SNORT2 Install
1. Advance preparation
①Install necessary software
|
1 2 3 4 5 |
# yum -y install bison flex libtool nghttp2 libnghttp2-devel \ libpcap-devel pcre-devel openssl-devel libdnet-devel \ libtirpc-devel git gcc-c++ libunwind-devel cmake hwloc-devel \ luajit-devel xz-devel libnfnetlink-devel libmnl-devel \ libnetfilter_queue-devel uuid-devel libsafec-devel |
②DAQ install
|
1 2 3 4 5 6 7 8 9 |
# mkdir /var/src # cd /var/src # wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz # tar zxvf daq-2.0.7.tar.gz # cd daq-2.0.7 # autoreconf -f -i # ./configure # make # make install |
③Lua install
|
1 2 3 4 5 6 |
# cd /var/src # wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz # tar -zxvf LuaJIT-2.0.5.tar.gz # cd LuaJIT-2.0.5 # make # make install |
④Create fake release file
|
1 2 3 |
# /bin/cat << EOT >/etc/fedora-release Fedora release 28 (Rawhide) EOT |
2. Download, compile, and install Snort
|
1 2 3 4 5 6 7 8 9 |
# cd /var/src # wget https://snort.org/downloads/archive/snort/snort-2.9.18.1.tar.gz # tar -zxvf snort-2.9.18.1.tar.gz # cd snort-2.9.18.1 # ./configure --enable-sourcefire # make # make install # ldconfig # ln -s /usr/local/bin/snort /usr/sbin/snort |
Delete fake release files
|
1 |
# rm /etc/fedora-release |
3.Create groups and users, necessary directories and files
|
1 2 |
# groupadd snort # useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# mkdir /etc/snort # mkdir -p /etc/snort/rules # mkdir /var/log/snort # mkdir /usr/local/lib/snort_dynamicrules # mkdir /etc/snort/preproc_rules # chmod -R 5775 /etc/snort # chmod -R 5775 /var/log/snort # chmod -R 5775 /usr/local/lib/snort_dynamicrules # chown -R snort:snort /etc/snort # chown -R snort:snort /var/log/snort # chown -R snort:snort /usr/local/lib/snort_dynamicrules Create the following files # touch /etc/snort/rules/white_list.rules # touch /etc/snort/rules/black_list.rules # touch /etc/snort/rules/local.rules |
Setup configuration files… Copy all files to the configuration directory.
|
1 2 |
# cp /var/src/snort-2.9.18.1/etc/*.conf* /etc/snort # cp /var/src/snort-2.9.18.1/etc/*.map* /etc/snort |
4.Use of Community Rules
①Get Community Rules
|
1 |
# wget https://www.snort.org/rules/community -O ~/community.tar.gz |
②Extract rules and copy to configuration folder
|
1 2 |
# tar -xvf ~/community.tar.gz -C ~/ # cp ~/community-rules/* /etc/snort/rules |
There are various rule files that are not included in the community rules.
Use the sed command to comment out unnecessary lines.
|
1 |
# sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf |
5. Retrieving Registered User Rules
Once registered on the Snort website, you can use your Oink code to download registered user rules; the Oink code is located in your Snort user account details.
Replace oinkcode with your personal code in the following command
Replace oinkcode with your personal code in the following command
|
1 |
# wget https://www.snort.org/rules/snortrules-snapshot-29181.tar.gz?oinkcode=<oink-code> -O ~/registered.tar.gz |
Once download is complete, extract rules to the configuration directory
|
1 |
# tar -xvf ~/registered.tar.gz -C /etc/snort |
6. Network and Rule Configuration
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
# vi /etc/snort/snort.conf ●Line 45 # Setup the network addresses you are protecting ipvar HOME_NET 192.168.11.0/24 ←adapt to each environment ●Line 48 # Set up the external network addresses. Leave as "any" in most situations ipvar EXTERNAL_NET !$HOME_NET ●Line 104-106: Comment out and add below # Path to your rules files (this can be a relative path) # var RULE_PATH ../rules # var SO_RULE_PATH ../so_rules # var PREPROC_RULE_PATH ../preproc_rules var RULE_PATH /etc/snort/rules var SO_RULE_PATH /etc/snort/so_rules var PREPROC_RULE_PATH /etc/snort/preproc_rules ●Per line 116: Comment out and add below # Set the absolute path appropriately #var WHITE_LIST_PATH ../rules #var BLACK_LIST_PATH ../rules var WHITE_LIST_PATH /etc/snort/rules var BLACK_LIST_PATH /etc/snort/rules ●Per line 525: Add # unified2 # Recommended for most installs output unified2: filename snort.log, limit 128 ●Per line 550: To allow custom rules to be loaded, local.rules must be uncommented include $RULE_PATH/local.rules ●If you are using community rules, also add the following line just below the local.rules line, for example include $RULE_PATH/community.rules |
7. Verification of settings
Use parameter -T to test configuration and enable test mode
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
# snort -T -c /etc/snort/rules/snort.conf MaxRss at the end of detection rules:809420 --== Initialization Complete ==-- ,,_ -*> Snort! <*- o" )~ Version 2.9.18.1 GRE (Build 1005) '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using libpcap version 1.9.1 (with TPACKET_V3) Using PCRE version: 8.45 2021-06-15 Using ZLIB version: 1.2.11 Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.2 <Build 1> Preprocessor Object: SF_DNS Version 1.1 <Build 4> Preprocessor Object: appid Version 1.1 <Build 5> Preprocessor Object: SF_S7COMMPLUS Version 1.0 <Build 1> Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13> Preprocessor Object: SF_POP Version 1.0 <Build 1> Preprocessor Object: SF_SSLPP Version 1.1 <Build 4> Total snort Fixed Memory Cost - MaxRss:809420 Snort successfully validated the configuration! Snort exiting |
Copy the relevant file to /etc/snort/rules in case of an error
In our case, the error occurred in the following file
In our case, the error occurred in the following file
|
1 2 3 4 |
# cp /var/src/snort-2.9.18.1/etc/classification.config /etc/snort/rules\ cp /var/src/snort-2.9.18.1/etc/reference.config /etc/snort/rules \ cp /var/src/snort-2.9.18.1/etc/threshold.conf /etc/snort/rules \ cp /var/src/snort-2.9.18.1/etc/unicode.map /etc/snort/rules |
If you get a unicode.map error
|
1 |
# cp /usr/local/src/snort-2.9.18.1/etc/unicode.map /etc/snort/rules |
Also, if you get the error "/etc/snort/rules/snort.conf(322) => Invalid keyword '}'".
relevant line
decompress_swf { deflate lzma } \ : Comment.
# decompress_swf { deflate lzma } \
relevant line
decompress_swf { deflate lzma } \ : Comment.
# decompress_swf { deflate lzma } \
8. Configuration Testing
①To test if Snort is logging alerts, add a custom detection rule alert for incoming ICMP connections to the local.rules file.
|
1 2 3 |
# vi /etc/snort/rules/local.rules ●Add the following line to the last line alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;) |
②Start Snort at the console and output an alert to stdout. The correct network interface (e.g. eth0) must be selected
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf Get Snort up and running and ping it from another computer; you will see the following notification for each ICMP call on the terminal running Snort Commencing packet processing (pid=33565) 02/18-13:39:15.162545 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83 02/18-13:39:15.162585 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22 02/18-13:39:16.167356 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83 02/18-13:39:16.167401 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22 02/18-13:39:17.180964 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83 02/18-13:39:17.181003 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22 02/18-13:39:18.199202 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.22 -> 192.168.11.83 02/18-13:39:18.199274 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.22 |
9. Running Snort in the background
①Create a startup script for Snort (eth0 must match your environment)
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# vi /lib/systemd/system/snort.service [Unit] Description=Snort NIDS Daemon After=syslog.target network.target [Service] Type=simple ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 [Install] WantedBy=multi-user.target |
②After defining the service, reload and run the systemctl daemon
|
1 2 |
# systemctl daemon-reload # systemctl start snort |
Tripwire Install
1.Download and installation
|
1 |
# yum install tripwire |
2.Passphrase setting
Set site passphrase and local passphrase
|
1 |
# tripwire-setup-keyfiles |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
---------------------------------------------- The Tripwire site and local passphrases are used to sign a variety of files, such as the configuration, policy, and database files. Passphrases should be at least 8 characters in length and contain both letters and numbers. See the Tripwire manual for more information. ---------------------------------------------- Creating key files... (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the site keyfile passphrase: ←Enter any "Site Passphrase" Verify the site keyfile passphrase: ←Enter "Site Passphrase" again Generating key (this may take several minutes)...Key generation complete. (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the local keyfile passphrase: ←Enter any "local passphrase" Verify the local keyfile passphrase: ←Enter "Local Passphrase" again Generating key (this may take several minutes)...Key generation complete. ---------------------------------------------- Signing configuration file... Please enter your site passphrase: ←Enter "Site Passphrase" Wrote configuration file: /etc/tripwire/tw.cfg A clear-text version of the Tripwire configuration file: /etc/tripwire/twcfg.txt has been preserved for your inspection. It is recommended that you move this file to a secure location and/or encrypt it in place (using a tool such as GPG, for example) after you have examined it. ---------------------------------------------- Signing policy file... Please enter your site passphrase: ←Enter "Site Passphrase" Wrote policy file: /etc/tripwire/tw.pol A clear-text version of the Tripwire policy file: /etc/tripwire/twpol.txt ~omission~ default values from the current configuration file are used. |
3.Tripwire Configuration
①Configuration File Edit
|
1 2 3 4 5 6 7 8 |
# vi /etc/tripwire/twcfg.txt ●Per line 9 Add "#" at the beginning of the line and "LOOSEDIRECTORYCHECKING =true" on the line below it. ●Per line 12 Add "#" at the beginning of the line and "REPORTLEVEL =4" on the line below it. Level 4 provides the most detailed report of the five levels from "0" to "4". #REPORTLEVEL =3 REPORTLEVEL =4 |
②Create a Tripwire configuration file (cryptographically signed version)
|
1 2 3 |
# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt Please enter your site passphrase: ←Enter site passphrase Wrote configuration file: /etc/tripwire/tw.cfg |
③Delete Tripwire configuration file (text version)
|
1 |
# rm -f /etc/tripwire/twcfg.txt |
④Policy File Setting
|
1 2 |
# cd /etc/tripwire/ # vi twpolmake.pl |
Contents of twpolmake.pl
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
#!/usr/bin/perl # Tripwire Policy File customize tool # $POLFILE=$ARGV[0]; open(POL,"$POLFILE") or die "open error: $POLFILE" ; my($myhost,$thost) ; my($sharp,$tpath,$cond) ; my($INRULE) = 0 ; while (<POL>) { chomp; if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) { $myhost = `hostname` ; chomp($myhost) ; if ($thost ne $myhost) { $_="HOSTNAME=\"$myhost\";" ; } } elsif ( /^{/ ) { $INRULE=1 ; } elsif ( /^}/ ) { $INRULE=0 ; } elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) { $ret = ($sharp =~ s/\#//g) ; if ($tpath eq '/sbin/e2fsadm' ) { $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ; } if (! -s $tpath) { $_ = "$sharp#$tpath$cond" if ($ret == 0) ; } else { $_ = "$sharp$tpath$cond" ; } } print "$_\n" ; } close(POL) ; |
⑤Policy File Optimizations
|
1 |
# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new |
⑥Create policy file (cryptographically signed version) based on optimized policy file
|
1 2 3 |
# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new Please enter your site passphrase: ←Enter site passphrase Wrote policy file: /etc/tripwire/tw.pol |
⑦Create database and check operation
|
1 2 3 4 5 6 7 8 |
# tripwire -m i -s -c /etc/tripwire/tw.cfg Please enter your local passphrase: ←Enter local passphrase Create test files # echo test > /root/test.txt Check Tripwire operation # tripwire -m c -s -c /etc/tripwire/tw.cfg OK if it appears as follows |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 |
Open Source Tripwire(R) 2.4.3.7 Integrity Check Report Report generated by: root Report created on: Sat 18 Feb 2023 02:28:02 PM JST Database last updated on: Never =============================================================================== Report Summary: =============================================================================== Host name: Lepard Host IP address: 192.168.11.83 Host ID: None Policy file used: /etc/tripwire/tw.pol Configuration file used: /etc/tripwire/tw.cfg Database file used: /var/lib/tripwire/Lepard.twd Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg =============================================================================== Rule Summary: =============================================================================== ------------------------------------------------------------------------------- Section: Unix File System ------------------------------------------------------------------------------- Rule Name Severity Level Added Removed Modified --------- -------------- ----- ------- -------- User binaries 66 0 0 0 Tripwire Binaries 100 0 0 0 Libraries 66 0 0 0 Operating System Utilities 100 0 0 0 File System and Disk Administraton Programs 100 0 0 0 Kernel Administration Programs 100 0 0 0 Networking Programs 100 0 0 0 System Administration Programs 100 0 0 0 Hardware and Device Control Programs 100 0 0 0 System Information Programs 100 0 0 0 Application Information Programs 100 0 0 0 (/sbin/rtmon) Critical Utility Sym-Links 100 0 0 0 Shell Binaries 100 0 0 0 Critical system boot files 100 0 0 0 * Tripwire Data Files 100 1 0 0 System boot changes 100 0 0 0 OS executables and libraries 100 0 0 0 Critical configuration files 100 0 0 0 Security Control 100 0 0 0 Login Scripts 100 0 0 0 * Root config files 100 1 0 0 Invariant Directories 66 0 0 0 Temporary directories 33 0 0 0 Critical devices 100 0 0 0 (/proc/kcore) Total objects scanned: 32789 Total violations found: 2 =============================================================================== Object Summary: =============================================================================== ------------------------------------------------------------------------------- # Section: Unix File System ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Rule Name: Tripwire Data Files (/var/lib/tripwire) Severity Level: 100 ------------------------------------------------------------------------------- Added: "/var/lib/tripwire/Lepard.twd" ------------------------------------------------------------------------------- Rule Name: Root config files (/root) Severity Level: 100 ------------------------------------------------------------------------------- Added: "/root/test.txt" =============================================================================== Error Report: =============================================================================== No Errors ------------------------------------------------------------------------------- *** End of report *** Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved. |
テスト用ファイルを削除
|
1 |
# rm -f /root/test.txt |
⑧Tripwire Scheduled Execution Script
|
1 2 |
# cd /var/www/system # vi tripwire.sh |
Contents of tripwire.sh
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
#!/bin/bash PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin # Passphrase setting LOCALPASS= ←local passphrase SITEPASS= ←site passphrase cd /etc/tripwire # Tripwire check run tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" root # Policy File Update twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt perl twpolmake.pl twpol.txt > twpol.txt.new twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null rm -f twpol.txt* *.bak # Database update rm -f /usr/local/tripwire/lib/tripwire/*.twd* tripwire -m i -s -c tw.cfg -P $LOCALPASS |
⑨Tripwire Auto-Run Script Execution Settings
|
1 2 3 4 5 |
# chmod 700 tripwire.sh Add to cron # crontab -e 0 3 * * * /var/www/system/tripwire.sh |
Reference: Script for reporting results by e-mail
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
#!/bin/bash PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin # Passphrase setting LOCALPASS=xxxxx # local passphrase SITEPASS=xxxxx # site passphrase #Specify e-mail address for notification MAIL="<your mailaddress> " cd /etc/tripwire # Tripwire check run tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" $MAIL # Policy File Update twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt perl twpolmake.pl twpol.txt > twpol.txt.new twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null rm -f twpol.txt* *.bak # Database Update rm -f /usr/local/tripwire/lib/tripwire/*.twd* tripwire -m i -s -c tw.cfg -P $LOCALPASS |
Chkrootkit Install
①Download and install chkrootkit
|
1 2 3 |
# cd /usr/local/src # wget https://launchpad.net/chkrootkit/main/0.55/+download/chkrootkit-0.55.tar.gz # tar xvf chkrootkit-0.55.tar.gz |
➁Create /root/bin directory and move chkrootkit command to that directory
|
1 2 |
# mkdir -p /root/bin # mv chkrootkit-0.55/chkrootkit /root/bin |
➂Check chkrootkit.
|
1 2 |
# chkrootkit | grep INFECTED If nothing is displayed, no problem. |
Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed
If you get the above error
This is probably a false positive that occurs when there are executable files under /tmp.
In our case, we have disabled the following files
This is probably a false positive that occurs when there are executable files under /tmp.
In our case, we have disabled the following files
|
1 |
# chmod -x ks-script-ha_lzbh5 ks-script-uu6cvhzn |
④Create chkrootkit periodic execution script and change permissions
|
1 2 |
Create chkrootkit execution script in a directory where it is automatically executed daily # vi /etc/cron.daily/chkrootkit |
Scheduled Script Contents
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
#!/bin/bash PATH=/usr/bin:/bin:/root/bin LOG=/tmp/$(basename ${0}) # Run chkrootkit chkrootkit > $LOG 2>&1 # log output cat $LOG | logger -t $(basename ${0}) # SMTPS false positive response to bindshell false positives if [ ! -z "$(grep 465 $LOG)" ] && \ [ -z $(/usr/sbin/lsof -i:465|grep bindshell) ]; then sed -i '/465/d' $LOG fi # Support for Suckit false positives when updating upstart package if [ ! -z "$(grep Suckit $LOG)" ] && \ [ -z "$(rpm -V `rpm -qf /sbin/init`)" ]; then sed -i '/Suckit/d' $LOG fi # Send mail to root only when rootkit is detected [ ! -z "$(grep INFECTED $LOG)" ] && \ grep INFECTED $LOG | mail -s "chkrootkit report in `hostname`" root |
Add execution permission to chkrootkit execution script
|
1 |
# chmod 700 /etc/cron.daily/chkrootkit |
⑥Backup commands used by chkrootkit
If the commands used by chkrootkit are tampered with, rootkit will not be detected.
Back up these commands.
If necessary, run chkrootkit using the backed up commands
Back up these commands.
If necessary, run chkrootkit using the backed up commands
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
# cd /root # mkdir /root/chkrootkit_cmd # cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed ssh uname` chkrootkit_cmd/ # ls -l /root/chkrootkit_cmd/ total 2060 -rwxr-xr-x 1 root root 428584 Feb 18 15:34 awk -rwxr-xr-x 1 root root 41584 Feb 18 15:34 cut -rwxr-xr-x 1 root root 33088 Feb 18 15:34 echo -rwxr-xr-x 1 root root 290 Feb 18 15:34 egrep -rwxr-xr-x 1 root root 199304 Feb 18 15:34 find -rwxr-xr-x 1 root root 41480 Feb 18 15:34 head -rwxr-xr-x 1 root root 37400 Feb 18 15:34 id -rwxr-xr-x 1 root root 117608 Feb 18 15:34 ls -rwxr-xr-x 1 root root 155008 Feb 18 15:34 netstat -rwxr-xr-x 1 root root 100112 Feb 18 15:34 ps -rwxr-xr-x 1 root root 76072 Feb 18 15:34 sed -rwxr-xr-x 1 root root 774544 Feb 18 15:34 ssh -rwxr-xr-x 1 root root 33328 Feb 18 15:34 strings -rwxr-xr-x 1 root root 33072 Feb 18 15:34 uname |
⑦Run chkrootkit on the copied command
|
1 |
# chkrootkit -p /root/chkrootkit_cmd | grep INFECTED |
If nothing is displayed, no problem.
⑧Compresses backed up commands
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# tar zcvf chkrootkit_cmd.tar.gz chkrootkit_cmd chkrootkit_cmd/ chkrootkit_cmd/awk chkrootkit_cmd/cut chkrootkit_cmd/echo chkrootkit_cmd/egrep chkrootkit_cmd/find chkrootkit_cmd/head chkrootkit_cmd/id chkrootkit_cmd/ls chkrootkit_cmd/netstat chkrootkit_cmd/ps chkrootkit_cmd/strings chkrootkit_cmd/sed chkrootkit_cmd/ssh chkrootkit_cmd/uname |
|
1 2 3 4 5 6 |
# ls -l total 126512 -rw-------. 1 root root 1606 Feb 16 22:36 anaconda-ks.cfg drwxr-xr-x 2 root root 24 Feb 18 15:28 bin drwxr-xr-x 2 root root 172 Feb 18 15:34 chkrootkit_cmd -rw-r--r-- 1 root root 971076 Feb 18 15:35 chkrootkit_cmd.tar.gz |
⑨Send chkrootkit use command (compressed version) to root by e-mail
|
1 |
# echo|mail -a chkrootkit_cmd.tar.gz -s chkrootkit_cmd.tar.gz root |
⑩Download and save chkrootkit_cmd.tar.gz file to Windows
⑪Delete commands on the backed up server
|
1 |
# rm -f chkrootkit_cmd.tar.gz |