rootkit后门检测工具chkrookit

rootkit后门检测工具chkrookit

1、编译安装chkrookit

官方站点:http://www.chkrootkit.org/

[root@node1 ~]# vim /etc/resolv.conf

1)、安装gcc编译环境

[root@node1 ~]# yum -y install gcc gcc-c++ make cmake glibc-static glibc-utils

[root@node1 ~]# yum -y install lrzsz

2)、下载chkrootkit包并上传

[root@node1 ~]# rz

[root@node1 ~]# ls

anaconda-ks.cfg  chkrootkit.tar.gz  mariadb-5.5.61.tar.gz  ~None  :wq

3)、解压编译安装:建议官方站点下载源码

[root@node1 ~]# tar zxvf chkrootkit.tar.gz -C /usr/local/

[root@node1 chkrootkit-0.52]# make sense

#注意,此处为make sense

cc -static  -o strings-static strings.c

cc  -o chkutmp chkutmp.c

[root@node1 chkrootkit-0.52]#

2chkrookit的使用

1)、Usage: ./chkrootkit [options] [test ...]

Options:

-h 显示帮助信息

-V 显示版本信息

-l 显示测试内容

-d debug模式,显示检测过程的相关指令程序

-q 安静模式,只显示有问题部分,

-x 高级模式,显示所有检测结果

-r dir 设定指定的目录为根目录

-p dir1:dir2:dirN 检测指定目录

-n 跳过NFS连接的目录

2)、检测:直接执行chkrootkit命令即可检测系统

[root@node1 ~]# /usr/local/chkrootkit-0.52/chkrootkit

...

Checking `asp'... not infected

Checking `bindshell'... not infected

Checking `lkm'... not tested: can't exec

Checking `rexedcs'... not found

Checking `sniffer'... not tested: can't exec ./ifpromisc

Checking `w55808'... not infected

Checking `wted'... not tested: can't exec ./chkwtmp

Checking `scalper'... not infected

Checking `slapper'... not infected

Checking `z2'... not tested: can't exec ./chklastlog

Checking `chkutmp'... not tested: can't exec ./chkutmp

Checking `OSX_RSPLUG'... not tested

[root@node1 ~]# /usr/local/chkrootkit-0.52/chkrootkit -q

can't exec ./strings-static,

/usr/lib/debug/usr/.dwz /usr/lib/python2.7/site-packages/ansible/galaxy/data/container_enabled/files/.git_keep /usr/lib/python2.7/site-packages/ansible/galaxy/data/container_enabled/templates/.git_keep /usr/lib/python2.7/site-packages/ansible/galaxy/data/default/files/.git_keep /usr/lib/python2.7/site-packages/ansible/galaxy/data/default/templates/.git_keep /usr/lib/ocf/resource.d/heartbeat/.ocf-binaries /usr/lib/ocf/resource.d/heartbeat/.ocf-directories /usr/lib/ocf/resource.d/heartbeat/.ocf-returncodes /usr/lib/ocf/resource.d/heartbeat/.ocf-shellfuncs /usr/lib/ocf/resource.d/.isolation /usr/lib/pcsd/.bundle /usr/lib/pcsd/vendor/bundle/ruby/gems/backports-3.9.1/.document /usr/lib/pcsd/vendor/bundle/ruby/gems/backports-3.9.1/.gitignore /usr/lib/pcsd/vendor/bundle/ruby/gems/backports-3.9.1/.gitmodules /usr/lib/pcsd/vendor/bundle/ruby/gems/backports-3.9.1/.irbrc /usr/lib/pcsd/vendor/bundle/ruby/gems/backports-3.9.1/.travis.yml /usr/lib/pcsd/vendor/bundle/ruby/gems/ethon-0.10.1/.gitignore /usr/lib/pcsd/vendor/bundle/ruby/gems/ethon-0.10.1/.rspec /usr/lib/pcsd/vendor/bundle/ruby/gems/ethon-0.10.1/.travis.yml /usr/lib/pcsd/vendor/bundle/ruby/gems/ffi-1.9.18/ext/ffi_c/.RUBYARCHDIR.time /usr/lib/pcsd/vendor/bundle/ruby/gems/rpam-ruby19-1.2.1/ext/Rpam/.RUBYARCHDIR.time /usr/lib/pcsd/vendor/bundle/ruby/gems/sinatra-1.4.8/.yardopts

/usr/lib/ocf/resource.d/.isolation /usr/lib/pcsd/.bundle

not tested

not tested: can't exec

not tested: can't exec ./ifpromisc

not tested: can't exec ./chkwtmp

not tested: can't exec ./chklastlog

not tested: can't exec ./chkutmp

not tested

3)、查看是否有感染的程序

[root@node1 ~]# /usr/local/chkrootkit-0.52/chkrootkit |grep INFECTED

4)、感染后最安全有效的处理:备份重要数据并重装系统

5)、备份chkrootkit使用的系统命令

chkrootkit在检测rootkit时使用部分系统命令,如果系统被入侵,那么依赖的系统命令也可能已经被入侵者替换,从而导致检测结果不可信。

所以在服务器对外开放前,建议事先备份chkrootkit使用的系统命,在chkrootkit做系统检测时使用备份的原始系统命令对rootkit进行检测可以保证结果可信度。

以下是具体步骤:

#复制系统命令

[root@node1 ~]# cp `which --skip-alias ssh awk cut echo find egrep id head ls netstat ps strings sed uname` /usr/share/.commands

[root@node1 ~]# cd /usr/share/.commands

[root@node1 .commands]# ls

awk  cut  echo  egrep  find  head  id  ls  netstat  ps  sed  ssh  strings  uname

#压缩检测用到的系统工具并备份到安全目录

[root@node1 ~]# cd /usr/share/

[root@node1 share]# tar zcvf commands.tar.gz .commands

[root@node1 share]# sz commands.tar.gz

[root@node1 share]# rm -rf commands.tar.gz

6)、指定使用备份的系统工具检测:-p 指定通过哪个检测路径检测

[root@node1 ~]# /usr/local/chkrootkit-0.52/chkrootkit -p /usr/share/.commands/

[root@node1 .commands]# /usr/local/chkrootkit-0.52/chkrootkit -p /usr/share/.commands/ |grep INFECTED

 

你可能感兴趣的:(Linux服务器安全,Linux系统检测)