A so-called rootkit is a tool that intruders often use. Such tools are usually well hidden from the user; through them the intruder sets up a way to get back into the system at any time, or to control it in real time. For this reason we use the free software chkrootkit to build an intrusion detection setup and confirm that no rootkit has been installed on the system.

To detect an installed rootkit, chkrootkit relies on a number of commands from the operating system itself. An intruder who knows that chkrootkit is in use may modify those system commands so that chkrootkit can no longer detect the rootkit; the intruder then keeps control of the system even though chkrootkit is installed, and the detection setup becomes meaningless. Therefore, install chkrootkit right after the operating system has been installed, before the server is opened to the network. Also, before opening the server, back up the system commands that chkrootkit uses, so that when necessary (for example, when a system command is suspected of having been modified) chkrootkit can be run with the original, backed-up commands.

Installing chkrootkit

First, download and install the chkrootkit tool.

[root@localhost ~]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz ← download chkrootkit
--03:05:31-- ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
=> `chkrootkit.tar.gz'
Resolving ftp.pangeia.com.br... 200.239.53.35
Connecting to ftp.pangeia.com.br|200.239.53.35|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD /pub/seg/pac ... done.
==> PASV ... done. ==> RETR chkrootkit.tar.gz ... done.
Length: 37,140 (36K) (unauthoritative)
100%[========================================>] 37,140 5.67K/s ETA 00:00
03:05:46 (5.30 KB/s) - `chkrootkit.tar.gz' saved [37140]

[root@localhost ~]# tar zxvf chkrootkit.tar.gz ← expand the compressed source
[root@localhost ~]# cd chkrootkit* ← enter the chkrootkit source directory
[root@localhost chkrootkit-0.46a]# make sense ← compile
[root@localhost chkrootkit-0.46a]# cd .. ← back to the parent directory
[root@localhost ~]# cp -r chkrootkit-* /usr/local/chkrootkit ← copy the compiled directory to its installation location
[root@localhost ~]# rm -rf chkrootkit* ← delete the leftover source directory and archive

Testing chkrootkit

Next, check that chkrootkit runs properly.

[root@localhost ~]# cd /usr/local/chkrootkit ← enter the chkrootkit installation directory
[root@localhost chkrootkit]# ./chkrootkit | grep INFECTED ← test run of chkrootkit

Wait a moment. If the word "INFECTED" does not appear and the command prompt simply returns, everything is OK.

[root@localhost chkrootkit]# cd ← return to the root user's home directory

Automating the monitoring with chkrootkit

Write a shell script to automate the chkrootkit check. If a rootkit is found, the script mails a notification to the root user; the full run results are sent to syslog and so saved in the /var/log/messages file.

[root@localhost ~]# vi chkrootkit ← create the script that runs chkrootkit automatically

#!/bin/bash

PATH=/usr/bin:/bin

TMPLOG=`mktemp`

# Run chkrootkit
/usr/local/chkrootkit/chkrootkit > $TMPLOG

# Send the output to syslog (it ends up in /var/log/messages)
cat $TMPLOG | logger -t chkrootkit

# Prevent a false "bindshell" detection on the SMTPS port (465):
# if the report mentions port 465 but nothing matching "bindshell" is
# actually listening there, drop those lines from the report
if [ ! -z "$(grep 465 $TMPLOG)" ] && \
   [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
        sed -i '/465/d' $TMPLOG
fi

# If a rootkit has been found, mail root
[ ! -z "$(grep INFECTED $TMPLOG)" ] && \
        grep INFECTED $TMPLOG | mail -s "chkrootkit report in `hostname`" root

rm -f $TMPLOG

[root@localhost ~]# chmod 700 chkrootkit ← give the script execute permission for root
[root@localhost ~]# mv chkrootkit /etc/cron.daily/ ← move the script into the directory whose contents are run automatically every day

Backing up the system commands that chkrootkit uses

As described in the preface, if an intruder modifies the system commands that chkrootkit relies on, rootkit monitoring with chkrootkit will fail. Therefore, back up those system commands in advance and, when needed, have chkrootkit detect the rootkit using the original, backed-up commands.

For example, suppose a backup of the commands has been uploaded to the root user's home directory as follows:

[root@localhost ~]# tar zxvf /root/commands.tar.gz ← unpack the command backup
[root@localhost ~]# /usr/local/chkrootkit/chkrootkit -p /root/commands | grep INFECTED ← run chkrootkit using the backed-up commands

After the run, remove the leftover unpacked files.
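The post does not show how the command backup is produced or how to tell that the live commands have since been altered. The following script is an added example, not part of the original post: it snapshots the external commands chkrootkit relies on into /root/commands (the path used above), records their SHA-256 hashes, and later reports any live binary that is missing or no longer matches, in which case chkrootkit is run with "-p /root/commands". The list of commands in CHK_CMDS is assumed from the chkrootkit README and should be checked against your version.

```shell
#!/bin/bash
# Added example, not part of the original post. Snapshot the external
# commands chkrootkit relies on right after installation, record their
# SHA-256 hashes, and later compare the live binaries against the snapshot
# before trusting a chkrootkit run (use "chkrootkit -p DIR" if any differ).

# Command list assumed from the chkrootkit README; check it against your version.
CHK_CMDS="awk cut echo egrep find head id ls netstat ps strings sed uname"

# backup_commands DIR: copy each command found in PATH into DIR and record
# its original path and hash in DIR/SHA256SUMS. Prints the number copied.
backup_commands() {
    dir="$1"; n=0
    mkdir -p "$dir" || return 1
    : > "$dir/SHA256SUMS"
    for c in $CHK_CMDS; do
        src=$(command -v "$c" 2>/dev/null) || continue
        case "$src" in /*) ;; *) continue ;; esac    # skip shell builtins
        cp -p "$src" "$dir/$c" || continue
        printf '%s  %s\n' "$(sha256sum < "$src" | cut -d' ' -f1)" "$src" \
            >> "$dir/SHA256SUMS"
        n=$((n + 1))
    done
    echo "$n"
}

# verify_commands DIR: re-hash every live binary listed in DIR/SHA256SUMS and
# print each one that is missing or no longer matches the snapshot.
# Returns 0 when everything matches, 1 otherwise.
verify_commands() {
    dir="$1"; bad=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        now=$(sha256sum < "$path" | cut -d' ' -f1)
        [ "$now" = "$sum" ] || { echo "CHANGED $path"; bad=1; }
    done < "$dir/SHA256SUMS"
    return $bad
}

# Usage: ./cmdsnap.sh backup   (once, before the server goes online)
#        ./cmdsnap.sh verify   (before each scan; on mismatch, scan with -p)
case "${1:-}" in
    backup) backup_commands /root/commands ;;
    verify) verify_commands /root/commands || \
            /usr/local/chkrootkit/chkrootkit -p /root/commands | grep INFECTED ;;
esac
```

The hashing itself still runs the live sha256sum and cut, so a mismatch report is trustworthy only to the extent those two are; keep the snapshot and its SHA256SUMS file on read-only or offline media rather than only in /root.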