
LINUX server had malicious code injected into its web pages....


Cause found and cleaned up! See post #4 for the full process

Almost every index.htm on the server has had IFRAME code inserted, and the timestamps are all 9:19 in the morning. I pulled one site's HTTP log and went through it, but found no injection activity at 9:19. Could this be a Linux system vulnerability? Has anyone else run into the same thing? I'm confused now. What should I do?

[root@yourname ~]# uname -a
Linux yourname.com 2.6.9-5.ELsmp #1 SMP Wed Jan 5 19:30:39 EST 2005 i686 i686 i386 GNU/Linux

The server runs APACHE, MYSQL and FTP

Server version: Apache/2.0.52

mysql-4.1.10a-2.RHEL4.1

muddleftpd: version (1.3.14)


[root@yourname bin]# chkconfig --list
rpcsvcgssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
readahead_early 0:off 1:off 2:off 3:off 4:off 5:on 6:off
irda 0:off 1:off 2:off 3:off 4:off 5:off 6:off
mysqld 0:off 1:off 2:off 3:on 4:on 5:on 6:off
pcmcia 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off
ypbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off
dc_server 0:off 1:off 2:off 3:off 4:off 5:off 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
psacct 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netplugd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
microcode_ctl 0:off 1:off 2:off 3:off 4:off 5:off 6:off
mdmpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
resin_a 0:off 1:off 2:off 3:on 4:on 5:on 6:off
bluetooth 0:off 1:off 2:off 3:off 4:off 5:off 6:off
readahead 0:off 1:off 2:off 3:off 4:off 5:on 6:off
haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
smartd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off
nscd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rpcgssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
diskdump 0:off 1:off 2:off 3:off 4:off 5:off 6:off
dc_client 0:off 1:off 2:off 3:off 4:off 5:off 6:off
messagebus 0:off 1:off 2:off 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
resin 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
NetworkManager 0:off 1:off 2:off 3:off 4:off 5:off 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
acpid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
sendmail 0:off 1:off 2:off 3:off 4:off 5:off 6:off
spamassassin 0:off 1:off 2:off 3:off 4:off 5:off 6:off
apmd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
resin_b 0:off 1:off 2:off 3:on 4:on 5:on 6:off
isdn 0:off 1:off 2:on 3:on 4:on 5:on 6:off
irqbalance 0:off 1:off 2:off 3:on 4:on 5:on 6:off
httpd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rhnsd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netdump 0:off 1:off 2:off 3:off 4:off 5:off 6:off
mdmonitor 0:off 1:off 2:on 3:on 4:on 5:on 6:off
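An added example (my code, not anything posted in the thread) for the two checks the first post calls for: list every page carrying an <iframe>, and, since all the files were written in the same minute, bracket that minute with two reference files so POSIX find's -newer can list everything else written in the window (any file, not just .htm, which is how you find the tool that did the writing). The webroot, the two sites, the 198.51.100.1 iframe target and the timestamps are constructed for the demo; the OP gives no date, so 2007-01-15 is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread. Paths, sites and timestamps below
# are constructed; only the technique (grep for the tag, bracket the mtime
# window with touch -t reference files) is what the post needs.

# List files under $1 (the webroot) that contain an <iframe> tag, any case.
find_iframe_pages() {
    find "$1" -type f \( -name '*.htm' -o -name '*.html' \) \
        -exec grep -li '<iframe' {} + 2>/dev/null | sort
}

# List every file under $1 whose mtime lies in [$2, $3]; $2 and $3 are
# touch -t stamps (YYYYMMDDhhmm). POSIX find has no date option, so two
# reference files bracket the window.
find_modified_between() {
    ref=$(mktemp -d) || return 1
    touch -t "$2" "$ref/start" && touch -t "$3" "$ref/end" || { rm -rf "$ref"; return 1; }
    find "$1" -type f -newer "$ref/start" ! -newer "$ref/end" | sort
    rm -rf "$ref"
}

# Keep a copy of $1 as $1.injected, then drop every line containing <iframe>.
# Crude: correct only when the injection is a whole appended line, which is
# the usual mass-defacement pattern; diff the copy before deleting it.
strip_iframe_lines() {
    cp "$1" "$1.injected" || return 1
    grep -vi '<iframe' "$1.injected" > "$1"
    return 0
}

# Build a throwaway webroot: site1 clean (written 08:00), site2 with an
# appended hidden iframe (written 09:19). Prints the webroot path.
make_demo_webroot() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/site1" "$root/site2"
    printf '<html><body>hello</body></html>\n' > "$root/site1/index.htm"
    printf '<html><body>hello</body></html>\n' > "$root/site2/index.htm"
    printf '<iframe src="http://198.51.100.1/x.htm" width=0 height=0></iframe>\n' \
        >> "$root/site2/index.htm"
    touch -t 200701150800 "$root/site1/index.htm"
    touch -t 200701150919 "$root/site2/index.htm"
    printf '%s\n' "$root"
}
```

On the real box you would run find_modified_between against / rather than the webroot, with the minute the OP saw (e.g. 0918 to 0920), and look at what besides index.htm changed: a file written in that window that is not an .htm is a lead on the writer, which the HTTP log alone cannot give you if the writer was a local process rather than a request.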


You need to provide the various system logs, each user's $HOME/.bash_history,
the output of netstat -lnp, /sbin/lsmod, etc.

The latest Apache version is 2.0.59; I'd suggest upgrading that service


Found a user spamd; the server has been hacked. Where can I see in the logs where they got in? And how do I check when that user was created?


The investigation shows the server was infected with the Linux.Backdoor.Kaiten trojan. The check went as follows:

Scanned the system with the chkrootkit tool
It reported the following problem:
[root@yourname ~]# chkrootkit -x chkutmp
ROOTDIR is `/'
=> possibly 4 deletion(s) detected in /var/run/utmp !
chkutmp: nothing deleted

Checked which rpm package /var/run/utmp belongs to and found:
[root@yourname ~]# rpm -qf /var/run/utmp
initscripts-7.93.11.EL-1

Used rpm to verify whether it had been modified, and found:
[root@yourname ~]# rpm -V initscripts
.......T  c /etc/inittab
S.5....T  c /etc/rc.d/rc.local
[root@yourname ~]#

Checked /etc/rc.d/rc.local and found abnormal content:
[root@yourname ~]# cat /etc/rc.d/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
"/etc/X11/applnk/"
"/etc/X11/applnk/config"
"/var/spool/config"

Checked the one directory and two files listed:
[root@yourname ~]# ll /etc/X11/applnk/
total 32
-rwxr-xr-x  1 root root 31222 Dec 19 16:27 config
[root@yourname ~]# ll /etc/X11/applnk/config
-rwxr-xr-x  1 root root 31222 Dec 19 16:27 /etc/X11/applnk/config
[root@yourname ~]# rpm -qf /etc/X11/applnk/config
file /etc/X11/applnk/config is not owned by any package
[root@yourname ~]# ll /var/spool/config
-rwxr-xr-x  1 root root 31351 Jan 15 03:44 /var/spool/config

They do not belong to any RPM
[root@yourname ~]# rpm -qf /var/spool/config
file /var/spool/config is not owned by any package
[root@yourname ~]# file /var/spool/config
/var/spool/config: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.4.1, dynamically linked (uses shared libs), not stripped
[root@yourname ~]# ll /etc/rc.d/rc.local
-rwxr-xr-x  1 root root 287 Jan 15 03:45 /etc/rc.d/rc.local
[root@yourname ~]#

Downloaded these files to a Windows machine; Norton intercepted them and flagged Linux.Backdoor.Kaiten


Also checked other parts of the system and confirmed they are normal
[root@yourname ~]# which last
/usr/bin/last
[root@yourname ~]# rpm -qf /usr/bin/last
SysVinit-2.85-34
[root@yourname ~]# rpm -V SysVinit
[root@yourname ~]#

/home/spamd on the server belongs to the malicious attacker.
This user should not exist on a normal server.
logviper is a tool that exploits a kernel vulnerability to escalate privileges;
it lets a non-root user become root and then run other programs.
Exactly how they got in is still under investigation.

So I carried out two fixes:
1) Updated the kernel to AS4 update 4, skipping 4 minor versions, to make sure the kernel has no holes
2) Searched all files and removed the injected malicious code

Summary: I think it was the kernel after all; our kernel version was just too old! Everyone, remember to check ftp://linux.sinica.edu.tw/redhat/updates regularly for new versions and upgrade promptly; don't give that trash an opening
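An added example (my code, not the poster's) that automates the chain post #4 walked through by hand: pull out the commands rc.local would run at boot, test each target for the ELF magic that `file` reported, ask rpm who owns it when rpm is present, and decode the `rpm -V` flag string. It takes an optional root prefix so the same functions can be pointed at a mounted evidence disk instead of the live box (rpm then needs --root so it reads that disk's package database). The rc.local, the two fake ELF files and the rpm -V lines in the demo are constructed from the output shown in the post.

```shell
#!/bin/sh
# Added example, not code from the thread. The demo tree is constructed.

# Print the absolute paths a SysV startup script executes: the first word of
# every non-comment line, quotes stripped, when that word starts with '/'.
startup_commands() {
    awk '!/^[[:space:]]*#/ { gsub(/"/, "", $1); if ($1 ~ /^\//) print $1 }' "$1" | sort -u
}

# True when the first four bytes of $1 are the ELF magic (\177ELF).
is_elf() {
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -c | tr -d ' \n')" = '177ELF' ]
}

# Owning package of path $1; $2 is an optional evidence root (rpm --root).
rpm_owner() {
    if command -v rpm >/dev/null 2>&1; then
        owner=$(rpm ${2:+--root "$2"} -qf "$1" 2>/dev/null) \
            && printf '%s\n' "$owner" || printf 'not owned by any package\n'
    else
        printf 'rpm not available\n'
    fi
}

# Decode one "rpm -V" line (RHEL4 layout: 8 flag chars SM5DLUGT, attribute
# letter, path) into "path: changed: <attributes> [(config file)]".
decode_rpm_verify() {
    flags=$(printf '%s' "$1" | cut -c1-8)
    rest=$(printf '%s' "$1" | cut -c9- | sed 's/^[[:space:]]*//')
    path=${rest##* }
    kind=''
    case "$rest" in 'c '*) kind=' (config file)' ;; esac
    what=''
    for pair in 1:S:size 2:M:mode 3:5:md5 4:D:device 5:L:symlink 6:U:user 7:G:group 8:T:mtime; do
        pos=${pair%%:*}; tail=${pair#*:}; letter=${tail%%:*}; name=${tail#*:}
        [ "$(printf '%s' "$flags" | cut -c"$pos")" = "$letter" ] && what="$what $name"
    done
    printf '%s: changed:%s%s\n' "$path" "$what" "$kind"
}

# For each command script $1 runs, resolved under root prefix $2 (default: live
# system), report directory / missing / ELF or not, and the owning package.
audit_startup_script() {
    prefix=${2:-}
    startup_commands "$1" | while IFS= read -r p; do
        t="$prefix$p"
        if [ -d "$t" ]; then
            printf '%s: directory (executing it fails; decoy line)\n' "$p"
        elif [ ! -e "$t" ]; then
            printf '%s: missing\n' "$p"
        elif is_elf "$t"; then
            printf '%s: ELF binary, %s\n' "$p" "$(rpm_owner "$p" "$prefix")"
        else
            printf '%s: non-ELF file, %s\n' "$p" "$(rpm_owner "$p" "$prefix")"
        fi
    done
}

# Build an evidence tree mirroring the post: the rc.local with its three
# appended lines, the applnk directory and two fake ELF files (header only).
make_demo_root() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/rc.d" "$root/etc/X11/applnk" "$root/var/spool"
    cat > "$root/etc/rc.d/rc.local" <<'EOF'
#!/bin/sh
# This script will be executed *after* all the other init scripts.
touch /var/lock/subsys/local
"/etc/X11/applnk/"
"/etc/X11/applnk/config"
"/var/spool/config"
EOF
    for f in etc/X11/applnk/config var/spool/config; do
        printf '\177ELF\001\001\001\000' > "$root/$f"; chmod 755 "$root/$f"
    done
    printf '%s\n' "$root"
}
```

Run `audit_startup_script /etc/rc.d/rc.local` on the live box, or `audit_startup_script /mnt/evidence/etc/rc.d/rc.local /mnt/evidence` on a mounted image. The rpm check is only as good as the RPM database, which a root-level attacker could have edited too; the ELF test and "not owned by any package" are leads, not proof, and rpm -V output should be read the same way (the poster's `S.5....T c /etc/rc.d/rc.local` decodes to size, md5 and mtime changed on a config file).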


The user's creation time can be determined from the creation/modification times of the related directories and files.
Remember that if spamassassin is installed, the system may well use the spamd account.
If you're interested, analyse the two config files in a virtual machine or a test environment.
After upgrading the kernel you still need to check the server's open ports and process list.


> Downloaded these files to a Windows machine; Norton intercepted them and flagged Linux.Backdoor.Kaiten

That file is said to be Linux.Backdoor.Kaiten.

Norton does have antivirus software for Linux; Enterprise Edition 10 has a directory for it, I think that's the one.


Technical details

Once Linux.Backdoor.Kaiten is executed, it performs the following actions:

   1. Opens a back door on the compromised computer, by using an IRC client to connect to the following IRC servers on port TCP 6667:

          * 66.119.66.107
          * irc.terra.com
          * independence.remoteserver.org
          * freedom.ns01.biz
          * networking.dyndns.org
          * liberty.no-ip.biz
          * xp.yi.org
          * 67.43.234.119
          * irc.newchrousty.org
          * Sympatico.Qc.Ca.NewChrousty.org
          * Trois-Rivieres.Qc.Ca.NewChrousty.org
          * Chat.NewChrousty.Org
          * Micro-ISP.NewChrousty.Org
          * LaLiPuS.NewChrousty.Org
          * 64.18.142.125
          * 80.188.198.35
          * irc-vod.myvnc.com

   2. Joins a predetermined IRC channel and listens for commands. These commands allow a remote attacker to perform the following actions on the compromised computer:

          * Perform a distributed denial of service attack using SYN and UDP
          * Download and execute remote files
          * Change client nickname
          * Change servers
          * Send UDP packets
          * Spoof IP addresses
          * End processes
          * Enable or disable packeting
          * Carry out flooding methods
          * End the client application

   3. May modify the following system files:

          * /etc/rc.d/rc.local
          * /etc/rc.conf

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    * Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
    * If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    * Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
    * Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    * Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
    * Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
    * Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

Removal instructions

If your Symantec antivirus product detects Linux.Backdoor.Kaiten, delete the infected files.

Once the threat attacks a computer, it is difficult to determine what else the computer has been exposed to. In most cases, changes other than those made by the threat will not have occurred. However, the author of the threat may have been able to use the threat to access the computer to make changes to it. Unless you can be absolutely sure that malicious activity has not been performed on the computer, we recommend completely reinstalling the operating system.

Noting this here for the record
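An added example (my code, not Symantec's and not from the thread) that turns the writeup's step 1 into the "check open ports and process list" that reply 5 asks for: read `netstat -ntp` style lines and flag any TCP connection whose remote port is 6667 or whose remote address is one of the four literal IPs in the writeup's server list. The netstat snapshot is constructed, with PIDs and the `config` process name chosen to match the binaries found in post #4; the hostnames in the list are not matched here because they would have to be resolved first.

```shell
#!/bin/sh
# Added example, not from the thread. The netstat snapshot is constructed.

# The four literal IPs from the Kaiten writeup above. The hostnames in that
# list would need resolving (or matching in DNS logs) separately.
KAITEN_C2_IPS='66.119.66.107 67.43.234.119 64.18.142.125 80.188.198.35'

# Read "netstat -ntp" style lines on stdin; for each TCP connection whose
# remote port is 6667 or whose remote IP is a listed C2, print the remote
# endpoint, the PID/program column and the reason. The address is split
# from the end so an IPv6 remote (many colons) still yields the port.
flag_irc_connections() {
    awk -v ips="$KAITEN_C2_IPS" '
        BEGIN { n = split(ips, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        $1 == "tcp" || $1 == "tcp6" {
            remote = $5
            rport = remote; sub(/.*:/, "", rport)
            rip   = remote; sub(/:[^:]*$/, "", rip)
            why = ""
            if (rport == "6667") why = "irc port 6667"
            if (rip in bad)      why = (why == "" ? "" : why "; ") "known Kaiten C2 " rip
            if (why != "")       print remote, $NF, why
        }'
}

# Number of flagged connections in a snapshot read from stdin.
count_flagged() {
    flag_irc_connections | grep -c ''
}

# Constructed snapshot in netstat -ntp layout: one bot connection to a listed
# C2, one to an unlisted IRC server, plus ordinary httpd and sshd traffic.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:41022          66.119.66.107:6667      ESTABLISHED 4521/config
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED 2210/httpd
tcp        0      0 10.0.0.5:41023          198.51.100.9:6667       SYN_SENT    4521/config
tcp        0      0 10.0.0.5:22             198.51.100.20:55001     ESTABLISHED 1987/sshd
EOF
}
```

Usage on a live box is `netstat -ntp | flag_irc_connections`; follow each flagged PID with `ls -l /proc/PID/exe` and `cat /proc/PID/cmdline` to tie it back to the file on disk. Because the thread needed chkrootkit in the first place, treat netstat itself as suspect and compare its view with /proc/net/tcp (remote port 6667 appears there as hex 1A0B) before deciding the box is clean.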

