‧∴ ° 手心的太陽‧∴ °∴ ‧°‧∴ ☆╮
rkhunter

So how do you start a scan? Heh, just run /usr/local/bin/rkhunter --checkall! For example:

[root@test root]# /usr/local/bin/rkhunter --checkall
Rootkit Hunter 1.1.8 is running

Determining OS... Ready

# Part one: check the binaries, including their MD5 checksums!
Checking binaries
* Selftests
    Strings (command)                                          [ OK ]

* System tools
  Performing 'known good' check...
    /sbin/ifconfig                                             [ OK ]
    ....(omitted)....
    /sbin/runlevel                                             [ OK ]
[Press <ENTER> to continue]    <== press Enter here to continue!

# Part one mainly verifies a set of important system binaries. These files
# are exactly what rootkit kits usually replace, so they are checked first.
# Next comes part two.

Check rootkits
* Default files and directories
    Rootkit '55808 Trojan - Variant A'...                      [ OK ]
    ADM Worm...                                                [ OK ]
    ....(omitted)....
    Rootkit 'zaRwT.KiT Rootkit'...                             [ OK ]
* Suspicious files and malware
    Scanning for known rootkit strings                         [ OK ]
    ....(omitted)....
    Sniffer logs                                               [ OK ]
[Press <ENTER> to continue]    <== press Enter here to continue!

# Part two looks for damage done by the common rootkit kits: it checks
# for the files and directories that each well-known rootkit drops.
# Next, part three.

* Trojan specific characteristics
  shv4
    Checking /etc/rc.d/rc.sysinit
    Test 1                                                     [ Clean ]
    ....(omitted)....
    Checking /etc/xinetd.conf                                  [ Clean ]
* Suspicious file properties
  chmod properties
    Checking /bin/ps                                           [ Clean ]
    ....(omitted)....
    Checking /bin/login                                        [ Clean ]
* OS dependant tests
  Linux
    Checking loaded kernel modules...                          [ OK ]
    Checking files attributes                                  [ OK ]
    Checking LKM module path                                   [ OK ]

Networking
* Check: frequently used backdoors
    Port 2001: Scalper Rootkit                                 [ OK ]
    Port 60922: zaRwT.KiT                                      [ OK ]
* Interfaces
    Scanning for promiscuous interfaces                        [ OK ]
[Press <ENTER> to continue]    <== press Enter here to continue!

# Part three checks for trojans and suspicious file properties; it is all
# about trojan programs. Because a trojan may open a backdoor, listening
# network ports are checked here as well, together with kernel modules.
# Then comes part four.

System checks
* Allround tests
    Checking hostname... Found. Hostname is test.vbird.tw
    Checking for passwordless user accounts... OK
    Checking for differences in user accounts... [ NA ]
    Checking for differences in user groups... Creating file It seems this is your first time.
    Checking boot.local/rc.local file...
    - /etc/rc.local                                            [ OK ]
    - /etc/rc.d/rc.local                                       [ OK ]
    - /usr/local/etc/rc.local                                  [ Not found ]
    ....(omitted)....
* Filesystem checks
    Checking /dev for suspicious files...                      [ OK ]
    Scanning for hidden files...                               [ OK ]
[Press <ENTER> to continue]    <== press Enter here to continue!

# Part four checks the boot process and related services, which is why
# the rc.local and password/account checks appear here. It also looks in
# /dev for files that have been tampered with. Next, part five.

Application advisories
* Application scan
    Checking Apache2 modules ...                               [ Not found ]
    Checking Apache configuration ...                          [ OK ]
* Application version scan
    - GnuPG 1.2.1                                              [ Vulnerable ]
    - Bind DNS [unknown]                                       [ OK ]
    - OpenSSL 0.9.7a                                           [ Vulnerable ]
    - Procmail MTA 3.22                                        [ OK ]
    - OpenSSH 3.7.1p2                                          [ Unknown ]

Security advisories
* Check: Groups and Accounts
    Searching for /etc/passwd...                               [ Found ]
    Checking users with UID '0' (root)...                      [ OK ]
* Check: SSH
    Searching for sshd_config...
    Found /etc/ssh/sshd_config
    Checking for allowed root login...          [ OK (Remote root login disabled) ]
    Checking for allowed protocols...                   [ OK (Only SSH2 allowed) ]
* Check: Events and Logging
    Search for syslog configuration...                         [ OK ]
    Checking for running syslog slave...                       [ OK ]
    Checking for logging to remote system...                   [ OK (no remote logging) ]
[Press <ENTER> to continue]    <== press Enter here to continue!

# Part five checks the package versions of some common services. Because
# it only compares version strings and never actually probes the
# vulnerability, the result here can be a false positive, no doubt about
# it! In the scan above, my OpenSSL 0.9.7a is the officially patched
# version, that is, the hole has already been closed, yet it is still
# reported as a problem. That is the reason!

---------------------------- Scan results ----------------------------
MD5
MD5 compared: 51
Incorrect MD5 checksums: 0

File scan
Scanned files: 328
Possible infected files: 0

Application scan
Vulnerable applications: 2

Scanning took 114 seconds
-----------------------------------------------------------------------

# Finally, a summary of the whole run: a few simple figures from which
# you can get a picture of the system's current state.

---------------------------------------------------
http://linux.vbird.org/linux_security/0420rkhunter.php
http://www.weithenn.org/cgi-bin/wiki.pl?RkHunter-%E6%8E%83%E7%9E%84%E4%B8%BB%E6%A9%9F%E6%98%AF%E5%90%A6%E4%B8%AD%E4%BA%86_RootKit
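The following shell script is an added example; it is not code from vbird's page or from the rkhunter project. It illustrates two things the scan above relies on: the "known good" hash check of part one (hash a set of files once, then flag any that later change or go missing) and the "Scan results" summary at the end, to which it applies a triage policy in which a failed MD5 comparison or a possibly infected file is a hard failure while "Vulnerable applications" is only a warning, since that counter comes from version-string matching and, as noted above, can be a false positive. The files it hashes are constructed stand-ins in a temporary directory (the real rkhunter compares against its own shipped hash list, not a locally built one), the summary text is constructed in the layout shown above, and the FAIL/WARN/CLEAN thresholds are this example's choice, not anything rkhunter itself enforces.

```shell
#!/bin/sh
# Added example, not code from vbird's page or the rkhunter project.
# Part 1 mimics rkhunter's "known good" check; part 2 parses a
# "Scan results" block and applies a severity policy.  All inputs are
# constructed so the script runs offline without rkhunter installed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BASELINE="$WORK/known_good.sha256"

# Constructed stand-ins for the system tools rkhunter checks.
mkdir -p "$WORK/sbin" "$WORK/bin"
printf 'fake ifconfig v1\n' > "$WORK/sbin/ifconfig"
printf 'fake runlevel v1\n' > "$WORK/sbin/runlevel"
printf 'fake ps v1\n'       > "$WORK/bin/ps"

# make_baseline DIR...: record a SHA-256 (rkhunter 1.1.8 used MD5) for
# every regular file below the given directories.
make_baseline() {
    : > "$BASELINE"
    for d in "$@"; do
        find "$d" -type f | sort | while read -r f; do
            sha256sum "$f" >> "$BASELINE"
        done
    done
}

# verify_baseline: compare current hashes with the baseline.  Per-file
# status goes to stderr; the count of changed or missing files is echoed
# to stdout so a caller can capture it.
verify_baseline() {
    bad=0
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path" >&2; bad=$((bad + 1)); continue
        fi
        now=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$now" = "$hash" ]; then
            echo "OK       $path" >&2
        else
            echo "CHANGED  $path" >&2; bad=$((bad + 1))
        fi
    done < "$BASELINE"
    echo "$bad"
}

# triage_summary: read a "Scan results" block on stdin and echo
# CLEAN, WARN or FAIL.  Counters absent from the input count as 0.
# Version-scan hits are only a warning: they are string matches, not
# verified vulnerabilities (see the patched OpenSSL case above).
triage_summary() {
    bad_md5=0; infected=0; vuln=0
    while IFS= read -r line; do
        case "$line" in
            "Incorrect MD5 checksums:"*)  bad_md5=${line##*: } ;;
            "Possible infected files:"*)  infected=${line##*: } ;;
            "Vulnerable applications:"*)  vuln=${line##*: } ;;
        esac
    done
    if [ "$bad_md5" -gt 0 ] || [ "$infected" -gt 0 ]; then
        echo FAIL
    elif [ "$vuln" -gt 0 ]; then
        echo WARN
    else
        echo CLEAN
    fi
}

# Constructed summary, copied in shape from the scan shown above.
SUMMARY='---------------------------- Scan results ----------------------------
MD5
MD5 compared: 51
Incorrect MD5 checksums: 0
File scan
Scanned files: 328
Possible infected files: 0
Application scan
Vulnerable applications: 2
Scanning took 114 seconds'

make_baseline "$WORK/sbin" "$WORK/bin"
echo "changed after baseline:  $(verify_baseline 2>/dev/null)"   # 0
printf 'backdoor\n' >> "$WORK/bin/ps"        # simulate a trojaned /bin/ps
echo "changed after tampering: $(verify_baseline 2>/dev/null)"   # 1
echo "summary verdict:         $(printf '%s\n' "$SUMMARY" | triage_summary)"   # WARN
```

When driving the real tool the same way, rkhunter's --skip-keypress (-sk) option removes the [Press <ENTER> to continue] pauses shown above, and --cronjob runs it non-interactively for scheduled use; the verdict logic here is the kind of policy you would put around its output, not something rkhunter applies itself.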