Detecting malware with the rootkit malware scanner rkhunter

Date: 2020-01-09 10:38:09  Source: igfitidea

What is rootkit malware?
How to run a rootkit malware scan.
How to detect rootkit malware on RHEL or CentOS Linux.
What is rkhunter?
How to run a rootkit malware scan on CentOS with rkhunter.
How to detect malware on CentOS.

In this article we detect malware on Linux using a rootkit malware scanner.

What is a rootkit?

Why should I worry?

Rootkits are a nasty kind of malware.
They can listen for commands from their master, steal sensitive data and send it to the master, or give the master a convenient backdoor.
They are designed to be stealthy and to hide themselves from plain view.

Sometimes they replace utilities such as ls or ps with their own Trojaned versions, which show every file or process on the system except those associated with the rootkit.
Rootkits can infect any operating system, even our beloved Linux.

To plant a rootkit, an attacker must already have gained administrative privileges on the system.
This applies to any operating system.

Rootkits fall into two basic types.

  • Traditionally, a rootkit replaces binaries such as ls, ifconfig, inetd, killall, login, netstat, passwd, pidof or ps with Trojaned versions.
    These Trojaned versions are written to hide certain processes or information from the administrator.

  • The second kind of rootkit is the loadable kernel module (LKM).
    A kernel rootkit is loaded as a driver or kernel extension.

Both types are a real problem.
If you suspect a machine has been infected by a rootkit, run a rootkit checker on the system to perform a rootkit malware scan and make sure the filesystem has not been compromised.

Installing rkhunter (rootkit malware scanner)

rkhunter is a shell script that performs various checks on the local system to try to detect known rootkits and malware.

It also checks whether commands have been modified, whether system startup files have been modified, and performs various checks on the network interfaces, including a check for listening applications.

rkhunter is available as part of the EPEL repository.
On RHEL/CentOS 7 we can install the EPEL repository with the following command:

[root@rhel-7 ~]# rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Retrieving https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
warning: /var/tmp/rpm-tmp.tmX9As: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Preparing...                          ################################# [100%]
Updating/installing...
   1:epel-release-7-11                ################################# [100%]

Note:

Because we download and install the EPEL repo rpm directly from the web, the host needs a working internet connection; alternatively, download the rpm and install it offline.

Next, install the rkhunter rpm:

[root@rhel-7 ~]# yum -y install rkhunter

Updating the rootkit signatures

Before starting, it is best to update the rootkit signatures so that the most recently discovered malware can be detected on the Linux host.

Tip:

This again requires a working internet connection.

[root@rhel-7 ~]# rkhunter --update
[ Rootkit Hunter version 1.4.6 ]
Checking rkhunter data files...
  Checking file mirrors.dat                                  [ Updated ]
  Checking file programs_bad.dat                             [ Updated ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ Updated ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ Updated ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ Updated ]
  Checking file i18n/tr.utf8                                 [ Updated ]
  Checking file i18n/zh                                      [ Updated ]
  Checking file i18n/zh.utf8                                 [ Updated ]
  Checking file i18n/ja                                      [ Updated ]

Different types of rootkits

Rootkit Hunter can search for many different types of rootkits.
Here is a partial list:

5808 Trojan—Variant A
Ambient (ark) Rootkit
Apache Worm
Balaur Rootkit
Beastkit
beX2
BOBKit
CiNIK Worm (Slapper.B variant)
Devil Rootkit
Dica
Dreams Rootkit
Duarawkz Rootkit
Flea Linux Rootkit
FreeBSD Rootkit
GasKit
Heroin LKM
HjC Rootkit
ignoKit
ImperalsS-FBRK
Irix Rootkit
Kitko
Knark
Li0n Worm
Lockit/LJK2
mod_rootme (Apache backdoor)
MRK
Ni0 Rootkit
NSDAP (Rootkit for SunOS)
Optic Kit (Tux)
Oz Rootkit
Portacelo
R3dstorm Toolkit
RH-Sharpe’s Rootkit
RSHA’s Rootkit
Scalper Worm
Shutdown
SHV4 Rootkit
SHV5 Rootkit
Sin Rootkit
Slapper
Sneakin Rootkit
SunOS Rootkit
Superkit
TBD (Telnet BackDoor)
TeLeKiT
T0rn Rootkit
Trojanit Kit
URK (Universal Rootkit)
VcKit
Volc Rootkit
X-Org SunOS Rootkit
zaRwT.KiT Rootkit

Rootkit malware scan with rkhunter

Now that our signatures are up to date, the next task is to scan for all rootkit malware and affected files, so we run a rootkit malware scan with rkhunter:

[root@rhel-7 ~]# rkhunter -c
[ Rootkit Hunter version 1.4.6 ]
Checking system commands...
  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]
  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]
  Performing file properties checks
    Checking for prerequisites                               [ Warning ]
    /usr/sbin/adduser                                        [ OK ]
    /usr/sbin/chkconfig                                      [ OK ]
    /usr/sbin/chroot                                         [ OK ]
    /usr/sbin/grpck                                          [ OK ]
    /usr/sbin/ifdown                                         [ Warning ]
    /usr/sbin/ifup                                           [ Warning ]
    /usr/sbin/init                                           [ OK ]
    {output trimmed}

    /usr/bin/mailx                                           [ OK ]
    /usr/lib/systemd/systemd                                 [ OK ]

  Performing system configuration file checks
    Checking for an SSH configuration file                   [ Found ]
    Checking if SSH root access is allowed                   [ Not set ]
    Checking if SSH protocol v1 is allowed                   [ Not set ]
    Checking for other suspicious configuration settings     [ None found ]
    Checking for a running system logging daemon             [ Found ]
    Checking for a system logging configuration file         [ Found ]
    Checking if syslog remote logging is allowed             [ Not allowed ]
  Performing filesystem checks
    Checking /dev for suspicious file types                  [ None found ]
    Checking for hidden files and directories                [ None found ]
[Press <ENTER> to continue]

System checks summary
=====================
File properties checks...
    Required commands check failed
    Files checked: 123
    Suspect files: 4
Rootkit checks...
    Rootkits checked : 485
    Possible rootkits: 0
Applications checks...
    All checks skipped
The system checks took: 118 minutes and 33 seconds
All results have been written to the log file: /var/log/rkhunter/rkhunter.log
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)

Analyzing the rootkit log

Next, we can inspect the log file to find the cause of all the "Warning" results.

[root@rhel-7 ~]# grep -i warning /var/log/rkhunter/rkhunter.log
[11:33:04] Warning: Download of 'mirrors.dat' failed: Unable to determine the latest version number.
[11:33:44] Warning: Download of 'programs_bad.dat' failed: Unable to determine the latest version number.
[11:34:25] Warning: Download of 'backdoorports.dat' failed: Unable to determine the latest version number.
[11:35:05] Warning: Download of 'suspscan.dat' failed: Unable to determine the latest version number.
[11:35:45] Warning: Download of 'i18n.ver' failed: Unable to determine the latest version number.
[11:35:47] Info: Command line is /usr/bin/rkhunter --cronjob --nocolors --report-warnings-only
[11:35:47] Info: No mail-on-warning address configured
[11:35:51] Warning: Checking for prerequisites               [ Warning ]
[11:35:51] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
[11:35:51]   /usr/sbin/ifdown                                [ Warning ]
[11:35:51] Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
[11:35:51]   /usr/sbin/ifup                                  [ Warning ]
[11:35:51] Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
[11:35:53]   /usr/bin/egrep                                  [ Warning ]
[11:35:53] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[11:35:53]   /usr/bin/fgrep                                  [ Warning ]
[11:35:53] Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Warning: Checking for prerequisites               [ Warning ]
Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable

Next, we can go on to determine whether these are false alarms or something that needs fixing or immediate attention.
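As an added example that is not part of the original article, the script below triages the "replaced by a script" warnings from the log output above: it extracts the affected paths from rkhunter.log text and, where the rpm command is available, checks whether each path is still owned by and identical to its installed package before suggesting an rkhunter.conf SCRIPTWHITELIST entry. The log sample is constructed from the lines shown above; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: triage the "replaced by a script"
# warnings that rkhunter's file-properties check writes to /var/log/rkhunter/rkhunter.log.
# Such a warning only says the path is a shell script where a binary was expected;
# on RHEL/CentOS 7 ifup, ifdown, egrep and fgrep are shipped as scripts, so the
# real question is whether the package that owns the path still matches it.

# Constructed sample in the format of the rkhunter log lines shown above. The log
# repeats warnings once with a timestamp and once without, so the parser de-duplicates.
SAMPLE_LOG=$(cat <<'EOF'
[11:35:51] Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
[11:35:51] Warning: The command '/usr/sbin/ifup' has been replaced by a script: /usr/sbin/ifup: Bourne-Again shell script, ASCII text executable
[11:35:53] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[11:35:53] Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: Bourne-Again shell script, ASCII text executable
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
EOF
)

# Read log text on stdin; print each path reported as replaced by a script, once.
replaced_scripts() {
    sed -n "s/^.*Warning: The command '\([^']*\)' has been replaced by a script:.*$/\1/p" |
        LC_ALL=C sort -u
}

# Classify one path against the RPM database. SCRIPTWHITELIST is an rkhunter.conf
# option that tells the check a path is legitimately a script; only add it for
# paths this function reports as intact.
classify_path() {
    command -v rpm >/dev/null 2>&1 || { echo "$1: rpm unavailable, check manually"; return 0; }
    pkg=$(rpm -qf "$1" 2>/dev/null) || { echo "$1: not owned by any package, investigate"; return 0; }
    # rpm -V prints one line per file whose size, digest, mode or owner differ from the package
    if rpm -V "$pkg" 2>/dev/null | grep -q " $1\$"; then
        echo "$1: owned by $pkg but MODIFIED, investigate"
    else
        echo "$1: owned by $pkg and intact, SCRIPTWHITELIST=$1 is reasonable"
    fi
}

# Triage every replaced-by-script path in a log file (default: the live rkhunter log).
triage_log() {
    for p in $(replaced_scripts <"${1:-/var/log/rkhunter/rkhunter.log}"); do classify_path "$p"; done
}

printf '%s\n' "$SAMPLE_LOG" | replaced_scripts
```

Run `triage_log` as root on the scanned host to classify the real log; on a box without rpm it falls back to telling you to check each path by hand.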