Archived

This topic is archived and closed to new posts.

VladimirSS

Anti-rootkits

Recommended posts

ROOTKIT HUNTER 1.3.0. A utility for detecting rootkits, backdoors and local exploits planted on a system. Supports most Linux distributions and *BSD systems. License: GPL.

description http://rkhunter.sourceforge.net/

download http://sourceforge.net/projects/rkhunter/

or here http://ubuntu.ipacct.com/ubuntu/pool/universe/r/rkhunter/

an article in Russian http://www.pc-inform.ru/articles/rkhunter.html (with mistakes, though; the correct command is rkhunter -c :)


chkrootkit

http://www.chkrootkit.org/

The script itself checks binaries for modification by a rootkit.

It tests: aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp amd basename biff chfn chsh cron crontab date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write

It checks for utmp deletions, quick-and-dirty string replacement, LKM trojans, wtmp deletions, lastlog deletions, and whether the network card is running in promiscuous mode.


For RootKitHunter

--update updates the database.

Don't forget to update, of course.


Hm... Folks, what does this mean???

Checking for hidden files and directories				[ Warning ]


Searching for OBSD rk v1... /usr/lib/security
/usr/lib/security/classpath.security

Is this normal??

Here are the full logs.

root@*-desktop:/home/*# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not found
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... 
/usr/lib/jvm/.java-6-sun.jinfo
/usr/lib/jvm/java-6-sun-1.6.0.00/.systemPrefs
/usr/lib/firefox/.autoreg
/lib/linux-restricted-modules/.nvidia_new_installed

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... /usr/lib/security
/usr/lib/security/classpath.security
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS:  1524 6667 31337) (This line is produced by portsentry)
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient3[4917])
ppp0: not promisc and no packet sniffer sockets
ppp0: not promisc and no packet sniffer sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... user root deleted or never logged from lastlog!


root@*-desktop:/home/*# rkhunter -c

[ Rootkit Hunter version 1.3.0 ]


Checking system commands...


Performing 'strings' command checks

Checking 'strings' command [ OK ]


Performing 'shared libraries' checks

Checking for preloading variables [ None found ]

Checking for preload file [ Not found ]

Checking LD_LIBRARY_PATH variable [ Not found ]


Performing file properties checks

Checking for prerequisites [ OK ]

/bin/bash [ OK ]

/bin/cat [ OK ]

/bin/chmod [ OK ]

/bin/chown [ OK ]

/bin/cp [ OK ]

/bin/date [ OK ]

/bin/df [ OK ]

/bin/dmesg [ OK ]

/bin/echo [ OK ]

/bin/ed [ OK ]

/bin/egrep [ Warning ]

/bin/fgrep [ Warning ]

/bin/grep [ OK ]

/bin/ip [ OK ]

/bin/kill [ OK ]

/bin/login [ OK ]

/bin/ls [ OK ]

/bin/lsmod [ OK ]

/bin/mktemp [ OK ]

/bin/more [ OK ]

/bin/mount [ OK ]

/bin/mv [ OK ]

/bin/netstat [ OK ]

/bin/ps [ OK ]

/bin/pwd [ OK ]

/bin/readlink [ OK ]

/bin/sed [ OK ]

/bin/sh [ OK ]

/bin/su [ OK ]

/bin/touch [ OK ]

/bin/uname [ OK ]

/bin/which [ Warning ]

/bin/dash [ OK ]

/usr/bin/awk [ OK ]

/usr/bin/basename [ OK ]

/usr/bin/chattr [ OK ]

/usr/bin/cut [ OK ]

/usr/bin/diff [ OK ]

/usr/bin/dirname [ OK ]

/usr/bin/dpkg [ OK ]

/usr/bin/dpkg-query [ OK ]

/usr/bin/du [ OK ]

/usr/bin/env [ OK ]

/usr/bin/file [ OK ]

/usr/bin/find [ OK ]

/usr/bin/GET [ OK ]

/usr/bin/groups [ Warning ]

/usr/bin/head [ OK ]

/usr/bin/id [ OK ]

/usr/bin/killall [ OK ]

/usr/bin/last [ OK ]

/usr/bin/lastlog [ OK ]

/usr/bin/ldd [ Warning ]

/usr/bin/less [ OK ]

/usr/bin/locate [ OK ]

/usr/bin/logger [ OK ]

/usr/bin/lsattr [ OK ]

/usr/bin/lsof [ OK ]

/usr/bin/md5sum [ OK ]

/usr/bin/newgrp [ OK ]

/usr/bin/passwd [ OK ]

/usr/bin/perl [ OK ]

/usr/bin/pstree [ OK ]

/usr/bin/rpm [ OK ]

/usr/bin/runcon [ OK ]

/usr/bin/sha1sum [ OK ]

/usr/bin/size [ OK ]

/usr/bin/slocate [ OK ]

/usr/bin/sort [ OK ]

/usr/bin/stat [ OK ]

/usr/bin/strace [ OK ]

/usr/bin/strings [ OK ]

/usr/bin/sudo [ OK ]

/usr/bin/tail [ OK ]

/usr/bin/test [ OK ]

/usr/bin/top [ OK ]

/usr/bin/touch [ OK ]

/usr/bin/tr [ OK ]

/usr/bin/uniq [ OK ]

/usr/bin/users [ OK ]

/usr/bin/vmstat [ OK ]

/usr/bin/w [ OK ]

/usr/bin/watch [ OK ]

/usr/bin/wc [ OK ]

/usr/bin/wget [ OK ]

/usr/bin/whatis [ OK ]

/usr/bin/whereis [ OK ]

/usr/bin/which [ OK ]

/usr/bin/who [ OK ]

/usr/bin/whoami [ OK ]

/usr/bin/gawk [ OK ]

/usr/bin/lwp-request [ Warning ]

/usr/bin/w.procps [ OK ]

/sbin/depmod [ OK ]

/sbin/ifconfig [ OK ]

/sbin/ifdown [ OK ]

/sbin/ifup [ OK ]

/sbin/init [ OK ]

/sbin/insmod [ OK ]

/sbin/ip [ OK ]

/sbin/lsmod [ OK ]

/sbin/modinfo [ OK ]

/sbin/modprobe [ OK ]

/sbin/rmmod [ OK ]

/sbin/runlevel [ OK ]

/sbin/sulogin [ OK ]

/sbin/sysctl [ OK ]

/sbin/syslogd [ OK ]

/usr/sbin/adduser [ Warning ]

/usr/sbin/chroot [ OK ]

/usr/sbin/cron [ OK ]

/usr/sbin/groupadd [ OK ]

/usr/sbin/groupdel [ OK ]

/usr/sbin/groupmod [ OK ]

/usr/sbin/grpck [ OK ]

/usr/sbin/modprobe [ OK ]

/usr/sbin/nologin [ OK ]

/usr/sbin/pwck [ OK ]

/usr/sbin/useradd [ OK ]

/usr/sbin/userdel [ OK ]

/usr/sbin/usermod [ OK ]

/usr/sbin/vipw [ OK ]

/usr/local/bin/links [ Warning ]

/usr/local/bin/rkhunter [ OK ]


[Press <ENTER> to continue]


Checking for rootkits...


Performing check of known rootkit files and directories

55808 Trojan - Variant A [ Not found ]

ADM Worm [ Not found ]

AjaKit Rootkit [ Not found ]

aPa Kit [ Not found ]

Apache Worm [ Not found ]

Ambient (ark) Rootkit [ Not found ]

Balaur Rootkit [ Not found ]

BeastKit Rootkit [ Not found ]

beX2 Rootkit [ Not found ]

BOBKit Rootkit [ Not found ]

CiNIK Worm (Slapper.B variant) [ Not found ]

Danny-Boy's Abuse Kit [ Not found ]

Devil RootKit [ Not found ]

Dica-Kit Rootkit [ Not found ]

Dreams Rootkit [ Not found ]

Duarawkz Rootkit [ Not found ]

Enye LKM [ Not found ]

Flea Linux Rootkit [ Not found ]

FreeBSD Rootkit [ Not found ]

Fuck`it Rootkit [ Not found ]

GasKit Rootkit [ Not found ]

Heroin LKM [ Not found ]

HjC Kit [ Not found ]

ignoKit Rootkit [ Not found ]

ImperalsS-FBRK Rootkit [ Not found ]

Irix Rootkit [ Not found ]

Kitko Rootkit [ Not found ]

Knark Rootkit [ Not found ]

Li0n Worm [ Not found ]

Lockit / LJK2 Rootkit [ Not found ]

Mood-NT Rootkit [ Not found ]

MRK Rootkit [ Not found ]

Ni0 Rootkit [ Not found ]

Ohhara Rootkit [ Not found ]

Optic Kit (Tux) Worm [ Not found ]

Oz Rootkit [ Not found ]

Phalanx Rootkit [ Not found ]

Phalanx Rootkit (strings) [ Not found ]

Portacelo Rootkit [ Not found ]

R3dstorm Toolkit [ Not found ]

RH-Sharpe's Rootkit [ Not found ]

RSHA's Rootkit [ Not found ]

Scalper Worm [ Not found ]

Sebek LKM [ Not found ]

Shutdown Rootkit [ Not found ]

SHV4 Rootkit [ Not found ]

SHV5 Rootkit [ Not found ]

Sin Rootkit [ Not found ]

Slapper Worm [ Not found ]

Sneakin Rootkit [ Not found ]

Suckit Rootkit [ Not found ]

SunOS Rootkit [ Not found ]

SunOS / NSDAP Rootkit [ Not found ]

Superkit Rootkit [ Not found ]

TBD (Telnet BackDoor) [ Not found ]

TeLeKiT Rootkit [ Not found ]

T0rn Rootkit [ Not found ]

Trojanit Kit [ Not found ]

Tuxtendo Rootkit [ Not found ]

URK Rootkit [ Not found ]

VcKit Rootkit [ Not found ]

Volc Rootkit [ Not found ]

X-Org SunOS Rootkit [ Not found ]

zaRwT.KiT Rootkit [ Not found ]


Performing additional rootkit checks

Suckit Rookit additional checks [ OK ]

Checking for possible rootkit files and directories [ None found ]

Checking for possible rootkit strings [ None found ]


Performing malware checks

Checking running processes for suspicious files [ None found ]

Checking for login backdoors [ None found ]

Checking for suspicious directories [ None found ]

Checking for sniffer log files [ None found ]


Performing Linux specific checks

Checking kernel module commands [ OK ]

Checking kernel module names [ OK ]


[Press <ENTER> to continue]


Checking the network...


Performing check for backdoor ports

Checking for UDP port 2001 [ Not found ]

Checking for TCP port 2006 [ Not found ]

Checking for TCP port 2128 [ Not found ]

Checking for TCP port 14856 [ Not found ]

Checking for TCP port 47107 [ Not found ]

Checking for TCP port 60922 [ Not found ]


Performing checks on the network interfaces

Checking for promiscuous interfaces [ None found ]


[Press <ENTER> to continue]


Checking the local host...


Performing system boot checks

Checking for local host name [ Found ]

Checking for local startup files [ Found ]

Checking local startup files for malware [ None found ]

Checking system startup files for malware [ None found ]


Performing group and account checks

Checking for passwd file [ Found ]

Checking for root equivalent (UID 0) accounts [ None found ]

Checking for passwordless accounts [ None found ]

Checking for passwd file changes [ None found ]

Checking for group file changes [ None found ]

Checking root account shell history files [ OK ]


Performing system configuration file checks

Checking for SSH configuration file [ Not found ]

Checking for running syslog daemon [ Found ]

Checking for syslog configuration file [ Found ]

Checking if syslog remote logging is allowed [ Not allowed ]


Performing filesystem checks

Checking /dev for suspicious file types [ None found ]

Checking for hidden files and directories [ Warning ]


[Press <ENTER> to continue]


Checking application versions...


Checking version of GnuPG [ OK ]

Checking version of OpenSSL [ OK ]


System checks summary

=====================


File properties checks...

Files checked: 124

Suspect files: 8


Rootkit checks...

Rootkits checked : 108

Possible rootkits: 0


Applications checks...

Applications checked: 2

Suspect applications: 0


The system checks took: 2 minutes and 32 seconds


chkrootkit

http://www.chkrootkit.org/

....

A brief explanation of all the possible messages:

INFECTED: a file modified by an intruder may have been found;

not infected: the check found no known signs of rootkits;

suspicious files found: suspicious files were found;

not tested: the check was not performed for one of the following reasons:

the check can only be performed on a specific operating system other than the current one;

the check depends on programs that are missing;

an invalid argument was given (to list all possible arguments, run ./chkrootkit -h).

not found: the object being checked was not found;

vulnerable but disabled: malware was found but is not running;

user X deleted or never logged from lastlog!: the user name is in the passwd file but has either never been used to log in, or the record of it was deleted from the lastlog file;

user key deleted from lastlog!: the login record was deleted.

Hm... Folks, what does this mean???

Checking for hidden files and directories				[ Warning ]


Searching for OBSD rk v1... /usr/lib/security
/usr/lib/security/classpath.security

Is this normal??

Checking `bindshell'... INFECTED (PORTS: 1524 6667 31337) (This line is produced by portsentry)

that's normal, if portsentry is running

the rest needs digging into

....it is better (especially when you are sure the system was compromised) to mount the hard disk of the compromised system on another computer that has chkrootkit,...

here's an article http://ru-board.com/new/article.php?sid=171

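As an added example (not from the thread and not part of chkrootkit itself): a small parser that turns chkrootkit output into a review list using the message legend above, and lets the operator record host-specific explanations such as the portsentry ports discussed in the reply. The sample lines and the EXPECTED map are constructed for the example.

```python
import re

# Constructed sample, modelled on the chkrootkit output quoted in the thread.
CHKROOTKIT_SAMPLE = """\
Checking `ls'... not infected
Searching for OBSD rk v1... /usr/lib/security
/usr/lib/security/classpath.security
Searching for LOC rootkit... nothing found
Checking `bindshell'... INFECTED (PORTS:  1524 6667 31337)
Checking `lkm'... chkproc: nothing detected
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient3[4917])
Checking `z2'... user root deleted or never logged from lastlog!
"""

CHK_RE = re.compile(r"^(?:Checking `(?P<check>[^']+)'|Searching for (?P<search>.+?))"
                    r"\.\.\.\s*(?P<rest>.*)$")
# Verdict fragments that mean "nothing to see" in the chkrootkit message legend.
CLEAN = ("not infected", "not found", "nothing found", "no suspect files",
         "nothing detected", "nothing deleted", "not promisc")

def parse_chkrootkit(text):
    """Return [(check, detail)] for every line that is not a clean verdict.
    Lines without a 'Checking'/'Searching' prefix (per-interface sniffer results,
    listed paths) are continuations of the previous check."""
    findings, current = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = CHK_RE.match(line)
        if m:
            current = m.group("check") or m.group("search")
            detail = m.group("rest")
        else:
            detail = line
        if current and detail and not any(c in detail for c in CLEAN):
            findings.append((current, detail))
    return findings

def triage(findings, expected):
    """Split findings into (needs_review, acknowledged). `expected` maps a check
    name to a substring of the detail that the operator has already explained;
    anything else stays in the review list."""
    review, acked = [], []
    for check, detail in findings:
        if check in expected and expected[check] in detail:
            acked.append((check, detail))
        else:
            review.append((check, detail))
    return review, acked

# Host-specific explanations: the thread attributes the bindshell ports to
# portsentry; the eth0 packet socket is assumed to be the DHCP client.
EXPECTED = {"bindshell": "1524 6667 31337", "sniffer": "dhclient"}

if __name__ == "__main__":
    review, acked = triage(parse_chkrootkit(CHKROOTKIT_SAMPLE), EXPECTED)
    for check, detail in review:
        print("REVIEW:", check, "->", detail)
```

Anything left in the review list (here the two /usr/lib/security paths and the lastlog message) is what still needs a manual look.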

Checking `bindshell'... INFECTED (PORTS: 1524 6667 31337) (This line is produced by portsentry)

that's normal, if portsentry is running

Its log looks perfectly normal at first glance, unless portsentry itself has been replaced by the program.

....it is better (especially when you are sure the system was compromised) to mount the hard disk of the compromised system on another computer that has chkrootkit...

A LiveCD with a distribution that includes chkrootkit or rkhunter is enough. The latter is available, for example, on the Backtrack2 LiveCD.

This is necessary because the scripts mentioned above use some system programs and kernel modules, which may also have been modified. But it only matters if there is reason to suspect that root access was obtained.

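An added example of the offline check the reply recommends (not from the thread or from rkhunter): with the suspect disk mounted read-only on a clean machine, hash the files that rkhunter's file properties check flagged (/bin/egrep, /bin/fgrep and so on) against the md5 list dpkg records per package, taken from a trusted copy rather than from the suspect disk. The mount tree and md5 list below are constructed in a temporary directory so the example runs stand-alone.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse dpkg's per-package md5sums list ('<md5>  <path relative to />')
    into {relative_path: md5}. Take this list from a trusted source (the original
    .deb or a clean reference install), not from the suspect disk itself."""
    expected = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            expected[parts[1].strip()] = parts[0].lower()
    return expected

def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_tree(mount_root, expected):
    """Hash every listed file under mount_root (the suspect disk mounted read-only
    on the clean machine) and return {relative_path: 'ok' | 'MODIFIED' | 'missing'}."""
    results = {}
    for relpath, digest in expected.items():
        path = os.path.join(mount_root, relpath)
        if not os.path.isfile(path):
            results[relpath] = "missing"
        elif md5_of_file(path) == digest:
            results[relpath] = "ok"
        else:
            results[relpath] = "MODIFIED"
    return results

def build_demo_mount():
    """Constructed stand-in for a mounted disk: 'bin/grep' is intact, 'bin/egrep'
    was altered after its checksum was recorded, 'bin/fgrep' is absent."""
    root = tempfile.mkdtemp(prefix="suspect-mnt-")
    os.makedirs(os.path.join(root, "bin"))
    files = {"bin/grep": b"#!/bin/sh\nexec /real/grep \"$@\"\n",
             "bin/egrep": b"#!/bin/sh\nexec grep -E \"$@\"\n"}
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    lines = ["%s  %s" % (hashlib.md5(d).hexdigest(), rel) for rel, d in files.items()]
    lines.append("%s  bin/fgrep" % hashlib.md5(b"placeholder").hexdigest())
    with open(os.path.join(root, "bin/egrep"), "ab") as f:
        f.write(b"# appended after the checksum was taken\n")
    return root, "\n".join(lines) + "\n"

def run_demo():
    root, md5sums = build_demo_mount()
    return verify_tree(root, parse_md5sums(md5sums))
```

On a real disk the same verify_tree call is pointed at the mount point, and any MODIFIED or missing entry is what rkhunter's [ Warning ] on that path should be reconciled against.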

Thanks for the useful advice. Otherwise it's a false alarm. :mellow:


actually

OS X Rootkit Hunter is for Mac

Rootkitty is for Windows
