rootkit的检测工具使用(chkrootkit和rootkit hunter)
这两天突然发现我们的服务器产生大量DNS解析连线。为了查明问题,就下载网上找工具检查问题所在。用了两个工具,一个chkrootkit,另外一个rootkit huntur。在使用了这两个产品后,觉得rootkit的信息更加详细一些。现在就对两个工具的操作和使用写一个记录,也方便之后自己查看。
1. chkrootkit的使用
project: http://www.chkrootkit.org
download: ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
1.1 解压安装
#tar -zxvf chkrootkit.tar.gz
#make sense
1.2 运行监测
#./chkrootkit
运行结果在
http://blogimg.chinaunix.net/blog/upfile2/090326111017.pdf
判断有问题的信息如下:
Checking `ifconfig’… INFECTED
Checking `ls’… INFECTED
Checking `netstat’… INFECTED
Checking `ps’… INFECTED
Checking `top’… INFECTED
Searching for Madalin rootkit default files… Possible Madalin rootkit installed
Checking `bindshell’… INFECTED (PORTS: 145)
Checking `lkm’… You have 77 process hidden for readdir command
You have 77 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `sniffer’… eth0: PROMISC
不幸中招,系统只能够重新安装了。在看了这个文档之后,对chkrootkit这个工具又看了一些其他资料。可以做rootkit的自动检查操作
具体可以看 http://www.centospub.com/make/chkrootkit.html
1.3 chkrootkit参数说明
Usage: ./chkrootkit [options] [test …]
Options:
-h 显示帮助信息
-V 显示版本信息
-l 显示测试内容
-d debug模式,显示检测过程的相关指令程序
-q 安静模式,只显示有问题部分,
-x 高级模式,显示所有检测结果
-r dir 设定指定的目录为根目录
-p dir1:dir2:dirN 检测指定目录
-n 跳过NFS连接的目录
2. rootkit hunter的使用
Project: http://www.rootkit.nl/projects/rootkit_hunter.html
download: http://downloads.sourceforge.net/rkhunter/rkhunter-1.3.4.tar.gz?use_mirror=jaist
2.1 解压安装
解压
#tar -zxvf rkhunter-1.3.4.tar.gz
安装
#cd rkhunter-1.3.4
#./installer.sh -h
Usage: ./installer.sh <parameters>
Ordered valid parameters:
–help (-h) : 显示帮助
–examples : 显示安装实例
–layout <value> : 选择安装模板(安装必选参数).
模板选择:
– default: (FHS compliant),
– /usr,
– /usr/local,
– oldschool: 之前版本安装路径,
– custom: 自定义安装路径,
– RPM: for building RPM’s. Requires $RPM_BUILD_ROOT.
– DEB: for building DEB’s. Requires $DEB_BUILD_ROOT.
–striproot : Strip path from custom layout (for package maintainers).
–install : 根据选择目录安装
–show : 显示安装路径
–remove : 卸载rkhunter
–version : 显示安装版本
我使用的安装指令
#./installer.sh –layout default –install
2.2 rkhunter操作
#/usr/local/bin/rkhunter –propupd
#/usr/local/bin/rkhunter -c –sk -rwo
Warning: File ‘/bin/awk’ has the immutable-bit set.
Warning: File ‘/bin/basename’ has the immutable-bit set.
Warning: File ‘/bin/bash’ has the immutable-bit set.
Warning: File ‘/bin/cat’ has the immutable-bit set.
Warning: File ‘/bin/chmod’ has the immutable-bit set.
Warning: File ‘/bin/chown’ has the immutable-bit set.
Warning: File ‘/bin/cp’ has the immutable-bit set.
Warning: File ‘/bin/csh’ has the immutable-bit set.
Warning: File ‘/bin/cut’ has the immutable-bit set.
Warning: File ‘/bin/date’ has the immutable-bit set.
Warning: File ‘/bin/df’ has the immutable-bit set.
Warning: File ‘/bin/dmesg’ has the immutable-bit set.
Warning: File ‘/bin/echo’ has the immutable-bit set.
Warning: File ‘/bin/ed’ has the immutable-bit set.
Warning: File ‘/bin/egrep’ has the immutable-bit set.
Warning: File ‘/bin/env’ has the immutable-bit set.
Warning: File ‘/bin/fgrep’ has the immutable-bit set.
Warning: File ‘/bin/grep’ has the immutable-bit set.
Warning: File ‘/bin/kill’ has the immutable-bit set.
Warning: File ‘/bin/login’ has the immutable-bit set.
Warning: File ‘/bin/ls’ has the immutable-bit set.
Warning: File ‘/bin/mail’ has the immutable-bit set.
Warning: File ‘/bin/mktemp’ has the immutable-bit set.
Warning: File ‘/bin/more’ has the immutable-bit set.
Warning: File ‘/bin/mount’ has the immutable-bit set.
Warning: File ‘/bin/mv’ has the immutable-bit set.
Warning: File ‘/bin/netstat’ has the immutable-bit set.
Warning: File ‘/bin/ps’ has the immutable-bit set.
Warning: File ‘/bin/pwd’ has the immutable-bit set.
Warning: File ‘/bin/rpm’ has the immutable-bit set.
Warning: File ‘/bin/sed’ has the immutable-bit set.
Warning: File ‘/bin/sh’ has the immutable-bit set.
Warning: File ‘/bin/sort’ has the immutable-bit set.
Warning: File ‘/bin/su’ has the immutable-bit set.
Warning: File ‘/bin/touch’ has the immutable-bit set.
Warning: File ‘/bin/uname’ has the immutable-bit set.
Warning: File ‘/bin/gawk’ has the immutable-bit set.
Warning: File ‘/bin/tcsh’ has the immutable-bit set.
Warning: File ‘/usr/bin/awk’ has the immutable-bit set.
Warning: File ‘/usr/bin/cut’ has the immutable-bit set.
Warning: File ‘/usr/bin/env’ has the immutable-bit set.
Warning: The command ‘/usr/bin/GET’ has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command ‘/usr/bin/groups’ has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: File ‘/usr/bin/kill’ has the immutable-bit set.
Warning: The command ‘/usr/bin/ldd’ has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: File ‘/usr/bin/top’ has the immutable-bit set.
Warning: The command ‘/usr/bin/whatis’ has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: File ‘/usr/bin/gawk’ has the immutable-bit set.
Warning: File ‘/sbin/chkconfig’ has the immutable-bit set.
Warning: File ‘/sbin/depmod’ has the immutable-bit set.
Warning: File ‘/sbin/fuser’ has the immutable-bit set.
Warning: File ‘/sbin/ifconfig’ has the immutable-bit set.
Warning: File ‘/sbin/ifdown’ has the immutable-bit set.
Warning: The command ‘/sbin/ifdown’ has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: File ‘/sbin/ifup’ has the immutable-bit set.
Warning: The command ‘/sbin/ifup’ has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: File ‘/sbin/init’ has the immutable-bit set.
Warning: File ‘/sbin/insmod’ has the immutable-bit set.
Warning: File ‘/sbin/ip’ has the immutable-bit set.
Warning: File ‘/sbin/lsmod’ has the immutable-bit set.
Warning: File ‘/sbin/modinfo’ has the immutable-bit set.
Warning: File ‘/sbin/modprobe’ has the immutable-bit set.
Warning: File ‘/sbin/nologin’ has the immutable-bit set.
Warning: File ‘/sbin/rmmod’ has the immutable-bit set.
Warning: File ‘/sbin/runlevel’ has the immutable-bit set.
Warning: File ‘/sbin/sulogin’ has the immutable-bit set.
Warning: File ‘/sbin/sysctl’ has the immutable-bit set.
Warning: File ‘/sbin/syslogd’ has the immutable-bit set.
Warning: File ‘/usr/sbin/adduser’ has the immutable-bit set.
Warning: No hash value found for file ‘/usr/sbin/amd’ in the rkhunter.dat file.
Warning: File ‘/usr/sbin/amd’ has the immutable-bit set.
Warning: File ‘/usr/sbin/chroot’ has the immutable-bit set.
Warning: File ‘/usr/sbin/groupadd’ has the immutable-bit set.
Warning: File ‘/usr/sbin/groupdel’ has the immutable-bit set.
Warning: File ‘/usr/sbin/groupmod’ has the immutable-bit set.
Warning: File ‘/usr/sbin/grpck’ has the immutable-bit set.
Warning: File ‘/usr/sbin/kudzu’ has the immutable-bit set.
Warning: File ‘/usr/sbin/lsof’ has the immutable-bit set.
Warning: File ‘/usr/sbin/prelink’ has the immutable-bit set.
Warning: File ‘/usr/sbin/pwck’ has the immutable-bit set.
Warning: File ‘/usr/sbin/sestatus’ has the immutable-bit set.
Warning: File ‘/usr/sbin/tcpd’ has the immutable-bit set.
Warning: File ‘/usr/sbin/useradd’ has the immutable-bit set.
Warning: File ‘/usr/sbin/userdel’ has the immutable-bit set.
Warning: File ‘/usr/sbin/usermod’ has the immutable-bit set.
Warning: File ‘/usr/sbin/vipw’ has the immutable-bit set.
Warning: File ‘/usr/sbin/xinetd’ has the immutable-bit set.
Warning: Dreams Rootkit [ Warning ]
File ‘/usr/bin/sense’ found
File ‘/usr/bin/sl2’ found
File ‘/usr/bin/(swapd)’ found
Warning: Checking for possible rootkit strings [ Warning ]
Found string ‘/dev/ttyoa’ in file ‘/bin/netstat’. Possible rootkit: Sin Rootkit
Warning: Found possible sniffer log file: /usr/lib/libice.log
Warning: Found enabled xinetd service: /etc/xinetd.d/auth
Warning: Found enabled xinetd service: /etc/xinetd.d/cups-lpd
Warning: Found enabled xinetd service: /etc/xinetd.d/swat
Warning: Found enabled xinetd service: /etc/xinetd.d/vmware-authd
Warning: Possible promiscuous interfaces:
‘ifconfig’ command output:
‘ip’ command output: eth0
Warning: Account ‘test’ is root equivalent (UID = 0)
Warning: Account ‘james’ is root equivalent (UID = 0)
Warning: Account ‘master’ is root equivalent (UID = 0)
Warning: Account ‘admin’ is root equivalent (UID = 0)
Warning: The SSH configuration option ‘PermitRootLogin’ has not been set.
The default value may be ‘yes’, to allow root access.
Warning: The SSH configuration option ‘Protocol’ has not been set.
The default value may be ‘2,1’, to allow the use of protocol version 1.
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Application ‘exim’, version ‘4.43’, is out of date, and possibly a security risk.
Warning: Application ‘gpg’, version ‘1.2.6’, is out of date, and possibly a security risk.
Warning: Application ‘openssl’, version ‘0.9.7a’, is out of date, and possibly a security risk.
Warning: Application ‘php’, version ‘4.3.9’, is out of date, and possibly a security risk.
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
结果就是“中招”,基本上就是重新安装系统的命了。不过从检查的结果来看,可以判断所中的rootkit的类型和被替换的系统文件。同时对一些程序版本进行检测,提供的信息比较多。
2.3 指令参数说明
#/usr/local/bin/rkhunter
Usage: rkhunter {–check | –update | –versioncheck |
–propupd [{filename | directory | package name},…] |
–list [{tests | {lang | languages} | rootkits},…] |
–version | –help} [options]
Current options are:
–append-log 在日志文件后追加日志,而不覆盖原有日志
–bindir <directory>… Use the specified command directories
-c, –check 检测当前系统
–cs2, –color-set2 Use the second color set for output
–configfile <file> 使用特定的配置文件
–cronjob 作为cron定期运行
(包含参数 -c, –sk , –nocolors )
–dbdir <directory> Use the specified database directory
–debug Debug模式(不要使用除非要求使用)
–disable <test>[,<test>…] 跳过指定检查对象(默认为无)
–display-logfile 在最后显示日志文件内容
–enable <test>[,<test>…] 对指定检测对象进行检查
(默认检测所有对象)
–hash {MD5 | SHA1 | NONE | 使用指定的文件哈希函数
<command>} (Default is SHA1)
-h, –help 显示帮助菜单
–lang, –language <language> 指定使用的语言
(Default is English)
–list [tests | languages | 罗列测试对象明朝,使用语言,可检测的木马程序
rootkits]
-l, –logfile [file] 写到指定的日志文件名
(Default is /var/log/rkhunter.log)
–noappend-log 不追加日志,直接覆盖日志文件
–nocolors 输出只显示黑白两色
–nolog 不写入日志文件
–nomow, –no-mail-on-warning 如果有警告信息,不发送邮件
–ns, –nosummary 不显示检查结果的统计数据
–novl, –no-verbose-logging 不显示详细记录
–pkgmgr {RPM | DPKG | BSD | 使用特定的包管理用于文件的哈希值验证
NONE} (Default is NONE)
–propupd [file | directory | 更新整个文件属性数据库或仅仅更新指定条目
package]…
-q, –quiet 安静模式(no output at all)
–rwo, –report-warnings-only 只显示警告信息
-r, –rootdir <directory> 使用指定的root目录
–sk, –skip-keypress 自动完成所有检测,跳过键盘输入
–summary 显示检测结果的统计信息
(This is the default)
–syslog [facility.priority] 记录检测启动和结束时间到系统日志中
(Default level is authpriv.notice)
–tmpdir <directory> 使用指定的临时目录
–update 检测更新内容
–vl, –verbose-logging 使用详细日志记录 (on by default)
-V, –version 显示版本信息
–versioncheck 检测最新版本
-x, –autox 当X在使用时,自动启动检测
-X, –no-autox 当X在使用时,不自启检测
本文所述Chkrootkit命令安装方法已由VPS管理百科验证通过
rootkit从浅显的层面来讲即一种具有自我隐蔽性的后门程序,它往往被入侵者作为一种入侵工具。通过rootkit,入侵者可以偷偷控制被入侵的电脑,因此危害巨大。chkrootkit是一个Linux系统下的查找检测rootkit后门的工具。本文将介绍chkrootkit的安装与使用方法。
chkrootkit没有包含在官方的CentOS或Debian源,因此我们将采取手动编译的方法来安装,这种方式也更加安全。由于需要编译源代码,因此还需要在系统中安装好gcc编译包。
安装方法
1、准备gcc编译环境
对于CentOS系统,执行下述三条命令:
yum -y install gcc
yum -y install gcc-c++
yum -y install make
对于debian系统,执行下述两条命令:
apt-get -y install gcc
apt-get -y install make
2、下载chkrootkit源码
chkrootkit的官方网站为 http://www.chkrootkit.org ,下述下载地址为官方地址。为了安全起见,务必在官方下载此程序:
1 |
[root@www ~]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz |
3、解压下载回来的安装包
1 |
[root@www ~]# tar zxf chkrootkit.tar.gz |
4、编译安装(后文命令中出现的“*”无需替换成具体字符,原样复制执行即可)
1 |
[root@www ~]# cd chkrootkit-* |
2 |
[root@www ~]# make sense |
注意,上面的编译命令为make sense。
5、把编译好的文件部署到/usr/local/目录中,并删除遗留的文件
1 |
[root@www ~]# cd .. |
2 |
[root@www ~]# cp -r chkrootkit-* /usr/local/chkrootkit |
3 |
[root@www ~]# rm -r chkrootkit-* |
至此,安装完毕。
使用方法
安装好的chkrootkit程序位于 /usr/local/chkrootkit/chkrootkit
直接执行
1 |
root@vm:~# /usr/local/chkrootkit/chkrootkit |
即可对系统rootkit进行全面扫面,并滚动显示出结果,如图:
安全提示:由于chkrootkit的检查过程使用了部分系统命令。因此,如果服务器被入侵,则依赖的系统命令可能也已经被入侵者做了手脚,chkrootkit的结果将变得完全不可信,甚至连系统ls等查看文件的基础命令也变得不可信。
支付宝扫一扫
微信扫一扫
