rootkit后门检测工具rkhunter

rootkit后门检测工具RKHunter

1、关于rootkit

rootkit是Linux平台下最常见的一种木马后门工具,它主要通过替换系统文件来达到入侵和和隐蔽的目的,这种木马比普通木马后门更加危险和隐蔽,普通的检测工具和检查手段很难发现这种木马。

rootkit攻击能力极强,对系统的危害很大,它通过一套工具来建立后门和隐藏行迹,从而让攻击者保住权限,以使它在任何时候都可以使用root 权限登录到系统。

rootkit主要有两种类型:文件级别和内核级别。

文件级别的rootkit: 一般是通过程序漏洞或者系统漏洞进入系统后,通过修改系统的重要文件来达到隐藏自己的目的。在系统遭受rootkit攻击后,合法的文件被木马程序替代,变成了外壳程序,而其内部是隐藏着的后门程序。

通常容易被rootkit替换的系统程序有login、ls、ps、ifconfig、du、find、netstat等。文件级别的rootkit,对系统危害很大,目前最有效的防御方法是定期对系统重要文件的完整性进行检查,如Tripwire、aide等。

内核级rootkit: 是比文件级rootkit更高级的一种入侵方式,它可以使攻击者获得对系统底层的完全控制权,此时攻击者可以修改系统内核,进而截获运行程序向内核提交的命令,并将其重定向到入侵者所选择的程序并运行此程序。

内核级rootkit主要依附在内核上,它并不对系统文件做任何修改。以防范为主。一般系统镜像要从官网或可信度高的网站下载镜像。

2、关于RKHunter

rootkit后门检测工具RKHunter,它通过一系列脚本来确认服务器是否已经感染rootkit,主要执行以下测试:

1)、MD5校验测试, 检测文件是否被改动。

2)、检测rootkits使用的二进制和系统工具文件。

3)、检测特洛伊木马程序的特征码。

4)、检测常用程序的文件异常属性。

5)、检测系统相关。如:启动文件、系统用户和组配置、ssh配置、文件系统等。

6)、检测隐藏文件、/etc/rc.d/目录下的所有配置文件、日志文件等。

7)、检测Linux内核监控模块:驱动模块(LKM)

8)、检测系统已经启动的监听端口:扫描任何混杂模式下的接口和后门程序常用的端口。

9)、检测应用程序版本,如: Apache Web Server, Procmail等。

10)、检测网络。

3、编译安装rkhunter

1)、安装编译环境

[root@node1 ~]# yum -y install gcc gcc-c++ make cmake glibc-static glibc-utils

[root@node1 ~]# rz

[root@node1 ~]# ls

rkhunter-1.4.6.tar.gz 

2)、解压编译安装:建议官方站点下载源码

[root@node1 ~]# tar zxvf rkhunter-1.4.6.tar.gz -C /usr/local/

[root@node1 ~]# cd /usr/local/rkhunter-1.4.6/

[root@node1 rkhunter-1.4.6]# ls

files  installer.sh

[root@node1 rkhunter-1.4.6]# ./installer.sh --layout default --install

3)、安装后可执行文件为:

[root@node1 ~]# cd /usr/local/bin/

[root@node1 bin]# ls

rkhunter

4)、查看使用帮助:

[root@node1 ~]# rkhunter -h

Usage: rkhunter {--check | --unlock | --update | --versioncheck |

                 --propupd [{filename | directory | package name},...] |

                 --list [{tests | {lang | languages} | rootkits | perl | propfiles}] |

                 --config-check | --version | --help} [options]

4rkhunter的使用接检测输出信息说明  

运行rkhunter检查系统              

[root@node1 ~]# rkhunter -c

[ Rootkit Hunter version 1.4.6 ]

#第一部分:检测系统命令,主要检测系统的二进制文件,这些文件最容易被rootkit攻击;

#[ OK ]表示正常,[ Warning ]表示有异常,[ None found ]未找到

Checking system commands... -->检测系统命令

  Performing 'strings' command checks

    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks

    Checking for preloading variables                        [ None found ]

    Checking for preloaded libraries                         [ None found ]

    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks

    Checking for prerequisites                               [ Warning ]

    /usr/local/bin/rkhunter                                  [ OK ]

    ...

    /usr/bin/echo                                            [ OK ]

    /usr/bin/egrep                                           [ Warning ]

    /usr/bin/env                                             [ OK ]

    /usr/bin/fgrep                                           [ Warning ]

    ...

    /usr/bin/gawk                                            [ OK ]

    /usr/lib/systemd/systemd                                 [ OK ]

    /etc/rkhunter.conf                                       [ OK ]

[Press to continue]

Checking for rootkits...

#第二部分:检测rootkit,主要检测常见的rootkit程序;

#[ Not found ]表示未感染

  Performing check of known rootkit files and directories

    55808 Trojan - Variant A                                 [ Not found ]

    ADM Worm                                                 [ Not found ]

    ...

    Xzibit Rootkit                                           [ Not found ]

    zaRwT.KiT Rootkit                                        [ Not found ]

    ZK Rootkit                                               [ Not found ]

[Press to continue]

#第三部分:特殊或附加检测:对rootkit文件或目录检测、对恶意软件检测、对指定内核检测等

  Performing additional rootkit checks

    Suckit Rootkit additional checks                         [ OK ]

    Checking for possible rootkit files and directories      [ None found ]

    Checking for possible rootkit strings                    [ None found ]

  Performing malware checks

    Checking running processes for suspicious files          [ Skipped ]

    Checking for login backdoors                             [ None found ]

    Checking for sniffer log files                           [ None found ]

    Checking for suspicious directories                      [ None found ]

    Checking for suspicious (large) shared memory segments   [ None found ]

    Checking for Apache backdoor                             [ Not found ]

  Performing Linux specific checks

    Checking loaded kernel modules                           [ OK ]

    Checking kernel module names                             [ OK ]

[Press to continue]

#第四部分:检测网络、系统端口、系统启动文件、系统用户和组配置、ssh配置、文件系统等

Checking the network...

  Performing checks on the network ports -->网络端口

    Checking for backdoor ports                              [ None found ]

  Performing checks on the network interfaces  -->网络接口

    Checking for promiscuous interfaces                      [ None found ]

Checking the local host...  

  Performing system boot checks  -->系统启动文件

    Checking for local host name                             [ Found ]

    Checking for system startup files                        [ Found ]

    Checking system startup files for malware                [ None found ]

  Performing group and account checks -->组和账户

    Checking for passwd file                                 [ Found ]

    Checking for root equivalent (UID 0) accounts            [ None found ]

    Checking for passwordless accounts                       [ None found ]

    Checking for passwd file changes                         [ None found ]

    Checking for group file changes                          [ None found ]

    Checking root account shell history files                [ OK ]

  Performing system configuration file checks  -->配置文件

    Checking for an SSH configuration file                   [ Found ]

    Checking if SSH root access is allowed                   [ Warning ]

    Checking if SSH protocol v1 is allowed                   [ Warning ]

    Checking for other suspicious configuration settings     [ None found ]

    Checking for a running system logging daemon             [ Found ]

    Checking for a system logging configuration file         [ Found ]

    Checking if syslog remote logging is allowed             [ Not allowed ]

  Performing filesystem checks     -->文件系统

    Checking /dev for suspicious file types                  [ None found ]

    Checking for hidden files and directories                [ Warning ]

[Press to continue]

#第五部分:应用程序版本检测

System checks summary

=====================

#第六部分:总结服务器目前的安全状态

File properties checks...

    Required commands check failed

    Files checked: 127

    Suspect files: 5

Rootkit checks...

    Rootkits checked : 440

    Possible rootkits: 0

Applications checks...

    All checks skipped

The system checks took: 1 minute and 44 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.

Please check the log file (/var/log/rkhunter.log)

5rkhunter其它用法:自动自行、定向任务执行等

自动执行程序:

[root@node1 ~]# rkhunter --check --skip-keypress

加入定时任务

[root@node1 ~]# crontab -e

10 03 * * * /usr/local/bin/rkhunter --check --skip-keypress >/home/field/check_rkhunter/chk.txt

[root@node1 ~]# ll /home/field/check_rkhunter/chk.txt

-rw-r--r-- 1 root root 10397 8月   8 03:12 /home/field/check_rkhunter/chk.txt

 

 

 

你可能感兴趣的:(Linux服务器安全,Linux系统检测)