Linux Rootkit vulnerability check tool Rootkit Hunter

Source: Internet
Author: User
Tags: syslog
We know that to obtain full control of a host, you have to obtain the privileges of its superuser, root. Crackers therefore try every available method to gain root privileges. How do they get them? The simplest way is to use one of the rootkit tool packages that circulate on the Internet to launch an intrusion.

Because rootkits are so easy to obtain, even low-skilled attackers can use them to take over the hosts of ordinary users, so we certainly want to protect our own hosts! To determine whether a host has been compromised by a rootkit-style program, there is Rootkit Hunter (rkhunter), developed by a free software developer, which checks the system for us. The rest of this article describes it.

What is a rootkit?

There are many ways to obtain control of a host. The simplest is to use a login service (login, ssh, telnet, and so on) together with a password-guessing program to guess a valid login. However, since most login programs now limit the number of login attempts, password guessers are no longer very popular.

For the sake of network security, skilled hackers write programs on their own hosts that probe servers for vulnerabilities; when a vulnerability in some service is discovered, it is reported so that the service's administrators can fix the software and secure their systems. Once the service's development team receives such a report, it fixes the problem as quickly as possible and publishes a patch.

However, between the discovery of a vulnerability and the release of the patch there is a window in which malicious crackers launch attacks against it. Such crackers write programs that exploit the vulnerability and give them control of the attacked host, or plant a trojan on it. Unlike the skilled hackers above, these crackers like to show off: they attack well-known sites to promote themselves, and at the same time spread their exploit programs on the Internet. Other people collect these programs, bundle them into packages and circulate the packages on the Internet. Those packages are what we call rootkits.

What a rootkit can do is almost endless. The most common use is to scan the attacked host directly for server vulnerabilities; if the target host has one, the cracker may obtain control of it. Once in control, a cracker who wants to keep the host as a stepping stone for later use will typically use another part of the rootkit to replace some of the programs on the host. For example, the programs we rely on to inspect the host, such as ps, ls, top and w, get replaced so that the intrusion stays hidden from the real system administrator, who can no longer tell that unknown programs are running on the system.

How to Prevent Rootkit attacks

Now that we know what rootkits are, how do we stop a cracker from using one against our hosts? Rootkit attacks rely on vulnerabilities in the host, so the rules are: 'shut down unnecessary services' and 'keep every package on the host patched at all times'. Shutting down unnecessary services is straightforward. For package updates, it is best to use apt, yum or whatever update mechanism your Linux distribution provides; that makes the system administrator's life much easier.

That is still not enough! A rootkit can also be disguised as a legitimate package on the Internet to lure you into installing it. A few years ago, for example, packages offered by the well-known OpenSSL site were found to have been replaced by a cracker. So before you install a package, compare its MD5 sum (or whatever checksum the project publishes) with the published value and confirm that the file is intact. Of course, it is best not to install packages of unknown origin at all.
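As an added example (not from the original article or from the rkhunter project), here is a small POSIX shell function that performs the pre-install comparison described above for a downloaded tarball. It uses sha256sum rather than MD5, because MD5 collisions are practical today, but the shape of the check is the same; the checksum file it reads is in the format sha256sum itself writes, and the file names in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original article or of rkhunter.
# verify_download TARBALL CHECKSUM_FILE
#   CHECKSUM_FILE holds lines in sha256sum format ("<hex digest>  <file name>"),
#   such as a project publishes next to its release tarball. The digest recorded
#   for TARBALL's base name is looked up, the tarball is hashed locally, and the
#   two are compared. Returns 0 on match, 1 on mismatch, 2 when an input is missing.
verify_download() {
    tarball=$1
    sums=$2
    if [ ! -f "$tarball" ] || [ ! -f "$sums" ]; then
        echo "verify_download: missing $tarball or $sums" >&2
        return 2
    fi
    name=$(basename "$tarball")
    # the second field is the file name; "sha256sum -b" prefixes it with '*', strip that
    expected=$(awk -v f="$name" '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "verify_download: no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches $expected"
        return 0
    fi
    printf 'MISMATCH: %s\n  expected %s\n  got      %s\n' "$name" "$expected" "$actual" >&2
    return 1
}

# Usage (hypothetical file names): only unpack when the function returns 0.
#   verify_download /root/rkhunter-1.1.8.tar.gz /root/rkhunter-1.1.8.tar.gz.sha256 \
#       && tar -zxvf /root/rkhunter-1.1.8.tar.gz
if [ "$#" -eq 2 ]; then
    verify_download "$1" "$2"
fi
```

The important detail is that the expected digest must come from somewhere other than the download itself (the project's web page over HTTPS, a signed announcement, a mirror you trust); a checksum file fetched from the same compromised mirror as the tarball proves nothing.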

To check whether our host has been attacked by a rootkit, we can use other software to inspect the important programs on the host, such as the ps and top mentioned above. That software is the Rootkit Hunter program this article introduces.

What can Rootkit Hunter do?

According to the official documentation, rkhunter checks for rootkit programs, for tampered login and post-login programs, and for the versions of the packages installed on the host. The techniques rkhunter uses include the following:

  • MD5 comparison:
    Remember the MD5 checksums mentioned in the basics chapter? Put simply, every file has a fingerprint: an MD5 digest computed from its contents by a hash algorithm. If the file is altered, even by a single character with the file size unchanged, the MD5 digest changes. So if we record the MD5 digests of the important files right after the system has been set up securely, and then regularly recompute and compare them, any difference tells us the file has been changed, and we need to find out why.

    Using this, rkhunter has collected the MD5 digests of the important files (login, ls, ps, top, w, and so on) of the major Linux distributions. When rkhunter is installed and run, it compares those reference digests with the files on our system; if a comparison fails, it warns the system administrator, who can then investigate.

  • Checking for the files typical rootkits leave behind:
    As mentioned earlier, rootkits change certain important files so that the attacker can come back or keep control of the system. By checking those files we can easily tell whether they have been tampered with. This is an important method for detecting rootkits.

  • Checking for abnormal file permissions on binaries:
    As the basics chapter explained, the source code and tarballs we build for the system end up as binary executables. If a trojan wants to take over your system, the important files it has to modify are therefore binaries such as ls, ps and top. The key point is that the original system files have fixed permissions, for example /bin/ls is 755 (-rwxr-xr-x), whereas many trojans leave their replacements at 777 (-rwxrwxrwx). Simply checking the permissions of these important files can therefore reveal a problem.

  • Checking for hidden files:
    Sometimes attack files are hidden from listings simply by putting a dot (.) at the start of the file name, and a trojan may also hide its main program in a hidden directory that most people never look at. rkhunter therefore looks for hidden files in places where they should not be and reports the suspicious ones.

  • Checking for suspicious kernel modules (LKM/KLD):
    From the kernel section of the basics chapter we know that the Linux kernel can load functionality at run time as loadable kernel modules (LKMs), and that the kernel decides what the system can do. A malicious program can therefore make the kernel itself do its bidding by loading a kernel module, so rkhunter checks for suspicious kernel modules. (On Linux the mechanism is the LKM; on the BSD family it is the dynamic kernel linker, KLD.)

  • Operating-system-specific checks:
    Each operating system has its own way of working; on Linux, for instance, we can check whether the output of ps agrees with the contents of /proc. Because every operating system is different, this check cannot be applied to all of them, but Linux is supported.

  • Checking for listening ports:
    To accept a network connection, a server has to listen on a port so it can receive client requests. This is also the most common way a backdoor works. Listening on a port requires a program (the network services of the basics chapter), so if our system is infiltrated by a trojan, it will very likely start an unknown server that opens some ports, and through those ports the cracker can easily get back into our host. rkhunter therefore checks the listening ports on the host, in particular the port numbers that known rootkits use.

  • Specific strings (keyword checks):
    Some trojans or backdoors create a particular program or directory on the system, and the names of those files stay the same from victim to victim. rkhunter therefore looks for those specific file and directory names to determine whether your system has been compromised.
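To make the hash, permission and hidden-file checks above concrete, here is an added example (not code from the original article or from rkhunter) of a minimal baseline-and-verify script in POSIX shell. It records a digest, mode and owner for a list of binaries on a clean system, later reports files whose contents or mode changed or that became world-writable, and lists dot-entries under a directory such as /dev. It assumes GNU stat and find (Linux), paths without whitespace, and sha256 instead of MD5; the manifest and binary paths in the comments are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original article or of rkhunter: a minimal
# baseline-and-verify check in the spirit of rkhunter's hash, permission and
# hidden-file tests. Linux-specific (GNU stat/find); paths must not contain
# whitespace. Manifest and binary paths in the comments are hypothetical.

# baseline MANIFEST PATH... : record "path sha256 mode owner" for each regular
# file, taken on a freshly installed system before it goes on the network.
baseline() {
    manifest=$1
    shift
    : > "$manifest"
    for f in "$@"; do
        [ -f "$f" ] || continue
        printf '%s %s %s %s\n' "$f" \
            "$(sha256sum "$f" | awk '{ print $1 }')" \
            "$(stat -c '%a' "$f")" \
            "$(stat -c '%U' "$f")" >> "$manifest"
    done
}

# verify MANIFEST : compare the current state against the manifest; prints one
# line per finding and returns 0 only when nothing changed.
verify() {
    manifest=$1
    findings=0
    while read -r f sum mode owner; do
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"
            findings=$((findings + 1))
            continue
        fi
        cur_sum=$(sha256sum "$f" | awk '{ print $1 }')
        cur_mode=$(stat -c '%a' "$f")
        cur_owner=$(stat -c '%U' "$f")
        if [ "$cur_sum" != "$sum" ]; then
            # the replaced ps/ls/top case: contents differ from the baseline
            echo "CHANGED  $f (digest differs from baseline)"
            findings=$((findings + 1))
        fi
        if [ "$cur_mode" != "$mode" ] || [ "$cur_owner" != "$owner" ]; then
            echo "MODE     $f ($mode/$owner -> $cur_mode/$cur_owner)"
            findings=$((findings + 1))
        fi
        # other-write bit set in the last octal digit (the 777 pattern above)
        case $cur_mode in
            *[2367]) echo "WORLDWR  $f is world-writable"; findings=$((findings + 1)) ;;
        esac
    done < "$manifest"
    [ "$findings" -eq 0 ]
}

# hidden_entries DIR : dot-files and dot-directories directly under DIR.
# Under /dev there is normally no reason for any; rkhunter flags them too.
hidden_entries() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*'
}

# Typical use (hypothetical paths):
#   baseline /var/lib/baseline.manifest /bin/ls /bin/ps /usr/bin/top /usr/bin/w /bin/login
#   verify   /var/lib/baseline.manifest
#   hidden_entries /dev
```

Two practical caveats that also apply to rkhunter's own database: keep the manifest (and ideally the checking tools) on read-only or off-host media, since a rootkit that can replace /bin/ps can also rewrite a manifest stored next to it, and re-baseline after every legitimate package update, or the next run will report the new binaries as changed.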

Besides these methods, newer versions of rkhunter also check the version numbers of some common packages. For example, Apache versions before 2.0.49 had plenty of known bugs, so administrators were generally advised to upgrade the Apache on their systems to 2.0.50 (as of 2004/11). Common ssh/ssl packages have had similar problems. rkhunter identifies the packages installed on your system and tells you whether your version 'may' have a problem. Why only 'may'? Because rkhunter is not omniscient. The next section looks at rkhunter's limitations.

Limitations of rkhunter

rkhunter is a great tool, but its results still have some problems. Take the MD5 comparison: rkhunter compares your system against its own database of MD5 digests, so if your distribution is not among those rkhunter supports, the comparison is meaningless. Likewise, if you have installed programs such as syslogd or ps yourself from a tarball, your binaries were built differently and their MD5 digests will necessarily differ from the ones rkhunter ships, so rkhunter will judge them to be a problem. In that case you can update rkhunter's database, or contact the author to get it fixed.

Also, newer versions of rkhunter provide the package version check mentioned in the previous section. However, when a vulnerability is found in a package, the major distributions usually do not ship the newest upstream version; instead they fix the bug with a patch to the original version and leave the version number unchanged. A simple version check cannot know whether such a patch has been applied. So if your package has been updated with a patch but its version number has not changed, rkhunter will still report it as vulnerable.

rkhunter therefore has its limits. If you really want to know whether certain services on your host are vulnerable, you have to use a program that actually tests them, such as Nessus. We will discuss Nessus and how to use it later.

Installing rkhunter:

Installing rkhunter is really simple. First, download it from the website below:

  • http://www.rootkit.nl/projects/rootkit_hunter.html (rkhunter home page)

There is a Downloads section at the bottom of that page; download the latest version. This article uses version 1.1.8. Assuming the downloaded file is in /root, the whole installation goes like this (you must have the bash shell!):

    [root@test root]# cd /usr/local/src
    [root@test src]# tar -zxvf /root/rkhunter-1.1.8.tar.gz
    # this creates a directory named rkhunter
    [root@test src]# cd rkhunter/
    [root@test rkhunter]# ./installer.sh
    # a new directory /usr/local/rkhunter is created; it holds the databases
    # (the MD5 digests and so on) that rkhunter compares your system against.
    # the program itself is installed as /usr/local/bin/rkhunter

That's it, the installation is complete! Very simple. We can now use the /usr/local/bin/rkhunter program to check the system.

Running the system check:

Checking the system is very simple: all you need to do is run rkhunter. The options of rkhunter are:

    [root@test root]# /usr/local/bin/rkhunter --help
    # The options used most often; run --help yourself for the full list:
    --checkall (-c)          : run all of rkhunter's checks
    --createlogfile          : write a log file, normally /var/log/rkhunter.log
    --cronjob                : run as a cron job: no colours and no keypress prompts
    --skip-application-check : skip the package version check (when you know the packages have been patched)
    --skip-keypress          : do not pause for a keypress between sections; the program runs straight through
    --quiet                  : show only problems; even less output than --report-warnings-only
    --versioncheck           : check whether a newer rkhunter version is available

So how do we start a check? Just run /usr/local/bin/rkhunter --checkall. For example:

    [root@test root]# /usr/local/bin/rkhunter --checkall
    Rootkit Hunter 1.1.8 is running
    Determining OS... Ready

    # Part 1: the binary checks, including the MD5 comparison
    Checking binaries
    * Selftests
        Strings (command)                                 [ OK ]
    * System tools
      Performing 'known good' check...
        /sbin/ifconfig                                    [ OK ]
        ...(omitted)...
        /sbin/runlevel                                    [ OK ]
    [Press <ENTER> to continue]      <- press Enter here to go on
    # The first batch checks the important system binaries, the files a rootkit
    # most often replaces, so they are checked first.

    # Part 2: known rootkits
    Check rootkits
    * Default files and directories
      Rootkit '2017 Trojan-variant'...                    [ OK ]
      ADM Worm...                                         [ OK ]
      ...(omitted)...
      Rootkit 'zarwt.kit rootkit'...                      [ OK ]
    * Suspicious files and malware
      Scanning for known rootkit strings                  [ OK ]
      ...(omitted)...
      Sniffer logs                                        [ OK ]
    [Press <ENTER> to continue]
    # The second part looks for the files and directories that common rootkit
    # packages leave behind; a hit here means a known rootkit has been installed.

    # Part 3: trojan characteristics, suspicious file properties, kernel modules, network
    * Trojan specific characteristics
      shv4
        Checking /etc/rc.d/rc.sysinit
          Test 1                                          [ Clean ]
        ...(omitted)...
        Checking /etc/xinetd.conf                         [ Clean ]
    * Suspicious file properties
      chmod properties
        Checking /bin/ps                                  [ Clean ]
        ...(omitted)...
        Checking /bin/login                               [ Clean ]
    * OS dependant tests
      Linux
        Checking loaded kernel modules...                 [ OK ]
        Checking files attributes                         [ OK ]
        Checking LKM module path                          [ OK ]
    Networking
    * Check: frequently used backdoors
      Port 2001: Scalper Rootkit                          [ OK ]
      Port 60922: zarwt.kit                               [ OK ]
    * Interfaces
      Scanning for promiscuous interfaces                 [ OK ]
    [Press <ENTER> to continue]
    # The third part is about trojans and suspicious files. Because a trojan may
    # later open a network service, the listening ports are checked here as well,
    # and so are the loaded kernel modules.

    # Part 4: system checks
    System checks
    * Allround tests
      Checking hostname... Found. Hostname is test.vbird.tw
      Checking for passwordless user accounts... OK
      Checking for differences in user accounts...        [ NA ]
      Checking for differences in user groups... Creating file It seems this is your first time.
      Checking boot.local/rc.local file...
        - /etc/rc.local                                   [ OK ]
        - /etc/rc.d/rc.local                              [ OK ]
        - /usr/local/etc/rc.local                         [ Not found ]
      ...(omitted)...
    * Filesystem checks
      Checking /dev for suspicious files...               [ OK ]
      Scanning for hidden files...                        [ OK ]
    [Press <ENTER> to continue]
    # The fourth part concerns the settings of the system and its services, which is
    # why rc.local and the accounts/groups are checked here, and /dev is checked for
    # files that do not belong there.

    # Part 5: application advisories
    Application advisories
    * Application scan
      Checking Apache2 modules ...                        [ Not found ]
      Checking Apache configuration ...                   [ OK ]
    * Application version scan
      - GnuPG 1.2.1                                       [ Vulnerable ]
      - Bind DNS                                          [ Unknown ] [ OK ]
      - OpenSSL 0.9.7a                                    [ Vulnerable ]
      - Procmail MTA 3.22                                 [ OK ]
      - OpenSSH 3.7.1p2                                   [ Unknown ]
    Security advisories
    * Check: Groups and Accounts
      Searching for /etc/passwd...                        [ Found ]
      Checking users with UID '0' (root)...               [ OK ]
    * Check: SSH
      Searching for sshd_config...
      Found /etc/ssh/sshd_config
      Checking for allowed root login...                  [ OK (Remote root login disabled) ]
      Checking for allowed protocols...                   [ OK (Only SSH2 allowed) ]
    * Check: Events and Logging
      Search for syslog configuration...                  [ OK ]
      Checking for running syslog slave...                [ OK ]
      Checking for logging to remote system...            [ OK (no remote logging) ]
    [Press <ENTER> to continue]
    # The fifth part compares the versions of some common server packages against
    # a list. It only looks at version numbers and does not test any vulnerability,
    # so the results here may be wrong, as explained under limitations above. In
    # this example, OpenSSL 0.9.7a has the official patches applied, so the hole is
    # closed, yet rkhunter still flags it.

    ---------------------------- Scan results ----------------------------
    MD5
    MD5 compared: 51
    Incorrect MD5 checksums: 0
    File scan
    Scanned files: 328
    Possible infected files: 0
    Application scan
    Vulnerable applications: 2
    Scanning took 114 seconds
    ----------------------------------------------------------------------
    # The end is a summary; it gives the overall picture of the system's state.

When rkhunter is run on a terminal it uses colours to make the output easier to read: in the listing above a green [ OK ] means no problem, and red means there is a problem! (The colours are lost in the text of this page, sorry, nothing to be done about that.) So whenever you see red text, pay special attention to it.

Also, if you do not want the program to pause for a keypress between sections, you can use:

    /usr/local/bin/rkhunter --checkall --skip-keypress

Then the program runs straight through to the end. And if you want the check to run automatically once a day, add this line to /etc/crontab:

    10 3 * * * root /usr/local/bin/rkhunter --checkall --cronjob

The check then runs automatically every day at 03:10. Since it runs under cron, there is no coloured output and no keypress prompt; that is what --cronjob is for.
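For the daily run described above it is useful to have cron send only the warnings rather than the whole transcript. The following is an added example (not from the original article or from rkhunter): a wrapper that performs the non-interactive run and a summariser that extracts the warning lines from the log. The binary and log paths, and the assumption that warnings are logged as lines starting with "Warning:", should be checked against your rkhunter version; the sample log the script can write is constructed, not real rkhunter output.

```shell
#!/bin/sh
# Added example, not part of the original article or of rkhunter: a cron
# wrapper for the non-interactive run shown above, plus a summariser that
# keeps only the warning lines of the log so the daily report stays short.
# Assumptions (adjust for your rkhunter version): the binary and log paths
# below, and that warnings are logged as lines starting with "Warning:".

RKHUNTER=/usr/local/bin/rkhunter
LOG=/var/log/rkhunter.log

# run_scan : run every check without colours or keypress prompts and write the
# log file; rkhunter's own exit status is passed through.
run_scan() {
    "$RKHUNTER" --checkall --cronjob --skip-keypress --createlogfile
}

# summarize_warnings LOGFILE : print "<N> warning(s) in LOGFILE" followed by
# the warning lines themselves. Returns 0 when N is 0, 1 otherwise, 2 if the
# log cannot be read. Suitable as the body of the mail cron sends.
summarize_warnings() {
    log=$1
    if [ ! -r "$log" ]; then
        echo "cannot read $log" >&2
        return 2
    fi
    # grep -c exits 1 when there are no matches, which is not an error here
    n=$(grep -c '^Warning:' "$log" || true)
    echo "$n warning(s) in $log"
    if [ "$n" -eq 0 ]; then
        return 0
    fi
    grep '^Warning:' "$log"
    return 1
}

# write_sample_log FILE : a constructed log (not real rkhunter output) so the
# summariser can be exercised offline.
write_sample_log() {
    cat > "$1" <<'EOF'
[03:10:01] Checking /bin/ls                                    [ OK ]
Warning: /bin/ps digest does not match the stored value
[03:10:02] Checking for hidden files and directories           [ OK ]
Warning: Hidden file found: /dev/.thefile
[03:10:03] Scanning for promiscuous interfaces                 [ OK ]
EOF
}

# In /etc/crontab the wrapper would be called with --run instead of rkhunter
# directly (hypothetical path):
#   10 3 * * * root /usr/local/sbin/rkhunter-cron.sh --run
if [ "${1:-}" = "--run" ]; then
    run_scan || true            # a warning-level exit must not stop the summary
    summarize_warnings "$LOG"
fi
```

Because cron mails whatever the job prints, the wrapper's output is the report; a non-zero exit from summarize_warnings can also drive an alert in whatever monitoring you already have.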

System Repair:

What should you do if rkhunter reports a lot of warnings after a check? You can take the approach suggested by the official FAQ:

Http://www.rootkit.nl/articles/rootkit_hunter_faq.html

Basically the official advice is the same as that of most system administrators: if the system really has been hit by a rootkit (that is, the second part of the check above raised alarms), it is best to reinstall the system from scratch. Do not imagine that a rootkit or trojan can simply be removed, because hiding is exactly what rootkits and trojans are best at! We have no idea how capable that rootkit or trojan is, so to be safe, rebuild the system. How to rebuild? In short: follow the reinstallation procedure at the end of this article, and then prove that the services on the rebuilt host are secure. As for Nessus, mentioned above, we will introduce it in the next chapter.

If, on the other hand, rkhunter raises a warning that is not caused by a rootkit or trojan, the cause is probably a user-created file or a package the system administrator has changed. For example:

  • A file matching a rootkit's known strings exists, for example /dev/.thefile. First confirm that the file or directory was not created by a rootkit (generally, if rkhunter does not also list it in the rootkit section, it is almost always just a strings match), then remove it (removing it is fine; if you are not sure, copy it somewhere else first and then remove it).
  • During the MD5 check a binary is reported with an incorrect checksum. The most likely cause is not an intrusion but an automatic system update. The author once updated syslogd on Red Hat 9 and was surprised when rkhunter reported a problem with it; it turned out that syslogd had been updated after rkhunter's database was released, so rkhunter's MD5 database still held the old digest.

    How do we solve this? First, update rkhunter's databases to the latest release. How? Run:

    [root@test root]# rkhunter --update
    Running updater...
    Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
    Using mirror http://www.rootkit.nl/rkhunter
    [DB] Mirror file                      : Update available
      Action: Database updated (current version: 2004081200, new version 2004110700)
    [DB] MD5 hashes system binaries       : Update available
      Action: Database updated (current version: 2004091000, new version 2004110900)
    [DB] Operating System information     : Update available
      Action: Database updated (current version: 2004091100, new version 2004110901)
    [DB] MD5 blacklisted tools/binaries   : Up to date
    [DB] Known good program versions      : Update available
      Action: Database updated (current version: 2004091000, new version 2004110500)
    [DB] Known bad program versions       : Update available
      Action: Database updated (current version: 2004091000, new version 2004110500)

    As shown above, the databases of version 1.1.8 have been updated to the newest ones released as of 2004/11/09. Then rerun the MD5 comparison. If that still does not solve your problem, you will have to email the author of rkhunter.

For other problems, see the FAQ referred to above. ^_^ Also, if you want to keep your rkhunter up to date, run:

    rkhunter --versioncheck

That tells you the latest rkhunter version the author has published. Very simple!

 

I am using Debian Linux and installed it with apt.

Any post with a deb source, or a Google search for a Debian rkhunter deb, will also find it:

deb http://falcon.landure.fr sarge security
deb-src http://falcon.landure.fr sarge security
 

The reinstallation procedure referred to under System Repair, step by step:

  1. Disconnect the compromised host from the network;
  2. Back up your data. Ideally make two copies: one of the entire system (the more complete the better, including binaries and log files), and one of just the important data files;
  3. Check the data from the previous step (the important-data part) for anything strange (this can take a lot of time);
  4. Reinstall a complete system, which includes:
    • installing only the packages the host's services actually require;
    • configuring the firewall before the host goes online;
    • applying updates with the apt/yum tools;
    • confirming with rkhunter/Nessus that the fresh system is clean.
  5. Move the important data onto the freshly installed system and bring the original services back up;
  6. Check again with rkhunter/Nessus that the system is clean and that the firewall is in place;
  7. Finally, go through the full backup, especially the log files, to find out how the cracker got in: through which service, at what time, from which client IP address. Use that information to work out countermeasures, and apply them to the running machine.
