Chkrootkit
① Download and install chkrootkit
    # cd /usr/local/src
    # wget ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz
    # tar xvf chkrootkit.tar.gz
② Move the chkrootkit command to /usr/bin

    # mv chkrootkit-0.58b/chkrootkit /usr/bin
③ Run a check with chkrootkit

    # chkrootkit | grep INFECTED

If nothing is displayed, nothing was flagged as INFECTED and there is no problem.
④ Create the chkrootkit periodic execution script

Create the chkrootkit execution script in the directory whose contents are run automatically every day:

    # vi /etc/cron.daily/chkrootkit

Contents of the scheduled script (the lsof command substitution is quoted so the test does not break when lsof prints several fields):

    #!/bin/bash

    PATH=/usr/bin:/bin

    LOG=/tmp/$(basename ${0})

    # Run chkrootkit
    chkrootkit > $LOG 2>&1

    # Copy the output to syslog, tagged with the script name
    cat $LOG | logger -t $(basename ${0})

    # SMTPS bindshell false positive: drop the port 465 warning when nothing
    # called bindshell is actually listening on 465
    if [ ! -z "$(grep 465 $LOG)" ] && \
       [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
        sed -i '/465/d' $LOG
    fi

    # Suckit false positive after an upstart package update: drop the warning
    # when rpm verifies the package that owns /sbin/init as unmodified
    if [ ! -z "$(grep Suckit $LOG)" ] && \
       [ -z "$(rpm -V `rpm -qf /sbin/init`)" ]; then
        sed -i '/Suckit/d' $LOG
    fi

    # Send mail to root only when a rootkit is detected
    [ ! -z "$(grep INFECTED $LOG)" ] && \
        grep INFECTED $LOG | mail -s "chkrootkit report in `hostname`" root

⑤ Add execute permission to the chkrootkit execution script

    # chmod 700 /etc/cron.daily/chkrootkit
⑥ Back up the commands used by chkrootkit

If the commands chkrootkit relies on have been tampered with, a rootkit will not be detected. Back up these commands so that, if necessary, chkrootkit can be run against the backed-up copies instead of the system ones.

    # cd /root
    # mkdir /root/chkrootkit_cmd
    # cp `which --skip-alias awk cut echo egrep grep find head id ls netstat ps strings sed ssh uname` chkrootkit_cmd/
    # ls -l /root/chkrootkit_cmd/
    total 2820
    -rwxr-xr-x 1 root root 763808 Jun 19 13:56 awk
    -rwxr-xr-x 1 root root  49128 Jun 19 13:56 cut
    -rwxr-xr-x 1 root root  36496 Jun 19 13:56 echo
    -rwxr-xr-x 1 root root    106 Jun 19 13:56 egrep
    -rwxr-xr-x 1 root root 209224 Jun 19 13:56 find
    -rwxr-xr-x 1 root root 169800 Jun 19 13:56 grep
    -rwxr-xr-x 1 root root  45016 Jun 19 13:56 head
    -rwxr-xr-x 1 root root  44928 Jun 19 13:56 id
    -rwxr-xr-x 1 root root 145280 Jun 19 13:56 ls
    -rwxr-xr-x 1 root root 148672 Jun 19 13:56 netstat
    -rwxr-xr-x 1 root root 124696 Jun 19 13:56 ps
    -rwxr-xr-x 1 root root 124080 Jun 19 13:56 sed
    -rwxr-xr-x 1 root root 922568 Jun 19 13:56 ssh
    -rwxr-xr-x 1 root root  36944 Jun 19 13:56 strings
    -rwxr-xr-x 1 root root  36664 Jun 19 13:56 uname
⑦ Run chkrootkit with the copied commands

    # chkrootkit -p /root/chkrootkit_cmd | grep INFECTED

If nothing is displayed, nothing was flagged as INFECTED and there is no problem.
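Steps ⑥ and ⑦ only help if the backed-up copies are themselves still intact. The following script is an added example (not part of the original page) that records a sha256 manifest of the backup directory, refuses to run `chkrootkit -p` unless the directory still verifies, and lists which live commands now differ from the backup. It assumes GNU coreutils `sha256sum` and `cmp`, and that the manifest path is absolute; the function names are this example's own.

```shell
#!/bin/bash
# Added example for steps 6 and 7 (not the page's own code): keep a sha256
# manifest of the backed-up command set and verify it before handing the
# directory to "chkrootkit -p". A tampered or silently replaced copy then
# fails verification instead of quietly hiding an infection.
# Assumes GNU coreutils sha256sum/cmp; MANIFEST must be an absolute path.

# make_manifest DIR MANIFEST : record the sha256 of every file in DIR.
# Keep MANIFEST off the host as well (e.g. alongside the tar.gz mailed in step 9).
make_manifest() {
    local dir="$1" manifest="$2"
    ( cd "$dir" && sha256sum -- * ) > "$manifest"
}

# verify_manifest DIR MANIFEST : exit status 0 only if every listed file
# still matches; --strict also fails on a malformed or truncated manifest.
verify_manifest() {
    local dir="$1" manifest="$2"
    ( cd "$dir" && sha256sum --check --quiet --strict -- "$manifest" ) >/dev/null 2>&1
}

# compare_live DIR : list backed-up commands whose copy on the current PATH
# no longer matches byte for byte. Package updates cause this legitimately,
# so treat the output as a prompt to check with rpm -V, not as proof of a rootkit.
compare_live() {
    local f name live
    for f in "$1"/*; do
        name=$(basename "$f")
        if live=$(command -v "$name"); then
            cmp -s "$f" "$live" || echo "$name: differs from $live"
        else
            echo "$name: not found on PATH"
        fi
    done
}

# run_trusted_chkrootkit DIR MANIFEST : refuse to scan unless the toolset verifies.
run_trusted_chkrootkit() {
    if ! verify_manifest "$1" "$2"; then
        echo "trusted command set in $1 failed verification; not running chkrootkit" >&2
        return 2
    fi
    chkrootkit -p "$1" | grep INFECTED
}

# Usage with the page's layout (hypothetical manifest path):
#   make_manifest /root/chkrootkit_cmd /root/chkrootkit_cmd.sha256
#   run_trusted_chkrootkit /root/chkrootkit_cmd /root/chkrootkit_cmd.sha256
```

Generate the manifest once, right after step ⑦ confirms a clean result, and store it with the archive from step ⑨; a manifest kept only on the server can be rewritten by whoever rewrote the binaries.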
⑧ Compress the backed-up commands

    # tar zcvf chkrootkit_cmd.tar.gz chkrootkit_cmd
    chkrootkit_cmd/
    chkrootkit_cmd/awk
    chkrootkit_cmd/cut
    chkrootkit_cmd/echo
    chkrootkit_cmd/egrep
    chkrootkit_cmd/find
    chkrootkit_cmd/head
    chkrootkit_cmd/id
    chkrootkit_cmd/ls
    chkrootkit_cmd/netstat
    chkrootkit_cmd/ps
    chkrootkit_cmd/strings
    chkrootkit_cmd/sed
    chkrootkit_cmd/ssh
    chkrootkit_cmd/uname
    chkrootkit_cmd/grep

    # ls -l
    total 2048
    -rw-------. 1 root  root     1031 Nov 25 12:58 anaconda-ks.cfg
    -rw-------  1 root  root      766 Nov 27 11:30 appid_stats.log
    -rwxr-xr-x  1 huong huong   88420 Jul  6  2023 bin
    drwxr-xr-x  2 root  root      184 Nov 27 14:51 chkrootkit_cmd
    -rw-r--r--  1 root  root  1311290 Nov 27 14:52 chkrootkit_cmd.tar.gz
⑨ Send the compressed chkrootkit commands to root by e-mail

    # echo | mail -a chkrootkit_cmd.tar.gz -s chkrootkit_cmd.tar.gz root

⑩ Download the chkrootkit_cmd.tar.gz file and save it on the Windows machine

⑪ Delete the backed-up commands from the server

    # rm -f chkrootkit_cmd.tar.gz
Logwatch
① Install

    # dnf install logwatch -y

② Edit the configuration file

    # cat /usr/share/logwatch/default.conf/logwatch.conf >> /etc/logwatch/conf/logwatch.conf
    # vi /etc/logwatch/conf/logwatch.conf

    # Line 77 : Set the email address where you want to receive notifications
    #MailTo = root
    MailTo = [mail address]

    # Line 116 : Set the level of detail for log notifications
    #Detail = Low
    Detail = High
③ Output a Logwatch report

    # logwatch --output stdout

It will appear as follows:

     ################### Logwatch 7.11 (07/22/24) ####################
            Processing Initiated: Thu Nov 27 14:58:08 2025
            Date Range Processed: yesterday
                                  ( 2025-Nov-26 )
                                  Period is day.
          Detail Level of Output: 10
          Type of Output/Format: stdout / text
               Logfiles for Host: Lepard
     ##################################################################

     --------------------- Kernel Audit Begin ------------------------

     Number of audit daemon starts: 2
     Number of audit initializations: 2

     **Unmatched Entries**
        auditd[1036]: audit dispatcher initialized with q_depth=2000 and 1 active plugins: 1 Time(s)
        auditd[1051]: audit dispatcher initialized with q_depth=2000 and 1 active plugins: 1 Time(s)

     ---------------------- Kernel Audit End -------------------------

     ------------------------------------------------------------------------------
     ------------------------------------------------------------------------------

     --------------------- Disk Space Begin ------------------------

     Filesystem                  Size  Used Avail Use% Mounted on
     /dev/mapper/almalinux-root   17G  7.4G  9.6G  44% /
     /dev/nvme0n1p2              960M  348M  613M  37% /boot

     ---------------------- Disk Space End -------------------------

     --------------------- lm_sensors output Begin ------------------------

     No sensors found!
     Make sure you loaded all the kernel drivers you need.
     Try sensors-detect to find out which these are.

     ---------------------- lm_sensors output End -------------------------

     ###################### Logwatch End #########################

④ Test whether the report arrives at the address you set. Run the daily job by hand and check that you receive a log report e-mail like the one above.

    # /etc/cron.daily/0logwatch
Introducing a disk usage check script

1. Script creation

    # cd /var/www/system
    # vi disk_capacity_check.sh

Contents of disk_capacity_check.sh (the sed expression extracts the Use% figure of the root filesystem from the last line of df output):

    #!/bin/bash

    # E-mail address to be notified
    MAIL="<your mailaddress>"

    # Usage percentage of / as a bare number, e.g. 44
    DVAL=`/bin/df / | /usr/bin/tail -1 | /bin/sed 's/^.* \([0-9]*\)%.*$/\1/'`

    if [ "$DVAL" -gt 80 ]; then
        echo "Disk usage alert: $DVAL %" | mail -s "Disk Space Alert in `hostname`" $MAIL
    fi

    # chmod 700 disk_capacity_check.sh
2. Execution confirmation

① Check the current usage rates

    # df -h

It appears as follows:

    Filesystem                  Size  Used Avail Use% Mounted on
    /dev/mapper/almalinux-root   17G  7.4G  9.6G  44% /
    devtmpfs                    1.3G     0  1.3G   0% /dev
    tmpfs                       1.4G     0  1.4G   0% /dev/shm
    tmpfs                       536M   11M  526M   2% /run
    tmpfs                       1.0M     0  1.0M   0% /run/credentials/systemd-journald.service
    /dev/loop2                  128K  128K     0 100% /var/lib/snapd/snap/hello-world/29
    /dev/loop3                   67M   67M     0 100% /var/lib/snapd/snap/core24/1225
    /dev/loop0                   71M   71M     0 100% /var/lib/snapd/snap/certbot/5057
    /dev/loop4                   51M   51M     0 100% /var/lib/snapd/snap/snapd/25577
    /dev/loop1                  105M  105M     0 100% /var/lib/snapd/snap/core/17247
    /dev/nvme0n1p2              960M  348M  613M  37% /boot
    tmpfs                       1.0M     0  1.0M   0% /run/credentials/getty@tty1.service
    tmpfs                       268M   16K  268M   1% /run/user/1000

② Create a dummy file so that usage reaches at least 80% (in the example, a file named dummyfile of about 8 GB)

    # dd if=/dev/zero of=dummyfile bs=1M count=8000

③ Check again

    # df -h

Run it and confirm that the usage of / is now above 80%.

④ Run the check script

    # /var/www/system/disk_capacity_check.sh

An e-mail stating something like "Disk usage alert: 90 %" will arrive at the address you configured.

⑤ Delete "dummyfile"

    # rm dummyfile

⑥ Periodic execution setting

    # crontab -e
    30 2 * * * /var/www/system/disk_capacity_check.sh
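The script above watches only `/`, and the `df -h` listing shows why a naive "every filesystem" version would be noisy: the read-only snap loop mounts sit permanently at 100%. The following is an added example (not the page's own script) that generalises the check to all mounted filesystems while skipping `/dev/loop*`, and mails a single report. It assumes GNU `df` and `awk` and the same `mail` command the page uses; `over_threshold` and `check_disks` are this example's own names, and the sample input is a subset of the page's own `df -h` output.

```shell
#!/bin/bash
# Added example that generalises the page's disk_capacity_check.sh (not the
# page's own script): check every mounted filesystem from "df -P" rather than
# only "/", and skip the read-only snap loop mounts (/dev/loop*), which the
# df -h output above shows permanently at 100% and would otherwise trip the
# alert every night. Assumes GNU df, awk and the mail command used on the page.

# over_threshold THRESHOLD : reads df output on stdin (df -P or df -h; both put
# the percentage in column 5 and the mount point in column 6) and prints
# "mountpoint usage%" for each filesystem above THRESHOLD, one per line.
over_threshold() {
    awk -v thr="$1" '
        NR > 1 && $1 !~ /^\/dev\/loop/ {
            pct = $5
            sub(/%/, "", pct)
            if (pct + 0 > thr + 0) print $6, pct "%"
        }'
}

# check_disks THRESHOLD MAILADDR : run df -P (stable, unwrapped columns) and
# mail one report listing every filesystem over THRESHOLD; sends nothing when
# all of them are below it.
check_disks() {
    local report
    report=$(df -P | over_threshold "$1")
    [ -z "$report" ] && return 0
    printf 'Disk usage alert on %s:\n%s\n' "$(hostname)" "$report" \
        | mail -s "Disk Space Alert in $(hostname)" "$2"
}

# Constructed sample input: a subset of the df -h listing shown on this page.
SAMPLE_DF='Filesystem Size Used Avail Use% Mounted on
/dev/mapper/almalinux-root 17G 7.4G 9.6G 44% /
devtmpfs 1.3G 0 1.3G 0% /dev
tmpfs 1.4G 0 1.4G 0% /dev/shm
/dev/loop2 128K 128K 0 100% /var/lib/snapd/snap/hello-world/29
/dev/loop3 67M 67M 0 100% /var/lib/snapd/snap/core24/1225
/dev/nvme0n1p2 960M 348M 613M 37% /boot'

# Dry run against the sample without sending mail (prints "/ 44%" at threshold 40):
#   printf '%s\n' "$SAMPLE_DF" | over_threshold 40
# In the crontab entry above, replace the script with:
#   check_disks 80 "<your mailaddress>"
```

Mount points containing spaces would be truncated by the `$6` field split; on a server where that matters, parse `df -P --output=pcent,target` instead.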
