> On Tuesday 23 October 2007 23:16:47 Jordi Prats wrote:
> > But it does check for some listening ports. Is there not a
> > better tool for that?
> >
> > Maybe a combination of chkrootkit -d with some AV? Any
> > recommendation?
>
> Secondly, you do not need chkrootkit to do that, just
> netstat -putan | grep -i listen will do the trick. In fact, I
> have set up a small script which runs that every hour and sends
> an email with the results to my account. I'm a wee paranoid,
> I know, but... :-)

Jordi, one of the tools I use is a small Perl script (see below) that
collects data in various ways and creates text files from them in
whatever directory you want. I then use a shell script that diffs the
output of that script with the output from an hour ago with:

  diff -a -b -B -p -r -u /home/backup/files /data/

After that output is mailed to me (only if there is a difference) I move
the files I just created over to the directory I check against the next
time I run the script:

  echo "Backing up config files..." >> /home/mike/backup-ids.log
  rsync -a --delete /data/* /home/backup/files >> /home/mike/backup-ids.log 2>> /home/mike/backup-ids.err
  echo "" >> /home/mike/backup-ids.log

This allows you to use rootkit hunters (chkrootkit & rkhunter) as well as
simple tools like the listen script Manuel uses....
+++++++++++++++++++++++++++++++++
#!/usr/bin/perl -w
use strict;

my %Cmds;
my $host = 'MyHostName';
my $user = "root";
chdir "/data" or die "cannot chdir to /data: $!";

# binaries whose checksums are recorded every run
my @md5files = qw(/bin/login /usr/bin/passwd /bin/ps);
my ($Second, $Minute, $Hour, $Day, $Month, $Year, $WeekDay, $DayOfYear, $IsDST) = localtime(time);

# disk usage is only collected once a day, during the 08:00 run
if ($Hour == 8) {
    $Cmds{'disk.usage'} = "df -lk";
}
$Cmds{'md5sigs'}     = "md5sum @md5files";
# setuid/setgid files; "-perm /6000" is current GNU find's spelling of the older "+6000"
$Cmds{'suidfiles'}   = "find / -type f -perm /6000 | xargs ls -l";
$Cmds{'cron.root'}   = "crontab -l -u root";
#$Cmds{'chkroot'}    = "/usr/bin/chkrootkit";
# refresh rkhunter's database; its output is thrown away by writing it to /dev/null
# (note: hash keys come out in no fixed order, so this may run after the scan below)
$Cmds{'/dev/null'}   = "/usr/local/bin/rkhunter --update";
$Cmds{'rootkithunt'} = "/usr/local/bin/rkhunter -c --noappend-log --sk --nocolors";
$Cmds{'iptables'}    = "/sbin/iptables --list";
$Cmds{'listening'}   = "netstat -putan | grep -i listen";

### main loop ###
for my $file (keys %Cmds) {
    my $cmd = $Cmds{$file};
    ### run each command on $host and print the
    ### output to $file
    run_command($cmd, $file, $host);
}
exit 0;

sub run_command {
    my ($cmd, $file, $host) = @_;
    # system() returns only the wait status; the command's stdout is
    # redirected into $file in the current directory (/data)
    my $exit = system("$cmd > $file");
    warn "$cmd exited with status ", $exit >> 8, "\n" if $exit != 0;
    return;
}
++++++++++++++++++++++++++++++++++
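The hourly wrapper Mike describes (run the collector, diff against the previous snapshot, mail only on change, then rotate) written out as one shell script; this is an added example, not code from the original post. The collector path /usr/local/bin/collect.pl, the DATA/BACKUP/LOG defaults and the MAILTO address are assumptions.

```shell
#!/bin/sh
# Hourly snapshot-diff wrapper around the Perl collector.
# All paths below are assumptions; override them via the environment.
DATA=${DATA:-/data}
BACKUP=${BACKUP:-/home/backup/files}
LOG=${LOG:-/home/mike/backup-ids.log}
MAILTO=${MAILTO:-root@localhost}   # placeholder recipient
COLLECTOR=${COLLECTOR:-/usr/local/bin/collect.pl}

# Compare the previous snapshot ($1) with the fresh one ($2).
# Prints a unified diff and returns 1 when anything changed, 0 otherwise.
# -a: treat every file as text, -b/-B: ignore whitespace and blank-line churn,
# -r: recurse, -u: unified output, -N: report files that appeared or vanished.
snapshot_diff() {
    prev=$1; cur=$2
    if diff -a -b -B -r -u -N "$prev" "$cur"; then
        return 0
    else
        return 1
    fi
}

# Make the fresh snapshot the baseline for the next run.
# --delete also drops baseline files whose source vanished (e.g. a cron entry removed).
rotate_snapshot() {
    prev=$1; cur=$2
    mkdir -p "$prev"
    rsync -a --delete "$cur"/ "$prev"/
}

main() {
    "$COLLECTOR"
    # Only send mail when the snapshot differs from the baseline.
    if ! report=$(snapshot_diff "$BACKUP" "$DATA"); then
        printf '%s\n' "$report" | mail -s "IDS diff on $(hostname)" "$MAILTO"
    fi
    echo "Backing up config files..." >> "$LOG"
    rotate_snapshot "$BACKUP" "$DATA" >> "$LOG" 2>> "${LOG%.log}.err"
    echo "" >> "$LOG"
}

# Run the pipeline only when invoked as "collect-wrapper.sh run" (e.g. from cron),
# so the functions can also be sourced and tested on their own.
if [ "${1:-}" = run ]; then
    main
fi
```

A new LISTEN line, a changed md5sum or an extra setuid file shows up as a `+` line in the mailed diff; nothing is sent when the two snapshots match.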