[分享] 主機上的木馬檢查工具 chkrootkit

常言道:『飲水思源』,在 Open Source 的世界裡,我們常常需要別人的幫助,但是在您有所心得的時候請記得分享給大家,『幫助人是快樂的喔』。歡迎您在使用 debian 的過程中的任何心得分享給大家。

[分享] 主機上的木馬檢查工具 chkrootkit

文章blue955 » 週二 7月 18, 2006 11:38 am

看到網站上還沒有人post相關介紹,小弟就獻醜post一下!

視窗 windows 上防毒掃木馬程式林林總總,那 linux 上呢?當然也有,個人 windows 系統中木馬或病毒大不了重灌,當成伺服器在運行的 linux 中木馬的話可是非同小可,多人多工的環境下,牽連的範圍可是非常的大,所以做好系統防護,是不可少的。

底下介紹一套掃木馬的程式 chkrootkit
安裝方式非常簡單,你可以選擇到官網下載,或是直接用 apt-get 安裝,都可以!

1.chkrootkit 官方網站 http://www.chkrootkit.org

2.執行 apt-get install chkrootkit

3.安裝好之後,執行 chkrootkit 就會開始掃描了。

4.範例畫面:

# chkrootkit

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... INFECTED
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... INFECTED
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 1008)
Checking `lkm'... You have 2 process hidden for ps command
Warning: Possible LKM Trojan installed

Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient[27847])
eth1: not promisc and no packet sniffer sockets
Checking `w55808'... not infected
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted

看來這一台主機中毒很深,如果發現到木馬,網管的主控權恐怕早已經交出去了,趕緊備份重要資料,準備重灌吧!

至於 eth0: PACKET SNIFFER(/sbin/dhclient[27847]) 這一個問題,應該不是木馬所引起的,只要有裝 MRTG 等類似監控分析流量的程式就會被 chkrootkit 誤認為是嗅探器(sniffer),不過還是要注意一下。
取之於社群
回饋於社群

我的部落格 http://m955.com/wp/
頭像
blue955
可愛的小學生
可愛的小學生
 
文章: 18
註冊時間: 週三 1月 05, 2005 4:02 pm

回到 share

誰在線上

正在瀏覽這個版面的使用者:沒有註冊會員 和 1 位訪客