Chkrootkit
①Download and install chkrootkit
# cd /usr/local/src
# wget ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz
# tar xvf chkrootkit.tar.gz
Before extracting, compare the archive against the chkrootkit.md5 file published in the same directory. A scanner installed from an unverified download cannot be trusted to report on anything else.
②Create the /root/bin directory and move the chkrootkit command there
# mkdir -p /root/bin
# mv chkrootkit-0.58b/chkrootkit /root/bin
Only the chkrootkit shell script is moved. The helper programs shipped with it (chkproc, chklastlog, chkwtmp, ifpromisc and others) are C sources that are built with "make sense" in the extracted directory; if they are not built and available to the script, the corresponding checks are reported as "not tested" instead of being run.
③Run chkrootkit
# chkrootkit | grep INFECTED
If nothing is displayed, no rootkit signature matched. The filter also hides lines marked "Warning" and "not tested", so look at the unfiltered output at least once and confirm that the checks you care about actually ran.
④Create the chkrootkit periodic execution script
Create the script in the directory whose contents cron runs once a day:
# vi /etc/cron.daily/chkrootkit
Scheduled script contents:
#!/bin/bash
PATH=/usr/bin:/bin:/usr/sbin:/root/bin
# Use a private temp file rather than the predictable /tmp/chkrootkit:
# as root, writing to a fixed name in /tmp is open to symlink attacks.
LOG=$(mktemp /tmp/chkrootkit.XXXXXX) || exit 1
trap 'rm -f "$LOG"' EXIT

# Run chkrootkit
chkrootkit > "$LOG" 2>&1

# Copy the full report to syslog
logger -t "$(basename "$0")" < "$LOG"

# SMTPS bindshell false positive: chkrootkit flags port 465 as a bindshell
# when a legitimate SMTPS listener holds it. Drop the line only if nothing
# on 465 is actually a bindshell process.
if grep -q 465 "$LOG" && \
   [ -z "$(lsof -i:465 | grep bindshell)" ]; then
    sed -i '/465/d' "$LOG"
fi

# Suckit false positive after the init package is updated: ignore it only
# if the package owning /sbin/init verifies clean against the RPM database
# (the original comment said "upstart"; on systemd hosts the owner is systemd).
if grep -q Suckit "$LOG" && \
   [ -z "$(rpm -V "$(rpm -qf /sbin/init)")" ]; then
    sed -i '/Suckit/d' "$LOG"
fi

# Mail root only when a rootkit is detected
if grep -q INFECTED "$LOG"; then
    grep INFECTED "$LOG" | mail -s "chkrootkit report in $(hostname)" root
fi
⑤Add execution permission to the chkrootkit execution script
# chmod 700 /etc/cron.daily/chkrootkit
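As an added example (not code from the original page or from the chkrootkit project), the alerting decision of the cron script above is rewritten as a function that can be tested on constructed report lines. It keeps the page's rules (only INFECTED lines alert, a bindshell hit on 465 is a false positive while a real SMTPS listener holds the port) but fixes one thing the script's `sed '/465/d'` gets wrong: a bindshell line that lists 465 together with another port would be deleted entirely, hiding the other port. Whether SMTPS is listening is passed in as a parameter (in production you would derive it from `lsof -i:465`); the report lines are constructed for the test and only modelled on chkrootkit's output format.

```shell
#!/bin/sh
# Added example, not part of chkrootkit or the original cron script.
#
# triage_report SMTPS_LISTENING
#   Reads a chkrootkit report on stdin and prints the lines that warrant an
#   alert. Returns 0 if there is anything to alert on, 1 if the report is clean,
#   so a caller can write:  chkrootkit 2>&1 | triage_report yes && mail ...
#   SMTPS_LISTENING is "yes" when a legitimate service holds port 465
#   (assumed to be determined by the caller, e.g. from lsof -i:465).
triage_report() {
    smtps_listening="${1:-no}"
    alerts=0
    while IFS= read -r line; do
        # Only INFECTED lines count. "not infected", "not tested" and
        # "Warning" lines are informational and never alert here.
        case "$line" in
            *INFECTED*) ;;
            *) continue ;;
        esac
        case "$line" in
            *bindshell*)
                if [ "$smtps_listening" = yes ]; then
                    # Remove only port 465 from the port list instead of
                    # dropping the whole line; any other port must survive.
                    prefix=${line%%"(PORTS:"*}
                    ports=${line#*PORTS:}
                    ports=${ports%)*}
                    remaining=""
                    for p in $ports; do
                        [ "$p" = 465 ] || remaining="$remaining $p"
                    done
                    # Nothing left after removing 465: pure false positive.
                    [ -n "$remaining" ] || continue
                    line="${prefix}(PORTS:${remaining})"
                fi
                ;;
        esac
        printf '%s\n' "$line"
        alerts=$((alerts + 1))
    done
    [ "$alerts" -gt 0 ]
}

# Constructed sample reports (not real scan results), modelled on the
# "Checking `name'... RESULT" format chkrootkit prints.
SAMPLE_CLEAN=$(cat <<'EOF'
Checking `ls'... not infected
Checking `bindshell'... not infected
Checking `lkm'... not tested: can't exec ./chkproc
EOF
)
SAMPLE_SMTPS=$(cat <<'EOF'
Checking `bindshell'... INFECTED (PORTS:  465)
EOF
)
SAMPLE_MIXED=$(cat <<'EOF'
Checking `bindshell'... INFECTED (PORTS:  465 31337)
Checking `ls'... INFECTED
EOF
)
```

Run on SAMPLE_CLEAN the function prints nothing and returns 1; on SAMPLE_SMTPS it returns 1 when SMTPS is listening and 0 otherwise; on SAMPLE_MIXED with SMTPS listening it still alerts, but the bindshell line now reads "(PORTS: 31337)". In the cron script you would replace the two sed deletions and the final grep with a single call to this function.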
⑥Back up the commands used by chkrootkit
chkrootkit is a shell script that relies on system commands such as ps, netstat and ls. If a rootkit has replaced those commands, chkrootkit is fooled along with everything else and reports nothing. Take a copy of them now, while the system is known-good, so that chkrootkit can later be run with the backed-up commands (step ⑦) instead of the live ones. A copy taken from an already compromised host is worthless, which is why this step belongs right after installation.
# cd /root
# mkdir /root/chkrootkit_cmd
# cp `which --skip-alias awk cut echo egrep grep find head id ls netstat ps strings sed ssh uname` chkrootkit_cmd/
# ls -l /root/chkrootkit_cmd/
total 2832
-rwxr-xr-x 1 root root 768176 Jun 26 11:07 awk
-rwxr-xr-x 1 root root  53216 Jun 26 11:07 cut
-rwxr-xr-x 1 root root  36496 Jun 26 11:07 echo
-rwxr-xr-x 1 root root    106 Jun 26 11:07 egrep
-rwxr-xr-x 1 root root 209304 Jun 26 11:07 find
-rwxr-xr-x 1 root root 165872 Jun 26 11:07 grep
-rwxr-xr-x 1 root root  45016 Jun 26 11:07 head
-rwxr-xr-x 1 root root  44920 Jun 26 11:07 id
-rwxr-xr-x 1 root root 141184 Jun 26 11:07 ls
-rwxr-xr-x 1 root root 148840 Jun 26 11:07 netstat
-rwxr-xr-x 1 root root 120584 Jun 26 11:07 ps
-rwxr-xr-x 1 root root 120176 Jun 26 11:07 sed
-rwxr-xr-x 1 root root 943024 Jun 26 11:07 ssh
-rwxr-xr-x 1 root root  36936 Jun 26 11:07 strings
-rwxr-xr-x 1 root root  36664 Jun 26 11:07 uname
The 106-byte egrep is a wrapper script rather than a binary; it still depends on the grep it calls, so the copied grep is the one that matters.
⑦Run chkrootkit with the copied commands
# chkrootkit -p /root/chkrootkit_cmd | grep INFECTED
The -p option tells chkrootkit where to look for the external commands it uses. If nothing is displayed, no rootkit signature matched (with the same caveat about hidden "Warning" and "not tested" lines as in ③).
⑧Compress the backed-up commands
# tar zcvf chkrootkit_cmd.tar.gz chkrootkit_cmd
chkrootkit_cmd/
chkrootkit_cmd/awk
chkrootkit_cmd/cut
chkrootkit_cmd/echo
chkrootkit_cmd/egrep
chkrootkit_cmd/find
chkrootkit_cmd/head
chkrootkit_cmd/id
chkrootkit_cmd/ls
chkrootkit_cmd/netstat
chkrootkit_cmd/ps
chkrootkit_cmd/strings
chkrootkit_cmd/sed
chkrootkit_cmd/ssh
chkrootkit_cmd/uname
chkrootkit_cmd/grep
# ls -l
total 1420
-rw-------. 1 root  root     1034 Jun 23 19:10 anaconda-ks.cfg
drwxr-xr-x  2 root  root       24 Jun 26 11:05 bin
drwxr-xr-x  2 huong huong    4096 Jun 26 11:05 chkrootkit-0.58b
drwxr-xr-x  2 root  root      184 Jun 26 11:07 chkrootkit_cmd
-rw-r--r--  1 root  root  1344839 Jun 26 11:08 chkrootkit_cmd.tar.gz
⑨Send the compressed command backup to root by e-mail
# echo | mail -a chkrootkit_cmd.tar.gz -s chkrootkit_cmd.tar.gz root
⑩Download the chkrootkit_cmd.tar.gz attachment and save it on a Windows machine, off the server
⑪Delete the archive from the server
# rm -f chkrootkit_cmd.tar.gz
The copy kept off the server in ⑩ is the trusted reference. Anything left on the host, including /root/chkrootkit_cmd itself, is only as trustworthy as the host.
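Steps ⑥ to ⑪ protect chkrootkit's own dependencies, but the backup is also useful on its own: a SHA-256 manifest of the known-good copies lets you detect a replaced ps or netstat directly, whether or not chkrootkit has a signature for it. The following is an added example, not part of the page's procedure or of chkrootkit; it uses sha256sum from coreutils and, for the demonstration, constructed files standing in for /root/chkrootkit_cmd (the backup) and the live command directory, so no real binaries are touched.

```shell
#!/bin/sh
# Added example, not part of chkrootkit or the original page.

# make_manifest DIR MANIFEST
#   Write one "sha256  name" line per file in DIR (the backed-up commands).
#   Keep MANIFEST off the host together with the archive from step ⑨/⑩.
make_manifest() {
    dir=$1 manifest=$2
    ( cd "$dir" && sha256sum * ) > "$manifest"
}

# verify_against LIVE_DIR MANIFEST
#   Compare the live copy of every command in MANIFEST against the recorded
#   hash. Prints "MODIFIED name" or "MISSING name" for each discrepancy.
#   Returns 0 when everything matches, 1 otherwise.
verify_against() {
    live_dir=$1 manifest=$2
    bad=0
    while read -r hash name; do
        if [ ! -f "$live_dir/$name" ]; then
            printf 'MISSING %s\n' "$name"
            bad=1
            continue
        fi
        live_hash=$(sha256sum "$live_dir/$name" | cut -d' ' -f1)
        if [ "$live_hash" != "$hash" ]; then
            printf 'MODIFIED %s\n' "$name"
            bad=1
        fi
    done < "$manifest"
    return $bad
}

# demo
#   Self-contained run on constructed files: three tiny stand-in "commands"
#   are backed up, then the live ps is replaced (as a rootkit would do to hide
#   its processes) and the live ls removed. Prints the findings, returns 1.
demo() {
    work=$(mktemp -d)
    mkdir "$work/backup" "$work/live"
    for cmd in ps netstat ls; do
        printf '#!/bin/sh\necho %s\n' "$cmd" > "$work/backup/$cmd"
        cp "$work/backup/$cmd" "$work/live/$cmd"
    done
    make_manifest "$work/backup" "$work/manifest"
    # Simulated tampering of the live system.
    printf '#!/bin/sh\necho ps | grep -v rootkit\n' > "$work/live/ps"
    rm "$work/live/ls"
    if verify_against "$work/live" "$work/manifest"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}
```

On a real host you would run make_manifest against /root/chkrootkit_cmd right after step ⑥ and later verify_against /usr/bin (and /usr/sbin for netstat on systems that keep it there) with the manifest restored from the off-host copy. rpm -V gives a similar check from the package database, but that database lives on the same host and can be edited by the same attacker; the off-host manifest cannot.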
Logwatch
①Install
# dnf install logwatch -y
②Edit the configuration file
# cat /usr/share/logwatch/default.conf/logwatch.conf >> /etc/logwatch/conf/logwatch.conf
# vi /etc/logwatch/conf/logwatch.conf
Settings under /etc/logwatch/conf/ override the defaults in /usr/share/logwatch/default.conf/, which should be left as shipped so that package updates do not overwrite your changes. If /etc/logwatch/conf/logwatch.conf already has content, do not append a second copy.
●Line 77: Comment out "MailTo = root" and set the address that should receive the reports on the line below it.
#MailTo = root
MailTo = [Mail address]
●Line 116: Set the level of detail of the report.
#Detail = Low
Detail = High
③Output a Logwatch report
# logwatch --output stdout
It appears as follows:
################### Logwatch 7.11 (07/22/24) ####################
        Processing Initiated: Thu Jun 26 11:18:02 2025
        Date Range Processed: yesterday
                              ( 2025-Jun-25 )
                              Period is day.
        Detail Level of Output: 10
        Type of Output/Format: stdout / text
        Logfiles for Host: Lepard
##################################################################

 --------------------- Kernel Audit Begin ------------------------

 Number of audit daemon starts: 1
 Number of audit initializations: 1

 **Unmatched Entries**
 auditd[885]: audit dispatcher initialized with q_depth=2000 and 1 active plugins: 1 Time(s)

 ---------------------- Kernel Audit End -------------------------

 ------------------------------------------------------------------------------
 ------------------------------------------------------------------------------

 --------------------- lm_sensors output Begin ------------------------

 ERROR: Can't get value of subfeature temp41_input: I/O error
 applesmc-isa-0300
 Adapter: ISA adapter
 Main :  1398 RPM  (min = 1400 RPM, max = 3073 RPM)
 TA0P:   +17.5 C
 TA0V:   +30.5 C
 TA0p:   +37.5 C
 TC0E:   -32.2 C
 TC0F:   -30.8 C
 TC0J:    +1.5 C
 TC0P:   +59.2 C
 TC0T:    +0.0 C
 TC0c:   +67.0 C
 TC0p:   +59.2 C
 TC1c:   +68.0 C
 TC2c:   +70.0 C
 TC3c:   +66.0 C
 TCGc:   +61.0 C
 TCMc:    +0.0 C
 TCSc:   +61.0 C
 TCXR:   -31.2 C
 TCXc:   +68.8 C
 TCXr:   -31.2 C
 TH0A:  -127.0 C
 TH0B:  -127.0 C
 TH0C:  -127.0 C
 TH0F:  -127.0 C
 TH0O:    +9.0 C
 TH0P:  -127.0 C
 TH0R:  -127.0 C
 TH0a:  -127.0 C
 TH0b:  -127.0 C
 TH0c:  -127.0 C
 TH1A:   +41.8 C
 TH1B:   +41.8 C
 TH1C:  -127.0 C
 TH1F:   -39.2 C
 TH1O:    +9.0 C
 TH1P:  -127.0 C
 TH1R:   -39.2 C
 TH1a:   +41.8 C
 TH1b:   +41.8 C
 TH1c:  -127.0 C
 TL0P:   +43.5 C
 TL0V:   N/A
 TL0p:   +43.5 C
 TL1P:   +43.5 C
 TL1V:   +38.2 C
 TL1p:   +43.5 C
 TL1v:   +38.2 C
 TM0P:   +52.8 C
 TM0V:   +54.5 C
 TM0p:   +52.8 C
 TMXP:   +52.8 C
 TPCD:   +68.0 C
 TS0V:   +42.8 C
 Tb0P:   +59.0 C
 Tb0p:   +59.0 C
 Tm0P:   +51.5 C
 Tm0p:   +51.5 C
 Tm1P:   +59.2 C
 Tm1p:   +59.2 C
 Tm2P:   +51.5 C
 Tm2p:   +51.5 C
 Tp2F:   +45.5 C
 Tp2H:   +45.5 C
 Tp2h:   +45.5 C

 coretemp-isa-0000
 Adapter: ISA adapter
 Package id 0:  +69.0 C  (high = +84.0 C, crit = +100.0 C)
 Core 0:        +67.0 C  (high = +84.0 C, crit = +100.0 C)
 Core 1:        +69.0 C  (high = +84.0 C, crit = +100.0 C)
 Core 2:        +64.0 C  (high = +84.0 C, crit = +100.0 C)
 Core 3:        +62.0 C  (high = +84.0 C, crit = +100.0 C)

 ---------------------- lm_sensors output End -------------------------

 ###################### Logwatch End #########################
④Test that the report arrives at the address you set. Run the daily cron job by hand and check that a report like the one above is delivered by e-mail.
# /etc/cron.daily/0logwatch
Disk usage check script
1. Script creation
# cd /var/www/system
# vi disk_capacity_check.sh
The script is kept in /var/www/system. Make sure that directory is not served by the web server (it is outside the default DocumentRoot /var/www/html); the file contains your notification address.
Contents of disk_capacity_check.sh:
#!/bin/bash
# Address to notify
MAIL="<your mailaddress>"
# Alert when usage of / exceeds this percentage
THRESHOLD=80
# -P forces POSIX single-line output, so a long device name such as
# /dev/mapper/rl-root cannot wrap onto a second line and break the parsing.
DVAL=$(/bin/df -P / | /usr/bin/awk 'NR==2 { sub(/%/, "", $5); print $5 }')
if [ -n "$DVAL" ] && [ "$DVAL" -gt "$THRESHOLD" ]; then
    echo "Disk usage alert: $DVAL %" | mail -s "Disk Space Alert in $(hostname)" "$MAIL"
fi
# chmod 700 disk_capacity_check.sh
2. Execution confirmation
①Check the current usage
# df -h
It appears as follows:
Filesystem           Size  Used Avail Use% Mounted on
/dev/mapper/rl-root   70G  8.3G   62G  12% /
devtmpfs             4.0M     0  4.0M   0% /dev
tmpfs                3.8G     0  3.8G   0% /dev/shm
tmpfs                1.5G  9.4M  1.5G   1% /run
tmpfs                1.0M     0  1.0M   0% /run/credentials/systemd-journald.service
/dev/loop3           128K  128K     0 100% /var/lib/snapd/snap/hello-world/29
/dev/loop0           105M  105M     0 100% /var/lib/snapd/snap/core/17212
/dev/loop4            51M   51M     0 100% /var/lib/snapd/snap/snapd/24718
/dev/loop1            55M   55M     0 100% /var/lib/snapd/snap/certbot/4737
/dev/loop2            67M   67M     0 100% /var/lib/snapd/snap/core24/1006
/dev/sda2            960M  439M  522M  46% /boot
/dev/mapper/rl-home  155G  3.0G  152G   2% /home
/dev/sda1            599M  8.4M  591M   2% /boot/efi
tmpfs                1.0M     0  1.0M   0% /run/credentials/getty@tty1.service
tmpfs                762M   16K  762M   1% /run/user/1000
②Create a dummy file to push usage of / above 80% (in the example the file is called dummyfile and is about 60G; it is written to the current directory, /root, which is on the root filesystem)
# dd if=/dev/zero of=dummyfile bs=1M count=60000
③Check again
# df -h
Confirm that / is now above 80%.
④Run the check script
# /var/www/system/disk_capacity_check.sh
An e-mail with a body such as "Disk usage alert: 96 %" arrives at the address you configured.
⑤Delete the dummy file
# rm dummyfile
⑥Periodic execution setting
# crontab -e
30 2 * * * /var/www/system/disk_capacity_check.sh
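The script above watches only /. The following is an added example (not the page's disk_capacity_check.sh) that generalises the same check to every mounted filesystem in one pass over `df -P` output, with two details a single-mount version can skip: POSIX output so long device names cannot wrap, and an exclusion pattern, because the df listing above shows the read-only snap images on /dev/loopN permanently at 100% and tmpfs mounts that are not disks. The df output used here is constructed for the test and modelled on the page's listing; the device, mount and threshold names are the example's own.

```shell
#!/bin/sh
# Added example, not the page's disk_capacity_check.sh.

# over_threshold THRESHOLD [EXCLUDE_REGEX]
#   Reads `df -P` output on stdin and prints "mountpoint pct" for every
#   filesystem whose Use% exceeds THRESHOLD. Filesystems whose device matches
#   EXCLUDE_REGEX are skipped; the default drops tmpfs/devtmpfs and the snap
#   loop images that always report 100%. Returns 0 if anything exceeded the
#   threshold (so the caller can `&& mail`), 1 otherwise.
over_threshold() {
    threshold=$1
    exclude=$2
    [ -n "$exclude" ] || exclude='^(tmpfs|devtmpfs|/dev/loop)'
    awk -v t="$threshold" -v ex="$exclude" '
        # NR > 1 skips the header. With -P every filesystem is one line with
        # six fields: device, blocks, used, available, capacity, mount point.
        NR > 1 && $1 !~ ex && $5 ~ /^[0-9]+%$/ {
            pct = substr($5, 1, length($5) - 1) + 0
            if (pct > t) { print $6, pct; hits++ }
        }
        END { if (hits > 0) exit 0; exit 1 }'
}

# Constructed `df -P` output (not a real listing), shaped like the page's
# df -h table with / pushed past the threshold as in step ② above.
SAMPLE_DF=$(cat <<'EOF'
Filesystem                   1024-blocks     Used Available Capacity Mounted on
/dev/mapper/rl-root             73400320 67108864   6291456      92% /
devtmpfs                            4096        0      4096       0% /dev
/dev/loop0                        107520   107520         0     100% /var/lib/snapd/snap/core/17212
/dev/sda2                         983040   449536    533504      46% /boot
/dev/mapper/rl-home            162529280  3145728 159383552       2% /home
EOF
)
```

In a cron job the call becomes `df -P | over_threshold 80 | mail -s "Disk Space Alert in $(hostname)" root` guarded by the function's exit status, so that mail is sent only when the output is non-empty. On the sample above `over_threshold 80` prints "/ 92" and returns 0, `over_threshold 95` prints nothing and returns 1, and passing an exclusion pattern that matches nothing ('^$') additionally reports the snap image at 100%, which is exactly the false alarm the default pattern exists to suppress.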