1. What is a rootkit?
Before explaining what a rootkit is, we first have to explain what trojaned system commands are.
"Trojaned system commands" can be translated as "Trojan horse programs" (or trojanized system commands).
Everyone should know the story of the Trojan horse that brought down a city?!
On the surface it is disguised as a normal program, but in fact it secretly replaces the normal program, leaves a special backdoor in the system for convenient re-entry, and can quietly control the host or carry out destructive actions. This is a trojan program, also known as a backdoor or Trojan.
When such a program is hidden in the system, we say the system has been trojaned.
The sources of trojans can be divided into the following kinds:
System intrusion (root compromise) followed by implantation by a cracker
Execution of a program of unknown origin on the host system
Installation of a program suite that has been tampered with
Infection by a network worm
Of these, system intrusion, worm infection and the execution of unknown programs are the three most common.
As for system intrusion: most crackers, after breaking into a host, will not immediately do anything obviously damaging. Only the lower grade of hacker, eager to show off and satisfy themselves, does that: the so-called script kiddies.
(In fact, these people are not real hackers. They merely use ready-made tools to attack vulnerable hosts.)
Generally they install several trojan programs to replace the normal ones, so that the system shows no abnormality in operation. Then they leave a convenient backdoor for entering and leaving the system freely, clear the traces they left behind (such as log files and command history files), and quietly go away. When they need the host's resources, they come back in.....
(The higher grade of hacker makes no changes to the system, and may even notify the site owner of the vulnerabilities found on the site, or help fix them. This is commonly called an educational visit. What they care about is earning the respect and status of the hacker community.)
The so-called rootkit is what you get when someone with this interest organizes these commonly used trojan programs into a program suite, so that after a cracker breaks into a host the trojans can be compiled and installed on it smoothly.
Some rootkits are themselves trojaned: the rootkit contains a trojan of its own. (A rootkit inside a rootkit?!)
There are many kinds of rootkit. The trojan programs in a rootkit are mostly distributed as source code, and many of them were gradually ported from the early BSD Unix systems, so rootkits exist for almost every platform, and their variants and forms are diverse.
(I have no fewer than dozens of rootkits on hand, covering Linux, FreeBSD, Solaris, NT, W2K, Novell and DOS.)
Generally, the common trojan programs and tools found in a rootkit include:
bindshell
chfn
chsh
crontab
du
find
fix
ifconfig
inetd
killall
linsniffer
login
ls
netstat
passwd
pidof
ps
rshd
sniffchk
syslogd
tcpd
top
wted
z2
2. Symptoms of a rootkit
After trojan programs are installed on a host, there is usually no big difference in its behaviour (poorly made trojans, however, show obvious symptoms).
Even if the network administrator uses programs such as ps, netstat, lsof and top to observe the host's operation, no strange process will be found in memory, because these commonly used commands have been replaced by the cracker. In other words, when you use these trojaned programs to look at the system, what you see is very likely fake!
However, a trojan program is not the real program; there is always some difference from the original. In the short term it may not show, but in the long term the program's original functions cannot be used fully, and sooner or later these differences will cause the host to behave abnormally.
Therefore, once you notice anything strange in the system, the first thing to do is:
Suspect: has my host been trojaned?!
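One cheap consistency check that follows from the point above, as an added example that is not part of the original article: a trojaned ps can omit processes from its output, but it cannot remove the /proc/<pid> directories the kernel exposes (unless a kernel-level LKM rootkit is also installed), so the two views can be compared. It assumes a Linux procfs and a ps that accepts `-e -o pid=`.

```python
"""Cross-check the process list reported by ps against /proc.

Added example, not from the original article. A trojaned ps can omit
processes from its output, but it cannot remove the /proc/<pid>
directories the kernel exposes (unless a kernel-level LKM rootkit is
also installed). Assumes Linux procfs and a ps that accepts -e -o pid=.
"""
import os
import subprocess


def pids_from_proc(proc_root="/proc"):
    """PIDs visible as numeric directory names under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps():
    """PIDs as reported by the (possibly trojaned) ps binary."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def find_hidden(proc_pids, ps_pids):
    """PIDs present in /proc but missing from ps output, sorted ascending.

    Kept pure (no I/O) so it can be exercised on constructed input.
    """
    return sorted(proc_pids - ps_pids)


def cmdline(pid, proc_root="/proc"):
    """Best-effort command line of a PID from /proc (empty if it is gone)."""
    try:
        with open(f"{proc_root}/{pid}/cmdline", "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return ""


if __name__ == "__main__":
    # A process that exits between the two readings would look "hidden";
    # only PIDs seen in both /proc snapshots are reported.
    first = pids_from_proc()
    reported = pids_from_ps()
    second = pids_from_proc()
    for pid in find_hidden(first & second, reported):
        print(f"hidden from ps: pid {pid} cmdline={cmdline(pid)!r}")
```

A non-empty result is a lead, not proof: short-lived processes and PID namespaces can also produce differences, so confirm each reported PID by reading its /proc entry directly.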
3. A simple check method
But suspicion alone gets you nowhere, and a network administrator who suspects everything will sooner or later end up with "neurasthenia" ;-Q
Make good use of tools!
Here we introduce chkrootkit, released at http://www.chkrootkit.org.
As the name suggests, chkrootkit is a convenient tool for checking whether a rootkit is present.
chkrootkit can be used on the following platforms:
Linux 2.0.x, 2.2.x
FreeBSD 2.2.x, 3.x and 4.0
OpenBSD 2.6, 2.7 and 2.8 (if you care a lot about security, we strongly recommend OpenBSD 2.8; that is what I use. ^_^)
Solaris 2.5.1, 2.6 and 8.0
As of now (05/08/2001), the latest version is chkrootkit v0.32.
It can detect the following rootkits and worms:
lrk3
lrk4
lrk5
lrk6 (and some variants)
Solaris rootkit
FreeBSD rootkit
t0rn (including some variants and t0rn v8)
Ambient's rootkit for Linux (ARK)
Ramen worm
rh[67]-shaper
rsha
Romanian rootkit
rk17
Lion worm
Adore worm
LPD worm
kenny-rk
Adore LKM
It mainly checks the following programs in the system:
basename
biff
chfn
chsh
cron
date
dirname
du
echo
env
find
fingerd
gpm
grep
identd
ifconfig
inetd
killall
login
ls
mail
mingetty
netstat
passwd
pidof
pop2
pop3
ps
pstree
rlogind
rpcinfo
rshd
sendmail
sshd
su
syslogd
tar
tcpd
telnetd
timed
top
traceroute
write
Installation method:
Installing and using chkrootkit is very simple! (Please also be sure to read http://www.chkrootkit.org/faq)
Download
Download chkrootkit.tar.gz from http://www.chkrootkit.org
or download chkrootkit-0.32.tar.gz from ftp.tnc.edu.tw/security/ (Careful! Is this one a trojan? ^_^... Just kidding, don't take it seriously!)
Extract
tar xvzf chkrootkit-0.32.tar.gz
Compile
cd chkrootkit-0.32
make sense
Run
./chkrootkit > chk.lst
Check the text file chk.lst to see whether any trojan or worm was detected.
The following is part of a chk.lst showing that the system should be clean (not guaranteed! But at least it is reassuring!)
Rootdir is '/'
Checking 'basename'... not vulnerable
Checking 'biff'... not tested
Checking 'chfn'... not vulnerable
Checking 'chsh'... not vulnerable
Checking 'cron'... not vulnerable
Checking 'date'... not vulnerable
Checking 'du'... not vulnerable
Checking 'dirname'... not vulnerable
Checking 'echo'... not vulnerable
Checking 'env'... not vulnerable
Checking 'find'... not vulnerable
Checking 'fingerd'... not vulnerable
Checking 'gpm'... not vulnerable
Checking 'grep'... not vulnerable
Checking 'su'... not vulnerable
Checking 'ifconfig'... not vulnerable
Checking 'inetd'... not vulnerable
Checking 'identd'... not vulnerable
Checking 'killall'... not vulnerable
Checking 'login'... not vulnerable
Checking 'ls'... not vulnerable
Checking 'mail'... not vulnerable
Checking 'mingetty'... not vulnerable
Checking 'netstat'... not vulnerable
Checking 'passwd'... not vulnerable
Checking 'pidof'... not vulnerable
Checking 'pop2'... not tested
Checking 'pop3'... not tested
Checking 'ps'... not vulnerable
Checking 'pstree'... not vulnerable
Checking 'rpcinfo'... not vulnerable
Checking 'rlogind'... not vulnerable
Checking 'rshd'... not vulnerable
Checking 'sendmail'... not vulnerable
Checking 'sshd'... not vulnerable
Checking 'syslogd'... not vulnerable
Checking 'tar'... not vulnerable
Checking 'tcpd'... not vulnerable
Checking 'top'... not vulnerable
Checking 'telnetd'... not vulnerable
Checking 'timed'... not vulnerable
Checking 'traceroute'... not vulnerable
Checking 'write'... not vulnerable
Checking 'asp'... not vulnerable
Checking 'bindshell'... not vulnerable
Checking 'z2'... nothing deleted
Checking 'wted'... nothing deleted
Checking 'rexedcs'... not vulnerable
Checking 'sniffer'...
eth0 is not promisc
Checking 'aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for lion worm default files and dirs... nothing found
Searching for rsha's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Adore Worm... nothing found
Searching for anomalies in shell history files...
Checking 'lkm'... nothing detected
4. What to do if the host has been trojaned?
We can say: if a trojan program exists on the host, control of this host is no longer in the hands of the network administrator!
In other words, this host has already fallen (been compromised)! The only luck is that it has not yet been wiped by some small-timer.....
If this really happens to you, our advice is: hurry up and
Check for backdoors
Identify the cause of the intrusion
Track down the source of the intrusion
Prepare yourself mentally for reinstalling the system
Back up important files
Reinstall the system
Afterwards, you must strengthen your knowledge of security and intrusion prevention:
Make good use of tools (for example, install a file system integrity checking tool such as Tripwire, and compare MD5 checksums before installing any program suite)
Pay attention to related security information
Keep the system patched
Develop good network management habits (for example, avoid telnet/ftp and switch to ssh2, sftp2, scp)
Monitor continuously
Strive to keep the host secure
God bless u and me... ^_^
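The integrity-check advice above, as an added example that is neither the article's own code nor Tripwire or chkrootkit: a small baseline-and-verify script over the commands the article lists as common rootkit targets. It assumes the usual Unix binary directories; the article mentions MD5, and SHA-256 is substituted here because MD5 is no longer collision-resistant, the procedure being otherwise the same.

```python
"""Checksum baseline for the system commands rootkits commonly replace.
Added example, not from the original article, chkrootkit or Tripwire.
The article mentions MD5; SHA-256 is used because MD5 is no longer
collision-resistant, but the procedure is the same. Keep the baseline
off-host (read-only media): root on the compromised machine can rewrite
a baseline stored locally.
"""
import hashlib
import json
import os
import sys

# Commands the article lists as common rootkit targets
WATCHED = ["ls", "ps", "netstat", "ifconfig", "login", "passwd", "find",
           "du", "top", "killall", "pidof", "inetd", "syslogd", "tcpd"]


def file_digest(path, algo="sha256"):
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def locate(names, dirs=("/bin", "/sbin", "/usr/bin", "/usr/sbin")):
    """Resolve command names to the paths that exist in the usual dirs."""
    return [os.path.join(d, n) for d in dirs for n in names
            if os.path.isfile(os.path.join(d, n))]


def build_baseline(paths, algo="sha256"):
    """Map each existing regular file to its digest (others are skipped)."""
    return {p: file_digest(p, algo) for p in paths if os.path.isfile(p)}


def verify_baseline(baseline, algo="sha256"):
    """Compare files on disk with the baseline; returns (path, finding)."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            findings.append((path, "missing"))
        elif file_digest(path, algo) != expected:
            findings.append((path, "modified"))
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "verify":   # verify <baseline.json>
        with open(sys.argv[2]) as fh:
            for path, what in verify_baseline(json.load(fh)):
                print(f"{what}: {path}")
    else:                                               # print a new baseline
        json.dump(build_baseline(locate(WATCHED)), sys.stdout, indent=1)
```

Run it once on a freshly installed host to print the baseline, store that file on read-only media, and later run it with `verify <file>` from a known-clean Python and shell; a "modified" finding on ls or ps is exactly the replaced-command symptom described in section 2.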
Note:
Someone said: "Isn't it safer to pick a system that few people use?!", because it does not attract the interest and attention of hackers?!
I think this is wise.
My suggestion is: it is best not to pick rarely used systems (if a vulnerability appears, nobody releases a patch, or the company folds or stops releasing them, and you will be left crying! Unless you have the ability to fix it yourself.....)
Rather, choose a system that at least one dedicated group or company maintains and keeps releasing as a solid, continuously improving product.