12-06-2009, 10:49 PM | #1
Guest
Posts: n/a
chkrootkit (A guide to using the chkrootkit program)
chkrootkit (http://www.chkrootkit.org/download/) is a very effective rootkit detection tool; you can install it on your server. The current version is chkrootkit-0.48.

1. Install chkrootkit
# tar zxvf chkrootkit.tar.gz
# cd chkrootkit-0.48
# make sense
Note: if the gcc package is missing, use the following command to install gcc
# yum -y install gcc*
# rm chkrootkit.tar.gz

Schedule chkrootkit to run daily:
# vi /etc/cron.daily/chkrootkit.sh
enter #!/bin/bash as the first line, save and exit

2. Check for rootkits and send the report by email (the contents of chkrootkit.sh)
cd /root/chkrootkit-0.48/
./chkrootkit | mail -s "Daily chkrootkit from Servername" quantrinet@yahoo.com

3. Schedule chkrootkit
# chmod 755 /etc/cron.daily/chkrootkit.sh
# cd /etc/cron.daily/
# ./chkrootkit.sh

4. Read the README file for more information.
quantrinet.com
01-08-2009, 02:24 PM | #2
Administrator
Joined: Jul 2009
Posts: 152

Chkrootkit error
Chkrootkit: bindshell'... INFECTED (PORTS: 465)
Zones: Linux, SendMail Email Server, Linux Network Security

Hi, yeah, I have installed Chkrootkit, and when I am trying to scan the server it's saying:
bindshell'... INFECTED (PORTS: 465)

My examination:
1) SMTP is listening on port 465,
2) if I stop SMTP, Chkrootkit will say: bindshell'... Not infected

lsof result:
sudo /usr/sbin/lsof -P -n -i | grep 465
sendmail 21631 root 1u IPv4 44507 TCP 78.xxx.xx.xxx:465->xx.xx.25.xxx:62189 (ESTABLISHED) -> I know this IP
sendmail 21631 root 4u IPv4 44507 TCP 78.xxx.xxx.xxx:465->xx.xx.25.xxx:62189 (ESTABLISHED) -> I know this IP
sendmail 21631 root 7u IPv4 44507 TCP 78.xx.xx.xxxx:465->xx.xx.25.xx:62189 (ESTABLISHED) -> I know this
sendmail 25822 root 4u IPv4 45586 TCP *:465 (LISTEN) ->>>>>>> what does this mean?? Is there anything to worry about??

----- Added 01-08-2009 at 01:24 PM -----
Yeah, I believed so. From this site: http://www.chkrootkit.org/faq/#7

I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).

and from this site http://forum.qmailrocks.org/showthread.php?t=6817 these comments:
Just as an FYI, if you are using an SSL SMTP service on port 465 like some of us are, it most likely will result in the following false positive if you run chkrootkit:
Checking `bindshell'... INFECTED (PORTS: 465)

Last edited by adminphuong; 01-08-2009 at 02:24 PM. Reason: The system automatically merged your two consecutive posts!
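Building on the false positive explained in this post, here is an added triage script (not from the thread or from the chkrootkit project) that maps each port in a chkrootkit bindshell hit to the process listening on it, using the same lsof -P -n -i output the post examined; the sample report and lsof lines are constructed, with the post's masked addresses kept.

```shell
#!/bin/sh
# Triage chkrootkit 'bindshell' hits. The test only checks whether ports from a
# fixed list (465/tcp among them) accept a connection, so a legitimate daemon
# such as sendmail serving SMTPS on 465 trips it. Mapping each flagged port to
# its owning process separates an expected listener from an unexpected one.

# Read a chkrootkit report on stdin and print the flagged ports, e.g. the line
#   Checking `bindshell'... INFECTED (PORTS: 465 1524)
# yields "465 1524". Prints nothing when the test was not infected.
bindshell_ports() {
    sed -n "s/.*bindshell'\.\.\. INFECTED (PORTS: \([0-9 ]*\)).*/\1/p"
}

# Read 'lsof -P -n -i' output on stdin and print "COMMAND PID" of the process
# LISTENing on TCP port $1, or "none" when no listener is found.
port_owner() {
    awk -v p=":$1" '
        $NF == "(LISTEN)" && substr($(NF-1), length($(NF-1)) - length(p) + 1) == p {
            print $1, $2; found = 1
        }
        END { if (!found) print "none" }'
}

# $1 = chkrootkit report text, $2 = lsof output text. One line per flagged port:
# "<port> <command> <pid>" or "<port> none" (nothing listening any more).
triage_bindshell() {
    for port in $(printf '%s\n' "$1" | bindshell_ports); do
        printf '%s %s\n' "$port" "$(printf '%s\n' "$2" | port_owner "$port")"
    done
}

# Constructed sample input modelled on the post (masked addresses kept as-is).
SAMPLE_REPORT="Checking \`bindshell'... INFECTED (PORTS: 465 1524)"
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sendmail 21631 root 1u IPv4 44507 TCP 78.xxx.xx.xxx:465->xx.xx.25.xxx:62189 (ESTABLISHED)
sendmail 25822 root 4u IPv4 45586 TCP *:465 (LISTEN)
sshd 1234 root 3u IPv4 11111 TCP *:22 (LISTEN)'

# Live use would be: triage_bindshell "$(./chkrootkit)" "$(lsof -P -n -i)"
triage_bindshell "$SAMPLE_REPORT" "$SAMPLE_LSOF"
```

A flagged port owned by a daemon you expect there (sendmail on 465 in this thread) is the documented false positive; a port with an owner you do not recognise, or one that an unrelated process holds, is what the bindshell test was written to catch.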