Construction of the intrusion Monitoring System (chkrootkit)

The so-called rootkit is a type of tool frequently used by intruders. Such tools are usually very confidential and difficult for users to notice. Through such tools, intruders have established a way that can always intrude into the system or control the system in real time. Therefore, we use the free software chkrootkit to establish an intrusion monitoring system to ensure that the system is installed with rootkit for monitoring.

In the process of monitoring whether the rootkit is installed, chkrootkit uses some operating system commands. However, it is not ruled out that the intruders have modified the system commands used by chkrootkit, making chkrootkit unable to monitor rootkit, in this way, even if chkrootkit is installed in the system, the existence of rootkit cannot be detected, and thus the system is still controlled to achieve intrusion. In that case, using chkrootkit to build an intrusion monitoring system will lose any meaning. In this regard, we asked chkrootkit to start working after the operating system was installed or before the server was opened. In addition, before the server is opened, back up the system command used by chkrootkit and, when necessary, suspect that the system command has been modified ), let chkrootkit use the initial backup system command for work.

Install chkrootkit

First download and install the chkrootkit tool.

[Root @ localhost ~] # Wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz　← Download chkrootkit -- 03:05:31 -- ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz => 'Chkrootkit.tar.gz Resolving ftp.pangeia.com.br... 200.239.53.35 Connecting to ftp.pangeia.com.br | 200.239.53.35 |: 21... connected. Logging in as anonymous... Logged in! ==> SYST... done. ==> PWD... done. ==> Type I... done. ==> CWD/pub/seg/pac... done. ==> PASV... done. ==> RETR chkrootkit.tar.gz... done. Length: 37,140 (36 K) (unauthoritative) 100% [=========================================>] 37,140 5.67 K/s ETA 03:05:46 (5.30 KB/s)-'chkrootkit.tar.gz saved [37140] [Root @ localhost ~] # Tar zxvf chkrootkit.tar.gzExtract to expand the compressed source code [Root @ localhost ~] # Cd chkrootkit *← Go To The chkrootkit source code directory [Root @ localhost chkrootkit-0.46a] # Make senseCompile [Root @ localhost chkrootkit-0.46a] # Cd ..Returns the upper-level directory. [Root @ localhost ~] # Cp-r chkrootkit-*/usr/local/chkrootkitCompile copies the directory of the compiled file to the specified location. [Root @ localhost ~] # Rm-rf chkrootkit *← Delete legacy Source Code Directories and Related Files

Test chkrootkit

Then test whether chkrootkit can run normally.

[Root @ localhost ~] # Cd/usr/local/chkrootkitExport to the chkrootkit directory [Root @ localhost chkrootkit] # ./Chkrootkit | grep INFECTEDTesting and running chkrootkit Wait a moment... If "INFECTED" is not displayed and a command line prompt is displayed, it means everything is OK! [Root @ localhost chkrootkit] # CdRestore to the root user directory

Automate chkrootkit monitoring

Write a Script in Shell Script to automate the monitoring of chkrootkit. If any rootkit is found, send an email to notify the root user and save the running result in the/var/log/messages file.

[Root @ localhost ~] # Vi chkrootkit← Create chkrootkit to automatically run the script #! /Bin/bash PATH =/usr/bin:/bin TMPLOG = 'mktemp' # Run the chkrootkit /Usr/local/chkrootkit> $ TMPLOG # Output the log Cat $ TMPLOG | logger-t chkrootkit # Bindshe of SMTPSllHow to do some wrongs If [! -Z "$ (grep 465 $ TMPLOG)"] & [-Z $ (/usr/sbin/lsof-I: 465 | grep bindshell)]; then Sed-I/465/d $ TMPLOG Fi # If the rootkit have been found, mail root [! -Z "$ (grep INFECTED $ TMPLOG)"] & Grep INFECTED $ TMPLOG | mail-s "chkrootkit report in 'hostname'" root Rm-f $ TMPLOG [Root @ localhost ~] # Chmod 700 chkrootkitAllow grants the script executable permissions [Root @ localhost ~] # Mv chkrootkit/etc/cron. daily/Worker moves the script to the directory that runs automatically every day.

<