RE: Rootkit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> On Tuesday 23 October 2007 23:16:47 Jordi Prats wrote:
> > But it does check for some listening ports. There is not a 
> better tool 
> > for that?
> >
> > Maybe a combination of chkrootkit -d with some AV? Any 
> recomendation?
> >
> 
> Secondly, you do not need for chkrootkit to do that, just 
> netstat -putan | grep -i listen will do the trick. In fact, I 
> have set up a small script which run that every hour and send 
> an email with the results to my account, I'm a wee paranoic, 
> I know, but... :-)
> 

Jordi, one of the tools I use is a small pearl script (see below) that collects data in various ways and creates text files from them in whatever directory you want.  I then use a shell script that diffs the output of that script with the output from an hour ago with:

    diff -a -b -B -p -r -u /home/backup/files /data/

After that output is mailed to me (only if there is a difference) I move the files I just created over to the directory I check against the next time I run the script:

    echo "Backing up config files..." >> /home/mike/backup-ids.log
    rsync -a --delete /data/* /home/backup/files >> /home/mike/backup-ids.log 2>> /home/mike/backup-ids.err
    echo "" >> /home/mike/backup-ids.log

This allows you to use root kit hunters (ckrootkit & rkhunter) as well as simple tools like the listen script Manuel uses....


+++++++++++++++++++++++++++++++++

#!/usr/bin/perl -w

use strict;

my %Cmds;
my $host = qw(MyHostName);
my $user = "root";

chdir "/data";

my @md5files = qw(/bin/login
                  /usr/bin/passwd
                  /bin/ps);


my ($Second, $Minute, $Hour, $Day, $Month, $Year, $WeekDay, $DayOfYear, $IsDST) = localtime(time);

if ($Hour == 8) {
    $Cmds{'disk.usage'} = "df -lk";
}

$Cmds{'md5sigs'} = "md5sum @md5files";
$Cmds{'suidfiles'} = "find / -type f -perm +6000 |xargs ls -l";
$Cmds{'cron.root'} = "crontab -l -u root";
#$Cmds{'chkroot'} = "/usr/bin/chkrootkit";
$Cmds{'/dev/null'} = "/usr/local/bin/rkhunter --update";
$Cmds{'rootkithunt'} = "/usr/local/bin/rkhunter -c --noappend-log --sk --nocolors";
$Cmds{'iptables'} = "/sbin/iptables --list";
$Cmds{'listening'} = "netstat -putan | grep -i listen";

### main loop ###
for my $file (keys %Cmds) {
    my $cmd = $Cmds{$file};

    ### run each command on $host and print the
    ### output to $file
    &run_command($cmd, $file, $host);
}
exit 0;

sub run_command() {
    my ($cmd, $file, $host) = @_;

    my ($stdout, $stderr, $exit) = system($cmd." > $file");
    return;
}

++++++++++++++++++++++++++++++++++

No virus found in this outgoing message.
Checked by AVG Free Edition. 
Version: 7.5.503 / Virus Database: 269.15.6/1086 - Release Date: 10/22/2007 7:57 PM
 


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux