Backdoor Detection Tool Rkhunter
Rkhunter's main function is detecting rootkits:
MD5 check test, check the file for changes
Detecting binary and system tool files used by rootkits
Detect the signature of a Trojan horse program
Detects if the file attributes of a common program are abnormal
Testing system-related tests
Detecting hidden files
Detection of suspicious kernel modules (LKM)
Detecting the listening ports that the system has started
Rkhunter Download: wget https://sourceforge.net/projects/
Rkhunter is a professional tool for detecting whether a system is infected with rootkits: Rkhunter-1.4.2.tar.gz
Install directly after decompression:
# ./installer.sh --layout default --install
# rkhunter --help
# rkhunter -c
-c, --check    Check the local system
The detailed log of the test results is retained by default at: /var/log/rkhunter.log
Skip input Enter, auto run #
We know that to obtain all permissions on a host machine, we need to obtain the privileges of its super administrator, root! As a result, hackers generally want to gain root privileges by whatever method they can. So how can they get root privileges? The simplest method is to use one of the rootkit tool programs circulating on the network to launch an intrusion.
Because rootkit tools are easy to obtain, the host machines of ordinary users will n
compromised, you can upload the backup to any path on the server, then, use the "-p" parameter of the chkrootkit command to specify this path for detection.
III. Rootkit backdoor detection tool RKHunter
RKHunter is a professional tool for detecting whether the system is infected with a rootkit. It runs a series of scripts to check whether the server is infected with a rootkit. In official documents,
connectivity, find IP addresses with too many connections, and so on.
5. Iftop
Monitors real-time network traffic on TCP connections; it can analyze and sort the traffic flow to find the IP addresses with traffic anomalies.
6. Nethogs
Monitors the network traffic used by each process and sorts it from high to low, to help find the process with traffic anomalies.
7. Strace
Traces the system calls performed by a process, to analyze the operation of a Trojan.
8. Strings
Outputs the printable strings in a file that
Linux Rootkit detection method based on memory analysis
0x00 Introduction
A Linux server finds an exception. For example, it is determined that a Rootkit has been implanted, but the routine Rootkit detection methods used by O&M personnel are ineffective. What else can we do in this situation?
Figure 1 Linux Server implanted with Rootkit
Figure 2 General process of system command execution in Linux
0x01 Rootkit implementation and detection methods
Generally, Rootkit can be detected in the following wa
All HTML files with hidden links cannot be seen by ls.
Use ls -al with the absolute path; the files can then be viewed but cannot be deleted.
The uid and gid of these hidden chains a
caused by executing it. Update your virus definitions regularly to provide the most comprehensive protection.
Start ClamAV
ClamTk: GUI of your anti-virus application
If you do not like working from a terminal, you can choose to install a GUI named ClamTk for ClamAV. This GUI can be easily installed using the Add/Remove Applications tool in Ubuntu. After the installation is complete, click Applications > System Tools > Virus plugin to run it.
Rkhunter official website: http://www.rootkit.nl/projects/rootkit_hunter.html
Rkhunter is a professional tool for detecting whether a system is infected with rootkits; it uses scripts to confirm whether the system is infected with a rootkit. The functions Rkhunter can achieve:
"1" MD5 verification test, check whether the file has been changed
"2" detects binary and system tool files used by rootkits
"3" detects the signature of a Trojan horse program
"4" detection syst
Among the official sources, Rootkit Hunter can do things such as detecting rootkit programs, detecting backdoor programs, and checking host-side suite issues.
Official Downloads:
Project: http://www.rootkit.nl/projects/rootkit_hunter.html
Download: http://downloads.sourceforge.net/rkhunter/rkhunter-1.4.2.tar.gz?use_mirror=jaist
Decompression Installation:
Extract # tar -zxvf
original system commands of the backup to allow Chkrootkit to detect the rootkit when needed.
2. Rootkit Backdoor Detection Tool Rkhunter
Rkhunter is a professional tool for detecting whether a system is infected with rootkits; it executes a series of scripts to confirm whether the server is infected with a rootkit. In the official information, Rkhunter can do things such as: MD5 c
Basic preparation -- command tamper-proofing and command logging
Many hackers who invade an operating system will do two common operations: unset history and replace command files (or the corresponding link library files). For these two points, record a shell log, and check whether the link library files and command files have changed recently.
Rootkithunter
# install
$ sudo wget https://jaist.dl.sourceforge.net/project/rkhunter/
program to control your computer, so your computer is living under the control of others, but usually you will not notice, unless your computer becomes a member of the network and is used to attack others, or hackers borrow your computer to do something that makes it slow or behave abnormally, so that you have a chance to find out. If you want early detection and early treatment, you should regularly use a rootkit check program to scan! On Ubuntu, as far as spring trade knows,
After updating the virus definitions, you can start ClamAV. To manually scan your home folder, go to the terminal prompt and enter clamscan. After the clamscan command completes, you will see a report about how many director
/rcx.d/ Invalid link
3. Kill the process and delete the executable file
killall EZYMIVAVHQ
rm -f /usr/bin/EZYMIVAVHQ
After a few minutes the inspection found the system back to normal.
Install Rkhunter to inspect the system: https://sourceforge.net/projects/rkhunter/
tar -xf rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2
sh installer.sh --install
To
chkrootkit | grep infected
! User 24306 pts/0 grep infected
Find the specified TTY process: ps aux | grep pts/0
Rkhunter
rkhunter --check detection. If there is a red warning message, please check carefully whether you have already been compromised.
View generated logs: cat /var/log/rkhunter.log | grep Warning
Technology sharing
Automatically send reports
Detect and send notification messages at 5 o'clock every day
crontab -e
* 5 * * * /usr/local/rkhunter
Thanks to Liu shipping in practice
First, I would like to introduce this one-year-old hacker, who is expected to become a non-mainstream brain hacker after the 90s.
I have waited for four months for article 9, which is of the quality .. Promise not to despise him .. We can never find the poor cool-Performance of MM...
Recently I have followed the rootkit in Linux. In Linux, rk is divided into application layer and kernel layer. Er, I simply read rkhun
logical NOT operator (!) to add this alias.
tecmint ALL=(ALL) ALL,!NOPERMIT
If a group (such as debian) is allowed to run some root-permission commands, such as adding or deleting users:
Cmnd_Alias PERMIT = /usr/sbin/useradd, /usr/sbin/userdel
Then, add the permissions to the debian group (group names are prefixed with % in sudoers):
%debian ALL=(ALL) PERMIT
23. Install and enable SELinux
SELinux stands for Security-Enhanced Linux, which is a kernel-level security module.
# yum install selinux-policy
Install SElinux poli