Linux security checks: using the chkrootkit and rkhunter tools

Checking for rootkits with chkrootkit and rkhunter

1. What is a rootkit
   The name is misleading: a rootkit is not a tool for getting root. It is a kit an attacker installs after root has already been obtained, to keep that access and to hide it.
   Think of it as a set of trojaned tools that replace the system's own commands on a Linux system.
   For example, once it has replaced the ps command, running ps will silently drop the attacker's processes from the listing,
       so we never see the malware running.

2. Installing chkrootkit
   chkrootkit is a tool written specifically to check for rootkits.
   Its official site is: http://www.chkrootkit.org/

You can download the source from the official site and build it yourself,
   or fetch a ready-made rpm from http://rpm.pbone.net
   (on a current system simply use the distribution package: yum install chkrootkit with EPEL enabled, or apt-get install chkrootkit).


For example, the EPEL 5 package used on this host (0.48 is an old release; prefer the current one):
       [root@dev ~]# wget ftp://ftp.pbone.net/mirror/download.fedora.redhat.com/pub/fedora/epel/5/i386/chkrootkit-0.48-7.el5.i386.rpm
       [root@dev ~]# rpm -ivh chkrootkit-0.48-7.el5.i386.rpm
  

3. Using chkrootkit
   Just run chkrootkit. With no arguments it runs every test and prints a verdict for each one.

[root@dev ~]# chkrootkit -q

/usr/lib/gtk-2.0/immodules/.relocation-tag /usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist

user czh deleted or never logged from lastlog!
 The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         4196 pts/3  /bin/bash
! root        11095 pts/4  /bin/bash


Notes: the -q flag (quiet) suppresses the "not infected" and "nothing found" lines and prints only the items that may be a problem. The three findings above read as follows. The first line comes from the hidden-files test, which lists dot-files in directories where they are unusual; these two (.relocation-tag from gtk2, .packlist from perl) are package leftovers and a well-known false positive, whereas a shared library or script reported here under /dev, /tmp or /var/tmp would not be. "user czh deleted or never logged from lastlog!" comes from the lastlog check: the user appears in wtmp but has no lastlog entry, which happens when an account was removed and re-created, and also when a log was tampered with. The utmp warning means two bash processes are attached to ttys that have no utmp session record; terminal multiplexers and some terminal emulators cause this legitimately, but so does a hidden shell, so look at each PID (its parent, working directory and start time under /proc) before dismissing it. Finally, chkrootkit itself runs ps, ls, netstat, strings and awk from the host; if the rootkit has replaced those, the result is worthless. Use -p dir to make chkrootkit take those commands from a trusted, read-only location (a mounted rescue CD or a USB stick with known-good binaries), or boot from rescue media and use -r, as shown in the condensed version below.
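To make the -q output usable from cron, the known hidden-file false positives need to be filtered out without hiding anything else. The script below is an added example written for this page, not part of chkrootkit; the allowlist patterns, the trusted-binaries path /media/cdrom/bin and the sample output it is tested against are constructed assumptions.

```shell
#!/bin/sh
# Added example for this page, not part of chkrootkit: triage `chkrootkit -q`
# output so that only findings needing a human remain. The allowlist, the
# trusted-binaries path and the sample output are constructed assumptions.
set -f   # no filename globbing: ALLOWLIST holds case(1) patterns, not files

# Hidden files that chkrootkit's "hidden files" test reports on this host and
# that a clean baseline of the same OS image also shows (hypothetical).
ALLOWLIST="/usr/lib/perl5/*/.packlist /usr/lib/gtk-2.0/immodules/.relocation-tag"

# is_allowlisted PATH: succeed if PATH matches one of the allowlist patterns
is_allowlisted() {
    for pat in $ALLOWLIST; do
        case "$1" in $pat) return 0 ;; esac
    done
    return 1
}

# chkrootkit_triage: read `chkrootkit -q` output on stdin and print the lines
# that still need attention. The hidden-files test prints all paths on one
# whitespace-separated line, so a line is dropped only when every token on it
# is an allowlisted path; any other text (lastlog/utmp warnings, INFECTED
# verdicts) passes through untouched. Paths containing spaces are not handled.
chkrootkit_triage() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        keep=0
        for tok in $line; do
            case "$tok" in
                /*) is_allowlisted "$tok" || keep=1 ;;
                *)  keep=1 ;;
            esac
            [ "$keep" -eq 1 ] && break
        done
        [ "$keep" -eq 1 ] && printf '%s\n' "$line"
    done
    return 0
}

# Constructed sample modelled on the -q output above; the /dev/shm path is a
# made-up hidden binary standing in for a real finding.
SAMPLE_OUTPUT='/usr/lib/gtk-2.0/immodules/.relocation-tag /usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
/usr/lib/gtk-2.0/immodules/.relocation-tag /dev/shm/.x/.ps
user czh deleted or never logged from lastlog!
 The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         4196 pts/3  /bin/bash'

case "${1:-}" in
    --demo)
        printf '%s\n' "$SAMPLE_OUTPUT" | chkrootkit_triage ;;
    --run)
        # -p takes ps, ls, netstat, strings, awk... from trusted read-only media
        # (path is an assumption) instead of the possibly trojaned system copies.
        chkrootkit -q -p /media/cdrom/bin | chkrootkit_triage ;;
esac
```

Run it with --demo to see the filter applied to the sample, or with --run from cron; on the sample the first line disappears (both paths are allowlisted) while the second survives because /dev/shm/.x/.ps is not in the list. Keep the allowlist short and built from a clean install of the same image; never add a path to it just because it keeps appearing.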

4. Installing rkhunter
   The project's official site is: http://rkhunter.sourceforge.net/

You can download the source and build it, or fetch an rpm from http://rpm.pbone.net (EPEL and Debian/Ubuntu package it as well; the 1.3.2 release shown here is old, so prefer the current one).


For example:
      [root@dev ~]# wget ftp://ftp.pbone.net/mirror/download.fedora.redhat.com/pub/fedora/epel/5/i386/rkhunter-1.3.2-5.el5.noarch.rpm
      [root@dev ~]# rpm -ivh rkhunter-1.3.2-5.el5.noarch.rpm


5. Running rkhunter
   [root@dev ~]# rkhunter -c
   (-c is short for --check. An interactive run pauses for a keypress after each group of tests; add --sk to skip that when running from a script.)
[ Rootkit Hunter version 1.3.2 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preload file                                [ Not found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ Warning ]
    /bin/awk                                                 [ OK ]
    /bin/basename                                            [ OK ]
    /bin/bash                                                [ OK ]
    /bin/cat                                                 [ OK ]
    /bin/chmod                                               [ OK ]
    /bin/chown                                               [ OK ]
    /bin/cp                                                  [ OK ]
    /bin/csh                                                 [ OK ]
    /bin/cut                                                 [ OK ]
    /bin/date                                                [ OK ]
    /bin/df                                                  [ OK ]
    /bin/dmesg                                               [ OK ]
    /bin/echo                                                [ OK ]
    /bin/ed                                                  [ OK ]
    /bin/egrep                                               [ OK ]
    /bin/env                                                 [ OK ]
    /bin/fgrep                                               [ OK ]

The output that follows is long, so skip it and go straight to the summary at the end:
System checks summary
=====================

File properties checks...
    Required commands check failed
    Files checked: 128
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 64
    Possible rootkits: 0

Applications checks...
    Applications checked: 6
    Suspect applications: 0

The system checks took: 1 minute and 37 seconds

All results have been written to the logfile (/var/log/rkhunter/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)


As you can see, while rkhunter runs its checks it also writes the details to a log and tells you where that log is: /var/log/rkhunter/rkhunter.log
The two lines that deserve attention in this run are "Checking for prerequisites [ Warning ]" and "Required commands check failed" in the summary. The screen does not say why; the log does. On a freshly installed rkhunter this is normally because the file-properties baseline (rkhunter.dat) has not been created yet, so the hash and property comparison of the 128 files has nothing to compare against. Create it once on a known-clean system with rkhunter --propupd, and rerun --propupd after every legitimate package update; otherwise every upgraded binary will be reported as a changed file.

How rkhunter works:
    rkhunter ships its own data files describing known rootkits (file names and paths, suspicious strings, backdoor ports; the files listed below) and checks the system against them, and it compares the installed binaries against the file-properties baseline mentioned above.
    Because this detection is signature based, the data files have to be kept up to date.

    The command is:
[root@dev ~]# rkhunter --update
[ Rootkit Hunter version 1.3.2 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ Updated ]
  Checking file i18n/cn                                      [ Updated ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/zh                                      [ Updated ]
  Checking file i18n/zh.utf8                                 [ Updated ]


The manual recommends running this regularly, so put it in cron, and run it before the check rather than instead of it.
Note that --update only refreshes the data files (it does not upgrade rkhunter itself) and needs network access to the mirrors listed in mirrors.dat, so check its output instead of assuming it succeeded.
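Putting the pieces together as an added example (written for this page, not rkhunter's own cron job): a daily wrapper that refreshes the data files, runs the check unattended and sorts the warnings. Changed-property warnings should be compared with the package manager (rpm -V on the owning package, or debsums) and, if the change was a legitimate update, cleared with rkhunter --propupd; anything else needs a manual look. The mail recipient, the sample warnings and the hash and inode values in them are constructed assumptions.

```shell
#!/bin/sh
# Added example for this page, not rkhunter's own cron job: refresh the data
# files, run the check unattended, and split the warnings into "file properties
# changed" (compare with the package manager, then --propupd if legitimate) and
# everything else (investigate by hand). Recipient, sample warnings and hash
# values are constructed assumptions.
MAILTO="root"

# rkhunter_triage: read `rkhunter --check --rwo` output on stdin; print a summary
# line "props=N other=M" followed by one changed path per line. With --rwo every
# finding starts with "Warning:", and a changed-properties warning is followed
# by an indented "File: <path>" line (hash/inode lines come after it).
rkhunter_triage() {
    props=0
    other=0
    files=""
    in_props=0
    while IFS= read -r line; do
        case "$line" in
            "Warning: The file properties have changed:"*)
                props=$((props + 1)); in_props=1 ;;
            "Warning:"*)
                other=$((other + 1)); in_props=0 ;;
            *"File: "*)
                [ "$in_props" -eq 1 ] && files="$files ${line#*"File: "}" ;;
        esac
    done
    echo "props=$props other=$other"
    for f in $files; do
        echo "$f"
    done
    return 0
}

# Constructed sample in --rwo format (hashes and inode numbers are made up);
# the hidden directory stands in for a finding that needs a manual look.
RKHUNTER_SAMPLE='Warning: The file properties have changed:
         File: /bin/ls
         Current hash: 0e5bd4d6d3a9d3cd2b0ab9c6a8f1d3e4b2c1a0f9
         Stored hash : 7d1a8c2f9e3b4c5d6e7f8091a2b3c4d5e6f70819
Warning: The file properties have changed:
         File: /bin/ps
         Current inode: 131077    Stored inode: 131072
Warning: Hidden directory found: /dev/.udev'

case "${1:-}" in
    --demo)
        printf '%s\n' "$RKHUNTER_SAMPLE" | rkhunter_triage ;;
    --run)
        # --update only refreshes the data files (needs network, never upgrades
        # rkhunter itself); its exit status differs between versions, so it is
        # not checked here: read its output if the data files look stale.
        rkhunter --update --nocolors >/dev/null 2>&1 || :
        # --cronjob = --check --sk --nocolors; --rwo prints warnings only.
        # rkhunter exits non-zero when it found warnings, so mail only then.
        if report=$(rkhunter --cronjob --rwo); then
            :   # clean run, nothing to send
        else
            printf '%s\n' "$report" | rkhunter_triage \
                | mail -s "rkhunter warnings on $(hostname)" "$MAILTO"
        fi ;;
esac
```

Installed as /etc/cron.daily/rkhunter-check (or a crontab line calling it with --run) this mails "props=2 other=1" plus the two paths for the sample above. Do not automate the --propupd step in the same script: re-baselining blindly after every warning turns the file-properties check into a no-op, which is exactly what a rootkit wants.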

 

Condensed version

chkrootkit:
Install (the package comes from EPEL on RHEL/CentOS):

yum install chkrootkit

Check:

# check specific binaries only

chkrootkit ps pwd ls

# check everything; with -q only suspect items are printed

chkrootkit -q

# check a different root directory: boot from rescue media, mount the suspect system under /mnt/root, and the tests run against it using the clean tools of the rescue system

chkrootkit -r /mnt/root


rkhunter:
rkhunter can update its data files and mail you the scan results. For mail you need an MTA such as sendmail or postfix.
Install:

apt-get install rkhunter postfix mailx
Update the data files:

rkhunter --update

# show what rkhunter knows: test names, rootkit names and languages

rkhunter --list
Check:

rkhunter -c
Mail notification: the Debian/Ubuntu package installs a cron job, /etc/cron.daily/rkhunter, that runs the check once a day and mails you when it finds warnings.

vi /etc/default/rkhunter

# put your address in REPORT_EMAIL

REPORT_EMAIL="[email protected]"
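REPORT_EMAIL is only one of the switches in that file. The settings below are a suggested configuration added here for reference, not the file shipped by the package or shown on the page; the recipient is an assumption.

```shell
# /etc/default/rkhunter (Debian/Ubuntu): read by /etc/cron.daily/rkhunter,
# /etc/cron.weekly/rkhunter and the package's apt hook. Suggested values, not
# the package defaults; the recipient is an assumption.
REPORT_EMAIL="root"         # where the daily job mails its warnings
CRON_DAILY_RUN="true"       # daily: rkhunter --cronjob --rwo
CRON_DB_UPDATE="true"       # weekly: rkhunter --update
DB_UPDATE_EMAIL="false"     # do not mail the data-file update report
APT_AUTOGEN="true"          # re-run --propupd after apt installs or upgrades, so a
                            # legitimate upgrade is not reported as a changed file
```

APT_AUTOGEN trades a little safety for a lot less noise: a binary swapped by a rootkit between two apt runs is still caught, but one planted during a package install is baselined as good, so keep package installs on such a host to what you actually verified.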

 
