在以前的文章， ，我们谈到了如何防范系统入侵和rootkit。 Although it is best to have a server that nobody can break into, in real life every server connected to a network is a potential target.尽管最好是有一个服务器，没有人可以强行进入，在现实生活中每个连接到网络服务器是一个潜在目标。

If a server is compromised, it is equally important to realize this before it's too late and take measures to survive the attack.如果服务器被攻破，但同样重要的是认识到这一点之前，为时已晚，并采取措施，以生存的攻击。

Is My Server Compromised?是我的服务器妥协？

Usually, the first sign that a server might be compromised is simple anomalies in the behavior of the server.通常，第一个标志，一个服务器可能会受到损害是在服务器的行为异常简单。 One of the more common anomalies one might notice is a change in how one or more of the core system utilities behave.比较常见的异常之一可能会注意到，一个是如何一个或多个核心系统的功能更加的行为变化。 For instance, a command-line switch to 'netstat' or 'ps', which you used to use without a problem everyday, might start returning an error message.例如，一个命令行开关'netstat的'或'ps的'，你用于日常使用没有问题，可能会开始返回一个错误消息。 The reason for this is that intruders replace these utilities with versions designed to hide their malicious activities.这样做的原因是，入侵者替换为了隐藏他们的恶意活动，这些实用程序的版本。 The utility they replace your original one with might be a different version, or it could have been compiled with different options, and as a result, it does not have the same options you are used to.它们所取代的工具之一，原来可能是一个不同的版本，或者它可能是用不同的选项编译，因此，它并没有你所使用的相同选项。

Another anomaly that should raise a big red flag is a change in your bandwidth-usage patterns.另一个反常现象应引起大红旗是你的带宽使用模式的改变。 If you or your hosting company routinely monitors your bandwidth usage, you might notice an increase in the amount of traffic your server is pushing compared with your normal traffic patterns.如果您或您的托管公司定期监控您的带宽使用情况，您可能会注意到在你的流量与您的服务器是推动正常的交通模式相比增加。 This is usually caused by intruders using your server to distribute copyrighted software, commonly known as 'warez'.这通常是由于使用您的服务器来分发受版权保护的软件，俗称'warez的'已知的入侵者。 Remember that you might be the target of a legal action as a result of such activities on your servers.记住，你可能是作为一个服务器上的这类活动采取法律行动的目标。

Ideally, a server administrator should not wait until all the alarms go off before a server is checked for signs of compromise, because the less time an intruder has the opportunity to spend on a server, the less damage he or she will be able to inflict.理想的情况下，服务器管理员不应该等到所有报警路要走是妥协的迹象检查了服务器关闭，因为更少的时间入侵者有机会花费在服务器上，造成的危害就越他或她将能造成。 (Although a very malicious intruder can potentially wipe out the whole system seconds after gaining root-level access.) For this reason, it is important to conduct server-security audits periodically, and to know as soon as possible when a server is compromised. （虽然很恶意入侵者有可能消灭后进入根级访问整个系统秒。）由于这个原因，重要的是要进行服务器的定期安全审计，并尽快知道当一个服务器被攻破。

Port Scanning端口扫描

An intruder will almost always try to install a backdoor on a server in order to have easy access to it at a later point.入侵者将几乎总是试图在服务器上安装一个后门，以便在以后有一点轻松的访问。 Because the local system utilities will probably be infected, they can't be trusted to detect the intruder.由于当地的系统工具可能会被感染，他们不能信任检测入侵者。 However, a port scan initiated from an external machine might reveal open ports that should normally be closed.然而，端口扫描开始从外部机可能会发现，通常应关闭的开放端口。 The de facto standard port scanner in the Unix world is nmap .在Unix世界事实上的标准端口扫描器是nmap的 。 A command line as well as a GUI version is available.一个命令行和图形界面的版本。 Without going into the details of the tool itself, here's how to scan all ports on a server for listening services:如果没有使该工具本身的细节之前，这里是如何扫描一个服务器上的所有端口监听服务：

[root@leeloo root]# nmap -p 1-65535 192.168.0.1 Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ ) Interesting ports on  (192.168.0.1): (The 65531 ports scanned but not shown below are in state: closed) Port       State       Service 21/tcp     open        ftp 22/tcp     open        ssh 80/tcp     open        http 111/tcp    open        sunrpc Nmap run completed -- 1 IP address (1 host up) scanned in 169 seconds [root@leeloo root]# 

This particular variation of the command scans all available ports (1 to 65535 inclusive) on 192.168.0.1.这种变化特别命令扫描所有可用的端口上192.168.0.1（1至65535包括在内）。 While the open ports above can be trojaned versions of ftp, ssh, or http, a real trouble sign is when you have ports with numbers higher than a few thousand where very few legitimate services normally listen to incoming connections.虽然上面的开放口岸，可对FTP，SSH或HTTP的，木马版本的真正麻烦的标志是当你拥有数超过几千合法服务的地方，通常很少听高端口传入的连接。 It is possible, and advisable, to periodically scan your whole network and identify any differences there might be between the outputs for different time periods.这是可能的和适宜，定期扫描您的整个网络，并确定可能存在的任何分歧之间的不同时间段的产出。

RPM as a Security Tool转速为一个安全工具

RPM (Red Hat Package Manager) is a popular packaging system used by some of the major Linux distributors including Red Hat, Mandrake, and SuSE.转速（Red Hat包管理器）是一种流行的包装系统由主要的Linux分销商包括Red Hat，Mandrake和SuSE的一些使用。 Every time an RPM package is installed, the package manager puts information about the package and the individual files the package contains into a central RPM database.每当一个RPM包安装，包管理提出有关包和包到中央的RPM数据库包含个人文件的信息。 Although not foolproof, this information can be used for performing quick and easy system audits.虽然并非万无一失，这些信息可用于快速方便地进行系统审计。 You should not rely on the RPM method when it claims the system is clean, but there's little need to doubt when it reveals the system binaries have been modified.您不应该依赖于它的RPM方法时声称系统是干净的，但有一点需要怀疑时，它揭示了系统二进制文件已被修改。

RPM records and tests the checksums of all files in a package, including files that are expected to change over time such as various configuration files and other files such as passwd, shadow, and group files.转速记录和测试包中的所有文件，包括预期随着时间的推移变化，如各种配置文件，例如passwd，阴影其他文件和组文件的文件的校验。 This makes it hard to conduct a full check and make sense out of the results.这使得它很难进行全面检查，并作出合理的解释的结果。 You can make this task easier by running the test on a handful of important core packages.您可以通过运行此任务的一个重要的核心封装测试更容易一些。 These packages include net-tools, fileutils, util-linux, procps, psmisc, and findutils, among others.这些软件包包括网络工具，fileutils中，util - linux的，procps的，Psmisc的，和其他人之间的findutils。

Here's how to check the signatures on an RPM package:以下是如何检查一个RPM包的签名：

 rpm -V procps 

If there are no changes to the package files, you will be returned to the command line.如果没有对包文件的更改，您将返回到命令行。 If there are changes you will get an output like this:如果有变化，你会得到一个像这样的输出：

 S.5....T c /root/.bash_profile 

The first column shows what kind of a change has been made to the particular file listed on the last column since the package was originally installed.第一列显示了一种什么样的变化已经向特定的文件上的最后一列列，因为最初安装的软件包。

The meaning of the symbols are as follows (from the man page):该符号的含义如下（从手册页）：

M Mode differs (includes permissions and file type) M模式的不同（包括权限和文件类型）
5 MD5 sum differs 5 MD5校验和不同
D Device major/minor number mis-match D设备的主/次要编号不匹配
L readLink(2) path mis-match L readLink（2）路径不匹配
U User ownership differs U用户拥有不同
G Group ownership differs G集团拥有不同
T mTime differs T文件的修改时间不同

There's also an easy way to test all It can be used to detect changes in files not part of the base packages listed above.另外还有一个简单的方法来测试所有它可以用来检测文件的变化不超过部分列出了基本的软件包。 You can use rpm -Va > filename.txt to redirect the whole report to a file and try to identify any important changes using your own judgment.你可以使用rpm -Va > filename.txt整个报告重定向到一个文件，并尝试找出任何重要的变化用自己的判断。

You can also use the RPM utility to see if a particular file belongs to a package.您还可以使用RPM工具来看看是否属于一个特定的文件包。 This comes in handy when you find well-known binaries in unusual places.这是当你发现不寻常的地方著名的二进制派上用场。

rpm -qf /path/to/file will either tell you the file is not part of any package, or give you which package it is a part of. rpm -qf /path/to/file要么告诉你该文件不包任何一部分，或给你的包中是其中一部分。 You can then run rpm -V on that particular package to detect changes.然后，可以运行rpm -V在那个特定的包发现变化。

Please keep in mind that you can only trust RPM when you get negative results.请记住，你只能相信转当你得到结果为阴性。 It is possible to modify the RPM binary, the operating system, or the RPM database so that the changes will not be detected.它是可以修改的RPM二进制，操作系统，或在RPM数据库，以便更改不会被检测出来。 For this reason, it is a good idea to use the RPM method along with "chkrootkit".基于这个原因，它是一个好主意，用随着“chkrootkit的”RPM的方法。

chkrootkit的根工具包扫描

chkrootkit is a collection of small utilities used to detect the presence of known rootkits on a system. chkrootkit的是一个系统，收集关于小工具的rootkit的存在已知的用来检测。 Although it is possible to find stand-alone detection scripts for almost all rootkits, chkrootkit differentiates itself by its ability to detect a large number of different rootkits using a single application.虽然它可以找到几乎所有的rootkit独立的检测脚本，chkrootkit的区分它是否有能力来检测不同的rootkit大量使用单一的应用程序本身。 In addition to detecting known rootkit signatures, it also runs some generic tests that might aid in discovering a rootkit that is not actually supported by the application.除了已知的rootkit检测签名，它也运行一些通用的测试中发现了一个可能的援助是不实际的应用程序所支持的rootkit。

The chkrootkit package contains seven small applications. chkrootkit的包中包含的七个小应用程序。 The main progam, chkrootkit , is used to detect known rootkit signatures.主要progam，chkrootkit的 ，是用来侦测已知的rootkit的签名。 In addition to searching for a rootkit's default files, it also checks core system binaries for malicious content.除了为一个rootkit的默认文件的搜索，它还会检查恶意内容的核心系统二进制文件。 The remaining applications in the package are ifpromisc , which helps to find out whether a network interface is in promiscuous mode (remember you can't trust netstat), chklastlog , chkwtmp , and check_wtmpx , all of which detect deletions in various log files, chkproc , which detects Loadable Kernel Module (LKM) trojans and hidden processes, and finally strings , which is a simple implementation of the Unix strings utility.包中的其余的申请是ifpromisc，这有助于找出一个网络接口是否处于混杂模式（记住你不能相信netstat命令），chklastlog，chkwtmp和check_wtmpx，所有这些检测在各种日志文件删除，chkproc ，它可以检测可加载内核模块（LKM的），木马和隐藏的进程，并最终字符串 ，这是一个实用的简单实现字符串的Unix。

Before going into how to use chkrootkit, let's see how to obtain and install it.在深入研究如何使用chkrootkit的打算，让我们来看看如何获取和安装它。 The official chkrootkit site is . chkrootkit的官方网站是 。 Download the latest .tar.gz file from this Web site.下载最新的。tar.gz文件网站由此而来。 After getting the file, put it in a temporary directory and decompress it ( tar xfvz chkrootkit.tar.gz ) and cd into the newly created directory ( cd chkrootkit-0.35 ).在得到该文件，把它在一个临时目录并解压缩它（ tar xfvz chkrootkit.tar.gz ）和cd到新创建的目录（ cd chkrootkit-0.35 ）。 Finally, type make sense to compile it.最后，输入make sense编译它。 Almost always the application will compile without a problem, but if you get error messages try building the software on another, similar machine and moving the binaries to the server you want to scan.几乎总是应用程序将编译没有问题，但如果你得到错误信息尝试建立另一个软件，类似的机器和移动二进制文件所需的服务器进行扫描。 Although it is possible to copy the newly created binaries to a central location in order to install them, this is not recommended because the software is updated frequently with new capabilities and it's best to get a new copy each time.虽然它是可以复制新创建的二进制文件到一个中心位置，以便安装它们，这是不建议，因为该软件是经常更新的新功能和它的最好把每一次新的副本。

After building the binaries, my personal preference is to run ./ifpromisc right away to see if any of the interfaces are in promiscuous mode, because in such a case I might want to pull the server off the network immediately.建成后的二进制文件，我个人的偏好是运行./ifpromisc马上看看任何接口的模式是混杂立即，因为在这种情况下，我可能要拉服务器断网。 It is also a good idea to run ./chkproc right after ifpromisc to see if there are any hidden processes or LKM trojans on the system.这也是一个好主意，运行./chkproc ifpromisc之后，看看是否有任何隐藏的进程或系统的LKM木马上。 After running these two stand-alone utilities, you can run the main program ./chkrootkit without parameters.运行后这两个独立的工具，你可以运行主程序./chkrootkit没有参数。 This will perform the rootkit tests as well as the tests provided by the rest of the utilities in the package, including ifpromisc and chkproc, which we had run earlier.这将执行rootkit的试验以及由包中，包括ifpromisc和chkproc，我们早已经运行其他公用事业所提供的测试。

Here's some sample output from chkrootkit:下面是一些来自chkrootkit的样本输出：

[root chkrootkit-0.34]# ./ifpromisc
eth0 is not promisc
eth0:0 is not promisc
eth0:1 is not promisc
eth0:2 is not promisc
eth0:3 is not promisc
eth0:4 is not promisc
eth0:5 is not promisc
eth0:6 is not promisc
eth0:7 is not promisc
eth0:8 is not promisc
[root chkrootkit-0.34]#


[root chkrootkit-0.34]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... INFECTED
Checking `identd'... not found
Checking `killall'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/mod_perl/.packlist /usr/lib/perl5/site_perl/5.005/i386-
linux/auto/MD5/.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Quota/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/XML/Parser/.packlist /usr/lib/perl5/site_perl/5.005/i386-
linux/auto/Devel/Symdump/.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Image/Magick/.packlist
/usr/lib/perl5/5.00503/i386-linux/.packlist /lib/... /lib/.../BitchX/.config.h
/lib/...
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... ./chkrootkit: [: integer expression expected before -gt
not tested
Checking `rexedcs'... not found
Checking `sniffer'...
eth0 is not promisc
eth0:0 is not promisc
eth0:1 is not promisc
eth0:2 is not promisc
eth0:3 is not promisc
eth0:4 is not promisc
eth0:5 is not promisc
eth0:6 is not promisc
eth0:7 is not promisc
eth0:8 is not promisc
Checking `wted'... nothing deleted
Checking `z2'... user ap deleted or never loged from lastlog!

As you can see, on this system the interfaces are not promiscuous, but there is an infected file.正如你可以看到，在这个系统的接口不乱，但有一个受感染的文件。 Chkrootkit also detected a suspicious file in a '...' chkrootkit的也发现了一个可疑文件'...' directory ( /lib/.../BitchX/.config.h ).目录（ /lib/.../BitchX/.config.h ）。 It is common for intruders to create directories whose names start with a decimal dot character, which makes them invisible or hard to find.这是很常见的入侵者创建目录的名称以小数点字符开始，这使得它们看不见或难以找到。 You should also be looking for ' .'你也应该找'。' (space dot) files, which are difficult to differentiate from a '.' （空间点）文件，这是很难区分一个'。' (current dir) on a terminal screen. （当前目录）在终端屏幕上。 The error on the 'Checking lkm' line is nothing to worry about because that's the error message you get when your kernel does not support loadable kernel modules, and there's nothing wrong with that--it is an almost desirable configuration for a server.关于'检查LKM的'行错误是没有什么可担心的，因为这是错误消息你当你的内核不支持可装载内核模块，并没有什么不妥 - 这是一台服务器的几乎理想的配置。 Finally, the last line shows that a user 'ap' has either not logged in or was deleted later on from the log.最后，最后一行显示了用户的AP要么不登录或已被删除从日志以后。 I strongly recommend reading the FAQ on the chkrootkit Web site for more information.我强烈建议您阅读上的chkrootkit的有关详细信息，网站的常见问题。

A Rootkit Was Detected, Now What?一个rootkit检测，现在该怎么办？

The only way you can be 100 percent sure your system is clean after a rootkit infection is if you format your drive and reinstall the operating system again from the original media.只有这样，你可以百分之百确定你的系统是干净的rootkit的感染后，如果您格式化驱动器，并从原始媒体重新安装操作系统了。 However, real-life conditions can force you to keep an infected system running at least for a little while.然而，现实生活条件可以迫使你保持一个受感染的系统在运行，至少一点。 In such a case you should at least clean up your server and get rid of the rootkits and trojans.在这种情况下，你至少应该清理你的服务器，并得到了rootkit和木马清除。

Although the chkrootkit output is clear and to the point, it doesn't give you any pointers as to how you get rid of any given rootkit or trojan once it's detected.虽然chkrootkit的输出是明确的，重要的是，它不会给你，你是如何得到任何特定的rootkit或摆脱木马一旦它检测到的任何指针。 You need to familiarize yourself with the way rootkits work.你需要熟悉自己的工作方式的rootkit。 You can do so by frequenting security-related Web sites such as cert.org or sites that explain how a specific rootkit works. at Teep's site has a comprehensive report on the anatomy of a particular rootkit that also provides a lot of valuable information applicable to other rootkits.您可以通过网站，以便出入安全相关的Web站点，如cert.org或解释如何具体rootkit的工作。 在Teep的网站有一个全面的报告有价值的信息就特别的rootkit的解剖，也提供了很多的适用于其它的rootkit。 Another way to familiarize yourself with rootkits is to find and install them on a test environment and compare the effects by using before-and-after snapshots of the system.另一种方式来熟悉自己的rootkit是找到并安装在一个测试环境，并利用他们的影响比较之前和之后的系统快照。 If you know what a rootkit does, which directories and files it creates, and which binaries it infects, you can go to the infected server and remove the trojan files and replace the infected binaries with clean ones.如果你不知道什么是rootkit的，哪些目录和文件，它创建，并在感染二进制文件，你可以到受感染的服务器和删除木马文件，并用干净的替换被感染的二进制文件。

On RPM-based systems you can identify the infected packages as described earlier in this article.在基于RPM的系统，你可以找出感染的套件本文前面所述。 Once you have a list of the infected RPM packages, you can reinstall them using your original source.一旦你有一个受感染的RPM包的列表，你可以重新安装使用原始来源。

The following syntax will force an RPM package to be reinstalled, overwriting the old files in the process:下面的语法将强制重新安装的RPM包，覆盖在这个过程中旧的文件：

 rpm -U --force  rpm_package_name.rpm 

After reinstalling all infected RPM packages, run the RPM and chkrootkit checks again to see if there are still any unresolved issues.在重新安装所有受感染的RPM软件包，运行rpm和chkrootkit检查一次，看看是否还有任何悬而未决的问题。 If your system doesn't use RPM, you can follow a similar procedure that applies to the particular operating system you're running.如果您的系统不使用RPM，您可以按照类似的程序，适用于特定的操作系统正在运行。 If you're not using any packaging system at all, you'll need to recompile those applications from source and overwrite the old ones.如果你不使用任何包装系统可言，你需要从源代码重新编译这些应用程序，并覆盖旧的。

After reinstalling packages that are supposed to be on your system, you need to clean up alien files that are introduced to your system by the intruder.重新安装后应该是在你的系统软件包，你需要清除那些介绍给您的外来入侵者的系统文件。 The chkrootkit output will help you identify the location of these files.该chkrootkit的输出将帮助您确定这些文件的位置。 Also, after cleaning up core system utilities such as ifconfig, netstat, find, ls, top, and ps you can gather more accurate information that might reveal even more alien files and processes.此外，在清理ifconfig的核心系统，如公用事业，netstat命令，查找，ls的，顶部和ps你可以更准确的信息收集有可能透露更多的外来文件和进程。 You should go through and remove all these files and directories.你应该通过并删除所有这些文件和目录。 If you take a few minutes to read the config files that might be included in the rootkits, you might find clues as to what other trojan files and processes exist on the server.如果你花几分钟时间阅读的配置可能包含的文件中的rootkit，您可能会发现，哪些文件和进程的其他木马在服务器上存在的线索。

After removing all the alien files you can identify, run 'top' and 'ps' again to identify and kill undesired processes that are still running.在去除所有的外来文件，您可以识别，运行'顶'和'私人秘书'再次来识别和杀死不受欢迎的进程仍在运行。 You can also use 'netstat -nap' on most systems to see the process name and ID that started a daemon.您也可以使用最系统的使用netstat -小睡'看看进程的名称和ID的开始了守护进程。 You might also want to check your initialization scripts and make sure no alien process is started using those scripts.您可能还需要检查你的初始化脚本，并确保没有外来进程开始使用这些脚本。 Intruders usually place their startup lines at the bottom of these scripts but they can also hide them in the middle of the file to make it harder to identify.入侵者通常会放置在底部的启动这些脚本行，但他们还可以隐藏在文件的中间，使他们难以识别。 Some common locations that intruders use to place their startup calls are the inetd.conf file, rc.local file, and any other file in the initialization directory for the run-level you run the server at.有些启动呼叫常见位置入侵者使用的是放置inetd.conf文件，rc.local文件，并运行级别的任何其他文件在初始化目录服务器上运行。 You should also pay special attention to helper function files such as /etc/rc.d/init.d/functions , which other initialization scripts include, thereby allowing any valid command in them to be executed indirectly when the system is rebooted.您还应该特别注意辅助功能，如文件/etc/rc.d/init.d/functions ，其中包括其他初始化脚本，从而使他们中的任何有效的命令被执行间接当系统重新启动。

When you're confident there are no sniffers or trojans left running, change all the passwords on the server.当你确信没有任何嗅探器或木马向左走，改变服务器上的所有的密码。 If this is not possible at least change the passwords for users who have root or equivalent access to the server.如果这是不可能的，至少为用户更改根谁拥有或同等访问服务器的密码。 Also go through your password file and remove any users that you think shouldn't be there, especially those with root equivalency.还要通过你的密码文件，删除任何用户，你认为不应该存在，尤其是那些根相等。 You may optionally reboot the server and perform another security scan to see if you were able to clean up all startup scripts and infected binaries.你可以选择重新启动服务器，并执行其他安全扫描，看看你能清理受感染的所有启动脚本和二进制文件。

Conclusion结论

In theory, it is possible to detect and clean up all effects of a rootkit or a trojan on a compromised machine.从理论上讲，它可以检测和清除所有的rootkit的影响或感染机器上的一个木马程序。 However, it is extremely important to secure a system so that rootkits and trojans can't be introduced to the system in the first place.然而，这是非常重要的取得，使rootkit和木马不能引入到摆在首位制度。 Most of the intrusion activity on the Internet targets servers that respond positively to a network scan probing for a specific operating system or software weakness.互联网上的大多数入侵活动的目标服务器上，积极响应网络弱点扫描探讨一个特定的操作系统或软件。 If you keep up with software patches and updates, you are less likely to be targeted in the first place because a potential intruder will usually pick a server that he or she can get into with the least effort, and there's never a shortage of these weak servers on the Internet.如果你把软件修补程序和更新，你不太可能在第一目标，是因为一个潜在的入侵者通常会选择一个服务器，他或她可以用最少的努力之中，而且也从来没有这些薄弱的短缺服务器在互联网上。

Furthermore, if your server still gets broken into, you must unplug that server from the network immediately, reinstall the OS, and apply all security patches before introducing it to the network again.此外，如果您的服务器仍然获得分成，你必须拔掉，从网络服务器立即，重新安装操作系统和应用所有的安全性之前引进到网络再次修补程序。

The information I provide is not meant to replace common security practices, but might prove useful when used in conjunction with these practices.我的资料提供，并不是要取代共同安全的做法，但可能是有用时，与这些做法结合使用。

May your servers always be rootkit free.愿你的服务器永远是免费的rootkit。