Linux
Removing a shared library from sshd
mv /lib64/libkeyutils.so.1.9 /root
service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd: /usr/sbin/sshd: error while loading shared libraries: libkeyutils.so.1: cannot open shared object file: No such file or directory
                                                           [FAILED]
How do I remove it from sshd?

Need to solve this: http://www.webhostingtalk.com/showpost.php?p=8548338&postcount=4

I have now heard about this exploit, see: http://blog.solidshellsecurity.com/2013/02/18/0day-linuxcentos-sshd-spam-exploit-libkeyutils-so-1-9/

They are not logging in as root, and not even a bash process gets spawned. If the lib is moved out of the way and sshd is restarted, they can no longer log in.

The key is finding out how they got in. Fully updated, ssh-key-restricted sshds on non-standard ports are being compromised. None of my clients are affected, but I have received a lot of sales inquiries about this problem, so I do not know the full history of the machines.
[/lib64]# rpm -vV openssh
.........    /etc/ssh
.........  c /etc/ssh/moduli
.........    /usr/bin/ssh-keygen
.........    /usr/libexec/openssh
.........    /usr/libexec/openssh/ssh-keysign
.........    /usr/share/doc/openssh-5.3p1
.........  d /usr/share/doc/openssh-5.3p1/CREDITS
.........  d /usr/share/doc/openssh-5.3p1/ChangeLog
.........  d /usr/share/doc/openssh-5.3p1/INSTALL
.........  d /usr/share/doc/openssh-5.3p1/LICENCE
.........  d /usr/share/doc/openssh-5.3p1/OVERVIEW
.........  d /usr/share/doc/openssh-5.3p1/PROTOCOL
.........  d /usr/share/doc/openssh-5.3p1/PROTOCOL.agent
.........  d /usr/share/doc/openssh-5.3p1/README
.........  d /usr/share/doc/openssh-5.3p1/README.dns
.........  d /usr/share/doc/openssh-5.3p1/README.nss
.........  d /usr/share/doc/openssh-5.3p1/README.platform
.........  d /usr/share/doc/openssh-5.3p1/README.privsep
.........  d /usr/share/doc/openssh-5.3p1/README.smartcard
.........  d /usr/share/doc/openssh-5.3p1/README.tun
.........  d /usr/share/doc/openssh-5.3p1/TODO
.........  d /usr/share/doc/openssh-5.3p1/WARNING.RNG
.........  d /usr/share/man/man1/ssh-keygen.1.gz
.........  d /usr/share/man/man8/ssh-keysign.8.gz

[/lib64]# rpm -vV openssh-clients
S.5....T.  c /etc/ssh/ssh_config
.........    /usr/bin/.ssh.hmac
.........    /usr/bin/scp
.........    /usr/bin/sftp
.........    /usr/bin/slogin
.........    /usr/bin/ssh
.........    /usr/bin/ssh-add
.........    /usr/bin/ssh-agent
.........    /usr/bin/ssh-copy-id
.........    /usr/bin/ssh-keyscan
.........  d /usr/share/man/man1/scp.1.gz
.........  d /usr/share/man/man1/sftp.1.gz
.........  d /usr/share/man/man1/slogin.1.gz
.........  d /usr/share/man/man1/ssh-add.1.gz
.........  d /usr/share/man/man1/ssh-agent.1.gz
.........  d /usr/share/man/man1/ssh-copy-id.1.gz
.........  d /usr/share/man/man1/ssh-keyscan.1.gz
.........  d /usr/share/man/man1/ssh.1.gz
.........  d /usr/share/man/man5/ssh_config.5.gz

[/lib64]# rpm -vV openssh-server
.......T.  c /etc/pam.d/ssh-keycat
S.5....T.  c /etc/pam.d/sshd
.........    /etc/rc.d/init.d/sshd
S.5....T.  c /etc/ssh/sshd_config
.........  c /etc/sysconfig/sshd
.........    /usr/libexec/openssh/sftp-server
.........    /usr/libexec/openssh/ssh-keycat
.........    /usr/sbin/.sshd.hmac
.........    /usr/sbin/sshd
.........    /usr/share/doc/openssh-server-5.3p1
.........  d /usr/share/doc/openssh-server-5.3p1/HOWTO.ssh-keycat
.........  d /usr/share/man/man5/moduli.5.gz
.........  d /usr/share/man/man5/sshd_config.5.gz
.........  d /usr/share/man/man8/sftp-server.8.gz
.........  d /usr/share/man/man8/sshd.8.gz
.........    /var/empty/sshd

and

[/lib64]# rpm -qf /lib64/libkeyutils.so.1.9
file /lib64/libkeyutils.so.1.9 is not owned by any package
[/lib64]# rpm -vV keyutils-libs
....L....    /lib64/libkeyutils.so.1
.........    /lib64/libkeyutils.so.1.3
.........    /usr/share/doc/keyutils-libs-1.4
.........  d /usr/share/doc/keyutils-libs-1.4/LICENCE.LGPL
Your SSH daemon and your system may be compromised!

You cannot trust the existing SSH daemon installed on the server.

For a quick check, run an RPM verify against the existing packages. You can do it like this:

rpm -vV openssh-server
rpm -vV openssh-clients
rpm -vV openssh

Grep the output of each command for S\.5. That will tell you whether the binaries have been modified. The temporary fix is to reinstall your openssh setup, but that is beyond the scope of this question. See the following…
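The answer's check, turned into a script. This is an added example and not code from the thread or from either poster. It applies the rule the answer gives (S and 5 on a binary mean it was replaced) using rpm's documented verify flags (S size, M mode, 5 digest, L symlink target, and the literal "missing" for an absent file), and it also treats L as tampering, because that is the flag the question's rpm -vV keyutils-libs output shows on /lib64/libkeyutils.so.1 (the symlink no longer points where the package put it). The package list, the orphan-file check under /lib64 and the sample output embedded below are assumptions made for this demonstration.

```sh
#!/bin/sh
# Added example (not from the original thread): triage `rpm -V` output
# instead of reading it by eye. Column 1 is rpm's verify flag field
# (S size, M mode, 5 digest, D device, L symlink target, U user, G group,
# T mtime, P capabilities; '.' = passed, '?' = not testable), or the word
# "missing". An optional one-letter file type (c config, d doc, ...) may
# follow before the path.

# rpm_verify_triage FILE   (FILE may be "-" for stdin)
# Prints one line per entry worth a look:
#   TAMPERED <path>  size, digest, mode or symlink target changed
#   MISSING  <path>  packaged file is gone
#   CONFIG   <path>  a 'c' config file changed; usually legitimate, still review
# Fully verified entries ("........." lines from rpm -vV) are dropped.
rpm_verify_triage() {
    awk '
    $1 == "missing" { print "MISSING " $NF; next }
    {
        flags = $1
        # type column is present when the second field is a single letter
        if (NF >= 3 && length($2) == 1) { type = $2; path = $3 }
        else                            { type = "";  path = $2 }
        if (flags ~ /[SM5L]/) {
            if (type == "c") print "CONFIG " path
            else             print "TAMPERED " path
        }
    }' "$1"
}

# Packages to verify (assumption): the three the answer lists plus
# keyutils-libs, the package whose library name the planted file imitates.
sshd_packages() {
    echo "openssh openssh-clients openssh-server keyutils-libs"
}

# Run the real check on an RPM-based host. The second loop reports
# libkeyutils files that no package owns, which is exactly what
# `rpm -qf /lib64/libkeyutils.so.1.9` showed in the question.
check_host() {
    for p in $(sshd_packages); do
        rpm -V "$p" | rpm_verify_triage -
    done
    for f in /lib64/libkeyutils.so* /lib/libkeyutils.so*; do
        [ -e "$f" ] || continue
        rpm -qf "$f" >/dev/null 2>&1 || echo "ORPHAN $f (not owned by any package)"
    done
}

# Constructed sample (assumption): modelled on the lines quoted in the
# question, with the sshd line deliberately altered to show what a replaced
# binary looks like, and one file removed to show the "missing" form.
sample_rpm_v_output() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.........    /usr/libexec/openssh/sftp-server
....L....    /lib64/libkeyutils.so.1
S.5....T.    /usr/sbin/sshd
missing      /usr/libexec/openssh/ssh-keycat
EOF
}

if [ "${1:-}" = "--demo" ]; then
    sample_rpm_v_output | rpm_verify_triage -
elif [ "${1:-}" = "--host" ]; then
    check_host
fi
```

Run it with --demo to see the triage over the embedded sample, or as root with --host on an RPM-based system. One caveat that follows directly from the answer's own point: rpm runs on the same host as the suspect sshd, so a kit that also hooks rpm or libc can hide its changes; a clean result here is weak evidence, while any TAMPERED, MISSING or ORPHAN line is strong evidence.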