{"id":1426,"date":"2019-01-06T13:46:49","date_gmt":"2019-01-06T04:46:49","guid":{"rendered":"http:\/\/www.kinryo.net\/?p=1426"},"modified":"2019-01-06T13:46:52","modified_gmt":"2019-01-06T04:46:52","slug":"9%ef%bc%9arootkit%e6%a4%9c%e7%9f%a5%e3%83%84%e3%83%bc%e3%83%ab%e5%b0%8e%e5%85%a5chkrootkit","status":"publish","type":"post","link":"https:\/\/www.kinryo.net\/?p=1426","title":{"rendered":"9\uff1arootkit\u691c\u77e5\u30c4\u30fc\u30eb\u5c0e\u5165(chkrootkit)"},"content":{"rendered":"\n<pre class=\"wp-block-preformatted\">schkrootkit\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<br># wget ftp:\/\/ftp.pangeia.com.br\/pub\/seg\/pac\/chkrootkit.tar.gz<br>chkrootkit.tar.gz\u3092\u5c55\u958b\u3059\u308b<br># tar zxvf chkrootkit.tar.gz<br>\u5b9f\u884c\u30d5\u30a1\u30a4\u30eb\u3092\/bin\u306b\u79fb\u52d5\u3059\u308b<br># mkdir -p ~\/bin &amp;&amp; mv chkrootkit-0.50\/chkrootkit ~\/bin<br>\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u305f\u30d5\u30a1\u30a4\u30eb\u3068\u5c55\u958b\u5148\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30fc\u3092\u524a\u9664<br># rm -f chkrootkit.tar.gz<br># rm -rf chkrootkit-0.50<br><br>chkrootkit\u306e\u5b9f\u884c<br># chkrootkit | grep INFECTED<br>\u5909\u306a\u30d5\u30a1\u30a4\u30eb\u304c\u7121\u3051\u308c\u3070\u3001\u4f55\u3082\u8868\u793a\u3055\u308c\u306a\u3044\u304c<br>Searching for Linux.Xor.DDoS \u2026 <strong>INFECTED<\/strong>: Possible Malicious Linux.Xor.DDoS installed<br>\u3068\u8868\u793a\u3055\u308c\u305f\uff01\uff01<br>\u79c1\u306e\u5148\u751f\u306ecentossrv.com\u306e\u8cea\u554f\u63b2\u793a\u677f\u306b\u3082\u540c\u69d8\u306e\u66f8\u304d\u8fbc\u307f\u304c<a href=\"https:\/\/centossrv.com\/patio\/centossrv.cgi?read=3066\">https:\/\/centossrv.com\/patio\/centossrv.cgi?read=3066<\/a><br>\u3053\u3053\u3092\u898b\u308b\u3068\u3001\u3069\u3046\u3082\u8aa4\u691c\u77e5\u307f\u305f\u3044\u3060\u3002<br># find \/tmp -executable -type f<br>\/tmp\/ks-script-DuXVBx \u3068\u8868\u793a\u3055\u308c\u305f\u3002<br>\u3053\u306eks-script-DuXVBx\u306e\u5b9f\u884c\u6a29\u9650\u3092\u5916\u3057\u3066\u3001\u518d\u5ea6<br># chkrootkit | grep INFECTED<br>\u3067\u306f\u4f55\u3082\u8868\u793a\u3055\u308c\u306a\u304b\u3063\u305f\u3002<br>\u6bce\u65e5chkrootkit\u3092\u52d5\u304b\u3059\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u4f5c\u308b<br># gedit \/etc\/cron.daily\/chkrootkit<br><br>#!\/bin\/sh<br>PATH=\/usr\/bin:\/bin:\/root\/bin<br>LOG=\/tmp\/$(basename ${0})<br># chkrootkit\u5b9f\u884c<br>chkrootkit > $LOG 2>&amp;1<br># \u30ed\u30b0\u51fa\u529b<br>cat $LOG | logger -t $(basename ${0})<br># SMTPS\u306ebindshell\u8aa4\u691c\u77e5\u5bfe\u5fdc<br>if [ ! -z \"$(grep 465 $LOG)\" ] &amp;&amp; \\<br>   [ -z $(\/usr\/sbin\/lsof -i:465|grep bindshell) ]; then<br>        sed -i '\/465\/d' $LOG<br>fi<br># upstart\u30d1\u30c3\u30b1\u30fc\u30b8\u66f4\u65b0\u6642\u306eSuckit\u8aa4\u691c\u77e5\u5bfe\u5fdc<br>if [ ! -z \"$(grep Suckit $LOG)\" ] &amp;&amp; \\<br>   [ -z \"$(rpm -V <code>rpm -qf \/sbin\/init<\/code>)\" ]; then<br>        sed -i '\/Suckit\/d' $LOG<br>fi<br># rootkit\u691c\u77e5\u6642\u306e\u307froot\u5b9b\u30e1\u30fc\u30eb\u9001\u4fe1<br>[ ! -z \"$(grep INFECTED $LOG)\" ] &amp;&amp; \\<br>grep INFECTED $LOG | mail -s \"chkrootkit report in <code>hostname<\/code>\" root<br><br>\u3053\u308c\u3067\u4e07\u304c\u4e00 rootkit\u304c\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3055\u308c\u5834\u5408\u306f\u30e1\u30fc\u30eb\u304c\u6765\u308b\u3002<br>\u3053\u306e\u5f8c\u3001<a href=\"https:\/\/centossrv.com\/chkrootkit.shtml\">https:\/\/centossrv.com\/chkrootkit.shtml<\/a><br>\u3092\u53c2\u8003\u306b\u30b3\u30de\u30f3\u30c9\u7fa4\u306e\u9000\u907f\u3092\u884c\u3063\u3066\u304a\u304f\u3002<br><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>schkrootkit\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb# wget ftp:\/\/ftp.pangeia.com.br\/pub\/seg\/pac\/chkrootkit.tar.gzchkrootkit.tar.gz\u3092\u5c55\u958b\u3059\u308b# tar zxv &hellip; <a href=\"https:\/\/www.kinryo.net\/?p=1426\">\u7d9a\u304d\u3092\u8aad\u3080 <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"sns_share_botton_hide":"","vkExUnit_sns_title":"","_vk_print_noindex":"","sitemap_hide":"","_veu_custom_css":"","veu_display_promotion_alert":"","vkexunit_cta_each_option":"","footnotes":""},"categories":[16],"tags":[],"class_list":["post-1426","post","type-post","status-publish","format-standard","hentry","category-centos7"],"acf":[],"veu_head_title_object":{"title":"","add_site_title":""},"_links":{"self":[{"href":"https:\/\/www.kinryo.net\/index.php?rest_route=\/wp\/v2\/posts\/1426","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kinryo.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kinryo.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kinryo.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kinryo.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1426"}],"version-history":[{"count":4,"href":"https:\/\/www.kinryo.net\/index.php?rest_route=\/wp\/v2\/posts\/1426\/revisions"}],"predecessor-version":[{"id":1430,"href":"https:\/\/www.kinryo.net\/index.php?rest_route=\/wp\/v2\/posts\/1426\/revisions\/1430"}],"wp:attachment":[{"href":"https:\/\/www.kinryo.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1426"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kinryo.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1426"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kinryo.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1426"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}