rkhunter

Last updated: 2017-09-26

rkhunter - Rootkit Hunter

Install:

apt-get install rkhunter

Check Version

rkhunter -V

Rootkit Hunter 1.4.2

Usage:

rkhunter --update

rkhunter --checkall

Checking binaries

  • /bin/*
  • /sbin/*
  • /usr/bin/*
  • /usr/sbin/*

Configuration files

/etc/rkhunter.conf

/etc/rkhunter.conf.local

-C, --config-check

use rootkits

--update         # to check if there is a later version of any of its text data files.

[ Rootkit Hunter version 1.4.2 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
.........

-c, --check      # tells rkhunter to perform various checks

.........

System checks summary
=====================

File properties checks...
    Required commands check failed
    Files checked: 131
    Suspect files: 4

Rootkit checks...
    Rootkits checked : 378
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 1 minute and 20 seconds

All results have been written to the log file: /var/log/rkhunter/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)

Log file

/var/log/rkhunter/rkhunter.log


unhide

How it works

  • Compare the process list reported by the ps program with the entries in the /proc filesystem
  • Compare the sockets reported by the netstat program with the entries in /proc

Usage:

unhide-linux26 proc
unhide-linux26 sys
unhide-linux26 brute

unhide-tcp
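The ps-versus-/proc comparison described above, written out as a small POSIX shell script. This is an added example, not code from unhide or rkhunter; the function names are my own, and it assumes a Linux host with /proc mounted and a ps that supports -o pid=.

```shell
#!/bin/sh
# Added example, not code from unhide or rkhunter: a minimal version of the
# ps-versus-/proc comparison that unhide's "proc" mode performs.
# A userland rootkit (a trojaned ps, a hooked libc) can filter its own
# processes out of ps output, but they still exist as /proc/<pid> entries.

# Kernel's view: numeric directory names under /proc.
list_proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue
        echo "${d#/proc/}"
    done
}

# Userland view: every PID that ps is willing to report.
list_ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# compare_pid_lists PROC_PIDS PS_PIDS
# Both arguments are newline-separated PID lists; prints the PIDs that appear
# in PROC_PIDS but not in PS_PIDS. Pure awk, so it runs in POSIX sh and can
# be exercised with constructed lists.
compare_pid_lists() {
    { printf '%s\n' "$2"; echo "__END_OF_PS__"; printf '%s\n' "$1"; } |
    awk '$1 == "__END_OF_PS__"        { in_proc = 1; next }
         !in_proc                     { seen[$1] = 1; next }
         $1 != "" && !($1 in seen)    { print $1 }'
}

# hidden_processes: report PIDs visible in /proc but absent from ps.
# Short-lived processes can start or exit between the two snapshots, so a
# candidate is only reported if it is still in /proc and still missing from
# a second ps run. readdir() on /proc can itself be hooked by a kernel-mode
# rootkit, which is why unhide also offers the sys and brute modes.
hidden_processes() {
    candidates=$(compare_pid_lists "$(list_proc_pids)" "$(list_ps_pids)")
    [ -n "$candidates" ] || return 0
    second_ps=$(list_ps_pids)
    for pid in $candidates; do
        [ -d "/proc/$pid" ] || continue
        if ! printf '%s\n' "$second_ps" | grep -qx "$pid"; then
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
            echo "possible hidden process: pid $pid $cmd"
        fi
    done
}
```

Run hidden_processes as root so every /proc entry is readable; an empty result means ps and /proc agree, which is a necessary but not sufficient condition for a clean host.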