怀疑机器被别人入侵,郁闷

发表于 2006-6-6 18:47:20 | 显示全部楼层 |阅读模式
我的系统是 FC5。今天重启机器,突然注意到 dhcpd 和 named 服务启动的信息,我明明是关掉的。进系统用图形界面看,确实是关掉的,但每次重启机器上面两个服务都会自己启动;查看 /etc/rc.d/init.d/NetworkManager 的内容,发现里面有启动上面两个服务的语句,如下:
  # Quoted from /etc/rc.d/init.d/NetworkManager on the poster's FC5 box.
  # The two services started here are dhcdbd (lock file
  # /var/lock/subsys/dhcdbd) and named -- note "dhcdbd", not "dhcpd" --
  # and they are started whenever their subsys lock is absent, i.e. on
  # every boot in which NetworkManager itself starts.  daemon comes from
  # the sourced init function library, not from this script.
  1. start()
  2. {
  3.         echo $"Setting network parameters... "
  4.         sysctl -e -p /etc/sysctl.conf >/dev/null 2>&1

  5.         if [ ! -e /var/lock/subsys/dhcdbd ]; then
  6.                 service dhcdbd start
  7.         fi

  8.         if [ ! -e /var/lock/subsys/named ]; then
  9.                 service named start
  10.         fi

  11.         echo -n $"Starting NetworkManager daemon: "
  12.         daemon --check $servicename $processname --pid-file=$pidfile
  13.         RETVAL=$?
  14.         echo
  15.         [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$servicename
  16. }

NetworkManager 这个服务我是开启的。

/tmp 目录里有个奇怪的文件 5y60c7qr.exe。哪位好心人把自己的 /etc/rc.d/init.d/NetworkManager 贴上来,让俺对比一下,最好也把 /etc/rc.d/init.d/dhcdbd 和 /etc/rc.d/init.d/named 两个文件的内容贴上来。如果需要,我把 5y60c7qr.exe 贴在附件里,请高手帮忙看一下是不是木马之类的程序。


另外:哪位高手指教一下,怎么确认机器有没有受到攻击
 楼主| 发表于 2006-6-6 18:52:20 | 显示全部楼层
另外/etc/services的日期变成了2007年4月,5y60c7qr.exe 这个奇怪的文件的日期也是2007年4月

发表于 2006-6-8 00:08:29 | 显示全部楼层
偶的fc5是做桌面的,看了看跟你的不同
偶的服务器是用as的,也跟你的不同
建议找一些服务器入侵检测脚本试一下

发表于 2006-6-8 00:12:50 | 显示全部楼层
贴个示范:

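#!/bin/bash
#---------------------------------------------------------------
# Linux Incident Response Script
# modefied by tangfl
# 2006-5-6
# Contact: tangfulin@126.com
# http://tangfl.cbw.org.cn
#---------------------------------------------------------------
#
# Snapshots the state of a host that may have been compromised: OS and
# login info, processes, network sockets, kernel modules, accounts,
# startup files, scheduler entries, /tmp, SUID files, copies of the main
# logs and three ls timestamp listings of the whole filesystem.  The
# report goes to $resultDir/ir, side files next to it, and everything is
# packed into $resultDir/ir.tar.gz at the end.
#
# Must run as root.  Every command below is the suspect host's own
# binary (ps, netstat, lsmod, ls, ...); a rootkit that hooks libc or the
# kernel can hide from all of them, so treat the result as triage data
# and confirm anything important from a known-good boot medium.
#
# Fix it yourself if any problem !

# Terminal colours for progress messages (never written to the report).
# The original had these in typographic quotes, which the shell does not
# strip, so none of the strings expanded.
cFR="\033[40;31m"   # red on black
cNO="\033[00m"      # reset
cFG="\033[01;32m"   # bold green

resultDir="/var/tangfl"
errFile="$resultDir/stderr"
report="$resultDir/ir"

# Progress message: msg COLOUR TEXT.  %b expands the escape sequences in
# the colour code; the text goes through %s and is never interpreted.
msg() {
  printf '%b%s%b\n' "$1" "$2" "$cNO"
}

# Boxed section header in the report: section TITLE.
section() {
  local title=$1 bar
  bar=$(printf '%*s' "$(( ${#title} + 2 ))" '' | tr ' ' '-')
  {
    printf ' %s\n' "$bar"
    printf '| %s |\n' "$title"
    printf ' %s\n' "$bar"
  } >> "$report"
}

# Three blank lines between sections, as in the original layout.
gap() {
  printf '\n\n\n' >> "$report"
}

# Append FILE to the report, or record its absence instead of failing silently.
dump_file() {
  if [ -f "$1" ]; then
    printf '%s:\n' "$1" >> "$report"
    cat -- "$1" >> "$report" 2>>"$errFile"
  else
    printf 'no %s\n' "$1" >> "$report"
  fi
}

# Fresh, root-only result directory.  The report will contain /etc/shadow
# and the shell history, so nothing in it may be world-readable.
# ${var:?} guards the rm -rf against an empty path.
umask 077
mkdir -p -- "$resultDir" || exit 1
rm -rf -- "${resultDir:?}"/*
: > "$errFile"

date +%Y-%m-%d/%H:%M >> "$report"
msg "$cFR" " Info: Detection Started..., be sure to run this as root"

msg "$cFG" " Info: detecting os version info..."
section "OS Version info"
uname -a >> "$report"
cat /etc/issue >> "$report" 2>>"$errFile"
gap

msg "$cFG" " Info: detecting Current login and CPU load..."
section "Current login and CPU load"
w >> "$report" 2>>"$errFile"
gap

msg "$cFG" " Info: detecting recent logins..."
section "Recent logins"
last >> "$report" 2>>"$errFile"
gap

msg "$cFG" " Info: detecting process info..."
section "Process info"
ps aux >> "$report"
gap
# Command lines and exe links straight from /proc, to cross-check ps:
# a process hidden from ps by a userland hook may still show up here.
strings -f /proc/[0-9]*/cmdline >> "$report" 2>>"$errFile"
gap
ls -al /proc/[0-9]*/exe >> "$report" 2>>"$errFile"
gap

msg "$cFG" " Info: detecting autostart programs and modules..."
section "modules.conf & rc.local"
# 2.6 kernels read /etc/modprobe.conf instead of /etc/modules.conf;
# dump whichever exists.
for f in /etc/modules.conf /etc/modprobe.conf /etc/rc.local; do
  dump_file "$f"
  gap
done

msg "$cFG" " Info: detecting login backdoor..."
section "Detect login backdoor"
# Printable strings and checksums of login and sshd go to side files for
# later comparison against a clean copy of the same package version.
strings /bin/login >> "$resultDir/login_fingerprint" 2>>"$errFile"
sshdBin=$(command -v sshd 2>/dev/null || printf '%s' /usr/sbin/sshd)
strings "$sshdBin" >> "$resultDir/sshd_fingerprint" 2>>"$errFile"
md5sum /bin/login "$sshdBin" >> "$report" 2>>"$errFile"
printf 'strings written to %s/login_fingerprint and %s/sshd_fingerprint\n' \
  "$resultDir" "$resultDir" >> "$report"
gap

msg "$cFG" " Info: detecting network info..."
section "Network info"
ifconfig -a >> "$report" 2>>"$errFile"
gap
netstat -anp >> "$report" 2>>"$errFile"
gap
lsof >> "$report" 2>>"$errFile"
gap

msg "$cFG" " Info: detecting cpu load..."
section "CPU Load"
# -n1: a single batch iteration (the original "n1" without the dash was a typo).
top -b -n1 >> "$report" 2>>"$errFile"
gap

msg "$cFG" " Info: detecting Kernel modules list..."
section "Kernel Modules List"
lsmod >> "$report" 2>>"$errFile"
gap
# NR > 1 skips the "Module" header line.
lsmod | awk 'NR > 1 { print $1 }' | xargs -r modinfo >> "$report" 2>>"$errFile"
gap

msg "$cFG" " Info: detecting account info..."
section "Account info"
cat /etc/passwd >> "$report"
gap
# Password hashes: this is why the result directory is mode 0700.
cat /etc/shadow >> "$report" 2>>"$errFile"
gap

msg "$cFG" " Info: detecting trusted relationship"
section "Trusted relationship"
cat /etc/hosts >> "$report"
gap
dump_file /etc/hosts.equiv
gap
dump_file ~/.rhosts
gap

msg "$cFG" " Info: detecting autostart services..."
section "Autostart services"
# Default runlevel from inittab (id:N:initdefault:), falling back to the
# running one, then list that runlevel's S/K links.
runlevelTemp=$(awk -F: '/^id:.*:initdefault:/ { print $2 }' /etc/inittab 2>/dev/null)
[ -n "$runlevelTemp" ] || runlevelTemp=$(runlevel 2>/dev/null | awk '{ print $2 }')
ls -al "/etc/rc.d/rc${runlevelTemp}.d/" >> "$report" 2>>"$errFile"
gap

msg "$cFG" " Info: detecting /tmp directory..."
section "/tmp directory"
ls -al /tmp >> "$report"
gap

msg "$cFG" " Info: dumping .bash_history..."
cat ~/.bash_history >> "$resultDir/bash_history.txt" 2>>"$errFile"

msg "$cFG" " Info: detecting scheduler..."
section "scheduler"
atq >> "$report" 2>>"$errFile"
gap
crontab -l >> "$report" 2>>"$errFile"
gap
# System-wide cron entries live outside root's own crontab.
ls -alR /etc/cron* /var/spool/cron >> "$report" 2>>"$errFile"
gap

msg "$cFG" " Info: detecting ip forward..."
section "IP forward option"
printf '/proc/sys/net/ipv4/ip_forward\n' >> "$report"
cat /proc/sys/net/ipv4/ip_forward >> "$report"
gap

#---------------------------------------------------------------
# chkrootkit: disabled by default, as the original header intended
# ("cancel the commentary to start the following section").  Enabled,
# it downloads an unauthenticated tarball over plain FTP and runs make
# and the result as root on the suspect host.  If you want it, fetch
# the tarball and its published checksum on a trusted machine, verify
# them there, and copy the verified tree over -- or run it from a
# known-good live medium.
#---------------------------------------------------------------
#mkdir -p "$resultDir/tmp" && cd "$resultDir/tmp" || exit 1
#wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
#tar -zxvf chkrootkit.tar.gz
#rm -f ./chkrootkit.tar.gz
#cd chkrootkit* && make all
#section "Chkrootkit result"
#./chkrootkit >> "$report"
#gap
#cd "$resultDir" && rm -rf ./tmp

msg "$cFG" " Info: Searching for ... and suid files, how long it takes depends on the amount of disk files"
section "... file list"
# Entries literally named "..." are a common hiding spot; /proc is
# pruned because it is not on disk.
find / -path /proc -prune -o -name '...' -print >> "$report" 2>>"$errFile"
gap

section "Suid file list"
# -exec ... + instead of xargs so names with spaces survive.
find / -path /proc -prune -o -perm -4000 -exec ls -al {} + >> "$report" 2>>"$errFile"
gap

msg "$cFG" " Info: Dumping logs, you could do this work manually except for the large ones"
# -p keeps the original timestamps on the copies.
cp -p /var/log/messages* /var/log/secure* "$resultDir/" 2>>"$errFile"
cp -p /var/run/utmp "$resultDir/utmp" 2>>"$errFile"
cp -p /var/log/wtmp "$resultDir/wtmp" 2>>"$errFile"

msg "$cFG" " Info: Dumping 3 timestamps for each file under /"
msg "$cFG" " Info: Please wait, it will take several minutes..."
cd / || exit 1
# File names kept from the original.  What each listing really holds:
# -u is the access time, -c the inode change time, plain -l the last
# modification time (Linux ls has no creation time).  The access
# listing runs first because the later listings themselves read every
# directory and so update directory atimes.
ls -alRu >> "$resultDir/access" 2>>"$errFile"
ls -lRc >> "$resultDir/modification" 2>>"$errFile"
ls -lR >> "$resultDir/creation" 2>>"$errFile"

# Close the report before packing so the end time is inside the archive
# (the original appended it after tar had already run).
date +%Y-%m-%d/%H:%M >> "$report"

msg "$cFG" " Info: Compressing..."
# The original ran tar inside $resultDir on "./tangfl", which does not
# exist there; pack the directory from its parent instead and leave the
# archive itself out of the archive.
archive="$resultDir/ir.tar"
tar -cf "$archive" -C "${resultDir%/*}" \
  --exclude="${resultDir##*/}/ir.tar" "${resultDir##*/}" 2>>"$errFile"
gzip -f "$archive" 2>>"$errFile"

msg "$cFR" " Finished: check everything in $resultDir/ir.tar.gz!"
msg "$cFR" " Don't forget to exec ++ rm -rf $resultDir ++ before you leave!"
#rm -f $0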

发表于 2006-6-8 01:43:03 | 显示全部楼层
我没改过,默认就是这样的!!

#!/bin/sh
#
# NetworkManager:   NetworkManager daemon
#
# chkconfig: - 98 02
# description:  This is a daemon for automatically switching network \
#               connections to the best available connection. \
#
# processname: NetworkManager
# pidfile: /var/run/NetworkManager/NetworkManager.pid
#

# Install prefixes; only sbindir is actually used below.
prefix=/usr
exec_prefix=/usr
sbindir=/usr/sbin

NETWORKMANAGER_BIN=${sbindir}/NetworkManager

# Sanity checks.
[ -x $NETWORKMANAGER_BIN ] || exit 1

# We need /sbin/ip
[ -x /sbin/ip ] || exit 1

# Source function library.
# daemon, killproc and status used further down come from this file,
# not from this script.
. /etc/rc.d/init.d/functions

# so we can rearrange this easily
processname=NetworkManager
servicename=NetworkManager
pidfile=/var/run/NetworkManager/NetworkManager.pid

# Exit status of the script; only the start/stop/status branches set it.
RETVAL=0

# Start the daemon.  Before NetworkManager itself, this brings up dhcdbd
# (note: dhcdbd, not dhcpd) and named whenever their subsys lock file is
# missing -- so on a host where NetworkManager is enabled both are
# started at every boot regardless of their own service setting, which
# matches what the first post in this thread describes.
# Sets RETVAL from daemon's exit status and creates the subsys lock on
# success.
start()
{
        echo $"Setting network parameters... "
        sysctl -e -p /etc/sysctl.conf >/dev/null 2>&1

        # Absent lock file == service not running: start it.
        if [ ! -e /var/lock/subsys/dhcdbd ]; then
                service dhcdbd start
        fi

        if [ ! -e /var/lock/subsys/named ]; then
                service named start
        fi

        echo -n $"Starting NetworkManager daemon: "
        # daemon comes from /etc/rc.d/init.d/functions, sourced above.
        daemon --check $servicename $processname --pid-file=$pidfile
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$servicename
}

# Stop the daemon via killproc (from the sourced function library),
# using the pid file.  Sets RETVAL from its exit status; on success the
# subsys lock and the pid file are removed.  The dhcdbd and named
# services started by start() are not stopped here.
stop()
{
        echo -n $"Stopping NetworkManager daemon: "
        killproc -p $pidfile $servicename
        RETVAL=$?
        echo
        if [ $RETVAL -eq 0 ]; then
                rm -f /var/lock/subsys/$servicename
                rm -f $pidfile
        fi
}

# See how we were called (dispatch on the first argument).
case "$1" in
        start)
                start
                ;;
        stop)
                stop
                ;;
        status)
                # status comes from the sourced function library.
                status -p $pidfile $processname
                RETVAL=$?
                ;;
        restart)
                stop
                start
                ;;
        condrestart)
                # Restart only if the service is currently marked as running.
                if [ -f /var/lock/subsys/$servicename ]; then
                        stop
                        start
                fi
                ;;
        *)
                # Unknown argument prints usage but leaves RETVAL at 0.
                echo $"Usage: $0 {start|stop|status|restart|condrestart}"
                ;;
esac
# RETVAL is 0 unless start, stop or status changed it.
exit $RETVAL

发表于 2006-6-8 10:20:29 | 显示全部楼层
tangfl,请问这个入侵检测脚本怎么用,谢谢
