Ahoj, mám domácí server Debian squeeze a dnes mi ho někdo úspěšně hacknul. Tuším jak se to stalo - jednoduché heslo roota, podle logu to bral někdo hrubou silou. (Jsem vůl že byl root vůbec povolen přes ssh).
Každopádně budu muset přeinstalovat celý systém. Zajímavé je, že když si vypíšu netstat, tak vidím toto:
tcp 0 0 *:sunrpc *:* LISTEN root 3754 977/portmap
tcp 0 0 *:44784 *:* LISTEN root 4178 1193/rpc.mountd
tcp 0 0 angel.local:domain *:* LISTEN bind 4354 1281/named
tcp 0 0 localhost:domain *:* LISTEN bind 4352 1281/named
tcp 0 0 *:ssh *:* LISTEN root 5053 1725/sshd
tcp 0 0 localhost:smtp *:* LISTEN root 4982 1702/exim4
tcp 0 0 localhost:953 *:* LISTEN bind 4360 1281/named
tcp 0 0 *:55515 *:* LISTEN statd 3792 990/rpc.statd
tcp 0 0 *:60961 *:* LISTEN root 4092 -
tcp 0 0 *:nfs *:* LISTEN root 4072 -
tcp 0 0 *:swat *:* LISTEN root 4509 1368/inetd
tcp 0 152 angel.local:ssh 10.0.0.1:52980 ESTABLISHED root 5190 1810/sshd: david [p
tcp 0 0 angel.local:37335 Tampa.FL.US.Undern:ircd ESTABLISHED root 5296 1809/sshd
tcp 0 0 angel.local:47117 Tampa.FL.US.Undern:ircd ESTABLISHED root 5173 1809/sshd
tcp 0 0 angel.local:59360 Tampa.FL.US.Undern:ircd ESTABLISHED root 5378 1809/sshd
udp 0 0 angel.local:domain *:* bind 4353 1281/named
udp 0 0 localhost:domain *:* bind 4351 1281/named
udp 0 0 *:36665 *:* root 4173 1193/rpc.mountd
udp 0 0 *:47817 *:* root 4085 -
udp 0 0 *:46816 *:* statd 3789 990/rpc.statd
udp 0 0 *:742 *:* root 3780 990/rpc.statd
udp 0 0 *:mdns *:* avahi 4408 1325/avahi-daemon:
udp 0 0 *:sunrpc *:* root 3745 977/portmap
udp 0 0 *:nfs *:* root 4107 -
udp 0 0 10.0.0.255:netbios-ns *:* root 4957 1695/nmbd
udp 0 0 angel.local:netbios-ns *:* root 4956 1695/nmbd
udp 0 0 *:netbios-ns *:* root 4953 1695/nmbd
udp 0 0 10.0.0.255:netbios-dgm *:* root 4959 1695/nmbd
udp 0 0 angel.local:netbios-dgm *:* root 4958 1695/nmbd
udp 0 0 *:netbios-dgm *:* root 4954 1695/nmbd
udp 0 0 *:38287 *:* root 5171 1809/sshd
udp 0 0 localhost:921 *:* root 4486 1349/lwresd
udp 0 0 *:39971 *:* avahi 4410 1325/avahi-daemon:
tcp 0 0 angel.local:47117 Tampa.FL.US.Undern:ircd ESTABLISHED root 5173 1809/sshd
Z toho usuzuji, že útočník něco nainstaloval na server, a může ho přes ircd vzdáleně ovládat. Nápadný je hlavně proces s PID 1809: v ps aux se hlásí jen jako „sshd“ bez cesty (na rozdíl od /usr/sbin/sshd s PID 1725), běží pod rootem, naběhl až v 19:48 a právě on drží ta tři spojení na Tampa.FL.US.Undern:ircd i UDP port 38287 – „ircd“ je tedy v tom výpisu název vzdáleného portu na druhé straně, ne program u mě. Chápu to správně? S linuxem si teprve začínáme pořádně rozumět. Zde je ještě výpis ps aux:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 2036 708 ? Ss 19:46 0:00 init [2]
root 2 0.0 0.0 0 0 ? S 19:46 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 19:46 0:00 [migration/0]
root 4 0.0 0.0 0 0 ? S 19:46 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S 19:46 0:00 [watchdog/0]
root 6 0.0 0.0 0 0 ? S 19:46 0:00 [events/0]
root 7 0.0 0.0 0 0 ? S 19:46 0:00 [cpuset]
root 8 0.0 0.0 0 0 ? S 19:46 0:00 [khelper]
root 9 0.0 0.0 0 0 ? S 19:46 0:00 [netns]
root 10 0.0 0.0 0 0 ? S 19:46 0:00 [async/mgr]
root 11 0.0 0.0 0 0 ? S 19:46 0:00 [pm]
root 12 0.0 0.0 0 0 ? S 19:46 0:00 [sync_supers]
root 13 0.0 0.0 0 0 ? S 19:46 0:00 [bdi-default]
root 14 0.0 0.0 0 0 ? S 19:46 0:00 [kintegrityd/0]
root 15 0.0 0.0 0 0 ? S 19:46 0:00 [kblockd/0]
root 16 0.0 0.0 0 0 ? S 19:46 0:00 [kacpid]
root 17 0.0 0.0 0 0 ? S 19:46 0:00 [kacpi_notify]
root 18 0.0 0.0 0 0 ? S 19:46 0:00 [kacpi_hotplug]
root 19 0.0 0.0 0 0 ? S 19:46 0:00 [kseriod]
root 21 0.0 0.0 0 0 ? S 19:46 0:00 [kondemand/0]
root 22 0.0 0.0 0 0 ? S 19:46 0:00 [khungtaskd]
root 23 0.0 0.0 0 0 ? S 19:46 0:00 [kswapd0]
root 24 0.0 0.0 0 0 ? SN 19:46 0:00 [ksmd]
root 25 0.0 0.0 0 0 ? S 19:46 0:00 [aio/0]
root 26 0.0 0.0 0 0 ? S 19:46 0:00 [crypto/0]
root 229 0.0 0.0 0 0 ? S 19:46 0:00 [ksuspend_usbd]
root 230 0.0 0.0 0 0 ? S 19:46 0:00 [khubd]
root 235 0.0 0.0 0 0 ? S 19:46 0:00 [ata/0]
root 240 0.0 0.0 0 0 ? S 19:46 0:00 [ata_aux]
root 241 0.0 0.0 0 0 ? S 19:46 0:00 [kmmcd]
root 243 0.0 0.0 0 0 ? S 19:46 0:00 [scsi_eh_0]
root 245 0.0 0.0 0 0 ? S 19:46 0:00 [scsi_eh_1]
root 283 0.0 0.0 0 0 ? S 19:46 0:00 [kstriped]
root 286 0.0 0.0 0 0 ? S 19:46 0:00 [kdmflush]
root 293 0.0 0.0 0 0 ? S 19:46 0:00 [kdmflush]
root 307 0.0 0.0 0 0 ? S 19:46 0:00 [kjournald]
root 381 0.0 0.0 2460 992 ? S<s 19:47 0:00 udevd --daemon
root 543 0.0 0.0 2544 928 ? S< 19:47 0:00 udevd --daemon
root 544 0.0 0.0 2544 912 ? S< 19:47 0:00 udevd --daemon
root 602 0.0 0.0 0 0 ? S 19:47 0:00 [kpsmoused]
root 611 0.0 0.0 0 0 ? S 19:47 0:00 [i915]
root 613 0.0 0.0 0 0 ? S 19:47 0:00 [tifm]
root 618 0.0 0.0 0 0 ? S 19:47 0:00 [ipw2200/0]
root 642 0.0 0.0 0 0 ? S 19:47 0:00 [pccardd]
root 643 0.0 0.0 0 0 ? S 19:47 0:00 [pccardd]
root 768 0.0 0.0 0 0 ? S 19:47 0:00 [firewire_sbp2]
root 800 0.0 0.0 0 0 ? S 19:47 0:00 [kdmflush]
root 837 0.0 0.0 0 0 ? S 19:47 0:00 [kjournald]
root 916 0.0 0.0 0 0 ? S 19:47 0:00 [flush-254:0]
daemon 977 0.0 0.0 1812 500 ? Ss 19:47 0:00 /sbin/portmap
statd 990 0.0 0.0 1940 788 ? Ss 19:47 0:00 /sbin/rpc.statd
root 1138 0.0 0.0 0 0 ? S 19:47 0:00 [rpciod/0]
root 1146 0.0 0.1 27584 1684 ? Sl 19:47 0:00 /usr/sbin/rsyslogd -c4
root 1166 0.0 0.0 0 0 ? S 19:47 0:00 [lockd]
root 1167 0.0 0.0 0 0 ? S 19:47 0:00 [nfsd4]
root 1168 0.0 0.0 0 0 ? S 19:47 0:00 [nfsd]
root 1169 0.0 0.0 0 0 ? S 19:47 0:00 [nfsd]
root 1170 0.0 0.0 0 0 ? S 19:47 0:00 [nfsd]
root 1171 0.0 0.0 0 0 ? S 19:47 0:00 [nfsd]
root 1172 0.0 0.0 0 0 ? S 19:47 0:00 [nfsd]
root 1173 0.0 0.0 0 0 ? S 19:47 0:00 [nfsd]
root 1175 0.0 0.0 0 0 ? S 19:47 0:00 [nfsd]
root 1177 0.0 0.0 0 0 ? S 19:47 0:00 [nfsd]
root 1193 0.0 0.0 2112 360 ? Ss 19:47 0:00 /usr/sbin/rpc.mountd --manage-gids
root 1215 0.0 0.0 1536 196 ? Ss 19:47 0:00 /usr/sbin/acpi_fakekeyd
root 1220 0.0 0.0 1864 748 ? Ss 19:47 0:00 /usr/sbin/acpid
daemon 1248 0.0 0.0 2164 416 ? Ss 19:47 0:00 /usr/sbin/atd
105 1275 0.0 0.0 2584 788 ? Ss 19:47 0:00 /usr/bin/dbus-daemon --system
bind 1281 0.0 1.2 46284 12804 ? Ssl 19:47 0:00 /usr/sbin/named -u bind -t /var/lib/named
root 1291 0.0 0.0 0 0 ? S 19:47 0:00 [kconservative/0]
avahi 1325 0.0 0.1 2956 1536 ? S 19:47 0:00 avahi-daemon: running [angel.local]
avahi 1326 0.0 0.0 2844 488 ? S 19:47 0:00 avahi-daemon: chroot helper
root 1349 0.0 0.6 40376 6928 ? Ssl 19:47 0:00 /usr/sbin/lwresd
root 1355 0.0 0.1 4020 1792 ? Ss 19:47 0:00 /usr/sbin/bluetoothd
root 1368 0.0 0.0 1880 632 ? Ss 19:47 0:00 /usr/sbin/inetd
root 1376 0.0 0.0 0 0 ? S 19:47 0:00 [bluetooth]
root 1384 0.0 0.0 0 0 ? S< 19:47 0:00 [krfcommd]
root 1409 0.0 0.9 26412 10148 ? Ss 19:47 0:00 /usr/sbin/apache2 -k start
root 1436 0.0 0.0 3816 944 ? Ss 19:47 0:00 /usr/sbin/cron
www-data 1485 0.0 0.5 26412 5660 ? S 19:47 0:00 /usr/sbin/apache2 -k start
www-data 1486 0.0 0.5 26412 5656 ? S 19:47 0:00 /usr/sbin/apache2 -k start
www-data 1487 0.0 0.5 26412 5656 ? S 19:47 0:00 /usr/sbin/apache2 -k start
www-data 1488 0.0 0.5 26412 5656 ? S 19:47 0:00 /usr/sbin/apache2 -k start
www-data 1490 0.0 0.5 26412 5656 ? S 19:47 0:00 /usr/sbin/apache2 -k start
root 1695 0.0 0.1 9184 1716 ? Ss 19:47 0:00 /usr/sbin/nmbd -D
101 1702 0.0 0.0 6540 936 ? Ss 19:47 0:00 /usr/sbin/exim4 -bd -q30m
root 1718 0.0 0.2 16588 2952 ? Ss 19:47 0:00 /usr/sbin/smbd -D
root 1725 0.0 0.0 5500 976 ? Ss 19:47 0:00 /usr/sbin/sshd
root 1733 0.0 0.1 16588 1256 ? S 19:47 0:00 /usr/sbin/smbd -D
root 1738 0.0 0.1 13184 1588 ? Ss 19:47 0:00 /usr/sbin/winbindd
root 1749 0.0 0.1 13184 1232 ? S 19:47 0:00 /usr/sbin/winbindd
root 1796 0.0 0.0 1712 568 tty1 Ss+ 19:47 0:00 /sbin/getty 38400 tty1
root 1797 0.0 0.0 1712 568 tty2 Ss+ 19:47 0:00 /sbin/getty 38400 tty2
root 1798 0.0 0.0 1712 564 tty3 Ss+ 19:47 0:00 /sbin/getty 38400 tty3
root 1799 0.0 0.0 1712 568 tty4 Ss+ 19:47 0:00 /sbin/getty 38400 tty4
root 1800 0.0 0.0 1712 564 tty5 Ss+ 19:47 0:00 /sbin/getty 38400 tty5
root 1801 0.0 0.0 1712 568 tty6 Ss+ 19:47 0:00 /sbin/getty 38400 tty6
root 1809 0.0 0.0 2036 900 ? Ss 19:48 0:00 sshd
root 1810 0.0 0.2 8484 2920 ? Ss 19:48 0:00 sshd: david [priv]
david 1812 0.0 0.1 8624 1476 ? S 19:48 0:00 sshd: david@pts/0
david 1813 0.0 0.5 8168 5536 pts/0 Ss 19:48 0:00 -bash
root 1876 0.0 0.1 4148 1284 pts/0 S 19:49 0:00 su
root 1877 0.0 0.3 5924 3288 pts/0 S 19:49 0:00 bash
root 1994 0.0 0.1 3876 1052 pts/0 R+ 20:02 0:00 ps aux
Mým problémem je to, že nemohu zaboha najít, co ten dotyčný nainstaloval, popř. změnil – poradíte, kde hledat? ircd jsem nikde nenašel, ale možná je to tím, že neumím hledat? Zajímalo by mě to opravdu moc. Předem díky za rady.