Security O & M: Use of Linux backdoor intrusion detection tools

Source: Internet
Author: User

I. Introduction to rootkit

A rootkit is the most common kind of backdoor on Linux. It works mainly by replacing system files, both to get in and to stay hidden. It is more dangerous and better concealed than an ordinary backdoor, and it is hard to find with common detection tools and methods. A rootkit is a set of tools that open a backdoor and cover the intruder's tracks, so that the attacker keeps their foothold and can log on to the system as root at any time.

There are two main types of rootkit, file-level and kernel-level. Each is introduced briefly below.


1. File-level rootkit

A file-level rootkit is typically installed after an attacker has entered the system through a vulnerability in a program or in the system itself; it then modifies important system files to hide itself. Legitimate binaries are replaced by trojanized versions that look and behave like the originals on the surface, while a hidden backdoor runs inside. The system programs most often replaced are login, ls, ps, ifconfig, du, find and netstat.

Of these, login is replaced most often, because /bin/login runs for every classic console or telnet login and is the program that collects and checks the account name and password. A rootkit takes advantage of this by replacing /bin/login with a version that accepts a built-in password and grants a root shell; the attacker then gets in simply by entering that password. Changing or even clearing the real root password does not help, because the backdoor password is separate. (OpenSSH does not normally go through /bin/login, so for SSH logins the equivalent target is the sshd binary or a PAM module.)

Once inside, attackers usually carry out further attacks. The most common is installing a sniffer to collect sensitive data from the local host or from other servers on the network. Some standard tools would reveal this activity; ifconfig, for instance, shows when an interface is in promiscuous mode, which a sniffer needs. So attackers replace those tools too, typically ls, ps, ifconfig, du, find and netstat, so that the sniffer's files, processes and connections do not show up. Once these files are replaced it is very hard to tell from the host itself that a rootkit is running.

That is the file-level rootkit, and it causes a great deal of trouble for system maintenance. The most effective defense at present is to check the integrity of important system files regularly: if a file turns out to have been modified or replaced, the system may have suffered a rootkit intrusion. There are many integrity-checking tools, such as Tripwire and AIDE; running them on a schedule detects this kind of intrusion. On RPM-based systems, rpm -Va compares installed files against the package database and serves as a quick first pass, but the rpm binary and its database can themselves be tampered with, so a baseline kept off the host is more trustworthy.
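The check that Tripwire and AIDE automate can be shown in a few lines of shell. The script below is an added example, not code from the article or from either tool: it records a SHA-256 digest plus mode, owner and group for every regular file under a directory, and later reports what was modified, added or removed. Directory and manifest paths are placeholders; on a real host you would baseline /bin, /sbin and /usr/bin right after installation and keep the manifest somewhere the host cannot reach.

```shell
#!/bin/sh
# Added example, not code from the article or from Tripwire/AIDE.
# Minimal file-integrity baseline: SHA-256 digest plus mode/uid/gid per file.
# Requires GNU coreutils (sha256sum, stat -c) as found on CentOS.

# make_baseline DIR MANIFEST
# Write one tab-separated line per regular file under DIR:
#   <sha256>TAB<mode uid gid>TAB<path>
make_baseline() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        meta=$(stat -c '%a %u %g' "$f")
        printf '%s\t%s\t%s\n' "$sum" "$meta" "$f"
    done > "$2"
}

# check_baseline DIR MANIFEST
# Rebuild the manifest for DIR and compare it with MANIFEST. Prints one line
# per difference (MODIFIED, ADDED or REMOVED, a tab, then the path) and
# returns 1 if any difference was found, 0 if the directory is clean.
# A changed mode (say, a new setuid bit) counts as MODIFIED even when the
# content is untouched.
check_baseline() {
    now=$(mktemp)
    make_baseline "$1" "$now"
    diffs=$(awk -F'\t' -v base="$2" '
        FILENAME == base { old[$3] = $1 " " $2; next }
        {
            seen[$3] = 1
            if (!($3 in old))              print "ADDED\t" $3
            else if (old[$3] != $1 " " $2) print "MODIFIED\t" $3
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED\t" p }
    ' "$2" "$now")
    rm -f "$now"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Self-contained demonstration on constructed files (run: sh thisfile demo).
demo() {
    d=$(mktemp -d)
    printf 'original ls\n' > "$d/ls"
    printf 'original ps\n' > "$d/ps"
    make_baseline "$d" "$d.manifest"        # taken while the tree is clean
    printf 'trojaned ls\n' > "$d/ls"        # content replaced
    chmod 4755 "$d/ps"                      # setuid bit added, content unchanged
    printf 'sniffer log\n' > "$d/.tcp"      # new hidden file
    check_baseline "$d" "$d.manifest"       # reports MODIFIED ls, MODIFIED ps, ADDED .tcp
    rm -rf "$d" "$d.manifest"
}

# Typical use (placeholder paths):
#   make_baseline /usr/bin /root/usr-bin.manifest    # on a freshly installed host
#   check_baseline /usr/bin /root/usr-bin.manifest   # periodically, from cron
[ "${1:-}" = demo ] && demo
```

The manifest is only as good as the tree was when it was taken, and the sha256sum, stat, find and awk binaries used to verify it are themselves candidates for replacement; run the check from a rescue boot or with trusted copies of those tools when the host is in doubt.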


2. Kernel-level rootkit

A kernel-level rootkit is a more advanced intrusion method than the file-level rootkit, and it gives the attacker full control over the underlying system. The attacker modifies the running kernel so that it intercepts the system calls programs make and redirects them to code the intruder chose. That is, when a user runs program A, the modified kernel appears to execute A but actually executes program B.

A kernel-level rootkit attaches to the kernel itself, as a loadable module or by patching kernel memory, and need not modify any file on disk, so file-based detection tools cannot see it. Once a rootkit is implanted in the kernel, the attacker can do whatever they want without being discovered. There is still no good general-purpose defense tool against kernel-level rootkits; detection has to compare what the kernel reports through one interface with what it reports through another, or examine kernel memory from outside the running system. Preventive hardening and least privilege are therefore the most important measures: as long as attackers cannot obtain root (in particular the ability to load kernel modules or write kernel memory), they cannot embed a rootkit in the kernel.
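One way to look for a kernel-level rootkit without trusting a single interface is a cross-view comparison. The script below is an added example, not from the article or from rkhunter: it lists the loadable modules the kernel exposes under /sys/module and flags any that are missing from /proc/modules, the list lsmod prints. It assumes that a loadable module that finished loading has an initstate file in its sysfs directory while built-in kernel code does not; the two paths are parameters so the function can be exercised on constructed fixtures as well as on a live host.

```shell
#!/bin/sh
# Added example, not code from the article or from rkhunter/chkrootkit.
# Cross-view check for hidden loadable kernel modules. The kernel exports
# the loaded-module list in two places: /proc/modules (what lsmod reads)
# and one directory per module under /sys/module. A module that unlinks
# itself from the in-kernel module list vanishes from the former but, unless
# its author also cleaned up sysfs, keeps its directory in the latter.
# Assumption: a loadable module that finished loading has an "initstate"
# file in /sys/module/<name>/, while code built into the kernel has a
# directory there without one.

# hidden_modules PROC_MODULES SYS_MODULE
# Print the name of every module that has a sysfs entry but no line in
# PROC_MODULES. Returns 1 if any such module was found, 0 otherwise.
# On a live host: hidden_modules /proc/modules /sys/module
hidden_modules() {
    found=0
    for d in "$2"/*/; do
        [ -f "${d}initstate" ] || continue        # skip built-in kernel code
        name=$(basename "$d")
        # first field of each /proc/modules line is the module name
        if ! awk -v n="$name" '$1 == n { hit = 1 } END { exit hit ? 0 : 1 }' "$1"; then
            echo "$name"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Self-contained demonstration on a constructed fixture (run: sh thisfile demo).
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/sys/ext4" "$t/sys/evil_lkm" "$t/sys/builtin_code"
    echo live > "$t/sys/ext4/initstate"
    echo live > "$t/sys/evil_lkm/initstate"          # loaded, but hidden from lsmod
    printf 'ext4 700000 1 - Live 0xffffffffc0000000\n' > "$t/proc_modules"
    hidden_modules "$t/proc_modules" "$t/sys" || echo "candidate(s) above need a look"
    rm -rf "$t"
}
[ "${1:-}" = demo ] && demo
```

Treat a hit as a lead, not proof: a rootkit that also removes its sysfs directory, or that hooks the reads this script performs, passes the check, which is why the article's point about preventing root compromise in the first place matters more than any after-the-fact scan.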


II. Rootkit backdoor detection tool chkrootkit

chkrootkit is a tool for searching for and detecting rootkit backdoors on Linux. Its official site is http://www.chkrootkit.org/. chkrootkit is not in the official CentOS repositories, so it must be compiled and installed by hand; this also lets you check the source you build from. The installation steps are described below.

1. Prepare the gcc compiling environment

To install the gcc build environment on CentOS, run the following three commands:

[root@server ~]# yum -y install gcc
[root@server ~]# yum -y install gcc-c++
[root@server ~]# yum -y install make

2. Install chkrootkit

For safety, download the chkrootkit source code from the official website and install it as follows:

[root@server ~]# tar zxvf chkrootkit.tar.gz
[root@server ~]# cd chkrootkit-*
[root@server ~]# make sense

# Note: the compile target really is "make sense"; it is not a typo.

[root@server ~]# cd ..
[root@server ~]# cp -r chkrootkit-* /usr/local/chkrootkit
[root@server ~]# rm -rf chkrootkit-*

3. Use chkrootkit

The installed chkrootkit program is located in the /usr/local/chkrootkit directory. Run the following command to display its detailed usage:

[root@server ~]# /usr/local/chkrootkit/chkrootkit -h

The meanings of each chkrootkit parameter are as follows.


Parameter description

-h: display help information

-V: display version information

-l: list the tests that will be run

-d: debug mode, shows the commands run during detection

-q: quiet mode, shows only problematic results

-x: expert mode, shows all detection output

-r dir: use the specified directory as the root directory (for example a mounted disk from another host)

-p dir1:dir2:dirN: use the system commands in these directories for chkrootkit's own checks, instead of the ones on the PATH

-n: skip directories mounted over NFS

chkrootkit is easy to use: run the chkrootkit command with no arguments and it checks the system automatically. The following is the (abbreviated) result on one system:

[root@server chkrootkit]# /usr/local/chkrootkit/chkrootkit
Checking `ifconfig'... INFECTED
Checking `ls'... INFECTED
Checking `login'... INFECTED
Checking `netstat'... INFECTED
Checking `ps'... INFECTED
Checking `top'... INFECTED
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `telnetd'... not found

The output shows that the system's ifconfig, ls, login, netstat, ps and top commands have been infected. Before acting on an INFECTED result, confirm it with an independent check (package verification run from trusted binaries, or a comparison against an off-host baseline), because chkrootkit is known to produce false positives on some distributions. For a system that really has been infected with a rootkit, the safest and most effective response is to back up the data, reinstall the system from trusted media, and restore only the data, not binaries or configuration files.

4. disadvantages of chkrootkit

chkrootkit relies on several system commands while it checks for rootkits. If the server has been compromised, the very commands it depends on may already have been replaced by the intruder, and in that case chkrootkit's results cannot be trusted at all. To guard against this, back up the system commands chkrootkit uses before the server goes online, and when needed let chkrootkit run against the original, backed-up copies. The following commands do this:

[root@server ~]# mkdir /usr/share/.commands
[root@server ~]# cp `which --skip-alias awk cut echo find egrep id head ls netstat ps strings sed uname` /usr/share/.commands
[root@server ~]# /usr/local/chkrootkit/chkrootkit -p /usr/share/.commands/
[root@server ~]# cd /usr/share/
[root@server share]# tar zcvf commands.tar.gz .commands
# Copy commands.tar.gz off the server to a safe place before deleting it.
[root@server share]# rm -rf commands.tar.gz

The commands above create a hidden directory, .commands, under /usr/share and copy the system commands chkrootkit uses into it. For safety, pack the .commands directory into an archive and download it to a safe place as a backup. If the server is later compromised, upload the backup to any path on the server and point chkrootkit at that path with the -p option. The copies are only as trustworthy as the system was when they were made, so take them from a freshly installed host and keep their checksums with the archive, so that the backup itself can be verified before it is used.


III. Rootkit backdoor detection tool RKHunter

RKHunter (Rootkit Hunter) is a dedicated tool for detecting whether a system has been infected with a rootkit. It runs a series of scripted checks against the server. According to its documentation, RKHunter can:

compare file hashes (MD5 and others) to check whether files have changed

detect the binaries and system tool files that rootkits use

detect trojan horse program signatures

check whether the file properties of common programs are abnormal

run system-related checks

detect hidden files

look for suspicious loadable kernel modules (LKM)

check the ports the system is listening on


The following describes how to install and use RKHunter.


1. Install RKHunter

RKHunter is distributed from its SourceForge project (rkhunter.sourceforge.net). The installation process is as follows:

[root@server ~]# ls
rkhunter-1.4.0.tar.gz
[root@server ~]# pwd
/root
[root@server ~]# tar -zxvf rkhunter-1.4.0.tar.gz
[root@server ~]# cd rkhunter-1.4.0
[root@server rkhunter-1.4.0]# ./installer.sh --layout default --install

This uses RKHunter's default layout: the rkhunter command is installed in /usr/local/bin, its configuration in /etc/rkhunter.conf, and its databases under /var/lib/rkhunter.


2. Use the rkhunter command

The rkhunter command takes many options but is simple to use; running rkhunter without arguments prints its usage. Several common options are described below.

[root@server ~]# /usr/local/bin/rkhunter --help

Common Rkhunter parameters and their meanings are as follows.

Parameter description

-c, --check: check the local system (the normal mode of operation)

--configfile <file>: use the specified configuration file

--cronjob: run as a cron job (no colours, no keypress prompts)

--sk, --skip-keypress: run all checks without stopping for keyboard input

--summary: show the summary of the check results

--update: update the data files used by the checks

-V, --version: show version information

--versioncheck: check whether a newer version of rkhunter is available

One option that is not in this list but matters in practice is --propupd: after you legitimately update packages, run rkhunter --propupd so that the stored file properties reflect the new binaries; otherwise the next check reports those files as changed.

The following is an example of checking a system with rkhunter, with a comment added before each section:

[root@server rkhunter-1.4.0]# /usr/local/bin/rkhunter -c
[ Rootkit Hunter version 1.4.0 ]

# Part 1: system command checks. These examine the system's binaries, which are the
# files most often replaced by a rootkit. "OK" means normal, "Warning" means something
# needs attention, and "Not found" means the item does not exist on this system.
Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ Warning ]
    /usr/local/bin/rkhunter                                  [ OK ]
    /sbin/chkconfig                                          [ OK ]
    ... (omitted) ...

[Press <ENTER> to continue]

# Part 2: checks for known rootkits. "Not found" means that rootkit's files are not present.
Checking for rootkits...

  Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                 [ Not found ]
    ADM Worm                                                 [ Not found ]
    AjaKit Rootkit                                           [ Not found ]
    Adore Rootkit                                            [ Not found ]
    aPa Kit                                                  [ Not found ]
    Apache Worm                                              [ Not found ]
    Ambient (ark) Rootkit                                    [ Not found ]
    Balaur Rootkit                                           [ Not found ]
    BeastKit Rootkit                                         [ Not found ]
    beX2 Rootkit                                             [ Not found ]
    BOBKit Rootkit                                           [ Not found ]
    ... (omitted) ...

[Press <ENTER> to continue]

# Part 3: additional and malware checks: possible rootkit files and strings, malware,
# and the loaded kernel modules.
  Performing additional rootkit checks
    Suckit Rootkit additional checks                         [ OK ]
    Checking for possible rootkit files and directories      [ None found ]
    Checking for possible rootkit strings                    [ None found ]

  Performing malware checks
    Checking running processes for suspicious files          [ None found ]
    Checking for login backdoors                             [ None found ]
    Checking for suspicious directories                      [ None found ]
    Checking for sniffer log files                           [ None found ]

  Performing Linux specific checks
    Checking loaded kernel modules                           [ OK ]
    Checking kernel module names                             [ OK ]

[Press <ENTER> to continue]

# Part 4: the network (ports and interfaces) and the local host (startup files,
# users and groups, SSH configuration, file system, and so on).
Checking the network...

  Performing checks on the network ports
    Checking for backdoor ports                              [ None found ]

  Performing checks on the network interfaces
    Checking for promiscuous interfaces                      [ None found ]

Checking the local host...

  Performing system boot checks
    Checking for local host name                             [ Found ]
    Checking for system startup files                        [ Found ]
    Checking system startup files for malware                [ None found ]

  Performing group and account checks
    Checking for passwd file                                 [ Found ]
    Checking for root equivalent (UID 0) accounts            [ None found ]
    Checking for passwordless accounts                       [ None found ]
    ... (omitted) ...

[Press <ENTER> to continue]

# Part 5: application version checks.
Checking application versions...

    Checking version of GnuPG                                [ OK ]
    Checking version of OpenSSL                              [ Warning ]
    Checking version of OpenSSH                              [ OK ]

# Part 6: the summary. It condenses the sections above into a quick picture of the
# server's state.
System checks summary
=====================

File properties checks...
    Required commands check failed
    Files checked: 137
    Suspect files: 4

Rootkit checks...
    Rootkits checked : 311
    Possible rootkits: 0

Applications checks...
    Applications checked: 3
    Suspect applications: 1

The system checks took: 6 minutes and 41 seconds

The biggest advantage of running rkhunter interactively is that each result is colour-coded: green means OK, red means something needs attention. rkhunter also pauses for Enter after each section; to let it run straight through without keypresses, use:

[root@server ~]# /usr/local/bin/rkhunter --check --skip-keypress

If you want the check to run automatically every day, add the following line to /etc/crontab:

30 09 * * * root /usr/local/bin/rkhunter --check --cronjob

This way the rkhunter check runs at 09:30 every day. Under cron the colours are gone and nobody is watching the output, so mail the result or write it to a log you actually review, and decide in advance what counts as an alert.
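The chkrootkit output shown earlier and the daily rkhunter run both produce text that nobody reads unless something flags it. The following shell functions are an added example, not part of the article or of either tool: one extracts the INFECTED entries from a chkrootkit report, the other reads the counters in rkhunter's closing summary, and both return a non-zero status when there is something to look at, so a cron line can mail the report only on a hit. The sample reports the script writes are constructed to match the shape shown in this article, and the log paths and mail command in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not code from the article or from chkrootkit/rkhunter.
# Helpers for unattended runs: extract what matters from the tools' output
# so a cron job can stay silent on clean runs and alert on anything else.

# chkrootkit_infected REPORT
# Print the names of the binaries chkrootkit reported as INFECTED, one per
# line, and return 1 if there were any. Report lines look like
#   Checking `ls'... INFECTED
# The two single dots around the capture group stand for the backtick and
# the apostrophe; that keeps the sed expression free of shell quoting trouble.
# "not infected" is lower case and so does not match.
chkrootkit_infected() {
    infected=$(sed -n 's/^Checking .\(.*\).\.\.\. INFECTED$/\1/p' "$1")
    [ -z "$infected" ] && return 0
    printf '%s\n' "$infected"
    return 1
}

# rkhunter_summary_alarm REPORT
# Read the "System checks summary" at the end of an rkhunter report, print
# the three counters on one line, and return 1 if any of them is non-zero.
# A missing counter is treated as 0.
rkhunter_summary_alarm() {
    awk '
        /Suspect files:/        { sf = $NF }
        /Possible rootkits:/    { pr = $NF }
        /Suspect applications:/ { sa = $NF }
        END {
            printf "suspect_files=%d possible_rootkits=%d suspect_apps=%d\n", sf, pr, sa
            exit (sf + pr + sa > 0) ? 1 : 0
        }' "$1"
}

# write_samples DIR
# Constructed sample reports (not real scan output) used to exercise the two
# functions above; the counts mirror the figures shown in the article.
write_samples() {
    cat > "$1/chkrootkit.log" <<'EOF'
Checking `ifconfig'... INFECTED
Checking `ls'... INFECTED
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `telnetd'... not found
EOF
    cat > "$1/rkhunter.log" <<'EOF'
System checks summary
=====================

File properties checks...
    Files checked: 137
    Suspect files: 4

Rootkit checks...
    Rootkits checked : 311
    Possible rootkits: 0

Applications checks...
    Applications checked: 3
    Suspect applications: 1
EOF
}

# Self-contained demonstration on the constructed samples (run: sh thisfile demo).
demo() {
    t=$(mktemp -d)
    write_samples "$t"
    chkrootkit_infected "$t/chkrootkit.log" || echo "chkrootkit: INFECTED binaries listed above"
    rkhunter_summary_alarm "$t/rkhunter.log" || echo "rkhunter: suspect items, read the report"
    rm -rf "$t"
}
[ "${1:-}" = demo ] && demo

# Example cron driver (placeholder paths). Both functions return 1 on a hit,
# so "|| mail ..." sends a message only when there is something to read:
#   /usr/local/chkrootkit/chkrootkit -p /usr/share/.commands > /var/log/chkrootkit.log 2>&1
#   chkrootkit_infected /var/log/chkrootkit.log || mail -s "chkrootkit: INFECTED" root < /var/log/chkrootkit.log
#   /usr/local/bin/rkhunter --check --cronjob > /var/log/rkhunter-daily.log 2>&1
#   rkhunter_summary_alarm /var/log/rkhunter-daily.log || mail -s "rkhunter: suspect items" root < /var/log/rkhunter-daily.log
```

Both parsers are tied to the wording their tool prints today; a new release that rewords a line needs the expressions updated, so keep the constructed samples as a regression test. rkhunter also keeps its own log (/var/log/rkhunter.log by default), which carries the same summary if the cron output is lost.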

Note: the content of this page comes from the Internet and does not represent Alibaba Cloud's opinion; the products and services mentioned on it have no relationship with Alibaba Cloud.
