Linux后门入侵检测

蛋疼啊，服务器被入侵成肉鸡了，发出大量SYN请求到某个网站！（瞬间有种被OOXX（强）（奸）的赶脚） 泪奔ING...

源起：

Linux服务器日常检查，#ps aux 发现大量httpd进程，和往常情况不同(和以往多出好几倍)，接着#top 一下，httpd名列前茅！（JJ Fly...）

#netstat -anp 发现大量SYN_SENT,成肉鸡了！（瞬间有种被OOXX（强）（奸）的赶脚）！

#cd / 转到根目录  #ll -a检查最近修改过的文件，发现/etc文件夹在前几天凌晨三点被修改过，#cd /etc   #ll -a

检测是否存在root.kit

1.安装chkrootkit（不安装工具，手动检测，你会疯的）

rootkit从浅显的层面来讲即一种具有自我隐蔽性的后门程序，它往往被入侵者作为一种入侵工具。通过rootkit，入侵者可以偷偷控制被入侵的电脑，因此危害巨大。chkrootkit是一个Linux系统下的查找检测rootkit后门的工具。

安装方法

1、准备gcc编译环境

对于CentOS系统，执行下述三条命令：

yum -y install gcc
yum -y install gcc-c++
yum -y install make

对于debian系统，执行下述两条命令：

apt-get -y install gcc
apt-get -y install make

2、下载chkrootkit源码

chkrootkit的官方网站为 http://www.chkrootkit.org ，下述下载地址为官方地址。为了安全起见，务必在官方下载此程序：

1	[root@www ~]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

3、解压下载回来的安装包

1	[root@www ~]# tar zxf chkrootkit.tar.gz

4、编译安装（后文命令中出现的“*”无需替换成具体字符，原样复制执行即可）

1	[root@www ~]# cd chkrootkit-*

2	[root@www ~]# make sense

注意，上面的编译命令为make sense。

5、把编译好的文件部署到/usr/local/目录中，并删除遗留的文件

1	[root@www ~]# cd ..

2	[root@www ~]# cp -r chkrootkit-* /usr/local/chkrootkit

3	[root@www ~]# rm -r chkrootkit-*

至此，安装完毕。

使用方法

安装好的chkrootkit程序位于 /usr/local/chkrootkit/chkrootkit

直接执行

1	root@vm:~# /usr/local/chkrootkit/chkrootkit

即可对系统rootkit进行全面扫面，并滚动显示出结果，

（注：由于chkrootkit的检查过程使用了部分系统命令。因此，如果服务器被入侵，则依赖的系统命令可能也已经被入侵者做了手脚，chkrootkit的结果将变得完全不可信，甚至连系统ls等查看文件的基础命令也变得不可信。）

（附：chkrootkit参数说明）

Usage: ./chkrootkit [options] [test ...]
   Options:
        -h                显示帮助信息
        -V                显示版本信息
        -l                显示测试内容
        -d                debug模式，显示检测过程的相关指令程序
        -q                安静模式，只显示有问题部分，
        -x                高级模式，显示所有检测结果
        -r dir            设定指定的目录为根目录
        -p dir1:dir2:dirN 检测指定目录
        -n                跳过NFS连接的目录

2.rootkit hunter的使用

Project: http://www.rootkit.nl/projects/rootkit_hunter.html

download: http://downloads.sourceforge.net/rkhunter/rkhunter-1.3.4.tar.gz?use_mirror=jaist

 

2.1 解压安装

解压

#tar -zxvf rkhunter-1.3.4.tar.gz

安装

#cd rkhunter-1.3.4

#./installer.sh -h

Usage: ./installer.sh <parameters>

Ordered valid parameters:
--help (-h)      : 显示帮助
--examples       : 显示安装实例
--layout <value> : 选择安装模板(安装必选参数).
                   模板选择：
                    - default: (FHS compliant),
                    - /usr,
                    - /usr/local,
                    - oldschool: 之前版本安装路径,
                    - custom: 自定义安装路径,
                    - RPM: for building RPM's. Requires $RPM_BUILD_ROOT.
                    - DEB: for building DEB's. Requires $DEB_BUILD_ROOT.
--striproot      : Strip path from custom layout (for package maintainers).
--install        : 根据选择目录安装

--show           : 显示安装路径
--remove         : 卸载rkhunter
--version        : 显示安装版本

 

安装指令

#./installer.sh --layout default --install

 

2.2 rkhunter操作

#/usr/local/bin/rkhunter --propupd

#/usr/local/bin/rkhunter -c --sk -rwo

 

Warning: File '/bin/awk' has the immutable-bit set.
Warning: File '/bin/basename' has the immutable-bit set.
Warning: File '/bin/bash' has the immutable-bit set.
Warning: File '/bin/cat' has the immutable-bit set.
Warning: File '/bin/chmod' has the immutable-bit set.
Warning: File '/bin/chown' has the immutable-bit set.
Warning: File '/bin/cp' has the immutable-bit set.
Warning: File '/bin/csh' has the immutable-bit set.
Warning: File '/bin/cut' has the immutable-bit set.
Warning: File '/bin/date' has the immutable-bit set.
Warning: File '/bin/df' has the immutable-bit set.
Warning: File '/bin/dmesg' has the immutable-bit set.
Warning: File '/bin/echo' has the immutable-bit set.
Warning: File '/bin/ed' has the immutable-bit set.
Warning: File '/bin/egrep' has the immutable-bit set.
Warning: File '/bin/env' has the immutable-bit set.
Warning: File '/bin/fgrep' has the immutable-bit set.
Warning: File '/bin/grep' has the immutable-bit set.
Warning: File '/bin/kill' has the immutable-bit set.
Warning: File '/bin/login' has the immutable-bit set.
Warning: File '/bin/ls' has the immutable-bit set.
Warning: File '/bin/mail' has the immutable-bit set.
Warning: File '/bin/mktemp' has the immutable-bit set.
Warning: File '/bin/more' has the immutable-bit set.
Warning: File '/bin/mount' has the immutable-bit set.
Warning: File '/bin/mv' has the immutable-bit set.
Warning: File '/bin/netstat' has the immutable-bit set.
Warning: File '/bin/ps' has the immutable-bit set.
Warning: File '/bin/pwd' has the immutable-bit set.
Warning: File '/bin/rpm' has the immutable-bit set.
Warning: File '/bin/sed' has the immutable-bit set.
Warning: File '/bin/sh' has the immutable-bit set.
Warning: File '/bin/sort' has the immutable-bit set.
Warning: File '/bin/su' has the immutable-bit set.
Warning: File '/bin/touch' has the immutable-bit set.
Warning: File '/bin/uname' has the immutable-bit set.
Warning: File '/bin/gawk' has the immutable-bit set.
Warning: File '/bin/tcsh' has the immutable-bit set.
Warning: File '/usr/bin/awk' has the immutable-bit set.
Warning: File '/usr/bin/cut' has the immutable-bit set.
Warning: File '/usr/bin/env' has the immutable-bit set.
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: File '/usr/bin/kill' has the immutable-bit set.
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: File '/usr/bin/top' has the immutable-bit set.
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: File '/usr/bin/gawk' has the immutable-bit set.
Warning: File '/sbin/chkconfig' has the immutable-bit set.
Warning: File '/sbin/depmod' has the immutable-bit set.
Warning: File '/sbin/fuser' has the immutable-bit set.
Warning: File '/sbin/ifconfig' has the immutable-bit set.
Warning: File '/sbin/ifdown' has the immutable-bit set.
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: File '/sbin/ifup' has the immutable-bit set.
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: File '/sbin/init' has the immutable-bit set.
Warning: File '/sbin/insmod' has the immutable-bit set.
Warning: File '/sbin/ip' has the immutable-bit set.
Warning: File '/sbin/lsmod' has the immutable-bit set.
Warning: File '/sbin/modinfo' has the immutable-bit set.
Warning: File '/sbin/modprobe' has the immutable-bit set.
Warning: File '/sbin/nologin' has the immutable-bit set.
Warning: File '/sbin/rmmod' has the immutable-bit set.
Warning: File '/sbin/runlevel' has the immutable-bit set.
Warning: File '/sbin/sulogin' has the immutable-bit set.
Warning: File '/sbin/sysctl' has the immutable-bit set.
Warning: File '/sbin/syslogd' has the immutable-bit set.
Warning: File '/usr/sbin/adduser' has the immutable-bit set.
Warning: No hash value found for file '/usr/sbin/amd' in the rkhunter.dat file.
Warning: File '/usr/sbin/amd' has the immutable-bit set.
Warning: File '/usr/sbin/chroot' has the immutable-bit set.
Warning: File '/usr/sbin/groupadd' has the immutable-bit set.
Warning: File '/usr/sbin/groupdel' has the immutable-bit set.
Warning: File '/usr/sbin/groupmod' has the immutable-bit set.
Warning: File '/usr/sbin/grpck' has the immutable-bit set.
Warning: File '/usr/sbin/kudzu' has the immutable-bit set.
Warning: File '/usr/sbin/lsof' has the immutable-bit set.
Warning: File '/usr/sbin/prelink' has the immutable-bit set.
Warning: File '/usr/sbin/pwck' has the immutable-bit set.
Warning: File '/usr/sbin/sestatus' has the immutable-bit set.
Warning: File '/usr/sbin/tcpd' has the immutable-bit set.
Warning: File '/usr/sbin/useradd' has the immutable-bit set.
Warning: File '/usr/sbin/userdel' has the immutable-bit set.
Warning: File '/usr/sbin/usermod' has the immutable-bit set.
Warning: File '/usr/sbin/vipw' has the immutable-bit set.
Warning: File '/usr/sbin/xinetd' has the immutable-bit set.
Warning: Dreams Rootkit                           [ Warning ]
         File '/usr/bin/sense' found
         File '/usr/bin/sl2' found
         File '/usr/bin/(swapd)' found
Warning: Checking for possible rootkit strings    [ Warning ]
         Found string '/dev/ttyoa' in file '/bin/netstat'. Possible rootkit: Sin Rootkit
Warning: Found possible sniffer log file: /usr/lib/libice.log
Warning: Found enabled xinetd service: /etc/xinetd.d/auth
Warning: Found enabled xinetd service: /etc/xinetd.d/cups-lpd
Warning: Found enabled xinetd service: /etc/xinetd.d/swat
Warning: Found enabled xinetd service: /etc/xinetd.d/vmware-authd
Warning: Possible promiscuous interfaces:
         'ifconfig' command output:
         'ip' command output: eth0
Warning: Account 'test' is root equivalent (UID = 0)
Warning: Account 'james' is root equivalent (UID = 0)
Warning: Account 'master' is root equivalent (UID = 0)
Warning: Account 'admin' is root equivalent (UID = 0)
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
         The default value may be 'yes', to allow root access.
Warning: The SSH configuration option 'Protocol' has not been set.
         The default value may be '2,1', to allow the use of protocol version 1.
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Application 'exim', version '4.43', is out of date, and possibly a security risk.
Warning: Application 'gpg', version '1.2.6', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.7a', is out of date, and possibly a security risk.
Warning: Application 'php', version '4.3.9', is out of date, and possibly a security risk.

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

结果就是“中招”，基本上就是重新安装系统的命了。不过从检查的结果来看，可以判断所中的rootkit的类型和被替换的系统文件。同时对一些程序版本进行检测，提供的信息比较多。

 

2.3 指令参数说明

#/usr/local/bin/rkhunter

Usage: rkhunter {--check | --update | --versioncheck |
                 --propupd [{filename | directory | package name},...] |
                 --list [{tests | {lang | languages} | rootkits},...] |
                 --version | --help} [options]

Current options are:
         --append-log                  在日志文件后追加日志，而不覆盖原有日志
         --bindir <directory>...       Use the specified command directories
     -c, --check                       检测当前系统
  --cs2, --color-set2                  Use the second color set for output
         --configfile <file>           使用特定的配置文件
         --cronjob                     作为cron定期运行
                                       (包含参数 -c, --sk , --nocolors )
         --dbdir <directory>           Use the specified database directory
         --debug                       Debug模式(不要使用除非要求使用)
         --disable <test>[,<test>...]  跳过指定检查对象(默认为无)
         --display-logfile             在最后显示日志文件内容
         --enable  <test>[,<test>...]  对指定检测对象进行检查
                                       (默认检测所有对象)
         --hash {MD5 | SHA1 | NONE |   使用指定的文件哈希函数
                 <command>}            (Default is SHA1)
     -h, --help                        显示帮助菜单
 --lang, --language <language>         指定使用的语言
                                       (Default is English)
         --list [tests | languages |   罗列测试对象明朝，使用语言，可检测的木马程序
                 rootkits]             
     -l, --logfile [file]              写到指定的日志文件名

                                       (Default is /var/log/rkhunter.log)
         --noappend-log                不追加日志，直接覆盖日志文件
         --nocolors                    输出只显示黑白两色
         --nolog                       不写入日志文件
--nomow, --no-mail-on-warning          如果有警告信息，不发送邮件
   --ns, --nosummary                   不显示检查结果的统计数据
 --novl, --no-verbose-logging          不显示详细记录
         --pkgmgr {RPM | DPKG | BSD |  使用特定的包管理用于文件的哈希值验证
                   NONE}               (Default is NONE)
         --propupd [file | directory | 更新整个文件属性数据库或仅仅更新指定条目
                    package]...        
     -q, --quiet                       安静模式(no output at all)
  --rwo, --report-warnings-only        只显示警告信息
     -r, --rootdir <directory>         使用指定的root目录
   --sk, --skip-keypress               自动完成所有检测，跳过键盘输入

--summary                     显示检测结果的统计信息
                                       (This is the default)
         --syslog [facility.priority]  记录检测启动和结束时间到系统日志中
                                       (Default level is authpriv.notice)
         --tmpdir <directory>          使用指定的临时目录
         --update                      检测更新内容
   --vl, --verbose-logging             使用详细日志记录 (on by default)
     -V, --version                     显示版本信息
         --versioncheck                检测最新版本
     -x, --autox                       当X在使用时，自动启动检测
     -X, --no-autox                    当X在使用时，不自启检测

转自：

http://www.spriteking.com/archives/1133