
Linux intrusion checking tool: chkrootkit, an intrusion detection tool for Linux systems

段干庆
2023-12-01

1. A rootkit is a common kind of trojan/backdoor on Linux. It hides itself and keeps the attacker's access by replacing system binaries with trojaned copies, which makes it very hard to spot from the compromised system itself and gives the attacker persistent control.

System programs that are commonly replaced on Linux include login, ls, ps, ifconfig, du, find and netstat, and login is the one replaced most often. Console and telnet logins run /bin/login to collect and verify the account name and password, so a trojaned /bin/login sees every such password and can also accept a backdoor password of the attacker's choosing. (OpenSSH authenticates inside sshd and does not invoke /bin/login, so for SSH the equivalent target is sshd itself.)

Because the backdoor password is built into the trojaned binary and is never checked against /etc/shadow, the attacker can still log in after the system administrator changes the account password.

Common detection tools: Tripwire, AIDE and chkrootkit. Tripwire and AIDE are file-integrity checkers: they compare files against a baseline of hashes recorded while the system was known clean, so they have to be set up before the compromise. chkrootkit looks for the signatures and side effects of known rootkits (modified binaries, hidden processes, interfaces in promiscuous mode, wiped wtmp/lastlog entries) and can be run on a system that has no prior baseline.
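The baseline approach that Tripwire and AIDE automate, reduced to its core, as an added example that is not part of the original article: record a SHA-256 of each binary on the article's list while the host is known clean, keep that baseline off the host (read-only media or another machine, otherwise a rootkit can simply rewrite it), and compare on every audit. The paths in WATCHED and the temporary files in the demo are assumptions; the demo simulates a trojaned login and a deleted ls rather than touching real binaries.

```shell
#!/bin/sh
# Added example, not from the original article: a minimal file-integrity
# baseline in the style of Tripwire/AIDE for the binaries the article
# names as common rootkit replacement targets. Assumption: the baseline
# file is written while the system is known clean and stored off the host.

# The article's list of commonly trojaned programs (paths assumed).
WATCHED="/bin/login /bin/ls /bin/ps /sbin/ifconfig /usr/bin/du /usr/bin/find /bin/netstat"

# hash_file PATH: print the SHA-256 of PATH (sha256sum, or shasum on BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# baseline_write FILE PATH...: record one "sha256 path" line per existing path.
baseline_write() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$out"
    done
}

# baseline_check FILE: print CHANGED/MISSING for each drifted entry; return 1 if any.
baseline_check() {
    rc=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        if [ "$(hash_file "$path")" != "$want" ]; then
            echo "CHANGED  $path"; rc=1
        fi
    done < "$1"
    return $rc
}

# demo_baseline: self-contained run on constructed files in a temp dir.
# A trojaned login is simulated by rewriting the file; ls is deleted.
demo_baseline() (
    tmp=$(mktemp -d)
    cd "$tmp" || exit 2
    printf 'original login binary\n' > login
    printf 'original ls binary\n' > ls
    baseline_write baseline.txt login ls
    printf 'login with backdoor password\n' > login   # simulated replacement
    rm -f ls                                           # simulated deletion
    baseline_check baseline.txt || true
    cd / && rm -rf "$tmp"
)

# Real use: baseline_write /media/ro/baseline.txt $WATCHED once on a clean
# host, then baseline_check /media/ro/baseline.txt on each audit.
demo_baseline
```

On an RPM-based host like the one in the article, `rpm -Vf /bin/login` gives a packaging-level version of the same check against the vendor's recorded digests (`debsums` on Debian). Both share one limit with chkrootkit: if a kernel-level rootkit is loaded, the hash the live system computes can be a lie, so for a suspect host take the hashes from a rescue boot with the disk mounted read-only.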

Download: wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

Build (after extracting the tarball and entering the chkrootkit-0.53 directory): make sense

Move the directory into place: cp -r chkrootkit-* /usr/local/chkrootkit

Remove the source tree: rm -fr chkrootkit-0.53

The build fails with:

[root@fenye2019 chkrootkit-0.53]# make sense

cc -static  -o strings-static strings.c

/usr/bin/ld: cannot find -lc

collect2: error: ld returned 1 exit status

make: *** [strings-static] Error 1

Fix: yum install glibc-static. The strings-static target is linked with -static, which needs the static C library (libc.a) that the glibc-static package provides; chkrootkit builds its own statically linked strings so that it does not depend on the system's shared libc and dynamic loader, which a rootkit can replace just like ls or ps. After installing the package, make sense completes:

[root@fenye2019 src]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

[root@fenye2019 chkrootkit-0.53]# make sense

cc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c

cc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c

cc -DHAVE_LASTLOG_H -D_FILE_OFFSET_BITS=64 -o ifpromisc ifpromisc.c

cc -o chkproc chkproc.c

cc -o chkdirs chkdirs.c

cc -o check_wtmpx check_wtmpx.c

cc -static -o strings-static strings.c

cc -o chkutmp chkutmp.c

[root@fenye2019 chkrootkit-0.53]# echo $?

0

[root@fenye2019 src]# cp -r chkrootkit-* /usr/local/chkrootkit

[root@fenye2019 src]# rm -fr chkrootkit-0.53

Running the script directly scans the system: /usr/local/chkrootkit/chkrootkit. Note the `not tested: can't exec ./...` lines in the output below. The chkrootkit script calls its compiled helpers (chkproc, chkdirs, ifpromisc, chkwtmp, chklastlog, chkutmp) by relative path, so it must be started from its own directory, i.e. cd /usr/local/chkrootkit && ./chkrootkit. Started from /usr/local as shown here, the lkm, sniffer, wted, z2 and chkutmp checks are skipped, and those are exactly the checks for hidden processes, interfaces in promiscuous mode and wiped login records. A run only proves anything when every check reports a result rather than "not tested".

[root@fenye2019 local]# /usr/local/chkrootkit/chkrootkit

Searching for anomalies in shell history files... nothing found

Checking `asp'... not infected

Checking `bindshell'... not infected

Checking `lkm'... not tested: can't exec

Checking `rexedcs'... not found

Checking `sniffer'... not tested: can't exec ./ifpromisc

Checking `w55808'... not infected

Checking `wted'... not tested: can't exec ./chkwtmp

Checking `scalper'... not infected

Checking `slapper'... not infected

Checking `z2'... not tested: can't exec ./chklastlog

Checking `chkutmp'... not tested: can't exec ./chkutmp

Checking `OSX_RSPLUG'... not tested
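A wrapper that runs chkrootkit the way its script expects and triages the result, as an added example that is neither chkrootkit's own code nor from the original article. It assumes the /usr/local/chkrootkit location used above and, optionally, a read-only mount of known-good bin/ and sbin/ at /mnt/clean (from rescue media, for instance) to hand to chkrootkit's -p option, which tells it to use those copies of ls, ps, netstat and strings instead of the ones in $PATH. The sample output is constructed from the lines above with one INFECTED result and one chkproc warning added so that every triage path is exercised.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code and not from the article: run
# chkrootkit from its own directory with trusted helper binaries, then
# triage the output. Assumptions (not from the page): the install dir
# /usr/local/chkrootkit and a clean-binary mount at /mnt/clean.

CHK_DIR=/usr/local/chkrootkit
CLEAN_PATH=/mnt/clean/bin:/mnt/clean/sbin

# chkrootkit references its helpers (chkproc, chkwtmp, ifpromisc, ...) as
# ./name, so it must be started from its own directory; started elsewhere
# it prints "not tested: can't exec" and drops those checks. -p points it
# at trusted external commands, which matters because ls/ps/netstat are
# exactly the binaries a rootkit replaces.
run_chkrootkit() {
    cd "$CHK_DIR" || return 2
    if [ -d /mnt/clean/bin ]; then
        ./chkrootkit -p "$CLEAN_PATH"
    else
        ./chkrootkit
    fi
}

# triage: read chkrootkit output on stdin, tag the lines that need attention
# and print a count line. Return 1 if anything is INFECTED, 2 if any check
# was skipped (the run is incomplete), 0 otherwise.
triage() {
    checks=0; infected=0; skipped=0
    while IFS= read -r line; do
        case "$line" in
            Checking*) checks=$((checks + 1)) ;;
        esac
        case "$line" in
            *INFECTED*)     infected=$((infected + 1)); echo "ALERT:   $line" ;;
            *"not tested"*) skipped=$((skipped + 1));   echo "SKIPPED: $line" ;;
            *Warning*|*Possible*|*"process hidden"*) echo "REVIEW:  $line" ;;
        esac
    done
    echo "checks=$checks infected=$infected skipped=$skipped"
    [ "$infected" -eq 0 ] || return 1
    [ "$skipped" -eq 0 ] || return 2
    return 0
}

# Constructed sample in chkrootkit's output format: lines from the article's
# run plus one INFECTED result and one chkproc warning (both made up here).
sample_output() {
    cat <<'EOF'
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... You have     2 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `w55808'... not infected
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `scalper'... not infected
EOF
}

# demo_triage: run triage over the constructed sample and report its exit code.
demo_triage() {
    if sample_output | triage; then rc=0; else rc=$?; fi
    echo "exit=$rc"
}

if [ "${1:-}" = live ]; then
    run_chkrootkit | triage        # real scan: sh chkrootkit-triage.sh live
else
    demo_triage
fi
```

Treat the exit code as a gate: a 2 means the scan did not actually cover the host, which is what the run shown above would have returned. Treat an ALERT as a lead, not a verdict: the bindshell check flags listeners on a fixed list of ports that 465 belongs to, so a mail server speaking SMTPS is a classic false positive; confirm with netstat or ss run from the trusted binaries before escalating.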
