操作系统安全：chkrootkit及rkhunter使用

1、chkrootkit 及 rkhunter 使用chkrootkit安装使用安装编译工具包yum install gcc gcc-c+ makeyum install glibc-static安装 chkrootkitcd /usr/local/src/wget #下载软彳牛包tar zxvf chkrootkit.tar.gz #解压cd chkrootkit-0.52make sense #安装mv /usr/local/src/chkrootkit-0.52 /usr/local/chkrootkit #拷贝到安装目录chkrootkit参数说明Usage: ./chkrootkit o

2、ptions test.Options:h显示帮助信息V显示版本信息I显示测试内容d debug模式，显示检测过程的相关指令程序q安静模式，只显示有问题局部，X高级模式，显示所有检测结果-rdir设定指定的目录为根目录p dirl:dir2:dirN检测指定目录n跳过NFS连接的目录使用 chkrootkit/usr/local/chkrootkit/chkrootkitcd /usr/local/chkrootkit,/chkrootkit | grep INFECTED出现INFECTED就说明系统可能有问题了./chkrootkit | grep INFECTED备注：CentOS 7.

3、x可能会出现下面的提示，原因是系统默认缺少netstat命令 chkrootkit: cant find netstat,.yum whatprovides *netstat #查看命令所在的安装包yum install net-snmp-utils net-tools #安装netstat命令即可rkhunter安装使用rkhunter是Linux下的一款开源入侵检测工具jkhunter具有比chrootkit更为全面的扫 描范围。除rootkit特征码扫描外，rkhunter还支持端口扫描，常用开源软件版本和文件变 动情况检查等。解压安装#./installer.sh -hrooteKen

4、ny:-# tar zxvf rkhunter-1.4.Z.tar,gzrootKenny:-# cd rkhunter-1.4.2/ rootKenny:-/rkhunter-1.4.2# IsrootKenny:/rkhunter-l.4.2# mkdir -p /usr/local/rkhunterrootKenny:/rkhunter-l.4.2# ./installer.sh -layout custom /usr/local/rkhunter -install rootKenny:/usr/local/rkhunter/bin# ./rkhunter -hUsage: rkhunt

5、er -check I -unlock I -update I -versioncheck I-propupd filename I directory I package name,. Ilist tests I lang I languages I rootkits I perl I propftles-config-check I -version I -help optionsCurrent options are:-append-log-Current options are:-append-log-bindir .-c, -check-C, -config-check-csZ, -

6、color-setZ-configfile -cronjobdbdir -debug-disable ,.-display-logfile-enable C,.hash MD5 I SHA1 I SHA224 I SHA256 I SHA384 I NONE I command Use the specified (Default is SHAl,-hel。Disolav this helpAppend to the logfile, do not overwrite Use the specified command directories Check the local systemChe

7、ck the configuration file(s), then exitUse the second color set for outputUse the specified configuration fileRun as a cron job(implies -c, -sk and -nocolors options)Use the specified database directoryDebug mode(Do not use unless asked to do so)Disable specific tests(Default is to disable no tests)

8、Display the logfile at the endEnable specific tests(Default is to enable all tests)SHA512 Ifile hash functionthen MD5)menu一 then exitOrdered valid parameters:-help (-h):显示帮助-examples :显示安装实例-layout :选择安装模板(安装必选参数).模板选择：default: (FHS compliant),/usr,/usr/local,oldschool:之前版本安装路径， -custom:自定义安装路径,RPM:

9、 for building RPMs. Requires $RPM_BUILD_ROOT.-DEB: for building DEBs. Requires $DEB_BUILD_ROOT.-striproot: Strip path from custom layout (for package maintainers).-install :根据选择目录安装-show :显示安装路径remove :卸载rkhunterversion :显示安装版本更新病毒库rkhunter updaterootKenny:/usr/local/rkhunter/bin# ./rkhunter -update

10、rkhunter 操作#/usr/local/bin/rkhunter -propupd#/usr/local/bin/rkhunter -c -skrootKenny:/usr/Local/rkhunter/bin# ./rkhunter -c -sk Rootkit Hunter version 1.4.Z 1Checking system commands.Performing strings command checksChecking strings command OK Performing Performing Checking Checking CheckingPerformi

11、ng Checking Checking Checkingshared Libraries Performing Checking Checking Checkingshared Libraries checks for preloading variables for preloaded libraries LD_LIBRARY_PATH variableNone found None found Not found n n a a K K K K K K wwooooooPerforming file properties checks Checking for prerequisites

12、 /usr/sbln/adduser /usr/sbin/chroot /usr/sbin/cron /usr/sbin/groupadd /usr/sbin/groupdel /usr/sbin/groupmod /usr/sbtn/grpckn n a a K K K K K K wwoooooo查找相应Warning的日志root#Kenny:/usr/local/rkhunter/bin# cat /var/log/rkhunter.log Igrep Warning15:59:27；Warning: Checking for prerequisites Warning 15:59:2

13、7；Warning: WARNING 1 It is the users responsibility to ensure that when the -propupd* opt15:59:28：/usr/sbin/adduser Warning 15:59:28：Warning: The command */usr/sbin/adduser* has been replaced by a script: /usr/sbin/adduse15:59:32；/usr/bin/ldd Warning 15:59:32：Warning: The command */usr/bin/ldd* has

14、been replaced by a script: /usr/bin/ldd: Bourne-15:59:40/bin/egrep Warning 15:59:40Warning: The command */bin/egrep* has been replaced by a script: /bin/egrep: POSIX shell15:59:40/bin/fgrep Warning 15:59:40；Warning: The command */bin/fgrep* has been replaced by a script: /bin/fgrep: POSIX shell15:59

15、:43：/bin/which Warning 15:59:43：Warning: The command Vbin/which* has been replaced by a script: /bin/whtch: POSIX shell16:00:45；Checking for enabled inetd services Warning 16:00:45；Warning: Found enabled inetd service: tftp16:00:53；Checking if SSH root access is allowed Warning 16:00:53；Warning: The

16、 SSH and rkhunter configuration options should be the same:16:00:58Checking /dev for suspicious file types Warning 16:00:58Warning: Suspicious file types found in /dev:16:00:58Checking for hidden files and directories Warning Wnrni nn- Hi ddpn di rpr+nrv fnund /ptr/ invn指令参数说明#/usr/local/bin/rkhunte

17、rUsage: rkhunter -check | update | versioncheck | propupd filename | directory | package name,. | list tests | lang | languages | rootkits,. | version | -help optionsCurrent options are: -append-log在日志文件后追加日志，而不覆盖原有日志 bindir . Use the specified command directories-cz -check检测当前系统 cs2, -color-set2 Us

18、e the second color set for output-configfile 使用特定的配置文件-cronjob作为cron定期运行（包含参数-c, sk, nocolors ）dbdir Use the specified database directory -debug Debug模式（不要使用除非要求使用）-disable L.跳过指定检查对象(默认为无)-display-logfile在最后显示日志文件内容-enable ,.对指定检测对象进行检查(默认检测所有对象)-hash MD5 | SHA1 | NONE |使用指定的文件哈希函数 (Default is SHA1)-hz -help显示帮助菜单-lang, -language 才旨定使用的语言(Default is English)-list tests | languages |罗列测试对象明朝，使用语言，可检测的木马程序rootkits-I, -logfile file写到指定的日志文件名(Default is /var/log/rkhunter.log)-noappend-log不追加日志，直接覆盖日志文件-nocolors输出只显示黑白两色-nolog不