Installing the intrusion detection tool chkrootkit

A rootkit is a tool intruders commonly use: it quietly, without the user noticing, sets up a way to get back into the system at any time or to control it in real time. chkrootkit is a tool that checks whether a rootkit has been installed on the system. It cannot catch 100% of them, of course, so install it right after the system is installed, or at the latest before the server goes live.
Official site: http://www.chkrootkit.org
The current latest version is chkrootkit-0.49.
The official download may not work; you can use the copy on my blog instead: http://blog.c1gstudio.com/lempelf/chkrootkit-0.49.tar.gz
Test system: CentOS 5.8

1. Installation

wget http://blog.c1gstudio.com/lempelf/chkrootkit-0.49.tar.gz
tar zxvf chkrootkit-0.49.tar.gz
cd chkrootkit*
make sense
cd ..
mv -f chkrootkit-* /usr/local/chkrootkit
chown -R root:root /usr/local/chkrootkit
chmod -R 700 /usr/local/chkrootkit

2. Running

Some of the checks are run relative to the current directory, so cd into the chkrootkit directory first:
cd /usr/local/chkrootkit
./chkrootkit

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/python2.4/config/.relocation-tag /usr/lib/gtk-2.0/immodules/.relocation-tag /usr/lib/.libgcrypt.so.11.hmac /lib/.libssl.so.0.9.8e.hmac /lib/.libcrypto.so.0.9.8e.hmac /lib/.libssl.so.6.hmac /lib/.libcrypto.so.6.hmac

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files...
/tmp/pear/download/Archive_Tar-1.3.9/Archive/Tar.php
/tmp/pear/download/XML_Util-1.2.1/tests/AllTests.php
/tmp/pear/download/XML_Util-1.2.1/Util.php
/tmp/pear/download/XML_Util-1.2.1/examples/example2.php
/tmp/pear/download/XML_Util-1.2.1/examples/example.php
/tmp/pear/download/Archive_Tar-1.3.7/Archive/Tar.php
/tmp/pear/download/Structures_Graph-1.0.4/tests/testCase/BasicGraph.php
/tmp/pear/download/Structures_Graph-1.0.4/tests/AllTests.php
/tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph.php
/tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph/Node.php
/tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph/Manipulator/AcyclicTest.php
/tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph/Manipulator/TopologicalSorter.php
/tmp/pear/download/PEAR-1.9.1/PEAR5.php
/tmp/pear/download/PEAR-1.9.1/PEAR/REST/10.php
/tmp/pear/download/PEAR-1.9.1/PEAR/REST/13.php
/tmp/pear/download/PEAR-1.9.1/PEAR/REST/11.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Builder.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Downloader/Package.php
/tmp/pear/download/PEAR-1.9.1/PEAR/FixPHP5PEARWarnings.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Data.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Doc.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Php.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Cfg.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Src.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Www.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Test.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Common.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Script.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Ext.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Packager.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Validator/PECL.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Config.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Registry.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Install.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Mirror.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Remote.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Build.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Config.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Registry.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Pickle.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Channels.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Auth.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Test.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Common.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Package.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile.php
/tmp/pear/download/PEAR-1.9.1/PEAR/RunTest.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Autoloader.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Frontend.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Validate.php
/tmp/pear/download/PEAR-1.9.1/PEAR/ErrorStack.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Replace/rw.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Unixeol/rw.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Postinstallscript.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Windowseol/rw.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Replace.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Unixeol.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Windowseol.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Common.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Postinstallscript/rw.php
/tmp/pear/download/PEAR-1.9.1/PEAR/ChannelFile/Parser.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Common.php
/tmp/pear/download/PEAR-1.9.1/PEAR/XMLParser.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Downloader.php
/tmp/pear/download/PEAR-1.9.1/PEAR/DependencyDB.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v2.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v2/rw.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v2/Validator.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Generator/v2.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Generator/v1.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v1.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Parser/v2.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Parser/v1.php
/tmp/pear/download/PEAR-1.9.1/PEAR/REST.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Dependency2.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Exception.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Frontend/CLI.php
/tmp/pear/download/PEAR-1.9.1/PEAR/ChannelFile.php
/tmp/pear/download/PEAR-1.9.1/scripts/peclcmd.php
/tmp/pear/download/PEAR-1.9.1/scripts/pearcmd.php
/tmp/pear/download/PEAR-1.9.1/System.php
/tmp/pear/download/PEAR-1.9.1/PEAR.php
/tmp/pear/download/PEAR-1.9.1/OS/Guess.php
/tmp/pear/download/Console_Getopt-1.2.3/Console/Getopt.php
/tmp/pear/download/PEAR-1.9.4/PEAR5.php
/tmp/pear/download/PEAR-1.9.4/PEAR/REST/10.php
/tmp/pear/download/PEAR-1.9.4/PEAR/REST/13.php
/tmp/pear/download/PEAR-1.9.4/PEAR/REST/11.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Builder.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Downloader/Package.php
/tmp/pear/download/PEAR-1.9.4/PEAR/FixPHP5PEARWarnings.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Data.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Doc.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Php.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Cfg.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Src.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Www.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Test.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Common.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Script.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Ext.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Packager.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Validator/PECL.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Config.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Registry.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Install.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Mirror.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Remote.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Build.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Config.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Registry.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Pickle.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Channels.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Auth.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Test.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Common.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Package.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile.php
/tmp/pear/download/PEAR-1.9.4/PEAR/RunTest.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Autoloader.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Frontend.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Validate.php
/tmp/pear/download/PEAR-1.9.4/PEAR/ErrorStack.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Replace/rw.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Unixeol/rw.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Postinstallscript.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Windowseol/rw.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Replace.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Unixeol.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Windowseol.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Common.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Postinstallscript/rw.php
/tmp/pear/download/PEAR-1.9.4/PEAR/ChannelFile/Parser.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Common.php
/tmp/pear/download/PEAR-1.9.4/PEAR/XMLParser.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Downloader.php
/tmp/pear/download/PEAR-1.9.4/PEAR/DependencyDB.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v2.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v2/rw.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v2/Validator.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Generator/v2.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Generator/v1.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v1.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Parser/v2.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Parser/v1.php
/tmp/pear/download/PEAR-1.9.4/PEAR/REST.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Dependency2.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Exception.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Frontend/CLI.php
/tmp/pear/download/PEAR-1.9.4/PEAR/ChannelFile.php
/tmp/pear/download/PEAR-1.9.4/scripts/peclcmd.php
/tmp/pear/download/PEAR-1.9.4/scripts/pearcmd.php
/tmp/pear/download/PEAR-1.9.4/System.php
/tmp/pear/download/PEAR-1.9.4/PEAR.php
/tmp/pear/download/PEAR-1.9.4/OS/Guess.php
/tmp/pear/download/Console_Getopt-1.3.1/Console/Getopt.php
/tmp/pear/download/Structures_Graph-1.0.3/tests/testCase/BasicGraph.php
/tmp/pear/download/Structures_Graph-1.0.3/tests/AllTests.php
/tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph.php
/tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph/Node.php
/tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph/Manipulator/AcyclicTest.php
/tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph/Manipulator/TopologicalSorter.php

Searching for anomalies in shell history files... Warning: `//root/.mysql_history' is linked to another file
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected

The files listed above are not a problem. If a line says INFECTED, be careful. To show only those lines:
./chkrootkit | grep INFECTED

3. Running automatically

Create a script that runs every day and sends a mail automatically when it finds a problem:
vi chkrootkitcron.sh

#!/bin/bash
TOOLKITSPATH=/usr/local
MAILUSER=root@localhost
file_chkrootkit_log=chkrootkitcron.log
servername=`hostname`
date=`date +%Y-%m-%d`

# some checks must be run from the chkrootkit directory; stop if it is missing
cd ${TOOLKITSPATH}/chkrootkit || exit 1
./chkrootkit > ${file_chkrootkit_log}
# mail only the INFECTED lines, and only when there are any
[ ! -z "$(grep INFECTED ${file_chkrootkit_log})" ] && \
grep INFECTED ${file_chkrootkit_log} | mail -s "[chkrootkit] report in ${servername} ${date}" ${MAILUSER}

Add it to crontab (this entry expects the script to be saved in /opt/shell):

echo "40 5 * * * cd /opt/shell && /bin/sh ./chkrootkitcron.sh > /dev/null 2>&1" >> /var/spool/cron/root
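The cron script above greps only for INFECTED, which would miss the "Warning:" line and the suspect-file listings that appear in the run in section 2. The following is an added example, not part of the original post or of chkrootkit itself: a POSIX shell/awk triage that reports all three kinds of findings from a saved report, filters listed paths through an allowlist of known-benign prefixes (the sample report, the /var/www path, and the /etc/chkrootkit.allow path are constructed for the example), and exits like grep so it can gate the mail.

```shell
#!/bin/sh
# Added example, not from the original post: triage a chkrootkit report.
# The post's cron job greps only for INFECTED; this also reports "Warning:"
# lines and listed suspect files, minus an allowlist of known-benign prefixes.

# Constructed sample in the shape of the run above (not real output).
sample_report() {
    cat <<'EOF'
Checking `basename'... not infected
Checking `ifconfig'... INFECTED
Searching for suspicious files and dirs, it may take a while...
/usr/lib/.libgcrypt.so.11.hmac /lib/.libssl.so.6.hmac
Searching for suspect PHP files...
/tmp/pear/download/PEAR-1.9.4/PEAR.php
/var/www/html/uploads/.cache.php
Searching for anomalies in shell history files... Warning: `//root/.mysql_history' is linked to another file
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
EOF
}

# $1 = chkrootkit report, $2 = allowlist (one path prefix per line, or /dev/null).
# Exits like grep: 0 when something needs a human, 1 when the report is clean.
chkrootkit_findings() {
    awk -v allow="$2" '
    BEGIN { n = 0; while ((getline l < allow) > 0) if (l != "") pre[n++] = l }
    function allowed(p,  i) {
        for (i = 0; i < n; i++) if (index(p, pre[i]) == 1) return 1
        return 0
    }
    /INFECTED/ { found = 1; print "INFECTED: " $0; next }     # trojaned binary
    /Warning:/ { found = 1; print "WARNING: " $0; next }      # e.g. history symlink
    /^Searching for susp/ { inlist = 1; next }   # paths follow, one or several per line
    /^(Searching|Checking)/ { inlist = 0 }       # the next test ends the listing
    inlist && /^\// { for (i = 1; i <= NF; i++)
        if (!allowed($i)) { found = 1; print "SUSPECT-FILE: " $i } }
    END { exit found ? 0 : 1 }
    ' "$1"
}

# Run the triage over the sample, allowlisting the post's PEAR dir and one .hmac file.
demo_findings() {
    report=$(mktemp) && allow=$(mktemp) || return 2
    sample_report > "$report"
    printf '%s\n' '/tmp/pear/download/' '/lib/.libssl.so.6.hmac' > "$allow"
    if chkrootkit_findings "$report" "$allow"; then rc=0; else rc=1; fi
    rm -f "$report" "$allow"
    return $rc
}

# Cron use in place of the post's grep (allowlist path is an assumed example):
#   if chkrootkit_findings "$log" /etc/chkrootkit.allow > "$hits"; then
#       mail -s "[chkrootkit] report in $(hostname)" root@localhost < "$hits"; fi
demo_findings
```

On the sample this prints four lines (one INFECTED, one WARNING, two SUSPECT-FILE) and leaves the allowlisted PEAR and libssl paths out.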
