
chkrootkit


2014-10-20 by dongnan

Before you start

"Rootkit" is a collective term for malware that hides itself and conceals chosen files, processes, network connections, ports and similar information from the system's normal tools.

Chkrootkit is a tool for detecting rootkits on Unix-like and Linux systems.

Official site description

Installation

# RHEL/CentOS
yum install chkrootkit

Usage

List the available tests

chkrootkit -l
/usr/lib64/chkrootkit-0.49/chkrootkit: tests: aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG amd basename biff chfn chsh cron crontab date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall  ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write

Expert mode

chkrootkit -x | more
#...omitted


chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
....omitted
Checking `OSX_RSPLUG'... not infected

Command help

chkrootkit -v

Usage: /usr/lib64/chkrootkit-0.49/chkrootkit [options] [test ...]
Options:
        -h                show this help and exit
        -V                show version information and exit
        -l                show available tests and exit
        -d                debug
        -q                quiet mode
        -x                expert mode
        -r dir            use dir as the root directory
        -p dir1:dir2:dirN path for the external commands used by chkrootkit
        -n                skip NFS mounted dirs
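The run above is interactive; for an unattended scan the interesting lines have to be picked out of chkrootkit's text output. The following script is an added example, not part of the original post or of chkrootkit itself; the sample output it parses is constructed in chkrootkit's format, standing in for a real `chkrootkit -n 2>&1` run (which needs root).

```shell
#!/bin/sh
# Added example (not from the original post): post-process chkrootkit output
# so an unattended run exits non-zero when something is flagged. The result
# is derived from the printed text, not from chkrootkit's own exit status.

# Classify one output line. chkrootkit marks hits with "INFECTED" (upper
# case; "not infected" is a clean result) or with a "Warning:" from a
# helper such as chkproc.
classify_line() {
  case "$1" in
    *INFECTED*|*Warning:*) echo FINDING ;;
    *) echo OK ;;
  esac
}

# Count flagged lines in chkrootkit output read from stdin.
count_findings() {
  hits=0
  while IFS= read -r line; do
    if [ "$(classify_line "$line")" = FINDING ]; then hits=$((hits + 1)); fi
  done
  echo "$hits"
}

# Return 1 when anything was flagged so cron or a monitoring agent can alert
# on the exit status. Every hit still needs manual verification: chkrootkit
# is known for false positives (e.g. bindshell on hosts running mail daemons).
report() {
  found=$(count_findings)
  if [ "$found" -gt 0 ]; then
    echo "chkrootkit: $found line(s) flagged, review required"
    return 1
  fi
  echo "chkrootkit: nothing flagged"
}

# Constructed sample in chkrootkit's output format (replace with
# `chkrootkit -n 2>&1` on a real host).
sample_output() {
  cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `ls'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
Checking `OSX_RSPLUG'... not infected
EOF
}

if sample_output | report; then :; else echo "exit status 1: alert"; fi
```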


