Building an Intrusion Monitoring System (chkrootkit)


A rootkit is a kind of tool that intruders use frequently. Such tools are usually well hidden and hard for the system's users to notice; through them, an intruder establishes a way to get back into the system at any time, or to control it in real time. Here we use the free software chkrootkit to build an intrusion monitoring system that checks whether a rootkit has been installed on the system.
While checking for an installed rootkit, chkrootkit relies on a number of operating system commands. It cannot be ruled out that an intruder has modified exactly those commands so that chkrootkit can no longer detect the rootkit. In that case the rootkit stays undetected even though chkrootkit is installed, the intruder keeps control of the system, and an intrusion monitoring system built on chkrootkit loses all meaning. For this reason, chkrootkit should be put to work right after the operating system is installed, or at the latest before the server is opened to the network. In addition, back up the system commands chkrootkit uses before the server goes live; whenever there is reason to suspect those commands have been modified, have chkrootkit run with the originally backed-up copies instead.
Install chkrootkit
Download and install chkrootkit

[root@localhost ~]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz ← download chkrootkit
--03:05:31--  ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
           => `chkrootkit.tar.gz'
Resolving ftp.pangeia.com.br... 200.239.53.35
Connecting to ftp.pangeia.com.br|200.239.53.35|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/seg/pac ... done.
==> PASV ... done.    ==> RETR chkrootkit.tar.gz ... done.
Length: 37,140 (36K) (unauthoritative)

100%[=========================================>] 37,140        5.67K/s    ETA 00:00

03:05:46 (5.30 KB/s) - `chkrootkit.tar.gz' saved [37140]

[root@localhost ~]# tar zxvf chkrootkit.tar.gz ← unpack the compressed source code
[root@localhost ~]# cd chkrootkit-* ← enter the chkrootkit source directory
[root@localhost chkrootkit-0.46a]# make sense ← compile
[root@localhost chkrootkit-0.46a]# cd .. ← return to the parent directory
[root@localhost ~]# cp -r chkrootkit-* /usr/local/chkrootkit ← copy the directory with the compiled files to its final location
[root@localhost ~]# rm -rf chkrootkit* ← delete the leftover source directory and the downloaded archive
Test chkrootkit
Then, test whether chkrootkit can run normally.
[root@localhost ~]# cd /usr/local/chkrootkit ← enter the chkrootkit directory
[root@localhost chkrootkit]# ./chkrootkit | grep INFECTED ← test run of chkrootkit
 (wait a moment; if no line containing "INFECTED" is printed and the prompt simply returns, everything is in order)
[root@localhost chkrootkit]# cd ← return to the root user's home directory

Automate chkrootkit monitoring
Write a shell script that automates the chkrootkit check: if a rootkit is found, it mails the root user, and the output of every run is recorded in /var/log/messages through logger.
[root@localhost ~]# vi chkrootkit ← create the script that runs chkrootkit automatically
#!/bin/bash

PATH=/usr/bin:/bin

TMPLOG=`mktemp`

# Run chkrootkit and capture its output
/usr/local/chkrootkit/chkrootkit > $TMPLOG

# Send the output to syslog (/var/log/messages), tagged "chkrootkit"
cat $TMPLOG | logger -t chkrootkit

# Handle the false positive for bindshell on the SMTPS port (465):
# if the report mentions 465 but lsof shows no bindshell process on that
# port, drop those lines from the report
if [ ! -z "$(grep 465 $TMPLOG)" ] && \
   [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
        sed -i '/465/d' $TMPLOG
fi

# If a rootkit has been found, mail the INFECTED lines to root
[ ! -z "$(grep INFECTED $TMPLOG)" ] && \
        grep INFECTED $TMPLOG | mail -s "chkrootkit report in `hostname`" root

rm -f $TMPLOG

[root@localhost ~]# chmod 700 chkrootkit ← make the script executable (root only)
[root@localhost ~]# mv chkrootkit /etc/cron.daily/ ← move the script to the directory whose contents are run automatically every day
Backing up the system commands chkrootkit uses
As described in the introduction, if the system commands chkrootkit uses are altered by an intruder, chkrootkit's monitoring for rootkits becomes ineffective. We therefore back up those system commands beforehand, so that chkrootkit can be run with the original, backed-up commands whenever needed.
[root@localhost ~]# mkdir /root/commands ← create a temporary directory for the command backup
[root@localhost ~]# cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed uname` /root/commands
 ← copy the system commands chkrootkit uses into that directory (typed on a single line)
[root@localhost ~]# /usr/local/chkrootkit/chkrootkit -p /root/commands | grep INFECTED ← run chkrootkit with the backed-up commands
[root@localhost ~]# tar cvf /root/commands.tar /root/commands ← pack the backed-up commands into an archive
[root@localhost ~]# gzip /root/commands.tar ← compress the archive; then download the resulting commands.tar.gz to a safe location with SCP software
[root@localhost ~]# rm -rf commands* ← for safety, delete the backed-up commands and the archive from the server
If you later want to run chkrootkit with the originally backed-up system commands, upload the compressed command backup to a known location on the server with SCP software, decompress it, and point chkrootkit at that directory with -p. For example, assuming the backup has been uploaded to the root user's home directory:
[root@localhost ~]# tar zxvf /root/commands.tar.gz -C / ← extract the command backup (the archive stores the path without its leading slash, so extracting from / recreates /root/commands)
[root@localhost ~]# /usr/local/chkrootkit/chkrootkit -p /root/commands | grep INFECTED ← run chkrootkit with the backed-up commands
Delete the extracted backup again once the run is finished.
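The introduction and the backup section above both rest on one concern: the commands chkrootkit calls may have been replaced, and a pristine copy kept off the server is the fallback. What the article does not give is a way to notice that replacement in the first place. The script below is an added example, not part of the original article: it records a SHA-256 baseline of the same thirteen commands before the server goes live and later reports any command that has changed or disappeared, which is the signal to stop trusting the live commands and run chkrootkit -p against the backup. The function names, the manifest format and the stand-in "commands" built by the demo are constructed for this example; it assumes a POSIX shell and GNU coreutils sha256sum.

```shell
#!/bin/sh
# Added example, not from the original article: baseline and verify the
# system commands that chkrootkit relies on. Assumes GNU coreutils sha256sum
# and a POSIX shell; function names and the manifest format are our own.

# The same commands the article backs up with `which --skip-alias`.
CHKROOTKIT_CMDS="awk cut echo egrep find head id ls netstat ps strings sed uname"

# resolve_cmd NAME DIRS
# Print the first regular, executable file named NAME in the colon-separated
# directory list DIRS; return 1 if none is found.
resolve_cmd() {
    local name="$1" dirs="$2" d
    local IFS=:
    for d in $dirs; do
        if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    return 1
}

# baseline_commands MANIFEST [DIRS]
# Write one "<sha256>  <path>" line per command to MANIFEST, searching DIRS
# (default: the current PATH). Commands that cannot be found are reported on
# stderr; returns 1 if any were missing, 0 otherwise.
baseline_commands() {
    local manifest="$1" dirs="${2:-$PATH}" missing=0 cmd path
    : > "$manifest"
    for cmd in $CHKROOTKIT_CMDS; do
        if path=$(resolve_cmd "$cmd" "$dirs"); then
            sha256sum "$path" >> "$manifest"
        else
            echo "missing: $cmd" >&2
            missing=1
        fi
    done
    return $missing
}

# verify_commands MANIFEST
# Recompute the checksum of every path in MANIFEST. Prints "MODIFIED <path>"
# or "MISSING  <path>" for each deviation; returns 1 if any deviation was
# found, 0 when every command still matches its baseline.
verify_commands() {
    local manifest="$1" rc=0 sum path cur
    while read -r sum path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        cur=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            echo "MODIFIED $path"
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# demo_tamper_detection
# Runs both steps against constructed stand-in "commands" (tiny scripts in a
# temporary directory, not the real binaries): a clean baseline must verify,
# and after one stand-in is altered the change must be reported. Returns 0
# only if both expectations hold.
demo_tamper_detection() {
    local work cmd detected=0
    work=$(mktemp -d) || return 1
    mkdir -p "$work/bin"
    for cmd in $CHKROOTKIT_CMDS; do
        printf '#!/bin/sh\necho %s\n' "$cmd" > "$work/bin/$cmd"   # constructed stand-in
        chmod +x "$work/bin/$cmd"
    done
    if baseline_commands "$work/manifest" "$work/bin" \
        && verify_commands "$work/manifest" > /dev/null; then
        echo 'echo tampered' >> "$work/bin/ls"             # simulate a replaced ls
        verify_commands "$work/manifest" || detected=1     # prints: MODIFIED .../bin/ls
    fi
    rm -rf "$work"
    [ "$detected" -eq 1 ]
}

# Run `sh thisfile.sh demo` to see the detection on the stand-ins. On a real
# host: baseline_commands /root/commands.sha256 before going live, keep that
# file with commands.tar.gz off the server, and run verify_commands against
# it later.
case "${1:-}" in
    demo) demo_tamper_detection ;;
esac
```

Like chkrootkit itself, the check trusts the sha256sum and cut it finds on the host, and an intruder with root can rewrite a manifest left on the server; keep the manifest off the host next to commands.tar.gz, and treat any MODIFIED or MISSING line as the cue to re-run chkrootkit with -p pointing at the backed-up commands.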
