chkrootkit: a rootkit backdoor detection tool
1. Compile and install chkrootkit
Official site: http://www.chkrootkit.org/
[root@node1 ~]# vim /etc/resolv.conf
1) Install the gcc build environment
[root@node1 ~]# yum -y install gcc gcc-c++ make cmake glibc-static glibc-utils
[root@node1 ~]# yum -y install lrzsz
2) Download the chkrootkit package and upload it to the server
[root@node1 ~]# rz
[root@node1 ~]# ls
anaconda-ks.cfg chkrootkit.tar.gz mariadb-5.5.61.tar.gz
3) Extract, compile and install (downloading the source from the official site is recommended)
[root@node1 ~]# tar zxvf chkrootkit.tar.gz -C /usr/local/
[root@node1 ~]# cd /usr/local/chkrootkit-0.52
[root@node1 chkrootkit-0.52]# make sense
# Note: the build target here is make sense
cc -static -o strings-static strings.c
cc -o chkutmp chkutmp.c
[root@node1 chkrootkit-0.52]#
2. Using chkrootkit
1) Usage: ./chkrootkit [options] [test ...]
Options:
-h Show help
-V Show version information
-l List the available tests
-d Debug mode: show the commands run during the checks
-q Quiet mode: only show the parts with problems
-x Expert mode: show all check output
-r dir Use the specified directory as the root directory
-p dir1:dir2:dirN Path to the directories holding the commands chkrootkit uses for its checks
-n Skip NFS-mounted directories
2) Checking: just run the chkrootkit command to check the system
[root@node1 ~]# /usr/local/chkrootkit-0.52/chkrootkit
...
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... not tested: can't exec
Checking `rexedcs'... not found
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `w55808'... not infected
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... not tested: can't exec ./chklastlog
Checking `chkutmp'... not tested: can't exec ./chkutmp
Checking `OSX_RSPLUG'... not tested
[root@node1 ~]# /usr/local/chkrootkit-0.52/chkrootkit -q
can't exec ./strings-static,
/usr/lib/debug/usr/.dwz /usr/lib/python2.7/site-packages/ansible/galaxy/data/container_enabled/files/.git_keep /usr/lib/python2.7/site-packages/ansible/galaxy/data/container_enabled/templates/.git_keep /usr/lib/python2.7/site-packages/ansible/galaxy/data/default/files/.git_keep /usr/lib/python2.7/site-packages/ansible/galaxy/data/default/templates/.git_keep /usr/lib/ocf/resource.d/heartbeat/.ocf-binaries /usr/lib/ocf/resource.d/heartbeat/.ocf-directories /usr/lib/ocf/resource.d/heartbeat/.ocf-returncodes /usr/lib/ocf/resource.d/heartbeat/.ocf-shellfuncs /usr/lib/ocf/resource.d/.isolation /usr/lib/pcsd/.bundle /usr/lib/pcsd/vendor/bundle/ruby/gems/backports-3.9.1/.document /usr/lib/pcsd/vendor/bundle/ruby/gems/backports-3.9.1/.gitignore /usr/lib/pcsd/vendor/bundle/ruby/gems/backports-3.9.1/.gitmodules /usr/lib/pcsd/vendor/bundle/ruby/gems/backports-3.9.1/.irbrc /usr/lib/pcsd/vendor/bundle/ruby/gems/backports-3.9.1/.travis.yml /usr/lib/pcsd/vendor/bundle/ruby/gems/ethon-0.10.1/.gitignore /usr/lib/pcsd/vendor/bundle/ruby/gems/ethon-0.10.1/.rspec /usr/lib/pcsd/vendor/bundle/ruby/gems/ethon-0.10.1/.travis.yml /usr/lib/pcsd/vendor/bundle/ruby/gems/ffi-1.9.18/ext/ffi_c/.RUBYARCHDIR.time /usr/lib/pcsd/vendor/bundle/ruby/gems/rpam-ruby19-1.2.1/ext/Rpam/.RUBYARCHDIR.time /usr/lib/pcsd/vendor/bundle/ruby/gems/sinatra-1.4.8/.yardopts
/usr/lib/ocf/resource.d/.isolation /usr/lib/pcsd/.bundle
not tested
not tested: can't exec
not tested: can't exec ./ifpromisc
not tested: can't exec ./chkwtmp
not tested: can't exec ./chklastlog
not tested: can't exec ./chkutmp
not tested
3) Check whether any program is reported as infected
[root@node1 ~]# /usr/local/chkrootkit-0.52/chkrootkit |grep INFECTED
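The many "not tested: can't exec ./ifpromisc" lines in the output above are consistent with the scanner being started from ~ rather than from /usr/local/chkrootkit-0.52, where make sense put the helper binaries, so those checks silently did not run and a bare grep for INFECTED would have missed that. The following is an added shell example, not code from the original post or from the chkrootkit project: it runs chkrootkit from its own directory and reduces the report to a summary line plus an exit status (2 infected, 1 checks skipped, 0 clean) that a cron job can act on. The install path is the one used in the post; the embedded sample report is constructed from the lines shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: run chkrootkit from its own
# directory and reduce its report to a summary line and an exit status that a
# cron job or monitoring agent can act on.
# Assumption: chkrootkit is installed at the path used in the post.
CHKROOTKIT_DIR=${CHKROOTKIT_DIR:-/usr/local/chkrootkit-0.52}

# summarize_report: read a full (non -q) chkrootkit report on stdin.
# Prints "checks=N infected=N not_tested=N" on stdout, echoes each INFECTED
# and "not tested" line on stderr, and returns 2 if anything is INFECTED,
# 1 if some checks were skipped, 0 if every check ran clean.
summarize_report() {
    total=0; infected=0; skipped=0
    while IFS= read -r line; do
        case "$line" in
            Checking*) total=$((total + 1)) ;;
            *) continue ;;              # banner lines, file lists, etc.
        esac
        case "$line" in
            *INFECTED*)     infected=$((infected + 1)); echo "ALERT:   $line" >&2 ;;
            *"not tested"*) skipped=$((skipped + 1));   echo "SKIPPED: $line" >&2 ;;
        esac
    done
    echo "checks=$total infected=$infected not_tested=$skipped"
    [ "$infected" -eq 0 ] || return 2
    [ "$skipped" -eq 0 ]  || return 1
    return 0
}

# run_chkrootkit [chkrootkit options]: change into the install directory first
# so the helpers built by "make sense" (./ifpromisc, ./chkwtmp, ...) are found,
# then summarize. The pipeline's status is summarize_report's return code.
run_chkrootkit() {
    ( cd "$CHKROOTKIT_DIR" && ./chkrootkit "$@" ) | summarize_report
}

# sample_report: constructed input for offline use, taken from the lines the
# post shows for a run started from the home directory.
sample_report() {
    cat <<'EOF'
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... not tested: can't exec
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `w55808'... not infected
Checking `wted'... not tested: can't exec ./chkwtmp
EOF
}

# sh chkrootkit_summary.sh --demo   -> summarizes the constructed sample
# sh chkrootkit_summary.sh --run    -> runs the real scanner
case "${1:-}" in
    --demo) sample_report | summarize_report ;;
    --run)  shift; run_chkrootkit "$@" ;;
esac
```

Treat exit status 1 as a configuration problem to fix, not as a clean result: a check that did not run says nothing about the host.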
4) The safest and most effective response to an infection: back up important data and reinstall the system
5) Back up the system commands chkrootkit uses
chkrootkit uses some system commands when checking for rootkits. If the system has been compromised, those commands may themselves have been replaced by the intruder, making the results untrustworthy.
So before the server is exposed to the outside, it is recommended to back up the system commands chkrootkit uses in advance; running chkrootkit's checks with the backed-up original commands keeps the results trustworthy.
The concrete steps are as follows:
# Copy the system commands (the target directory must exist before cp can copy several files into it)
[root@node1 ~]# mkdir -p /usr/share/.commands
[root@node1 ~]# cp `which --skip-alias ssh awk cut echo find egrep id head ls netstat ps strings sed uname` /usr/share/.commands
[root@node1 ~]# cd /usr/share/.commands
[root@node1 .commands]# ls
awk cut echo egrep find head id ls netstat ps sed ssh strings uname
# Archive the system tools used by the checks and back them up to a safe location
[root@node1 ~]# cd /usr/share/
[root@node1 share]# tar zcvf commands.tar.gz .commands
[root@node1 share]# sz commands.tar.gz
[root@node1 share]# rm -rf commands.tar.gz
6) Run the check with the backed-up system tools: -p specifies the path whose commands the check uses
[root@node1 ~]# /usr/local/chkrootkit-0.52/chkrootkit -p /usr/share/.commands/
[root@node1 .commands]# /usr/local/chkrootkit-0.52/chkrootkit -p /usr/share/.commands/ |grep INFECTED
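Steps 5 and 6 rely on the copies in /usr/share/.commands staying trustworthy, but they give no way to tell, later on, whether the live binaries in /usr/bin still match them. The following is an added shell example, not code from the original post or from the chkrootkit project: it performs the copy from step 5 and also records a SHA-256 manifest, so that before each scan the live commands can be compared against the snapshot, which turns "replaced system command" from a silent failure into a reported one. Assumptions: POSIX sh with coreutils (sha256sum, or shasum as a fallback); command -v is used instead of which --skip-alias, so a shell builtin with no on-disk binary is skipped with a warning; the directory and command list are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): keep trusted copies of the commands
# chkrootkit shells out to, together with their SHA-256 hashes, so a later run can
# tell whether any of the live binaries has been swapped out before scanning.
# Assumptions: POSIX sh, coreutils, command list and backup directory from the post.

CHK_CMDS="awk cut echo egrep find head id ls netstat ps sed ssh strings uname"

# hash_file FILE: print the SHA-256 hash (sha256sum on Linux, shasum elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# backup_commands DEST CMD...: copy each command's binary into DEST and record
# "<hash> <original path>" in DEST/MANIFEST. A builtin with no on-disk file
# (command -v prints no absolute path for it) is skipped with a warning.
backup_commands() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    : > "$dest/MANIFEST"
    for c in "$@"; do
        src=$(command -v "$c" 2>/dev/null)
        case "$src" in
            /*) ;;                                       # absolute path: a real file
            *) echo "skip: $c has no on-disk binary" >&2; continue ;;
        esac
        cp -p "$src" "$dest/$c" || return 1
        printf '%s %s\n' "$(hash_file "$dest/$c")" "$src" >> "$dest/MANIFEST"
    done
}

# verify_commands DEST: re-hash each live binary listed in DEST/MANIFEST and
# compare it with the recorded hash. Prints the number of mismatches on stdout,
# lists them on stderr, and returns non-zero if any binary changed or vanished.
verify_commands() {
    dest=$1
    bad=0
    while read -r recorded path; do
        if [ ! -f "$path" ]; then
            echo "MISSING:  $path" >&2; bad=$((bad + 1)); continue
        fi
        live=$(hash_file "$path")
        if [ "$live" != "$recorded" ]; then
            echo "MODIFIED: $path (expected $recorded, got $live)" >&2
            bad=$((bad + 1))
        fi
    done < "$dest/MANIFEST"
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# sh trusted_cmds.sh backup [DIR]  -> snapshot the commands (default dir from the post)
# sh trusted_cmds.sh verify [DIR]  -> compare live binaries against the snapshot,
#                                     then run: chkrootkit -p DIR  as in step 6
case "${1:-}" in
    backup) backup_commands "${2:-/usr/share/.commands}" $CHK_CMDS ;;
    verify) verify_commands "${2:-/usr/share/.commands}" ;;
esac
```

Store MANIFEST off-host together with the commands.tar.gz from step 5: a verification that reads its expected hashes from the compromised machine proves little. Run verify before chkrootkit -p, and treat any MODIFIED line the way the post treats an INFECTED one.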