LINUX Security Operations (iv)

Source: Internet
Author: User

Linux Backdoor Intrusion Detection Tool:

(1) First, a brief introduction to the Trojan

A rootkit is a Trojan backdoor tool; put plainly, it is a Trojan. It is more dangerous than an ordinary Trojan because it hides itself: its main trick is to replace your system's files with its own. On the surface the file is still yours, but in reality it is not, which is what makes it so dangerous.

There are two types of rootkit, file-level and kernel-level. (Hehe, viruses also split into schools, just like in martial-arts dramas where the Beggars' Sect splits into the Dirty-Clothes faction and the Clean-Clothes faction.)


Dirty-Clothes faction (file-level rootkit): the dirty-clothes type is relatively simple. It uses a program or system vulnerability to get into the system and then modifies important system files to achieve its goal. Put bluntly, the important posts in the system are taken over by dirty-clothes members: on the surface they still look like the administrator's own, but in fact they have been swapped out. The system programs most commonly replaced by this kind of rootkit are login, ls, ps, ifconfig, du, find, netstat and so on.

The effective countermeasure is to check the integrity of important system files regularly. How do you check, and what do you check? You use a tool to verify whether your files have been modified or replaced, i.e. whether they are still the original files. If a file turns out to be modified or replaced, the system has already been compromised by the dirty-clothes faction. There are many file-integrity tools, such as tripwire, aide, and so on.


Clean-Clothes faction (kernel-level rootkit): it is called the clean-clothes school because it is clean: the work is technically skilled and leaves little dust on the body.

The clean-clothes type attaches itself mainly to the kernel and makes no changes to system files, so it is hard to detect with a generic detection tool. For example, if a user wants to run program A, a system infected by a clean-clothes rootkit pretends to run A but actually runs B. That is frightening. There is currently no good tool for defending against the clean-clothes type; the only option is to keep the system running with the minimum privileges needed. As long as the attacker cannot gain root privileges, they cannot implant a kernel rootkit, i.e. they cannot place their own people inside the kernel.


(2) Having introduced the Trojan, now let us introduce a tool against it, called chkrootkit.

chkrootkit is a tool for finding and detecting rootkit backdoors on a Linux system. Its official website is http://www.chkrootkit.org. chkrootkit is not included in the official CentOS repositories, so it is installed by compiling it manually.

I compare rootkits to the Beggars' Sect, so I compare chkrootkit to a secret agent, because we all know agents are very powerful.

Installing the agent (chkrootkit):

Environment: CentOS (other systems may differ; CentOS is best, and Red Hat may give errors)

1. # yum -y install gcc

# yum -y install gcc-c++

# yum -y install make

2. For security, it is best to download chkrootkit from the official website. After the download is complete, proceed with the following steps:

# tar -zxvf chkrootkit.tar.gz    // unpack the archive

# cd chkrootkit-*

# make sense    // you read that right, the target really is "make sense"!

# cd ..    // go back up one level

# cp -r chkrootkit-* /usr/local/chkrootkit    // copy the files elsewhere; -r is recursive copy

# rm -rf chkrootkit-*    // the files have just been copied, so the source tree can be deleted now

At this point the installation is complete!


(3) Using the agent (chkrootkit)

# /usr/local/chkrootkit/chkrootkit -h    // -h is help and lists the options; -q is quiet mode, which lists only problematic items; -p is the directory of system commands to use during detection

Checking `ifconfig'... infected    // "infected" means this binary has been replaced

Checking `sshd'... not infected    // not infected


Summary: if you are infected, the best course is to back up your data and then reinstall the operating system.


One very important additional point: while the agent (chkrootkit) is checking for the Beggars' Sect (rootkit), it itself uses some system commands. So if the server has already been infiltrated, the people inside the system are all sect members, i.e. all the commands belong to the sect, and then chkrootkit's results are unreliable. To avoid this problem, back up the commands chkrootkit uses before the server goes live, and let the backed-up commands do the detection when needed. How do you back them up? Here is the procedure:

# mkdir /usr/shareing/.mingling    // the dot in front of mingling makes it a hidden directory, so a hacker does not find it easily

# cp `which --skip-alias awk cut echo find egrep id head ls netstat ps ssh strings sed uname` /usr/shareing/.mingling    // back up, in advance, the commands the agent (chkrootkit) may use

# /usr/local/chkrootkit/chkrootkit -p /usr/shareing/.mingling    // -p is the directory of system commands to use for detection

# tar -zcvf mingling.tar.gz /usr/shareing/.mingling    // you can pack this hidden directory, copy it to a USB stick and keep it somewhere safe. If the server is compromised, upload it to the server and run the detection with it.


# rm -rf mingling.tar.gz    // once it has been copied out to the USB stick, the archive can be deleted.
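As an added example (not code from the original post), a small POSIX sh script that ties the two pieces above together: it copies the commands chkrootkit relies on into a trusted directory, records a sha256 baseline of the live binaries (the file-integrity check described earlier for the file-level rootkit), and later re-checks them. `command -v` stands in for `which --skip-alias` (an assumption, so it also runs on non-CentOS systems); the hidden directory and chkrootkit paths are the post's own.

```shell
#!/bin/sh
# Added example: trusted-command backup plus a sha256 integrity baseline.
# Assumes coreutils sha256sum; replaces `which --skip-alias` with `command -v`.

# Commands chkrootkit may use, as listed in the post.
TRUSTED_CMDS="awk cut echo find egrep id head ls netstat ps ssh strings sed uname"

# backup_cmds DEST cmd...: copy each command found on PATH into DEST and append
# the sha256 of the ORIGINAL binary to DEST/SHA256SUMS, so the live system can
# be re-checked against this baseline later. Shell builtins (no file) are skipped.
backup_cmds() {
    dest="$1"; shift
    mkdir -p "$dest" || return 1
    : > "$dest/SHA256SUMS"
    for c in "$@"; do
        src=$(command -v "$c") || { echo "skip: $c not found" >&2; continue; }
        [ -f "$src" ] || continue          # builtin or alias, nothing to copy
        cp -p "$src" "$dest/$c" || return 1
        sha256sum "$src" >> "$dest/SHA256SUMS"
    done
    return 0
}

# verify_baseline MANIFEST: re-hash every path in the manifest; prints only the
# entries that changed and returns non-zero if any binary no longer matches.
verify_baseline() {
    sha256sum --check --quiet "$1"
}

# run_trusted_check DEST: point chkrootkit at the trusted copies (path from the post).
run_trusted_check() {
    /usr/local/chkrootkit/chkrootkit -p "$1"
}

# Typical use before the server goes live (commented out so the script is inert):
# backup_cmds /usr/shareing/.mingling $TRUSTED_CMDS
# verify_baseline /usr/shareing/.mingling/SHA256SUMS && run_trusted_check /usr/shareing/.mingling
```

A mismatch reported by verify_baseline means a binary in the list differs from the copy taken at install time, which is exactly the replaced-file symptom of a file-level rootkit described above.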


This article is from the "8174069" blog; please keep this source: http://8184069.blog.51cto.com/8174069/1717916
