Checking for rootkits with chkrootkit and rkhunter
1. What is a rootkit
As the name suggests, it is a kit of tools for obtaining root privileges.
You can think of it as a set of trojan tools that replace the original command-line utilities on a Linux system with their own versions.
For example, after it replaces the ps command, running ps will quietly hide the processes the rootkit is running,
so we never see the trojan at work.
2. Installing chkrootkit
chkrootkit is a tool dedicated to checking for rootkits.
Its official site: http://www.chkrootkit.org/
You can download the source from the official site and compile it,
or fetch a suitable rpm package from http://rpm.pbone.net
For example:
[root@dev ~]# wget ftp://ftp.pbone.net/mirror/download.fedora.redhat.com/pub/fedora/epel/5/i386/chkrootkit-0.48-7.el5.i386.rpm
[root@dev ~]# rpm -ivh chkrootkit-0.48-7.el5.i386.rpm
3. Using chkrootkit
Just run chkrootkit directly:
[root@dev ~]# chkrootkit -q
/usr/lib/gtk-2.0/immodules/.relocation-tag /usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
user czh deleted or never logged from lastlog!
The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 4196 pts/3 /bin/bash
! root 11095 pts/4 /bin/bash
Note: the -q option (quiet) suppresses the normal output and prints only the items that may be a problem.
4. Installing rkhunter
The project's official site: http://rkhunter.sourceforge.net/
You can download the source and compile it, or fetch a suitable rpm package from http://rpm.pbone.net
For example:
[root@dev ~]# wget ftp://ftp.pbone.net/mirror/download.fedora.redhat.com/pub/fedora/epel/5/i386/rkhunter-1.3.2-5.el5.noarch.rpm
[root@dev ~]# rpm -ivh rkhunter-1.3.2-5.el5.noarch.rpm
5. Running rkhunter
[root@dev ~]# rkhunter -c
[ Rootkit Hunter version 1.3.2 ]
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preload file [ Not found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
Performing file properties checks
Checking for prerequisites [ Warning ]
/bin/awk [ OK ]
/bin/basename [ OK ]
/bin/bash [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/cp [ OK ]
/bin/csh [ OK ]
/bin/cut [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/dmesg [ OK ]
/bin/echo [ OK ]
/bin/ed [ OK ]
/bin/egrep [ OK ]
/bin/env [ OK ]
/bin/fgrep [ OK ]
The output that follows is long; skip it and go straight to the end:
System checks summary
=====================
File properties checks...
Required commands check failed
Files checked: 128
Suspect files: 0
Rootkit checks...
Rootkits checked : 64
Possible rootkits: 0
Applications checks...
Applications checked: 6
Suspect applications: 0
The system checks took: 1 minute and 37 seconds
All results have been written to the logfile (/var/log/rkhunter/rkhunter.log)
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)
As you can see, rkhunter also writes its findings to a log while it runs, and it tells you where the log is: /var/log/rkhunter/rkhunter.log
A word on how rkhunter works:
rkhunter maintains its own database of rootkit signatures and checks the system against that database,
so we need to take care to keep the database updated.
The command is:
[root@dev ~]# rkhunter --update
[ Rootkit Hunter version 1.3.2 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ Updated ]
Checking file i18n/cn [ Updated ]
Checking file i18n/en [ No update ]
Checking file i18n/zh [ Updated ]
Checking file i18n/zh.utf8 [ Updated ]
Its manual recommends running this command regularly,
so we can put it in cron to run on a schedule.
Condensed version
chkrootkit:
Install:
yum install chkrootkit
Detect:
# check the specified binaries only
chkrootkit ps pwd ls
# check everything; add -q to report only infected files
chkrootkit -q
# check a different root directory; first mount the system to be checked under /mnt/root
chkrootkit -r /mnt/root
rkhunter:
rkhunter can update its signature database and can email you the scan results. For email alerts you need sendmail or postfix installed.
Install:
apt-get install rkhunter postfix mailx
Update the signature database:
rkhunter --update
rkhunter --list
Detect:
rkhunter -c
Email alerts: rkhunter installs a cron job, /etc/cron.daily/rkhunter, that runs a check once a day and emails you when it finds something.
vi /etc/default/rkhunter
# set REPORT_EMAIL to your address
REPORT_EMAIL="[email protected]"
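Added example (not from the original post or the rkhunter project): a cron wrapper that ties together the update-and-scan routine from section 5 and the daily email alert from the condensed version, deciding from the "System checks summary" whether the run needs a human. The function names, the constructed sample summary and the use of mail(1) for delivery are assumptions; --update and --cronjob are rkhunter's own options.

```sh
#!/bin/sh
# Added example, not code from the original post. Wraps the rkhunter routine
# from the text: refresh data files, scan, mail only when the summary shows
# something. Sample summary below is CONSTRUCTED after the page's output;
# rkhunter and mail(1) are only invoked when they are installed.

# Print the number after a summary label, e.g. "Possible rootkits: 0" -> 0.
summary_value() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p" |
        head -n 1
}

# True (exit 0) when a non-zero suspect/possible count appears, or when
# rkhunter printed its "warnings have been found" notice (the page's own run).
summary_needs_attention() {
    for label in "Suspect files" "Possible rootkits" "Suspect applications"; do
        n=$(summary_value "$1" "$label")
        [ "${n:-0}" -gt 0 ] && return 0
    done
    printf '%s\n' "$1" | grep -q "warnings have been found" && return 0
    return 1
}

# Daily job: update the database, scan non-interactively (--cronjob implies
# -c, no colours, no keypress prompts), mail the output only on findings.
run_rkhunter_daily() {
    to="${1:-root}"   # recipient, assumed default: root
    command -v rkhunter >/dev/null 2>&1 || { echo "rkhunter not installed" >&2; return 2; }
    rkhunter --update >/dev/null 2>&1
    out=$(rkhunter --cronjob 2>&1)
    if summary_needs_attention "$out"; then
        printf '%s\n' "$out" | mail -s "rkhunter warnings on $(hostname)" "$to"
        return 1
    fi
    return 0
}

# CONSTRUCTED sample summary, shaped like the page's output, for an offline check.
SAMPLE_SUMMARY='System checks summary
Files checked: 128
Suspect files: 0
Rootkits checked : 64
Possible rootkits: 0
Applications checked: 6
Suspect applications: 0
One or more warnings have been found while checking the system.'
```

Installed as /etc/cron.daily/rkhunter-check it replaces the need to read the full log each day; the classifier alone can be exercised offline with SAMPLE_SUMMARY.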