Chkrootkit是一个在本地系统检查rootkit痕迹的工具,它是检查系统二进制文件是否被rootkit病毒修改的一个shell脚本。

(1)centerOS安装chkrootkit

安装gcc编译环境yum install gcc gcc-c++ make -y

安装chkrootkit.tar.gz

解压后执行

#make sense

安装过程中常见报错

#make sense

cc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c

cc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c

cc -DHAVE_LASTLOG_H   -D_FILE_OFFSET_BITS=64 -o ifpromisc ifpromisc.c

cc  -o chkproc chkproc.c

cc  -o chkdirs chkdirs.c

cc  -o check_wtmpx check_wtmpx.c

cc -static  -o strings-static strings.c

/usr/bin/ld: cannot find -lc

collect2: ld returned 1 exit status

make: *** [strings-static] Error 1

# yum install glibc-static

# make clean

# ./chkrootkit -V

直接执行chkrootkit命令

# ./chkrootkit

Chkrootkit会对系统中的重要文件进行扫描。

一下是官方文档:

1. What's chkrootkit?
 ---------------------

 chkrootkit is a tool to locally check for signs of a rootkit.  It
 contains:

 * chkrootkit: a shell script that checks system binaries for
   rootkit modification.

 * ifpromisc.c: checks if the network interface is in promiscuous
   mode.

 * chklastlog.c: checks for lastlog deletions.

 * chkwtmp.c: checks for wtmp deletions.

 * check_wtmpx.c: checks for wtmpx deletions.  (Solaris only)

 * chkproc.c: checks for signs of LKM trojans.

 * chkdirs.c: checks for signs of LKM trojans.

 * strings.c: quick and dirty strings replacement.

 * chkutmp.c: checks for utmp deletions.

 chkwtmp and chklastlog *try* to check for deleted entries in the wtmp
 and lastlog files, but it is *not* guaranteed that any modification
 will be detected.

 Aliens tries to find sniffer logs and rootkit config files.  It looks
 for some default file locations -- so it is also not guaranteed it
 will succeed in all cases.

 chkproc checks if /proc entries are hidden from ps and the readdir
 system call.  This could be the indication of a LKM trojan.  You can
 also run this command with the -v option (verbose).

 2. Rootkits, Worms and LKMs detected
 ------------------------------------

 For an updated list of rootkits, worms and LKMs detected by
 chkrootkit please visit: http://www.chkrootkit.org/

 3. Supported Systems
 --------------------

 chkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x,
 FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x, 3.x and 4.x., NetBSD
 1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64, BSDI and Mac
 OS X.

 4. Package Contents
 -------------------

 README
 README.chklastlog
 README.chkwtmp
 COPYRIGHT
 chkrootkit.lsm

 Makefile
 chklastlog.c
 chkproc.c
 chkdirs.c
 chkwtmp.c
 check_wtmpx.c
 ifpromisc.c
 strings.c
 chkutmp.c

 chkrootkit

 5. Installation
 ---------------

 To compile the C programs type:

 # make sense

 After that it is ready to use and you can simply type:

 # ./chkrootkit

 6. Usage
 --------

 chkrootkit must run as root.  The simplest way is:

 # ./chkrootkit

 This will perform all tests.  You can also specify only the tests you
 want, as shown below:

 Usage: ./chkrootkit [options] [testname ...]
 Options:
         -h                show this help and exit
         -V                show version information and exit
         -l                show available tests
         -d                debug
         -q                quiet mode
         -x                expert mode
         -r dir            use dir as the root directory
         -p dir1:dir2:dirN path for the external commands used by chkrootkit
         -n                skip NFS mounted dirs

 Where testname stands for one or more from the following list:

 aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper
 z2 chkutmp amd basename biff chfn chsh cron crontab date du dirname
 echo egrep env find fingerd gpm grep hdparm su ifconfig inetd
 inetdconf identd init killall ldsopreload login ls lsof mail mingetty
 netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd
 slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed
 traceroute vdir w write

 For example, the following command checks for trojaned ps and ls
 binaries and also checks if the network interface is in promiscuous
 mode.

   # ./chkrootkit ps ls sniffer

 The `-q' option can be used to put chkrootkit in quiet mode -- in
 this mode only output messages with `infected' status are shown.

 With the `-x' option the user can examine suspicious strings in the
 binary programs that may indicate a trojan -- all the analysis is
 left to the user.

 Lots of data can be seen with:

   # ./chkrootkit -x | more

 Pathnames inside system commands:

   # ./chkrootkit -x | egrep '^/'

 chkrootkit uses the following commands to make its tests: awk, cut,
 egrep, find, head, id, ls, netstat, ps, strings, sed, uname.  It is
 possible, with the `-p' option, to supply an alternate path to
 chkrootkit so it won't use the system's (possibly) compromised
 binaries to make its tests.

 To use, for example, binaries in /cdrom/bin:

   # ./chkrootkit -p /cdrom/bin

 It is possible to add more paths with a `:'

   # ./chkrootkit -p /cdrom/bin:/floppy/mybin

 Sometimes is a good idea to mount the disk from a compromised machine
 on a machine you trust.  Just mount the disk and specify a new
 rootdir with the `-r' option.

 For example, suppose the disk you want to check is mounted under
 /mnt, then:

   # ./chkrootkit -r /mnt

 7. Output Messages
 ------------------

 The following messages are printed by chkrootkit (except with the -x
 and -q command options) during its tests:

   "INFECTED": the test has identified a command probably modified by
   a known rootkit;

   "not infected": the test didn't find any known rootkit signature.

   "not tested": the test was not performed -- this could happen in
   the following situations:
     a) the test is OS specific;
     b) the test depends on an external program that is not available;
     c) some specific command line options are given. (e.g. -r ).

   "not found": the command to be tested is not available;

   "Vulnerable but disabled": the command is infected but not in use.
   (not running or commented in inetd.conf)

 8. A trojaned command has been found.  What should I do now?
 ------------------------------------------------------------

 Your biggest problem is that your machine has been compromised and
 this bad guy has root privileges.

 Maybe you can solve the problem by just replacing the trojaned
 command -- the best way is to reinstall the machine from a safe media
 and to follow your vendor's security recommendations.

 9. Reports and questions
 ------------------------

 Please send comments, questions and bug reports to
 nelson@pangeia.com.br and jessen@cert.br.

 A simple FAQ and Related information about rootkits and security can
 be found at chkrootkit's homepage, http://www.chkrootkit.org.

 10. ACKNOWLEDGMENTS
 -------------------

 See the ACKNOWLEDGMENTS file.

 11. ChangeLog
 -------------

centerOS安装chkrootkit的更多相关文章

  1. centeros安装jdk

    准备工作: java se下载网址:https://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.ht ...

  2. 编译安装chkrootkit出现的问题

    tar xf chkrootkit.tar.gz cd chkrootkit-* make sense的时候出现make: *** [strings-static] Error 1,解决办法:yum ...

  3. centerOS安装rkhunter

    rkhunter是专业检测系统是否感染rootkit的一个工具: rkhunter-1.4.2.tar.gz 解压后直接安装: #./installer.sh --layout defualt --i ...

  4. Linux CenterOS安装mysql-5.6.12-linux-glibc2.5-x86_64.tar.gz步骤

    1.首先配置IP. Cd /etc/sysconfig/network-scripts/ vim ifcfg-ens32 将ONBOOT=no,改为ONBOOT=yes.(开机启动激活网卡) 2.构建 ...

  5. mysql centeros 安装

    http://www.cnblogs.com/xiaoluo501395377/archive/2013/04/07/3003278.html linux mysql允许远程连接 1.登录数据库:my ...

  6. centeros 安装maven 私服

    1:下载nexus: 下载maven: 2:解压缩 配置maven环境变量 cd /etc/profile MAVEN_HOME=/usr/mavenexport MAVEN_HOMEexport P ...

  7. MySQL在CenterOS和Ubuntu的安装

    声明:作者原创,转载注明出处. 作者:帅气陈吃苹果 下载地址:https://dev.mysql.com/get/Downloads/MySQL-5.7/mysql-5.7.20-linux-glib ...

  8. CentOS 7下安装vertica记录

    CentOS 7下安装vertica记录 1.    安装好centeros 并更新 Centeros安装就不说了,安装完之后联网环境下 yum update.更新下,使得那些包都是新的.(要想用中文 ...

  9. centeros php 实战

    apache 默认安装路径 Fedora Core, CentOS, RHEL:ServerRoot              ::      /etc/httpdPrimary Config Fle ...

随机推荐

  1. phpstorm + xdebug 配置

    PHPSTORM版本 : 8.0.1 PHP版本 : 5.6.2 把php-xdebug.dll复制到xamapp/php/ext目录下,打开php.ini配置如下参数 [xdebug] zend_e ...

  2. .NET基本权限管理框架源代码

    有兴趣的朋友欢迎加群讨论:312677516 1.菜单导航管理 2.操作按钮 3.角色管理 4.部门管理 5.用户管理(用户权限) 6.用户组管理(设置成员,用户组权限) 7.系统配置(动态配置系统参 ...

  3. emacs快捷键学习(一)--Linux最强大的编辑器

    emacs是一个非常强大的编辑器.经常使用的快捷键总结例如以下: 退出emacs:ctrl+x ctrl+c 移动到下一屏:ctrl+v 移动到上一屏:alt+v 将光标所在行移动到屏幕中间:ctrl ...

  4. OC基础 代理和协议

    OC基础 代理和协议 1.协议 (1)oc语言中得协议:一组方法列表,不需要我们自己实现,由遵守协议的类来实现协议所定制的方法. (2)协议的使用步骤:制定协议-->遵守协议-->实现协议 ...

  5. noip2015运输计划

    二分+LCA+查分前缀和 #include<iostream> #include<cstring> #include<cstdio> #include<alg ...

  6. MySQL 大DML操作建议

    ㈠ 大数据量INSERT          ⑴ 使用多行插入代替单行:insert into t values (),(),(),...          ⑵ LOAD DATA INFILE ... ...

  7. centos 服务器装与python34源码安装

    http://www.111cn.net/sys/CentOS/63645.htm 1.CentOS安装Python的依赖包(不安装依赖包,会导致python安装不完整) yum groupinsta ...

  8. 转载:spring ,struct2 在 web.xml中的配置

    转载网址:http://blog.sina.com.cn/s/blog_4c6e822d0102dv63.html <!-- Struts2 need begin-->  <filt ...

  9. 在Yii2中使用Pjax导致Yii2内联脚本载入失败的问题

    当我用defunkt/jquery-pjax载入Yii2的ActiveForm时发生一个错误,正常情况下是 ActiveForm的两个js应该先载入,而实际情况是 typeError:JQuery(. ...

  10. SSH-key密钥生成

    为了能够不用输入密码访问git库(github/gitlab),需要使用ssh key ssh-keygen -t rsa -C "<your email address>&qu ...