A rootkit is a kind of tool that intruders often install after breaking into a system. Such tools are built to stay hidden and are hard for the administrator to notice; through them the intruder keeps a permanent way back into the system, or controls it in real time. Here we use the free software chkrootkit to build an intrusion monitoring system that checks whether a rootkit has been installed on the server.
When checking for a rootkit, chkrootkit relies on a number of ordinary operating-system commands (ps, netstat, ls, find and others). An intruder may well have replaced exactly those commands with trojaned versions, so that chkrootkit can no longer see the rootkit: the system stays under the intruder's control even though chkrootkit is installed, and the monitoring has lost all meaning. For this reason, chkrootkit should be installed and run for the first time right after the operating system is installed, before the server is opened to the network. In addition, before the server goes online, back up the system commands chkrootkit uses and keep the backup off the server; whenever there is reason to suspect the live commands have been modified, run chkrootkit against the backed-up originals (its -p option) instead of the commands on the system.
Install chkrootkit
Download and install chkrootkit
[root@localhost ~]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz    ← download chkrootkit
--03:05:31--  ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
           => `chkrootkit.tar.gz'
Resolving ftp.pangeia.com.br... 200.239.53.35
Connecting to ftp.pangeia.com.br|200.239.53.35|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/seg/pac ... done.
==> PASV ... done.    ==> RETR chkrootkit.tar.gz ... done.
Length: 37,140 (36K) (unauthoritative)
100%[=========================================>] 37,140    5.67K/s    ETA 00:00
03:05:46 (5.30 KB/s) - `chkrootkit.tar.gz' saved [37140]
[root@localhost ~]# tar zxvf chkrootkit.tar.gz    ← unpack the compressed source
[root@localhost ~]# cd chkrootkit*    ← enter the chkrootkit source directory
[root@localhost chkrootkit-0.46a]# make sense    ← compile
[root@localhost chkrootkit-0.46a]# cd ..    ← return to the parent directory
[root@localhost ~]# cp -r chkrootkit-* /usr/local/chkrootkit    ← copy the directory with the compiled files to its final location
[root@localhost ~]# rm -rf chkrootkit*    ← delete the leftover source directory and archive
Note that the archive is fetched over anonymous FTP, which gives no integrity guarantee of its own: compare the downloaded file with the checksum or signature published by the chkrootkit project before compiling it, since a tool that is trusted to detect tampering must not itself be installed from an unverified download.
Test chkrootkit
Next, test whether chkrootkit runs normally.
[root@localhost ~]# cd /usr/local/chkrootkit    ← enter the chkrootkit directory
[root@localhost chkrootkit]# ./chkrootkit | grep INFECTED    ← test run of chkrootkit
(wait a moment...)
If no line containing "INFECTED" is printed and the command prompt comes back, everything is OK.
[root@localhost chkrootkit]# cd    ← return to the root user's home directory
Automate chkrootkit monitoring
Write a shell script to automate the chkrootkit check: it runs chkrootkit, records the full result through logger in /var/log/messages, and, if a rootkit is found, mails the INFECTED lines to the root user. chkrootkit's bindshell test reports port 465 as infected whenever the SMTPS service is listening there, so the script also drops that warning unless a process actually called bindshell is using port 465.
[root@localhost ~]# vi chkrootkit    ← create the chkrootkit automatic run script
#!/bin/bash
PATH=/usr/bin:/bin
TMPLOG=`mktemp`

# Run chkrootkit
/usr/local/chkrootkit/chkrootkit > $TMPLOG

# Send the result to syslog (/var/log/messages)
cat $TMPLOG | logger -t chkrootkit

# bindshell on SMTPS (port 465) is a known false positive:
# drop it unless a process named bindshell is really listening on 465
if [ ! -z "$(grep 465 $TMPLOG)" ] && \
   [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
    sed -i '/465/d' $TMPLOG
fi

# If a rootkit has been found, mail root
[ ! -z "$(grep INFECTED $TMPLOG)" ] && \
    grep INFECTED $TMPLOG | mail -s "chkrootkit report in `hostname`" root

rm -f $TMPLOG
[root@localhost ~]# chmod 700 chkrootkit    ← make the script executable by root only
[root@localhost ~]# mv chkrootkit /etc/cron.daily/    ← move the script to the directory whose scripts run automatically every day
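The daily job above suppresses every line mentioning 465 as soon as no process is literally named "bindshell", which also hides a real bind shell that happens to use port 465 together with other ports. The following is an added example, not code from the original page or from the chkrootkit project, of a more defensive version of the same cron job: it prefers the backed-up command set when one is present (the page's -p option), keeps the port-465 exception only when 465 is the sole port flagged and something is confirmed to be listening there, and puts the filtering in a function so it can be tested against a constructed report. The paths /usr/local/chkrootkit/chkrootkit and /root/commands follow the page's layout; the lsof-based listener check is an assumption that still relies on the operator knowing the MTA owns port 465.

```shell
#!/bin/bash
# Added example (not from the original page): defensive daily chkrootkit job.
# Assumed layout, as on the page: chkrootkit in /usr/local/chkrootkit and the
# restored trusted command copies (if any) in /root/commands.
CHKROOTKIT=/usr/local/chkrootkit/chkrootkit
TRUSTED_BIN=/root/commands

# extract_infected REPORT SMTPS_LEGIT
#   Print the INFECTED lines of a chkrootkit report. When SMTPS_LEGIT is "yes"
#   (caller has confirmed a legitimate daemon owns TCP 465) and the bindshell
#   line flags *only* port 465, that line is dropped as the known SMTPS false
#   positive. Exit 0 if any infected line remains, 1 if the report is clean.
extract_infected() {
    local report=$1 smtps_legit=$2 line ports
    grep INFECTED "$report" | while IFS= read -r line; do
        case $line in
            *bindshell*PORTS:*)
                # chkrootkit prints e.g. "INFECTED (PORTS:  465 1524)"
                ports=$(printf '%s\n' "$line" \
                        | sed -n 's/.*PORTS:[[:space:]]*\([0-9][0-9 ]*\).*/\1/p' \
                        | sed 's/ *$//')
                if [ "$smtps_legit" = yes ] && [ "$ports" = 465 ]; then
                    continue
                fi
                ;;
        esac
        printf '%s\n' "$line"
    done | grep .
}

# smtps_listener_present: "yes" if something is LISTENing on TCP 465.
# Assumption: the operator has verified that listener is the MTA's SMTPS
# service; chkrootkit itself cannot tell that apart from a bind shell.
smtps_listener_present() {
    if /usr/sbin/lsof -nP -i TCP:465 -sTCP:LISTEN 2>/dev/null | grep -q .; then
        echo yes
    else
        echo no
    fi
}

main() {
    local findings
    tmplog=$(mktemp) || exit 1
    trap "rm -f $tmplog" EXIT

    # Prefer the backed-up command set so a trojaned ps/netstat/ls cannot
    # blind the scan; fall back to the live system commands otherwise.
    if [ -d "$TRUSTED_BIN" ]; then
        "$CHKROOTKIT" -p "$TRUSTED_BIN" > "$tmplog" 2>&1
    else
        "$CHKROOTKIT" > "$tmplog" 2>&1
    fi

    logger -t chkrootkit < "$tmplog"          # full report to syslog

    if findings=$(extract_infected "$tmplog" "$(smtps_listener_present)"); then
        printf '%s\n' "$findings" | mail -s "chkrootkit report in $(hostname)" root
    fi
}

# Only run the scan when installed as the cron job; sourcing the file
# elsewhere (for example to test the functions) just defines them.
case $0 in /etc/cron.daily/*) main ;; esac
```

Install it exactly as the page does (chmod 700, then move it to /etc/cron.daily/chkrootkit). Because extract_infected exits non-zero on a clean report, the mail is sent only when there is something to report, and a cron entry that checks the exit status can treat a failing chkrootkit run differently from a clean one.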
Back up the system commands chkrootkit uses
As described in the introduction, once an intruder has altered the system commands chkrootkit depends on, chkrootkit's rootkit checks can no longer be trusted. Therefore we back up those commands in advance, and when needed run chkrootkit against the backed-up originals with the -p option so that it is not fooled by trojaned commands on the system.
[root@localhost ~]# mkdir /root/commands    ← create a directory for the temporary command backup
[root@localhost ~]# cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed uname` /root/commands    ← back up the system commands into that directory (type this on one line)
[root@localhost ~]# /usr/local/chkrootkit/chkrootkit -p /root/commands | grep INFECTED    ← run chkrootkit with the backed-up commands
[root@localhost ~]# tar cvf /root/commands.tar /root/commands    ← pack the backed-up commands
[root@localhost ~]# gzip /root/commands.tar    ← compress the archive
Now copy the resulting commands.tar.gz to a safe place off the server with scp.
[root@localhost ~]# rm -rf commands*    ← for safety, delete the backed-up commands and the archive from the server
To run chkrootkit with the backed-up commands in the future, upload the compressed backup (commands.tar.gz) with scp to a known location on the server, unpack it there, and pass the unpacked directory to chkrootkit with -p. For example, assuming the backup has been uploaded to the root user's home directory:
[root@localhost ~]# tar zxvf /root/commands.tar.gz -C /    ← unpack the command backup (the archive stores the path root/commands, so extract from /)
[root@localhost ~]# /usr/local/chkrootkit/chkrootkit -p /root/commands | grep INFECTED    ← run chkrootkit with the backed-up commands
After the run, delete the unpacked backup and the archive again.
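The whole scheme only works if the backed-up commands are really the originals and the copy restored later is the one taken. The following is an added example, not code from the original page, that records a SHA-256 manifest when the backup is taken, verifies a restored backup against that manifest before handing it to chkrootkit -p, and compares the live system commands with the trusted copies so that a replaced binary is reported directly. It assumes bash and GNU coreutils (sha256sum, with shasum as a fallback); the command list is the page's own, and `type -P` stands in for `which --skip-alias` because it always resolves to a file on PATH rather than an alias or shell function.

```shell
#!/bin/bash
# Added example, not from the original page: a SHA-256 manifest for the
# trusted command copies. Assumes bash and GNU coreutils (sha256sum);
# the command list is the page's own.
COMMANDS="awk cut echo egrep find head id ls netstat ps strings sed uname"

# Fallback for systems that ship shasum (Perl) instead of coreutils sha256sum.
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# backup_commands DEST: copy each command's binary into DEST and write
# DEST/MANIFEST (hash + name). Absent commands are skipped with a warning.
backup_commands() {
    local dest=$1 c path copied=""
    mkdir -p "$dest" || return 1
    for c in $COMMANDS; do
        path=$(type -P "$c") || { echo "warning: $c not found, skipped" >&2; continue; }
        cp "$path" "$dest/$c" || return 1
        copied="$copied $c"
    done
    [ -n "$copied" ] || return 1
    ( cd "$dest" && sha256sum $copied > MANIFEST )
}

# verify_backup DEST: check the restored copies against MANIFEST before
# handing the directory to chkrootkit -p. Non-zero exit means the backup
# was tampered with or corrupted and must not be trusted.
verify_backup() {
    ( cd "$1" && sha256sum -c MANIFEST > /dev/null )
}

# compare_live DEST: report live commands whose hash differs from the
# trusted copy. A difference right after a package update is expected
# (take a fresh backup afterwards); an unexplained one is exactly the
# trojaned-command case the page warns about. Run it with PATH pointing
# at the trusted directory first, since it uses sha256sum and cut itself.
compare_live() {
    local dest=$1 bad=0 sum name live
    while read -r sum name; do
        live=$(type -P "$name") || { echo "$name: missing from PATH"; bad=1; continue; }
        if [ "$(sha256sum "$live" | cut -d' ' -f1)" != "$sum" ]; then
            echo "$name: $live differs from trusted copy"
            bad=1
        fi
    done < "$dest/MANIFEST"
    return $bad
}
```

Keep MANIFEST together with the archive off the server, or better, keep a separate note of the archive's own hash, so that an intruder who can reach the restored directory cannot simply regenerate the manifest to match trojaned copies.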
Related Articles
- Linux Intrusion Monitoring System
- Analysis on the Application of Network Intrusion Monitoring Systems (IDS)
- Linux Intrusion Monitoring System LIDS Principles