It has been a long time since I was last here. I am very busy trying to sort out countless problems with my devices being hacked. I have a bridge installed on my home network. It is a TP-Link 841N with WDS enabled, connected as a client to my network. Nmap tells me that port 22 is open, and I have tried to update the firmware several times, downloading it through many proxy servers, including two OpenVPN servers, my cellular connection and the network. I also recently needed a new password for my PGP VPS provider because the OpenVZ web panel kept getting hacked. This happened 3 or 4 times and my provider had to reset the password. So I scanned my computer for rootkits with chkrootkit and rkhunter, and I got a few warnings. I will post the output here: (Edited for formatting, 19/01/15)
## chkrootkit output ##
root@linuxpc:~# chkrootkit
ROOTDIR is `/'
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/debug/.build-id
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit
/usr/lib/pymodules/python2.7/.path
/usr/lib/jvm/.Java-1.7.0-openjdk AMD64.jinfo
/usr/lib/debug/.build-id
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
wlan0: PACKET SNIFFER(/sbin/wpa_supplicant[1850], /sbin/dhclient[3145])
Checking `wted'... 1 deletion(s) between Sat Jan 17 21:43:47 2015 and Sat Jan 17 21:48:36 2015
Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
! RUID PID TTY CMD
! root 1463 tty7 /usr/bin/X :0 -background none -verbose -auth /var/run/gdm/auth-for-gdm-4y3SbT/database -seat seat0 -nolisten tcp vt7
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
root@linuxpc:~# Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching: command not found
##------------##
## rkhunter output ##
anon@linuxpc:~$ cat /var/log/rkhunter.log | grep Warning
[03:36:46] /usr/sbin/chroot [ Warning ]
[03:36:46] Warning: The file properties have changed:
[03:36:47] /usr/sbin/rsyslogd [ Warning ]
[03:36:47] Warning: The file properties have changed:
[03:36:48] /usr/bin/awk [ Warning ]
[03:36:48] Warning: The file properties have changed:
[03:36:48] /usr/bin/basename [ Warning ]
[03:36:48] Warning: The file properties have changed:
[03:36:49] /usr/bin/curl [ Warning ]
[03:36:49] Warning: The file '/usr/bin/curl' exists on the system, but it is not present in the rkhunter.dat file.
[03:36:49] /usr/bin/cut [ Warning ]
[03:36:49] Warning: The file properties have changed:
[03:36:49] /usr/bin/dirname [ Warning ]
[03:36:49] Warning: The file properties have changed:
[03:36:49] /usr/bin/du [ Warning ]
[03:36:49] Warning: The file properties have changed:
[03:36:50] /usr/bin/env [ Warning ]
[03:36:50] Warning: The file properties have changed:
[03:36:50] /usr/bin/file [ Warning ]
[03:36:50] Warning: The file properties have changed:
[03:36:50] /usr/bin/groups [ Warning ]
[03:36:50] Warning: The file properties have changed:
[03:36:50] /usr/bin/head [ Warning ]
[03:36:50] Warning: The file properties have changed:
[03:36:51] /usr/bin/id [ Warning ]
[03:36:51] Warning: The file properties have changed:
[03:36:51] /usr/bin/ldd [ Warning ]
[03:36:51] Warning: The file properties have changed:
[03:36:52] /usr/bin/logger [ Warning ]
[03:36:52] Warning: The file properties have changed:
[03:36:52] /usr/bin/mail [ Warning ]
[03:36:52] Warning: The file '/usr/bin/mail' exists on the system, but it is not present in the rkhunter.dat file.
[03:36:52] /usr/bin/md5sum [ Warning ]
[03:36:52] Warning: The file properties have changed:
[03:36:53] /usr/bin/runcon [ Warning ]
[03:36:53] Warning: The file properties have changed:
[03:36:53] /usr/bin/sha1sum [ Warning ]
[03:36:53] Warning: The file properties have changed:
[03:36:54] /usr/bin/sha224sum [ Warning ]
[03:36:54] Warning: The file properties have changed:
[03:36:54] /usr/bin/sha256sum [ Warning ]
[03:36:54] Warning: The file properties have changed:
[03:36:54] /usr/bin/sha384sum [ Warning ]
[03:36:54] Warning: The file properties have changed:
[03:36:54] /usr/bin/sha512sum [ Warning ]
[03:36:54] Warning: The file properties have changed:
[03:36:54] /usr/bin/sort [ Warning ]
[03:36:54] Warning: The file properties have changed:
[03:36:55] /usr/bin/stat [ Warning ]
[03:36:55] Warning: The file properties have changed:
[03:36:55] /usr/bin/tail [ Warning ]
[03:36:55] Warning: The file properties have changed:
[03:36:55] /usr/bin/test [ Warning ]
[03:36:55] Warning: The file properties have changed:
[03:36:56] /usr/bin/touch [ Warning ]
[03:36:56] Warning: The file properties have changed:
[03:36:56] /usr/bin/tr [ Warning ]
[03:36:56] Warning: The file properties have changed:
[03:36:56] /usr/bin/uniq [ Warning ]
[03:36:56] Warning: The file properties have changed:
[03:36:56] /usr/bin/users [ Warning ]
[03:36:56] Warning: The file properties have changed:
[03:36:57] /usr/bin/wc [ Warning ]
[03:36:57] Warning: The file properties have changed:
[03:36:57] /usr/bin/wget [ Warning ]
[03:36:57] Warning: The file properties have changed:
[03:36:57] /usr/bin/whatis [ Warning ]
[03:36:57] Warning: The file properties have changed:
[03:36:57] /usr/bin/whereis [ Warning ]
[03:36:57] Warning: The file properties have changed:
[03:36:58] /usr/bin/who [ Warning ]
[03:36:58] Warning: The file properties have changed:
[03:36:58] /usr/bin/whoami [ Warning ]
[03:36:58] Warning: The file properties have changed:
[03:36:58] /usr/bin/unhide.rb [ Warning ]
[03:36:58] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
[03:36:58] /usr/bin/gawk [ Warning ]
[03:36:58] Warning: The file '/usr/bin/gawk' exists on the system, but it is not present in the rkhunter.dat file.
[03:36:58] /usr/bin/bsd-mailx [ Warning ]
[03:36:58] Warning: The file '/usr/bin/bsd-mailx' exists on the system, but it is not present in the rkhunter.dat file.
[03:36:59] /sbin/fsck [ Warning ]
[03:36:59] Warning: The file properties have changed:
[03:36:59] /sbin/ifconfig [ Warning ]
[03:36:59] Warning: The file properties have changed:
[03:37:00] /sbin/route [ Warning ]
[03:37:00] Warning: The file properties have changed:
[03:37:01] /bin/bash [ Warning ]
[03:37:01] Warning: The file properties have changed:
[03:37:02] /bin/cat [ Warning ]
[03:37:02] Warning: The file properties have changed:
[03:37:02] /bin/chmod [ Warning ]
[03:37:02] Warning: The file properties have changed:
[03:37:02] /bin/chown [ Warning ]
[03:37:02] Warning: The file properties have changed:
[03:37:02] /bin/cp [ Warning ]
[03:37:02] Warning: The file properties have changed:
[03:37:03] /bin/date [ Warning ]
[03:37:03] Warning: The file properties have changed:
[03:37:03] /bin/df [ Warning ]
[03:37:03] Warning: The file properties have changed:
[03:37:03] /bin/dmesg [ Warning ]
[03:37:03] Warning: The file properties have changed:
[03:37:03] /bin/echo [ Warning ]
[03:37:03] Warning: The file properties have changed:
[03:37:04] /bin/ls [ Warning ]
[03:37:04] Warning: The file properties have changed:
[03:37:05] /bin/mktemp [ Warning ]
[03:37:05] Warning: The file properties have changed:
[03:37:05] /bin/more [ Warning ]
[03:37:05] Warning: The file properties have changed:
[03:37:05] /bin/mount [ Warning ]
[03:37:05] Warning: The file properties have changed:
[03:37:05] /bin/mv [ Warning ]
[03:37:05] Warning: The file properties have changed:
[03:37:06] /bin/netstat [ Warning ]
[03:37:06] Warning: The file properties have changed:
[03:37:06] /bin/pwd [ Warning ]
[03:37:06] Warning: The file properties have changed:
[03:37:06] /bin/readlink [ Warning ]
[03:37:06] Warning: The file properties have changed:
[03:37:07] /bin/touch [ Warning ]
[03:37:07] Warning: The file properties have changed:
[03:37:07] /bin/uname [ Warning ]
[03:37:07] Warning: The file properties have changed:
[03:37:08] /usr/bin/mawk [ Warning ]
[03:37:08] Warning: The file '/usr/bin/mawk' does not exist on the system, but it is present in the rkhunter.dat file.
[03:46:29] Checking /dev for suspicious file types [ Warning ]
[03:46:29] Warning: Suspicious file types found in /dev:
[03:46:29] Checking for hidden files and directories [ Warning ]
[03:46:29] Warning: Hidden directory found: '/etc/.Java: directory '
[03:46:29] Warning: Hidden directory found: '/dev/.udev: directory '
[03:46:29] Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
## End output ##
I don't think it was very long ago that I ran a propupd, and rkhunter is still giving me plenty of warnings. The promiscuous interface warning had not appeared before. Can someone more experienced help me decipher these results? I know the SucKIT rootkit can be a false positive, but rkhunter makes me nervous, as does all the strange activity I have had on my VPS, which has also been an exit node for a long time. Thanks.
(Update 1/19/15) I followed your advice, removed the lines saying that nothing was infected, and upgraded rkhunter. I then ran the new version (1.4.2) and these warnings appeared:
[15:48:20] /usr/local/bin/rkhunter [ Warning ]
[15:48:20] Warning: The file '/usr/local/bin/rkhunter' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:20] /usr/sbin/adduser [ Warning ]
[15:48:20] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Perl script, ASCII text executable
[15:48:20] /usr/sbin/chroot [ Warning ]
[15:48:20] Warning: The file properties have changed:
[15:48:22] /usr/sbin/rsyslogd [ Warning ]
[15:48:22] Warning: The file properties have changed:
[15:48:23] /usr/bin/awk [ Warning ]
[15:48:23] Warning: The file properties have changed:
[15:48:23] Warning: No symbolic link target found for file '/usr/bin/awk' in the 'rkhunter.dat' file.
[15:48:23] /usr/bin/basename [ Warning ]
[15:48:23] Warning: The file properties have changed:
[15:48:24] /usr/bin/curl [ Warning ]
[15:48:24] Warning: The file '/usr/bin/curl' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:24] /usr/bin/cut [ Warning ]
[15:48:24] Warning: The file properties have changed:
[15:48:24] /usr/bin/dirname [ Warning ]
[15:48:24] Warning: The file properties have changed:
[15:48:25] /usr/bin/du [ Warning ]
[15:48:25] Warning: The file properties have changed:
[15:48:25] /usr/bin/env [ Warning ]
[15:48:25] Warning: The file properties have changed:
[15:48:25] /usr/bin/file [ Warning ]
[15:48:25] Warning: The file properties have changed:
[15:48:25] /usr/bin/GET [ Warning ]
[15:48:25] Warning: No symbolic link target found for file '/usr/bin/GET' in the 'rkhunter.dat' file.
[15:48:26] /usr/bin/groups [ Warning ]
[15:48:26] Warning: The file properties have changed:
[15:48:26] /usr/bin/head [ Warning ]
[15:48:26] Warning: The file properties have changed:
[15:48:26] /usr/bin/id [ Warning ]
[15:48:26] Warning: The file properties have changed:
[15:48:27] /usr/bin/ldd [ Warning ]
[15:48:27] Warning: The file properties have changed:
[15:48:27] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again Shell script, ASCII text executable
[15:48:27] /usr/bin/less [ Warning ]
[15:48:27] Warning: No symbolic link target found for file '/usr/bin/less' in the 'rkhunter.dat' file.
[15:48:27] /usr/bin/locate [ Warning ]
[15:48:27] Warning: No symbolic link target found for file '/usr/bin/locate' in the 'rkhunter.dat' file.
[15:48:27] /usr/bin/logger [ Warning ]
[15:48:27] Warning: The file properties have changed:
[15:48:28] /usr/bin/mail [ Warning ]
[15:48:28] Warning: The file '/usr/bin/mail' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:28] /usr/bin/md5sum [ Warning ]
[15:48:28] Warning: The file properties have changed:
[15:48:29] /usr/bin/pkill [ Warning ]
[15:48:29] Warning: No symbolic link target found for file '/usr/bin/pkill' in the 'rkhunter.dat' file.
[15:48:29] /usr/bin/runcon [ Warning ]
[15:48:29] Warning: The file properties have changed:
[15:48:29] /usr/bin/sha1sum [ Warning ]
[15:48:29] Warning: The file properties have changed:
[15:48:30] /usr/bin/sha224sum [ Warning ]
[15:48:30] Warning: The file properties have changed:
[15:48:30] /usr/bin/sha256sum [ Warning ]
[15:48:30] Warning: The file properties have changed:
[15:48:30] /usr/bin/sha384sum [ Warning ]
[15:48:30] Warning: The file properties have changed:
[15:48:30] /usr/bin/sha512sum [ Warning ]
[15:48:30] Warning: The file properties have changed:
[15:48:31] /usr/bin/sort [ Warning ]
[15:48:31] Warning: The file properties have changed:
[15:48:31] /usr/bin/ssh [ Warning ]
[15:48:31] Warning: The file '/usr/bin/ssh' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:31] /usr/bin/stat [ Warning ]
[15:48:31] Warning: The file properties have changed:
[15:48:32] /usr/bin/tail [ Warning ]
[15:48:32] Warning: The file properties have changed:
[15:48:32] /usr/bin/telnet [ Warning ]
[15:48:32] Warning: The file '/usr/bin/telnet' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:32] /usr/bin/test [ Warning ]
[15:48:32] Warning: The file properties have changed:
[15:48:32] /usr/bin/touch [ Warning ]
[15:48:32] Warning: The file properties have changed:
[15:48:33] Warning: No symbolic link target found for file '/usr/bin/touch' in the 'rkhunter.dat' file.
[15:48:33] /usr/bin/tr [ Warning ]
[15:48:33] Warning: The file properties have changed:
[15:48:33] /usr/bin/uniq [ Warning ]
[15:48:33] Warning: The file properties have changed:
[15:48:33] /usr/bin/users [ Warning ]
[15:48:33] Warning: The file properties have changed:
[15:48:34] /usr/bin/w [ Warning ]
[15:48:34] Warning: No symbolic link target found for file '/usr/bin/w' in the 'rkhunter.dat' file.
[15:48:34] /usr/bin/wc [ Warning ]
[15:48:34] Warning: The file properties have changed:
[15:48:34] /usr/bin/wget [ Warning ]
[15:48:34] Warning: The file properties have changed:
[15:48:34] /usr/bin/whatis [ Warning ]
[15:48:34] Warning: The file properties have changed:
[15:48:34] /usr/bin/whereis [ Warning ]
[15:48:34] Warning: The file properties have changed:
[15:48:35] /usr/bin/which [ Warning ]
[15:48:35] Warning: No symbolic link target found for file '/usr/bin/which' in the 'rkhunter.dat' file.
[15:48:35] /usr/bin/who [ Warning ]
[15:48:35] Warning: The file properties have changed:
[15:48:35] /usr/bin/whoami [ Warning ]
[15:48:35] Warning: The file properties have changed:
[15:48:35] /usr/bin/gawk [ Warning ]
[15:48:35] Warning: The file '/usr/bin/gawk' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:35] /usr/bin/lwp-request [ Warning ]
[15:48:35] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script, ASCII text executable
[15:48:35] /usr/bin/bsd-mailx [ Warning ]
[15:48:35] Warning: The file '/usr/bin/bsd-mailx' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:35] /usr/bin/telnet.netkit [ Warning ]
[15:48:36] Warning: The file '/usr/bin/telnet.netkit' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:36] /sbin/depmod [ Warning ]
[15:48:36] Warning: No symbolic link target found for file '/sbin/depmod' in the 'rkhunter.dat' file.
[15:48:36] /sbin/fsck [ Warning ]
[15:48:36] Warning: The file properties have changed:
[15:48:36] /sbin/ifconfig [ Warning ]
[15:48:36] Warning: The file properties have changed:
[15:48:37] /sbin/ifdown [ Warning ]
[15:48:37] Warning: No symbolic link target found for file '/sbin/ifdown' in the 'rkhunter.dat' file.
[15:48:37] /sbin/insmod [ Warning ]
[15:48:37] Warning: No symbolic link target found for file '/sbin/insmod' in the 'rkhunter.dat' file.
[15:48:37] /sbin/ip [ Warning ]
[15:48:37] Warning: No symbolic link target found for file '/sbin/ip' in the 'rkhunter.dat' file.
[15:48:37] /sbin/lsmod [ Warning ]
[15:48:37] Warning: No symbolic link target found for file '/sbin/lsmod' in the 'rkhunter.dat' file.
[15:48:38] /sbin/modinfo [ Warning ]
[15:48:38] Warning: No symbolic link target found for file '/sbin/modinfo' in the 'rkhunter.dat' file.
[15:48:38] /sbin/modprobe [ Warning ]
[15:48:38] Warning: No symbolic link target found for file '/sbin/modprobe' in the 'rkhunter.dat' file.
[15:48:38] /sbin/rmmod [ Warning ]
[15:48:38] Warning: No symbolic link target found for file '/sbin/rmmod' in the 'rkhunter.dat' file.
[15:48:38] /sbin/route [ Warning ]
[15:48:38] Warning: The file properties have changed:
[15:48:39] /bin/bash [ Warning ]
[15:48:39] Warning: The file properties have changed:
[15:48:39] /bin/cat [ Warning ]
[15:48:39] Warning: The file properties have changed:
[15:48:40] /bin/chmod [ Warning ]
[15:48:40] Warning: The file properties have changed:
[15:48:40] /bin/chown [ Warning ]
[15:48:40] Warning: The file properties have changed:
[15:48:40] /bin/cp [ Warning ]
[15:48:40] Warning: The file properties have changed:
[15:48:40] /bin/date [ Warning ]
[15:48:40] Warning: The file properties have changed:
[15:48:41] /bin/df [ Warning ]
[15:48:41] Warning: The file properties have changed:
[15:48:41] /bin/dmesg [ Warning ]
[15:48:41] Warning: The file properties have changed:
[15:48:41] /bin/echo [ Warning ]
[15:48:41] Warning: The file properties have changed:
[15:48:43] /bin/ls [ Warning ]
[15:48:43] Warning: The file properties have changed:
[15:48:43] /bin/lsmod [ Warning ]
[15:48:43] Warning: No symbolic link target found for file '/bin/lsmod' in the 'rkhunter.dat' file.
[15:48:43] /bin/mktemp [ Warning ]
[15:48:43] Warning: The file properties have changed:
[15:48:43] /bin/more [ Warning ]
[15:48:43] Warning: The file properties have changed:
[15:48:43] /bin/mount [ Warning ]
[15:48:43] Warning: The file properties have changed:
[15:48:44] /bin/mv [ Warning ]
[15:48:44] Warning: The file properties have changed:
[15:48:44] /bin/netstat [ Warning ]
[15:48:44] Warning: The file properties have changed:
[15:48:44] /bin/pwd [ Warning ]
[15:48:44] Warning: The file properties have changed:
[15:48:45] /bin/readlink [ Warning ]
[15:48:45] Warning: The file properties have changed:
[15:48:45] /bin/sh [ Warning ]
[15:48:45] Warning: No symbolic link target found for file '/bin/sh' in the 'rkhunter.dat' file.
[15:48:45] /bin/touch [ Warning ]
[15:48:45] Warning: The file properties have changed:
[15:48:46] /bin/uname [ Warning ]
[15:48:46] Warning: The file properties have changed:
[15:48:46] /bin/which [ Warning ]
[15:48:46] Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX Shell script, ASCII text executable
[15:48:46] /etc/rkhunter.conf [ Warning ]
[15:48:46] Warning: The file '/etc/rkhunter.conf' exists on the system, but it is not present in the 'rkhunter.dat' file.
[16:08:55] Checking /dev for suspicious file types [ Warning ]
[16:08:55] Warning: Suspicious file types found in /dev:
[16:08:55] Checking for hidden files and directories [ Warning ]
[16:08:55] Warning: Hidden directory found: /etc/.Java: directory
[16:08:55] Warning: Hidden directory found: /dev/.udev: directory
[16:08:55] Warning: Hidden file found: /dev/.blkid.tab: ASCII text
[16:08:55] Warning: Hidden file found: /dev/.blkid.tab.old: ASCII text
[16:08:55] Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
I can see that some of these warnings are due to the rkhunter upgrade and to old configuration files still present in /etc, but I am not sure about the others. Do you still think things look normal? I sincerely appreciate the help.
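The rkhunter warnings quoted above fall into a handful of classes, and sorting them by class is the first step in reading such a log. The shell script below is an added example written for this page, not part of the original post or of rkhunter itself; the sample log it parses is constructed to match the format of the output above, and the category names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post or from rkhunter: group the
# "Warning:" lines of an rkhunter log by the kind of check that raised them,
# and list the paths whose properties changed, since those are the ones that
# need an independent integrity check. Category names are this example's own.

# Constructed sample log in the same format as the output quoted above.
make_sample_log() {
    cat >"$1" <<'EOF'
[15:48:20] /usr/local/bin/rkhunter [ Warning ]
[15:48:20] Warning: The file '/usr/local/bin/rkhunter' exists on the system, but it is not present in the 'rkhunter.dat' file.
[15:48:22] /usr/sbin/rsyslogd [ Warning ]
[15:48:22] Warning: The file properties have changed:
[15:48:27] /usr/bin/ldd [ Warning ]
[15:48:27] Warning: The file properties have changed:
[15:48:27] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again Shell script, ASCII text executable
[15:48:37] /sbin/ip [ Warning ]
[15:48:37] Warning: No symbolic link target found for file '/sbin/ip' in the 'rkhunter.dat' file.
[16:08:55] Warning: Hidden directory found: /dev/.udev: directory
EOF
}

# Print "<category> <count>" for each warning class found in log file $1.
classify_rkhunter_warnings() {
    grep 'Warning:' "$1" | awk '
        /file properties have changed/   { c["properties_changed"]++;     next }
        /not present in the/             { c["not_in_database"]++;        next }
        /does not exist on the system/   { c["missing_from_system"]++;    next }
        /replaced by a script/           { c["replaced_by_script"]++;     next }
        /No symbolic link target found/  { c["symlink_target_missing"]++; next }
        /Hidden (file|directory) found/  { c["hidden_path"]++;            next }
                                         { c["other"]++ }
        END { for (k in c) print k, c[k] }' | LC_ALL=C sort
}

# Print the paths from log file $1 whose "file properties have changed".
# Each such warning follows a "<time> <path> [ Warning ]" line, so remember
# the most recent path and emit it when the matching warning text appears.
paths_to_verify() {
    awk '
        / \[ Warning \]$/                            { path = $2; next }
        /file properties have changed/ && path != "" { print path; path = "" }
    ' "$1"
}

# Stand-alone demonstration on the constructed log.
demo() {
    log=$(mktemp)
    make_sample_log "$log"
    classify_rkhunter_warnings "$log"
    echo "paths to verify against package checksums:"
    paths_to_verify "$log"
    rm -f "$log"
}

demo
```

Reading the classes: "not present in the rkhunter.dat file" and "No symbolic link target found" are bookkeeping warnings that appear when the stored database is older than the installed files or than the rkhunter version that reads it; the database is refreshed with `rkhunter --propupd`, which only makes sense on a system you have reason to believe is clean. "Replaced by a script" is raised for any command that is a script rather than a binary, and the `file(1)` descriptions in the log above show ordinary Debian-style scripts (ldd, which, adduser, lwp-request); known cases are listed under `SCRIPTWHITELIST` in rkhunter.conf. "File properties have changed" on many binaries at once is what a package upgrade looks like, but it is also exactly what a replaced binary would look like, so those paths are the ones to compare against the distribution's recorded checksums (`dpkg -V` or `debsums` on Debian-based systems) from a trusted boot rather than from the running system.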
If you use expert tools, also read the expert manual. You have only warnings, no errors ...;-)
Furthermore, rootkits are the nastiest of malware and can hide even from rootkit hunters. Read the FAQ, because the proper way to do this is to boot from a live CD on a CD-R or DVD-R (write-once!), mount all your hard disks read-only, install the software on the RAM disk, and only then start the search.
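The answer's procedure (boot from write-once media, mount the disks read-only, then check) works best when there is a trusted baseline to compare the mounted tree against. The script below is an added example, not code from the answer or from rkhunter; it builds a SHA-256 manifest of a directory tree and later reports which files no longer match, which is rkhunter's file-properties check reduced to its essentials and made portable across mount points. The directory layout and file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the answer or from rkhunter: a minimal integrity
# baseline of the kind rkhunter keeps in rkhunter.dat, built with sha256sum so
# that it can be created and checked from a live CD with the suspect disk
# mounted read-only. The directory tree and file contents below are
# constructed for the demonstration.

# Record the SHA-256 of every regular file under directory $1 into manifest
# file $2. Paths are stored relative to $1, so the manifest can be checked
# against the same tree whatever mount point it appears under later.
# $2 must be an absolute path outside $1 so the manifest does not hash itself.
build_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}

# Check directory $1 against manifest $2 (absolute path) and print the relative
# paths that no longer match or are missing, one per line; prints nothing when
# everything matches.
verify_baseline() {
    ( cd "$1" && sha256sum --quiet -c "$2" 2>/dev/null ) | sed -n 's/: FAILED.*//p'
}

# Stand-alone demonstration: take a baseline while the tree is trusted, then
# simulate one binary being replaced and show that only it is reported.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/root/bin" "$work/root/sbin"
    printf 'original ls binary\n'   > "$work/root/bin/ls"
    printf 'original init binary\n' > "$work/root/sbin/init"
    build_baseline "$work/root" "$work/baseline.sha256"
    printf 'replaced init binary\n' > "$work/root/sbin/init"
    echo "files that differ from the baseline:"
    verify_baseline "$work/root" "$work/baseline.sha256"   # ./sbin/init
    rm -rf "$work"
}

demo
```

A baseline is only worth as much as the state of the system when it was taken, so build it from a fresh install or from package files fetched from the distribution mirror, never from the suspect disk itself. On Debian-based systems the distribution already ships such a baseline as the per-package md5sums files, so `dpkg --root=/mnt --verify` (assuming `/mnt` is where the read-only disk is mounted) or `debsums` can take the place of a home-made manifest.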