http://www.yunweipai.com/archives/22780.html
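#!/usr/bin/env bash
# Incident-response triage notes: look for setuid binaries, JSP webshell
# indicators in the web root, web-attack traces in access logs, and finally
# the auth log and shell history.  Run as root on the (suspected) host.
# NOTE(review): the host's own find/grep/tail may be trojaned; cross-check
# with known-good static binaries where possible.

# 1. setuid binaries.
#    The original used '-perm 4000', which matches only a file whose mode is
#    *exactly* 4000 (setuid bit, no rwx bits at all) and so practically never
#    matches anything.  '-perm -4000' means "setuid bit set, whatever else is
#    set".  Add '-o -perm -2000' if setgid files are of interest too.
find / -type f -perm -4000 2>/dev/null

# 2. Webshell indicators in *.jsp files under the current directory (run from
#    the web root).  '-exec ... {} +' replaces '| xargs grep': file names with
#    spaces/newlines cannot split into bogus paths, and when nothing matches
#    grep is simply not run (xargs without -r would run grep on stdin).
#    -i: case-insensitive; '--' protects patterns starting with '-'.
grep_jsp() {
  find . -type f -name '*.jsp' -exec grep -i -- "$1" {} +
}
grep_jsp 'getRuntime'      # Runtime.getRuntime().exec(...) -> OS command execution
grep_jsp 'getHostAddress'  # address handling, typical of callback/reverse-shell code
# Creating a WshShell object lets code run programs, manipulate the registry,
# create shortcuts, access system folders and manage environment variables
# (Windows hosts).
grep_jsp 'wscript.shell'
# gethostbyname() returns a pointer to a hostent structure holding the name
# and address information for the given host name.
grep_jsp 'gethostbyname'
grep_jsp 'bash'
grep_jsp 'jspspy'          # name of a well-known JSP webshell family
grep_jsp 'getParameter'    # very noisy in legitimate code; only useful together with the hits above

# 3. Attack traces in web access logs.
#    'fgrep' is deprecated; 'grep -F' is the same fixed-string match.  The
#    original redirected every command with '>', so each one overwrote
#    log.txt and only the last pattern's hits survived; truncate once and
#    append instead.  Patterns are literal, so URL-encoded variants
#    (%20, %27, ..%2F) and mixed-case keywords are missed -- grep a decoded
#    copy of the logs as well.
: > log.txt
grep -rF -- 'admin_index.jsp' 20120702.log >> log.txt
grep -rF -- 'and1=1' *.log >> log.txt     # as written on the page; the usual SQLi probe is 'and 1=1' -- check both spellings
grep -rF -- 'select ' *.log >> log.txt
grep -rF -- 'union ' *.log >> log.txt
grep -rF -- '../../' *.log >> log.txt     # directory traversal
grep -rF -- 'Runtime' *.log >> log.txt
grep -rF -- 'passwd' *.log >> log.txt
grep -rF -- 'uname -a' *.log >> log.txt
grep -rwF -- 'id' *.log >> log.txt        # -w: whole word; bare 'id' also matches sid, uid, video, ...
grep -rF -- 'ifconfig' *.log >> log.txt   # original had the typo 'ifconifg', which can never match
grep -rF -- 'ls -l' *.log >> log.txt

# 4. Auth log and shell history.
#    '~./bash_history' in the original is not a valid path ('~' followed by
#    './bash_history'); the file is ~/.bash_history.  History is only written
#    on shell exit and is trivially cleared by an attacker, so a missing or
#    truncated file is itself an indicator; check every user's home (and
#    root's), not just the current one.
tail -n 10 /var/log/secure
tail -n 100 ~/.bash_history | more
# If files with a .c, .py or .sh suffix, or ELF binaries, turn up in web or
# upload directories, treat them as suspect and preserve them for analysis.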
历史记录和相关访问日志已经被删除，痕迹被清除——日志本身缺失或被截断，就是入侵的一个迹象。
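# Rootkit check with chkrootkit.
# NOTE(review): the tarball is fetched over plain FTP from a third-party
# mirror with no signature or checksum verification, on a host that is
# already suspected to be compromised (its wget, tar, yum and shared libc
# may all be tampered with).  Prefer to download on a clean machine, verify
# the checksum/signature published by the chkrootkit project, and carry the
# archive over on read-only media.  If it must be fetched here, confirm the
# hash out of band before extracting.
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar zxvf chkrootkit.tar.gz
# glibc-static is presumably installed so chkrootkit's C helpers can be
# built statically and not depend on the host's possibly-trojaned shared
# libc -- TODO confirm against the chkrootkit README for this version.
yum install -y glibc-static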
vi /etc/motd 发现