Reference: Setting up and running the RootKit Hunter backdoor detection software http://linux.vbird.org/linux_security/0420rkhunter.php
Installation: installing, deploying and using rkhunter, the rootkit malware detection tool for Linux systems http://blog.chinaunix.net/uid-29179844-id-4208822.html
```bash
wget -S http://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
tar zxvf rkhunter-1.4.2.tar.gz && cd rkhunter-1.4.2
./installer.sh --install
```
1. Build a file-property baseline for the basic system programs; it is recommended to do this as soon as the system installation is complete.
Run the command:
```bash
/usr/local/bin/rkhunter --propupd
ls /var/lib/rkhunter/db/rkhunter.dat   # location of the baseline file
```
2. To scan for backdoors, run:
```bash
/usr/local/bin/rkhunter --check
```
If you do not want to press Enter to continue after every section and would rather let the program run straight through, use:
```bash
/usr/local/bin/rkhunter --checkall --skip-keypress
```
To show only the warnings, run:
```bash
/usr/local/bin/rkhunter -c --rwo   # --rwo = report-warnings-only: print only the warnings
```
After the scan completes, a log is written to /var/log/rkhunter.log.
3. Updating rkhunter online
rkhunter detects rootkits on the system using a database of known rootkit names, so updating that database regularly is very important. You can update it with the following command:
Run the command:
```bash
/usr/local/bin/rkhunter --update
```
4. Checking for the latest version
Keep rkhunter at its latest version.
Run the command:
```bash
/usr/local/bin/rkhunter --versioncheck
```
Scanning for trojans:
```bash
/usr/local/bin/rkhunter --checkall
```
——————————————————————————–
```text
/bin/ed                                     [ Warning ]
/bin/sed                                    [ Warning ]
/usr/bin/diff                               [ Warning ]
/usr/bin/ldd                                [ Warning ]
/usr/bin/pgrep                              [ Warning ]
/usr/bin/pkill                              [ Warning ]
/usr/bin/vmstat                             [ Warning ]
/usr/bin/w                                  [ Warning ]
/usr/bin/watch                              [ Warning ]
/usr/bin/whatis                             [ Warning ]
/usr/bin/which                              [ Warning ]
/sbin/ifconfig                              [ Warning ]
/sbin/ifdown                                [ Warning ]
/sbin/ifup                                  [ Warning ]
/sbin/route                                 [ Warning ]
/sbin/sysctl                                [ Warning ]
Suspicious Shared Memory segments           [ Warning ]
Checking if SSH root access is allowed      [ Warning ]
Checking /dev for suspicious file types     [ Warning ]
Checking for hidden files and directories   [ Warning ]
Checking version of Apache                  [ Warning ]
Checking version of OpenSSL                 [ Warning ]
```
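As an added example that is not part of either referenced post, the POSIX shell functions below triage `[ Warning ]` lines of the kind listed above, separating file-property warnings on system binaries (which point back to the `--propupd` baseline) from the remaining configuration and version checks, and give a cron-friendly exit status. The sample output is a constructed excerpt in the same format.

```shell
#!/bin/sh
# Added example (not from the referenced posts): triage the "[ Warning ]" lines that
# rkhunter --checkall prints, in the format listed above. SAMPLE_OUTPUT is a
# constructed excerpt in that format, embedded so the functions run offline.
SAMPLE_OUTPUT='/bin/ed                                          [ OK ]
/bin/sed                                                        [ Warning ]
/usr/bin/ldd                                                    [ Warning ]
/sbin/ifconfig                                                  [ Warning ]
Checking if SSH root access is allowed                          [ Warning ]
Checking for hidden files and directories                       [ Warning ]
Checking version of OpenSSL                                     [ Warning ]
Checking version of Apache                                      [ OK ]'

# Read check output on stdin; print each flagged item with its "[ Warning ]" tag removed.
warning_items() {
    sed -n 's/[[:space:]]*\[ Warning ][[:space:]]*$//p'
}

# Warnings on absolute paths come from the file-property check against the --propupd
# baseline. A changed binary is expected after a package upgrade, but verify it with the
# package manager before rebuilding the baseline: a replaced binary looks exactly the same.
count_binary_warnings() {
    warning_items | grep -c '^/' || true
}

# Every other warning (SSH root login, hidden files, outdated daemons, ...) needs a
# configuration or update fix, not a new baseline.
count_other_warnings() {
    warning_items | grep -vc '^/' || true
}

# Exit status for a cron job: non-zero when any warning is present, so the scheduler
# or mail wrapper notices; the details stay in /var/log/rkhunter.log.
scan_status() {
    n=$(warning_items | wc -l | tr -d ' ')
    echo "rkhunter: $n warning(s)"
    [ "$n" -eq 0 ]
}

# Stand-alone run on the constructed sample; on a real host pipe in the output of
#   /usr/local/bin/rkhunter --checkall --skip-keypress
printf '%s\n' "$SAMPLE_OUTPUT" | warning_items
printf '%s\n' "$SAMPLE_OUTPUT" | scan_status || true
```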