Linux security holes and Rootkit Hunter

Discussion in 'Linux -keskustelu' started by jsilvo, Feb 8, 2007.

  1. jsilvo

    Hi everyone

    I have now spent several sleepless nights with our workplace Linux server (Red Hat 9), because all sorts of trojans are turning up on it and they need to be cleaned out. Reinstalling is not an option because the server hosts customers' websites.
    I thought I would now ask those wiser than me what could be done about this? A hardware firewall, perhaps.

    Below is the Rootkit Hunter log file from the system scan and the holes it found.
    I would be very grateful if some kind of solution could be found; I would also get to sleep a little better at night.

    Regards: Janne Silvo

    ==========================================

    [22:16:37] Info: Shell /bin/bash
    [22:16:37] ------------------------ Configuration check --------------------------
    [22:16:37] Parsing configuration file (/usr/local/etc/rkhunter.conf)
    [22:16:37] Info: No mail-on-warning address configured
    [22:16:37] Info: Using /usr/local/rkhunter/lib/rkhunter/tmp as temporary directory
    [22:16:37] Info: Using /usr/local/rkhunter/lib/rkhunter/db as database directory
    [22:16:37] Info: Using '/usr/sbin /usr/bin /usr/local/bin /usr/local/sbin /bin /sbin /sw/bin /usr/local/libexec /usr/libexec' as binary directory
    [22:16:37] -------------------------- Application scan ---------------------------
    [22:16:37] Found /usr/sbin/lsof
    [22:16:37] Found /usr/sbin/prelink
    [22:16:37] Found /usr/bin/find
    [22:16:37] Found /usr/bin/lynx
    [22:16:37] Found /usr/bin/lsattr
    [22:16:37] Found /usr/bin/md5sum
    [22:16:37] Found /usr/bin/nmap
    [22:16:37] Found /usr/bin/stat
    [22:16:37] Found /usr/bin/strings
    [22:16:37] Found /usr/bin/wget
    [22:16:37] Found /usr/bin/readlink
    [22:16:37] Found /usr/bin/perl (version 5.8.0)
    [22:16:37] Found /bin/ls
    [22:16:37] Found /bin/ps
    [22:16:37] Found /sbin/ip
    [22:16:37] Found /sbin/ifconfig
    [22:16:37] Found /sbin/lsmod
    [22:16:37] Info: WGET found
    [22:16:37] Info: NMAP found
    [22:16:37] Info: LSOF found
    [22:16:37] Info: ip found
    [22:16:37] Application scan ended
    [22:16:37] ---------------------------- System checks ----------------------------
    [22:16:37] Info: kernel is 2.4
    [22:16:37] Info: Found /etc/redhat-release
    [22:16:37] Info: Full OS name = Red Hat Linux release 9 (Shrike)
    [22:16:37] Info: OS ID = 116
    [22:16:37] Info: Found MD5 command /usr/bin/md5sum
    [22:16:37] Info: Perl version 5.8.0 found
    [22:16:38] Info: Perl module Digest::MD5 installed (version 2.20).
    [22:16:38] Info: Perl module Digest::SHA1 installed (version 2.01).
    [22:16:38] Info: Using perl module Digest::MD5 to verify MD5 hashes
    [22:16:38] Info: using /usr/local/rkhunter/lib/rkhunter/tmp as temporary directory
    [22:16:38] Info: UID is zero (root)
    [22:16:38] ---------------------------- File checks -----------------------------
    [22:16:38] Checking /usr/local/rkhunter/lib/rkhunter/db/md5blacklist.dat... OK
    [22:16:38] Checking /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat... OK
    [22:16:38] Checking /usr/local/rkhunter/lib/rkhunter/db/programs_bad.dat... OK
    [22:16:38] Checking /usr/local/rkhunter/lib/rkhunter/db/programs_good.dat... OK
    [22:16:38] ------------------------------ Selftests ------------------------------
    [22:16:38] Strings selftest: scanning for string /usr/sbin/ntpsx... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.../ls... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.../netstat... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.../lsof... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.../bkit-ssh/bkit-shdcfg... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.../bkit-ssh/bkit-shhk... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.../bkit-ssh/bkit-pw... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.../bkit-ssh/bkit-shrs... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.../uconf.inv... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.../psr... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.../find... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.../pstree... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.../slocate... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.../du... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.../top... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/...... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.../bkit-ssh... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.bkit-... OK
    [22:16:38] Strings selftest: scanning for string /tmp/.bkp... OK
    [22:16:38] Strings selftest: scanning for string /tmp/.cinik... OK
    [22:16:38] Strings selftest: scanning for string /tmp/.font-unix/.cinik... OK
    [22:16:38] Strings selftest: scanning for string /lib/.sso... OK
    [22:16:38] Strings selftest: scanning for string /lib/.so... OK
    [22:16:38] Strings selftest: scanning for string /var/run/...dica/clean... OK
    [22:16:38] Strings selftest: scanning for string /var/run/...dica/xl... OK
    [22:16:38] Strings selftest: scanning for string /var/run/...dica/xdr... OK
    [22:16:38] Strings selftest: scanning for string /var/run/...dica/psg... OK
    [22:16:38] Strings selftest: scanning for string /var/run/...dica/secure... OK
    [22:16:38] Strings selftest: scanning for string /var/run/...dica/rdx... OK
    [22:16:38] Strings selftest: scanning for string /var/run/...dica/va... OK
    [22:16:38] Strings selftest: scanning for string /var/run/...dica/cl.sh... OK
    [22:16:38] Strings selftest: scanning for string /usr/bin/.etc... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.fx/sched_host.2... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.fx/random_d.2... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.fx/set_pid.2... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.fx/cons.saver... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.fx/adore/adore/adore.ko... OK
    [22:16:38] Strings selftest: scanning for string /bin/sysback... OK
    [22:16:38] Strings selftest: scanning for string /usr/local/bin/sysback... OK
    [22:16:38] Strings selftest: scanning for string /usr/lib/.tbd... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/t0rns... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/du... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/ls... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/t0rnsb... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/ps... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/t0rnp... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/find... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/ifconfig... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/pg... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/ssh.tgz... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/top... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/sz... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/login... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/in.fingerd... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/1i0n.sh... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/pstree... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/in.telnetd... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/mjy... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/sush... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/tfn... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/name... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/getip.sh... OK
    [22:16:39] Strings selftest: scanning for string /usr/info/.torn/sh*... OK
    [22:16:39] Strings selftest: scanning for string /usr/src/.puta/... OK
    [22:16:39] Strings selftest: scanning for string /usr/src/.puta/.1addr... OK
    [22:16:39] Strings selftest: scanning for string /usr/src/.puta/.1file... OK
    [22:16:39] Strings selftest: scanning for string /usr/src/.puta/.1proc... OK
    [22:16:39] Strings selftest: scanning for string /usr/src/.puta/.1logz... OK
    [22:16:39] Strings selftest: scanning for string /usr/info/.t0rn/... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/lib/dev/... OK
    [22:16:39] Strings selftest: scanning for string /dev/.lib/lib/scan/... OK
    [22:16:39] Strings selftest: scanning for string /usr/src/.puta/... OK
    [22:16:39] Strings selftest: scanning for string /usr/man/man1/man1/... OK
    [22:16:39] Strings selftest: scanning for string /usr/man/man1/man1/lib/... OK
    [22:16:39] Strings selftest: scanning for string /usr/man/man1/man1/lib/.lib/... OK
    [22:16:39] Strings selftest: scanning for string /usr/man/man1/man1/lib/.lib/.backup/... OK
    [22:16:39] ---------------------------- MD5 hash tests ---------------------------
    [22:16:39] Starting MD5 checksum test (/usr/local/rkhunter/lib/rkhunter/scripts/filehashmd5.pl)
    [22:16:40] /bin/cat hash valid, found in database
    [22:16:40] /bin/cat Hash NOT valid (My MD5: 6756949642336efe1fb32db1216932d0, expected: c52d73ca16432dfd64b37895877c79b1)
    [22:16:40] /bin/chmod Hash NOT valid (My MD5: a130256106e1a4bee275120cb623abcc, expected: 40bf7e8ba33aea01600279c12fe094e1)
    [22:16:40] /bin/chmod hash valid, found in database
    [22:16:40] /bin/chown Hash NOT valid (My MD5: c2257bbb9fd008a0e464d08e5fc5067f, expected: 00589e479ca8c00caf509e3e8d367fa5)
    [22:16:40] /bin/chown hash valid, found in database
    [22:16:41] /bin/dmesg hash valid, found in database
    [22:16:41] /bin/egrep hash valid, found in database
    [22:16:41] /bin/env hash valid, found in database
    [22:16:41] /bin/env Hash NOT valid (My MD5: b6d02320e7f1c3487f6975505dc14b1f, expected: c8d6c82b0dbc337fd2bc4df221c000a9)
    [22:16:41] /bin/fgrep hash valid, found in database
    [22:16:42] /bin/grep Hash NOT valid (My MD5: a0e8e279a22c75ffeacc1407ab4155c3, expected: 836d6c0c912495e7b9c0cb8afefd7b00)
    [22:16:42] /bin/grep hash valid, found in database
    [22:16:42] /bin/kill hash valid, found in database
    [22:16:42] /bin/login hash valid, found in database
    [22:16:42] /bin/ls Hash NOT valid (My MD5: 9e7165f965254830d0525fda3168fd7d, expected: 774cb14b70080573906bbd26df7a9c58)
    [22:16:42] /bin/ls Hash NOT valid (My MD5: 9e7165f965254830d0525fda3168fd7d, expected: dbc1a18b2e447e0e0f7c139b1cc79454)
    [22:16:42] Using whitelists to compare MD5 hash (searching for 9e7165f965254830d0525fda3168fd7d)
    [22:16:42] No whitelisted MD5 hash found for /bin/ls
    [22:16:42] MD5 hash for my file (/bin/ls) is 9e7165f965254830d0525fda3168fd7d, but is not in database
    [22:16:42] End of whitelist compare
    [22:16:42] Checking /bin/ls against hashes in database (774cb14b70080573906bbd26df7a9c58
    dbc1a18b2e447e0e0f7c139b1cc79454) failed
    [22:16:42] RPM info: your package 'coreutils-4.5.3-19'
    [22:16:42] RPM info: packages in database:
    [22:16:42] ---
    [22:16:42] 116:/bin/ls:9e7165f965254830d0525fda3168fd7d:-:-:coreutils-4.5.3-19
    [22:16:42] ---
    [22:16:43] /bin/mount hash valid, found in database
    [22:16:43] /bin/netstat Hash NOT valid (My MD5: c0e8b6ff00433730794eda274c56de3f, expected: 5bd8ff28ded16db282d1ccc31b0fc163)
    [22:16:43] Using whitelists to compare MD5 hash (searching for c0e8b6ff00433730794eda274c56de3f)
    [22:16:43] No whitelisted MD5 hash found for /bin/netstat
    [22:16:43] MD5 hash for my file (/bin/netstat) is c0e8b6ff00433730794eda274c56de3f, but is not in database
    [22:16:43] End of whitelist compare
    [22:16:43] Checking /bin/netstat against hashes in database (5bd8ff28ded16db282d1ccc31b0fc163) failed
    [22:16:43] RPM info: your package 'net-tools-1.60-12'
    [22:16:43] RPM info: packages in database:
    [22:16:43] ---
    [22:16:43] 116:/bin/netstat:c0e8b6ff00433730794eda274c56de3f:-:-:net-tools-1.60-12
    [22:16:43] ---
    [22:16:43] /bin/ps Hash NOT valid (My MD5: a71c756f78583895afe7e03336686f8b, expected: 8cc6f96d1bd21250b731eb0ac85214a7)
    [22:16:43] Using whitelists to compare MD5 hash (searching for a71c756f78583895afe7e03336686f8b)
    [22:16:43] No whitelisted MD5 hash found for /bin/ps
    [22:16:43] MD5 hash for my file (/bin/ps) is a71c756f78583895afe7e03336686f8b, but is not in database
    [22:16:43] End of whitelist compare
    [22:16:43] Checking /bin/ps against hashes in database (8cc6f96d1bd21250b731eb0ac85214a7) failed
    [22:16:43] RPM info: your package 'procps-2.0.11-6'
    [22:16:43] RPM info: packages in database:
    [22:16:43] ---
    [22:16:43] 116:/bin/ps:a71c756f78583895afe7e03336686f8b:-:-:procps-2.0.11-6
    [22:16:43] ---
    [22:16:43] /bin/su hash valid, found in database
    [22:16:44] /bin/su Hash NOT valid (My MD5: cd6ee4b7a38964be2f9a0f7f4c4a8301, expected: d4fa41311fdd3f7f24609127b1790b08)
    [22:16:44] /sbin/chkconfig hash valid, found in database
    [22:16:44] /sbin/depmod hash valid, found in database
    [22:16:44] /sbin/ifconfig hash valid, found in database
    [22:16:44] /sbin/init hash valid, found in database
    [22:16:45] /sbin/insmod hash valid, found in database
    [22:16:45] /sbin/modinfo hash valid, found in database
    [22:16:45] /sbin/runlevel hash valid, found in database
    [22:16:45] /sbin/sysctl hash valid, found in database
    [22:16:45] /sbin/syslogd hash valid, found in database
    [22:16:45] /sbin/syslogd Hash NOT valid (My MD5: 4f1c0a24761deb8fd95e467add18a97f, expected: e9fbb8e1b24e099d4f92842be45a529c)
    [22:16:46] /usr/bin/file hash valid, found in database
    [22:16:46] /usr/bin/find Hash NOT valid (My MD5: 98596eaad65b9f748fca2dcf48a9b3ef, expected: a888d4a141b95f2acb8a974b6f789aea)
    [22:16:46] Using whitelists to compare MD5 hash (searching for 98596eaad65b9f748fca2dcf48a9b3ef)
    [22:16:46] No whitelisted MD5 hash found for /usr/bin/find
    [22:16:46] MD5 hash for my file (/usr/bin/find) is 98596eaad65b9f748fca2dcf48a9b3ef, but is not in database
    [22:16:46] End of whitelist compare
    [22:16:46] Checking /usr/bin/find against hashes in database (a888d4a141b95f2acb8a974b6f789aea) failed
    [22:16:46] RPM info: your package 'findutils-4.1.7-9'
    [22:16:46] RPM info: packages in database:
    [22:16:46] ---
    [22:16:46] 116:/usr/bin/find:98596eaad65b9f748fca2dcf48a9b3ef:-:-:findutils-4.1.7-9
    [22:16:46] ---
    [22:16:46] /usr/bin/kill hash valid, found in database
    [22:16:46] /usr/bin/kill Hash NOT valid (My MD5: 36d36ded8c3c7f45baf6fda99d8db5c4, expected: 3f4bd90e796865d75a9711a3ae9ccd6d)
    [22:16:46] /usr/bin/killall hash valid, found in database
    [22:16:47] /usr/bin/lsattr hash valid, found in database
    [22:16:47] /usr/bin/pstree Hash NOT valid (My MD5: a1931a396d9a7ffbcd0c7612627073ba, expected: 090877d544ff6dcd1a728cf3de93ddf2)
    [22:16:47] Using whitelists to compare MD5 hash (searching for a1931a396d9a7ffbcd0c7612627073ba)
    [22:16:47] No whitelisted MD5 hash found for /usr/bin/pstree
    [22:16:47] MD5 hash for my file (/usr/bin/pstree) is a1931a396d9a7ffbcd0c7612627073ba, but is not in database
    [22:16:47] End of whitelist compare
    [22:16:47] Checking /usr/bin/pstree against hashes in database (090877d544ff6dcd1a728cf3de93ddf2) failed
    [22:16:47] RPM info: your package 'psmisc-21.2-4'
    [22:16:47] RPM info: packages in database:
    [22:16:47] ---
    [22:16:47] 116:/usr/bin/pstree:a1931a396d9a7ffbcd0c7612627073ba:-:-:psmisc-21.2-4
    [22:16:47] ---
    [22:16:47] /usr/bin/sha1sum hash valid, found in database
    [22:16:47] /usr/bin/sha1sum Hash NOT valid (My MD5: c4e073a633444153a689678377428603, expected: f3166bc9612c9cbbf602c5201e6389d7)
    [22:16:47] /usr/bin/stat hash valid, found in database
    [22:16:48] /usr/bin/stat Hash NOT valid (My MD5: 862c89c6e28ed7a0808e5ae86a54af90, expected: c515198b1d57e7658a629476a8674b38)
    [22:16:48] /usr/bin/users hash valid, found in database
    [22:16:48] /usr/bin/users Hash NOT valid (My MD5: 0c115819cf5c1dc4fbca835eaeebce35, expected: 263e1c3d0ec7d5d0cb4d90c0373726a2)
    [22:16:48] /usr/bin/w hash valid, found in database
    [22:16:48] /usr/bin/watch hash valid, found in database
    [22:16:48] /usr/bin/who hash valid, found in database
    [22:16:49] /usr/bin/who Hash NOT valid (My MD5: 0b650274f7512f888abbd17996fc22e0, expected: 4b4232362b4b3b4979eaf425160d9239)
    [22:16:49] /usr/bin/whoami Hash NOT valid (My MD5: ade297bf5065deeebdde8c38a5a1aef7, expected: 065d66b1a558e193c6fb678f78fc96d9)
    [22:16:49] /usr/bin/whoami hash valid, found in database
    [22:17:10] ------------------------------ Rootkits ------------------------------
    [22:17:10] *** Start scan 55808 Trojan - Variant A ***
    [22:17:10] - File /tmp/.../r... OK. Not found.
    [22:17:10] - File /tmp/.../a... OK. Not found.
    [22:17:10] Checking /etc/passwd for presence of ADM worm
    OK
    [22:17:10] *** Start scan AjaKit ***
    [22:17:10] - File /dev/tux/.addr... OK. Not found.
    [22:17:10] - File /dev/tux/.proc... OK. Not found.
    [22:17:10] - File /dev/tux/.file... OK. Not found.
    [22:17:10] - File /lib/.libgh-gh/cleaner... OK. Not found.
    [22:17:10] - File /lib/.libgh-gh/Patch/patch... OK. Not found.
    [22:17:10] - File /lib/.libgh-gh/sb0k... OK. Not found.
    [22:17:10] - Directory /dev/tux... OK. Not found.
    [22:17:10] - Directory /lib/.libgh-gh... OK. Not found.
    [22:17:10] *** Start scan aPa Kit ***
    [22:17:10] - File /usr/share/.aPa... OK. Not found.
    [22:17:10] *** Start scan Apache Worm ***
    [22:17:10] - File /bin/.log... OK. Not found.
    [22:17:10] *** Start scan Ambient (ark) Rootkit ***
    [22:17:10] - File /usr/lib/.ark?... OK. Not found.
    [22:17:10] - File /dev/ptyxx/.log... OK. Not found.
    [22:17:10] - File /dev/ptyxx/.file... OK. Not found.
    [22:17:11] - Directory /dev/ptyxx... OK. Not found.
    [22:17:11] *** Start scan Balaur Rootkit ***
    [22:17:11] - File /usr/lib/liblog.o... OK. Not found.
    [22:17:11] - Directory /usr/lib/.kinetic... OK. Not found.
    [22:17:11] - Directory /usr/lib/.egcs... OK. Not found.
    [22:17:11] - Directory /usr/lib/.wormie... OK. Not found.
    [22:17:11] *** Start scan BeastKit ***
    [22:17:11] - File /usr/sbin/arobia... OK. Not found.
    [22:17:11] - File /usr/sbin/idrun... OK. Not found.
    [22:17:11] - File /usr/lib/elm/arobia/elm... OK. Not found.
    [22:17:11] - File /usr/lib/elm/arobia/elm/hk... OK. Not found.
    [22:17:11] - File /usr/lib/elm/arobia/elm/hk.pub... OK. Not found.
    [22:17:11] - File /usr/lib/elm/arobia/elm/sc... OK. Not found.
    [22:17:11] - File /usr/lib/elm/arobia/elm/sd.pp... OK. Not found.
    [22:17:11] - File /usr/lib/elm/arobia/elm/sdco... OK. Not found.
    [22:17:11] - File /usr/lib/elm/arobia/elm/srsd... OK. Not found.
    [22:17:11] - Directory /lib/ldd.so/bktools... OK. Not found.
    [22:17:11] *** Start scan beX2 ***
    [22:17:11] - Directory //usr/include/bex... OK. Not found.
    [22:17:11] *** Start scan BOBKit ***
    [22:17:11] - File /usr/sbin/ntpsx... OK. Not found.
    [22:17:11] - File /usr/lib/.../ls... OK. Not found.
    [22:17:11] - File /usr/lib/.../netstat... OK. Not found.
    [22:17:11] - File /usr/lib/.../lsof... OK. Not found.
    [22:17:11] - File /usr/lib/.../bkit-ssh/bkit-shdcfg... OK. Not found.
    [22:17:11] - File /usr/lib/.../bkit-ssh/bkit-shhk... OK. Not found.
    [22:17:11] - File /usr/lib/.../bkit-ssh/bkit-pw... OK. Not found.
    [22:17:11] - File /usr/lib/.../bkit-ssh/bkit-shrs... OK. Not found.
    [22:17:11] - File /usr/lib/.../uconf.inv... OK. Not found.
    [22:17:11] - File /usr/lib/.../psr... OK. Not found.
    [22:17:11] - File /usr/lib/.../find... OK. Not found.
    [22:17:11] - File /usr/lib/.../pstree... OK. Not found.
    [22:17:11] - File /usr/lib/.../slocate... OK. Not found.
    [22:17:11] - File /usr/lib/.../du... OK. Not found.
    [22:17:11] - File /usr/lib/.../top... OK. Not found.
    [22:17:11] - Directory /usr/lib/...... OK. Not found.
    [22:17:11] - Directory /usr/lib/.../bkit-ssh... OK. Not found.
    [22:17:11] - Directory /usr/lib/.bkit-... OK. Not found.
    [22:17:11] - Directory /tmp/.bkp... OK. Not found.
    [22:17:11] *** Start scan CiNIK Worm (Slapper.B variant) ***
    [22:17:11] - File /tmp/.cinik... OK. Not found.
    [22:17:11] *** Start scan Danny-Boy's Abuse Kit ***
    [22:17:11] *** Start scan Devil RootKit ***
    [22:17:11] - File /var/lib/games/.src... OK. Not found.
    [22:17:11] - File /dev/dsx... OK. Not found.
    [22:17:11] - File /dev/caca... OK. Not found.
    [22:17:11] *** Start scan Dica ***
    [22:17:11] - File /lib/.sso... OK. Not found.
    [22:17:11] - File /lib/.so... OK. Not found.
    [22:17:11] - File /var/run/...dica/clean... OK. Not found.
    [22:17:12] - File /var/run/...dica/xl... OK. Not found.
    [22:17:12] - File /var/run/...dica/xdr... OK. Not found.
    [22:17:12] - File /var/run/...dica/psg... OK. Not found.
    [22:17:12] - File /var/run/...dica/secure... OK. Not found.
    [22:17:12] - File /var/run/...dica/rdx... OK. Not found.
    [22:17:12] - File /var/run/...dica/va... OK. Not found.
    [22:17:12] - File /var/run/...dica/cl.sh... OK. Not found.
    [22:17:12] - File /usr/bin/.etc... OK. Not found.
    [22:17:12] - Directory /var/run/...dica... OK. Not found.
    [22:17:12] - Directory /var/run/...dica/mh... OK. Not found.
    [22:17:12] - Directory /var/run/...dica/scan... OK. Not found.
    [22:17:12] *** Start scan Dreams Rootkit ***
    [22:17:12] - File /dev/ttyoa... WARNING! Exists.
    [22:17:12] - File /dev/ttyof... WARNING! Exists.
    [22:17:12] - File /dev/ttyop... WARNING! Exists.
    [22:17:12] - File /usr/bin/sense... WARNING! Exists.
    [22:17:12] - File /usr/bin/sl2... WARNING! Exists.
    [22:17:12] - File /usr/bin/logclear... WARNING! Exists.
    [22:17:12] - File /usr/bin/(swapd)... WARNING! Exists.
    [22:17:12] - File /usr/bin/snfs... OK. Not found.
    [22:17:12] - File /usr/lib/libsss... WARNING! Exists.
    [22:17:12] - Directory /dev/ida/.hpd... WARNING! Exists.
    [22:17:22] *** Start scan Duarawkz ***
    [22:17:22] - File /usr/bin/duarawkz/loginpass... OK. Not found.
    [22:17:22] - Directory /usr/bin/duarawkz... OK. Not found.
    [22:17:22] *** Start scan Flea Linux Rootkit ***
    [22:17:22] - File /etc/ld.so.hash... OK. Not found.
    [22:17:22] - File /lib/security/.config/ssh/ssh_host_key... OK. Not found.
    [22:17:22] - File /lib/security/.config/ssh/ssh_host_key.pub... OK. Not found.
    [22:17:22] - File /lib/security/.config/ssh/ssh_random_seed... OK. Not found.
    [22:17:22] - File /usr/bin/ssh2d... OK. Not found.
    [22:17:22] - File /usr/lib/ldlibns.so... OK. Not found.
    [22:17:22] - File /usr/lib/ldlibpst.so... OK. Not found.
    [22:17:22] - File /usr/lib/ldlibdu.so... OK. Not found.
    [22:17:22] - File /usr/lib/ldlibct.so... OK. Not found.
    [22:17:22] - Directory /lib/security/.config/ssh... OK. Not found.
    [22:17:22] - Directory /dev/..0... OK. Not found.
    [22:17:22] - Directory /dev/..0/backup... OK. Not found.
    [22:17:22] *** Start scan FreeBSD Rootkit ***
    [22:17:22] - File /usr/lib/.fx/sched_host.2... OK. Not found.
    [22:17:22] - File /usr/lib/.fx/random_d.2... OK. Not found.
    [22:17:22] - File /usr/lib/.fx/set_pid.2... OK. Not found.
    [22:17:22] - File /usr/lib/.fx/cons.saver... OK. Not found.
    [22:17:22] - File /usr/lib/.fx/adore/adore/adore.ko... OK. Not found.
    [22:17:22] - File /bin/sysback... OK. Not found.
    [22:17:22] - File /usr/local/bin/sysback... OK. Not found.
    [22:17:22] - Directory /usr/lib/.fx... OK. Not found.
    [22:17:22] - Directory /usr/lib/.fx/adore... OK. Not found.
    [22:17:22] *** Start scan fusk`it Rootkit ***
    [22:17:22] - File /dev/proc/fuckit/hax0r... OK. Not found.
    [22:17:22] - File /dev/proc/fuckit/hax0rshell... OK. Not found.
    [22:17:22] - File /dev/proc/fuckit/config/lports... OK. Not found.
    [22:17:22] - File /dev/proc/fuckit/config/rports... OK. Not found.
    [22:17:22] - File /dev/proc/fuckit/config/rkconf... OK. Not found.
    [22:17:22] - File /dev/proc/fuckit/config/password... OK. Not found.
    [22:17:22] - File /dev/proc/fuckit/config/progs... OK. Not found.
    [22:17:22] - File /dev/proc/system-bins/init... OK. Not found.
    [22:17:22] *** Start scan GasKit ***
    [22:17:22] - File /dev/dev/gaskit/sshd/sshdd... OK. Not found.
    [22:17:22] - Directory /dev/dev... OK. Not found.
    [22:17:22] - Directory /dev/dev/gaskit... OK. Not found.
    [22:17:22] - Directory /dev/dev/gaskit/sshd... OK. Not found.
    [22:17:22] *** Start scan Heroin LKM ***
    [22:17:22] ksyms file seems to be clean
    [22:17:23] *** Start scan HjC Kit ***
    [22:17:23] - Directory /dev/.hijackerz... OK. Not found.
    [22:17:23] *** Start scan ignoKit ***
    [22:17:23] - File /lib/defs/p... OK. Not found.
    [22:17:23] - File /lib/defs/q... OK. Not found.
    [22:17:23] - File /lib/defs/r... OK. Not found.
    [22:17:23] - File /lib/defs/s... OK. Not found.
    [22:17:23] - File /lib/defs/t... OK. Not found.
    [22:17:23] - File /usr/lib/defs/p... OK. Not found.
    [22:17:23] - File /usr/lib/defs/p... OK. Not found.
    [22:17:23] - File /usr/lib/defs/p... OK. Not found.
    [22:17:23] - File /usr/lib/defs/p... OK. Not found.
    [22:17:23] - File /usr/lib/defs/p... OK. Not found.
    [22:17:23] - File /usr/lib/.libigno/pkunsec... OK. Not found.
    [22:17:23] - File /usr/lib/.libigno/.igno/psybnc/psybnc... OK. Not found.
    [22:17:23] - Directory /usr/lib/.libigno... OK. Not found.
    [22:17:23] - Directory /usr/lib/.libigno/.igno/... OK. Not found.
    [22:17:23] *** Start scan ImperalsS-FBRK ***
    [22:17:23] - Directory /dev/fd/.88... OK. Not found.
    [22:17:23] - Directory /dev/fd/.99... OK. Not found.
    [22:17:23] *** Start scan Irix Rootkit ***
    [22:17:23] - Directory /dev/pts/01... OK. Not found.
    [22:17:23] - Directory /dev/pts/01/backup... OK. Not found.
    [22:17:23] - Directory /dev/pts/01/etc... OK. Not found.
    [22:17:23] - Directory /dev/pts/01/tmp... OK. Not found.
    [22:17:23] *** Start scan Kitko ***
    [22:17:23] - Directory /usr/src/redhat/SRPMS/...... OK. Not found.
    [22:17:23] *** Start scan Knark ***
    [22:17:23] - File /proc/knark/pids... OK. Not found.
    [22:17:23] - Directory /proc/knark... OK. Not found.
    [22:17:23] *** Start scan Li0n Worm ***
    [22:17:23] - File /bin/in.telnetd... OK. Not found.
    [22:17:23] - File /bin/mjy... OK. Not found.
    [22:17:23] - File /usr/man/man1/man1/lib/.lib/mjy... OK. Not found.
    [22:17:23] - File /usr/man/man1/man1/lib/.lib/in.telnetd... OK. Not found.
    [22:17:23] - File /usr/man/man1/man1/lib/.lib/.x... OK. Not found.
    [22:17:23] - File /dev/.lib/lib/scan/1i0n.sh... OK. Not found.
    [22:17:23] - File /dev/.lib/lib/scan/hack.sh... OK. Not found.
    [22:17:23] - File /dev/.lib/lib/scan/bind... OK. Not found.
    [22:17:23] - File /dev/.lib/lib/scan/randb... OK. Not found.
    [22:17:23] - File /dev/.lib/lib/scan/scan.sh... OK. Not found.
    [22:17:23] - File /dev/.lib/lib/scan/pscan... OK. Not found.
    [22:17:23] - File /dev/.lib/lib/scan/star.sh... OK. Not found.
    [22:17:23] - File /dev/.lib/lib/scan/bindx.sh... OK. Not found.
    [22:17:23] - File /dev/.lib/lib/scan/bindname.log... OK. Not found.
    [22:17:23] - File /dev/.lib/lib/1i0n.sh... OK. Not found.
    [22:17:23] - File /dev/.lib/lib/lib/netstat... OK. Not found.
    [22:17:23] - File /dev/.lib/lib/lib/dev/.1addr... OK. Not found.
    [22:17:23] - File /dev/.lib/lib/lib/dev/.1logz... OK. Not found.
    [22:17:23] - File /dev/.lib/lib/lib/dev/.1proc... OK. Not found.
    [22:17:23] - File /dev/.lib/lib/lib/dev/.1file... OK. Not found.
    [22:17:23] *** Start scan Lockit / LJK2 ***
    [22:17:23] - File /usr/lib/libmen.oo/.LJK2/ssh_config... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/ssh_host_key... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/ssh_host_key.pub... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/ssh_random_seed*... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/sshd_config... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/backdoor/RK1bd... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/backup/du... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/backup/ifconfig... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/backup/inetd.conf... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/backup/locate... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/backup/login... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/backup/ls... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/backup/netstat... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/backup/ps... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/backup/pstree... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/backup/rc.sysinit... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/backup/syslogd... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/backup/tcpd... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/backup/top... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/clean/RK1sauber... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/clean/RK1wted... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/hack/RK1parser... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/hack/RK1sniff... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/hide/.RK1addr... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/hide/.RK1dir... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/hide/.RK1log... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/hide/.RK1proc... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/hide/RK1phidemod.c... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/modules/README.modules... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/modules/RK1hidem.c... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/modules/RK1phide... OK. Not found.
    [22:17:24] - File /usr/lib/libmen.oo/.LJK2/sshconfig/RK1ssh... OK. Not found.
    [22:17:24] - Directory /usr/lib/libmen.oo/.LJK2... OK. Not found.
    [22:17:24] *** Start scan MRK ***
    [22:17:24] - File /dev/ida/.inet/pid... OK. Not found.
    [22:17:24] - File /dev/ida/.inet/ssh_host_key... OK. Not found.
    [22:17:24] - File /dev/ida/.inet/ssh_random_seed... OK. Not found.
    [22:17:24] - File /dev/ida/.inet/tcp.log... OK. Not found.
    [22:17:24] - Directory /dev/ida/.inet... OK. Not found.
    [22:17:24] - Directory /var/spool/cron/.sh... OK. Not found.
    [22:17:24] *** Start scan Ni0 Rootkit ***
    [22:17:24] - File /var/lock/subsys/...datafile.../...net...... OK. Not found.
    [22:17:24] - File /var/lock/subsys/...datafile.../...port...... OK. Not found.
    [22:17:24] - File /var/lock/subsys/...datafile.../...ps...... OK. Not found.
    [22:17:24] - File /var/lock/subsys/...datafile.../...file...... OK. Not found.
    [22:17:24] - Directory /tmp/waza... OK. Not found.
    [22:17:24] - Directory /var/lock/subsys/...datafile...... OK. Not found.
    [22:17:24] - Directory /usr/sbin/es... OK. Not found.
    [22:17:24] *** Start scan RootKit for SunOS / NSDAP ***
    [22:17:24] - File /usr/lib/vold/nsdap/.kit... OK. Not found.
    [22:17:24] - File /usr/lib/vold/nsdap/defines... OK. Not found.
    [22:17:24] - File /usr/lib/vold/nsdap/patcher... OK. Not found.
    [22:17:24] - File /usr/lib/vold/nsdap/pg... OK. Not found.
    [22:17:24] - File /usr/lib/vold/nsdap/cleaner... OK. Not found.
    [22:17:24] - File /usr/lib/vold/nsdap/utime... OK. Not found.
    [22:17:24] - File /usr/lib/vold/nsdap/crypt... OK. Not found.
    [22:17:24] - File /usr/lib/vold/nsdap/findkit... OK. Not found.
    [22:17:24] - File /usr/lib/vold/nsdap/sn2... OK. Not found.
    [22:17:24] - File /usr/lib/vold/nsdap/sniffload... OK. Not found.
    [22:17:24] - File /usr/lib/vold/nsdap/runsniff... OK. Not found.
    [22:17:24] - File /usr/lib/lpset... OK. Not found.
    [22:17:24] - Directory /usr/lib/vold/nsdap... OK. Not found.
    [22:17:24] *** Start scan Optic Kit (Tux) ***
    [22:17:24] - Directory /dev/tux... OK. Not found.
    [22:17:24] - Directory /usr/bin/xchk... OK. Not found.
    [22:17:25] - Directory /usr/bin/xsf... OK. Not found.
    [22:17:25] - Directory /usr/bin/ssh2d... OK. Not found.
    [22:17:25] *** Start scan Oz Rootkit ***
    [22:17:25] - File /dev/.oz/.nap/rkit/terror... OK. Not found.
    [22:17:25] - Directory /dev/.oz... OK. Not found.
    [22:17:25] *** Start scan Portacelo ***
    [22:17:25] - File /var/lib/.../.ak... OK. Not found.
    [22:17:25] - File /var/lib/.../.hk... OK. Not found.
    [22:17:25] - File /var/lib/.../.rs... OK. Not found.
    [22:17:25] - File /var/lib/.../.p... OK. Not found.
    [22:17:25] - File /var/lib/.../getty... OK. Not found.
    [22:17:25] - File /var/lib/.../lkt.o... OK. Not found.
    [22:17:25] - File /var/lib/.../show... OK. Not found.
    [22:17:25] - File /var/lib/.../nlkt.o... OK. Not found.
    [22:17:25] - File /var/lib/.../ssshrc... OK. Not found.
    [22:17:25] - File /var/lib/.../sssh_equiv... OK. Not found.
    [22:17:25] - File /var/lib/.../sssh_known_hosts... OK. Not found.
    [22:17:25] - File /var/lib/.../sssh_pid... OK. Not found.
    [22:17:25] - File ~/.sssh/known_hosts... OK. Not found.
    [22:17:25] *** Start scan R3dstorm Toolkit ***
    [22:17:25] - File /var/log/tk02/see_all... OK. Not found.
    [22:17:25] - File /bin/.../sshd/sbin/sshd1... OK. Not found.
    [22:17:25] - File /bin/.../hate/sk... OK. Not found.
    [22:17:25] - File /bin/.../see_all... OK. Not found.
    [22:17:25] - Directory /var/log/tk02... OK. Not found.
    [22:17:25] - Directory /var/log/tk02/old... OK. Not found.
    [22:17:25] - Directory /bin/...... OK. Not found.
    [22:17:25] *** Start scan RH-Sharpe's rootkit ***
    [22:17:25] - File /bin/lps... OK. Not found.
    [22:17:25] - File /usr/bin/lpstree... OK. Not found.
    [22:17:25] - File /usr/bin/ltop... OK. Not found.
    [22:17:25] - File /usr/bin/lkillall... OK. Not found.
    [22:17:25] - File /usr/bin/ldu... OK. Not found.
    [22:17:25] - File /usr/bin/lnetstat... OK. Not found.
    [22:17:25] - File /usr/bin/wp... OK. Not found.
    [22:17:25] - File /usr/bin/shad... OK. Not found.
    [22:17:25] - File /usr/bin/vadim... OK. Not found.
    [22:17:25] - File /usr/bin/slice... OK. Not found.
    [22:17:25] - File /usr/bin/cleaner... OK. Not found.
    [22:17:25] - File /usr/include/rpcsvc/du... OK. Not found.
    [22:17:25] *** Start scan RSHA's rootkit ***
    [22:17:25] - File /bin/kr4p... OK. Not found.
    [22:17:25] - File /usr/bin/n3tstat... OK. Not found.
    [22:17:25] - File /usr/bin/chsh2... OK. Not found.
    [22:17:25] - File /usr/bin/slice2... OK. Not found.
    [22:17:25] - File /usr/src/linux/arch/alpha/lib/.lib/.1proc... OK. Not found.
    [22:17:25] - File /etc/rc.d/arch/alpha/lib/.lib/.1addr... OK. Not found.
    [22:17:25] - Directory /etc/rc.d/rsha... OK. Not found.
    [22:17:25] - Directory /etc/rc.d/arch/alpha/lib/.lib... OK. Not found.
    [22:17:25] Debug: Sebek LKM
    [22:17:25] *** Start scan Scalper Worm ***
    [22:17:26] - File /tmp/.a... OK. Not found.
    [22:17:26] - File /tmp/.uua... OK. Not found.
    [22:17:26] *** Start scan Shutdown ***
    [22:17:26] - File /usr/man/man5/.. /.dir/scannah/asus... OK. Not found.
    [22:17:26] - File /usr/man/man5/.. /.dir/see... OK. Not found.
    [22:17:26] - File /usr/man/man5/.. /.dir/nscd... OK. Not found.
    [22:17:26] - File /usr/man/man5/.. /.dir/alpd... OK. Not found.
    [22:17:26] - File /etc/rc.d/rc.local ... OK. Not found.
    [22:17:26] - Directory /usr/man/man5/.. /.dir/... OK. Not found.
    [22:17:26] - Directory /usr/man/man5/.. /.dir/scannah... OK. Not found.
    [22:17:26] - Directory /etc/rc.d/rc0.d/.. /.dir... OK. Not found.
    [22:17:26] *** Start scan SHV4 ***
    [22:17:26] - File /etc/ld.so.hash... OK. Not found.
    [22:17:26] - File /lib/libext-2.so.7... OK. Not found.
    [22:17:26] - File /lib/lidps1.so... WARNING! Exists.
    [22:17:26] - File /usr/sbin/xntps... OK. Not found.
    [22:17:26] - Directory /lib/security/.config... OK. Not found.
    [22:17:26] - Directory /lib/security/.config/ssh... OK. Not found.
    [22:17:29] *** Start scan SHV5 ***
    [22:17:29] - File /etc/sh.conf... WARNING! Exists.
    [22:17:29] - File /dev/srd0... WARNING! Exists.
    [22:17:29] - Directory /usr/lib/libsh... WARNING! Exists.
    [22:17:30] *** Start scan Sin Rootkit ***
    [22:17:30] - File /dev/.haos/haos1/.f/Denyed... OK. Not found.
    [22:17:30] - File /dev/ttyoa... WARNING! Exists.
    [22:17:30] - File /dev/ttyof... WARNING! Exists.
    [22:17:30] - File /dev/ttyop... WARNING! Exists.
    [22:17:30] - File /dev/ttyos... OK. Not found.
    [22:17:30] - File /usr/lib/.lib... OK. Not found.
    [22:17:30] - File /usr/lib/sn/.X... OK. Not found.
    [22:17:30] - File /usr/lib/sn/.sys... OK. Not found.
    [22:17:30] - File /usr/lib/ld/.X... OK. Not found.
    [22:17:30] - File /usr/man/man1/...... OK. Not found.
    [22:17:30] - File /usr/man/man1/.../.m... OK. Not found.
    [22:17:30] - File /usr/man/man1/.../.w... OK. Not found.
    [22:17:30] - Directory /usr/lib/sn... OK. Not found.
    [22:17:30] - Directory /usr/lib/man1/...... OK. Not found.
    [22:17:30] - Directory /dev/.haos... OK. Not found.
    [22:17:31] *** Start scan Slapper ***
    [22:17:31] - File /tmp/.bugtraq... OK. Not found.
    [22:17:31] - File /tmp/.uubugtraq... OK. Not found.
    [22:17:31] - File /tmp/.bugtraq.c... OK. Not found.
    [22:17:31] - File /tmp/httpd... OK. Not found.
    [22:17:31] - File /tmp/.unlock... OK. Not found.
    [22:17:31] - File /tmp/update... OK. Not found.
    [22:17:31] - File /tmp/.cinik... OK. Not found.
    [22:17:31] - File /tmp/.b... OK. Not found.
    [22:17:31] *** Start scan Sneakin Rootkit ***
    [22:17:31] - Directory /tmp/.X11-unix/.../rk... OK. Not found.
    [22:17:31] *** Start scan Suckit Rootkit ***
    [22:17:31] - File /sbin/initsk12... OK. Not found.
    [22:17:31] - File /sbin/initxrk... OK. Not found.
    [22:17:31] - File /usr/bin/null... OK. Not found.
    [22:17:31] - File /usr/share/locale/sk/.sk12/sk... OK. Not found.
    [22:17:31] - File /etc/rc.d/rc0.d/S23kmdac... OK. Not found.
    [22:17:31] - File /etc/rc.d/rc1.d/S23kmdac... OK. Not found.
    [22:17:31] - File /etc/rc.d/rc2.d/S23kmdac... OK. Not found.
    [22:17:31] - File /etc/rc.d/rc3.d/S23kmdac... OK. Not found.
    [22:17:31] - File /etc/rc.d/rc4.d/S23kmdac... OK. Not found.
    [22:17:31] - File /etc/rc.d/rc5.d/S23kmdac... OK. Not found.
    [22:17:31] - File /etc/rc.d/rc6.d/S23kmdac... OK. Not found.
    [22:17:31] - Directory /dev/sdhu0/tehdrakg... OK. Not found.
    [22:17:31] - Directory /etc/.MG... OK. Not found.
    [22:17:31] - Directory /usr/share/locale/sk/.sk12... OK. Not found.
    [22:17:31] - Directory /usr/lib/perl5/site_perl/i386-linux/auto/TimeDate/.packlist... OK. Not found.
    [22:17:32] *** Start scan SunOS Rootkit ***
    [22:17:32] - File /etc/ld.so.hash... OK. Not found.
    [22:17:32] - File /lib/libext-2.so.7... OK. Not found.
    [22:17:32] - File /usr/bin/ssh2d... OK. Not found.
    [22:17:32] - File /bin/xlogin... OK. Not found.
    [22:17:32] - File /usr/lib/crth.o... OK. Not found.
    [22:17:32] - File /usr/lib/crtz.o... OK. Not found.
    [22:17:32] - File /sbin/login... OK. Not found.
    [22:17:32] - File /lib/security/.config/sn... OK. Not found.
    [22:17:32] - File /lib/security/.config/lpsched... OK. Not found.
    [22:17:32] - File /dev/kmod... OK. Not found.
    [22:17:32] - File /dev/dos... OK. Not found.
    [22:17:32] *** Start scan Superkit ***
    [22:17:32] - File /usr/man/.sman/sk... OK. Not found.
    [22:17:32] *** Start scan TBD (Telnet BackDoor) ***
    [22:17:32] - File /usr/lib/.tbd... OK. Not found.
    [22:17:32] *** Start scan TeLeKiT ***
    [22:17:32] - File /usr/man/man3/.../TeLeKiT/bin/sniff... OK. Not found.
    [22:17:32] - File /usr/man/man3/.../TeLeKiT/bin/telnetd... OK. Not found.
    [22:17:32] - File /usr/man/man3/.../TeLeKiT/bin/teleulo... OK. Not found.
    [22:17:32] - File /usr/man/man3/.../cl... OK. Not found.
    [22:17:32] - File /dev/ptyr... OK. Not found.
    [22:17:32] - File /dev/ptyp... OK. Not found.
    [22:17:32] - File /dev/ptyq... OK. Not found.
    [22:17:32] - File /dev/hda06... OK. Not found.
    [22:17:32] - File /usr/info/libc1.so... OK. Not found.
    [22:17:32] - Directory /usr/man/man3/...... OK. Not found.
    [22:17:32] - Directory /usr/man/man3/.../lsniff... OK. Not found.
    [22:17:32] - Directory /usr/man/man3/.../TeLeKiT... OK. Not found.
    [22:17:32] *** Start scan T0rn Rootkit ***
    [22:17:32] - File /dev/.lib/lib/lib/t0rns... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/du... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/ls... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/t0rnsb... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/ps... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/t0rnp... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/find... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/ifconfig... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/pg... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/ssh.tgz... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/top... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/sz... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/login... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/in.fingerd... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/1i0n.sh... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/pstree... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/in.telnetd... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/mjy... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/sush... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/tfn... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/name... OK. Not found.
    [22:17:32] - File /dev/.lib/lib/lib/getip.sh... OK. Not found.
    [22:17:32] - File /usr/info/.torn/sh*... OK. Not found.
    [22:17:32] - File /usr/src/.puta/... OK. Not found.
    [22:17:32] - File /usr/src/.puta/.1addr... OK. Not found.
    [22:17:32] - File /usr/src/.puta/.1file... OK. Not found.
    [22:17:32] - File /usr/src/.puta/.1proc... OK. Not found.
    [22:17:32] - File /usr/src/.puta/.1logz... OK. Not found.
    [22:17:32] - File /usr/info/.t0rn/... OK. Not found.
    [22:17:32] - Directory /dev/.lib/... OK. Not found.
    [22:17:33] - Directory /dev/.lib/lib/... OK. Not found.
    [22:17:33] - Directory /dev/.lib/lib/lib/... OK. Not found.
    [22:17:33] - Directory /dev/.lib/lib/lib/dev/... OK. Not found.
    [22:17:33] - Directory /dev/.lib/lib/scan/... OK. Not found.
    [22:17:33] - Directory /usr/src/.puta/... OK. Not found.
    [22:17:33] - Directory /usr/man/man1/man1/... OK. Not found.
    [22:17:33] - Directory /usr/man/man1/man1/lib/... OK. Not found.
    [22:17:33] - Directory /usr/man/man1/man1/lib/.lib/... OK. Not found.
    [22:17:33] - Directory /usr/man/man1/man1/lib/.lib/.backup/... OK. Not found.
    [22:17:33] *** Start scan Trojanit Kit ***
    [22:17:33] - File /bin/.ls... OK. Not found.
    [22:17:33] - File /bin/.ps... OK. Not found.
    [22:17:33] - File /bin/.netstat... OK. Not found.
    [22:17:33] - File /usr/bin/.nop... OK. Not found.
    [22:17:33] - File /usr/bin/.who... OK. Not found.
    [22:17:33] *** Start scan Tuxtendo ***
    [22:17:33] - File /dev/tux/.addr... OK. Not found.
    [22:17:33] - File /dev/tux/.cron... OK. Not found.
    [22:17:33] - File /dev/tux/.file... OK. Not found.
    [22:17:33] - File /dev/tux/.log... OK. Not found.
    [22:17:33] - File /dev/tux/.proc... OK. Not found.
    [22:17:33] - File /dev/tux/backup/crontab... OK. Not found.
    [22:17:33] - File /dev/tux/backup/df... OK. Not found.
    [22:17:33] - File /dev/tux/backup/dir... OK. Not found.
    [22:17:33] - File /dev/tux/backup/find... OK. Not found.
    [22:17:33] - File /dev/tux/backup/ifconfig... OK. Not found.
    [22:17:33] - File /dev/tux/backup/locate... OK. Not found.
    [22:17:33] - File /dev/tux/backup/netstat... OK. Not found.
    [22:17:33] - File /dev/tux/backup/ps... OK. Not found.
    [22:17:33] - File /dev/tux/backup/pstree... OK. Not found.
    [22:17:33] - File /dev/tux/backup/syslogd... OK. Not found.
    [22:17:33] - File /dev/tux/backup/tcpd... OK. Not found.
    [22:17:33] - File /dev/tux/backup/top... OK. Not found.
    [22:17:33] - File /dev/tux/backup/updatedb... OK. Not found.
    [22:17:33] - File /dev/tux/backup/vdir... OK. Not found.
    [22:17:33] - Directory /dev/tux... OK. Not found.
    [22:17:33] - Directory /dev/tux/ssh2... OK. Not found.
    [22:17:33] - Directory /dev/tux/backup... OK. Not found.
    [22:17:33] *** Start scan URK ***
    [22:17:33] - File /usr/man/man1/xxxxxxbin/find... OK. Not found.
    [22:17:33] - File /usr/man/man1/xxxxxxbin/du... OK. Not found.
    [22:17:33] - File /usr/man/man1/xxxxxxbin/ps... OK. Not found.
    [22:17:33] - File /tmp/conf.inf... OK. Not found.
    [22:17:33] - Directory /usr/man/man1/xxxxxxbin... OK. Not found.
    [22:17:33] *** Start scan VcKit ***
    [22:17:33] - Directory /usr/include/linux/modules/lib.so... OK. Not found.
    [22:17:33] - Directory /usr/include/linux/modules/lib.so/bin... OK. Not found.
    [22:17:33] *** Start scan Volc Rootkit ***
    [22:17:33] - Directory /var/spool/.recent... OK. Not found.
    [22:17:33] - Directory /var/spool/.recent/.files... OK. Not found.
    [22:17:33] - Directory /usr/lib/volc... OK. Not found.
    [22:17:33] - Directory /usr/lib/volc/backup... OK. Not found.
    [22:17:33] *** Start scan X-Org SunOS Rootkit ***
    [22:17:33] - File /usr/lib/libX.a/bin/tmpfl... OK. Not found.
    [22:17:33] - File /usr/lib/libX.a/bin/rps... OK. Not found.
    [22:17:33] - File /usr/bin/srload... OK. Not found.
    [22:17:33] - File /usr/lib/libX.a/bin/sparcv7/rps... OK. Not found.
    [22:17:33] - File /usr/sbin/modcheck... OK. Not found.
    [22:17:33] - Directory /usr/lib/libX.a... OK. Not found.
    [22:17:34] - Directory /usr/lib/libX.a/bin... OK. Not found.
    [22:17:34] - Directory /usr/lib/libX.a/bin/sparcv7... OK. Not found.
    [22:17:34] - Directory /usr/share/man...... OK. Not found.
    [22:17:34] *** Start scan zaRwT.KiT Rootkit ***
    [22:17:34] - File /dev/rd/s/sendmeil... OK. Not found.
    [22:17:34] - File /dev/ttyf... OK. Not found.
    [22:17:34] - File /dev/ttyp... OK. Not found.
    [22:17:34] - File /dev/ttyn... OK. Not found.
    [22:17:34] - File /rk/tulz... OK. Not found.
    [22:17:34] - Directory /rk... OK. Not found.
    [22:17:34] - Directory /dev/rd/s... OK. Not found.
    [22:17:34] ------------------------------ Malware ------------------------------
    [22:17:34] Start scan for common used known (and unknown) rootkit files...
    [22:17:34] [Start string tests]
    [22:17:34] /sbin/init clean (string: /dev/proc/fuckit)
    [22:17:34] /sbin/init clean (string: fusk)
    [22:17:34] /sbin/init clean (string: backdoor)
    [22:17:34] /bin/login clean (string: vt200)
    [22:17:34] /bin/login clean (string: /usr/bin/xstat)
    [22:17:34] /bin/login clean (string: /bin/envpc)
    [22:17:34] /bin/login clean (string: l4m3r0x)
    [22:17:34] /bin/login clean (string: /usr/lib/.tbd)
    [22:17:34] /bin/ls clean (string: /dev/ptyxx/.file)
    [22:17:34] /bin/ls clean (string: /dev/sgk)
    [22:17:34] /bin/ls clean (string: /var/lock/subsys/...datafile...)
    [22:17:34] /bin/ls clean (string: /usr/lib/.tbd)
    [22:17:34] /bin/netstat clean (string: /dev/proc/fuckit)
    [22:17:34] /bin/netstat clean (string: /lib/.sso)
    [22:17:35] /bin/netstat clean (string: /var/lock/subsys/...datafile...)
    [22:17:35] /bin/netstat clean (string: /dev/caca)
    [22:17:35] Warning: /bin/netstat NOT clean (string: /dev/ttyoa)
    [22:17:35] /bin/netstat clean (string: syg)
    [22:17:35] /usr/sbin/nscd clean (string: sshd_config)
    [22:17:35] /bin/ps clean (string: /dev/pts/01)
    [22:17:35] /bin/ps clean (string: tw33dl3)
    [22:17:35] /bin/ps clean (string: psniff)
    [22:17:35] /bin/ps clean (string: /var/lock/subsys/...datafile...)
    [22:17:35] /usr/sbin/rpc.nfsd clean (string: cant open log)
    [22:17:35] /usr/sbin/rpc.nfsd clean (string: sniff.pid)
    [22:17:35] /usr/sbin/rpc.nfsd clean (string: tcp.log)
    [22:17:35] /usr/sbin/sshd clean (string: /dev/ptyxx)
    [22:17:35] /sbin/syslogd clean (string: promiscuous)
    [22:17:35] /sbin/syslogd clean (string: /usr/lib/.tbd)
    [22:17:35] /usr/sbin/tcpd clean (string: /dev/xdta)
    [22:17:35] /usr/bin/top clean (string: /usr/lib/.tbd)
    [22:17:36] Warning: Found unexpected strings in some files!
    [22:17:36] [End string tests]
    [22:17:36] Scanning for presence of /dev/sdr0 (file)... OK (not found)
    [22:17:36] Scanning for presence of /tmp/.syshackfile (file)... OK (not found)
    [22:17:36] Scanning for presence of /tmp/.bash_history (file)... OK (not found)
    [22:17:36] Scanning for presence of /usr/info/.clib (file)... OK (not found)
    [22:17:36] Scanning for presence of /usr/sbin/tcp.log (file)... OK (not found)
    [22:17:36] Scanning for presence of /usr/bin/take/pid (file)... OK (not found)
    [22:17:36] Scanning for presence of /sbin/create (file)... OK (not found)
    [22:17:36] Scanning for presence of /dev/ttypz (file)... OK (not found)
    [22:17:36] Scanning for presence of /usr/bin/take (dir)... OK (not found)
    [22:17:36] Scanning for presence of /usr/src/.lib (dir)... OK (not found)
    [22:17:36] Scanning for presence of /usr/share/man/man1/.1c (dir)... OK (not found)
    [22:17:36] Scanning for presence of /lib/lblip.tk (dir)... OK (not found)
    [22:17:36] Scanning for presence of /usr/sbin/... (dir)... OK (not found)
    [22:17:36] Scanning for presence of /usr/share/.gun (dir)... OK (not found)
    [22:17:36] -------------------------- Open files tests ---------------------------
    [22:17:36] Scanning running processes... OK
    [22:17:38] Scanned for 'backdoor|adore.so|mod_rootme.so|phide_mod.o|lbk.ko|vlogger.o|cleaner.o|mod_klgr.o|hydra|hydra.restore'
    [22:17:38] ----------------------- Login backdoors check -------------------------
    [22:17:38] Checking /usr/X11R6/bin/.,/copy/... [ OK ] Not found
    [22:17:38] Checking /dev/rd... [ OK ] Not found
    [22:17:38] Scanning for software related files and intrusions...
    [22:17:38] Checking /usr/lib/libice.log... [ WARNING! ] Possible sniffer log found.
    [22:17:43] Operating system is Linux and /etc/xinetd.conf found. Starting xinetd configuration scan...
    [22:17:43] Info: Service /etc/xinetd.d/sgi_fam enabled
    [22:17:44] xinetd.conf seems to be clean
    [22:17:44] End of xinetd configuration scan
    [22:17:44] Checking /usr/bin/netstat... Not found
    [22:17:44] Checking /bin/ps... [ OK ]
    [22:17:44] Checking /bin/ls... [ OK ]
    [22:17:44] Checking /usr/bin/w... [ OK ]
    [22:17:44] Checking /usr/bin/who... [ OK ]
    [22:17:44] Checking /bin/netstat... [ OK ]
    [22:17:44] Checking /usr/bin/netstat... Not found
    [22:17:45] Checking /bin/login... [ OK ]
    [22:17:45] --------------------------- File attributes ---------------------------
    [22:17:45] Checking /usr/sbin file attributes
    [22:17:48] Checking /usr/bin file attributes
    [22:18:07] Checking /usr/local/bin file attributes
    [22:18:07] Checking /usr/local/sbin file attributes
    [22:18:07] Checking /bin file attributes
    [22:18:08] Checking /sbin file attributes
    [22:18:10] Checking /sw/bin file attributes
    [22:18:10] Checking /usr/local/libexec file attributes
    [22:18:10] Checking /usr/libexec file attributes
    [22:18:10] ----------------------------- LKM modules -----------------------------
    [22:18:58] ------------------------------- Backdoors -----------------------------
    [22:18:59] Checking network interfaces (promiscuous mode)... [ OK ]
    [22:18:59] Performed successful test with `ip`
    [22:24:57] ---------------------------- System checks ----------------------------
    [22:24:58] Checking for passwordless user accounts...
    [22:25:55] ---------------------------- History files ----------------------------
    [22:26:06] Start scanning for hidden files in /dev...
    [22:26:06] Value of hiddendirs:
    [22:26:06] End of scanning /dev
    [22:26:06] Start scanning for hidden files in /bin...
    [22:26:06] Value of hiddendirs:
    [22:26:06] End of scanning /bin
    [22:26:06] Start scanning for hidden files in /usr...
    [22:26:06] Value of hiddendirs:
    [22:26:06] End of scanning /usr
    [22:26:06] Start scanning for hidden files in /usr/man...
    [22:26:06] End of scanning /usr/man
    [22:26:06] Start scanning for hidden files in /usr/man/man1...
    [22:26:06] End of scanning /usr/man/man1
    [22:26:06] Start scanning for hidden files in /usr/man/man8...
    [22:26:06] End of scanning /usr/man/man8
    [22:26:06] Start scanning for hidden files in /usr/bin...
    [22:26:06] Value of hiddendirs:
    [22:26:06] End of scanning /usr/bin
    [22:26:06] Start scanning for hidden files in /usr/sbin...
    [22:26:06] Value of hiddendirs:
    [22:26:06] End of scanning /usr/sbin
    [22:26:06] Start scanning for hidden files in /sbin...
    [22:26:06] Value of hiddendirs:
    [22:26:06] End of scanning /sbin
    [22:26:06] Start scanning for hidden files in /etc...
    [22:26:06] Value of hiddendirs: /etc/.pwd.lock
    /etc/.aumixrc
    [22:26:06] End of scanning /etc
    [22:26:06] Hidden file/dir /etc/.pwd.lock [empty] seems to be OK
    [22:26:06] Added /etc/.aumixrc (ASCII text) to list of unknown hidden files/dirs
    [22:26:06] WARNING, found: /etc/.aumixrc (ASCII text)
    [22:26:27] ------------------------ Application advisories -----------------------
    [22:26:27] ---------------------- Application version check ----------------------
    [22:26:27] ----------------------------------------------------------
    [22:26:27] Scanning Exim%%MTA...
    [22:26:27] Application not found
    [22:26:27] ----------------------------------------------------------
    [22:26:27] Scanning GnuPG...
    [22:26:27] /usr/bin/gpg found
    [22:26:27] Version 1.2.1 seems to be vulnerable (if unpatched)!
    [22:26:27] ----------------------------------------------------------
    [22:26:27] Scanning Apache...
    [22:26:27] /usr/sbin/httpd found
    [22:26:27] Version 2.0.40 seems to be vulnerable (if unpatched)!
    [22:26:27] ----------------------------------------------------------
    [22:26:27] Scanning Bind%%DNS...
    [22:26:27] Debug:
    [22:26:27] /usr/sbin/named found
    [22:26:28] No information available. Unknown version number
    [22:26:28] ----------------------------------------------------------
    [22:26:28] Scanning OpenSSL...
    [22:26:28] /usr/bin/openssl found
    [22:26:28] Version 0.9.7a seems to be vulnerable (if unpatched)!
    [22:26:28] ----------------------------------------------------------
    [22:26:28] Scanning PHP...
    [22:26:28] /usr/bin/php found
    [22:26:28] No version found of application php
    [22:26:28] ----------------------------------------------------------
    [22:26:28] Scanning Procmail%%MTA...
    [22:26:28] /usr/bin/procmail found
    [22:26:28] Version 3.22 is available in non-vulnerable group and seems to be OK!
    [22:26:28] ----------------------------------------------------------
    [22:26:28] Scanning ProFTPd...
    [22:26:28] Application not found
    [22:26:28] ----------------------------------------------------------
    [22:26:28] Scanning OpenSSH...
    [22:26:28] /usr/sbin/sshd found
    [22:26:28] Version 3.5p1 seems to be vulnerable (if unpatched)!
    [22:26:29] ------------------------- Security advisories -------------------------
    [22:26:29] Info: Found 'PermitRootLogin no' or 'PermitRootLogin without-password' in SSH configuration file /etc/ssh/sshd_config
    [22:26:31] Rootkits scanned for: 55808 Trojan - Variant A, AjaKit, aPa Kit, Apache Worm, Ambient (ark) Rootkit, Balaur Rootkit, BeastKit, beX2, BOBKit, CiNIK Worm (Slapper.B variant), Danny-Boy's Abuse Kit, Devil RootKit, Dica, Dreams Rootkit, Duarawkz, Flea Linux Rootkit, FreeBSD Rootkit, fusk`it Rootkit, GasKit, Heroin LKM, HjC Kit, ignoKit, ImperalsS-FBRK, Irix Rootkit, Kitko, Knark, Li0n Worm, Lockit / LJK2, MRK, Ni0 Rootkit, RootKit for SunOS / NSDAP, Optic Kit (Tux), Oz Rootkit, Portacelo, R3dstorm Toolkit, RH-Sharpe's rootkit, RSHA's rootkit, Scalper Worm, Shutdown, SHV4, SHV5, Sin Rootkit, Slapper, Sneakin Rootkit, Suckit Rootkit, SunOS Rootkit, Superkit, TBD (Telnet BackDoor), TeLeKiT, T0rn Rootkit, Trojanit Kit, Tuxtendo, URK, VcKit, Volc Rootkit, X-Org SunOS Rootkit, zaRwT.KiT Rootkit
    [22:26:31] 4 vulnerable applications found
     
    Last edited: Feb 8, 2007
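An added example, not part of the original post: a small triage script that reduces an rkhunter log of this shape to its findings, grouped by rootkit signature, and cross-references paths that show up both as an existing signature file and as a string inside a system binary. The sample lines are copied from the log above; the function names and category labels are assumptions made for this example.

```python
import re
from collections import namedtuple

# Lines copied from the log in the post above, shortened to a few per test type.
SAMPLE_LOG = """\
[22:17:26] *** Start scan SHV4 ***
[22:17:26] - File /etc/ld.so.hash... OK. Not found.
[22:17:26] - File /lib/lidps1.so... WARNING! Exists.
[22:17:29] *** Start scan SHV5 ***
[22:17:29] - File /etc/sh.conf... WARNING! Exists.
[22:17:29] - File /dev/srd0... WARNING! Exists.
[22:17:29] - Directory /usr/lib/libsh... WARNING! Exists.
[22:17:30] *** Start scan Sin Rootkit ***
[22:17:30] - File /dev/ttyoa... WARNING! Exists.
[22:17:30] - File /dev/ttyos... OK. Not found.
[22:17:34] ------------------------------ Malware ------------------------------
[22:17:35] /bin/netstat clean (string: /dev/caca)
[22:17:35] Warning: /bin/netstat NOT clean (string: /dev/ttyoa)
[22:17:38] Checking /usr/lib/libice.log... [ WARNING! ] Possible sniffer log found.
[22:26:06] Value of hiddendirs: /etc/.pwd.lock
/etc/.aumixrc
[22:26:06] WARNING, found: /etc/.aumixrc (ASCII text)
[22:26:27] Scanning Apache...
[22:26:27] /usr/sbin/httpd found
[22:26:27] Version 2.0.40 seems to be vulnerable (if unpatched)!
[22:26:28] Scanning Procmail%%MTA...
[22:26:28] /usr/bin/procmail found
[22:26:28] Version 3.22 is available in non-vulnerable group and seems to be OK!
"""

Finding = namedtuple("Finding", "time category context detail")

TS = re.compile(r"^\[(\d\d:\d\d:\d\d)\]\s?(.*)$")
SECTION = re.compile(r"^-{3,}\s*([^-\s].*?)\s*-{3,}$")      # "---- Malware ----"
SCAN_START = re.compile(r"^\*\*\* Start scan (.+?) \*\*\*$")
APP_START = re.compile(r"^Scanning (.+?)\.\.\.$")
KIT_HIT = re.compile(r"^- (?:File|Directory) (.+?)\.\.\. WARNING! Exists\.$")
STRING_HIT = re.compile(r"^Warning: (\S+) NOT clean \(string: (.+)\)$")
CHECK_HIT = re.compile(r"^Checking (\S+?)\.\.\. \[ WARNING! \] (.+)$")
HIDDEN_HIT = re.compile(r"^WARNING, found: (\S+)")
APP_VULN = re.compile(r"^Version (\S+) seems to be vulnerable")


def triage(log_text):
    """Return every warning-level line as a Finding, with its scan context."""
    findings, kit, section, app = [], None, None, None
    for raw in log_text.splitlines():
        m = TS.match(raw)
        if not m:
            continue  # continuation line without a timestamp (hiddendirs values)
        when, msg = m.group(1), m.group(2).strip()
        s = SECTION.match(msg)
        if s:  # a new report section ends the current rootkit/application scope
            section, kit, app = s.group(1), None, None
            continue
        s = SCAN_START.match(msg)
        if s:
            kit = s.group(1)
            continue
        s = APP_START.match(msg)
        if s:
            app = s.group(1).split("%%")[0]  # "Procmail%%MTA" -> "Procmail"
            continue
        s = KIT_HIT.match(msg)
        if s:
            findings.append(Finding(when, "rootkit-file", kit or section, s.group(1)))
            continue
        s = STRING_HIT.match(msg)
        if s:
            findings.append(Finding(when, "suspect-string", s.group(1), s.group(2)))
            continue
        s = CHECK_HIT.match(msg)
        if s:
            findings.append(Finding(when, "check-warning", s.group(1), s.group(2)))
            continue
        s = HIDDEN_HIT.match(msg)
        if s:
            findings.append(Finding(when, "hidden-file", section, s.group(1)))
            continue
        s = APP_VULN.match(msg)
        if s:
            findings.append(Finding(when, "vulnerable-version", app, s.group(1)))
    return findings


def hits_by_kit(findings):
    """Group existing signature files/directories by the rootkit scan that flagged them."""
    grouped = {}
    for f in findings:
        if f.category == "rootkit-file":
            grouped.setdefault(f.context, []).append(f.detail)
    return grouped


def correlate(findings):
    """Paths that exist on disk AND appear as a string inside a system binary."""
    existing = {f.detail for f in findings if f.category == "rootkit-file"}
    return [(f.detail, f.context) for f in findings
            if f.category == "suspect-string" and f.detail in existing]


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for kit_name, paths in hits_by_kit(results).items():
        print(kit_name, paths)
    print("correlated:", correlate(results))
```

A path that is flagged by both tests, as `/dev/ttyoa` is in this log, is stronger evidence than either line alone, because a signature file name can collide with a legitimate file while a matching string inside `netstat` cannot be explained that way.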
  2. .W.

    .W. Regular member

    Root login, or root login without a password, allowed over SSH? That is most likely how they got into the box, at least.. tsk tsk.. what a blunder..

    Well, the options are, in order of preference:

    1: Back up those sites and put them back on a clean machine, so you can be sure everything has been caught

    2: First kill those processes by hand, then start cleaning the infected files out of there and installing clean files back.

    That is, if the root password hasn't been changed yet..


    3: http://www.clamav.net/ I have no idea how well this works; I suspect it won't help much, since it is meant more for cleaning e-mail and Windows files in *nix & Mac environments..

    edit: an addition..

    No no no.. the crap is already in the pants, now the pants have to be changed, a diaper won't help any more.. Even with a hardware firewall, your box needs some kind of connections to the outside world, and the customers need some kind of connections inward (to the web pages?). The machine first has to be cleaned one way or another. You can then try to protect the clean machine with that hardware firewall, but the most important protections are still:

    - all unnecessary services off
    - for mandatory services that don't need to be reachable from outside, block outside access, either in the applications' configs or on the firewall, or both to be safe. E.g. 'cups', unless the machine is a print server.
    - plain FTP gets banned.
    - SSH off the default port, and brute-force and other filters turned on for SSH.
    - if shells are handed out to outsiders, put them in a chroot trap.
    - it wouldn't hurt to run Apache in a chroot trap too..
    - UPDATES!!!! A Linux computer has programs in it too, really! They are made by people, and they have bugs too. They always will. But all of those get fixed as they are found, and the fixes are distributed. That is, more than just a chosen few on the second Tuesday of every month... *)

    *) M$'s advance notification of next Tuesday's updates just came out, and still no patches for those Offic€ products..



     
    Last edited: Feb 8, 2007
  3. LaLLi80

    LaLLi80 Senior member

    Please edit that e-mail address out. The mods don't like it when those are posted here.

    This is exactly why it shouldn't be possible to log in to the server with root privileges from an outside network. I don't know how the password was cracked or whether some weakness was exploited, but the likely route onto the server is indeed that one. It is of course possible that the credentials were captured when a remote connection to the server was made from some infected machine.
     
  4. juyli

    juyli Active member

    Have you made sure the latest available updates for RH9 are installed?
    http://fedoralegacy.org/download/
    http://fedoralegacy.org/download/fedoralegacy-mirrors.php
    RedHat 9.0 Updates, e.g.
    http://playgirl.wu-wien.ac.at/fedora/legacy/redhat/9/updates/i386/
    You'll find many important updates there, including an openssh update from last year.

    Unfortunately, I think support for RH9.0 will at some point be reaching the end of its road :( At that point maintaining the system becomes quite laborious.
     
  5. w4gner

    w4gner Member

    1. It's no big job if the web pages are the only thing that needs to be saved. I would reinstall the machine myself, and with a somewhat newer distro, please. If you want to stay with Red Hat "family" servers and have no need for paid services, you could try e.g. CentOS http://www.centos.org/. And if the distro turns out to be good, remember to support them in the future ;)

    2. If the box in question offers services to the outside world, then definitely turn off all unnecessary services and get those SSH settings checked and in order.

    3. If the hardware has enough grunt, you could consider virtualization. E.g. Xen http://www.xensource.com/ or VMWare http://www.vmware.com/, onto which you would then install a minimal installation of the desired distro. And only http(s) and ssh would be open to the outside world from the virtualized server. If you really want to tighten things further, chroot the desired services (apache and ssh) on the virtualized server.
     
  6. Sakarias

    Sakarias Active member

    Isn't Red Hat 9 already pretty old... it has to be replaced at some point anyway. Install Debian or some other distribution on some machine. Debian is stable and good for a server machine. Configure it in advance and take note of those good security suggestions. Then you remove that Red Hat and copy the new one into its place. On Thursday evening I copied a Linux install to a new disk. It didn't take much time. And it started working fine once I first reinstalled grub from a LiveCD and fixed the disk references in the /etc/fstab file.
     
