{"id":3135,"date":"2023-02-10T09:42:39","date_gmt":"2023-02-10T00:42:39","guid":{"rendered":"https:\/\/www.kinryo.net\/?p=3135"},"modified":"2023-06-07T15:06:22","modified_gmt":"2023-06-07T06:06:22","slug":"%ef%bc%95%ef%bc%9arootkit%e3%81%ae%e3%82%a4%e3%83%b3%e3%82%b9%e3%83%88%e3%83%bc%e3%83%ab","status":"publish","type":"post","link":"https:\/\/www.kinryo.net\/?p=3135","title":{"rendered":"\uff15\uff1arootkit\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb"},"content":{"rendered":"

\u53c2\u8003\uff1ahttps:\/\/centossrv.com\/almalinux\/chkrootkit.shtml
\n#<\/span> git clone https:\/\/github.com\/Magentron\/chkrootkit.git\u3000\u3000\u2190 <\/span><\/span>rootkit\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9
\n#<\/span> cp chkrootkit\/chkrootkit \/usr\/local\/bin\/\u3000\u3000\u2190 <\/span><\/span>\u4fdd\u5b58\u5834\u6240\u306e\u5909\u66f4
\n<\/span>#<\/span> rm -rf chkrootkit\u3000\u3000\u2190 <\/span><\/span>\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u305fchkrootkit\u3092\u524a\u9664 <\/span>
\n#<\/span> chkrootkit | grep INFECTED\u3000\u3000\u2190 <\/span><\/span>chkrootkit\u5b9f\u884c<\/span><\/span>
\nChecking `chsh’…<\/span> INFECTED<\/span><\/strong>
\n\u3042\u308a\u3083\u30fc\u3001chsh\u304c\u6c5a\u67d3\u3055\u308c\u3066\u3044\u308b\uff01almalinux\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u305f\u3070\u304b\u308a\u306a\u306e\u3067\u3001\u8aa4\u691c\u77e5\u3060\u3068\u306f\u601d\u3046\u304c\u3001chsh\u3067\u4f55\u3060\uff1f\u4f7f\u3063\u305f\u3053\u3068\u306f\u7121\u3044\u306e\u3067\u8abf\u3079\u308b\u3068\u3001
\n\u30ed\u30b0\u30a4\u30f3\u6642\u306e\u30b7\u30a7\u30eb\u3092\u5909\u66f4\u3059\u308b\u30b3\u30de\u30f3\u30c9<\/em><\/span>\u3060\u3063\u305f\u3002
\n\u79c1\u306f\u30ed\u30b0\u30a4\u30f3\u30b7\u30a7\u30eb\u3092\u5909\u66f4\u3057\u306a\u3044\u306e\u3067\u3001\u524a\u9664\u3057\u3066\u7f6e\u3044\u305f\u3002\uff08\u5834\u6240\u306f \/usr\/bin\/chsh\uff09
\n\u518d\u5ea6\u30c1\u30a7\u30c3\u30af
\n# <\/span>chkrootkit | grep INFECTED<\/span>
\n\u4eca\u5ea6\u306f\u4f55\u3082\u8868\u793a\u3055\u308c\u306a\u3044\u306e\u3067OK<\/span>
\n\u3042\u308b\u6642\u3001\u30b5\u30d6\u30db\u30b9\u30c8\u306ealmalinux8\u3067\u3084\u3063\u305f\u6642\u3082
\nSearching for Linux.Xor.DDoS … INFECTED<\/span>: Possible Malicious Linux.Xor.DDoS installed
\n\u3068\u306a\u3063\u305f\u306e\u3067\u3001\/tmp\u3092\u8abf\u3079\u308b\u3068ks-script-a4bxme_e\u3068ks-script-x04f19_9\u306b\u5b9f\u884c\u30d5\u30e9\u30b0\u304c\u4ed8\u3044\u3066\u3044\u305f\u306e\u3067\u3001\u305d\u308c\u3092\u5916\u3057\u3001\u518d\u5ea6\u30c1\u30a7\u30c3\u30af\u3057\u305f\u3089\u3001OK\u3060\u3063\u305f\u3002<\/span><\/span><\/p>\n

chkrootkit\u5b9f\u884c\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u6bce\u65e5\u81ea\u52d5\u5b9f\u884c\u3055\u308c\u308b\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3078\u4f5c\u6210<\/span>
\n<\/span>#<\/span> gedit <\/span><\/span><\/span>\/etc\/cron.daily\/chkrootkit<\/span><\/p>\n

#!\/bin\/bash\r\n\r\nLOG=\/tmp\/$(basename ${0})\r\n\r\n# chkrootkit\u5b9f\u884c\r\nchkrootkit > $LOG 2>&1\r\n\r\n# \u30ed\u30b0\u51fa\u529b\r\ncat $LOG | logger -t $(basename ${0})\r\n\r\n# SMTPS\u306ebindshell\u8aa4\u691c\u77e5\u5bfe\u5fdc\r\nif [ ! -z \"$(grep 465 $LOG)\" ] && \\\r\n   [ -z $(\/usr\/sbin\/lsof -i:465|grep bindshell) ]; then\r\n        sed -i '\/465\/d' $LOG\r\nfi\r\n\r\n# upstart\u30d1\u30c3\u30b1\u30fc\u30b8\u66f4\u65b0\u6642\u306eSuckit\u8aa4\u691c\u77e5\u5bfe\u5fdc\r\nif [ ! -z \"$(grep Suckit $LOG)\" ] && \\\r\n   [ -z \"$(rpm -V `rpm -qf \/sbin\/init`)\" ]; then\r\n        sed -i '\/Suckit\/d' $LOG\r\nfi\r\n\r\n# rootkit\u691c\u77e5\u6642\u306e\u307froot\u5b9b\u30e1\u30fc\u30eb\u9001\u4fe1\r\n[ ! -z \"$(grep INFECTED $LOG)\" ] && \\\r\ngrep INFECTED $LOG | mail -s \"chkrootkit report in `hostname`\" root\r\n<\/span><\/span><\/span><\/pre>\n
chkrootkit\u5b9f\u884c\u30b9\u30af\u30ea\u30d7\u30c8\u3078\u5b9f\u884c\u6a29\u9650\u4ed8\u52a0
\n#<\/span> chmod 700 \/etc\/cron.daily\/chkrootkit
\n\u30b3\u30de\u30f3\u30c9\u304c\u6539\u7ac4\u3055\u308c\u305f\u5834\u5408\u306b\u5099\u3048\u3066\u3001\u6c5a\u67d3\u306e\u306a\u3044\u30b3\u30de\u30f3\u30c9\u8ecd\u3092\u4fdd\u5b58\u3057\u3066\u304a\u304f
\n<\/span><\/span>#<\/span> mkdir chkrootkitcmd<\/span>\u3000\u2190\u3000chkrootkit\u4f7f\u7528\u30b3\u30de\u30f3\u30c9\u9000\u907f\u5148\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u4f5c\u6210 <\/span>
\n#<\/span> cp `which –skip-alias awk cut echo egrep find head id ls netstat ps strings sed ssh uname` chkrootkitcmd\/<\/span>\u3000\u2190\u3000chkrootkit\u4f7f\u7528\u30b3\u30de\u30f3\u30c9\u3092\u9000\u907f\u5148\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3078\u30b3\u30d4\u30fc #<\/span> chkrootkit -p \/root\/chkrootkitcmd|grep INFECTED<\/span>\u3000\u2190\u3000\u8a66\u3057\u306b\u9000\u907f\u3057\u305fchkrootkit\u4f7f\u7528\u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u7528\u3057\u3066chkrootkit\u5b9f\u884c
\n#<\/span> zip -r chkrootkitcmd.zip chkrootkitcmd\/ && rm -rf chkrootkitcmd<\/span>\u3000\u2190\u3000chkrootkit\u4f7f\u7528\u30b3\u30de\u30f3\u30c9\u9000\u907f\u5148\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3092\u5727\u7e2e\u3057\u3066\u524a\u9664
\n# <\/span>echo|mail -a chkrootkitcmd.zip -s chkrootkitcmd.zip root<\/span>\u3000\u2190\u3000chkrootkit\u4f7f\u7528\u30b3\u30de\u30f3\u30c9(\u5727\u7e2e\u7248)\u3092root\u5b9b\u306b\u30e1\u30fc\u30eb\u9001\u4fe1
\n#<\/span> rm -f chkrootkitcmd.zip<\/span>\u3000\u2190\u3000chkrootkit\u4f7f\u7528\u30b3\u30de\u30f3\u30c9(\u5727\u7e2e\u7248)\u524a\u9664 <\/span><\/p>\n
 <\/p>\n
<\/span><\/p>\n
<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"
\u53c2\u8003\uff1ahttps:\/\/centossrv.com\/almalinux\/chkrootkit.shtml # git clone https:\/\/github.com\/Magentron\/chkrootkit.git\u3000\u3000\u2190 … \u7d9a\u304d\u3092\u8aad\u3080 →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"sns_share_botton_hide":"","vkExUnit_sns_title":"","_vk_print_noindex":"","sitemap_hide":"","_veu_custom_css":"","veu_display_promotion_alert":"","vkexunit_cta_each_option":"","footnotes":""},"categories":[27],"tags":[],"class_list":["post-3135","post","type-post","status-publish","format-standard","hentry","category-almalinux"],"acf":[],"veu_head_title_object":{"title":"","add_site_title":""},"_links":{"self":[{"href":"https:\/\/www.kinryo.net\/index.php?rest_route=\/wp\/v2\/posts\/3135","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kinryo.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kinryo.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kinryo.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kinryo.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3135"}],"version-history":[{"count":6,"href":"https:\/\/www.kinryo.net\/index.php?rest_route=\/wp\/v2\/posts\/3135\/revisions"}],"predecessor-version":[{"id":3373,"href":"https:\/\/www.kinryo.net\/index.php?rest_route=\/wp\/v2\/posts\/3135\/revisions\/3373"}],"wp:attachment":[{"href":"https:\/\/www.kinryo.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kinryo.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kinryo.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}