使用chkrootkit工具保护服务器

发表于 更新于 分类于

安装chkrootkit,你可以自己去 http://www.chkrootkit.org/download/ 下载源码包,然后自己编译,也可以和我一样偷懒用别人做好的二进制包. centos 下用非官方源安装chkrootkit: 首先添加dag 源for centos(我的系统是centos5.2).

1
2
3
4
5
6
7
8
vi /etc/yum.repos.d/dag.repo

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1
rpm –import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt

yum 安装chkrootkit:

1
2
yum update
yum install chkrootkit

chkrootkit的应用: chkrootkit 的使用非常简单直接运行 chkrootkit 命令,然后会有如下输出:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
ROOTDIR is '/'
Checking 'amd'… not found
Checking 'basename'… not infected
Checking 'biff'… not found
Checking 'chfn'… not infected
Checking 'chsh'… not infected
Checking 'cron'… not infected
Checking 'crontab'… not infected
Checking 'date'… not infected
Checking 'du'… not infected
Checking 'dirname'… not infected
Checking 'echo'… not infected
Checking 'egrep'… not infected
Checking 'env'… not infected

如果有rootkit会报”INFECTED” 所以可以直接用chkrootkit -n|grep ‘INFECTED’更直接一些. 定时检测并在出问题时给管理员发邮件. 创建如下脚本chkrootkit.sh并放入crontab 定时运行.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
cat chkrootkit.sh
#!/bin/bash
PATH=/usr/bin:/bin
TMPLOG=mktemp
# Run the chkrootkit
/usr/bin/chkrootkit > $TMPLOG
# Output the log
cat $TMPLOG | logger -t chkrootkit
# bindshe of SMTPSllHow to do some wrongs
if [ ! -z "$(grep 465 $TMPLOG)" ] &&
[ -z $(/usr/sbin/lsof -i:465|grep bindshell) ]; then
sed -i '/465/d' $TMPLOG
fi
# If the rootkit have been found,mail root
[ ! -z "$(grep INFECTED $TMPLOG)" ] &&
grep INFECTED $TMPLOG | mail -s "chkrootkit report in hostname" root
chmod 700 chkroot.sh
mv chkrootkit /etc/cron.daily

这样系统会每天运行chkrootkit 检测系统,并在检测到rootkit 时给root 发一封邮件.