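#! /bin/sh
# -*- Shell-script -*-
# $Id: chkrootkit, v 0.47 2006/10/10
CHKROOTKIT_VERSION='0.47'
# Authors: Nelson Murilo <nelson@pangeia.com.br> (main author) and
# Klaus Steding-Jessen <jessen@cert.br>
#
# (C)1997-2006 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
# All rights reserved
#
#
# workaround for some Bourne shell implementations
unalias login > /dev/null 2>&1
unalias ls > /dev/null 2>&1
unalias netstat > /dev/null 2>&1
unalias ps > /dev/null 2>&1
unalias dirname > /dev/null 2>&1

# Workaround for recent GNU coreutils
_POSIX2_VERSION=199209
export _POSIX2_VERSION

# Native commands: binaries whose trojaned variants are checked for
TROJAN="amd basename biff chfn chsh cron crontab date du dirname echo egrep \
env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init \
killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof \
pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd \
tcpdump top telnetd timed traceroute vdir w write"

# Tools: names of the check functions defined below
TOOLS="aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp"

# Return Codes
INFECTED=0
NOT_INFECTED=1
NOT_TESTED=2
NOT_FOUND=3
INFECTED_BUT_DISABLED=4

# Many trojaned commands have this label
GENERIC_ROOTKIT_LABEL="^/bin/.*sh$|bash|elite$|vejeta|\.ark"

######################################################################
# tools functions
#
# The functions below read ROOTDIR, QUIET, EXPERT, SYSTEM, DEBUG and the
# command-path variables (${netstat}, ${egrep}, ${awk}, ${sed}, ${ls},
# ${ps}, ${cut}, ${strings}, ${find}, ${findargs}, ${echo}, $pth) and
# call the helpers loc and expertmode_output; none of these are set or
# defined in this section, so they must be in place before a tool runs.
# Each tool prints its verdict on stdout and returns one of the return
# codes above (5 in EXPERT mode, where only the raw commands are shown).

#
# 55808.A Worm
#
# w55808: look for the worm's dropped files under ${ROOTDIR}tmp/...;
# prints a warning if any exists, otherwise "not infected" (unless QUIET).
#
w55808 (){
   W55808_FILES="${ROOTDIR}tmp/.../a ${ROOTDIR}tmp/.../r"
   STATUS=0

   for i in ${W55808_FILES}; do
      if [ -f ${i} ]; then
         STATUS=1
      fi
   done
   if [ ${STATUS} -eq 1 ] ;then
      echo "Warning: Possible 55808 Worm installed"
   else
      if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
      return ${NOT_INFECTED}
   fi
}

#
# SLAPPER.{A,B,C,D} and the multi-platform variant
#
# slapper: check netstat output for the worm's listening ports and
# ${ROOTDIR}tmp for its dropped files. The warning lists every
# port/file that matched (file_port).
#
slapper (){
   SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"
   SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \
   ${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"
   SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "
   OPT=-an
   STATUS=0
   file_port=

   if ${netstat} "${OPT}"|${egrep} ^tcp|${egrep} "${SLAPPER_PORT}"> /dev/null 2>&1
   then
      STATUS=1
      # On Linux netstat -p also gives the owning PID/program name
      [ "$SYSTEM" = "Linux" ] && file_port=`netstat -p ${OPT} | \
         $egrep ^tcp|$egrep "${SLAPPER_PORT}" | awk '{ print $7 }' | tr -d :`
   fi
   for i in ${SLAPPER_FILES}; do
      if [ -f ${i} ]; then
         # Append the path to the report. The previous form
         # 'file_port=$file_port $i' was parsed as an environment
         # assignment followed by a command, i.e. it executed the file
         # found under ${ROOTDIR}tmp instead of recording its name.
         file_port="$file_port $i"
         STATUS=1
      fi
   done
   if [ ${STATUS} -eq 1 ] ;then
      echo "Warning: Possible Slapper Worm installed ($file_port)"
   else
      if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
      return ${NOT_INFECTED}
   fi
}

#
# scalper: check for the Scalper worm's listening port (SCALPER_PORT)
# and its dropped files under ${ROOTDIR}tmp.
#
scalper (){
   SCALPER_FILES="${ROOTDIR}tmp/.uua ${ROOTDIR}tmp/.a"
   SCALPER_PORT=2001
   OPT=-an
   STATUS=0

   if ${netstat} "${OPT}" | ${egrep} "0.0:${SCALPER_PORT} "> /dev/null 2>&1; then
      STATUS=1
   fi
   for i in ${SCALPER_FILES}; do
      if [ -f ${i} ]; then
         STATUS=1
      fi
   done
   if [ ${STATUS} -eq 1 ] ;then
      echo "Warning: Possible Scalper Worm installed"
   else
      if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
      return ${NOT_INFECTED}
   fi
}

#
# asp: Ramen worm check. Warns on an "asp" entry in ${ROOTDIR}etc/inetd.conf
# and reports INFECTED when the asp binary located by loc contains
# ASP_LABEL. Returns INFECTED if either test hit, NOT_INFECTED otherwise.
#
asp (){
   ASP_LABEL="poop"
   STATUS=${NOT_INFECTED}
   CMD=`loc asp asp $pth`

   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${egrep} ^asp ${ROOTDIR}etc/inetd.conf"
      expertmode_output "${strings} -a ${CMD}"
      return 5
   fi

   if ${egrep} "^asp" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1; then
      echo "Warning: Possible Ramen Worm installed in inetd.conf"
      STATUS=${INFECTED}
   fi

   # loc returns the bare name when the binary was not found; quoted so
   # an empty CMD is a plain mismatch rather than a test(1) syntax error
   if [ "${CMD}" = "asp" -o "${CMD}" = "${ROOTDIR}asp" ]; then
      if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
      return ${NOT_INFECTED}
   fi

   if ${strings} -a ${CMD} | ${egrep} "${ASP_LABEL}" >/dev/null 2>&1; then
      echo "INFECTED"
      STATUS=${INFECTED}
   else
      if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
      return ${NOT_INFECTED}
   fi
   return ${STATUS}
}

#
# sniffer: run ./ifpromisc to look for interfaces in promiscuous mode.
# Only meaningful on the live system (ROOTDIR "/") and skipped on SunOS.
#
sniffer () {
   if [ "${ROOTDIR}" != "/" ]; then
      echo "not tested"
      return ${NOT_TESTED}
   fi

   if [ "$SYSTEM" = "SunOS" ]; then
      return ${NOT_TESTED}
   fi

   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "./ifpromisc" -v
      return 5
   fi

   if [ ! -x ./ifpromisc ]; then
      echo "not tested: can't exec ./ifpromisc"
      return ${NOT_TESTED}
   else
      [ "${QUIET}" != "t" ] && ./ifpromisc -v || ./ifpromisc -q
   fi
}

#
# chkutmp: run ./chkutmp; on a zero exit status report "nothing deleted".
#
chkutmp() {
   if [ ! -x ./chkutmp ]; then
      echo "not tested: can't exec ./chkutmp"
      return ${NOT_TESTED}
   fi
   if ./chkutmp
   then
      if [ "${QUIET}" != "t" ]; then echo "chkutmp: nothing deleted"; fi
   fi
}

#
# z2: run ./chklastlog against the wtmp and lastlog files found by loc
# under ${ROOTDIR}var/log or ${ROOTDIR}var/adm.
#
z2 () {
   if [ ! -x ./chklastlog ]; then
      echo "not tested: can't exec ./chklastlog"
      return ${NOT_TESTED}
   fi

   WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"`
   LASTLOG=`loc lastlog lastlog "${ROOTDIR}var/log ${ROOTDIR}var/adm"`

   if [ ! -f $WTMP -a ! -f $LASTLOG ]; then
      echo "not tested: not found wtmp and/or lastlog file"
      return ${NOT_TESTED}
   fi

   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "./chklastlog -f ${WTMP} -l ${LASTLOG}"
      return 5
   fi

   if ./chklastlog -f ${WTMP} -l ${LASTLOG}
   then
      if [ "${QUIET}" != "t" ]; then echo "chklastlog: nothing deleted"; fi
   fi
}

#
# wted: run ./chkwtmp on the wtmp file found by loc; on SunOS also run
# ./check_wtmpx when ${ROOTDIR}var/adm/wtmp exists.
# NOTE(review): on the SunOS branch WTMP is never assigned before the
# final ./chkwtmp call below — confirm whether that is intended.
#
wted () {
   if [ ! -x ./chkwtmp ]; then
      echo "not tested: can't exec ./chkwtmp"
      return ${NOT_TESTED}
   fi

   if [ "$SYSTEM" = "SunOS" ]; then
      if [ ! -x ./check_wtmpx ]; then
         echo "not tested: can't exec ./check_wtmpx"
      else
         if [ "${EXPERT}" = "t" ]; then
            expertmode_output "./check_wtmpx"
            return 5
         fi
         if [ -f ${ROOTDIR}var/adm/wtmp ]; then
            if ./check_wtmpx
            then
               if [ "${QUIET}" != "t" ]; then \
                  echo "check_wtmpx: nothing deleted in /var/adm/wtmpx"; fi
            fi
         fi
      fi
   else
      WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"`
      if [ "${EXPERT}" = "t" ]; then
         expertmode_output "./chkwtmp -f ${WTMP}"
         return 5
      fi
   fi
   if ./chkwtmp -f ${WTMP}
   then
      if [ "${QUIET}" != "t" ]; then echo "chkwtmp: nothing deleted"; fi
   fi
}

#
# bindshell: look for TCP listeners or UDP sockets on the ports in PORT,
# which are known to be used by bind-shell backdoors. Prints the matching
# ports. Only meaningful on the live system (ROOTDIR "/").
#
bindshell () {
   PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
   OPT="-an"
   PI=""
   if [ "${ROOTDIR}" != "/" ]; then
      echo "not tested"
      return ${NOT_TESTED}
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${netstat} ${OPT}"
      return 5
   fi
   # one netstat run per port; the pattern requires a port-number boundary
   for P in `echo $PORT | ${sed} 's/|/ /g'`; do
      if ${netstat} "${OPT}" | ${egrep} "^tcp.*LIST|^udp" | ${egrep} \
         "[.:]${P}[^0-9.:]" >/dev/null 2>&1
      then
         PI="${PI} ${P}"
      fi
   done
   if [ "${PI}" != "" ]
   then
      echo "INFECTED (PORTS: $PI)"
   else
      if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
   fi
}

#
# lkm: loadable-kernel-module rootkit checks. Only on a live Linux or
# FreeBSD (> 4.3, from ${V}) system: greps /proc/ksyms for adore/sebek,
# looks for /proc/knark, then runs ./chkproc with a ps-version hint (PV).
#
lkm (){
   prog=""
   if [ \( "${SYSTEM}" = "Linux" -o \( "${SYSTEM}" = "FreeBSD" -a \
      `echo ${V} | ${awk} '{ if ($1 > 4.3) print 1; else print 0 }'` -eq 1 \) \) -a "${ROOTDIR}" = "/" ]; then
      [ ! -x ./chkproc ] && prog="./chkproc"
      [ ! -x ./chkdirs ] && prog="$prog ./chkdirs"
      if [ "$prog" != "" ]; then
#         echo "not tested: can't exec $prog"
         return ${NOT_TESTED}
      fi

      if [ "${EXPERT}" = "t" ]; then
         [ -r /proc/ksyms ] && ${egrep} -i "adore|sebek" < /proc/ksyms 2>/dev/null
         [ -d /proc/knark ] && ${ls} -la /proc/knark 2> /dev/null
         PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |$awk -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.015) print 1; else print 2 }'`
         [ "$PV" = "" ] && PV=2
         [ "${SYSTEM}" = "SunOS" ] && PV=0
         expertmode_output "./chkproc -v -v -p $PV"
         return 5
      fi

      ### adore LKM
      [ -r /proc/ksyms ] && \
      if `${egrep} -i adore < /proc/ksyms >/dev/null 2>&1`; then
         echo "Warning: Adore LKM installed"
      fi

      ### sebek LKM (Adore based)
      [ -r /proc/ksyms ] && \
      if `${egrep} -i sebek < /proc/ksyms >/dev/null 2>&1`; then
         echo "Warning: Sebek LKM installed"
      fi

      ### knark LKM
      if [ -d /proc/knark ]; then
         echo "Warning: Knark LKM installed"
      fi

      # PV: procps version class derived from "ps -V" (1, 2 or 3);
      # defaults to 2 when ps -V gives nothing, 0 on SunOS
      PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |$awk -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.11) print 1; else print 2 }'`
      [ "$PV" = "" ] && PV=2
      [ "${SYSTEM}" = "SunOS" ] && PV=0
      if [ "${DEBUG}" = "t" ]; then
         ${echo} "*** PV=$PV ***"
      fi
      if ./chkproc -p ${PV}
      then
         if [ "${QUIET}" != "t" ]; then echo "chkproc: nothing detected"; fi
      else
         echo "chkproc: Warning: Possible LKM Trojan installed"
      fi
   else
      if [ "${QUIET}" != "t" ]; then echo "chkproc: not tested"; fi
   fi
}

#
# aliens: EXPERT-mode branch lists files and directories known to be
# dropped by the rootkits and worms named in the section comments; the
# CGI backdoor loop prints any match directly.
#
aliens () {
   if [ "${EXPERT}" = "t" ]; then
      ### suspicious files
      FILES="usr/bin/sourcemask usr/bin/ras2xm usr/sbin/in.telnet \
sbin/vobiscum usr/sbin/jcd usr/sbin/atd2 usr/bin/.etc usr/bin/xstat \
      etc/ld.so.hash"
      expertmode_output "${find} ${ROOTDIR}dev -type f"
      expertmode_output "${find} ${ROOTDIR}var/run/.tmp"
      expertmode_output "${find} ${ROOTDIR}usr/man/man1/lib/.lib"
      expertmode_output "${find} ${ROOTDIR}usr/man/man2/.man8"
      expertmode_output "${find} ${ROOTDIR}usr/man/man1 -name '.. *'"
      expertmode_output "${find} ${ROOTDIR}usr/share/locale/sk"
      expertmode_output "${find} ${ROOTDIR}usr/lib/dy0"
      expertmode_output "${find} ${ROOTDIR}tmp -name 982235016-gtkrc-429249277"
      for i in ${FILES}; do
         expertmode_output "${ls} ${ROOTDIR}${i} 2> /dev/null"
      done
      [ -d ${ROOTDIR}lib/.so ] && expertmode_output "${find} ${ROOTDIR}lib/.so"
      [ -d "${ROOTDIR}usr/include/.. " ] && expertmode_output ${find} "${ROOTDIR}usr/include/.. "
      [ -d ${ROOTDIR}usr/lib/.fx ] && expertmode_output ${find} ${ROOTDIR}usr/lib/.fx
      [ -d ${ROOTDIR}var/local/.lpd ] && expertmode_output ${find} ${ROOTDIR}var/local/.lpd
      [ -d ${ROOTDIR}dev/rd/cdb ] && expertmode_output ${find} ${ROOTDIR}dev/rd/cdb

      ### sniffer's logs
      expertmode_output "${find} ${ROOTDIR}dev ${ROOTDIR}usr ${ROOTDIR}tmp \
      ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var ${findargs} -name tcp.log -o -name \
.linux-sniff -o -name sniff-l0g -o -name core_ -o"
      expertmode_output "${find} ${ROOTDIR}usr/lib -name in.httpd -o \
-name in.pop3d"

      ### t0rn
      expertmode_output "${find} ${ROOTDIR}etc ${ROOTDIR}sbin \
${ROOTDIR}usr/src/.puta ${ROOTDIR}lib ${ROOTDIR}usr/info -name \
ttyhash -o -name xlogin -o -name ldlib.tk -o -name .t?rn"
      LIBS=
      [ -d ${ROOTDIR}lib ] && LIBS="${ROOTDIR}lib"
      [ -d ${ROOTDIR}usr/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/lib"
      [ -d ${ROOTDIR}usr/local/lib ] && \
      LIBS="${LIBS} ${ROOTDIR}usr/local/lib"
      expertmode_output "${find} ${LIBS} -name libproc.a"

      ## Lion Worm
      expertmode_output "${find} ${ROOTDIR}dev/.lib/lib -name 1i0n.sh2> /dev/null"

      ### ark
      expertmode_output "${find} ${ROOTDIR}dev -name ptyxx"
      expertmode_output "${find} ${ROOTDIR}usr/doc -name '... '"
      expertmode_output "${find} ${ROOTDIR}usr/lib -name '.ark*'"

      ### RK17
      expertmode_output "${find} ${ROOTDIR}bin -name rtty -o -name squit"
      expertmode_output "${find} ${ROOTDIR}sbin -name pback"
      expertmode_output "${find} ${ROOTDIR}usr/man/man3 -name psid 2> /dev/null"
      expertmode_output "${find} ${ROOTDIR}proc -name kset 2> /dev/null"
      expertmode_output "${find} ${ROOTDIR}usr/src/linux/modules -name \
autod.o -o -name soundx.o 2> /dev/null"
      expertmode_output "${find} ${ROOTDIR}usr/bin -name gib -o \
-name ct -o -name snick -o -name kfl"
      CGIDIR=""
      for cgidir in www/httpd/cgi-bin www/cgi-bin var/www/cgi-bin \
var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \
home/httpd/cgi-bin /usr/local/apache2; do
         [ -d ${ROOTDIR}${cgidir} ] && CGIDIR="${CGIDIR} ${ROOTDIR}${cgidir}"
      done
BACKDOORS="number.cgi void.cgi psid becys.cgi nobody.cgi bash.zk.cgi alya.cgi \
shell.cgi alin.cgi httpd.cgi linux.cgi sh.cgi take.cgi bogus.cgi alia.cgi all4one.cgi \
zxcvbnm.cgi secure.cgi ubb.cgi"
      # CGI backdoors: print every known backdoor name present in a cgi-bin dir
      for j in ${CGIDIR}; do
         for i in ${BACKDOORS}; do
            [ -f ${j}/${i} ] && echo ${j}/${i}
         done
      done

      ### rsha
      expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}usr/bin -name kr4p \
-o -name n3tstat -o -name chsh2"
      expertmode_output "${find} ${ROOTDIR}etc/rc.d/rsha"
      expertmode_output "${find} ${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib \
${ROOTDIR}usr/src/linux/arch/alpha/lib/.lib/"

      ### ShitC Worm
      expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}sbin -name home \
-o -name frgy -o -name sy"
      expertmode_output "${find} ${ROOTDIR}usr/bin -type d -name dir"
      expertmode_output "${find} ${ROOTDIR}usr/sbin -type d -name in.slogind"

      ### Omega Worm
      expertmode_output "${find} ${ROOTDIR}dev -name chr"

      ### rh-sharpe
      expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}usr/bin -name lps \
-o -name .ps -o -name lpstree -o -name .lpstree -o -name lkillall \
-o -name ldu -o -name lnetstat"
      expertmode_output "${find} ${ROOTDIR}usr/include/rpcsvc -name du"

      ### Adore Worm
      expertmode_output "${find} ${ROOTDIR}usr/lib ${ROOTDIR}usr/bin \
-name red.tar -o -name start.sh -o -name klogd.o -o -name 0anacron-bak \
-o -name adore"
      expertmode_output "${find} ${ROOTDIR}usr/lib/lib"
      expertmode_output "${find} ${ROOTDIR}usr/lib/libt"

      ### suspicious files and dirs
      suspects="/usr/lib/pt07 /usr/bin/atm /tmp/.cheese /dev/ptyzx /dev/ptyzg /usr/bin/sourcemask /dev/ida /dev/xdf* /usr/lib/libx?otps /sbin/init.zk"
      DIR=${ROOTDIR}usr/lib
      [ -d ${ROOTDIR}usr/man ] && DIR="${DIR} ${ROOTDIR}usr/man"
      [ -d ${ROOTDIR}lib ] && DIR="${DIR} ${ROOTDIR}lib"
      [ -d ${ROOTDIR}usr/lib ] && DIR="${DIR} ${ROOTDIR}usr/lib"
      expertmode_output "${find} ${DIR} -name '.[A-Za-z]*'"
      expertmode_output "${find} ${DIR} -type d -name '.*'"
      expertmode_output "${find} ${DIR} -name '...*'"
      expertmode_output "${ls} ${suspects}"

      ### Maniac RK
      expertmode_output "${find} ${ROOTDIR}usr/bin -name mailrc"

      ### Ramen Worm
      expertmode_output "${find} ${ROOTDIR}usr/src/.poop \
${ROOTDIR}tmp/ramen.tgz ${ROOTDIR}etc/xinetd.d/asp"

      ### Sadmind/IIS Worm
      expertmode_output "${find} ${ROOTDIR}dev/cuc"

      ### Monkit
      expertmode_output "${find} ${ROOTDIR}lib/defs"

      ### Showtee
      expertmode_output "${ls} ${ROOTDIR}usr/lib/.egcs \
${ROOTDIR}usr/lib/.wormie \
${ROOTDIR}usr/lib/.kinetic ${ROOTDIR}/usr/lib/liblog.o \
${ROOTDIR}/usr/include/addr.h ${ROOTDIR}usr/include/cron.h \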