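# Tail of the check whose header precedes this span (its `loc` call names
# in.identd); kept as found apart from layout.
   STATUS=${NOT_INFECTED}
   CMD=`loc in.identd in.identd $pth`
   if [ ${?} -ne 0 ]; then
      return ${NOT_FOUND}
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      return 5
   fi
   if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
   then
      STATUS=${INFECTED}
   fi
   return ${STATUS}
}

#######################################
# Search the printable strings of a binary for an egrep pattern.
# Globals:   strings, egrep (read; tool paths set elsewhere in the script)
# Arguments: $1 - path to the binary, $2 - egrep pattern
# Returns:   0 if the pattern matches, non-zero otherwise
#######################################
_strings_label_found () {
   ${strings} -a "$1" | ${egrep} "$2" > /dev/null 2>&1
}

#######################################
# Test whether a file's mode column from `ls -l` shows the set-uid bit
# ("...s" in the first four characters).
# Globals:   ls, egrep (read)
# Arguments: $1 - path to the file
# Returns:   0 if set-uid, non-zero otherwise
#######################################
_setuid_bit_set () {
   ${ls} -l "$1" | ${egrep} "^...s" > /dev/null 2>&1
}

# Every chk_* function below follows the same contract:
#   Globals:  STATUS and CMD are written (CMD is the located binary);
#             pth is a space-separated search path and is deliberately
#             left unquoted so `loc` sees one word per directory.
#   Returns:  NOT_FOUND when the binary cannot be located, 5 in expert
#             mode (after dumping raw strings/ls output), otherwise
#             INFECTED or NOT_INFECTED.

# init: a UPX-packed init is treated as a trojaned binary.
chk_init () {
   STATUS=${NOT_INFECTED}
   INIT_INFECTED_LABEL="UPX"
   CMD=$(loc init init $pth)
   if [ ${?} -ne 0 ]; then
      return ${NOT_FOUND}
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      return 5
   fi
   if _strings_label_found "${CMD}" "${INIT_INFECTED_LABEL}"; then
      STATUS=${INFECTED}
   fi
   return ${STATUS}
}

# in.pop2d: generic rootkit signature check.
chk_pop2 () {
   STATUS=${NOT_INFECTED}
   CMD=$(loc in.pop2d in.pop2d $pth)
   if [ ${?} -ne 0 ]; then
      return ${NOT_FOUND}
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      return 5
   fi
   if _strings_label_found "${CMD}" "${GENERIC_ROOTKIT_LABEL}"; then
      STATUS=${INFECTED}
   fi
   return ${STATUS}
}

# in.pop3d: generic rootkit signature check.
chk_pop3 () {
   STATUS=${NOT_INFECTED}
   CMD=$(loc in.pop3d in.pop3d $pth)
   if [ ${?} -ne 0 ]; then
      return ${NOT_FOUND}
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      return 5
   fi
   if _strings_label_found "${CMD}" "${GENERIC_ROOTKIT_LABEL}"; then
      STATUS=${INFECTED}
   fi
   return ${STATUS}
}

# write: flagged on known strings (matches mentioning "locale" are ignored
# to avoid a false positive) or on a set-uid bit.
chk_write () {
   STATUS=${NOT_INFECTED}
   WRITE_ROOTKIT_LABEL="bash|elite$|vejeta|\.ark"
   CMD=$(loc write write $pth)
   # Missing in the original: without this, strings/ls ran on a bare name
   # and "not found" was reported as "not infected".
   if [ ${?} -ne 0 ]; then
      return ${NOT_FOUND}
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      expertmode_output "${ls} -l ${CMD}"
      return 5
   fi
   if ${strings} -a "${CMD}" | ${egrep} "${WRITE_ROOTKIT_LABEL}" | grep -v locale > /dev/null 2>&1
   then
      STATUS=${INFECTED}
   fi
   if _setuid_bit_set "${CMD}"; then
      STATUS=${INFECTED}
   fi
   return ${STATUS}
}

# w: a "uname -a" string inside w is the trojan marker.
chk_w () {
   STATUS=${NOT_INFECTED}
   W_INFECTED_LABEL="uname -a"
   CMD=$(loc w w $pth)
   # Not-found check added for consistency with the other checks.
   if [ ${?} -ne 0 ]; then
      return ${NOT_FOUND}
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      expertmode_output "${ls} -l ${CMD}"
      return 5
   fi
   if _strings_label_found "${CMD}" "${W_INFECTED_LABEL}"; then
      STATUS=${INFECTED}
   fi
   return ${STATUS}
}

# vdir: a reference to /lib/volc is the trojan marker.
chk_vdir () {
   STATUS=${NOT_INFECTED}
   VDIR_INFECTED_LABEL="/lib/volc"
   CMD=$(loc vdir vdir $pth)
   if [ ! -r "${CMD}" ]; then
      return ${NOT_FOUND}
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      expertmode_output "${ls} -l ${CMD}"
      return 5
   fi
   if _strings_label_found "${CMD}" "${VDIR_INFECTED_LABEL}"; then
      STATUS=${INFECTED}
   fi
   return ${STATUS}
}

# tar: only the set-uid bit is checked.
chk_tar () {
   STATUS=${NOT_INFECTED}
   CMD=$(loc tar tar $pth)
   # Not-found check added for consistency with the other checks.
   if [ ${?} -ne 0 ]; then
      return ${NOT_FOUND}
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${ls} -l ${CMD}"
      return 5
   fi
   if _setuid_bit_set "${CMD}"; then
      STATUS=${INFECTED}
   fi
   return ${STATUS}
}

# in.rexedcs: this daemon is never legitimate, so its mere presence is
# reported as infected. "not found" is printed here (unless QUIET) because
# the caller does not print it for this check.
rexedcs () {
   STATUS=${NOT_INFECTED}
   CMD=$(loc in.rexedcs in.rexedcs $pth)
   if [ "${?}" -ne 0 ]; then
      if [ "${QUIET}" != "t" ]; then
         echo "not found"
      fi
      return ${NOT_FOUND}
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      return 5
   fi
   STATUS=${INFECTED}
   return ${STATUS}
}

# mail: a "sh -i" string or a set-uid bit marks it. Skipped on HP-UX.
chk_mail () {
   STATUS=${NOT_INFECTED}
   CMD=$(loc mail mail $pth)
   if [ "${?}" -ne 0 ]; then
      return ${NOT_FOUND}
   fi
   if [ "${SYSTEM}" = "HP-UX" ]; then
      return ${NOT_TESTED}
   fi
   MAIL_INFECTED_LABEL="sh -i"
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      expertmode_output "${ls} -l ${CMD}"
      return 5
   fi
   if _strings_label_found "${CMD}" "${MAIL_INFECTED_LABEL}"; then
      STATUS=${INFECTED}
   fi
   if _setuid_bit_set "${CMD}"; then
      STATUS=${INFECTED}
   fi
   return ${STATUS}
}

# biff: generic rootkit signature or a set-uid bit.
chk_biff () {
   STATUS=${NOT_INFECTED}
   CMD=$(loc biff biff $pth)
   if [ "${?}" -ne 0 ]; then
      return ${NOT_FOUND}
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      expertmode_output "${ls} -l ${CMD}"
      return 5
   fi
   if _strings_label_found "${CMD}" "${GENERIC_ROOTKIT_LABEL}"; then
      STATUS=${INFECTED}
   fi
   if _setuid_bit_set "${CMD}"; then
      STATUS=${INFECTED}
   fi
   return ${STATUS}
}

# egrep: the label "blah" is a placeholder carried over from the original;
# it is kept unchanged so results do not differ.
chk_egrep () {
   STATUS=${NOT_INFECTED}
   EGREP_INFECTED_LABEL="blah"
   CMD=$(loc egrep egrep $pth)
   # Not-found check added for consistency with the other checks.
   if [ ${?} -ne 0 ]; then
      return ${NOT_FOUND}
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      expertmode_output "${ls} -l ${CMD}"
      return 5
   fi
   if _strings_label_found "${CMD}" "${EGREP_INFECTED_LABEL}"; then
      STATUS=${INFECTED}
   fi
   return ${STATUS}
}

# grep: a "givemer" string or a set-uid bit.
chk_grep () {
   STATUS=${NOT_INFECTED}
   GREP_INFECTED_LABEL="givemer"
   CMD=$(loc grep grep $pth)
   # Not-found check added for consistency with the other checks.
   if [ ${?} -ne 0 ]; then
      return ${NOT_FOUND}
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      expertmode_output "${ls} -l ${CMD}"
      return 5
   fi
   if _strings_label_found "${CMD}" "${GREP_INFECTED_LABEL}"; then
      STATUS=${INFECTED}
   fi
   if _setuid_bit_set "${CMD}"; then
      STATUS=${INFECTED}
   fi
   return ${STATUS}
}

# find: hidden-file/device paths that trojaned find binaries exclude.
chk_find () {
   STATUS=${NOT_INFECTED}
   FIND_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrs]|^/prof|/home/virus|/security|file\.h"
   CMD=$(loc find find $pth)
   if [ "${?}" -ne 0 ]; then
      return ${NOT_FOUND}
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      return 5
   fi
   if _strings_label_found "${CMD}" "${FIND_INFECTED_LABEL}"; then
      STATUS=${INFECTED}
   fi
   return ${STATUS}
}

# rlogind: tries in.rlogind first, then rlogind; needs an executable.
chk_rlogind () {
   STATUS=${NOT_INFECTED}
   RLOGIN_INFECTED_LABEL="p1r0c4|r00t"
   CMD=$(loc in.rlogind in.rlogind $pth)
   if [ ! -x "${CMD}" ]; then
      CMD=$(loc rlogind rlogind $pth)
      if [ ! -x "${CMD}" ]; then
         return ${NOT_FOUND}
      fi
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      return 5
   fi
   if _strings_label_found "${CMD}" "${RLOGIN_INFECTED_LABEL}"; then
      STATUS=${INFECTED}
   fi
   return ${STATUS}
}

# lsof: a path starting with /prof is the trojan marker.
chk_lsof () {
   STATUS=${NOT_INFECTED}
   LSOF_INFECTED_LABEL="^/prof"
   CMD=$(loc lsof lsof $pth)
   if [ ! -x "${CMD}" ]; then
      return ${NOT_FOUND}
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      return 5
   fi
   if _strings_label_found "${CMD}" "${LSOF_INFECTED_LABEL}"; then
      STATUS=${INFECTED}
   fi
   return ${STATUS}
}

# amd: the label "blah" is a placeholder carried over from the original;
# it is kept unchanged so results do not differ.
chk_amd () {
   STATUS=${NOT_INFECTED}
   AMD_INFECTED_LABEL="blah"
   CMD=$(loc amd amd $pth)
   if [ ! -x "${CMD}" ]; then
      return ${NOT_FOUND}
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      return 5
   fi
   if _strings_label_found "${CMD}" "${AMD_INFECTED_LABEL}"; then
      STATUS=${INFECTED}
   fi
   return ${STATUS}
}

# slogin: a "homo" string is the trojan marker.
chk_slogin () {
   STATUS=${NOT_INFECTED}
   SLOGIN_INFECTED_LABEL="homo"
   CMD=$(loc slogin slogin $pth)
   if [ ! -x "${CMD}" ]; then
      return ${NOT_FOUND}
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      return 5
   fi
   if _strings_label_found "${CMD}" "${SLOGIN_INFECTED_LABEL}"; then
      STATUS=${INFECTED}
   fi
   return ${STATUS}
}

# cron: tries cron first, then crond. The nested check makes explicit what
# the original relied on implicitly (the status of the inner `loc`
# surviving the closing `fi`).
chk_cron () {
   STATUS=${NOT_INFECTED}
   CRON_INFECTED_LABEL="/dev/hda|/dev/hda[0-7]|/dev/hdc0"
   CMD=$(loc cron cron $pth)
   if [ "${?}" -ne 0 ]; then
      CMD=$(loc crond crond $pth)
      if [ "${?}" -ne 0 ]; then
         return ${NOT_FOUND}
      fi
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      return 5
   fi
   if _strings_label_found "${CMD}" "${CRON_INFECTED_LABEL}"; then
      STATUS=${INFECTED}
   fi
   return ${STATUS}
}

# ifconfig: inverted logic, kept from the original on purpose. STATUS starts
# as INFECTED and is cleared only if the binary still contains the PROMISC
# string (trojaned copies strip it); a positive match on the trojan paths
# sets it back to INFECTED.
chk_ifconfig () {
   STATUS=${INFECTED}
   CMD=$(loc ifconfig ifconfig $pth)
   if [ "${?}" -ne 0 ]; then
      return ${NOT_FOUND}
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      return 5
   fi
   IFCONFIG_NOT_INFECTED_LABEL="PROMISC"
   IFCONFIG_INFECTED_LABEL="/dev/tux|/session.null"
   if _strings_label_found "${CMD}" "${IFCONFIG_NOT_INFECTED_LABEL}"; then
      STATUS=${NOT_INFECTED}
   fi
   if _strings_label_found "${CMD}" "${IFCONFIG_INFECTED_LABEL}"; then
      STATUS=${INFECTED}
   fi
   return ${STATUS}
}

# rshd: located at a fixed path on Linux/FreeBSD, searched on $pth
# elsewhere. A "HISTFILE" string marks it; if the service also looks
# disabled the softer INFECTED_BUT_DISABLED status is returned.
chk_rshd () {
   STATUS=${NOT_INFECTED}
   case "${SYSTEM}" in
      Linux)   CMD="${ROOTDIR}usr/sbin/in.rshd";;
      FreeBSD) CMD="${ROOTDIR}usr/libexec/rshd";;
      *)       CMD=$(loc rshd rshd $pth);;
   esac
   if [ ! -x "${CMD}" ]; then
      return ${NOT_FOUND}
   fi
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      return 5
   fi
   RSHD_INFECTED_LABEL="HISTFILE"
   if _strings_label_found "${CMD}" "${RSHD_INFECTED_LABEL}"; then
      STATUS=${INFECTED}
      # The original joined these two tests with a bare `-o`, which is not
      # an operator in `if cmd` context: egrep received `-o` and the
      # xinetd path as its own arguments, so the "disabled" branch never
      # tested what was intended. `||` is the shell-level "or" meant here.
      # NOTE(review): the second test only proves /etc/xinetd.d/rshd
      # exists, not that it contains "disable = yes" — kept as originally
      # intended, but a stricter check would read that file.
      if ${egrep} "^#.*rshd" "${ROOTDIR}etc/inetd.conf" >/dev/null 2>&1 \
         || ${ls} "${ROOTDIR}etc/xinetd.d/rshd" >/dev/null 2>&1; then
         STATUS=${INFECTED_BUT_DISABLED}
      fi
   fi
   return ${STATUS}
}

# tcpdump: no binary is inspected; a listening/connected socket matching
# TCPDUMP_I_L in `netstat -an` output is the marker.
# Globals: netstat (read; tool path set elsewhere in the script)
chk_tcpdump () {
   STATUS=${NOT_INFECTED}
   TCPDUMP_I_L="212.146.0.34:1963"
   OPT=-an
   if ${netstat} "${OPT}" | ${egrep} "${TCPDUMP_I_L}" > /dev/null 2>&1; then
      STATUS=${INFECTED}
   fi
   return ${STATUS}
}

# chk_tcpd continues past the end of this span; reproduced as found.
chk_tcpd () {
   STATUS=${NOT_INFECTED}
   TCPD_INFECTED_LABEL="p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux"
   [ -r ${ROOTDIR}etc/inetd.conf ] && CMD=`${egrep} '^[^#].*tcpd' ${ROOTDIR}etc/inetd.conf | _head -1 | \
      ${awk} '{ print $6 }'`
   if ${ps} auwx | ${egrep} xinetd | ${egrep} -v grep >/dev/null 2>&1; then
      CMD=`loc tcpd tcpd $pth`
   fi
   [ -z "${CMD}" ] && CMD=`loc tcpd tcpd $pth`
   [ "tcpd" = "${CMD}" ] && return ${NOT_FOUND};
   if [ "${EXPERT}" = "t" ]; then
      expertmode_output "${strings} -a ${CMD}"
      return 5
   fi
   if ${strings} -a ${CMD} | ${egrep} "${TCPD_INFECTED_LABEL}" > /dev/null 2>&1
   then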