Chkrootkit - How to determine whether the system is infected with a rootkit

In this article you will find questions such as: what is a rootkit? How do I install chkrootkit? How do I run chkrootkit? I found a rootkit, what should I do? Which rootkits, worms and LKMs are currently detected? Common vulnerabilities and exposures of chkrootkit.


By: Profile removed, on 12/04/2017


License, books, articles and people who contributed to the project



License information

Chkrootkit is free software. The license information is available in chkrootkit's COPYRIGHT file:
Some books and articles that mention chkrootkit:
  • Linux Security Cookbook, published by O'Reilly, by Daniel J. Barrett, Robert G. Byrnes and Richard Silverman. chkrootkit is mentioned in chapter 9.
  • Security Warrior, published by O'Reilly, by Anton Chuvakin and Cyrus Peikari. chkrootkit is mentioned in chapters 10 and 19.
  • Network Security Hacks, published by O'Reilly, by Andrew Lockhart. Hack #99 shows how to use chkrootkit to determine the extent of a compromise.
  • Malware: Fighting Malicious Code, published by Prentice Hall PTR, by Ed Skoudis and Lenny Zeltser. chkrootkit is mentioned in chapters 1, 2 and 3.
  • (German) Intrusion Detection für Linux-Server, by Ralf Spenneberg. chkrootkit is described in chapter 16.
  • Linux Troubleshooting Bible, by Christopher Negus and Thomas Weeks. chkrootkit is mentioned in chapter 10.

The following people have contributed to the chkrootkit project:
  • Agustin Navarro (debug help)
  • Alberto Courrege Gomide (debug help)
  • Andre Gustavo de Carvalho Albuquerque (debug, performance and Solaris patches)
  • Dave Ansalvish (Solaris debug help)
  • Bruno Lopes (debug help)
  • Daniel Lafraia (source code addition)
  • Josh Karp (debug help for Solaris 8)
  • Klaus Steding-Jessen (debug, lots of good suggestions and LKM check Perl code)
  • Paulo C. Marques F. (debug help)
  • Pedro Vazquez (lots of good suggestions)
  • Richard Eisenman (Red Hat support)
  • Manfred Bartz (debug help)
  • Luiz E. R. Cordeiro (debug help)
  • Vince Hillier (debug help)
  • Steve Campbell (Solaris bug fixes)
  • Strashimir Mihnev (new rootkit)
  • Patrick Duane Dunston (Adore LKM detection)
  • Rudolf Leitgeb (chklastlog bug fix)
  • Marcos Aguinaldo Forquesato (Solaris debug)
  • scz (check_wtmpx code)
  • Yaroslav Polyakov (inetdconf function)
  • Andreas Tirok (chklastlog patch)
  • Sean D. True (strings.c)
  • Leif Neland (duarawkz rootkit)
  • Kaveh Goudarzi (Pizdakit rootkit)
  • m0xx (monkit and Bobkit rootkits)
  • Bob Grabowsky and Mihai Sandu (t0rn v8.0 variant)
  • Razvan Cosma (new rootkit)
  • Kostya Kortchinsky (chkproc patch)
  • Frank Haverkamp (new rootkit)
  • Ludovic Drolez (new rootkit)
  • Dan Irwin (new rootkit)
  • Anton Chuvakin (new rootkit)
  • Steve Collins (new rootkit)
  • Indra Kusuma (new rootkit)
  • Mark Newby (new rootkit)
  • anonymous (new rootkit)
  • Gerard van Wageningen (chklastlog.c)
  • Morohoshi Akihiko, Kostya Kortchinsky and Aaron Sherman (chkproc.c)
  • Andrey Chernomyrdin (new rootkit)
  • Razvan Cosma (new rootkit)
  • zeno (new rootkits)
  • Hal Pomeranz (chkdirs.c)
  • marc (Bug report)
  • Piete Brooks (patches for chkrootkit)
  • Kostya Kortchinsky (chkproc Solaris port)
  • Jan Brinham (chkrootkit additions)
  • Paulo Rodrigo (Bug report)
  • Andreas Unterluggauer (Bug report)
  • Mihnea Stoenescu (ideas for chkrootkit)
  • Anton Chuvakin (new rootkit)
  • Russ Reynaga (SunOS debug/tests)
  • ymailer (lots of rootkits)
  • Junichi Murakami (Adore detection method)
  • Gerard Breiner (HP-UX Port)
  • Andrea Barbieri (SunOS debug)
  • Matthew Deatherage (Bug report)
  • Eduardo Bacchi Kienetz (Slapper-B detection)
  • aka br (SiN Rootkit)
  • Ymailer (shv4, Big and Aquatica)
  • Eduardo Bacchi (shv4)
  • T. Tanaka (bug fix)
  • Jan Iven (suckit tests)
  • Rob Thomas
  • Michael Griego (chkproc NPTL threading mechanisms patch)
  • Marcel Haman (additional Suckit detection)
  • Andreas Grundle (Volc Rootkit)
  • Bejamin Molitor (Gold2 Rootkit)
  • James Mackinnon (TC2 Worm)
  • Joshua J Robinson (Anonoying Rootkit)
  • Bill Orvis (ZK Rootkit)
  • Thomas Davidson (BSDI support)
  • Bill DuPree (chkproc.c fix)
  • Jeremy H. Brown (-r option corrections)
  • Jason Montleon (bug report)
  • Djony W Tambosi (bug report)
  • Benjamin Schudz (bug report)
  • Eugene Tsyrklevich (bug report)
  • Michael Dorrington (web page)
  • Ragnar Rova (write test fix)
  • Chris Campbell (C++ comments causing problems on old Solaris compilers)
  • Markus Alt (Typo)
  • Egon Eckert (tcpd test at debian)
  • Silvio and nacho (zaRwT rootkit)
  • Lantz Moore (promisc test on Linux kernels 2.[46].x)
  • Marcel Haman (another Suckit sign)
  • Alfred (found sniffer in another area (/usr/lib))
  • Ymailer (several CGI backdoors)
  • Dietrich Raisin (del counter fix in chkwtmp.c)
  • Patrick Gosling (tnfs function improvement)
  • Mikhail Zotov (bug report)
  • Michael Schwendt (patches)
  • Yukio Yamada (bug report)
  • h0nIng (Fu rootkit)
  • Jeff Kuehn (bug report)
  • Jeremy Miller (chkutmp)
  • Cristine Hoepers (chkrootkit homepage redesign using valid strict XHTML)
  • Ighighi X (chkutmp)
  • Jeromie Andrei (chkwtmp)
  • Aaron Harwood
  • Yjesus (unhide) (chkproc.c)
  • Slider/Flimbo (chkproc.c)
  • UnSpawn (error reports)
  • Milan Kerslager (new rootkits signs)
  • Gary Funk (new rootkits signs)
  • Florian Gleixne (Solaris bug report and patch)
  • Andre Russ (bug report and crontab patch)
  • Michael Schwendt (OpenBSDrk v1 false positives on linux boxes)
  • Johann Burkard (r57 backdoor report)
  • Lieven De Keyzer (bug report)
  • Bartosz Lis (bug report and patch)
  • Ken Olum (bug report)
  • Steve Pirk (Slackware crontab bug report and patch)
  • Scott A. McIntyre (nice ideas)
  • Lorenzo Patocchi (new rootkit signs)
  • NIDE, Naoyuki (Bug report in chkdirs.c)
  • Steve Pirk (Bug report in slackware's crontab)
  • Michael Schwendt (Bug report and patch)
  • Michael Grant (Bug report and patch)
  • Ondrej Svetlik (new rootkit)
  • Enrico Zini (Bug report and patch)


Article pages
   1. What is a rootkit
   2. I found a rootkit, what should I do?
   3. License, books, articles and people who contributed to the project
   4. Common vulnerabilities and exposures of chkrootkit
Comments
[1] Comment posted by Freud_Tux on 12/04/2017 - 09:30h

Good text!

The best tip, without a doubt, was about taking the machine off the network and running a "live" system with chkrootkit to attest to the machine's health.
You could have suggested some systems that come with chkrootkit already installed, since it would make life easier and would avoid the target machine being connected to the Internet in any way, because, depending on the rootkit, it may lodge itself inside the ESP partition and somehow try to reach the live system over the Internet. In this case, prevention is better than cure.

Added to favorites ;)

See you
-------------------------------------------------------------------------------------------------------------------------------------------------
Noob: "[...] I'm still very much a noob at using the terminal, so I need 'pre-chewed' help to operate it."
zhushazang: "I'm old and my teeth are worn down. Study Linux: www.guiafoca.org";

[2] Comment posted by pinguintux on 14/04/2017 - 09:09h

Congratulations on the excellent article. Very well put together, objective and enlightening. I've already added it to my favorites!

[3] Comment posted by rodriguessouzape on 04/05/2017 - 16:09h

Very good

[4] Comment posted by killuaz on 01/06/2017 - 18:59h

Help me!! What does this mean? It showed up in the scan.
in /var/run/utmp !
! RUID PID TTY CMD
! 3;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel- 0 3;3,13,3553;3,14,3553;3,15,3553;4,3;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel- 553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-
! 3;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel- 0 3;3,13,3553;3,14,3553;3,15,3553;4,3;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel- 553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-
! 3;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel- 0 3;3,13,3553;3,14,3553;3,15,3553;4,3;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel- 553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-
! 3;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel- 0 3;3,13,3553;3,14,3553;3,15,3553;4,3;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel- 553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-
! 4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=11F6EB8A391CAD 3553 3;3,15,3553;4,0,3553;4,1,3553;4,2,4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=11F6EB8A391CAD 3;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=11F6EB8A391CAD

