chkrootkit Install
①chkrootkit download and installation
# cd /usr/local/src
# wget https://launchpad.net/chkrootkit/main/0.55/+download/chkrootkit-0.55.tar.gz
# tar xvf chkrootkit-0.55.tar.gz
➁Create the /root/bin directory and move the chkrootkit command into it
# mkdir -p /root/bin
# mv chkrootkit-0.55/chkrootkit /root/bin
The chkrootkit command itself is a shell script. Its lkm, lastlog, wtmp and sniffer tests call small compiled helper programs (chkproc, chklastlog, chkwtmp, ifpromisc and others) that ship as C sources in the same tarball. If those helpers are not built (the Makefile's sense target) and kept next to the script, chkrootkit reports those tests as "not tested" rather than as clean, so check for that wording in the output.
➂Run chkrootkit
# chkrootkit | grep INFECTED
Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed
If you see the above, there is probably an executable file under /tmp: the Linux.Xor.DDoS test reports any executable regular file in /tmp, malicious or not. Look at the file's owner, timestamp and contents before deleting anything.
I checked the files under /tmp, found the file "ks-script-xxx", deleted it and re-ran the program. The INFECTED line disappeared. (ks-script-* files are kickstart %pre/%post scripts that the Anaconda installer leaves behind, so this one was an installation leftover rather than a rootkit.)
④Create the chkrootkit periodic execution script and set its permissions
Create the chkrootkit execution script in the directory whose contents are run automatically once a day:
# vi /etc/cron.daily/chkrootkit
Contents of /etc/cron.daily/chkrootkit
#!/bin/bash
# Daily chkrootkit run: the full output goes to syslog, root is mailed only on INFECTED lines
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/root/bin
NAME=$(basename "$0")
# Private temporary file rather than a fixed, predictable name that another user could pre-create in /tmp
LOG=$(mktemp /tmp/"$NAME".XXXXXX) || exit 1
trap 'rm -f "$LOG"' EXIT

# Run chkrootkit
chkrootkit > "$LOG" 2>&1

# Log the full output to syslog
logger -t "$NAME" -f "$LOG"

# SMTPS bindshell false positive: chkrootkit flags a listener on 465/tcp as a possible bindshell.
# Drop the line unless a process named bindshell really holds the port.
# (sed '/465/d' removes every line containing 465, which is adequate for chkrootkit output.)
if grep -q 465 "$LOG" && \
   [ -z "$(lsof -i:465 | grep bindshell)" ]; then
    sed -i '/465/d' "$LOG"
fi

# Suckit false positive after the init package is updated (upstart in the original note, systemd on
# current Enterprise Linux): drop the line if the package owning /sbin/init still verifies cleanly
if grep -q Suckit "$LOG" && \
   [ -z "$(rpm -V "$(rpm -qf /sbin/init)")" ]; then
    sed -i '/Suckit/d' "$LOG"
fi

# Mail root only when something is still reported as INFECTED
if grep -q INFECTED "$LOG"; then
    grep INFECTED "$LOG" | mail -s "chkrootkit report in $(hostname)" root
fi
Add execution permission to chkrootkit execution script
# chmod 700 /etc/cron.daily/chkrootkit
⑤Back up the commands chkrootkit uses
chkrootkit relies on ordinary system commands (ls, ps, netstat, strings and so on). If a rootkit has replaced those commands, chkrootkit cannot detect it with them. Back up clean copies while the system is known to be clean, ideally right after installation, and when in doubt run chkrootkit with the -p option so that it uses the backed-up copies instead of the commands in PATH.
Create the directory for the backed-up commands (the commands below are run from /root)
# mkdir /root/chkrootkitcmd
Copy the commands chkrootkit uses into that directory
# cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed ssh uname` /root/chkrootkitcmd/
Check the directory contents afterwards: which only prints a message for a command it cannot find, and that command is then silently missing from the backup. On a recent Enterprise Linux install netstat (net-tools) and strings (binutils) are not present by default.
Run chkrootkit using the saved copies of the commands
# chkrootkit -p /root/chkrootkitcmd | grep INFECTED
Compress the directory of saved commands and delete the uncompressed copy
# zip -r chkrootkitcmd.zip chkrootkitcmd/ && rm -rf chkrootkitcmd
Send the compressed copy of the saved commands to root by e-mail
# dnf install mailx
# echo | mail -a chkrootkitcmd.zip -s chkrootkitcmd.zip root
Remove the compressed copy
# rm -f chkrootkitcmd.zip
This leaves the trusted copy only in root's mailbox on the same host. An attacker who has root can alter or delete that mailbox as easily as the live commands, so keep a copy off the host (or forward root's mail elsewhere) and record checksums of the copied binaries so that you can tell later whether the backup itself is still intact.
Logwatch
①Install
# dnf install logwatch
②Edit the configuration file
Copy the default settings into the local override file, then edit it:
# cat /usr/share/logwatch/default.conf/logwatch.conf >> /etc/logwatch/conf/logwatch.conf
# vi /etc/logwatch/conf/logwatch.conf
Around line 45: comment out "MailTo = root" and put the address that should receive the reports on the line below it.
#MailTo = root
MailTo = [Mail address]
Around line 79: set the level of detail of the log report.
#Detail = Low
Detail = High
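Added example, not from the original page: a small shell helper that makes the two edits of step ② repeatably instead of by hand, commenting out the active line and appending the new setting so the default stays visible in the file. The file path is the page's; admin@example.com is a placeholder address and the function names are this example's own.

```shell
#!/bin/bash
# Added example: set a Logwatch option without hand-editing the file.
# Function names are this example's own; admin@example.com is a placeholder.

# set_logwatch_option FILE KEY VALUE: comment out every active "KEY = ..." line
# (Logwatch keys are case-insensitive) and append "KEY = VALUE", so the file ends
# up with exactly one active assignment for KEY no matter how often it is run.
set_logwatch_option() {
    file=$1 key=$2 value=$3
    sed -i "s/^[[:space:]]*\($key[[:space:]]*=.*\)$/#\1/I" "$file"
    printf '%s = %s\n' "$key" "$value" >> "$file"
}

# get_logwatch_option FILE KEY: print the effective value, i.e. the last
# uncommented assignment of KEY in FILE.
get_logwatch_option() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//Ip" "$1" | tail -n 1
}

# Usage as in step ②:
#   set_logwatch_option /etc/logwatch/conf/logwatch.conf MailTo admin@example.com
#   set_logwatch_option /etc/logwatch/conf/logwatch.conf Detail High
```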
③Output a Logwatch report
# logwatch --output stdout
It will appear as follows
################### Logwatch 7.4.3 (04/27/16) ####################
        Processing Initiated: Tue Oct 17 13:17:00 2023
        Date Range Processed: yesterday
                              ( 2023-Oct-16 )
                              Period is day.
        Detail Level of Output: 10
        Type of Output/Format: stdout / text
        Logfiles for Host: Lepard
##################################################################

 --------------------- Amavisd-new Begin ------------------------

 ****** Summary *************************************************************************************
        4   Total messages scanned ------------------  100.00%
   3.043M   Total bytes scanned                     3,190,591
 ========   ==================================================
        4   Passed ----------------------------------  100.00%
        4     Clean passed                            100.00%
 ========   ==================================================

 (omitted in the middle)

 --------------------- Disk Space Begin ------------------------

 Filesystem           Size  Used Avail Use% Mounted on
 devtmpfs             1.8G     0  1.8G   0% /dev
 /dev/mapper/ml-root   17G  7.8G  8.0G  50% /
 /dev/loop1            64M   64M     0 100% /var/lib/snapd/snap/core20/2015
 /dev/loop0            41M   41M     0 100% /var/lib/snapd/snap/snapd/20290
 /dev/loop2            46M   46M     0 100% /var/lib/snapd/snap/certbot/3390
 /dev/nvme0n1p1       974M  232M  676M  26% /boot

 ---------------------- Disk Space End -------------------------

 --------------------- lm_sensors output Begin ------------------------

 No sensors found!
 Make sure you loaded all the kernel drivers you need.
 Try sensors-detect to find out which these are.

 ---------------------- lm_sensors output End -------------------------

 ###################### Logwatch End #########################
④Check that the report arrives at the address you set. Run the daily cron job by hand and confirm that a log report like the one above is delivered by e-mail:
# /etc/cron.daily/0logwatch