/psfonts_pk.map
S.5....T /usr/share/texmf-var/fonts/map/dvips/updmap/psfonts_t1.map
S.5....T /etc/sgml/docbook-slides.cat
S.5....T /usr/share/icons/hicolor/icon-theme.cache
S.5..UG. /bin/ls
S.5..UG. /usr/bin/dir
S.5..UG. /usr/bin/md5sum
S.5..UG. /usr/bin/pstree
S.5....T c /etc/syslog.conf
S.5....T c /etc/ssh/sshd_config
S.5....T /usr/sbin/sshd
missing /var/lib/texmf/ls-R
S.5....T /etc/sgml/docbook-simple.cat
S.5....T c /etc/vsftpd/vsftpd.conf
.M...... /var/ftp/pub
S.5....T c /etc/mailcap
......G. /var/cache/samba/winbindd_privileged
.......T c /etc/mail/sendmail.cf
SM5....T c /etc/mail/submit.cf
S.5....T c /var/log/mail/statistics
..5....T c /usr/lib/security/classpath.security
S.5....T c /etc/sane.d/dll.conf

Luckily rpm itself was not replaced. It looks like quite a few of the system's commands have been replaced; heh, someone else in the trade is already in here. Sorry, but I'm going to have to kick you out.

Let's check things first. This system obviously can't be trusted any more, so we start by putting trustworthy copies of the commands back:

[root@localhost bin]# cp -f /home/ldc/.v/dir /usr/bin/dir
cp: cannot remove `/usr/bin/dir': Operation not permitted

The i, a and u attributes have been set on it with chattr.

[root@localhost bin]# chattr -iau /usr/bin/dir
[root@localhost bin]# cp -f /home/ldc/.v/dir /usr/bin/dir

OK. Let's see what else there is:

[root@localhost chkrootkit-0.48]# lsattr /bin /sbin /usr/bin /usr/sbin /etc |
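The two checks in this walkthrough, reading rpm -V output for swapped-out binaries and reading lsattr output for files locked with i/a/u, are easy to do by eye on a short listing but tedious on a full one. The following Python is an added example (it is not code from the original post) that parses both formats and ranks the rpm findings from a defender's point of view. The sample lines are constructed to match the shape of the output above; the severity rules and the list of directories treated as "system" are my own assumptions, not anything rpm defines.

```python
"""Triage rpm -V and lsattr output (added example; sample input is constructed)."""
import re

# Position letters rpm -V prints when an attribute differs from the package database.
RPM_FLAG_NAMES = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
    "U": "owner", "G": "group", "T": "mtime", "P": "capabilities",
}

# Assumption: a changed digest on a file under one of these prefixes means a
# replaced binary or library (netstat, ps, ls, lsof, sshd in the listing above).
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")

# "S.5..UG. /bin/netstat" or "....L... c /etc/pam.d/system-auth": flag block,
# optional file-type letter (c=config, d=doc, g=ghost, l=license, r=readme), path.
RPM_LINE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)$")
MISSING_LINE = re.compile(r"^missing\s+(?:[cdglr]\s+)?(?P<path>/\S+)$")


def parse_rpm_verify_line(line):
    """Return a record for one rpm -V line, or None for diagnostics such as prelink messages."""
    line = line.strip()
    m = MISSING_LINE.match(line)
    if m:
        return {"path": m.group("path"), "status": "missing", "flags": set(), "ftype": None}
    m = RPM_LINE.match(line)
    if not m:
        return None
    flags = set()
    for ch in m.group("flags"):
        if ch in RPM_FLAG_NAMES:
            flags.add(RPM_FLAG_NAMES[ch])
        elif ch == "?":  # rpm could not read the file, e.g. while prelink held it
            flags.add("unverifiable")
    return {"path": m.group("path"), "status": "changed", "flags": flags, "ftype": m.group("ftype")}


def triage_rpm_verify(lines):
    """Return (severity, path, status, sorted flag names) per parsed line.

    high:   missing system file, or digest changed on a non-config system file
    medium: any other change (beyond mtime) to a system file, or digest changed elsewhere
    low:    config files (type c) and everything else
    """
    findings = []
    for line in lines:
        rec = parse_rpm_verify_line(line)
        if rec is None:
            continue
        in_sys = rec["path"].startswith(SYSTEM_DIRS)
        if rec["status"] == "missing":
            sev = "high" if in_sys else "medium"
        elif rec["ftype"] == "c":
            sev = "low"
        elif in_sys and "digest" in rec["flags"]:
            sev = "high"
        elif in_sys and rec["flags"] - {"mtime"}:
            sev = "medium"
        elif "digest" in rec["flags"]:
            sev = "medium"
        else:
            sev = "low"
        findings.append((sev, rec["path"], rec["status"], sorted(rec["flags"])))
    return findings


# chattr attributes that stop a file from being replaced or truncated.
LOCK_ATTRS = {"i": "immutable", "a": "append-only", "u": "undeletable"}


def find_locked_attrs(lines):
    """From lsattr output, return (path, attribute names) for files carrying i, a or u."""
    locked = []
    for line in lines:
        parts = line.split(None, 1)
        # Skip "lsattr: Operation not supported ..." style messages.
        if len(parts) != 2 or not re.fullmatch(r"[-A-Za-z]+", parts[0]):
            continue
        attrs, path = parts
        names = [LOCK_ATTRS[c] for c in attrs if c in LOCK_ATTRS]  # case matters: 'A' is not 'a'
        if names:
            locked.append((path.strip(), names))
    return locked


# Constructed sample lines shaped like the rpm -qaV and lsattr output in the post.
SAMPLE_RPM_V = """\
S.5..UG. /bin/netstat
S.5..UG. /sbin/ifconfig
S.5....T /usr/bin/ssh-keygen
S.5....T c /etc/sysconfig/system-config-securitylevel
.M...... /var/tux
S.5....T /usr/share/texmf-var/web2c/tex.fmt
....L... c /etc/pam.d/system-auth
missing /usr/sbin/nscd
SM5..UG. /bin/ps
prelink: /usr/lib/libGL.so.1.2.#prelink#.crFdQJ Could not trace symbol resolving
S.?..... /usr/lib/libGL.so.1.2
S.5....T c /etc/ssh/sshd_config
S.5....T /usr/sbin/sshd
""".splitlines()

SAMPLE_LSATTR = """\
----ia-u-------- /usr/bin/dir
---------------- /usr/bin/diff
-----a---------- /var/log/secure
lsattr: Operation not supported While reading flags on /proc/1
""".splitlines()

if __name__ == "__main__":
    for sev, path, status, flags in triage_rpm_verify(SAMPLE_RPM_V):
        print(f"{sev:6} {status:7} {path} {','.join(flags)}")
    for path, names in find_locked_attrs(SAMPLE_LSATTR):
        print(f"locked {path}: {', '.join(names)}")
```

Run it against `rpm -Va` and `lsattr -R` output captured from a trusted rpm and lsattr; config files are deliberately ranked low because they change on every installation, so entries such as /etc/ssh/sshd_config still deserve a manual read when sshd itself is also flagged.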