
Rootkit Hunter: scanning for malicious programs

Author: 喀拉峻
  • 17 February 2022

Rootkit Hunter (rkhunter) detects malicious programs and malicious code; it is mainly used to find common backdoor programs.

Download: https://pkgs.org/search/rkhunter

Install: rpm -ivh rkhunter*

Installed: lsof.x86_64 0:4.82-4.el6 mailx.x86_64 0:12.4-7.el6   # these two dependencies must be installed first

Scanning the system:

rkhunter -h   # show the available options

-c            # check the local system

--sk          # do not wait for a keypress after each test

Example: rkhunter -c --sk

[root@m0p ~]# rkhunter -h

Usage: rkhunter {--check | --unlock | --update | --versioncheck |
                 --propupd [{filename | directory | package name},...] |
                 --list [{tests | {lang | languages} | rootkits | perl | propfiles}] |
                 --config-check | --version | --help} [options]

Current options are:
        --append-log                    Append to the logfile, do not overwrite
        --bindir <directory>...         Use the specified command directories
    -c, --check                         Check the local system
    -C, --config-check                  Check the configuration file(s), then exit
        --cs2, --color-set2             Use the second color set for output
        --configfile <file>             Use the specified configuration file
        --cronjob                       Run as a cron job
                                        (implies -c, --sk and --nocolors options)
        --dbdir <directory>             Use the specified database directory
        --debug                         Debug mode
                                        (Do not use unless asked to do so)
        --disable <test>[,<test>...]    Disable specific tests
                                        (Default is to disable no tests)
        --display-logfile               Display the logfile at the end
        --enable <test>[,<test>...]     Enable specific tests
                                        (Default is to enable all tests)
        --hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |
                NONE | <command>}       Use the specified file hash function
                                        (Default is SHA1, then MD5)
    -h, --help                          Display this help menu, then exit
        --lang, --language <language>   Specify the language to use
                                        (Default is English)
        --list [tests | languages |     List the available test names, languages,
                rootkits | perl |       rootkit names, perl module status
                propfiles]              or file properties database, then exit
    -l, --logfile [file]                Write to a logfile
                                        (Default is /var/log/rkhunter.log)
        --noappend-log                  Do not append to the logfile, overwrite it
        --nocf                          Do not use the configuration file entries
                                        for disabled tests (only valid with --disable)
        --nocolors                      Use black and white output
        --nolog                         Do not write to a logfile
        --nomow, --no-mail-on-warning   Do not send a message if warnings occur
        --ns, --nosummary               Do not show the summary of check results
        --novl, --no-verbose-logging    No verbose logging
        --pkgmgr {RPM | DPKG | BSD |    Use the specified package manager to obtain or
                  SOLARIS | NONE}       verify file property values. (Default is NONE)
        --propupd [file | directory |   Update the entire file properties database,
                   package]...          or just for the specified entries
    -q, --quiet                         Quiet mode (no output at all)
        --rwo, --report-warnings-only   Show only warning messages
        --sk, --skip-keypress           Don't wait for a keypress after each test
        --summary                       Show the summary of system check results
                                        (This is the default)
        --syslog [facility.priority]    Log the check start and finish times to syslog
                                        (Default level is authpriv.notice)
        --tmpdir <directory>            Use the specified temporary directory
        --unlock                        Unlock (remove) the lock file
        --update                        Check for updates to database files
        --vl, --verbose-logging         Use verbose logging (on by default)
    -V, --version                       Display the version number, then exit
        --versioncheck                  Check for latest version of program
    -x, --autox                         Automatically detect if X is in use
    -X, --no-autox                      Do not automatically detect if X is in use

Building from source

1. Download rkhunter

wget http://sourceforge.net/projects/rkhunter/files/latest/download
wget http://download.slogra.com/rootkit/rkhunter-1.4.0.tar.gz

2. Install rkhunter

tar zxf rkhunter-1.4.0.tar.gz && cd rkhunter-1.4.0
./installer.sh --layout default --install

Note: if no errors are reported, you can start scanning right away.

3. Check for rootkits

Run rkhunter --checkall or rkhunter -c. If a red Warning appears, investigate it; if the finding turns out to be harmless, add it to the whitelist in rkhunter.conf. See rkhunter --help for the available options.
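The step above leaves the administrator with a list of Warning lines to triage. The POSIX shell helpers below are an added example, not code from the post or from the rkhunter project: they count the warnings printed by rkhunter --cronjob --rwo (cron mode implies -c, --sk and --nocolors; --rwo prints only warnings) and, for the three warning types a benign false positive usually produces, print the rkhunter.conf directive (ALLOWHIDDENDIR, ALLOWHIDDENFILE, SCRIPTWHITELIST) that would whitelist it, so the admin can review each one before editing the file. The sample scan output is constructed.

```shell
#!/bin/sh
# Added example (not from the post or from rkhunter): triage helpers for the
# output of "rkhunter --cronjob --rwo".

# Constructed sample of what such a run prints; not real scan output.
sample_output() {
    cat <<'EOF'
Warning: The command '/usr/bin/lsof' has been replaced by a script: /usr/bin/lsof: POSIX shell script text executable
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data
EOF
}

# Number of warning lines on stdin (prints 0 when the scan was clean).
count_warnings() {
    grep -c '^Warning:' || true
}

# For each warning on stdin, print the rkhunter.conf directive that would
# whitelist it. Nothing is written to rkhunter.conf: the admin must first
# confirm the finding is benign (e.g. a file owned by a known package).
# Warnings of any other kind (e.g. a modified binary) get no suggestion,
# because they need investigation rather than a whitelist entry.
suggest_whitelist() {
    q="'"
    while IFS= read -r line; do
        case "$line" in
            "Warning: Hidden directory found: "*)
                path=${line#"Warning: Hidden directory found: "}
                printf 'ALLOWHIDDENDIR=%s\n' "${path%%:*}" ;;
            "Warning: Hidden file found: "*)
                path=${line#"Warning: Hidden file found: "}
                printf 'ALLOWHIDDENFILE=%s\n' "${path%%:*}" ;;
            "Warning: The command '"*"' has been replaced by a script"*)
                path=${line#"Warning: The command '"}
                printf 'SCRIPTWHITELIST=%s\n' "${path%%"$q"*}" ;;
        esac
    done
}

# Real use, once rkhunter is installed:
#   rkhunter --cronjob --rwo > /tmp/rkh-warnings.txt
#   count_warnings < /tmp/rkh-warnings.txt
#   suggest_whitelist < /tmp/rkh-warnings.txt
sample_output | suggest_whitelist
```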
