Checking for rootkits on Linux with chkrootkit and rkhunter
1 What is a rootkit
As the name suggests, it is a kit for obtaining root privileges. You can think of it as a set of trojan tools that replace the original commands on a Linux system with their own versions. For example, once it has replaced the ps command, running ps will silently hide the processes the rootkit is running, so we never see the trojan at work.
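Because a rootkit works by swapping out binaries such as ps, the basic defensive check is file integrity: compare each command's hash against a baseline recorded while the host was known-good. The script below is an added example written for this page, not code from the original post or from chkrootkit or rkhunter; the function names (hash_file, make_baseline, verify_baseline) and the stand-in "binaries" written into a temporary directory are constructed for the demonstration, so it runs without touching real system files.

```shell
#!/bin/sh
# Added example (not from the original post, chkrootkit or rkhunter): a minimal
# file-integrity baseline for command binaries. A rootkit that replaces ps/ls/
# netstat changes the file's hash, so a baseline taken on a known-good host
# exposes the swap. Function names and sample files are constructed for this demo.

# Print the SHA-256 of one file (falls back to shasum where sha256sum is absent).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_baseline DIR OUTFILE: record "hash path" for every regular file in DIR.
# OUTFILE must live outside DIR so the baseline never hashes itself.
make_baseline() {
    dir=$1; out=$2
    : > "$out"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$out"
    done
}

# verify_baseline BASEFILE: print a CHANGED or MISSING line for every file whose
# hash differs from the baseline or that has disappeared; exit 0 if clean, 1 if not.
verify_baseline() {
    base=$1; rc=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(hash_file "$path")" != "$sum" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$base"
    return $rc
}

# demo: constructed stand-in "binaries" in a temp dir (not real system files),
# baseline them, then simulate a replaced ps and show the check catching it.
demo() {
    bindir=$(mktemp -d); basefile=$(mktemp)
    printf '#!/bin/sh\necho original ps\n' > "$bindir/ps"
    printf '#!/bin/sh\necho original ls\n' > "$bindir/ls"
    make_baseline "$bindir" "$basefile"
    # Simulated rootkit: ps is overwritten with a different file.
    printf '#!/bin/sh\necho tampered\n' > "$bindir/ps"
    if verify_baseline "$basefile"; then
        echo "clean"
    else
        echo "integrity violation detected under $bindir"
    fi
    rm -rf "$bindir" "$basefile"
}

demo
```

The baseline only has value if it was captured before compromise and is stored somewhere the host cannot rewrite (read-only media or another machine), and the hashing tools themselves must be trusted; this is the same reason chkrootkit offers the -p option shown below, so that the external commands it depends on can be taken from a known-good copy rather than the possibly replaced ones on the system under test.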

2 chkrootkit

About: http://www.chkrootkit.org/
Download: ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
It can be run directly after unpacking.

[root@done opt]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
[root@done opt]# cd chkrootkit-0.49/
[root@done chkrootkit-0.49]# ./chkrootkit -h
Usage: ./chkrootkit [options] [test ...]
Options:
        -h                show this help and exit
        -V                show version information and exit
        -l                show available tests and exit
        -d                debug
        -q                quiet mode
        -x                expert mode
        -r dir            use dir as the root directory
        -p dir1:dir2:dirN path for the external commands used by chkrootkit
        -n                skip NFS mounted dirs
[root@done chkrootkit-0.49]# ./chkrootkit

3 rkhunter

About: http://www.rootkit.nl/projects/rootkit_hunter.html
Download: http://sourceforge.net/projects/rkhunter/

Unpack and install
[root@done opt]# tar -zxvf rkhunter-1.3.6.tar.gz
[root@done rkhunter-1.3.6]# ./installer.sh --install
[root@done rkhunter-1.3.6]# ./installer.sh --show
Install into:       /usr/local
Application:        /usr/local/bin
Configuration file: /etc
Documents:          /usr/local/share/doc/rkhunter-1.3.6
Man page:           /usr/local/share/man/man8
Scripts:            /usr/local/lib/rkhunter/scripts
Databases:          /var/lib/rkhunter/db
Temporary files:    /var/lib/rkhunter/tmp

[root@done rkhunter-1.3.6]# /usr/local/bin/rkhunter -c