Installing the intrusion detection tool chkrootkit

A rootkit is a tool intruders use routinely: it quietly establishes a way for the intruder to get back into the system at any time, or to control it in real time, without the owner noticing. chkrootkit is a tool that checks whether a rootkit has been installed on the system. It cannot detect 100% of them, of course, so install it right after the system is built, or in any case before the server goes live.
Official site: http://www.chkrootkit.org
The latest version at present is chkrootkit-0.49
The official download may not work; the copy on my blog can be used instead: http://blog.c1gstudio.com/lempelf/chkrootkit-0.49.tar.gz
Test system: CentOS 5.8

1. Installation

wget http://blog.c1gstudio.com/lempelf/chkrootkit-0.49.tar.gz
tar zxvf chkrootkit-0.49.tar.gz
cd chkrootkit*
make sense
cd ..
mv -f chkrootkit-* /usr/local/chkrootkit
chown -R root:root /usr/local/chkrootkit
chmod -R 700 /usr/local/chkrootkit

2. Running

Some of the checks run relative to the current directory, so cd into the chkrootkit directory first
cd /usr/local/chkrootkit
./chkrootkit

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/python2.4/config/.relocation-tag /usr/lib/gtk-2.0/immodules/.relocation-tag /usr/lib/.libgcrypt.so.11.hmac /lib/.libssl.so.0.9.8e.hmac /lib/.libcrypto.so.0.9.8e.hmac /lib/.libssl.so.6.hmac /lib/.libcrypto.so.6.hmac

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files...

Searching for anomalies in shell history files... Warning: `//root/.mysql_history' is linked to another file
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected

None of the files listed above is a problem. Be careful as soon as a line says INFECTED; to see only those lines:
./chkrootkit | grep INFECTED

3. Running it automatically

Create a script that runs once a day and mails a report when something is found
vi chkrootkitcron.sh

#!/bin/bash
TOOLKITSPATH=/usr/local
MAILUSER=root@localhost
file_chkrootkit_log=chkrootkitcron.log
servername=`hostname`
date=`date +%Y-%m-%d`

# chkrootkit must be run from its own directory
cd ${TOOLKITSPATH}/chkrootkit
./chkrootkit > ${file_chkrootkit_log}
# mail the INFECTED lines only when there are any
[ ! -z "$(grep INFECTED ${file_chkrootkit_log})" ] && \
grep INFECTED ${file_chkrootkit_log} | mail -s "[chkrootkit] report in ${servername} ${date}" ${MAILUSER}

Add it to crontab (this entry assumes the script was saved under /opt/shell)

echo "40 5 * * * cd /opt/shell && /bin/sh ./chkrootkitcron.sh > /dev/null 2>&1" >> /var/spool/cron/root
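The cron script above mails only lines containing INFECTED. As an added example (my own helpers, not the post's script), the filter below also catches the "Warning:" line about the linked //root/.mysql_history from the run shown earlier, plus the "PACKET SNIFFER" and "Possible LKM Trojan" wordings chkrootkit uses for other findings, and rates the report so the severity can go in the mail subject. The sample reports are constructed; the INFECTED and LKM lines in them are made up to simulate hits.

```shell
#!/bin/bash
# Added example, not the script from the original post: stricter filtering
# and a severity rating for the daily chkrootkit report. Helper names are my own.

FINDING_PATTERN='INFECTED|Warning:|PACKET SNIFFER|Possible'

# Read a chkrootkit report on stdin; print only the finding lines.
# "not infected" never matches because the patterns are case-sensitive;
# the grep -v drops the other clean wordings chkrootkit uses.
chkrootkit_findings() {
    grep -E "$FINDING_PATTERN" | grep -v -E 'not infected|not promisc|nothing found' || true
}

# Read a report on stdin; print CRITICAL, WARNING or CLEAN.
chkrootkit_severity() {
    local findings
    findings=$(chkrootkit_findings)
    if printf '%s\n' "$findings" | grep -q -E 'INFECTED|PACKET SNIFFER|Possible'; then
        echo CRITICAL
    elif [ -n "$findings" ]; then
        echo WARNING
    else
        echo CLEAN
    fi
}

# Replacement for the grep/mail pair in chkrootkitcron.sh: LOGFILE is the
# saved ./chkrootkit output, MAILTO the recipient. Sends nothing when clean.
report_and_mail() {
    local logfile=$1 mailto=$2 sev
    sev=$(chkrootkit_severity < "$logfile")
    [ "$sev" = CLEAN ] && return 0
    chkrootkit_findings < "$logfile" |
        mail -s "[chkrootkit] $sev on $(hostname) $(date +%Y-%m-%d)" "$mailto"
}

# Constructed sample reports (abbreviated). The INFECTED and LKM lines are
# made up to simulate hits; the Warning line is the one from the run above.
sample_report() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `ifconfig'... INFECTED
Searching for anomalies in shell history files... Warning: `//root/.mysql_history' is linked to another file
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Searching for Suckit rootkit... nothing found
EOF
}
warning_report() {
    cat <<'EOF'
Checking `ifconfig'... not infected
Searching for anomalies in shell history files... Warning: `//root/.mysql_history' is linked to another file
Checking `lkm'... chkproc: nothing detected
EOF
}
clean_report() {
    cat <<'EOF'
Checking `ifconfig'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
EOF
}
```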



Restricting execute permission on the /tmp partition

Linux privilege-escalation rootkits are almost always precompiled executables. Forbidding execution under /tmp lowers the chance of a successful break-in.
Perl and PHP scripts are interpreted languages and can be invoked directly through the perl/php command, so they are not restricted even when stored under /tmp.

First, the case of a system with a separate /tmp partition
1. Run mount and check that /tmp is mounted with the default options

/dev/mapper/VolGroup00-LogVol01 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/mapper/VolGroup01-LogVol00 on /opt type ext3 (rw)
/dev/mapper/VolGroup00-LogVol03 on /var type ext3 (rw)
/dev/mapper/VolGroup00-LogVol02 on /tmp type ext3 (rw)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

2. Add nosuid,noexec to /tmp
vi /etc/fstab

/dev/VolGroup00/LogVol01 / ext3 defaults 1 1
/dev/VolGroup01/LogVol00 /opt ext3 defaults 1 2
/dev/VolGroup00/LogVol03 /var ext3 defaults 1 2
/dev/VolGroup00/LogVol02 /tmp ext3 defaults,nosuid,noexec 1 2
LABEL=/boot /boot ext3 defaults 1 2
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/dev/VolGroup00/LogVol00 swap swap defaults 0 0

3. Remount /tmp with the options from fstab
mount -o remount /tmp

4. Check again
mount

/dev/mapper/VolGroup00-LogVol01 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/mapper/VolGroup01-LogVol00 on /opt type ext3 (rw)
/dev/mapper/VolGroup00-LogVol03 on /var type ext3 (rw)
/dev/mapper/VolGroup00-LogVol02 on /tmp type ext3 (rw,noexec,nosuid)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

5. Test with an executable
vi test.sh

#!/bin/bash
echo '/tmp test'

chmod u+x ./test.sh
./test.sh
-bash: ./test.sh: /bin/bash: bad interpreter: Permission denied

6. Migrate the /var/tmp directory onto /tmp

mv /var/tmp/* /tmp/
rm -fr /var/tmp
ln -s /tmp /var/tmp

For systems without a separate /tmp partition, use dd to create a 10 GB file and mount it as /tmp

cd /usr/
dd if=/dev/zero of=Tmp bs=1024 count=10000000
mkfs -t ext3 /usr/Tmp
mkdir /tmp_backup
cp -ar /tmp /tmp_backup
mount -o loop,rw,noexec,nosuid /usr/Tmp /tmp
cp -ar /tmp_backup/tmp/* /tmp/
chmod 0777 /tmp
chmod +t /tmp
rm -rf /tmp_backup
# add it to fstab so it is mounted at boot
echo "/usr/Tmp /tmp ext3 loop,rw,noexec,nosuid 0 0" >> /etc/fstab
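A check to run after the remount, as an added example (my own helpers, not from the original post): it parses mount output in the format shown above and reports which of the wanted options a mount point is missing. nodev is included because the fstab line above does not set it, and /var/tmp is resolved first because the post turns it into a symlink to /tmp. The two mount listings are constructed from the before/after runs above.

```shell
#!/bin/bash
# Added example, not from the original post: verify the mount options that
# /tmp, /var/tmp and /dev/shm actually carry. Helper names are my own.

# missing_mount_opts MOUNTPOINT OPT...   (mount output on stdin)
# Prints the wanted options that are absent, or "not-mounted" if the mount
# point has no entry of its own.
missing_mount_opts() {
    local mp=$1; shift
    local line opts o missing=""
    # mount output: "<device> on <mountpoint> type <fstype> (<opts>)"
    line=$(awk -v mp="$mp" '$3 == mp { print; exit }')
    if [ -z "$line" ]; then
        echo not-mounted
        return 0
    fi
    # the option list is the comma-separated text inside the trailing parentheses
    opts=$(printf '%s\n' "$line" | sed -n 's/.*(\(.*\))$/\1/p')
    for o in "$@"; do
        case ",$opts," in
            *",$o,"*) ;;
            *) missing="${missing:+$missing }$o" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Live check of the three world-writable locations; a symlinked /var/tmp is
# resolved to the directory it points at before the lookup.
check_tmp_dirs() {
    local mp real m
    for mp in /tmp /var/tmp /dev/shm; do
        real=$(cd "$mp" 2>/dev/null && pwd -P || echo "$mp")
        m=$(mount | missing_mount_opts "$real" noexec nosuid nodev)
        printf '%-9s %s\n' "$mp" "${m:-ok}"
    done
}

# Constructed mount output, copied from the before/after runs above
# (only the /tmp line differs).
mount_before() {
    cat <<'EOF'
/dev/mapper/VolGroup00-LogVol01 on / type ext3 (rw)
/dev/mapper/VolGroup00-LogVol02 on /tmp type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
EOF
}
mount_after() {
    cat <<'EOF'
/dev/mapper/VolGroup00-LogVol01 on / type ext3 (rw)
/dev/mapper/VolGroup00-LogVol02 on /tmp type ext3 (rw,noexec,nosuid)
tmpfs on /dev/shm type tmpfs (rw)
EOF
}
```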



Linux basic security configuration script 1.2 released

Based on the Linux basic security configuration manual,
it makes applying a set of basic Linux security settings convenient.

Updates =============
Compatible with CentOS/RHEL 6 for tty, ctrlaltdel and ipv6
Closing services can now use a whitelist, which is more reliable
Fixed compatibility of restricting su to a group (users allowed to su must be added to the group with gpasswd; sudoers are not restricted)

#vi autosafe.sh

#!/bin/bash
#########################################################################
#
# File: autosafe.sh
# Description:
# Language: GNU Bourne-Again SHell
# Version: 1.2
# Date: 2012-3-30
# Corp.: c1gstudio
# Author: c1g
# WWW: http://blog.c1gstudio.com
### END INIT INFO
###############################################################################

# work account that may su and sudo; override with WORKUSER=name ./autosafe.sh <action>
if [[ ! -n ${WORKUSER} ]]; then
WORKUSER=c1g
fi
# sshd port; override with SSHPORT=n ./autosafe.sh changesshport
if [[ ! -n ${SSHPORT} ]]; then
SSHPORT=22
fi
V_DELUSER="adm lp sync shutdown halt mail news uucp operator games gopher ftp"
V_DELGROUP="adm lp mail news uucp games gopher mailnull floppy dip pppusers popusers slipusers daemon"
V_PASSMINLEN=8
V_HISTSIZE=30
V_TMOUT=300
V_GROUPNAME=suadmin
#V_SERVICE Not working since Version 1.2
V_SERVICE="acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus microcode_ctl netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd xfs xinetd yppasswdd ypserv yum-updatesd tog-pegasus"
# ttys to switch off on 5.x (inittab entries) / console range to keep on 6.x
V_TTY="3|4|5|6"
V_TTY6="1-2"
# setuid binaries handled by the chmodcommand action
V_SUID=(
'/usr/bin/chage'
'/usr/bin/gpasswd'
'/usr/bin/wall'
'/usr/bin/chfn'
'/usr/bin/chsh'
'/usr/bin/newgrp'
'/usr/bin/write'
'/usr/sbin/usernetctl'
'/bin/traceroute'
'/bin/mount'
'/bin/umount'
'/sbin/netreport'
)
# major release number (5 or 6), taken from the "release X.Y" text in /etc/issue.net
linuxvar=`head -n1 /etc/issue.net`
linuxvar=${linuxvar#*release}
linuxvar=${linuxvar:1:1}
version=1.2

# remove unneeded system accounts
safe_deluser(){
echo "delete user ..."
for i in $V_DELUSER ;do
echo "deleting $i";
userdel $i ;
done
}

# remove unneeded system groups
safe_delgroup(){
echo "delete group ..."
for i in $V_DELGROUP ;do
echo "deleting $i";
groupdel $i;
done
}

# minimum password length in /etc/login.defs (replaces whatever number is there)
safe_password(){
echo "change password limit ..."
echo "/etc/login.defs"
echo "PASS_MIN_LEN $V_PASSMINLEN"
sed -i "/^PASS_MIN_LEN/s/[0-9][0-9]*/$V_PASSMINLEN/" /etc/login.defs
}

# shorten the shell history size set in /etc/profile
safe_history(){
echo "change history limit ..."
echo "/etc/profile"
echo "HISTSIZE $V_HISTSIZE"
sed -i "/^HISTSIZE/s/[0-9][0-9]*/$V_HISTSIZE/" /etc/profile
}

# idle shell timeout, inserted right after the HISTSIZE line
safe_logintimeout(){
echo "change login timeout ..."
echo "/etc/profile"
echo "TMOUT=$V_TMOUT"
sed -i "/^HISTSIZE/a\TMOUT=$V_TMOUT" /etc/profile
}

# new users get a .bash_logout that wipes their history on logout
safe_bashhistory(){
echo "denied bashhistory ..."
echo "/etc/skel/.bash_logout"
echo 'rm -f $HOME/.bash_history'
if egrep "bash_history" /etc/skel/.bash_logout > /dev/null
then
echo 'warning:existed'
else
echo 'rm -f $HOME/.bash_history' >> /etc/skel/.bash_logout
fi

}
safe_addgroup(){
echo "groupadd $V_GROUPNAME ..."
groupadd $V_GROUPNAME
}

# only members of $V_GROUPNAME may su (pam_wheel); add users with gpasswd -a
safe_sugroup(){
echo "permit $V_GROUPNAME use su ..."
echo "/etc/pam.d/su"
echo "auth sufficient pam_rootok.so debug"
echo "auth required pam_wheel.so group=$V_GROUPNAME"
echo "gpasswd -a $WORKUSER $V_GROUPNAME"
if egrep "auth required pam_wheel.so" /etc/pam.d/su > /dev/null
then
echo 'warning:existed'
else
sed -i "/^#%PAM/a\auth required pam_wheel.so group=${V_GROUPNAME}" /etc/pam.d/su
sed -i "/^#%PAM/a\auth sufficient pam_rootok.so debug" /etc/pam.d/su
gpasswd -a $WORKUSER $V_GROUPNAME
fi
}

# give the work account full sudo and put the sbin dirs on every user's PATH
safe_sudoer(){
echo "permit $WORKUSER use sudo ..."
echo "/etc/sudoers"
echo "$WORKUSER ALL=(ALL) ALL"
if [ -n "$WORKUSER" ]
then
if egrep "^$WORKUSER[[:space:]]" /etc/sudoers > /dev/null
then
echo "warning:existed! "
else
echo "$WORKUSER ALL=(ALL) ALL" >> /etc/sudoers
echo 'export PATH=$PATH:/sbin:/usr/sbin' >> /etc/bashrc
echo 'export LDFLAGS="-L/usr/local/lib -Wl,-rpath,/usr/local/lib"' >> /etc/bashrc
echo 'export LD_LIBRARY_PATH="/usr/local/lib"' >> /etc/bashrc
fi
else
echo "warning:skip! "
fi
}

# rewrites the stock commented "#PermitRootLogin yes" line
safe_denyrootssh(){
echo "denied root login ..."
echo "/etc/ssh/sshd_config"
echo "PermitRootLogin no"
sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
}

safe_changesshport(){
echo "change ssh port ..."
echo "/etc/ssh/sshd_config"
echo "Port $SSHPORT"
if egrep "Port $SSHPORT" /etc/ssh/sshd_config > /dev/null
then
echo "warning:existed! "
else
echo "Port $SSHPORT" >> "/etc/ssh/sshd_config"
fi
}

# black-list mode: stop / disable the services listed in V_SERVICE
safe_stopservice(){
echo "stop services ..."
for i in $V_SERVICE ;do
service $i stop;
done
}

safe_closeservice(){
echo "close services autostart ..."
for i in $V_SERVICE ;do
chkconfig $i off;
done
}

# white-list mode: every service started in runlevel 3 that is not in the
# case list below is stopped and taken out of the boot sequence
safe_closeservicewhite(){
echo "close services autostart ..."
for i in /etc/rc3.d/S*
do
# "/etc/rc3.d/S" is 12 characters, then the 2-digit priority, then the service name
CURSRV=`echo $i|cut -c 15-`
echo $CURSRV
case $CURSRV in
crond | irqbalance | microcode_ctl | network | sshd | syslog | rsyslog | snmpd | fail2ban | ntpd | lvm2-monitor | iptables | auditd | kdump | sysstat | memcached | smartd | nagios | local | sphinx )
;;
*)
echo "change $CURSRV to off"
chkconfig --level 235 $CURSRV off
service $CURSRV stop
;;
esac
done
}

# leave only tty1-2 running: upstart config on 6.x, inittab on 5.x
safe_tty(){
echo "close tty ..."
if [ "${linuxvar}" == 6 ]; then
echo "/etc/init/start-ttys.conf"
echo "/etc/sysconfig/init"
echo "ACTIVE_CONSOLES=/dev/tty[${V_TTY6}]"
echo "init q"
#close tty
#initctl stop tty TTY=/dev/tty6
sed -i "/^env ACTIVE_CONSOLES/s/\[1-6\]/\[${V_TTY6}\]/" /etc/init/start-ttys.conf
sed -i "/^ACTIVE_CONSOLES/s/\[1-6\]/\[${V_TTY6}\]/" /etc/sysconfig/init

else
echo "/etc/inittab"
echo "#3:2345:respawn:/sbin/mingetty tty3"
echo "#4:2345:respawn:/sbin/mingetty tty4"
echo "#5:2345:respawn:/sbin/mingetty tty5"
echo "#6:2345:respawn:/sbin/mingetty tty6"
sed -i "/^[${V_TTY}]:2345/s/^/#/" /etc/inittab
echo "init q"
fi
init q
}

# stop ctrl+alt+del from rebooting the server
safe_ctrlaltdel(){
echo "close ctrl+alt+del to restart server ..."
if [ "${linuxvar}" == 6 ]; then
echo "/etc/init/control-alt-delete.conf"
echo '#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"'
echo "init q"
sed -i '/^exec/s/^/#/' /etc/init/control-alt-delete.conf
else
echo "/etc/inittab"
echo "#ca::ctrlaltdel:/sbin/shutdown -t3 -r now"
echo "init q"
sed -i '/^ca::/s/^/#/' /etc/inittab
fi
init q
}

# disable the ipv6 module and ip6tables
safe_ipv6(){
echo "close ipv6 ..."
if [ "${linuxvar}" == 6 ]; then
echo '"alias net-pf-10 off" >> /etc/modprobe.d/ipv6.conf'
echo '"options ipv6 disable=1" >> /etc/modprobe.d/ipv6.conf'

cat > /etc/modprobe.d/ipv6.conf << EOF
alias net-pf-10 off
options ipv6 disable=1
EOF
else
echo '"alias net-pf-10 off" >> /etc/modprobe.conf'
echo '"alias ipv6 off" >> /etc/modprobe.conf'
if egrep "alias net-pf-10 off" /etc/modprobe.conf > /dev/null
then
echo "warning:existed! "
else
echo "alias net-pf-10 off" >> /etc/modprobe.conf
echo "alias ipv6 off" >> /etc/modprobe.conf
fi

fi
echo '/sbin/chkconfig ip6tables off'
echo '"NETWORKING_IPV6=no" >> /etc/sysconfig/network'
/sbin/chkconfig --level 35 ip6tables off
if egrep "NETWORKING_IPV6=no" /etc/sysconfig/network > /dev/null
then
echo "warning:existed! "
else
echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
fi
}

safe_selinux(){
echo "disable selinux ..."
echo "sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config "
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
echo "selinux is disabled,you must reboot!"
}

# alias vi to vim for root (line 8 of the stock /root/.bashrc is empty)
safe_vim(){
echo "edit vim ..."
echo "alias vi='vim'"
sed -i "8 s/^/alias vi='vim'/" /root/.bashrc
cat >/root/.vimrc<
echo ""
echo " deluser delete user"
echo " delgroup delete group"
echo " password change password limit"
echo " history change history limit"
echo " logintimeout change login timeout"
echo " bashhistory denied bashhistory"
echo " addgroup groupadd $V_GROUPNAME"
echo " sugroup permit $V_GROUPNAME use su"
echo " denyrootssh denied root login"
echo " stopservice stop services use black list"
echo " closeservice close services use black list"
echo " closeservicewhite close & stop services use white list"
echo " tty close tty"
echo " ctrlaltdel close ctrl+alt+del"
echo " ipv6 close ipv6"
echo " selinux disabled selinux"
echo " vim edit vim"
echo " lockfile lock user&services"
echo " unlockfile unlock user&services"
echo " chmodinit init script only for root"
echo " chmodcommand remove SUID"
echo " version "
echo ""

;;
esac

Set permissions

chmod u+x ./autosafe.sh

Run the script, one action at a time

./autosafe.sh deluser
./autosafe.sh delgroup
…..
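Two of the script's sshd actions are not idempotent: safe_denyrootssh only rewrites the exact text "#PermitRootLogin yes", and safe_changesshport appends a second "Port" line when a different port is already active, so sshd keeps listening on the old port as well. As an added example (my own helper, not part of autosafe.sh), set_config_key replaces the first matching line, commented or not, drops later active duplicates, and appends only when the key is absent, so re-running it is safe. The test file contents are constructed.

```shell
#!/bin/bash
# Added example, not part of autosafe.sh: an idempotent setter/getter for
# "Keyword value" files such as sshd_config. Helper names are my own.

# set_config_key FILE KEY VALUE
set_config_key() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        {
            # strip leading whitespace and an optional "#" to see the keyword
            stripped = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", stripped)
            is_key = (stripped == key || index(stripped, key " ") == 1 || index(stripped, key "\t") == 1)
            if (is_key && !done) { print key " " value; done = 1 }
            else if (is_key && $0 !~ /^[[:space:]]*#/) { next }   # later active duplicate: drop it
            else { print }
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_config_key FILE KEY: print the value of the first active line for KEY
# (for most sshd_config keywords that is the value sshd will use).
get_config_key() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Same effect as the denyrootssh and changesshport actions, re-runnable.
harden_sshd_config() {
    local file=${1:-/etc/ssh/sshd_config} port=${2:-22}
    set_config_key "$file" PermitRootLogin no
    set_config_key "$file" Port "$port"
}
```

Run `sshd -t` after editing and before restarting sshd so a typo cannot lock you out.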

Click to download the script
autosafe1.2.sh

Other references
Linux basic security configuration manual
iptables default security rules script



A few differences between CentOS/RHEL 5 and 6

1. During installation, RHEL 5 generally formats the disks and installs packages only after the system has been customised, whereas RHEL 6 formats the disk first and then customises the system.
2. On RHEL 6, edits to ifcfg-eth0 take effect as soon as the file is saved, instead of needing a network restart as in earlier versions.
3. Starting with CentOS 6.2 the NIC configuration file ifcfg-eth0 becomes ifcfg-em1.
4. The settings that used to live in /etc/inittab are split into small files:
# System initialization is started by /etc/init/rcS.conf
#
# Individual runlevels are started by /etc/init/rc.conf
#
# Ctrl-Alt-Delete is handled by /etc/init/control-alt-delete.conf
#
# Terminal gettys are handled by /etc/init/tty.conf and /etc/init/serial.conf,
# with configuration in /etc/sysconfig/init.

5. /etc/modprobe.conf no longer exists; it is split into small files under /etc/modprobe.d/
6. On RHEL 5.5, after partitioning a disk you can run partprobe so that the kernel picks up the new partitions.
On RHEL 6, partprobe cannot update the partition table after partitioning; the server must be rebooted before the partitions can be mounted normally.
Update 2012-4-10
7. mailx was upgraded from 8.1 6/6/93 to Heirloom Mail version 12.4 7/29/08

============= Update 2012-5-11
The kernel's ip_conntrack parameters were renamed to nf_conntrack.
Using the old parameter names in /etc/sysctl.conf and then running sysctl -p reports errors:

error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key

Change them to

net.nf_conntrack_max = 655360
net.netfilter.nf_conntrack_tcp_timeout_established = 36000

Reference: http://www.myfreelinux.com/?p=743&cpage=2&replytocom=223803



Lempelf one-click installer updated to 1.0.3

What is the Lempelf one-click installer?
——————————————————————————–
The Lempelf one-click installer is a shell program that quickly installs commonly used services on Linux.

ChangeLog
1.0.3 is mainly a bug-fix release
——————————————————————————–
2012-3-28 Lempelf 1.0.3 released
Bugfix: the domain name shown in the message after awstats finishes installing
Bugfix: nginx installation failed; corrected the file name on line 21 of ./scripts/setup_nginx.sh
Bugfix: php could not find mysqlclient.so.18 at startup (echo "/opt/mysql/lib" > /etc/ld.so.conf.d/mysql.conf && ldconfig)
Bugfix: PAM errors in the secure log on 64-bit systems; corrected the path in /etc/pam.d/su
Bugfix: tty, ctrl+alt+del and ipv6 on CentOS 6
Bugfix: restricting which users may su; users who need su must be added to the group with gpasswd
Change: nginx logs are now kept for one month
Feature: new scripts/firstlog.sh, which records files and runtime information for later comparison

2012-3-23 Lempelf 1.0.2 released
php magic_quotes_gpc set to on
cmake added to the yum package list
mysql upgraded to Percona-Server-5.5.20-rel24.1
Added a /tmp/mysql.sock symlink
php upgraded to 5.2.17 with the hash patch applied
nginx version number hidden as 1.0
Version number hidden in nginx.conf
Changed the services autosafe.sh handles automatically
pcre upgraded to pcre-8.30
phpmyadmin updated to phpMyAdmin-3.4.10.1-all-languages

Updated again 2012-3-28 16:00
Updated again 2012-3-30 14:30
Updated again 2012-3-30 18:00

http://blog.c1gstudio.com/lempelfpage



Lempelf one-click installer updated to 1.0.2

What is the Lempelf one-click installer?
——————————————————————————–
The Lempelf one-click installer is a shell program that quickly installs commonly used services on Linux.

ChangeLog
Mainly performance and security improvements
——————————————————————————–
2012-3-23 Lempelf 1.0.2 released
php magic_quotes_gpc set to on
cmake added to the yum package list
mysql upgraded to Percona-Server-5.5.20-rel24.1
Added a /tmp/mysql.sock symlink
php upgraded to 5.2.17 with the hash patch applied
nginx version number hidden as 1.0
Version number hidden in nginx.conf
Changed the services autosafe.sh handles automatically
pcre upgraded to pcre-8.30
phpmyadmin updated to phpMyAdmin-3.4.10.1-all-languages

http://blog.c1gstudio.com/lempelfpage



phpMyAdmin 3.3.X and 3.4.X contain an injection vulnerability

Tested affected phpmyadmin versions: 3.3.6, 3.3.10, 3.4.0, 3.4.5, 3.4.7

3.0 also has a SQL injection vulnerability

The current stable release is phpMyAdmin 3.4.10.1; make sure to upgrade
http://www.phpmyadmin.net/home_page/downloads.php

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4107
http://www.secforce.com/blog/2012/01/cve-2011-4107-poc-phpmyadmin-local-file-inclusion-via-xxe-injection/



PHP one-liner webshells and how to find them

Common webshells basically share the following traits
1. They receive an external variable
Commonly: $_GET, $_POST
More hidden: $_FILES, $_REQUEST...

2. They execute a function
Once the data has been received it still has to be executed
Commonly: eval, assert, preg_replace
Hidden variants:

include($_POST['a']);


$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access");


@preg_replace('/ad/e','@'.str_rot13('riny').'($b4dboy)', 'add');

Encoding functions such as urldecode, gzinflate and base64_decode are used to hide the payload

3. They write files
To gain more privileges
e.g. copy, file_get_contents, exec

The usual advice is to turn on safe_mode or use disable_functions to improve security;
some programs may then fail to run. Basic security settings
in php.ini:

expose_php = OFF
register_globals = Off
display_errors = Off
cgi.fix_pathinfo=0
magic_quotes_gpc = On
allow_url_fopen = Off
allow_url_include = Off
and configure open_basedir

A script to find webshells
Searching for the hidden signatures and entry points finds most webshells.

#!/bin/bash

findpath=./
logfile=findtrojan.log

echo -e $(date +%Y-%m-%d_%H:%M:%S)" start\r" >>$logfile
echo -e '============changetime list==========\r\n' >> ${logfile}
# php files whose inode changed in the last 3 days
find ${findpath} -name "*.php" -ctime -3 -type f -exec ls -l {} \; >> ${logfile}

echo -e '============nouser file list==========\r\n' >> ${logfile}
# files that belong to no known user or group
find ${findpath} -nouser -nogroup -type f -exec ls -l {} \; >> ${logfile}

echo -e '============php one word trojan ==========\r\n' >> ${logfile}
# php files containing any of the execution, decoding or input signatures
find ${findpath} -name "*.php" -exec egrep -I -i -C1 -H 'exec\(|eval\(|assert\(|system\(|passthru\(|shell_exec\(|escapeshellcmd\(|pcntl_exec\(|gzuncompress\(|gzinflate\(|unserialize\(|base64_decode\(|file_get_contents\(|urldecode\(|str_rot13\(|\$_GET|\$_POST|\$_REQUEST|\$_FILES|\$GLOBALS' {} \; >> ${logfile}
# use -l instead of -C1 -H to print only the file names
echo -e $(date +%Y-%m-%d_%H:%M:%S)" end\r" >>$logfile

more $logfile
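The egrep line above flags any file that contains any single indicator, which on a PEAR or CMS tree is most files. As an added example (my own helpers, not the post's script), the version below scores each PHP file by how many of the three traits listed above it combines (external input, an execution function or preg_replace with the /e modifier, an encoding layer), plus a fourth for the name-building trick in the $hh variant, so that a real one-liner ranks above ordinary code. The sample files are constructed from the post's three variants plus one ordinary form handler.

```shell
#!/bin/bash
# Added example, not the script from the original post: rank PHP files by
# how many webshell traits they combine. Helper names are my own.

QUOTE="['\"]"
# trait 1: external input
INPUT_RE='\$_(GET|POST|REQUEST|FILES|COOKIE)|\$GLOBALS'
# trait 2: an execution function, preg_replace with the /e modifier,
#          or include/require fed straight from a superglobal
EXEC_RE="(^|[^a-zA-Z0-9_])(eval|assert|system|passthru|shell_exec|exec|pcntl_exec|escapeshellcmd)[[:space:]]*\\(|preg_replace[[:space:]]*\\([[:space:]]*${QUOTE}/[^'\"]*/[a-z]*e[a-z]*${QUOTE}|(include|require)(_once)?[[:space:]]*\\(?[[:space:]]*\\\$_"
# trait 3: an encoding layer
ENCODE_RE='(^|[^a-zA-Z0-9_])(base64_decode|gzinflate|gzuncompress|str_rot13|urldecode|unserialize)[[:space:]]*\('
# trait 4: "p"."r"."e"... name building, or calling a function held in a variable
OBFUSC_RE="${QUOTE}[a-zA-Z_]${QUOTE}[[:space:]]*\\.[[:space:]]*${QUOTE}[a-zA-Z_]${QUOTE}|\\\$[a-zA-Z_][a-zA-Z0-9_]*[[:space:]]*\\("

# score_php_file FILE: print "<score> <file>", score 0-4
score_php_file() {
    local f=$1 score=0 re
    for re in "$INPUT_RE" "$EXEC_RE" "$ENCODE_RE" "$OBFUSC_RE"; do
        grep -q -I -E "$re" "$f" && score=$((score + 1))
    done
    echo "$score $f"
}

# rank_php_files DIR: every .php file under DIR, highest score first
rank_php_files() {
    find "$1" -name '*.php' -type f | while IFS= read -r f; do
        score_php_file "$f"
    done | sort -rn
}

# Constructed samples in a temp dir: the three variants from the post, a
# base64+eval one-liner and an ordinary form handler. Prints the dir name.
make_samples() {
    local d
    d=$(mktemp -d)
    cat > "$d/include.php" <<'EOF'
<?php include($_POST['a']); ?>
EOF
    cat > "$d/discuz.php" <<'EOF'
<?php $hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";
$hh("/[discuz]/e",$_POST['h'],"Access"); ?>
EOF
    cat > "$d/rot13.php" <<'EOF'
<?php @preg_replace('/ad/e','@'.str_rot13('riny').'($b4dboy)', 'add'); ?>
EOF
    cat > "$d/eval64.php" <<'EOF'
<?php eval(base64_decode($_POST['x'])); ?>
EOF
    cat > "$d/legit.php" <<'EOF'
<?php $name = htmlspecialchars($_POST['name']); echo "Hello $name"; ?>
EOF
    echo "$d"
}
```

Anything scoring 3 or more deserves a manual look first; score 1 files are mostly ordinary code that reads request parameters.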



A regular-expression mnemonic

Regex has its snobbery too: a pointed hat in front, cash tucked in at the back; (the start anchor ^ and the end anchor $)
Special symbols cannot be read as-is, so a backslash leads the way; (special symbols such as \. and \*)
Backslash followed by lowercase w stands for digits and letters; (\w matches digits and letters; \d matches digits)
Backslash followed by lowercase d stands for digits only;
Backslash followed by lowercase a is the bell character, one beep;
Backslash followed by lowercase b is a word boundary, or backspace;
Backslash followed by lowercase t is the tab character, plain enough;
Backslash followed by lowercase r is the carriage return;
Backslash followed by lowercase s is whitespace, which matters;
After the lowercase ones come the uppercase, and there are plenty;
Backslash followed by uppercase W: letters and digits step aside;
Backslash followed by uppercase S: whitespace steps aside;
Backslash followed by uppercase D: digits step aside;
Backslash followed by uppercase B: a position that is not a word boundary;

To repeat a single character, three symbols help out; (* + ?)
Star is 0 to infinity, plus is 1 to infinity, question mark only 0 or 1; (* means 0-n, + means 1-n, ? means 0-1 repetitions)
Curly braces hold a lot: powerful control over repetition; ({n} {n,} {n,m})
To repeat a string, wrap it in parentheses; ((abc){3} means the string "abc" repeated 3 times)
To define your own set of characters, square brackets help;
Where escaping does not work, line the characters up one by one;
Too many to list? A hyphen gives a range; ([1-5])
A caret inside square brackets negates, which is powerful; ([^a] means any character except "a")
A vertical bar does a lot: it alternates between the regexes on either side; (on the keyboard it shares a key with "\")
The bar can be used many times, which makes complex definitions easy;
Parentheses have many uses;
A backreference refers to a numbered group, the digit matching the group; (in "(\w+)\b\s+\1\b" the digit "1" refers back to the earlier "(\w+)")
Named groups are supported: a question mark plus angle brackets; ("(?<Word>\w+)" defines "\w+" as a group named "Word")
Parentheses have many uses; positions are specified with them too;
Question mark, equals sign, then a string: matches what comes before that string; ("\w+(?=ing\b)" locates the text in front of "ing")
To match what comes after a string, insert a less-than sign in the middle; ("(?<=\bsub)\w+\b" locates the text after "sub")
Question mark plus exclamation mark, then a string; every PHPer knows ! means negation;
Whatever is not followed by that string matches; ("\w*d(?!og)\w*": "dog" does not match, "do" does)
Question mark, less-than sign, exclamation mark, then a string;
Whatever is not preceded by that string matches;
Dot-star is greedy; add a question mark and it is not;
Plus with a question mark has a floor: at least one repetition;
Two question marks, old rule: 0 or 1 times;
A question mark after curly braces turns greedy into lazy;
There is much more that does not fit; it can be added later.
Reference: http://hi.baidu.com/hackxiu/blog/item/f8cd8901d500411c1d958313.html



How to exclude files and directories in find

Find the files under the cache directory that are not html

find ./cache ! -name '*.html' -type f

List the directory names under the current directory, excluding the includes directory; the trailing -print must not be left out

find . -maxdepth 1 -path ./includes -prune -o -type d -print

Update 2012-3-26
Excluding several directories; the "(" must be escaped with "\", and the -o after -prune is what makes the rest of the expression apply to everything that was not pruned

find / \( -path /home -o -path /root \) -prune -o -nouser -type f -exec ls -l {} \;
