rkhunter是Linux下的一款开源入侵检测工具。rkhunter具有比chrootkit更为全面的扫描范围。除rootkit特征码扫描外,rkhunter还支持端口扫描,常用开源软件版本和文件变动情况检查等。
rkhunter的官方网站位于http://www.rootkit.nl/,目前最新的版本是rkhunter-1.3.8。
centos5.8
Linux C1gstudio 2.6.18-308.el5 #1 SMP Tue Feb 21 20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
一.安装
安装到自定义目录/usr/local/rkhunter
wget http://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.3.8/rkhunter-1.3.8.tar.gz
tar zxvf rkhunter-1.3.8.tar.gz
cd rkhunter-1.3.8
mkdir -p /usr/local/rkhunter
./installer.sh –layout custom /usr/local/rkhunter –install
Note: Directory /usr/local/rkhunter/bin is not in your PATH
Checking system for:
Rootkit Hunter installer files: found
A web file download command: wget found
Starting installation:
Checking installation directory “/usr/local/rkhunter”: it exists and is writable.
Checking installation directories:
Directory /usr/local/rkhunter/share/doc/rkhunter-1.3.8: creating: OK
Directory /usr/local/rkhunter/share/man/man8: creating: OK
Directory /usr/local/rkhunter/etc: creating: OK
Directory /usr/local/rkhunter/bin: creating: OK
Directory /usr/local/rkhunter/lib64: creating: OK
Directory /usr/local/rkhunter/var/lib: creating: OK
Directory /usr/local/rkhunter/lib64/rkhunter/scripts: creating: OK
Directory /usr/local/rkhunter/var/lib/rkhunter/db: creating: OK
Directory /usr/local/rkhunter/var/lib/rkhunter/tmp: creating: OK
Directory /usr/local/rkhunter/var/lib/rkhunter/db/i18n: creating: OK
Installing check_modules.pl: OK
Installing filehashsha.pl: OK
Installing stat.pl: OK
Installing readlink.sh: OK
Installing backdoorports.dat: OK
Installing mirrors.dat: OK
Installing programs_bad.dat: OK
Installing suspscan.dat: OK
Installing rkhunter.8: OK
Installing ACKNOWLEDGMENTS: OK
Installing CHANGELOG: OK
Installing FAQ: OK
Installing LICENSE: OK
Installing README: OK
Installing language support files: OK
Installing rkhunter: OK
Installing rkhunter.conf: OK
Installation complete
/usr/local/rkhunter/bin/rkhunter –help
Usage: rkhunter {–check | –unlock | –update | –versioncheck |
–propupd [{filename | directory | package name},…] |
–list [{tests | {lang | languages} | rootkits | perl}] |
–config-check | –version | –help} [options]
Current options are:
–append-log Append to the logfile, do not overwrite
–bindir
-c, –check Check the local system
-C, –config-check Check the configuration file(s), then exit
–cs2, –color-set2 Use the second color set for output
–configfile
–cronjob Run as a cron job
(implies -c, –sk and –nocolors options)
–dbdir
–debug Debug mode
(Do not use unless asked to do so)
–disable
(Default is to disable no tests)
–display-logfile Display the logfile at the end
–enable
(Default is to enable all tests)
–hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |
NONE |
(Default is SHA1, then MD5)
-h, –help Display this help menu, then exit
–lang, –language
(Default is English)
–list [tests | languages | List the available test names, languages, checked
rootkits | perl] for rootkits, or perl module status, then exit
-l, –logfile [file] Write to a logfile
(Default is /var/log/rkhunter.log)
–noappend-log Do not append to the logfile, overwrite it
–nocf Do not use the configuration file entries
for disabled tests (only valid with –disable)
–nocolors Use black and white output
–nolog Do not write to a logfile
–nomow, –no-mail-on-warning Do not send a message if warnings occur
–ns, –nosummary Do not show the summary of check results
–novl, –no-verbose-logging No verbose logging
–pkgmgr {RPM | DPKG | BSD | Use the specified package manager to obtain or
SOLARIS | NONE} verify file property values. (Default is NONE)
–propupd [file | directory | Update the entire file properties database,
package]… or just for the specified entries
-q, –quiet Quiet mode (no output at all)
–rwo, –report-warnings-only Show only warning messages
-r, –rootdir
–sk, –skip-keypress Don’t wait for a keypress after each test
–summary Show the summary of system check results
(This is the default)
–syslog [facility.priority] Log the check start and finish times to syslog
(Default level is authpriv.notice)
–tmpdir
–unlock Unlock (remove) the lock file
–update Check for updates to database files
–vl, –verbose-logging Use verbose logging (on by default)
-V, –version Display the version number, then exit
–versioncheck Check for latest version of program
-x, –autox Automatically detect if X is in use
-X, –no-autox Do not automatically detect if X is in use
更新db
/usr/local/rkhunter/bin/rkhunter –update
[ Rootkit Hunter version 1.3.8 ]
Checking rkhunter data files…
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ Updated ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
ll /usr/local/rkhunter/var/lib/rkhunter/db/
total 20
-rw-r—– 1 root root 1055 Apr 9 13:43 backdoorports.dat
drwxr-x— 2 root root 4096 Apr 9 13:43 i18n
-rw-r—– 1 root root 58 Apr 9 13:44 mirrors.dat
-rw-r—– 1 root root 3203 Apr 9 13:44 programs_bad.dat
-rw-r—– 1 root root 1904 Apr 9 13:43 suspscan.dat
在系统“干净”的时候产生对比文件
/usr/local/rkhunter/bin/rkhunter –propupd
[ Rootkit Hunter version 1.3.8 ]
File created: searched for 164 files, found 135
多了rkhunter.dat,rkhunter_prop_list.dat文件
ll /usr/local/rkhunter/var/lib/rkhunter/db/
total 68
-rw-r—– 1 root root 1055 Apr 9 13:43 backdoorports.dat
drwxr-x— 2 root root 4096 Apr 9 13:43 i18n
-rw-r—– 1 root root 58 Apr 9 13:44 mirrors.dat
-rw-r—– 1 root root 3203 Apr 9 13:44 programs_bad.dat
-rw-r—– 1 root root 12958 Apr 9 13:47 rkhunter.dat
-rw-r—– 1 root root 31798 Apr 9 13:47 rkhunter_prop_list.dat
-rw-r—– 1 root root 1904 Apr 9 13:43 suspscan.dat
二.开始检查,有问题会红色的Warning 提示
/usr/local/rkhunter/bin/rkhunter -c –sk
[ Rootkit Hunter version 1.3.8 ]
Checking system commands…
Performing ‘strings’ command checks
Checking ‘strings’ command [ OK ]
Performing ‘shared libraries’ checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ OK ]
Performing file properties checks
Checking for prerequisites [ OK ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/fsck [ OK ]
/sbin/fuser [ OK ]
/sbin/ifconfig [ OK ]
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/kudzu [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/nologin [ OK ]
/sbin/rmmod [ OK ]
/sbin/route [ OK ]
/sbin/rsyslogd [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/bin/awk [ OK ]
/bin/basename [ OK ]
/bin/bash [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/cp [ OK ]
/bin/csh [ OK ]
/bin/cut [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/dmesg [ OK ]
/bin/echo [ OK ]
/bin/ed [ OK ]
/bin/egrep [ OK ]
/bin/env [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/kill [ OK ]
/bin/logger [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/mail [ OK ]
/bin/mktemp [ OK ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/mv [ OK ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/pwd [ OK ]
/bin/rpm [ OK ]
/bin/sed [ OK ]
/bin/sh [ OK ]
/bin/sort [ OK ]
/bin/su [ OK ]
/bin/touch [ OK ]
/bin/uname [ OK ]
/bin/gawk [ OK ]
/bin/tcsh [ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
/usr/sbin/groupmod [ OK ]
/usr/sbin/grpck [ OK ]
/usr/sbin/kudzu [ OK ]
/usr/sbin/lsof [ OK ]
/usr/sbin/prelink [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/sestatus [ OK ]
/usr/sbin/tcpd [ OK ]
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
/usr/sbin/vipw [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/curl [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/du [ OK ]
/usr/bin/env [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/groups [ Warning ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/ldd [ Warning ]
/usr/bin/less [ OK ]
/usr/bin/locate [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
/usr/bin/pgrep [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/readlink [ OK ]
/usr/bin/runcon [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/sha224sum [ OK ]
/usr/bin/sha256sum [ OK ]
/usr/bin/sha384sum [ OK ]
/usr/bin/sha512sum [ OK ]
/usr/bin/size [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strace [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/sudo [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/test [ OK ]
/usr/bin/top [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whatis [ Warning ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/bin/gawk [ OK ]
/usr/local/rkhunter/etc/rkhunter.conf [ OK ]
Checking for rootkits…
Performing check of known rootkit files and directories
55808 Trojan – Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
Adore Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
BeastKit Rootkit [ Not found ]
beX2 Rootkit [ Not found ]
BOBKit Rootkit [ Not found ]
cb Rootkit [ Not found ]
CiNIK Worm (Slapper.B variant) [ Not found ]
Danny-Boy’s Abuse Kit [ Not found ]
Devil RootKit [ Not found ]
Dica-Kit Rootkit [ Not found ]
Dreams Rootkit [ Not found ]
Duarawkz Rootkit [ Not found ]
Enye LKM [ Not found ]
Flea Linux Rootkit [ Not found ]
FreeBSD Rootkit [ Not found ]
Fu Rootkit [ Not found ]
Fuck`it Rootkit [ Not found ]
GasKit Rootkit [ Not found ]
Heroin LKM [ Not found ]
HjC Kit [ Not found ]
ignoKit Rootkit [ Not found ]
iLLogiC Rootkit [ Not found ]
IntoXonia-NG Rootkit [ Not found ]
Irix Rootkit [ Not found ]
Kitko Rootkit [ Not found ]
Knark Rootkit [ Not found ]
ld-linuxv.so Rootkit [ Not found ]
Li0n Worm [ Not found ]
Lockit / LJK2 Rootkit [ Not found ]
Mood-NT Rootkit [ Not found ]
MRK Rootkit [ Not found ]
Ni0 Rootkit [ Not found ]
Ohhara Rootkit [ Not found ]
Optic Kit (Tux) Worm [ Not found ]
Oz Rootkit [ Not found ]
Phalanx Rootkit [ Not found ]
Phalanx2 Rootkit [ Not found ]
Phalanx2 Rootkit (extended tests) [ Not found ]
Portacelo Rootkit [ Not found ]
R3dstorm Toolkit [ Not found ]
RH-Sharpe’s Rootkit [ Not found ]
RSHA’s Rootkit [ Not found ]
Scalper Worm [ Not found ]
Sebek LKM [ Not found ]
Shutdown Rootkit [ Not found ]
SHV4 Rootkit [ Not found ]
SHV5 Rootkit [ Not found ]
Sin Rootkit [ Not found ]
Slapper Worm [ Not found ]
Sneakin Rootkit [ Not found ]
‘Spanish’ Rootkit [ Not found ]
Suckit Rootkit [ Not found ]
SunOS Rootkit [ Not found ]
SunOS / NSDAP Rootkit [ Not found ]
Superkit Rootkit [ Not found ]
TBD (Telnet BackDoor) [ Not found ]
TeLeKiT Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
trNkit Rootkit [ Not found ]
Trojanit Kit [ Not found ]
Tuxtendo Rootkit [ Not found ]
URK Rootkit [ Not found ]
Vampire Rootkit [ Not found ]
VcKit Rootkit [ Not found ]
Volc Rootkit [ Not found ]
Xzibit Rootkit [ Not found ]
X-Org SunOS Rootkit [ Not found ]
zaRwT.KiT Rootkit [ Not found ]
ZK Rootkit [ Not found ]
Performing additional rootkit checks
Suckit Rookit additional checks [ OK ]
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]
Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for login backdoors [ None found ]
Checking for suspicious directories [ None found ]
Checking for sniffer log files [ None found ]
Performing Linux specific checks
Checking loaded kernel modules [ OK ]
Checking kernel module names [ OK ]
Checking the network…
Performing checks on the network ports
Checking for backdoor ports [ None found ]
Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]
Checking the local host…
Performing system boot checks
Checking for local host name [ Found ]
Checking for system startup files [ Found ]
Checking system startup files for malware [ None found ]
Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ OK ]
Performing system configuration file checks
Checking for SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Not allowed ]
Checking if SSH protocol v1 is allowed [ Not allowed ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]
Performing filesystem checks
Checking /dev for suspicious file types [ None found ]
Checking for hidden files and directories [ Warning ]
Checking application versions…
Checking version of GnuPG [ OK ]
Checking version of OpenSSL [ Warning ]
Checking version of Procmail MTA [ OK ]
Checking version of OpenSSH [ Warning ]
System checks summary
=====================
File properties checks…
Files checked: 135
Suspect files: 5
Rootkit checks…
Rootkits checked : 253
Possible rootkits: 0
Applications checks…
Applications checked: 4
Suspect applications: 2
The system checks took: 1 minute and 38 seconds
All results have been written to the log file (/var/log/rkhunter.log)
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
相应产生的日志
# cat /var/log/rkhunter.log |grep Warning
[13:52:20] /sbin/ifdown [ Warning ]
[13:52:20] Warning: The command ‘/sbin/ifdown’ has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[13:52:20] /sbin/ifup [ Warning ]
[13:52:20] Warning: The command ‘/sbin/ifup’ has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[13:52:34] /usr/bin/groups [ Warning ]
[13:52:34] Warning: The command ‘/usr/bin/groups’ has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
[13:52:35] /usr/bin/ldd [ Warning ]
[13:52:35] Warning: The command ‘/usr/bin/ldd’ has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[13:52:39] /usr/bin/whatis [ Warning ]
[13:52:39] Warning: The command ‘/usr/bin/whatis’ has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[13:53:44] Checking for hidden files and directories [ Warning ]
[13:53:44] Warning: Hidden directory found: /dev/.udev
[13:53:44] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[13:53:44] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[13:53:44] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[13:53:44] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
[13:53:45] Checking version of OpenSSL [ Warning ]
[13:53:45] Warning: Application ‘openssl’, version ‘0.9.8e’, is out of date, and possibly a security risk.
[13:53:45] Checking version of OpenSSH [ Warning ]
[13:53:45] Warning: Application ‘sshd’, version ‘4.3p2’, is out of date, and possibly a security risk.
三.修正误报
可以看到上面信息基本为误报
还有更新了部分包可能会因起No hash value found错误;
grep是安装nginx时更新了pcre
amd是安装sasl认证
Warning: No hash value found for file ‘/bin/egrep’ in the rkhunter.dat file.
Warning: No hash value found for file ‘/bin/fgrep’ in the rkhunter.dat file.
Warning: No hash value found for file ‘/bin/grep’ in the rkhunter.dat file.
Warning: No hash value found for file ‘/usr/sbin/amd’ in the rkhunter.dat file.
使用prelink可以查看
# prelink –verify –sha /bin/egrep
prelink: /bin/egrep: at least one of file’s dependencies has changed since prelinking
# prelink /bin/egrep
prelink: /usr/local/lib/libpcre.so.0.0.1 is not present in any config file directories, nor was specified on command line
# prelink –verify –sha /usr/sbin/amd
prelink: /usr/sbin/amd: at least one of file’s dependencies has changed since prelinking
# prelink /usr/sbin/amd
prelink: /usr/local/sasl2/lib/libsasl2.so.2.0.22 is not present in any config file directories, nor was specified on command line
Aborted
cp /usr/local/rkhunter/etc/rkhunter.conf{,.bak}
网上部分脚本已失效,我对此作了些修改
sed -i ‘s/#SCRIPTWHITELIST=\/sbin\/ifup/SCRIPTWHITELIST=\/sbin\/ifup/’ /opt/rthunter/etc/rkhunter.conf
sed -i ‘s/#SCRIPTWHITELIST=\/sbin\/ifdown/SCRIPTWHITELIST=\/sbin\/ifdown/’ /opt/rthunter/etc/rkhunter.conf
sed -i ‘/#SCRIPTWHITELIST=”\/sbin\/ifup/ {s/^#//g}’ /usr/local/rkhunter/etc/rkhunter.conf
sed -i ‘/#SCRIPTWHITELIST=”\/usr\/bin\/groups”/ {s/^#//g}’ /usr/local/rkhunter/etc/rkhunter.conf
sed -i ‘/#ALLOWHIDDENDIR=”\/etc\/.java”/ {s/^#//g}’ /usr/local/rkhunter/etc/rkhunter.conf
sed -i ‘/#ALLOWHIDDENDIR=”\/dev\/.mdadm”/ {s/^#//g}’ /usr/local/rkhunter/etc/rkhunter.conf
sed -i ‘/#ALLOWHIDDENDIR=”\/dev\/.udev/ {s/^#//g}’ /usr/local/rkhunter/etc/rkhunter.conf
sed -i ‘/#ALLOWHIDDENFILE=”\/usr\/share\/man\/man1\/..1.gz”/ {s/^#//g}’ /usr/local/rkhunter/etc/rkhunter.conf
sed -i ‘/#ALLOWHIDDENFILE=”\/usr\/bin\/.fipscheck.hmac”/ {s/^#//g}’ /usr/local/rkhunter/etc/rkhunter.conf
sed -i ‘/#ALLOWHIDDENFILE=”\/usr\/bin\/.ssh.hmac”/ {s/^#//g}’ /usr/local/rkhunter/etc/rkhunter.conf
sed -i ‘/#ALLOWHIDDENFILE=”\/usr\/sbin\/.sshd.hmac”/ {s/^#//g}’ /usr/local/rkhunter/etc/rkhunter.conf
echo ‘IGNORE_PRELINK_DEP_ERR=”/bin/egrep /bin/fgrep /bin/grep /usr/sbin/amd /usr/bin/less” ‘ >> /usr/local/rkhunter/etc/rkhunter.conf
echo ‘SCRIPTWHITELIST=/usr/bin/ldd’ >> /usr/local/rkhunter/etc/rkhunter.conf
echo ‘SCRIPTWHITELIST=/usr/bin/whatis’ >> /usr/local/rkhunter/etc/rkhunter.conf
echo ‘SCRIPTWHITELIST=/usr/bin/GET’ >> /usr/local/rkhunter/etc/rkhunter.conf
echo ‘ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz’ >> /usr/local/rkhunter/etc/rkhunter.conf
echo ‘APP_WHITELIST=”openssl:0.9.8e sshd:4.3p2″‘ >> /usr/local/rkhunter/etc/rkhunter.conf
echo ‘ALLOWDEVFILE=”/dev/shm/nginx.pid”‘ >> /usr/local/rkhunter/etc/rkhunter.conf
#注意openssl和sshd的版本号
再次更新和检测
/usr/local/rkhunter/bin/rkhunter –propupd
[ Rootkit Hunter version 1.3.8 ]
File updated: searched for 164 files, found 135
跳过按键只输出warning,不再有显示
/usr/local/rkhunter/bin/rkhunter -c –sk –rwo
四.自动报告
每天5点检测并发送通知邮件
vi /var/spool/cron/root
3 5 * * * (/usr/local/rkhunter/bin/rkhunter –cronjob -l –nomow –rwo | mail -s “[rkhunter] report `hostname` `date`” root@localhost)
参考:http://sourceforge.net/apps/trac/rkhunter/wiki/SPRKH#Introduction
===============2012-4-18更新
修正应更新而产生的误报,运行时检查文件存,如果文件不存在就不要加在里面
ALLOWDEVFILE=”/dev/shm/nginx.pid”
IGNORE_PRELINK_DEP_ERR=”/bin/egrep /bin/fgrep /bin/grep /usr/sbin/amd /usr/bin/less”
hdparm 的Xzibit Rootkit
[15:29:12] Warning: Checking for possible rootkit strings [ Warning ]
[15:29:12] Found string ‘hdparm’ in file ‘/etc/rc.d/rc.sysinit’. Possible rootkit: Xzibit Rootkit
RTKT_FILE_WHITELIST=”/etc/rc.d/rc.sysinit:hdparm”
===============2012-4-28更新
修正The file properties have changed
rkhunter在crontab中运行和手功运行有差异
就算你在配置文件中写了IGNORE_PRELINK_DEP_ERR,在日志中还是会有
[05:45:10] /usr/bin/less [ Warning ]
[05:45:10] Warning: The file properties have changed:
prelink /usr/bin/less
prelink: /usr/local/lib/libpcre.so.0.0.1 is not present in any config file directories, nor was specified on command line
#增加库链接
echo ‘-l /usr/local/lib’ >> /etc/prelink.conf
#再次执行就没错了,把每个prelink出错的命令都运行下
prelink /usr/bin/less
#修改配置文件将IGNORE_PRELINK_DEP_ERR 提到USER_FILEPROP_FILES_DIRS下面
#再rkhunter –propupd更新
#使用conrtab调试不再报错
嗯嗯,,不错,,话说rootkit太恶心了,,,,很难清理干净,,,