chkrootkit is a tool for locally checking whether a rootkit is present: it can detect LKM (loadable kernel module) rootkits, network interfaces left in promiscuous mode, and more, and it supports many Unix variants.
The newest chkrootkit release currently offered at http://www.chkrootkit.org is version 0.46a.
chkrootkit is a tool to locally check for signs of a rootkit. It contains:
- chkrootkit: shell script that checks system binaries for rootkit modification.
- ifpromisc.c: checks if the interface is in promiscuous mode.
- chklastlog.c: checks for lastlog deletions.
- chkwtmp.c: checks for wtmp deletions.
- check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
- chkproc.c: checks for signs of LKM trojans.
- chkdirs.c: checks for signs of LKM trojans.
- strings.c: quick and dirty strings replacement.
- chkutmp.c: checks for utmp deletions.
The following tests are made:
- aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp amd basename biff chfn chsh cron date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write
The following rootkits, worms and LKMs are currently detected:
| 01. lrk3, lrk4, lrk5, lrk6 (and variants); | 02. Solaris rootkit; | 03. FreeBSD rootkit; |
| 04. t0rn (and variants); | 05. Ambient's Rootkit (ARK); | 06. Ramen Worm; |
| 07. rh[67]-shaper; | 08. RSHA; | 09. Romanian rootkit; |
| 10. RK17; | 11. Lion Worm; | 12. Adore Worm; |
| 13. LPD Worm; | 14. kenny-rk; | 15. Adore LKM; |
| 16. ShitC Worm; | 17. Omega Worm; | 18. Wormkit Worm; |
| 19. Maniac-RK; | 20. dsc-rootkit; | 21. Ducoci rootkit; |
| 22. x.c Worm; | 23. RST.b trojan; | 24. duarawkz; |
| 25. knark LKM; | 26. Monkit; | 27. Hidrootkit; |
| 28. Bobkit; | 29. Pizdakit; | 30. t0rn v8.0; |
| 31. Showtee; | 32. Optickit; | 33. T.R.K; |
| 34. MithRa's Rootkit; | 35. George; | 36. SucKIT; |
| 37. Scalper; | 38. Slapper A, B, C and D; | 39. OpenBSD rk v1; |
| 40. Illogic rootkit; | 41. SK rootkit; | 42. sebek LKM; |
| 43. Romanian rootkit; | 44. LOC rootkit; | 45. shv4 rootkit; |
| 46. Aquatica rootkit; | 47. ZK rootkit; | 48. 55808.A Worm; |
| 49. TC2 Worm; | 50. Volc rootkit; | 51. Gold2 rootkit; |
| 52. Anonoying rootkit; | 53. Shkit rootkit; | 54. AjaKit rootkit; |
| 55. zaRwT rootkit; | 56. Madalin rootkit; | 57. Fu rootkit; |
| 58. Kenga3 rootkit; | 59. ESRK rootkit; | 60. rootedoor rootkit; |
chkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x, FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x and 3.x., NetBSD 1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64, BSDI and Mac OS X.
Usage (run as root, from the unpacked source directory)
# make sense          (builds the C helpers: ifpromisc, chklastlog, chkwtmp, chkproc, chkdirs, strings, chkutmp)
# ./chkrootkit        (runs every test listed above)
# ./chkrootkit -x lkm (expert mode: runs only the lkm test and prints its raw output for you to judge yourself)
Version 0.46a adds support for FreeBSD 6.1.
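chkrootkit prints one `Checking `name'... result` line per test and leaves the reading to you; on a real server most of the noise is "not found" (binary absent) and a handful of well-known false positives. The script below is an added example, not part of chkrootkit, showing how to reduce a run to the lines that need a human and gate a cron job on the result. The sample output is constructed here in chkrootkit's output style, not captured from a real host, and the two allowlist entries (a mail server listening on 465 tripping the `bindshell` test, and dhclient's packet socket tripping the `sniffer` test) are assumptions for this example that you must verify on your own systems before copying.

```shell
#!/bin/sh
# Added example (not chkrootkit's own code): triage chkrootkit output.
#
# Live usage, as root, from the chkrootkit source directory:
#   ./chkrootkit 2>&1 | chkrootkit_triage            # print what needs review
#   ./chkrootkit 2>&1 | chkrootkit_triage || mail -s "chkrootkit findings on $(hostname)" root
# Exit status is 0 when nothing actionable remains, 1 otherwise.

# Site-specific allowlist, as ONE extended regex (alternation with |).
# Both entries are assumptions for this example, not a recommendation:
#  - a legitimate SMTPS listener on 465 makes the bindshell test say INFECTED
#  - dhclient's AF_PACKET socket makes the sniffer test report a PACKET SNIFFER
# Anything matching here is dropped, so keep entries as narrow as possible.
KNOWN_BENIGN='bindshell.*PORTS: +465\)|PACKET SNIFFER\(/usr/sbin/dhclient\['

# chkrootkit_triage [file...]
# Reads chkrootkit output from the given files or stdin, prints the lines
# chkrootkit itself marks INFECTED or Warning plus the sniffer test's
# "PACKET SNIFFER" lines (which it does not prefix with INFECTED), minus the
# allowlist above. "not found" and "not infected" lines are never reported.
chkrootkit_triage() {
    findings=$(grep -E 'INFECTED|Warning|PACKET SNIFFER' "$@" \
               | grep -Ev "$KNOWN_BENIGN" || true)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample in chkrootkit 0.46a output style (NOT from a real host).
# It mixes noise, two allowlisted false positives and two genuine findings.
SAMPLE_OUTPUT=$(cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `ifconfig'... INFECTED
Checking `ls'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... You have     2 process hidden for readdir command
You have     2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `sniffer'... eth0: PACKET SNIFFER(/usr/sbin/dhclient[1234])
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `z2'... chklastlog: nothing deleted
EOF
)

# Demo run over the constructed sample: only the ifconfig and chkproc lines survive.
if printf '%s\n' "$SAMPLE_OUTPUT" | chkrootkit_triage; then
    echo "clean"
else
    echo "review the lines above"
fi
```

Note that an allowlist hides the exact things a real intruder would love you to ignore: a bindshell on 465 looks identical to your MTA from chkrootkit's point of view, so confirm with `netstat -anp` or `lsof -i :465` which process actually owns the port before adding such an entry, and keep the allowlist in version control with the reason for each line.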
Another rootkit checker worth introducing is rkhunter; the current version is 1.2.8.
Official site: http://www.rootkit.nl/projects/rootkit_hunter.html
Usage: download the tarball, unpack it and run install.sh to install.
After installation run:
rkhunter -c        runs a full check of the system
rkhunter --update  updates its signature database (fetches over the network)
rkhunter's output is quite long, so it is not pasted here; overall it is fairly user-friendly.
Each of the two checkers has its own strengths.