MiracleLinux9.2 ; Chkrootkit Logwatch

Contents

chkrootkit
Logwatch

chkrootkit

①Download and install chkrootkit

# cd /usr/local/src
# wget ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz
# tar xvf chkrootkit.tar.gz

# cd /usr/local/src

# wget ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz

# tar xvf chkrootkit.tar.gz

➁Create /root/bin directory and move chkrootkit command to that directory

# mkdir -p /root/bin
# mv chkrootkit-0.58b/chkrootkit /root/bin

1 2	# mkdir -p /root/bin # mv chkrootkit-0.58b/chkrootkit /root/bin

➂Check chkrootkit.

# chkrootkit | grep INFECTED

1	# chkrootkit \| grep INFECTED

Searching for Linux.Xor.DDoS … INFECTED: Possible Malicious Linux.Xor.DDoS installed
If the above message appears, there may be an executable file under /tmp.
When I checked the files under /tmp, I found a file "ks-script-xxx", so I deleted it and reexecuted the file.
INFECTED disappeared.

④Create chkrootkit periodic execution script and change permissions
Create chkrootkit execution script in a directory where it is automatically executed daily

# vi /etc/cron.daily/chkrootkit

1	# vi /etc/cron.daily/chkrootkit

Scheduled Script Contents

#!/bin/bash
 
PATH=/usr/bin:/bin:/root/bin
 
LOG=/tmp/$(basename ${0})
 
# Run chkrootkit
chkrootkit > $LOG 2>&1
 
# log output
cat $LOG | logger -t $(basename ${0})
 
# SMTPS bindshell false positive response
if [ ! -z "$(grep 465 $LOG)" ] && \
[ -z $(/usr/sbin/lsof -i:465|grep bindshell) ]; then
sed -i '/465/d' $LOG
fi
 
# Support for Suckit false positives when updating upstart package
if [ ! -z "$(grep Suckit $LOG)" ] && \
[ -z "$(rpm -V `rpm -qf /sbin/init`)" ]; then
sed -i '/Suckit/d' $LOG
fi
 
# Send mail to root only when rootkit is detected
[ ! -z "$(grep INFECTED $LOG)" ] && \
grep INFECTED $LOG | mail -s "chkrootkit report in `hostname`" root

#!/bin/bash

PATH=/usr/bin:/bin:/root/bin

LOG=/tmp/$(basename ${0})

# Run chkrootkit

chkrootkit > $LOG 2>&1

# log output

cat $LOG | logger -t $(basename ${0})

# SMTPS bindshell false positive response

if [ ! -z "$(grep 465 $LOG)" ] && \

[ -z $(/usr/sbin/lsof -i:465|grep bindshell) ]; then

sed -i '/465/d' $LOG

# Support for Suckit false positives when updating upstart package

if [ ! -z "$(grep Suckit $LOG)" ] && \

[ -z "$(rpm -V `rpm -qf /sbin/init`)" ]; then

sed -i '/Suckit/d' $LOG

# Send mail to root only when rootkit is detected

[ ! -z "$(grep INFECTED $LOG)" ] && \

grep INFECTED $LOG | mail -s "chkrootkit report in `hostname`" root

Add execution permission to chkrootkit execution script

# chmod 700 /etc/cron.daily/chkrootkit

1	# chmod 700 /etc/cron.daily/chkrootkit

If the commands used by chkrootkit are tampered with, rootkit will not be detected.
Back up these commands.
If necessary, run chkrootkit with the backed up command

# mkdir chkrootkitcmd

1	# mkdir chkrootkitcmd

Copy chkrootkit commands to the destination directory

# cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed ssh uname` chkrootkitcmd/

1	# cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed ssh uname` chkrootkitcmd/

Execute chkrootkit using the saved chkrootkit use command

# chkrootkit -p /root/chkrootkitcmd|grep INFECTED

1	# chkrootkit -p /root/chkrootkitcmd\|grep INFECTED

chkrootkit use command save destination directory compressed and deleted

# zip -r chkrootkitcmd.zip chkrootkitcmd/ && rm -rf chkrootkitcmd

1	# zip -r chkrootkitcmd.zip chkrootkitcmd/ && rm -rf chkrootkitcmd

Send chkrootkit use command (compressed version) to root by e-mail

# echo|mail -a chkrootkitcmd.zip -s chkrootkitcmd.zip root

1	# echo\|mail -a chkrootkitcmd.zip -s chkrootkitcmd.zip root

chkrootkit use command (compressed version) removed

# rm -f chkrootkitcmd.zip

1	# rm -f chkrootkitcmd.zip

Logwatch

①Install

# dnf install logwatch

1	# dnf install logwatch

②Edit configuration file

# cat /usr/share/logwatch/default.conf/logwatch.conf >> /etc/logwatch/conf/logwatch.conf

1	# cat /usr/share/logwatch/default.conf/logwatch.conf >> /etc/logwatch/conf/logwatch.conf

# vi /etc/logwatch/conf/logwatch.conf

Per line 51
Set "MailTo = root" as a comment and set the email address you want to receive notifications to the line below it.
#MailTo = root
MailTo = [Mail address]

Per line 84 : Set the level of detail for log notifications
#Detail = Low
Detail = High

# vi /etc/logwatch/conf/logwatch.conf

Per line 51

Set "MailTo = root" as a comment and set the email address you want to receive notifications to the line below it.

#MailTo = root

MailTo = [Mail address]

Per line 84 : Set the level of detail for log notifications

#Detail = Low

Detail = High

③Output Logwatch reports

# logwatch --output stdout

1	# logwatch --output stdout

It will appear as follows

################### Logwatch 7.5.5 (01/22/21) ####################
        Processing Initiated: Sat Oct 21 14:32:29 2023
        Date Range Processed: yesterday
                              ( 2023-Oct-20 )
                              Period is day.
        Detail Level of Output: 10
        Type of Output/Format: stdout / text
        Logfiles for Host: Lepard
 ##################################################################

 --------------------- Amavisd-new Begin ------------------------

 ****** Summary *************************************************************************************

        2   Total messages scanned ------------------  100.00%
    1.724K  Total bytes scanned                          1,765
 ========   ==================================================

        2   Passed ----------------------------------  100.00%

********omission in the middle*******

 --------------------- Disk Space Begin ------------------------

 Filesystem           Size  Used Avail Use% Mounted on
 /dev/mapper/ml-root   17G  7.0G  8.8G  45% /
 /dev/nvme0n1p1       974M  220M  687M  25% /boot


 ---------------------- Disk Space End -------------------------


 --------------------- lm_sensors output Begin ------------------------

 No sensors found!
 Make sure you loaded all the kernel drivers you need.
 Try sensors-detect to find out which these are.

 ---------------------- lm_sensors output End -------------------------


 ###################### Logwatch End #########################

################### Logwatch 7.5.5 (01/22/21) ####################

Processing Initiated: Sat Oct 21 14:32:29 2023

Date Range Processed: yesterday

( 2023-Oct-20 )

Period is day.

Detail Level of Output: 10

Type of Output/Format: stdout / text

Logfiles for Host: Lepard

##################################################################

--------------------- Amavisd-new Begin ------------------------

****** Summary *************************************************************************************

2 Total messages scanned ------------------ 100.00%

1.724K Total bytes scanned 1,765

======== ==================================================

2 Passed ---------------------------------- 100.00%

********omission in the middle*******

--------------------- Disk Space Begin ------------------------

Filesystem Size Used Avail Use% Mounted on

/dev/mapper/ml-root 17G 7.0G 8.8G 45% /

/dev/nvme0n1p1 974M 220M 687M 25% /boot

---------------------- Disk Space End -------------------------

--------------------- lm_sensors output Begin ------------------------

No sensors found!

Make sure you loaded all the kernel drivers you need.

Try sensors-detect to find out which these are.

---------------------- lm_sensors output End -------------------------

###################### Logwatch End #########################

④Test to see if the report arrives at the address you set. Check if you receive a log report email like the one above.

# /etc/cron.daily/0logwatch

1	# /etc/cron.daily/0logwatch

Go to top