RKHunter: a rootkit / backdoor detection tool

Posted in: Security
Note: this post was created on November 11, 2015, more than 2 years ago; its content or images may be out of date.

RKHunter (Rootkit Hunter) is a dedicated tool for checking whether a system has been infected with a rootkit. It can:
Run hash checks on files to detect whether they have been modified (the default hash function is SHA1, falling back to MD5; see --hash)
Detect the binaries and system tool files used by rootkits
Detect the signatures of trojan horse programs
Check whether the file attributes of commonly used programs are abnormal
Run other system-related checks
Detect hidden files
Detect suspicious loadable kernel modules (LKM)
Check the listening ports on the system
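The hash and file-attribute checks in the list above work by comparing each binary against a stored baseline: rkhunter records the baseline with `--propupd` and compares against it during `-c`. The shell script below is an added illustration of that mechanism, not rkhunter's own code: it baselines a set of files with sha256sum and GNU `stat`, then verifies them, reporting a changed file as Warning and a removed one as Missing. The function names, the one-line-per-file database format and the choice of SHA-256 are assumptions of this example (rkhunter itself defaults to SHA1 then MD5 and records more attributes than shown here). It also shows why a legitimate package update produces a Warning until the baseline is refreshed.

```shell
#!/bin/sh
# Added illustration, not rkhunter's own code: a minimal file-properties baseline
# (what `rkhunter --propupd` stores) and verification (what `rkhunter -c` compares),
# using sha256sum and GNU `stat -c` for mode, owner, group and size.
# Database format, assumed for this example (one line per file):
#   PATH SHA256 MODE UID GID SIZE
# Paths must not contain whitespace, because records are split on spaces when read.

# One database record for a file.
prop_line() {
    pl_sum=$(sha256sum "$1" | cut -d' ' -f1)
    pl_attrs=$(stat -c '%a %u %g %s' "$1")
    printf '%s %s %s\n' "$1" "$pl_sum" "$pl_attrs"
}

# Build (or rebuild) the baseline: prop_baseline DBFILE FILE...
prop_baseline() {
    pb_db=$1
    shift
    : > "$pb_db"
    for pb_f in "$@"; do
        prop_line "$pb_f" >> "$pb_db"
    done
}

# Verify every file in the baseline: prop_verify DBFILE
# Prints one result line per file (OK / Warning / Missing) in rkhunter's style
# and returns 1 if anything is not OK, so a wrapper can alert on it.
prop_verify() {
    pv_rc=0
    while read -r pv_f pv_sum pv_mode pv_uid pv_gid pv_size; do
        if [ ! -e "$pv_f" ]; then
            printf '%-40s [ Missing ]\n' "$pv_f"
            pv_rc=1
        elif [ "$(prop_line "$pv_f")" = "$pv_f $pv_sum $pv_mode $pv_uid $pv_gid $pv_size" ]; then
            printf '%-40s [ OK ]\n' "$pv_f"
        else
            # Content, permissions, ownership or size differ from the baseline:
            # either tampering, or a legitimate update that needs a new baseline.
            printf '%-40s [ Warning ]\n' "$pv_f"
            pv_rc=1
        fi
    done < "$1"
    return $pv_rc
}
```

Take the baseline once on a system you trust (for example `prop_baseline /var/lib/mybaseline.db /bin/ls /bin/ps /usr/bin/ssh`), run `prop_verify` from cron, and after a package update rebuild the entry for the changed file only, which is what `rkhunter --propupd <file>` does for its own database.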

[Official site][1]

Installation

```shell
# unpack the release tarball downloaded from the official site
tar zxvf rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2
# the default layout puts the program at /usr/local/bin/rkhunter
./installer.sh --layout default --install
```

rkhunter help text

```
/usr/local/bin/rkhunter --help

Usage: rkhunter {--check | --unlock | --update | --versioncheck |
                 --propupd [{filename | directory | package name},...] |
                 --list [{tests | {lang | languages} | rootkits | perl | propfiles}] |
                 --config-check | --version | --help} [options]

Current options are:
         --append-log                  Append to the logfile, do not overwrite
         --bindir <directory>...       Use the specified command directories
     -c, --check                       Check the local system   # required for a scan: check the current system
     -C, --config-check                Check the configuration file(s), then exit
  --cs2, --color-set2                  Use the second color set for output
         --configfile <file>           Use the specified configuration filename     # use a specific configuration file
         --cronjob                     Run as a cron job    # run periodically as a cron task
                                       (implies -c, --sk and --nocolors options)
         --dbdir <directory>           Use the specified database directory
         --debug                       Debug mode
                                       (Do not use unless asked to do so)
         --disable <test>[,<test>...]  Disable specific tests
                                       (Default is to disable no tests)
         --display-logfile             Display the logfile at the end
         --enable  <test>[,<test>...]  Enable specific tests
                                       (Default is to enable all tests)
         --hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |
                 NONE | <command>}     Use the specified file hash function
                                       (Default is SHA1, then MD5)
     -h, --help                        Display this help menu, then exit
 --lang, --language <language>         Specify the language to use
                                       (Default is English)
         --list [tests | languages |   List the available test names, languages,
                 rootkits | perl |     rootkit names, perl module status
                 propfiles]            or file properties database, then exit
     -l, --logfile [file]              Write to a logfile
                                       (Default is /var/log/rkhunter.log)
         --noappend-log                Do not append to the logfile, overwrite it
         --nocf                        Do not use the configuration file entries
                                       for disabled tests (only valid with --disable)
         --nocolors                    Use black and white output
         --nolog                       Do not write to a logfile
--nomow, --no-mail-on-warning          Do not send a message if warnings occur
   --ns, --nosummary                   Do not show the summary of check results
 --novl, --no-verbose-logging          No verbose logging
         --pkgmgr {RPM | DPKG | BSD |  Use the specified package manager to obtain or
                   SOLARIS | NONE}     verify file property values. (Default is NONE)
         --propupd [file | directory | Update the entire file properties database,
                    package]...        or just for the specified entries
     -q, --quiet                       Quiet mode (no output at all)
  --rwo, --report-warnings-only        Show only warning messages
   --sk, --skip-keypress               Don't wait for a keypress after each tests   # run unattended, skip keyboard input
         --summary                     Show the summary of system check results     # show the summary statistics of the check
                                       (This is the default)
         --syslog [facility.priority]  Log the check start and finish times to syslog
                                       (Default level is authpriv.notice)
         --tmpdir <directory>          Use the specified temporary directory
         --unlock                      Unlock (remove) the lock file
         --update                      Check for updates to database files      # check for database updates
   --vl, --verbose-logging             Use verbose logging (on by default)
     -V, --version                     Display the version number, then exit    # show the version
         --versioncheck                Check for latest version of program      # check for the latest program version
     -x, --autox                       Automatically detect if X is in use
     -X, --no-autox                    Do not automatically detect if X is in use
```

Usage

```
/usr/local/bin/rkhunter -c
# This is the first part of the scan: the system command checks, which mainly
# examine the system's binaries, because those are the files most commonly
# tampered with. OK means normal; Warning means something abnormal that needs
# attention; Not found (and None found) is informational and can usually be ignored.
[ Rootkit Hunter version 1.4.2 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ Warning ]
    /usr/local/bin/rkhunter                                  [ OK ]
    /sbin/chkconfig                                          [ OK ]
    /sbin/depmod                                             [ OK ]
    /sbin/fsck                                               [ OK ]
    /sbin/fuser                                              [ OK ]
    /sbin/ifconfig                                           [ OK ]
    /sbin/ifdown                                             [ Warning ]
    /sbin/ifup                                               [ Warning ]
    /sbin/init                                               [ OK ]
    /sbin/insmod                                             [ OK ]
    /sbin/ip                                                 [ OK ]
    /sbin/lsmod                                              [ OK ]
    /sbin/modinfo                                            [ OK ]
    /sbin/modprobe                                           [ OK ]
    /sbin/nologin                                            [ OK ]
    /sbin/rmmod                                              [ OK ]
    /sbin/route                                              [ OK ]
    /sbin/rsyslogd                                           [ OK ]
    /sbin/runlevel                                           [ OK ]
    /sbin/sulogin                                            [ OK ]
    /sbin/sysctl                                             [ OK ]
    /bin/awk                                                 [ OK ]
    /bin/basename                                            [ OK ]
    /bin/bash                                                [ OK ]
    /bin/cat                                                 [ OK ]
    /bin/chmod                                               [ OK ]
    /bin/chown                                               [ OK ]
    /bin/cp                                                  [ OK ]
    /bin/cut                                                 [ OK ]
    /bin/date                                                [ OK ]
    /bin/df                                                  [ OK ]
    /bin/dmesg                                               [ OK ]
    /bin/echo                                                [ OK ]
    /bin/egrep                                               [ OK ]
    /bin/env                                                 [ OK ]
    /bin/fgrep                                               [ OK ]
    /bin/find                                                [ OK ]
    /bin/grep                                                [ OK ]
    /bin/kill                                                [ OK ]
    /bin/logger                                              [ OK ]
    /bin/login                                               [ OK ]
    /bin/ls                                                  [ OK ]
    /bin/mktemp                                              [ OK ]
    /bin/more                                                [ OK ]
    /bin/mount                                               [ OK ]
    /bin/mv                                                  [ OK ]
    /bin/netstat                                             [ OK ]
    /bin/ping                                                [ OK ]
    /bin/ps                                                  [ OK ]
    /bin/pwd                                                 [ OK ]
    /bin/readlink                                            [ OK ]
    /bin/rpm                                                 [ OK ]
    /bin/sed                                                 [ OK ]
    /bin/sh                                                  [ OK ]
    /bin/sort                                                [ OK ]
    /bin/su                                                  [ OK ]
    /bin/touch                                               [ OK ]
    /bin/uname                                               [ OK ]
    /bin/gawk                                                [ OK ]
    /usr/sbin/adduser                                        [ OK ]
    /usr/sbin/chroot                                         [ OK ]
    /usr/sbin/groupadd                                       [ OK ]
    /usr/sbin/groupdel                                       [ OK ]
    /usr/sbin/groupmod                                       [ OK ]
    /usr/sbin/grpck                                          [ OK ]
    /usr/sbin/pwck                                           [ OK ]
    /usr/sbin/sestatus                                       [ OK ]
    /usr/sbin/sshd                                           [ OK ]
    /usr/sbin/useradd                                        [ OK ]
    /usr/sbin/userdel                                        [ OK ]
    /usr/sbin/usermod                                        [ OK ]
    /usr/sbin/vipw                                           [ OK ]
    /usr/bin/awk                                             [ OK ]
    /usr/bin/chattr                                          [ OK ]
    /usr/bin/curl                                            [ OK ]
    /usr/bin/cut                                             [ OK ]
    /usr/bin/diff                                            [ OK ]
    /usr/bin/dirname                                         [ OK ]
    /usr/bin/du                                              [ OK ]
    /usr/bin/env                                             [ OK ]
    /usr/bin/file                                            [ OK ]
    /usr/bin/find                                            [ OK ]
    /usr/bin/groups                                          [ OK ]
    /usr/bin/head                                            [ OK ]
    /usr/bin/id                                              [ OK ]
    /usr/bin/kill                                            [ OK ]
    /usr/bin/killall                                         [ OK ]
    /usr/bin/last                                            [ OK ]
    /usr/bin/lastlog                                         [ OK ]
    /usr/bin/ldd                                             [ Warning ]
    /usr/bin/less                                            [ OK ]
    /usr/bin/logger                                          [ OK ]
    /usr/bin/lsattr                                          [ OK ]
    /usr/bin/md5sum                                          [ OK ]
    /usr/bin/newgrp                                          [ OK ]
    /usr/bin/passwd                                          [ OK ]
    /usr/bin/perl                                            [ OK ]
    /usr/bin/pgrep                                           [ OK ]
    /usr/bin/pkill                                           [ OK ]
    /usr/bin/pstree                                          [ OK ]
    /usr/bin/readlink                                        [ OK ]
    /usr/bin/runcon                                          [ OK ]
    /usr/bin/sha1sum                                         [ OK ]
    /usr/bin/sha224sum                                       [ OK ]
    /usr/bin/sha256sum                                       [ OK ]
    /usr/bin/sha384sum                                       [ OK ]
    /usr/bin/sha512sum                                       [ OK ]
    /usr/bin/size                                            [ OK ]
    /usr/bin/ssh                                             [ OK ]
    /usr/bin/stat                                            [ OK ]
    /usr/bin/strings                                         [ OK ]
    /usr/bin/sudo                                            [ OK ]
    /usr/bin/tail                                            [ OK ]
    /usr/bin/test                                            [ OK ]
    /usr/bin/top                                             [ OK ]
    /usr/bin/tr                                              [ OK ]
    /usr/bin/uniq                                            [ OK ]
```

(The captured output is cut off at this point in the original post.)

A Warning in the file properties checks is not by itself proof of a rootkit. Those checks compare each file's hash and attributes against the properties database that rkhunter stores when `rkhunter --propupd` is run. If that baseline was never taken after installation, or the distribution has since updated a package, the legitimately changed file is reported as a Warning; on many distributions /sbin/ifup, /sbin/ifdown and /usr/bin/ldd are shell scripts rather than binaries, which rkhunter also flags unless they are whitelisted in its configuration. The actual reason for each Warning is written to /var/log/rkhunter.log (or shown at the end with --display-logfile), so read it before deciding. Once a change is confirmed legitimate, for example by verifying the file against the package manager, which `--pkgmgr RPM` or `--pkgmgr DPKG` lets rkhunter do on its own, re-baseline with `rkhunter --propupd`, optionally for just that file. For unattended runs, `--cronjob --report-warnings-only` prints only the warnings and rkhunter exits with a non-zero status when there are any.
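Two parts of this page fit together for a scheduled scan: the `--cronjob`, `--report-warnings-only`, `--append-log` and `--nocolors` options from the help text, and the OK / Warning / Not found result column in the check output above. The shell below is an added example, not part of rkhunter or of the original post. `rkhunter_findings` reduces the output of `rkhunter -c --sk --nocolors` (piped in, or a saved copy of it) to the items marked Warning, dropping OK, None found and Not found; `rkhunter_warning_count` gives the count for a metric or threshold; `rkhunter_cron` is one assumed way of wiring the scan into cron and uses the default binary path this page installs to. The sample lines used to exercise it are constructed from the scan shown above.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: helpers for running rkhunter unattended
# and triaging its results. Assumes the default layout used on this page
# (/usr/local/bin/rkhunter, log in /var/log/rkhunter.log).

# Print only the items that rkhunter marked "[ Warning ]", one per line, with the
# leading indentation and the result column stripped. Lines marked OK, "None found"
# or "Not found" are informational and are dropped. Reads the files given as
# arguments, or stdin. Returns 1 when at least one warning was seen, 0 otherwise.
# Feed it output produced with --nocolors: colour escape codes would otherwise
# sit inside the brackets and defeat the match.
rkhunter_findings() {
    awk '
        /\[ Warning \]/ {
            sub(/^[ \t]+/, "")
            sub(/[ \t]+\[ Warning \][ \t]*$/, "")
            print
            n++
        }
        END { if (n > 0) exit 1; exit 0 }
    ' "$@"
}

# Number of "[ Warning ]" lines in the given output (0 when there are none).
rkhunter_warning_count() {
    awk '/\[ Warning \]/ { n++ } END { print n + 0 }' "$@"
}

# Unattended scan as it would be started from cron (assumed wiring):
#   --cronjob               implies -c, --sk and --nocolors
#   --report-warnings-only  prints only the warning messages
#   --append-log            keeps earlier runs in /var/log/rkhunter.log
# The database update runs first; its exit status is ignored so that an
# unreachable mirror does not stop the scan. rkhunter exits non-zero when it
# reports warnings, and that status is passed back to the caller (and to cron).
rkhunter_cron() {
    rkh=${RKHUNTER:-/usr/local/bin/rkhunter}   # override with RKHUNTER=... for another layout
    "$rkh" --update >/dev/null 2>&1 || :
    "$rkh" --cronjob --report-warnings-only --append-log
}

# Interactive triage (not run here): keep the full output, list only the items
# that need a look, and read /var/log/rkhunter.log for the reason behind each one.
#   /usr/local/bin/rkhunter -c --sk --nocolors > /tmp/rkh.out; rkhunter_findings /tmp/rkh.out
```

`rkhunter_findings` returns 1 when it printed anything, so `rkhunter_findings /tmp/rkh.out || notify` is enough to gate an alert; the `--report-warnings-only` output of `rkhunter_cron` is already reduced to the warning messages themselves and needs no filtering.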

» Please credit the source when reposting: 若我若鱼 » RKHunter: a rootkit / backdoor detection tool
