用chkrootkit和rkhunter检查rootkit
一,什么是rootkit
这个可以从名字上面看出来,就是得到root权限的工具
你可以把它理解成一组木马工具,它用自身替换掉我们在linux系统中原有的工具命令
比如:它替换掉ps这个命令后,当我们再执行ps时,它会把相应的偷偷运行的进程隐藏掉,
让我们看不到木马的运行
二,如何安装chkrootkit
chkrootkit是专门检查rootkit的工具软件,
它的官方站: http://www.chkrootkit.org/
可以从官网上下载代码进行编译安装,
也可以从 http://rpm.pbone.net上面获取相应的rpm包
例如:
[root@dev ~]# wget ftp://ftp.pbone.net/mirror/download.fedora.redhat.com/pub/fedora/epel/5/i386/chkrootkit-0.48-7.el5.i386.rpm
[root@dev ~]# rpm -ivh chkrootkit-0.48-7.el5.i386.rpm
三,如何使用chkrootkit
直接运行chkrootkit即可
[root@dev ~]# chkrootkit -q
/usr/lib/gtk-2.0/immodules/.relocation-tag /usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
user czh deleted or never logged from lastlog!
The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 4196 pts/3 /bin/bash
! root 11095 pts/4 /bin/bash
说明: -q 参数: quiet,不再输出那些正常的信息,只输出可能有问题的项
四,如何安装rkhunter
这个软件项目的官方站:http://rkhunter.sourceforge.net/
可以下载源码后编译安装,也可以从http://rpm.pbone.net上面获取相应的rpm包
例如:
[root@dev ~]# wget ftp://ftp.pbone.net/mirror/download.fedora.redhat.com/pub/fedora/epel/5/i386/rkhunter-1.3.2-5.el5.noarch.rpm
[root@dev ~]# rpm -ivh rkhunter-1.3.2-5.el5.noarch.rpm
五,如何运行rkhunter?
[root@dev ~]# rkhunter -c
[ Rootkit Hunter version 1.3.2 ]
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preload file [ Not found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
Performing file properties checks
Checking for prerequisites [ Warning ]
/bin/awk [ OK ]
/bin/basename [ OK ]
/bin/bash [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/cp [ OK ]
/bin/csh [ OK ]
/bin/cut [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/dmesg [ OK ]
/bin/echo [ OK ]
/bin/ed [ OK ]
/bin/egrep [ OK ]
/bin/env [ OK ]
/bin/fgrep [ OK ]
接下来的信息很长,忽略掉,我们直接看最后:
System checks summary
=====================
File properties checks...
Required commands check failed
Files checked: 128
Suspect files: 0
Rootkit checks...
Rootkits checked : 64
Possible rootkits: 0
Applications checks...
Applications checked: 6
Suspect applications: 0
The system checks took: 1 minute and 37 seconds
All results have been written to the logfile (/var/log/rkhunter/rkhunter.log)
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)
可以看到,rkhunter在进行检查时同时把相应的信息写到了日志中,并提示了其位置是:/var/log/rkhunter/rkhunter.log
下面说一下rkhunter的工作原理:
rkhunter自己维护一个包含rootkit特征的数据库,然后它根据此数据库来检测系统中的rootkits,
所以我们需要注意对此数据库进行升级
命令是:
[root@dev ~]# rkhunter --update
[ Rootkit Hunter version 1.3.2 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ Updated ]
Checking file i18n/cn [ Updated ]
Checking file i18n/en [ No update ]
Checking file i18n/zh [ Updated ]
Checking file i18n/zh.utf8 [ Updated ]
它的手册中建议定期运行此命令,
所以我们可以把此命令放到cron中定时运行
精简版
chkrootkit:
安装:
yum install chkrootkit
检测:
#检测制定二进制命令
chkrootkit ps pwd ls
#检查所有,只提示被感染文件加 -q
chkrootkit -q
#制定检测其他root目录,可以先把要检测的系统挂到/mnt/root下。
chkrootkit -r /mnt/root
rkhunter:
rkhunter可以更新病毒库,可以邮件提醒你扫描结果。需要邮件提醒,你需要装sendmail或postfix。
安装:
apt-get install rkhunter postfix mailx
更新病毒库:
rkhunter --update
rkhunter --list
检测:
rkhunter -c
邮件提醒:rkhunter会安装一个任务/etc/cron.daily/rkhunter每天检测一次,发现病毒就会发邮件通知你。
vi /etc/default/rkhunter
#REPORT_EMAIL项填写你的邮件
REPORT_EMAIL="[email protected]"