操作系統(tǒng)安全：chkrootkit及rkhunter使用

1、chkrootkit 及 rkhunter 使用chkrootkit安裝使用安裝編譯工具包yum install gcc gcc-c+ makeyum install glibc-static安裝 chkrootkitcd /usr/local/src/wget #下載軟彳牛包tar zxvf chkrootkit.tar.gz #解壓cd chkrootkit-0.52make sense #安裝mv /usr/local/src/chkrootkit-0.52 /usr/local/chkrootkit #拷貝到安裝目錄chkrootkit參數(shù)說明Usage: ./chkrootkit o

2、ptions test.Options:h顯示幫助信息V顯示版本信息I顯示測試內(nèi)容d debug模式，顯示檢測過程的相關(guān)指令程序q安靜模式，只顯示有問題局部，X高級模式，顯示所有檢測結(jié)果-rdir設(shè)定指定的目錄為根目錄p dirl:dir2:dirN檢測指定目錄n跳過NFS連接的目錄使用 chkrootkit/usr/local/chkrootkit/chkrootkitcd /usr/local/chkrootkit,/chkrootkit | grep INFECTED出現(xiàn)INFECTED就說明系統(tǒng)可能有問題了./chkrootkit | grep INFECTED備注：CentOS 7.

3、x可能會(huì)出現(xiàn)下面的提示，原因是系統(tǒng)默認(rèn)缺少netstat命令 chkrootkit: cant find netstat,.yum whatprovides *netstat #查看命令所在的安裝包yum install net-snmp-utils net-tools #安裝netstat命令即可rkhunter安裝使用rkhunter是Linux下的一款開源入侵檢測工具jkhunter具有比chrootkit更為全面的掃 描范圍。除rootkit特征碼掃描外，rkhunter還支持端口掃描，常用開源軟件版本和文件變 動(dòng)情況檢查等。解壓安裝#./installer.sh -hrooteKen

4、ny:-# tar zxvf rkhunter-1.4.Z.tar,gzrootKenny:-# cd rkhunter-1.4.2/ rootKenny:-/rkhunter-1.4.2# IsrootKenny:/rkhunter-l.4.2# mkdir -p /usr/local/rkhunterrootKenny:/rkhunter-l.4.2# ./installer.sh -layout custom /usr/local/rkhunter -install rootKenny:/usr/local/rkhunter/bin# ./rkhunter -hUsage: rkhunt

5、er -check I -unlock I -update I -versioncheck I-propupd filename I directory I package name,. Ilist tests I lang I languages I rootkits I perl I propftles-config-check I -version I -help optionsCurrent options are:-append-log-Current options are:-append-log-bindir .-c, -check-C, -config-check-csZ, -

6、color-setZ-configfile -cronjobdbdir -debug-disable ,.-display-logfile-enable C,.hash MD5 I SHA1 I SHA224 I SHA256 I SHA384 I NONE I command Use the specified (Default is SHAl,-hel。Disolav this helpAppend to the logfile, do not overwrite Use the specified command directories Check the local systemChe

7、ck the configuration file(s), then exitUse the second color set for outputUse the specified configuration fileRun as a cron job(implies -c, -sk and -nocolors options)Use the specified database directoryDebug mode(Do not use unless asked to do so)Disable specific tests(Default is to disable no tests)

8、Display the logfile at the endEnable specific tests(Default is to enable all tests)SHA512 Ifile hash functionthen MD5)menu一 then exitOrdered valid parameters:-help (-h):顯示幫助-examples :顯示安裝實(shí)例-layout :選擇安裝模板(安裝必選參數(shù)).模板選擇：default: (FHS compliant),/usr,/usr/local,oldschool:之前版本安裝路徑， -custom:自定義安裝路徑,RPM:

9、 for building RPMs. Requires $RPM_BUILD_ROOT.-DEB: for building DEBs. Requires $DEB_BUILD_ROOT.-striproot: Strip path from custom layout (for package maintainers).-install :根據(jù)選擇目錄安裝-show :顯示安裝路徑remove :卸載rkhunterversion :顯示安裝版本更新病毒庫rkhunter updaterootKenny:/usr/local/rkhunter/bin# ./rkhunter -update

10、rkhunter 操作#/usr/local/bin/rkhunter -propupd#/usr/local/bin/rkhunter -c -skrootKenny:/usr/Local/rkhunter/bin# ./rkhunter -c -sk Rootkit Hunter version 1.4.Z 1Checking system commands.Performing strings command checksChecking strings command OK Performing Performing Checking Checking CheckingPerformi

11、ng Checking Checking Checkingshared Libraries Performing Checking Checking Checkingshared Libraries checks for preloading variables for preloaded libraries LD_LIBRARY_PATH variableNone found None found Not found n n a a K K K K K K wwooooooPerforming file properties checks Checking for prerequisites

12、 /usr/sbln/adduser /usr/sbin/chroot /usr/sbin/cron /usr/sbin/groupadd /usr/sbin/groupdel /usr/sbin/groupmod /usr/sbtn/grpckn n a a K K K K K K wwoooooo查找相應(yīng)Warning的日志root#Kenny:/usr/local/rkhunter/bin# cat /var/log/rkhunter.log Igrep Warning15:59:27；Warning: Checking for prerequisites Warning 15:59:2

13、7；Warning: WARNING 1 It is the users responsibility to ensure that when the -propupd* opt15:59:28：/usr/sbin/adduser Warning 15:59:28：Warning: The command */usr/sbin/adduser* has been replaced by a script: /usr/sbin/adduse15:59:32；/usr/bin/ldd Warning 15:59:32：Warning: The command */usr/bin/ldd* has

14、been replaced by a script: /usr/bin/ldd: Bourne-15:59:40/bin/egrep Warning 15:59:40Warning: The command */bin/egrep* has been replaced by a script: /bin/egrep: POSIX shell15:59:40/bin/fgrep Warning 15:59:40；Warning: The command */bin/fgrep* has been replaced by a script: /bin/fgrep: POSIX shell15:59

15、:43：/bin/which Warning 15:59:43：Warning: The command Vbin/which* has been replaced by a script: /bin/whtch: POSIX shell16:00:45；Checking for enabled inetd services Warning 16:00:45；Warning: Found enabled inetd service: tftp16:00:53；Checking if SSH root access is allowed Warning 16:00:53；Warning: The

16、 SSH and rkhunter configuration options should be the same:16:00:58Checking /dev for suspicious file types Warning 16:00:58Warning: Suspicious file types found in /dev:16:00:58Checking for hidden files and directories Warning Wnrni nn- Hi ddpn di rpr+nrv fnund /ptr/ invn指令參數(shù)說明#/usr/local/bin/rkhunte

17、rUsage: rkhunter -check | update | versioncheck | propupd filename | directory | package name,. | list tests | lang | languages | rootkits,. | version | -help optionsCurrent options are: -append-log在日志文件后追加日志，而不覆蓋原有日志 bindir . Use the specified command directories-cz -check檢測當(dāng)前系統(tǒng) cs2, -color-set2 Us

18、e the second color set for output-configfile 使用特定的配置文件-cronjob作為cron定期運(yùn)行（包含參數(shù)-c, sk, nocolors ）dbdir Use the specified database directory -debug Debug模式（不要使用除非要求使用）-disable L.跳過指定檢查對象(默認(rèn)為無)-display-logfile在最后顯示日志文件內(nèi)容-enable ,.對指定檢測對象進(jìn)行檢查(默認(rèn)檢測所有對象)-hash MD5 | SHA1 | NONE |使用指定的文件哈希函數(shù) (Default is SHA1)-hz -help顯示幫助菜單-lang, -language 才旨定使用的語言(Default is English)-list tests | languages |羅列測試對象明朝，使用語言，可檢測的木馬程序rootkits-I, -logfile file寫到指定的日志文件名(Default is /var/log/rkhunter.log)-noappend-log不追加日志，直接覆蓋日志文件-nocolors輸出只顯示黑白兩色-nolog不