MiracleLinux9.2: Chkrootkit, Logwatch


Download and install chkrootkit

Create /root/bin directory and move chkrootkit command to that directory

Run a check with chkrootkit.

Searching for Linux.Xor.DDoS … INFECTED: Possible Malicious Linux.Xor.DDoS installed
If the above message appears, there may be an executable file under /tmp.
When I checked the files under /tmp, I found a file "ks-script-xxx", so I deleted it and re-executed the file.
The INFECTED message disappeared.

Create a script that runs chkrootkit periodically and change its permissions
Create the chkrootkit execution script in a directory whose contents are executed automatically every day

Scheduled Script Contents

Add execute permission to the chkrootkit execution script

If the commands that chkrootkit uses have been tampered with, rootkits will not be detected.
Back up these commands.
If necessary, run chkrootkit with the backed-up commands.

Copy the commands chkrootkit uses to the destination directory

Run chkrootkit using the saved copies of the commands

Compress the directory holding the saved commands, then delete the directory

Send the compressed archive of the saved commands to root by e-mail

Remove the compressed archive
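
The backup step above, extended with a SHA-256 baseline so that a later change to any command chkrootkit depends on is noticed before the scan is trusted. This is an added example, not the original page's commands: the command list is the one given in the chkrootkit README, and the directory name `/root/chkrootkitcmd` and the function names are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example, not the original page's commands.
# Commands chkrootkit calls, per its README; confirm against your version.
CHK_CMDS="awk cut echo egrep find head id ls netstat ps strings sed uname"

# resolve_cmd NAME: first executable file called NAME on PATH.
# A manual PATH walk is used so shell builtins and aliases are never returned.
resolve_cmd() {
    old_ifs=$IFS; IFS=:
    for d in $PATH; do
        if [ -f "$d/$1" ] && [ -x "$d/$1" ]; then
            IFS=$old_ifs; printf '%s\n' "$d/$1"; return 0
        fi
    done
    IFS=$old_ifs; return 1
}

# backup_cmds DEST CMD...: copy each command into DEST and record its SHA-256.
backup_cmds() {
    dest=$1; shift
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    : > "$dest/SHA256SUMS"
    for c in "$@"; do
        src=$(resolve_cmd "$c") || { echo "skip: $c not found" >&2; continue; }
        cp -pL "$src" "$dest/$c" || return 1      # -L: store the real file, not a symlink
        (cd "$dest" && sha256sum "$c") >> "$dest/SHA256SUMS" || return 1
    done
}

# verify_cmds DEST: return non-zero if a saved copy or the live command no
# longer matches the baseline. A package update also changes the hash, so
# re-run backup_cmds after updates you have verified.
verify_cmds() {
    dest=$1; rc=0
    (cd "$dest" && sha256sum -c SHA256SUMS) >/dev/null 2>&1 ||
        { echo "ALTERED: saved copies in $dest" >&2; rc=1; }
    while read -r sum name; do
        live=$(resolve_cmd "$name") || { echo "MISSING: $name" >&2; rc=1; continue; }
        now=$(sha256sum "$live" | cut -d' ' -f1)
        [ "$now" = "$sum" ] || { echo "CHANGED: $live" >&2; rc=1; }
    done < "$dest/SHA256SUMS"
    return $rc
}

# Typical use (the DEST path is a placeholder):
#   backup_cmds /root/chkrootkitcmd $CHK_CMDS
#   verify_cmds /root/chkrootkitcmd && chkrootkit -p /root/chkrootkitcmd
```

Take the baseline right after installation, and keep a copy of `SHA256SUMS` somewhere the host itself cannot rewrite, since a baseline recorded on an already modified system only confirms the modified files.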



② Edit the configuration file

③ Output Logwatch reports

It will appear as follows

④ Test whether the report arrives at the address you set. Check that you receive a log report e-mail like the one above.
