📄 chkrootkit

📁 linux中经典的rootkit的检测工具 功能超强 可以查杀上百种rootkit
${ROOTDIR}/usr/include/file.h ${ROOTDIR}usr/include/proc.h \${ROOTDIR}/usr/include/syslogs.h ${ROOTDIR}/usr/include/chk.h"       ### Optickit       expertmode_output "${find} ${ROOTDIR}usr/bin -name xchk -o -name xsf"       ### T.R.K       expertmode_output "${find} ${ROOTDIR}usr/bin -name soucemask -o -name ct"       ### MithRa's Rootkit       expertmode_output "${find} ${ROOTDIR}usr/lib/locale -name uboot"       ### OpenBSD rootkit v1       if [ "$SYSTEM" != "SunOS" -a ! -f /usr/lib/security/libgcj.security ]          then          expertmode_output "${find} ${ROOTDIR}usr/lib/security"       fi       ### LOC rootkit       expertmode_output "${find} ${ROOTDIR}tmp -name xp -o -name kidd0.c"       ### Romanian rootkit       expertmode_output "${ls} ${ROOTDIR}usr/include/file.h \${ROOTDIR}usr/include/proc.h ${ROOTDIR}usr/include/addr.h \${ROOTDIR}usr/include/syslogs.h"      ## HKRK rootkit      ${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null      ## Suckit rootkit      expertmode_output "${strings} ${ROOTDIR}sbin/init | ${egrep} HOME"      expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init."      
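# --- continuation of the expert-mode branch (its "if" opens earlier in the
# file); each expertmode_output call hands a command line to the expert-mode
# reporter instead of evaluating a verdict here.  ${find}, ${ls}, ${egrep},
# ${findargs}, ${ROOTDIR}, ${QUIET}, ${SYSTEM}, printn and expertmode_output
# are expected to be defined earlier in the script.  Backticks and the
# -a/-o test(1) operators are kept on purpose: the script targets old
# Bourne-compatible /bin/sh implementations, not just bash.
expertmode_output "cat ${ROOTDIR}dev/.golf"
## Volc rootkit
expertmode_output "${ls} ${ROOTDIR}usr/bin/volc"
expertmode_output "${find} ${ROOTDIR}usr/lib/volc"
## Gold2 rootkit
expertmode_output "${ls} ${ROOTDIR}usr/bin/ishit"
## TC2 Worm
expertmode_output "${ls} ${ROOTDIR}usr/bin/util ${ROOTDIR}usr/info \
${ROOTDIR}usr/sbin/initcheck ${ROOTDIR}usr/sbin/ldb"
## Anonoiyng rootkit
expertmode_output "${ls} ${ROOTDIR}usr/sbin/mech* ${ROOTDIR}usr/sbin/kswapd"
## ZK rootkit
expertmode_output "${ls} ${ROOTDIR}etc/sysconfig/console/load*"
## ShKit
expertmode_output "${ls} ${ROOTDIR}lib/security/.config ${ROOTDIR}etc/ld.so.hash"
## AjaKit
expertmode_output "${find} ${ROOTDIR}lib -name .ligh.gh"
expertmode_output "${find} ${ROOTDIR}dev -name tux"
## zaRwT
expertmode_output "${find} ${ROOTDIR}bin -name imin -o -name imout"
## Madalin rootkit
expertmode_output "${find} ${ROOTDIR}usr/include -name icekey.h -o \
-name iceconf.h -o -name iceseed.h"
## Fu rootkit
# The last predicate used to read "-o name ivtype.h" (missing "-"); find
# would have taken "name" for a path and the whole search would have errored.
expertmode_output "${find} ${ROOTDIR}sbin ${ROOTDIR}bin \
${ROOTDIR}usr/include -name xc -o -name .lib -o -name ivtype.h"
## Kenga3 Rookit
# NOTE(review): "usr/include/. ." is unquoted, so find receives two start
# paths ("${ROOTDIR}usr/include/." and ".").  If a directory literally named
# ". ." is meant, the argument needs quoting -- confirm against the expected
# rootkit layout before changing it.
expertmode_output "${find} ${ROOTDIR}usr/include/. ."
## ESRK Rookit
expertmode_output "${ls} -l ${ROOTDIR}usr/lib/tcl5.3"
## rootedoor
for i in `$echo ${PATH}|tr -s ':' ' '`; do
   expertmode_output "${ls} -l ${ROOTDIR}${i}/rootedoor"
done
## ENYE-LKM
expertmode_output "${ls} -l ${ROOTDIR}etc/.enyeOCULTAR.ko"
### shell history file check
# Empty or hard-linked/symlinked history files are a classic sign of
# someone covering their tracks.
if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
   expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \
 -size 0"
   expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \
 \( -links 2 -o -type l \)"
fi
return 5
### expert mode ends here
fi

###
### suspicious files and sniffer's logs
###
# All entries are relative to ${ROOTDIR} (no leading "/"); the old list mixed
# both forms and listed usr/bin/sourcemask twice.
suspects="usr/lib/pt07 usr/bin/atm tmp/.cheese dev/ptyzx dev/ptyzy \
usr/bin/sourcemask dev/ida dev/xdf1 dev/xdf2 usr/bin/xstat \
tmp/982235016-gtkrc-429249277 usr/bin/ras2xm \
usr/sbin/in.telnet sbin/vobiscum usr/sbin/jcd usr/sbin/atd2 usr/bin/.etc \
etc/ld.so.hash sbin/init.zk usr/lib/in.httpd usr/lib/in.pop3d"
dir="var/run/.tmp lib/.so usr/lib/.fx var/local/.lpd dev/rd/cdb"
# Regular files under dev/ whose lines start with a digit 0-5 followed by a
# space look like sniffer logs, not device nodes.
files=`${find} ${ROOTDIR}dev -type f -exec ${egrep} -l "^[0-5] " {} \;`
if [ "${files}" != "" ]; then
   echo
   echo "${files}"
fi
for i in ${dir}; do
   if [ -d "${ROOTDIR}${i}" ]; then
      echo
      echo "Suspect directory ${i} FOUND! Looking for sniffer logs"
      files=`${find} ${ROOTDIR}${i}`
      echo
      echo "${files}"
   fi
done
for i in ${suspects}; do
   if [ -f "${ROOTDIR}${i}" ]; then
      echo "${ROOTDIR}${i} "
      files="INFECTED"
   fi
done
# ${files} is still non-empty if any of the three searches above hit, so
# "no suspect files" is only printed when all of them came back empty.
if [ "${files}" = "" ]; then
   if [ "${QUIET}" != "t" ]; then echo "no suspect files"; fi
fi

if [ "${QUIET}" != "t" ]; then printn "Searching for sniffer's logs, it may take a while... "; fi
files=`${find} ${ROOTDIR}dev ${ROOTDIR}tmp ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var \
   ${findargs} \( -name "tcp.log" -o -name ".linux-sniff" -o -name "sniff-l0g" -o -name "core_" \) \
   2>/dev/null`
if [ "${files}" = "" ]; then
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
   echo
   echo "${files}"
fi

### HiDrootkit
if [ "${QUIET}" != "t" ]; then printn "Searching for HiDrootkit's default dir... "; fi
if [ -d "${ROOTDIR}var/lib/games/.k" ]; then
   echo "Possible HiDrootkit installed"
else
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
fi

### t0rn
if [ "${QUIET}" != "t" ]; then printn "Searching for t0rn's default files and dirs... "; fi
if [ -f "${ROOTDIR}etc/ttyhash" -o -f "${ROOTDIR}sbin/xlogin" -o \
     -d "${ROOTDIR}usr/src/.puta" -o -r "${ROOTDIR}lib/ldlib.tk" -o \
     -d "${ROOTDIR}usr/info/.t0rn" ]; then
   echo "Possible t0rn rootkit installed"
else
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
fi

### t0rn v8
if [ "${QUIET}" != "t" ]; then printn "Searching for t0rn's v8 defaults... "; fi
# Start from an empty list: LIBS is a common environment variable and an
# inherited value would otherwise be searched as if it were a local path.
LIBS=""
[ -d "${ROOTDIR}lib" ] && LIBS="${ROOTDIR}lib"
[ -d "${ROOTDIR}usr/lib" ] && LIBS="${LIBS} ${ROOTDIR}usr/lib"
[ -d "${ROOTDIR}usr/local/lib" ] && LIBS="${LIBS} ${ROOTDIR}usr/local/lib"
# Compare the captured output instead of testing it bare: with more than one
# hit the old "[ `find ...` ]" became "[ a b ]", a test(1) syntax error.
files=""
[ "${LIBS}" != "" ] && files=`${find} ${LIBS} -name libproc.a 2> /dev/null`
if [ "${files}" != "" ]; then
   echo "Possible t0rn v8 (or variation) rootkit installed"
else
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
fi

### Lion Worm
if [ "${QUIET}" != "t" ]; then printn "Searching for Lion Worm default files and dirs... "; fi
if [ -d "${ROOTDIR}usr/info/.torn" -o -d "${ROOTDIR}dev/.lib" -o \
     -f "${ROOTDIR}bin/in.telnetd" -o -f "${ROOTDIR}bin/mjy" ]; then
   echo "Possible Lion worm installed"
else
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
fi

### RSHA rootkit
if [ "${QUIET}" != "t" ]; then printn "Searching for RSHA's default files and dir... "; fi
if [ -r "${ROOTDIR}bin/kr4p" -o -r "${ROOTDIR}usr/bin/n3tstat" \
     -o -r "${ROOTDIR}usr/bin/chsh2" -o -r "${ROOTDIR}usr/bin/slice2" \
     -o -r "${ROOTDIR}usr/src/linux/arch/alpha/lib/.lib/.1proc" \
     -o -r "${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib/.1addr" \
     -o -d "${ROOTDIR}etc/rc.d/rsha" \
     -o -d "${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib" ]; then
   echo "Possible RSHA's rootkit installed"
else
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
fi

### RH-Sharpe rootkit
if [ "${QUIET}" != "t" ]; then printn "Searching for RH-Sharpe's default files... "; fi
if [ -r "${ROOTDIR}bin/lps" -o -r "${ROOTDIR}usr/bin/lpstree" \
     -o -r "${ROOTDIR}usr/bin/ltop" -o -r "${ROOTDIR}usr/bin/lkillall" \
     -o -r "${ROOTDIR}usr/bin/ldu" -o -r "${ROOTDIR}usr/bin/lnetstat" \
     -o -r "${ROOTDIR}usr/bin/wp" -o -r "${ROOTDIR}usr/bin/shad" \
     -o -r "${ROOTDIR}usr/bin/vadim" -o -r "${ROOTDIR}usr/bin/slice" \
     -o -r "${ROOTDIR}usr/bin/cleaner" -o -r "${ROOTDIR}usr/include/rpcsvc/du" ]; then
   echo "Possible RH-Sharpe's rootkit installed"
else
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
fi

### ark rootkit
if [ "${QUIET}" != "t" ]; then printn "Searching for Ambient's rootkit (ark) default files and dirs... "; fi
# ".ark?" was tested as a quoted literal name, so the "?" never matched as a
# glob.  Expanding it unquoted through ls -d catches ".ark" + one character
# and still catches a file literally named ".ark?" (ls gets the pattern
# itself when nothing matches).
arkfiles=`${ls} -d ${ROOTDIR}usr/lib/.ark? 2>/dev/null`
if [ -d "${ROOTDIR}dev/ptyxx" -o "${arkfiles}" != "" -o -d "${ROOTDIR}usr/doc/... " ]; then
   echo "Possible Ambient's rootkit (ark) installed"
else
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
fi

### suspicious files and dirs
DIR="${ROOTDIR}usr/lib"
[ -d "${ROOTDIR}usr/man" ] && DIR="$DIR ${ROOTDIR}usr/man"
[ -d "${ROOTDIR}lib" ] && DIR="$DIR ${ROOTDIR}lib"
if [ "${QUIET}" != "t" ]; then printn "Searching for suspicious files and dirs, it may take a while... "; fi
# Hidden names, "..." prefixes and ".. " (dot dot space) are common hiding
# spots for dropped files under library and man directories.
files=`${find} ${DIR} -name ".[A-Za-z]*" -o -name "...*" -o -name ".. *"`
dirs=`${find} ${DIR} -type d -name ".*"`
if [ "${files}" = "" -a "${dirs}" = "" ]; then
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
   echo
   echo "${files}"
   echo "${dirs}"
fi

### LPD Worm
if [ "${QUIET}" != "t" ]; then printn "Searching for LPD Worm files and dirs... "; fi
# Both the account/inetd markers and the dropped files lead to the same
# verdict, so they are one condition instead of an if/elif pair.
if ${egrep} "^kork" ${ROOTDIR}etc/passwd > /dev/null 2>&1 || \
   ${egrep} "^ *666 " ${ROOTDIR}etc/inetd.conf > /dev/null 2>&1 || \
   [ -d "${ROOTDIR}dev/.kork" -o -f "${ROOTDIR}bin/.ps" -o -f "${ROOTDIR}bin/.login" ]; then
   echo "Possible LPD worm installed"
else
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
fi

### Ramen Worm
if [ "${QUIET}" != "t" ]; then printn "Searching for Ramen Worm files and dirs... "; fi
if [ -d "${ROOTDIR}usr/src/.poop" -o -f "${ROOTDIR}tmp/ramen.tgz" -o \
     -f "${ROOTDIR}etc/xinetd.d/asp" ]; then
   echo "Possible Ramen worm installed"
else
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
fi

### Maniac rootkit
if [ "${QUIET}" != "t" ]; then printn "Searching for Maniac files and dirs... "; fi
files=`${find} ${ROOTDIR}usr/bin -name mailrc`
if [ "${files}" = "" ]; then
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
   echo "${files}"
fi

### RK17 rookit
if [ "${QUIET}" != "t" ]; then printn "Searching for RK17 files and dirs... "; fi
CGIDIR=""
for cgidir in www/httpd/cgi-bin www/cgi-bin var/www/cgi-bin \
   var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \
   home/httpd/cgi-bin usr/local/apache2; do
   [ -d "${ROOTDIR}${cgidir}" ] && CGIDIR="${CGIDIR} ${ROOTDIR}${cgidir}"
done
# The searches run one after another (";" instead of "&&") so that a missing
# directory in one of them no longer aborts the rest of the chain.
files=`${find} ${ROOTDIR}bin -name rtty -o -name squit 2>/dev/null; \
${find} ${ROOTDIR}sbin -name pback 2>/dev/null; \
${find} ${ROOTDIR}usr/man/man3 -name psid 2>/dev/null; \
${find} ${ROOTDIR}proc -name kset 2>/dev/null; \
${find} ${ROOTDIR}usr/src/linux/modules -name autod.o -o -name soundx.o 2>/dev/null; \
${find} ${ROOTDIR}usr/bin -name gib -o -name ct -o -name snick -o -name kfl 2>/dev/null`
BACKDOORS="number.cgi void.cgi psid becys.cgi nobody.cgi bash.zk.cgi alya.cgi \
shell.cgi alin.cgi httpd.cgi linux.cgi sh.cgi take.cgi bogus.cgi alia.cgi all4one.cgi \
zxcvbnm.cgi secure.cgi ubb.cgi"
# Append the CGI back doors to the find results; the old code reset ${files}
# to "" at this point and silently threw the results of the searches away.
for j in ${CGIDIR}; do
   for i in ${BACKDOORS}; do
      [ -f "${j}/${i}" ] && files="${files} ${j}/${i}"
   done
done
if [ "${files}" = "" ]; then
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
   echo "${files}"
fi

### Ducoci rootkit
if [ "${QUIET}" != "t" ]; then printn "Searching for Ducoci rootkit... "; fi
# NOTE(review): the search also starts at "." (the current directory); kept
# as in the original, but confirm that scanning the cwd is intended.
files=`${find} . ${CGIDIR} -name last.cgi`
if [ "${files}" = "" ]; then
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
   echo "${files}"
fi

### Adore Worm
if [ "${QUIET}" != "t" ]; then printn "Searching for Adore Worm... "; fi
files=`${find} ${ROOTDIR}usr/lib ${ROOTDIR}usr/bin -name red.tar -o \
-name start.sh -o -name klogd.o -o -name 0anacron-bak -o -name adore`
if [ "${files}" = "" ]; then
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
   echo "${files}"
   # Only once the primary markers hit: list the worm's library drop dirs too.
   files=`${find} ${ROOTDIR}usr/lib/lib ${ROOTDIR}usr/lib/libt 2>/dev/null`
   [ "${files}" != "" ] && echo "${files}"
fi

### ShitC Worm
if [ "${QUIET}" != "t" ]; then printn "Searching for ShitC Worm... "; fi
# find exits 0 whether or not it matched, so chaining with "||" only ever ran
# the first search; run all three.
files=`${find} ${ROOTDIR}bin -name homo -o -name frgy -o -name dy; \
${find} ${ROOTDIR}usr/bin -type d -name dir; \
${find} ${ROOTDIR}usr/sbin -name in.slogind`
if [ "${files}" = "" ]; then
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
   echo "${files}"
fi

### Omega Worm
if [ "${QUIET}" != "t" ]; then printn "Searching for Omega Worm... "; fi
files=`${find} ${ROOTDIR}dev -name chr`
if [ "${files}" = "" ]; then
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
   echo "${files}"
fi

### China Worm (Sadmind/IIS Worm)
if [ "${QUIET}" != "t" ]; then printn "Searching for Sadmind/IIS Worm... "; fi
files=`${find} ${ROOTDIR}dev/cuc 2> /dev/null`
if [ "${files}" = "" ]; then
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
   echo "${files}"
fi

### MonKit
if [ "${QUIET}" != "t" ]; then printn "Searching for MonKit... "; fi
files=`${find} ${ROOTDIR}lib/defs ${ROOTDIR}usr/lib/libpikapp.a 2> /dev/null`
if [ "${files}" = "" ]; then
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
   echo "${files}"
fi

### Showtee
if [ "${QUIET}" != "t" ]; then printn "Searching for Showtee... "; fi
if [ -d "${ROOTDIR}usr/lib/.egcs" ] || \
   [ -d "${ROOTDIR}usr/lib/.kinetic" ] || [ -d "${ROOTDIR}usr/lib/.wormie" ] || \
   [ -f "${ROOTDIR}usr/lib/liblog.o" ] || [ -f "${ROOTDIR}usr/include/addr.h" ] || \
   [ -f "${ROOTDIR}usr/include/cron.h" ] || [ -f "${ROOTDIR}usr/include/file.h" ] || \
   [ -f "${ROOTDIR}usr/include/proc.h" ] || [ -f "${ROOTDIR}usr/include/syslogs.h" ] || \
   [ -f "${ROOTDIR}usr/include/chk.h" ]; then
   echo "Warning: Possible Showtee Rootkit installed"
else
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
fi

###
### OpticKit
###
if [ "${QUIET}" != "t" ]; then printn "Searching for OpticKit... "; fi
files=`${find} ${ROOTDIR}usr/bin/xchk ${ROOTDIR}usr/bin/xsf 2> /dev/null`
if [ "${files}" = "" ]; then
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
   echo "${files}"
fi

### T.R.K
if [ "${QUIET}" != "t" ]; then printn "Searching for T.R.K... "; fi
# Look for T.R.K's own files, the same names the expert-mode check uses.  The
# old check reused OpticKit's names and sent find's stdout to /dev/null, so
# ${files} was always empty and this test could never report anything.
files=`${find} ${ROOTDIR}usr/bin -name soucemask -o -name ct 2>/dev/null`
if [ "${files}" = "" ]; then
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
   echo "${files}"
fi

### Mithra's Rootkit
if [ "${QUIET}" != "t" ]; then printn "Searching for Mithra... "; fi
files=`${find} ${ROOTDIR}usr/lib/locale -name uboot 2> /dev/null`
if [ "${files}" = "" ]; then
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
   echo "${files}"
fi

### OpenBSD rootkit v1
# usr/lib/security is legitimate where libgcj.security lives (and on SunOS),
# so the check is skipped there; HP-UX is excluded from the verdict as well.
if [ "${SYSTEM}" != "SunOS" -a ! -f "${ROOTDIR}usr/lib/security/libgcj.security" ]; then
   if [ "${QUIET}" != "t" ]; then printn "Searching for OBSD rk v1... "; fi
   files=`${find} ${ROOTDIR}usr/lib/security 2>/dev/null`
   if [ "${files}" = "" -o "${SYSTEM}" = "HP-UX" ]; then
      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
   else
      echo "${files}"
   fi
fi

### LOC rootkit
if [ "${QUIET}" != "t" ]; then printn "Searching for LOC rootkit... "; fi
files=`${find} ${ROOTDIR}tmp -name xp -o -name kidd0.c 2>/dev/null`
if [ "${files}" = "" ]; then
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
   echo "${files}"
   # NOTE(review): "loc" and "$pth" are defined elsewhere in the script; this
   # call is kept from the original -- confirm what it is meant to report.
   loc epic epic $pth
fi

### Romanian rootkit
if [ "${QUIET}" != "t" ]; then printn "Searching for Romanian rootkit... "; fi
files=""
for i in file.h proc.h addr.h syslogs.h; do
   if [ -f "${ROOTDIR}usr/include/${i}" ]; then
      files="$files ${ROOTDIR}usr/include/$i"
   fi
done
if [ "${files}" = "" ]; then
   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
   echo "${files}"
fi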
