ERROR: ld.so: object '/usr/local/lib/mscan.so' from /etc/ld.so.preload cannot be preloaded


# 服务器报错
ERROR: ld.so: object '/usr/local/lib/ext4.so' from /etc/ld.so.preloadERROR: ld.so: object ' cannot be preloaded (/usr/local/lib/pscan.socannot open shared object file' from ): ignored.
/etc/ld.so.preload cannot be preloaded (cannot open shared object fileERROR: ld.so: object '): ignored.
/usr/local/lib/zrab.so' from /etc/ld.so.preloadERROR: ld.so: object ' cannot be preloaded (/usr/local/lib/bioset.socannot open shared object file' from ): ignored.
/etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/local/lib/mscan.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/local/lib/ext4.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/local/lib/zrab.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.

# 查看文件内容
cat /etc/ld.so.preload
/usr/local/lib/pscan.so
/usr/local/lib/bioset.so
/usr/local/lib/mscan.so
/usr/local/lib/ext4.so
/usr/local/lib/zrab.so

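# Empty /etc/ld.so.preload so the dynamic linker stops trying to preload
# the listed libraries into every newly started program.
# Keep a copy of the list first: it is the record of which libraries were
# injected. The destination is a placeholder path; store the copy wherever
# the incident evidence is being collected.
cp -p /etc/ld.so.preload /root/ld.so.preload.evidence
# Truncate to zero bytes rather than writing a blank line into the file.
# NOTE(review): if this write is refused, check `lsattr /etc/ld.so.preload`;
# the libraries it lists carry the i/a attributes, so this file may too.
: > /etc/ld.so.preload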

# Show the extended file attributes of the five preloaded libraries.
# Bash brace expansion produces the same five paths in the same order.
lsattr /usr/local/lib/{pscan,bioset,mscan,ext4,zrab}.so

# 运行结果
[root@node02 cron]# lsattr \
> /usr/local/lib/pscan.so \
> /usr/local/lib/bioset.so \
> /usr/local/lib/mscan.so \
> /usr/local/lib/ext4.so \
> /usr/local/lib/zrab.so
----ia--------e----- /usr/local/lib/pscan.so
----ia--------e----- /usr/local/lib/bioset.so
----ia--------e----- /usr/local/lib/mscan.so
----ia--------e----- /usr/local/lib/ext4.so
----ia--------e----- /usr/local/lib/zrab.so

# Clear the immutable (i) and append-only (a) attributes from the five
# libraries so that they can be deleted afterwards.
chattr -ia /usr/local/lib/{pscan,bioset,mscan,ext4,zrab}.so

# 结果
[root@node02 cron]# lsattr \
> /usr/local/lib/pscan.so \
> /usr/local/lib/bioset.so \
> /usr/local/lib/mscan.so \
> /usr/local/lib/ext4.so \
> /usr/local/lib/zrab.so
--------------e----- /usr/local/lib/pscan.so
--------------e----- /usr/local/lib/bioset.so
--------------e----- /usr/local/lib/mscan.so
--------------e----- /usr/local/lib/ext4.so
--------------e----- /usr/local/lib/zrab.so

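# Delete the preloaded libraries.
libs=(/usr/local/lib/{pscan,bioset,mscan,ext4,zrab}.so)
# Record their hashes first so the samples can still be identified after
# they are gone. The output path is a placeholder; write it wherever the
# incident evidence is being kept.
sha256sum "${libs[@]}" > /root/preload-libs.sha256
# The i/a attributes must be cleared before rm can unlink the files.
chattr -ia "${libs[@]}"
rm -f -- "${libs[@]}"
# Confirm the files are gone: ls should report "No such file or directory"
# for every path. If any of them exists again, something on the host is
# re-creating it, and repeating chattr/rm will not hold until that is found.
# NOTE(review): the transcript prompt shows these commands were run from a
# cron directory, so scheduled jobs are worth checking - confirm.
ls -l "${libs[@]}"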

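删除密钥

注意:下面只删除了 authorized_keys~、authorized_keys2 和 authorized_keyz~;authorized_keys 本身同样被加了 a 属性,修改时间(Oct 14 22:53)也与 authorized_keys2 相同,去掉属性后还应逐行核对其中的公钥,删掉不认识的条目。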

[root@node02 .ssh]# ll -h
total 28K
-rw------- 1 root root 1.6K Oct 14 22:53 authorized_keys
-rw------- 1 root root 1.6K Oct 15 09:47 authorized_keys~
-rw------- 1 root root  399 Oct 14 22:53 authorized_keys2
-rw------- 1 root root 1.6K Oct 15 09:47 authorized_keyz~
-r-------- 1 root root 1.7K Oct 11 14:48 id_rsa
-rw------- 1 root root  393 Oct 11 13:01 id_rsa.pub
-rw-r--r-- 1 root root  679 Oct 11 14:25 known_hosts
[root@node02 .ssh]# 
[root@node02 .ssh]# lsattr ./au*
-----a-------------- ./authorized_keys
-----a--------e----- ./authorized_keys2
--------------e----- ./authorized_keys~
--------------e----- ./authorized_keyz~

[root@node02 .ssh]# chattr -a ./au*
cur attrs: 0x00000020, mask: 0x00000020
new attrs: 0x00000000
cur attrs: 0x00080020, mask: 0x00000020
new attrs: 0x00080000
cur attrs: 0x00080000, mask: 0x00000020
new attrs: 0x00080000
cur attrs: 0x00080000, mask: 0x00000020
new attrs: 0x00080000

[root@node02 .ssh]# lsattr ./au*
-------------------- ./authorized_keys
--------------e----- ./authorized_keys2
--------------e----- ./authorized_keys~
--------------e----- ./authorized_keyz~
[root@node02 .ssh]# 

[root@node02 .ssh]# rm -rf authorized_keys~ authorized_keys2 authorized_keyz~
[root@node02 .ssh]# 

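删除用户

注意:userdel 因 /etc/shadow 带 a 属性而失败,之后是用 vi 手工修改的 /etc/shadow;去掉属性后建议再确认 /etc/passwd、/etc/group 中 hilde 的条目也已清除(例如重新执行 userdel hilde)。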

[root@node03 .ssh]# egrep "bash" /etc/passwd
root:x:0:0:root:/root:/bin/bash
mysql:x:1000:1001::/home/mysql:/bin/bash
hilde:x:1000:1000::/home/hilde:/bin/bash
[root@node03 .ssh]# 
[root@node03 .ssh]# lsattr /etc/passwd
-----a--------e----- /etc/passwd
[root@node03 .ssh]# chattr -a /etc/passwd
[root@node03 .ssh]# lsattr /etc/passwd
--------------e----- /etc/passwd
[root@node03 .ssh]# userdel hilde
userdel: cannot open /etc/shadow
[root@node03 .ssh]# lsattr /etc/shadow
-----a--------e----- /etc/shadow
[root@node03 .ssh]# chattr -a /etc/shadow
[root@node03 .ssh]# vi /etc/shadow

# 手动删除家目录
[root@node03 hilde]# cd /home/hilde/
[root@node03 hilde]# ll -a
total 12
drwx------  3 root root 4096 Oct 14 22:52 .
drwxr-xr-x 11 root root 4096 Oct 14 22:52 ..
drwx------  2 root root 4096 Oct 14 22:52 .ssh
[root@node03 hilde]# cd .ssh/
[root@node03 .ssh]# ll
total 8
-rw------- 1 root root 399 Oct 14 22:53 authorized_keys
-rw------- 1 root root 399 Oct 14 22:53 authorized_keys2
[root@node03 .ssh]# lsattr ./*
-----a--------e----- ./authorized_keys
-----a--------e----- ./authorized_keys2
[root@node03 .ssh]# chattr -a ./*
[root@node03 .ssh]# lsattr ./*
--------------e----- ./authorized_keys
--------------e----- ./authorized_keys2
[root@node03 .ssh]# rm -rf ./*
[root@node03 .ssh]# 

处理入侵最稳妥的方式是重装系统:手工清理通常清不干净,因为攻击者连系统命令都可能已经替换掉。/root/.ssh 下的私钥 id_rsa 也应视为已泄露,重装后要更换密钥和密码。

