
Topic: Detect and Clean a hacked server T0rnkit Tutorial

  #1 Posted by Vahid (Administrator), member since Aug 2008


    T0rn Rootkit
    T0rnkit is a rootkit: a set of programs an intruder installs to keep unrestricted access to a compromised Linux system. T0rnkit also attempts to hide its presence by replacing system binaries and libraries with trojaned copies.
    The t0rn rootkit is designed for speed, meaning it was built to be installed quickly on Linux machines. It needs very little skill to install and run: every binary the attacker needs comes pre-compiled, and the installation is as simple as running ./t0rn. T0rn comes standard with a log cleaner called t0rnsb, a sniffer named t0rns and a log parser called t0rnp.

    I am including this so that you can all diagnose and clean up your hacked server.
    First of all:
    Login to WHM as root
    Click Tweak Settings
    and remove the tick from
    Allow cPanel users to reset their password via email

    Step 1. Run chkrootkit. You will see some INFECTED lines, and it will also report that some processes are hidden from ps:
    chkrootkit
    Checking `ifconfig'... INFECTED
    Checking `login'... INFECTED
    Checking `pstree'... INFECTED
    and also:
    Checking `lkm'... You have X process hidden for ps command
    Warning: Possible LKM Trojan installed
    Keep in mind that chkrootkit runs ps, ls, netstat and the other system binaries, which are exactly what t0rn replaces. Point it at known-good copies (for example from the install CD) with chkrootkit -p /path/to/clean/bin so the rootkit's own binaries cannot lie to it.


    Step 2. /etc/init.d/syslog restart
    Shutting down kernel logger: [ OK ]
    Shutting down system logger: [ OK ]
    Starting system logger: [FAILED]
    Starting kernel logger: [ OK ]
    The system logger fails to start because syslogd is one of the replaced binaries (see the list below).

    Step 3. top
    top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory
    The original top worked; the replacement was linked against a library version this system does not have.

    Step 4. tail /etc/rc.d/rc.sysinit
    # Xntps (NTPv3 daemon) startup..
    /usr/sbin/xntps -q
    There is no such NTP daemon. This is t0rn's persistence: the line starts the backdoor (whose ssh configuration lives in /lib/lblip.tk) at every boot.
    --------------------------------------------------------

    OK, it looks like someone got into your server as well. Since we know which rootkit it is, let us investigate further.
    Configuration files
    (use cat /path/to/file to read what each file contains)

    /usr/include/file.h (for file hiding)
    /usr/include/proc.h (for ps process hiding)
    /lib/lidps1.so (for pstree hiding)
    /usr/include/hosts.h (for netstat and network hiding)
    /usr/include/log.h (for log hiding)
    /lib/lblip.tk/ (the backdoored ssh configuration files are in this directory)
    /dev/sdr0 (the system's md5 checksums)
    /lib/ldd.so (holds tks (sniffer), tkp (parser) and tksb (log cleaner))

    Infected binaries:
    top, ps, pstree, lsof, md5sum, dir, login, encrypt, ifconfig, find, ls, slocate,
    tks, tksb, tkp, netstat, pg, syslogd, sz
    Infected libraries:
    libproc.a, libproc.so.2.0.6, libproc.so
    Backdoor (located at /lib/lblip.tk):
    shdc
    shhk.pub
    shk
    shrs

    --------------------------------------------------------


    Now, let's start the cleaning process:

    Step 1.
    pico /etc/rc.d/rc.sysinit
    remove the lines that read
    # Xntps (NTPv3 daemon) startup..
    /usr/sbin/xntps -q

    Step 2.
    reboot the system
    WARNING: 2 servers got their kernel removed after reboot.
    If that is the case for you, and that is what the DataCenter complains about after the reboot, ask them to do the following:
    boot the system from the Red Hat CD into rescue mode
    chroot to /mnt/sysimage
    reinstall the kernel packages
    That should fix it.
    -- Since the box is already in rescue mode, perhaps also ask them to install the following RPMs with rpm -Uvh --force:
    procps*.rpm
    psmisc*.rpm
    findutils*.rpm
    fileutils*.rpm
    util-linux*.rpm
    net-tools*.rpm
    textutils*.rpm
    sysklogd*.rpm
    Step 3.
    After the system is up, first save a copy of the rootkit's files for later analysis (for example tar them up and move the archive off the server), then:
    cd /lib
    rm -rf lblip.tk
    Step 4.
    remove the configuration files listed above.
    Step 5.
    cat /etc/redhat-release
    note down your version of Red Hat, then from
    www.rpmfind.net
    search for the following RPMs, matching your exact release:
    procps*.rpm
    psmisc*.rpm
    findutils*.rpm
    fileutils*.rpm
    util-linux*.rpm
    net-tools*.rpm
    textutils*.rpm
    sysklogd*.rpm
    -- check each one with rpm -K before installing (you are replacing trojaned binaries, so do not install an unsigned package over them), then install them with rpm -Uvh --force.
    Afterwards, rpm -V procps psmisc findutils fileutils util-linux net-tools textutils sysklogd should report nothing for the binaries in the infected list; any line that still shows a changed md5 (a 5 in the output) means that binary is still not the packaged one.

    Step 6.
    If the hosts.h file is present, it lists the IP prefix whose connections t0rn hides from netstat:
    cat /usr/include/hosts.h
    193.60
    That prefix is where the intruder connects from, so if you want, you can block all IPs in 193.60.0.0/16 from reaching your server via iptables.
    Step 7.
    If all goes OK,
    reboot the server and run chkrootkit again.
    You should be OK!

    There is no elevator to progress in knowledge; you have to take the stairs /./ Always remember that there are many hands above your hand.
    Remember that to stand once we have fallen a hundred times /./ Backups are the most important secret of hosting success /./ Security is never absolute.
    Direct contact with me:
    Admin -{(@)}- WebHostingTalk . ir
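The checks in the post can be scripted so that they are repeatable (and can be run against a disk mounted read-only from rescue mode). The script below is an added example, not code from the original post or from the t0rn kit: it looks for the configuration files, backdoor directory and rc.sysinit line listed above, summarises chkrootkit output, and turns the prefix in /usr/include/hosts.h into the iptables rule from Step 6. The ROOT argument, the function names and the sample chkrootkit lines are this example's own assumptions.

```shell
#!/bin/sh
# t0rn_check.sh -- added example, not part of the original post.
# Checks a system (or an offline-mounted root) for the t0rn artifacts the post
# lists, summarises chkrootkit output, and turns the prefix in
# /usr/include/hosts.h into an iptables rule. The ROOT argument, the function
# names and the sample chkrootkit lines are this example's own assumptions.

# Configuration files and backdoor directory named in the post, relative to /
T0RN_PATHS="usr/include/file.h usr/include/proc.h lib/lidps1.so \
usr/include/hosts.h usr/include/log.h lib/lblip.tk dev/sdr0 lib/ldd.so"

# t0rn_scan [ROOT]: print every listed artifact present under ROOT (default: /)
# and the xntps persistence line t0rn adds to rc.sysinit. Always returns 0;
# use t0rn_found for a yes/no answer.
t0rn_scan() {
    root="${1:-}"
    for p in $T0RN_PATHS; do
        if [ -e "$root/$p" ]; then
            echo "artifact: $root/$p"
        fi
    done
    # the fake "NTPv3 daemon" start line is how t0rn relaunches its backdoor
    if grep -q 'xntps' "$root/etc/rc.d/rc.sysinit" 2>/dev/null; then
        echo "persistence: $root/etc/rc.d/rc.sysinit starts /usr/sbin/xntps"
    fi
    return 0
}

# t0rn_found [ROOT]: exit status 0 if t0rn_scan reports anything
t0rn_found() {
    [ -n "$(t0rn_scan "${1:-}")" ]
}

# chkrootkit_summary: read chkrootkit output on stdin and print one line per
# problem: "INFECTED <name>" for each trojaned binary and "LKM" once if
# hidden processes or an LKM trojan were reported. Backticks are stripped
# first so the patterns below stay free of shell quoting trouble.
chkrootkit_summary() {
    tr -d '`' | while IFS= read -r line; do
        case "$line" in
            "Checking "*"'... INFECTED")
                name=${line#"Checking "}
                name=${name%"'... INFECTED"}
                echo "INFECTED $name" ;;
            *"process hidden for ps command"*|*"Possible LKM Trojan"*)
                echo "LKM" ;;
        esac
    done | sort -u
}

# sample_chkrootkit_output: constructed lines in chkrootkit's format, modelled
# on the three INFECTED entries and the LKM warning quoted in the post
sample_chkrootkit_output() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `ifconfig'... INFECTED
Checking `login'... INFECTED
Checking `ls'... not infected
Checking `pstree'... INFECTED
Checking `lkm'... You have 2 process hidden for ps command
Warning: Possible LKM Trojan installed
EOF
}

# hosts_h_prefix [ROOT]: first non-empty line of /usr/include/hosts.h, i.e. the
# address prefix whose connections the trojaned netstat hides (post: 193.60)
hosts_h_prefix() {
    sed -n '/./{p;q;}' "${1:-}/usr/include/hosts.h" 2>/dev/null
}

# prefix_to_cidr PREFIX: widen a partial dotted prefix to a CIDR block
# (193.60 -> 193.60.0.0/16, 10 -> 10.0.0.0/8, a full address -> /32)
prefix_to_cidr() {
    p="$1"
    dots=$(printf '%s' "$p" | tr -cd '.' | wc -c | tr -d ' ')
    case "$dots" in
        0) echo "$p.0.0.0/8" ;;
        1) echo "$p.0.0/16" ;;
        2) echo "$p.0/24" ;;
        3) echo "$p/32" ;;
        *) echo "bad prefix: $p" >&2; return 1 ;;
    esac
}

# block_rule PREFIX: the iptables command that drops traffic from that block
block_rule() {
    [ -n "$1" ] || { echo "no prefix given" >&2; return 1; }
    echo "iptables -I INPUT -s $(prefix_to_cidr "$1") -j DROP"
}

case "${1:-}" in
    scan)    t0rn_scan "${2:-}" ;;
    summary) chkrootkit_summary ;;            # chkrootkit | sh t0rn_check.sh summary
    block)   block_rule "$(hosts_h_prefix "${2:-}")" ;;
    *)       echo "usage: $0 scan [ROOT] | summary | block [ROOT]" >&2 ;;
esac
```

Run sh t0rn_check.sh scan on the live box, or sh t0rn_check.sh scan /mnt/sysimage from rescue mode where the rootkit's own ls and find are not in the way; sh t0rn_check.sh block prints the iptables line for Step 6 rather than applying it, so you can review the range before blocking it.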
