Using Chkrootkit to detect system trojans
Chkrootkit is a powerful tool to scan your *nix server for trojans and rootkits. Here I explain how to install it, scan your server, and set up a daily automated scanning job that emails you the report.
#Change to root
su -
#Download latest source
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
#Unpack the source file using the command
tar xvzf chkrootkit.tar.gz
#Change to chkrootkit source directory
cd chkrootkit
#Compile chkrootkit
make sense
#To run chkrootkit, type
./chkrootkit
A clean system should return many "nothing found" or "not infected" lines. A compromised system may return "INFECTED" or "Vulnerable".
Lastly, chkrootkit should run once a day to ensure system safety. The following script, placed in /etc/cron.daily, will scan the system once per day and report any detected trojans to the specified people via email:
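To make the verdict lines above concrete, here is an added example (not part of the original post) that filters chkrootkit output for the verdicts that need attention and counts them. The sample output is constructed to resemble chkrootkit's line format and is not a real scan; the set of verdict words matched (INFECTED, Vulnerable, Warning) is my choice based on the verdicts the post mentions plus the "Warning" the LKM check prints.

```shell
#!/bin/sh
# Added example: classify chkrootkit output. Not from the original post.

# Constructed sample of chkrootkit output (not a real scan). Note that
# "not infected" is lowercase, so a case-sensitive match on INFECTED
# only hits real findings.
sample_output() {
cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `login'... INFECTED
Checking `ls'... not infected
Checking `aliens'... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `bindshell'... INFECTED (PORTS:  465)
EOF
}

# Read chkrootkit output on stdin and print only the lines that carry a
# verdict worth reporting. Case-sensitive on purpose (see above).
chkrootkit_findings() {
    grep -E 'INFECTED|Vulnerable|Warning'
}

# Read chkrootkit output on stdin and print the number of findings
# (0 when the scan looks clean).
count_findings() {
    chkrootkit_findings | grep -c .
}

# Read chkrootkit output on stdin and print a one-word status suitable
# for a mail subject: CLEAN or FINDINGS.
scan_status() {
    n=$(count_findings)
    if [ "$n" -gt 0 ]; then
        echo FINDINGS
    else
        echo CLEAN
    fi
}

# Usage: pipe a real scan in, e.g.  ./chkrootkit | chkrootkit_findings
# The sample above yields 3 findings (login, lkm, bindshell).
sample_output | chkrootkit_findings
sample_output | scan_status
```

In a cron report, grepping for INFECTED alone silently drops the "Vulnerable" and "Warning" verdicts, so a wider pattern like the one in `chkrootkit_findings` gives a more complete picture of what the scan flagged.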
# cat /etc/cron.daily/chkrootkit.sh
#!/bin/bash
# Recipients of the report
SYSADMIN1=admin1@email.com
SYSADMIN2=admin2@email.com
# Where the temporary result file is written
TMPDIR=/tmp
HOSTNAME=`hostname`
DATE=`date "+%d/%m/%Y %H:%M"`
# Path to the chkrootkit binary (adjust to your installed version)
CHKROOTKIT=/usr/local/chkrootkit-0.46a/chkrootkit
MAIL=mail

# Clean up before it runs: if the temp file cannot be removed, something
# may be trying to tamper with the checker, so alert and stop.
rm -f "$TMPDIR/chkrootkit.$$"
if [ -f "$TMPDIR/chkrootkit.$$" ]; then
    echo "Chkrootkit temp files exist in $TMPDIR directory that cannot be removed. This may be an attempt to spoof the checker." | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" -c "$SYSADMIN1" "$SYSADMIN2"
    exit 1
fi

# Check for root kits: keep only INFECTED lines, mail them if any exist
"$CHKROOTKIT" | grep INFECTED > "$TMPDIR/chkrootkit.$$"
if [ -s "$TMPDIR/chkrootkit.$$" ]; then
    cat "$TMPDIR/chkrootkit.$$" | $MAIL -s "$DATE - ROOTKIT DETECTED ON $HOSTNAME!" -c "$SYSADMIN1" "$SYSADMIN2"
fi

# Clean Up
rm -f "$TMPDIR/chkrootkit.$$"

It seems I've used chkrootkit to scan my system before. It doesn't seem very useful... it didn't seem to find a single rootkit...
I even made myself a rootkit with an SSH backdoor...
Hahaha... Oh, learned something, hehe. choatrue, what do you use? I'm also looking for things like this now!