rkhunter (Rootkit Hunter) is a scanner for rootkits, backdoors, sniffers and local exploits. It finds known rootkits by their signatures and catches unknown ones through generic anomaly checks on the files and kernel of the host.
It mainly checks for:
1) changes to the hashes of system binaries (MD5 in this version)
2) files created by known rootkits
3) abnormal executable permissions on files
4) suspicious strings in kernel modules
5) hidden files in system directories
6) other user-defined file scans
Below is a fragment of a scan. Note the sysv-rc-conf warning: rkhunter expected an ELF binary at that path and found a perl script instead, which is exactly the kind of replacement a rootkit makes to a system command (here it is a false positive, since sysv-rc-conf really is a perl script on Ubuntu).
#rkhunter --check
[22:30:22] /usr/sbin/pwck [ OK ]
[22:30:22] /usr/sbin/tcpd [ OK ]
[22:30:22] /usr/sbin/useradd [ OK ]
[22:30:22] /usr/sbin/userdel [ OK ]
[22:30:22] /usr/sbin/usermod [ OK ]
[22:30:22] /usr/sbin/vipw [ OK ]
[22:30:22] /usr/sbin/sysv-rc-conf [ Warning ]
[22:30:22] Warning: The command '/usr/sbin/sysv-rc-conf' has been replaced by a script: /usr/sbin/sysv-rc-conf: perl script text executable
[22:31:31]
[22:31:31] Checking for rootkits...
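To make the checks in the list above concrete, here is a small Python file-property checker. It is an added example written for this page, not code from rkhunter (which is a shell script) or from the original post: it builds a hash baseline of a directory, then reports files whose hash changed or that are missing or new, executables that are scripts rather than ELF binaries (the class of finding behind the sysv-rc-conf warning), world-writable or setuid/setgid files, and hidden dotfiles. The "system directory" is a temporary directory populated with constructed files; SHA-256 is used instead of the MD5 the post mentions.

```python
# Added example, not part of rkhunter or of the original post. Reproduces the
# idea behind checks 1), 2), 3) and 5): hash baseline, new/missing files,
# executables that are scripts instead of ELF binaries, abnormal permission
# bits, hidden files. Everything it scans is constructed in a temp directory.
import hashlib
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"


def sha256_of(path):
    """Hash a file in chunks (rkhunter of this era used MD5; SHA-256 is used here)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory):
    """Map relative path -> hash for every regular file: the trusted baseline."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            p = os.path.join(root, name)
            if os.path.isfile(p) and not os.path.islink(p):
                baseline[os.path.relpath(p, directory)] = sha256_of(p)
    return baseline


def check_directory(directory, baseline):
    """Return sorted (relative_path, finding) pairs for everything that looks wrong."""
    findings, seen = [], set()
    for root, _dirs, files in os.walk(directory):
        for name in files:
            p = os.path.join(root, name)
            if os.path.islink(p):
                continue
            rel = os.path.relpath(p, directory)
            seen.add(rel)
            mode = os.lstat(p).st_mode
            # 1) + 2): hash differs from the baseline, or the file is new
            if rel not in baseline:
                findings.append((rel, "file not in baseline"))
            elif sha256_of(p) != baseline[rel]:
                findings.append((rel, "hash changed"))
            # 3): an executable in a binary directory that is not ELF has been
            # replaced by a script (the sysv-rc-conf finding above)
            if mode & stat.S_IXUSR:
                with open(p, "rb") as f:
                    head = f.read(len(ELF_MAGIC))
                if head != ELF_MAGIC:
                    findings.append((rel, "executable is a script, not an ELF binary"))
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid bit set"))
            # 5): hidden files have no business in a system binary directory
            if name.startswith("."):
                findings.append((rel, "hidden file in system directory"))
    for rel in baseline:
        if rel not in seen:
            findings.append((rel, "file missing"))
    return sorted(findings)


def demo():
    """Baseline a fake /usr/sbin, tamper with it as the warning above describes, rescan."""
    d = tempfile.mkdtemp(prefix="fake-usr-sbin-")

    def write(rel, data, mode):
        p = os.path.join(d, rel)
        with open(p, "wb") as f:
            f.write(data)
        os.chmod(p, mode)

    fake_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 29  # constructed ELF header stub
    write("useradd", fake_elf, 0o755)
    write("sysv-rc-conf", fake_elf, 0o755)
    baseline = build_baseline(d)

    # tamper: the binary becomes a perl script, a dotfile appears, and a new
    # world-writable file with the setuid bit is dropped
    write("sysv-rc-conf", b"#!/usr/bin/perl\nprint 'replaced';\n", 0o755)
    write(".hidden", b"x", 0o644)
    write("dropped", fake_elf, 0o4777)
    return check_directory(d, baseline)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

The baseline is only as trustworthy as the machine was when it was taken, which is why rkhunter (and this toy) should be installed and baselined right after a clean install, not after a compromise is suspected.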
Ubuntu users can install it directly with
#apt-get install rkhunter
Other distributions may carry it in their repositories too, and it can also be obtained from the official site ( rkhunter.sf.net/ ).
For Red Hat users: note that the steps below actually install logwatch, a separate tool that mails a daily summary of the system logs (including rkhunter's), not rkhunter itself.
Download:
#wget ftp://ftp.kaybee.org/pub/redhat/RPMS/noarch/logwatch-6.0.2-2.noarch.rpm
#rpm -ivh logwatch-6.0.2-2.noarch.rpm
Configure:
#vi /etc/log.d/conf/logwatch.conf
Find MailTo = and change it to your real email address, for example MailTo = user@domain.com
Detail = is the level of detail; 10 (the highest, "High") is recommended. Save and exit. By default logwatch runs once a day (from cron.daily). To run logwatch manually:
#perl /etc/log.d/scripts/logwatch.pl
rkhunter can also send mail on its own: set MAIL-ON-WARNING in /etc/rkhunter.conf and let the package's daily cron job do the scanning.
Test results on my own machine:
root@ptubuntu:~# rkhunter --check
System checks summary
=====================
File properties checks...
Files checked: 127
Suspect files: 2
Rootkit checks...
Rootkits checked : 110
Possible rootkits: 0
Applications checks...
Applications checked: 5
Suspect applications: 0
The system checks took: 1 minute and 27 seconds
All results have been written to the logfile (/var/log/rkhunter.log)
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
The two suspect files are the warnings of the kind shown above; search /var/log/rkhunter.log for lines containing "Warning" to see which files and why. If a flagged file changed only because of a legitimate package upgrade, refresh the file-properties baseline with rkhunter --propupd, but only after you have verified the file, because that command trusts whatever is currently on disk.
Reference: http://mlsx.xplore.cn/2008/08/28/rkhunter-rootkit-checker.html
Further reading: Vbird Linux (鸟哥网), http://linux.vbird.org/linux_security/0420rkhunter.php
Original article; when reprinting please credit: reprinted from PT Ubuntu Blog