RKHunter (rkhunter) is a dedicated tool for checking whether a system has been infected with a rootkit: it runs a series of scripted checks to confirm whether a server has been compromised. This article walks through installing and using RKHunter, for reference.

1. Installing RKHunter (download: https://sourceforge.net/projects/rkhunter/files/latest/download)

[root@server ~]# tar -zxvf rkhunter-1.4.6.tar.gz    # the version may differ; the commands are the same
[root@server ~]# cd rkhunter-1.4.6
[root@server rkhunter-1.4.6]# ./installer.sh --layout default --install

Note: with the default installation layout, RKHunter is installed under /usr/local/bin.

2. Common RKHunter options
| Option | Meaning |
|---|---|
| -c, --check | Required; run the checks against the current system |
| --configfile <file> | Use a specific configuration file |
| --cronjob | Run as a cron job |
| --sk, --skip-keypress | Run all checks unattended, skipping keyboard input |
| --summary | Show a statistical summary of the check results |
| --update | Check for updates to the data files |
| -V, --version | Show version information |
| --versioncheck | Check for the latest version |
| --propupd [file \| directory] | Create the file-properties baseline; best done right after the system is installed |
Example check:

[root@master rkhunter-1.4.6]# rkhunter -c
[ Rootkit Hunter version 1.4.6 ]
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
Performing file properties checks
Checking for prerequisites [ Warning ]
/usr/local/bin/rkhunter [ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chkconfig [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/depmod [ OK ]
/usr/sbin/fsck [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
/usr/sbin/groupmod [ OK ]
/usr/sbin/grpck [ OK ]
/usr/sbin/ifconfig [ OK ]
/usr/sbin/ifdown [ Warning ]
/usr/sbin/ifup [ Warning ]
/usr/sbin/init [ OK ]
/usr/sbin/insmod [ OK ]
/usr/sbin/ip [ OK ]
/usr/sbin/lsmod [ OK ]
/usr/sbin/lsof [ OK ]
/usr/sbin/modinfo [ OK ]
/usr/sbin/modprobe [ OK ]
/usr/sbin/nologin [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/rmmod [ OK ]
/usr/sbin/route [ OK ]
/usr/sbin/rsyslogd [ OK ]
/usr/sbin/runlevel [ OK ]
/usr/sbin/sestatus [ OK ]
/usr/sbin/sshd [ OK ]
/usr/sbin/sulogin [ OK ]
/usr/sbin/sysctl [ OK ]
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
/usr/sbin/vipw [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/basename [ OK ]
/usr/bin/bash [ OK ]
/usr/bin/cat [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/chmod [ OK ]
/usr/bin/chown [ OK ]
/usr/bin/cp [ OK ]
/usr/bin/curl [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/date [ OK ]
/usr/bin/df [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/dmesg [ OK ]
/usr/bin/du [ OK ]
/usr/bin/echo [ OK ]
/usr/bin/egrep [ Warning ]
/usr/bin/env [ OK ]
/usr/bin/fgrep [ Warning ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/grep [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/ipcs [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/ldd [ Warning ]
/usr/bin/less [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/login [ OK ]
/usr/bin/ls [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/mktemp [ OK ]
/usr/bin/more [ OK ]
/usr/bin/mount [ OK ]
/usr/bin/mv [ OK ]
/usr/bin/netstat [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
/usr/bin/pgrep [ OK ]
/usr/bin/ping [ OK ]
/usr/bin/pkill [ OK ]
/usr/bin/ps [ OK ]
/usr/bin/pwd [ OK ]
/usr/bin/readlink [ OK ]
/usr/bin/rpm [ OK ]
/usr/bin/runcon [ OK ]
/usr/bin/sed [ OK ]
/usr/bin/sh [ OK ]
/usr/bin/shasum [ OK ]
/usr/bin/sha224sum [ OK ]
/usr/bin/sha256sum [ OK ]
/usr/bin/sha384sum [ OK ]
/usr/bin/sha512sum [ OK ]
/usr/bin/size [ OK ]
/usr/bin/sort [ OK ]
/usr/bin/ssh [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strace [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/su [ OK ]
/usr/bin/sudo [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/telnet [ OK ]
/usr/bin/test [ OK ]
/usr/bin/top [ OK ]
/usr/bin/touch [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uname [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whatis [ OK ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/bin/numfmt [ OK ]
/usr/bin/kmod [ OK ]
/usr/bin/systemctl [ OK ]
/usr/bin/gawk [ OK ]
/usr/lib/systemd/systemd [ OK ]
/etc/rkhunter.conf [ OK ]
[Press <ENTER> to continue]
Checking for rootkits...
Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
Adore Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
BeastKit Rootkit [ Not found ]
beX2 Rootkit [ Not found ]
BOBKit Rootkit [ Not found ]
cb Rootkit [ Not found ]
CiNIK Worm (Slapper.B variant) [ Not found ]
Danny-Boy's Abuse Kit [ Not found ]
Devil RootKit [ Not found ]
Diamorphine LKM [ Not found ]
Dica-Kit Rootkit [ Not found ]
Dreams Rootkit [ Not found ]
Duarawkz Rootkit [ Not found ]
Ebury backdoor [ Not found ]
Enye LKM [ Not found ]
Flea Linux Rootkit [ Not found ]
Fu Rootkit [ Not found ]
Fuck`it Rootkit [ Not found ]
GasKit Rootkit [ Not found ]
Heroin LKM [ Not found ]
HjC Kit [ Not found ]
ignoKit Rootkit [ Not found ]
IntoXonia-NG Rootkit [ Not found ]
Irix Rootkit [ Not found ]
Jynx Rootkit [ Not found ]
Jynx2 Rootkit [ Not found ]
KBeast Rootkit [ Not found ]
Kitko Rootkit [ Not found ]
Knark Rootkit [ Not found ]
ld-linux.so Rootkit [ Not found ]
Li0n Worm [ Not found ]
Lockit / LJK2 Rootkit [ Not found ]
Mokes backdoor [ Not found ]
Mood-NT Rootkit [ Not found ]
MRK Rootkit [ Not found ]
Ni0 Rootkit [ Not found ]
Ohhara Rootkit [ Not found ]
Optic Kit (Tux) Worm [ Not found ]
Oz Rootkit [ Not found ]
Phalanx Rootkit [ Not found ]
Phalanx2 Rootkit [ Not found ]
Phalanx2 Rootkit (extended tests) [ Not found ]
Portacelo Rootkit [ Not found ]
R3dstorm Toolkit [ Not found ]
RH-Sharpe's Rootkit [ Not found ]
RSHA's Rootkit [ Not found ]
Scalper Worm [ Not found ]
Sebek LKM [ Not found ]
Shutdown Rootkit [ Not found ]
SHV4 Rootkit [ Not found ]
SHV5 Rootkit [ Not found ]
Sin Rootkit [ Not found ]
Slapper Worm [ Not found ]
Sneakin Rootkit [ Not found ]
'Spanish' Rootkit [ Not found ]
Suckit Rootkit [ Not found ]
Superkit Rootkit [ Not found ]
TBD (Telnet BackDoor) [ Not found ]
TeLeKiT Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
trNkit Rootkit [ Not found ]
Trojanit Kit [ Not found ]
Tuxtendo Rootkit [ Not found ]
URK Rootkit [ Not found ]
Vampire Rootkit [ Not found ]
VcKit Rootkit [ Not found ]
Volc Rootkit [ Not found ]
Xzibit Rootkit [ Not found ]
zaRwT.KiT Rootkit [ Not found ]
ZK Rootkit [ Not found ]
[Press <ENTER> to continue]
Performing additional rootkit checks
Suckit Rootkit additional checks [ OK ]
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]
Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for login backdoors [ None found ]
Checking for sniffer log files [ None found ]
Checking for suspicious directories [ None found ]
Checking for suspicious (large) shared memory segments [ None found ]
Checking for Apache backdoor [ Not found ]
Performing Linux specific checks
Checking loaded kernel modules [ OK ]
Checking kernel module names [ OK ]
[Press <ENTER> to continue]
Checking the network...
Performing checks on the network ports
Checking for backdoor ports [ None found ]
Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]
Checking the local host...
Performing system boot checks
Checking for local host name [ Found ]
Checking for system startup files [ Found ]
Checking system startup files for malware [ None found ]
Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ OK ]
Performing system configuration file checks
Checking for an SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Warning ]
Checking for other suspicious configuration settings [ None found ]
Checking for running system logging daemon [ Found ]
Checking for system logging configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]
Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]
[Press <ENTER> to continue]
System checks summary
=====================
File properties checks...
Required commands check failed
Files checked: 127
Suspect files: 5
Rootkit checks...
Rootkits checked : 496
Possible rootkits: 0
Applications checks...
All checks skipped
The system checks took: 5 minutes and 43 seconds
All results have been written to the log file: /var/log/rkhunter.log
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

Explanation: every check result is highlighted; green means normal, red means it needs attention. The run above requires the user to press Enter between sections; use the --sk option to let it run without interaction:

[root@master rkhunter-1.4.6]# rkhunter --check --skip-keypress
3. Scheduled checks

The biggest advantage of running rkhunter from a Linux terminal is that each check result is shown in a different colour: green means no problem, red means it needs attention. During the run above, however, you have to press Enter after each section to continue. To have the program run automatically, add the following entry to the system crontab (the sixth field is the user the job runs as):

30 09 * * * root /usr/local/bin/rkhunter --check --cronjob

Explanation: rkhunter will then run once a day at 09:30.
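A bare rkhunter cron job only mails its output; the added example below (not part of the original article) wraps the scheduled run so it yields one exit status and syslog entries by parsing output in the format shown in the session above. It assumes rkhunter is at /usr/local/bin/rkhunter (the article's default layout) and that `rkhunter --check --cronjob` still prints the `[ Warning ]` markers and the "System checks summary" block to stdout; the sample output is constructed from the article's session.

```shell
#!/bin/sh
# Added example, not from the original article: turn an rkhunter run into one
# exit status (0 clean, 1 warnings, 2 possible rootkit) plus syslog entries.
# Assumption: rkhunter is at /usr/local/bin/rkhunter and its stdout keeps the
# "[ Warning ]" markers and the summary block, as in the article's session.
RKHUNTER=/usr/local/bin/rkhunter
# Constructed sample in the shape of the article's output, for a dry run.
SAMPLE_OUTPUT='/usr/sbin/ifup [ Warning ]
/usr/bin/egrep [ Warning ]
/usr/bin/grep [ OK ]
Checking if SSH root access is allowed [ Warning ]
System checks summary
Files checked: 127
Suspect files: 5
Possible rootkits: 0'
# Print the number after a summary label: summary_field "Suspect files" "$out" -> 5
summary_field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p" | head -n 1
}
# Print the names of all checks flagged "[ Warning ]", one per line.
warning_items() {
    printf '%s\n' "$1" | grep '\[ *Warning *\]' | sed 's/^[[:space:]]*//; s/[[:space:]]*\[ *Warning *\].*$//'
}
# Map one run to an exit status: 0 clean, 1 warnings to review, 2 possible rootkit.
verdict() {
    rootkits=$(summary_field "Possible rootkits" "$1")
    suspects=$(summary_field "Suspect files" "$1")
    if [ "${rootkits:-0}" -gt 0 ]; then echo 2
    elif [ "${suspects:-0}" -gt 0 ] || [ -n "$(warning_items "$1")" ]; then echo 1
    else echo 0
    fi
}
# What the crontab line should call instead of bare rkhunter: the exit status
# carries the verdict and every flagged check is written to syslog via logger.
run_scheduled_check() {
    out=$("$RKHUNTER" --check --cronjob 2>&1 || true)   # rkhunter exits 1 on warnings
    status=$(verdict "$out")
    warning_items "$out" | while IFS= read -r item; do
        logger -t rkhunter "warning: $item"
    done
    logger -t rkhunter "scan finished with status $status"
    return "$status"
}
# "--demo" evaluates the constructed sample; "--run" is what cron should invoke.
case ${1:-} in
    --demo) echo "sample verdict: $(verdict "$SAMPLE_OUTPUT")" ;;
    --run) run_scheduled_check ;;
esac
```

With the sample, `--demo` reports verdict 1: no rootkit was found, but five suspect files and the SSH warning still need a human to review them (or to be whitelisted in rkhunter.conf once confirmed benign).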
4. Security update

To test whether the vulnerability is present, run:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is test"
vulnerable
this is test

If the output looks like the above then, unfortunately, the security patch must be applied immediately. The interim fix is:

yum -y update bash

After upgrading bash, run the test again:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is test

If the output looks like the above, the vulnerability has been patched.
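The added example below (not from the original article) wraps the probe above in a function so the result can be checked by a script rather than by eye, and runs it against every bash binary on the host, since a second, older copy outside $PATH is missed when only `bash` is tested. The list of candidate paths is a constructed assumption; it needs only a POSIX sh and env.

```shell
#!/bin/sh
# Added example, not from the original article: scripted version of the bash
# environment-variable function-import probe shown above (Shellshock).
# Print "vulnerable", "patched" or "missing" for one bash binary. Both the
# hotfix output quoted above (two warning lines) and a newer bash that prints
# only "this is test" with no warning count as patched.
shellshock_status() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo missing; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is test' 2>&1)
    case $out in
        *vulnerable*) echo vulnerable ;;
        *) echo patched ;;
    esac
}
# Check every candidate path; print "path status" per binary and return 1 if
# any copy is still vulnerable, so the result can gate the "yum -y update bash" step.
check_all_bash() {
    rc=0
    for b in "$@"; do
        s=$(shellshock_status "$b")
        echo "$b $s"
        [ "$s" = vulnerable ] && rc=1
    done
    return "$rc"
}
# Constructed list of typical locations (assumption); adjust to the host.
[ "${1:-}" = --run ] && check_all_bash /bin/bash /usr/bin/bash /usr/local/bin/bash
```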