Should this system keep running, or should it be shut down? If anyone is interested in that person's attack techniques, I can provide root's ssh password and private key, or the complete files of that virtual machine. It is best to log in outside working hours (you can also log in with 'ssh icatman@dg-hd.xicp.net', password 'jjyy', then use sudo to pull out /root/id.key; that key's passphrase is 'a', and it can be used as the ssh private key for root@dg-hd.xicp.net; too many people are online during the day, at night it is much faster). The services running on the system are (nothing has been added or removed):
vm:~# netstat -pl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:9001 *:* LISTEN 2524/tor
tcp 0 0 localhost:mysql *:* LISTEN 2108/mysqld
tcp 0 0 ns.hd.local:domain *:* LISTEN 1998/named
tcp 0 0 localhost:domain *:* LISTEN 1998/named
tcp 0 0 *:8118 *:* LISTEN 2518/privoxy
tcp 0 0 *:3128 *:* LISTEN 2545/(squid)
tcp 0 0 *:smtp *:* LISTEN 2510/exim4
tcp 0 0 localhost:953 *:* LISTEN 1998/named
tcp 0 0 localhost:9050 *:* LISTEN 2524/tor
udp 0 0 *:32768 *:* 1998/named
udp 0 0 *:32771 *:* 2545/(squid)
udp 0 0 ns.hd.local:domain *:* 1998/named
udp 0 0 localhost:domain *:* 1998/named
udp 0 0 *:icpv2 *:* 2545/(squid)
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 6253 2108/mysqld /var/run/mysqld/mysqld.sock
unix 2 [ ACC ] STREAM LISTENING 6555 2258/acpid /var/run/acpid.socket
The most obvious place where the intrusion shows is:
Dec 30 08:13:56 vm useradd[7544]: new group: name=Raoul, GID=1001
Dec 30 08:13:57 vm useradd[7544]: new user: name=Raoul, UID=1001, GID=1001, home=/home/Raoul, shell=/bin/sh
This user must have been created by the hacker; although /home/Raoul is already gone, the /etc/passwd file still contains the user Raoul. The earlier hotend user was one I created while testing:
Dec 28 15:45:44 vm useradd[5636]: new group: name=hotend, GID=1001
Dec 28 15:45:44 vm useradd[5636]: new user: name=hotend, UID=1001, GID=1001, home=/home/hotend, shell=/bin/sh
Dec 28 15:46:35 vm passwd[5640]: pam_unix(passwd:chauthtok): password changed for hotend
Dec 28 15:47:44 vm userdel[5644]: delete user `hotend'
Dec 28 15:47:44 vm userdel[5644]: removed group `hotend' owned by `hotend'
icatman's mailbox has 4 messages, of which the 2nd is the more useful one: it shows that on 2007-12-30 root actually logged into the system. The message subject is 'Mail delivery failed: returning message to sender'.
[ Last edited by icatman on 2008-1-5 06:07 ]
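The triage the post does by hand (reading useradd/userdel lines out of the auth log and noticing that Raoul survives in /etc/passwd while hotend does not) can be scripted so it is repeatable on the VM image. The following is an added example, not code from the post or its author: it parses the log lines quoted above (embedded here as constructed sample input), lists accounts that were added and never deleted, flags UIDs handed to more than one name, and reports passwd entries whose home directory no longer exists. The /etc/passwd fragment and the set of existing home directories are constructed to match what the post reports (icatman's own passwd line is an assumption).

```python
import re

# Constructed sample input: the useradd/userdel lines quoted in the post
# (hotend was the owner's test account; Raoul appeared two days later).
AUTH_LOG = """\
Dec 28 15:45:44 vm useradd[5636]: new group: name=hotend, GID=1001
Dec 28 15:45:44 vm useradd[5636]: new user: name=hotend, UID=1001, GID=1001, home=/home/hotend, shell=/bin/sh
Dec 28 15:46:35 vm passwd[5640]: pam_unix(passwd:chauthtok): password changed for hotend
Dec 28 15:47:44 vm userdel[5644]: delete user `hotend'
Dec 28 15:47:44 vm userdel[5644]: removed group `hotend' owned by `hotend'
Dec 30 08:13:56 vm useradd[7544]: new group: name=Raoul, GID=1001
Dec 30 08:13:57 vm useradd[7544]: new user: name=Raoul, UID=1001, GID=1001, home=/home/Raoul, shell=/bin/sh
"""

# Constructed /etc/passwd fragment matching the post: Raoul is still present,
# hotend is not. The icatman line is an assumption.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
icatman:x:1000:1000:icatman,,,:/home/icatman:/bin/bash
Raoul:x:1001:1001::/home/Raoul:/bin/sh
"""

# Constructed view of which home directories exist on disk (the post says
# /home/Raoul is already gone). On a real image, build this from os.listdir.
EXISTING_HOMES = {"/root", "/home/icatman"}

TS = r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)"
NEW_USER = re.compile(TS + r" \S+ useradd\[\d+\]: new user: name=(?P<name>[^,]+), "
                      r"UID=(?P<uid>\d+), GID=(?P<gid>\d+), home=(?P<home>[^,]+), shell=(?P<shell>\S+)$")
DEL_USER = re.compile(TS + r" \S+ userdel\[\d+\]: delete user `(?P<name>[^']+)'$")


def account_events(log_text):
    """Extract useradd/userdel events in log order as dicts (action 'add' or 'del')."""
    events = []
    for line in log_text.splitlines():
        m = NEW_USER.match(line)
        if m:
            ev = m.groupdict()
            ev["action"] = "add"
            ev["uid"] = int(ev["uid"])
            ev["gid"] = int(ev["gid"])
            events.append(ev)
            continue
        m = DEL_USER.match(line)
        if m:
            events.append({"ts": m.group("ts"), "action": "del", "name": m.group("name")})
    return events


def surviving_accounts(events):
    """Accounts added by useradd with no later userdel: name -> add event."""
    live = {}
    for ev in events:
        if ev["action"] == "add":
            live[ev["name"]] = ev
        else:
            live.pop(ev["name"], None)
    return live


def uid_reuse(events):
    """UIDs assigned to more than one account name over the log's lifetime.

    Reuse matters for forensics: a file owned by UID 1001 could have been
    created by either account, so ownership alone does not attribute it.
    """
    owners = {}
    for ev in events:
        if ev["action"] == "add":
            names = owners.setdefault(ev["uid"], [])
            if ev["name"] not in names:
                names.append(ev["name"])
    return {uid: names for uid, names in owners.items() if len(names) > 1}


def orphaned_passwd_entries(passwd_text, existing_homes, min_uid=1000):
    """Non-system passwd entries whose home directory no longer exists.

    A login account with no home directory is either a cleanup leftover or an
    attacker covering tracks (home removed, account kept, as in the post).
    """
    orphans = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, _, _, home, shell = fields
        if int(uid) >= min_uid and home not in existing_homes:
            orphans.append((name, int(uid), home, shell))
    return orphans


def triage(log_text, passwd_text, existing_homes):
    """Run all three checks and return one report dict."""
    events = account_events(log_text)
    return {
        "surviving": sorted(surviving_accounts(events)),
        "uid_reuse": uid_reuse(events),
        "orphans": orphaned_passwd_entries(passwd_text, existing_homes),
    }


if __name__ == "__main__":
    for key, value in triage(AUTH_LOG, PASSWD, EXISTING_HOMES).items():
        print(f"{key}: {value}")
```

Run against the quoted lines, the report says Raoul is the only surviving account from the log, that UID 1001 belonged to hotend and then to Raoul (so any file owned by 1001 on the image cannot be attributed by owner alone), and that Raoul's passwd entry points at a home directory that no longer exists. On the real VM, point AUTH_LOG at /var/log/auth.log (and rotated copies) and build EXISTING_HOMES from the filesystem rather than a literal.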