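    MINGETTY_INFECTED_LABEL="Dimensioni|pacchetto"
    CMD=`loc mingetty mingetty $pth`
    if [ ! -r ${CMD} ]
    then
       return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${MINGETTY_INFECTED_LABEL}" \
       >/dev/null 2>&1
    then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

#
# chk_* signature checks for trojaned system binaries.
#
# Shared contract (the head of chk_mingetty above is on the previous page):
#   - CMD is resolved with `loc NAME FALLBACK $pth`.  loc reports a miss
#     through its exit status (chk_pidof and chk_timed test $? for that);
#     presumably it then echoes the fallback name, so CMD is never empty.
#   - A binary that cannot be read is reported as NOT_FOUND rather than
#     silently passing as NOT_INFECTED: a file that was never examined must
#     not look clean in the report.
#   - EXPERT="t" prints the raw commands via expertmode_output and returns 5
#     without classifying.
#   - Otherwise the binary's printable strings are run through egrep against
#     a pattern of strings seen in trojaned copies; a hit is INFECTED.  The
#     patterns are detection signatures and are kept byte-for-byte.
#     Some binaries are additionally flagged when installed setuid: "^...s"
#     matches ls -l output whose owner-execute slot is 's'.
#
# Return: ${NOT_INFECTED}, ${INFECTED}, ${NOT_FOUND}, ${NOT_TESTED} or 5.
#
# Style: backticks and [ ] are deliberate -- the script has to run under old
# Bourne shells without $(...) or [[ ]].  Variables are global (no `local`)
# for the same reason; every function initialises what it reads.
#

chk_sendmail () {
    STATUS=${NOT_INFECTED}
    SENDMAIL_INFECTED_LABEL="fuck"
    CMD=`loc sendmail sendmail $pth`
    # Quoted: an unquoted empty CMD would make "[ ! -r ]" test the literal
    # string "-r" and fall through to running strings on stdin.
    if [ ! -r "${CMD}" ]; then
       return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a "${CMD}" | ${egrep} "${SENDMAIL_INFECTED_LABEL}" >/dev/null 2>&1; then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_ls () {
    STATUS=${NOT_INFECTED}
    LS_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrs]|/dev/hdl0|\.tmp/lsfile|/dev/hdcc|/dev/ptyxx|duarawkz|^/prof|/dev/tux|/security|file\.h"
    CMD=`loc ls ls $pth`
    # Missing before: without this, an unreadable ls produced no strings
    # output and was reported as clean.
    if [ ! -r "${CMD}" ]; then
       return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a "${CMD}" | ${egrep} "${LS_INFECTED_LABEL}" >/dev/null 2>&1; then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_du () {
    STATUS=${NOT_INFECTED}
    DU_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrsx]|w0rm|^/prof|/dev/tux|file\.h"
    CMD=`loc du du $pth`
    if [ ! -r "${CMD}" ]; then
       return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a "${CMD}" | ${egrep} "${DU_INFECTED_LABEL}" >/dev/null 2>&1; then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_named () {
    STATUS=${NOT_INFECTED}
    NAMED_I_L="blah|bye"
    # The daemon is installed as either named or in.named, depending on the OS.
    CMD=`loc named named $pth`
    if [ ! -r "${CMD}" ]; then
       CMD=`loc in.named in.named $pth`
       if [ ! -r "${CMD}" ]; then
          return ${NOT_FOUND}
       fi
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a "${CMD}" | ${egrep} "${NAMED_I_L}" >/dev/null 2>&1; then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_netstat () {
    STATUS=${NOT_INFECTED}
    # NOTE(review): "/dev/hdl0/dev/xdta" looks like a missing '|' between two
    # signatures -- verify against the upstream signature list before touching it.
    NETSTAT_I_L="/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|^/prof|/dev/tux|grep|addr\.h"
    CMD=`loc netstat netstat $pth`
    if [ ! -r "${CMD}" ]; then
       return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a "${CMD}" | ${egrep} "${NETSTAT_I_L}" >/dev/null 2>&1; then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_ps () {
    STATUS=${NOT_INFECTED}
    PS_I_L="/dev/xmx|\.1proc|/dev/ttyop|/dev/pty[pqrsx]|/dev/cui|/dev/hda[0-7]|\/dev/hdp|/dev/cui220|/dev/dsx|w0rm|/dev/hdaa|duarawkz|/dev/tux|/security|^proc\.h"
    CMD=`loc ps ps $pth`
    if [ ! -r "${CMD}" ]; then
       return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a "${CMD}" | ${egrep} "${PS_I_L}" >/dev/null 2>&1; then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_pstree () {
    STATUS=${NOT_INFECTED}
    PSTREE_INFECTED_LABEL="/dev/ttyof|/dev/hda01|/dev/cui220|/dev/ptyxx|^/prof|/dev/tux|proc\.h"
    CMD=`loc pstree pstree $pth`
    if [ ! -r "${CMD}" ]; then
       return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a "${CMD}" | ${egrep} "${PSTREE_INFECTED_LABEL}" >/dev/null 2>&1; then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_crontab () {
    STATUS=${NOT_INFECTED}
    CRONTAB_I_L="crontab.*666"
    CMD=`loc crontab crontab $pth`
    if [ ! -r "${CMD}" ]; then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${CMD} -l -u nobody"
        return 5
    fi
    # This check inspects a crontab, not the binary: any crontab for the
    # 'nobody' account gets a warning (the message names Lupper.Worm as the
    # known cause); an entry matching CRONTAB_I_L is treated as an infection.
    if "${CMD}" -l -u nobody >/dev/null 2>&1; then
        printn "Warning: crontab for nobody found, possible Lupper.Worm... "
        if "${CMD}" -l -u nobody 2>/dev/null | ${egrep} "${CRONTAB_I_L}" >/dev/null 2>&1; then
            STATUS=${INFECTED}
        fi
    fi
    return ${STATUS}
}

chk_top () {
    STATUS=${NOT_INFECTED}
    TOP_INFECTED_LABEL="/dev/xmx|/dev/ttyop|/dev/pty[pqrsx]|/dev/hdp|/dev/dsx|^/prof/|/dev/tux|^/proc\.h"
    CMD=`loc top top $pth`
    if [ ! -r "${CMD}" ]; then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a "${CMD}" | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1; then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_pidof () {
    STATUS=${NOT_INFECTED}
    # Own label name (it used to overwrite chk_top's TOP_INFECTED_LABEL).
    PIDOF_INFECTED_LABEL="/dev/pty[pqrs]"
    CMD=`loc pidof pidof $pth`
    # $? is loc's status here: a plain assignment does not reset it.
    if [ "${?}" -ne 0 ]; then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a "${CMD}" | ${egrep} "${PIDOF_INFECTED_LABEL}" >/dev/null 2>&1; then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_killall () {
    STATUS=${NOT_INFECTED}
    # Own label name (it used to overwrite chk_top's TOP_INFECTED_LABEL).
    KILLALL_INFECTED_LABEL="/dev/ttyop|/dev/pty[pqrs]|/dev/hda[0-7]|/dev/hdp|/dev/ptyxx|/dev/tux|proc\.h"
    CMD=`loc killall killall $pth`
    # $? is loc's status here: a plain assignment does not reset it.
    if [ "${?}" -ne 0 ]; then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a "${CMD}" | ${egrep} "${KILLALL_INFECTED_LABEL}" >/dev/null 2>&1; then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_ldsopreload() {
    STATUS=${NOT_INFECTED}
    # Two candidate files in one space-separated string on purpose: the
    # unquoted ${CMD} below must expand to both arguments.
    CMD="${ROOTDIR}lib/libshow.so ${ROOTDIR}lib/libproc.a"
    # Linux only; everything else is reported as not tested.
    if [ "${SYSTEM}" != "Linux" ]; then
       return ${NOT_TESTED}
    fi
    if [ ! -x ./strings-static ]; then
       printn "can't exec ./strings-static, "
       return ${NOT_TESTED}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "./strings-static -a ${CMD}"
        return 5
    fi
    ### strings must be a statically linked binary.  (Presumably so that a
    ### preloaded library cannot interfere with the tool doing the checking;
    ### the original comment states only the requirement.)
    ### The presence of either library is itself the indicator here: the
    ### verdict is strings-static's exit status, not a pattern match.
    if ./strings-static -a ${CMD} > /dev/null 2>&1; then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_basename () {
    STATUS=${NOT_INFECTED}
    CMD=`loc basename basename $pth`
    if [ ! -r "${CMD}" ]; then
       return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a "${CMD}" | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1; then
        STATUS=${INFECTED}
    fi
    # A setuid basename has no legitimate use; skipped on OSF1 as before.
    if [ "$SYSTEM" != "OSF1" ]; then
       if ${ls} -l "${CMD}" | ${egrep} "^...s" > /dev/null 2>&1; then
          STATUS=${INFECTED}
       fi
    fi
    return ${STATUS}
}

chk_dirname () {
    STATUS=${NOT_INFECTED}
    CMD=`loc dirname dirname $pth`
    if [ ! -r "${CMD}" ]; then
       return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a "${CMD}" | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1; then
        STATUS=${INFECTED}
    fi
    # setuid check, see chk_basename.
    if ${ls} -l "${CMD}" | ${egrep} "^...s" > /dev/null 2>&1; then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_traceroute () {
    STATUS=${NOT_INFECTED}
    CMD=`loc traceroute traceroute $pth`
    if [ ! -r "${CMD}" ]; then
       return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a "${CMD}" | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1; then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_rpcinfo () {
    STATUS=${NOT_INFECTED}
    CMD=`loc rpcinfo rpcinfo $pth`
    if [ ! -r "${CMD}" ]; then
       return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a "${CMD}" | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1; then
        STATUS=${INFECTED}
    fi
    # setuid check, see chk_basename.
    if ${ls} -l "${CMD}" | ${egrep} "^...s" > /dev/null 2>&1; then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_date () {
    STATUS=${NOT_INFECTED}
    S_L="/bin/.*sh"
    CMD=`loc date date $pth`
    if [ ! -r "${CMD}" ]; then
       return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    # On FreeBSD newer than 4.9 ($V is the release number, set elsewhere)
    # the generic signature is not enough on its own: only the count of
    # matching lines that also mention a /bin/...sh path is used, and exactly
    # 0 or 2 such lines is accepted -- presumably what the genuine date(1)
    # contains there.  The version test is now only evaluated on FreeBSD.
    # Every other system uses the plain generic-signature match; that branch
    # used to leak the matched strings to stdout (missing >/dev/null).
    if [ "${SYSTEM}" = "FreeBSD" ] &&
       [ `echo $V | ${awk} '{ if ($1 > 4.9) print 1; else print 0 }'` -eq 1 ]; then
       N=`${strings} -a "${CMD}" | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | \
          ${egrep} -c "$S_L"`
       if [ "${N}" -ne 2 -a "${N}" -ne 0 ]; then
          STATUS=${INFECTED}
       fi
    else
       if ${strings} -a "${CMD}" | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1; then
          STATUS=${INFECTED}
       fi
    fi
    # setuid check, see chk_basename.
    if ${ls} -l "${CMD}" | ${egrep} "^...s" > /dev/null 2>&1; then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_echo () {
    STATUS=${NOT_INFECTED}
    CMD=`loc echo echo $pth`
    if [ ! -r "${CMD}" ]; then
       return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a "${CMD}" | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1; then
        STATUS=${INFECTED}
    fi
    # setuid check, see chk_basename.
    if ${ls} -l "${CMD}" | ${egrep} "^...s" > /dev/null 2>&1; then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_env () {
    STATUS=${NOT_INFECTED}
    CMD=`loc env env $pth`
    if [ ! -r "${CMD}" ]; then
       return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a "${CMD}" | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1; then
        STATUS=${INFECTED}
    fi
    # setuid check, see chk_basename.
    if ${ls} -l "${CMD}" | ${egrep} "^...s" > /dev/null 2>&1; then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_timed () {
    STATUS=${NOT_INFECTED}
    # Installed as either timed or in.timed; each [ $? ] reads loc's status.
    CMD=`loc timed timed $pth`
    if [ "${?}" -ne 0 ]; then
       CMD=`loc in.timed in.timed $pth`
       if [ "${?}" -ne 0 ]; then
          return ${NOT_FOUND}
       fi
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a "${CMD}" | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1; then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_identd () {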
