A rootkit is a tool intruders use all the time: it quietly, without the user noticing, sets up a way to get back into the system at any time, or to control it in real time. chkrootkit is a tool that checks whether a rootkit has been installed on the system. It cannot catch 100% of them, of course, so install it right after the system is set up, or rather before the server goes live.
Official site: http://www.chkrootkit.org
The latest version at the moment is chkrootkit-0.49.
The official site may not download properly; you can use the copy on my blog: http://blog.c1gstudio.com/lempelf/chkrootkit-0.49.tar.gz
Test system: CentOS 5.8
1. Installation
wget http://blog.c1gstudio.com/lempelf/chkrootkit-0.49.tar.gz
tar zxvf chkrootkit-0.49.tar.gz
cd chkrootkit*
make sense
cd ..
mv -f chkrootkit-* /usr/local/chkrootkit
chown -R root:root /usr/local/chkrootkit
chmod -R 700 /usr/local/chkrootkit
2. Running
Some of the checks are run from the current directory, so cd into the chkrootkit directory first.
cd /usr/local/chkrootkit
./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/python2.4/config/.relocation-tag
/usr/lib/gtk-2.0/immodules/.relocation-tag
/usr/lib/.libgcrypt.so.11.hmac
/lib/.libssl.so.0.9.8e.hmac
/lib/.libcrypto.so.0.9.8e.hmac
/lib/.libssl.so.6.hmac
/lib/.libcrypto.so.6.hmac
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files...
/tmp/pear/download/Archive_Tar-1.3.9/Archive/Tar.php
/tmp/pear/download/XML_Util-1.2.1/tests/AllTests.php
/tmp/pear/download/XML_Util-1.2.1/Util.php
/tmp/pear/download/XML_Util-1.2.1/examples/example2.php
/tmp/pear/download/XML_Util-1.2.1/examples/example.php
/tmp/pear/download/Archive_Tar-1.3.7/Archive/Tar.php
/tmp/pear/download/Structures_Graph-1.0.4/tests/testCase/BasicGraph.php
/tmp/pear/download/Structures_Graph-1.0.4/tests/AllTests.php
/tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph.php
/tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph/Node.php
/tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph/Manipulator/AcyclicTest.php
/tmp/pear/download/Structures_Graph-1.0.4/Structures/Graph/Manipulator/TopologicalSorter.php
/tmp/pear/download/PEAR-1.9.1/PEAR5.php
/tmp/pear/download/PEAR-1.9.1/PEAR/REST/10.php
/tmp/pear/download/PEAR-1.9.1/PEAR/REST/13.php
/tmp/pear/download/PEAR-1.9.1/PEAR/REST/11.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Builder.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Downloader/Package.php
/tmp/pear/download/PEAR-1.9.1/PEAR/FixPHP5PEARWarnings.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Data.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Doc.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Php.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Cfg.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Src.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Www.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Test.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Common.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Script.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role/Ext.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer/Role.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Packager.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Validator/PECL.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Installer.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Config.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Registry.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Install.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Mirror.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Remote.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Build.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Config.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Registry.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Pickle.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Channels.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Auth.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Test.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Common.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command/Package.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile.php
/tmp/pear/download/PEAR-1.9.1/PEAR/RunTest.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Autoloader.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Frontend.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Validate.php
/tmp/pear/download/PEAR-1.9.1/PEAR/ErrorStack.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Replace/rw.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Unixeol/rw.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Postinstallscript.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Windowseol/rw.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Replace.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Unixeol.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Windowseol.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Common.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Task/Postinstallscript/rw.php
/tmp/pear/download/PEAR-1.9.1/PEAR/ChannelFile/Parser.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Common.php
/tmp/pear/download/PEAR-1.9.1/PEAR/XMLParser.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Downloader.php
/tmp/pear/download/PEAR-1.9.1/PEAR/DependencyDB.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v2.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v2/rw.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v2/Validator.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Generator/v2.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Generator/v1.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/v1.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Parser/v2.php
/tmp/pear/download/PEAR-1.9.1/PEAR/PackageFile/Parser/v1.php
/tmp/pear/download/PEAR-1.9.1/PEAR/REST.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Command.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Dependency2.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Exception.php
/tmp/pear/download/PEAR-1.9.1/PEAR/Frontend/CLI.php
/tmp/pear/download/PEAR-1.9.1/PEAR/ChannelFile.php
/tmp/pear/download/PEAR-1.9.1/scripts/peclcmd.php
/tmp/pear/download/PEAR-1.9.1/scripts/pearcmd.php
/tmp/pear/download/PEAR-1.9.1/System.php
/tmp/pear/download/PEAR-1.9.1/PEAR.php
/tmp/pear/download/PEAR-1.9.1/OS/Guess.php
/tmp/pear/download/Console_Getopt-1.2.3/Console/Getopt.php
/tmp/pear/download/PEAR-1.9.4/PEAR5.php
/tmp/pear/download/PEAR-1.9.4/PEAR/REST/10.php
/tmp/pear/download/PEAR-1.9.4/PEAR/REST/13.php
/tmp/pear/download/PEAR-1.9.4/PEAR/REST/11.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Builder.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Downloader/Package.php
/tmp/pear/download/PEAR-1.9.4/PEAR/FixPHP5PEARWarnings.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Data.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Doc.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Php.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Cfg.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Src.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Www.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Test.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Common.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Script.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role/Ext.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer/Role.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Packager.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Validator/PECL.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Installer.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Config.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Registry.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Install.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Mirror.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Remote.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Build.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Config.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Registry.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Pickle.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Channels.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Auth.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Test.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Common.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command/Package.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile.php
/tmp/pear/download/PEAR-1.9.4/PEAR/RunTest.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Autoloader.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Frontend.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Validate.php
/tmp/pear/download/PEAR-1.9.4/PEAR/ErrorStack.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Replace/rw.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Unixeol/rw.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Postinstallscript.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Windowseol/rw.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Replace.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Unixeol.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Windowseol.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Common.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Task/Postinstallscript/rw.php
/tmp/pear/download/PEAR-1.9.4/PEAR/ChannelFile/Parser.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Common.php
/tmp/pear/download/PEAR-1.9.4/PEAR/XMLParser.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Downloader.php
/tmp/pear/download/PEAR-1.9.4/PEAR/DependencyDB.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v2.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v2/rw.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v2/Validator.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Generator/v2.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Generator/v1.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/v1.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Parser/v2.php
/tmp/pear/download/PEAR-1.9.4/PEAR/PackageFile/Parser/v1.php
/tmp/pear/download/PEAR-1.9.4/PEAR/REST.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Command.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Dependency2.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Exception.php
/tmp/pear/download/PEAR-1.9.4/PEAR/Frontend/CLI.php
/tmp/pear/download/PEAR-1.9.4/PEAR/ChannelFile.php
/tmp/pear/download/PEAR-1.9.4/scripts/peclcmd.php
/tmp/pear/download/PEAR-1.9.4/scripts/pearcmd.php
/tmp/pear/download/PEAR-1.9.4/System.php
/tmp/pear/download/PEAR-1.9.4/PEAR.php
/tmp/pear/download/PEAR-1.9.4/OS/Guess.php
/tmp/pear/download/Console_Getopt-1.3.1/Console/Getopt.php
/tmp/pear/download/Structures_Graph-1.0.3/tests/testCase/BasicGraph.php
/tmp/pear/download/Structures_Graph-1.0.3/tests/AllTests.php
/tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph.php
/tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph/Node.php
/tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph/Manipulator/AcyclicTest.php
/tmp/pear/download/Structures_Graph-1.0.3/Structures/Graph/Manipulator/TopologicalSorter.php
Searching for anomalies in shell history files... Warning: `//root/.mysql_history' is linked to another file
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
None of the files listed above is a problem; if INFECTED shows up, be careful.
./chkrootkit | grep INFECTED
3. Automatic runs
Create a daily script that sends a mail automatically when a problem is found.
vi chkrootkitcron.sh
#!/bin/bash
# Daily chkrootkit run: save the full report, mail only the INFECTED lines
TOOLKITSPATH=/usr/local
MAILUSER=root@localhost
file_chkrootkit_log=chkrootkitcron.log
servername=`hostname`
date=`date +%Y-%m-%d`
cd ${TOOLKITSPATH}/chkrootkit || exit 1
./chkrootkit > ${file_chkrootkit_log}
# Send mail only when at least one INFECTED line is present
[ ! -z "$(grep INFECTED ${file_chkrootkit_log})" ] && \
grep INFECTED ${file_chkrootkit_log} | mail -s "[chkrootkit] report in ${servername} ${date}" ${MAILUSER}
Put it into crontab:
echo "40 5 * * * cd /opt/shell && /bin/sh ./chkrootkitcron.sh > /dev/null 2>&1" >> /var/spool/cron/root
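The cron script above mails only lines containing INFECTED. The run shown earlier demonstrates what that misses: the `Warning:` about `//root/.mysql_history` being linked to another file, and the paths printed under the "suspicious files and dirs" and "suspect PHP files" scans, none of which carry the word INFECTED. The following is an added example, not code from the post or from chkrootkit, that reads a saved report and classifies every line worth a look. The function names `chkrootkit_findings` and `chkrootkit_finding_count` are hypothetical, and both report files are constructed samples, not real scan results.

```shell
#!/bin/sh
# Added example (not from the original post and not part of chkrootkit):
# classify the lines of a saved chkrootkit report that deserve a look.
# chkrootkit_findings / chkrootkit_finding_count are hypothetical names;
# the two report files below are constructed samples.

SAMPLE_LOG="${TMPDIR:-/tmp}/chkrootkit-sample.$$"
CLEAN_LOG="${TMPDIR:-/tmp}/chkrootkit-clean.$$"
trap 'rm -f "$SAMPLE_LOG" "$CLEAN_LOG"' EXIT

# Constructed report: one INFECTED line, one hidden-file hit under the
# "suspicious files" scan, one Warning line, the rest clean.
cat > "$SAMPLE_LOG" <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `ifconfig'... INFECTED
Searching for suspicious files and dirs, it may take a while...
/usr/lib/.libgcrypt.so.11.hmac
Searching for LPD Worm files and dirs... nothing found
Searching for anomalies in shell history files... Warning: `//root/.mysql_history' is linked to another file
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
EOF

# Constructed report with nothing to report.
cat > "$CLEAN_LOG" <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `ifconfig'... not infected
Searching for suspicious files and dirs, it may take a while...
Searching for LPD Worm files and dirs... nothing found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
EOF

# chkrootkit_findings REPORT
# Prints every line that needs attention with a category prefix:
#   INFECTED  - a checked binary was flagged
#   WARNING   - chkrootkit printed "Warning:" (grep INFECTED never sees these)
#   FILE      - a path listed under the suspicious-files or suspect-PHP scans
# Returns 1 when at least one such line exists, 0 when the report is clean.
chkrootkit_findings() {
    awk '
        /INFECTED/ { print "INFECTED: " $0; n++; next }
        /Warning:/ { print "WARNING:  " $0; n++; next }
        /^Searching for suspicious files and dirs/ || /^Searching for suspect PHP files/ { section = 1; next }
        /^(Checking|Searching for)/ { section = 0 }
        section && /^\// { print "FILE:     " $0; n++ }
        END { if (n > 0) exit 1; exit 0 }
    ' "$1"
}

# chkrootkit_finding_count REPORT
# Number of lines chkrootkit_findings would print (0 for a clean report).
chkrootkit_finding_count() {
    chkrootkit_findings "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: show the findings and a count for both sample reports.
for report in "$SAMPLE_LOG" "$CLEAN_LOG"; do
    echo "== $report: $(chkrootkit_finding_count "$report") finding(s)"
    chkrootkit_findings "$report" || true
done
```

In the cron script, replacing the `grep INFECTED` test with `chkrootkit_findings ${file_chkrootkit_log}` (and mailing its output) makes the daily report include warnings and file hits as well. The hidden `.hmac` files and the `.mysql_history` link in the run above are the kind of entries you then review once and recognise as expected on that host; the point of the categories is that a new one is not silently dropped.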