```
mv /lib64/libkeyutils.so.1.9 /root
service sshd restart
Stopping sshd: [ OK ]
Starting sshd: /usr/sbin/sshd: error while loading shared libraries: libkeyutils.so.1: cannot open shared object file: No such file or directory [FAILED]
```
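How do I remove it from SSHD?

I need to get this fixed: http://www.webhostingtalk.com/showpost.php?p=8548338&postcount=4

I have now heard about this exploit. REF: http://blog.solidshellsecurity.com/2013/02/18/0day-linuxcentos-sshd-spam-exploit-libkeyutils-so-1-9/

They are not logging in as root, and they do not even spawn a bash process. If the lib is moved out and sshd is restarted, they will not be able to log in any more, fwiw.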
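The key is understanding how they got in. Fully updated, SSH-key-restricted sshd instances on non-standard ports are being attacked. None of my clients are affected, but I have received a lot of sales inquiries about this issue, so I don't know the full history of the machines.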
```
[/lib64]# rpm -vV openssh
.........    /etc/ssh
.........  c /etc/ssh/moduli
.........    /usr/bin/ssh-keygen
.........    /usr/libexec/openssh
.........    /usr/libexec/openssh/ssh-keysign
.........    /usr/share/doc/openssh-5.3p1
.........  d /usr/share/doc/openssh-5.3p1/CREDITS
.........  d /usr/share/doc/openssh-5.3p1/ChangeLog
.........  d /usr/share/doc/openssh-5.3p1/INSTALL
.........  d /usr/share/doc/openssh-5.3p1/LICENCE
.........  d /usr/share/doc/openssh-5.3p1/OVERVIEW
.........  d /usr/share/doc/openssh-5.3p1/PROTOCOL
.........  d /usr/share/doc/openssh-5.3p1/PROTOCOL.agent
.........  d /usr/share/doc/openssh-5.3p1/README
.........  d /usr/share/doc/openssh-5.3p1/README.dns
.........  d /usr/share/doc/openssh-5.3p1/README.nss
.........  d /usr/share/doc/openssh-5.3p1/README.platform
.........  d /usr/share/doc/openssh-5.3p1/README.privsep
.........  d /usr/share/doc/openssh-5.3p1/README.smartcard
.........  d /usr/share/doc/openssh-5.3p1/README.tun
.........  d /usr/share/doc/openssh-5.3p1/TODO
.........  d /usr/share/doc/openssh-5.3p1/WARNING.RNG
.........  d /usr/share/man/man1/ssh-keygen.1.gz
.........  d /usr/share/man/man8/ssh-keysign.8.gz
[/lib64]# rpm -vV openssh-clients
S.5....T.  c /etc/ssh/ssh_config
.........    /usr/bin/.ssh.hmac
.........    /usr/bin/scp
.........    /usr/bin/sftp
.........    /usr/bin/slogin
.........    /usr/bin/ssh
.........    /usr/bin/ssh-add
.........    /usr/bin/ssh-agent
.........    /usr/bin/ssh-copy-id
.........    /usr/bin/ssh-keyscan
.........  d /usr/share/man/man1/scp.1.gz
.........  d /usr/share/man/man1/sftp.1.gz
.........  d /usr/share/man/man1/slogin.1.gz
.........  d /usr/share/man/man1/ssh-add.1.gz
.........  d /usr/share/man/man1/ssh-agent.1.gz
.........  d /usr/share/man/man1/ssh-copy-id.1.gz
.........  d /usr/share/man/man1/ssh-keyscan.1.gz
.........  d /usr/share/man/man1/ssh.1.gz
.........  d /usr/share/man/man5/ssh_config.5.gz
[/lib64]# rpm -vV openssh-server
.......T.  c /etc/pam.d/ssh-keycat
S.5....T.  c /etc/pam.d/sshd
.........    /etc/rc.d/init.d/sshd
S.5....T.  c /etc/ssh/sshd_config
.........  c /etc/sysconfig/sshd
.........    /usr/libexec/openssh/sftp-server
.........    /usr/libexec/openssh/ssh-keycat
.........    /usr/sbin/.sshd.hmac
.........    /usr/sbin/sshd
.........    /usr/share/doc/openssh-server-5.3p1
.........  d /usr/share/doc/openssh-server-5.3p1/HOWTO.ssh-keycat
.........  d /usr/share/man/man5/moduli.5.gz
.........  d /usr/share/man/man5/sshd_config.5.gz
.........  d /usr/share/man/man8/sftp-server.8.gz
.........  d /usr/share/man/man8/sshd.8.gz
.........    /var/empty/sshd
```
and
```
[/lib64]# rpm -qf /lib64/libkeyutils.so.1.9
file /lib64/libkeyutils.so.1.9 is not owned by any package
[/lib64]# rpm -vV keyutils-libs
....L....    /lib64/libkeyutils.so.1
.........    /lib64/libkeyutils.so.1.3
.........    /usr/share/doc/keyutils-libs-1.4
.........  d /usr/share/doc/keyutils-libs-1.4/LICENCE.LGPL
```
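Your SSH daemon and system may be compromised!

You cannot trust the existing SSH daemon installed on the server.

For a quick check, run an RPM verification of the existing packages. You can do this with: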
```
rpm -vV openssh-server
rpm -vV openssh-clients
rpm -vV openssh
```
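Grep the output of each command for `S\.5`. This will tell you whether the binaries have changed.

A temporary fix is to reinstall your openssh setup, but that is beyond the scope of this question. See below…

How do I deal with a compromised server?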
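In the output quoted earlier on this page, every `S.5` hit is a configuration file (`c`), while the changed `libkeyutils.so.1` symlink and the unowned `libkeyutils.so.1.9` do not match that pattern at all. The following is an added example, not part of the original answer: it classifies `rpm -vV` and `rpm -qf` output so those cases are reported separately. The function names and the last sample line are constructed for illustration, and paths containing spaces are not handled.

```shell
#!/usr/bin/env bash
# Added example: triage rpm verify output rather than a bare `grep S\.5`.
# Record layout: 9 flag characters (S M 5 D L U G T P), an optional
# file-type marker (c = config, d = doc), then the path.

classify_rpm_verify() {
    awk '
    # rpm -qf reports files that no installed package owns.
    /is not owned by any package$/ { print "UNOWNED " $2; next }
    $1 == "missing" { print "MISSING " $NF; next }
    # Anything else must start with the 9-character flag field.
    length($1) != 9 || $1 !~ /^[.?A-Za-z0-9]+$/ { next }
    $1 == "........." { next }                      # verified clean
    {
        flags = $1
        if (NF >= 3) { type = $2; path = $3 } else { type = "-"; path = $2 }
        if (substr(flags, 3, 1) == "5" && type == "c")
            print "DIGEST-CONFIG " path             # edited config, review by hand
        else if (substr(flags, 3, 1) == "5")
            print "DIGEST-NONCONFIG " path          # packaged binary or library changed
        else if (substr(flags, 5, 1) == "L")
            print "SYMLINK-CHANGED " path           # link target differs from package
        else
            print "OTHER " flags " " path
    }'
}

# The prompt and the next four lines are copied from the output quoted on
# this page; the last line is constructed to show a replaced binary.
sample_verify_output() {
    cat <<'EOF'
[/lib64]# rpm -vV openssh-server
S.5....T.  c /etc/ssh/sshd_config
.........    /usr/sbin/sshd
....L....    /lib64/libkeyutils.so.1
file /lib64/libkeyutils.so.1.9 is not owned by any package
S.5....T.    /usr/bin/ssh
EOF
}

sample_verify_output | classify_rpm_verify
```

On a live host, pipe the real command output into `classify_rpm_verify` in place of the sample.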