How to solve the Linux backdoor intrusion detection tools and the latest bash vulnerabilities

2025-04-09 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

This article covers two Linux backdoor detection tools, chkrootkit and RKHunter, and closes with a note on the newly disclosed bash vulnerability. The methods are simple, fast and practical, and each is shown with the commands and the output you should expect.

What is rootkit?

A rootkit is the most common kind of Trojan backdoor on the Linux platform. It achieves intrusion and concealment mainly by replacing system files, which makes it more dangerous and better hidden than an ordinary Trojan: common detection tools and manual inspection rarely find it. A rootkit has strong attack capability and does great harm to the system. It combines a set of tools that establish backdoors and hide traces, so that the attacker retains privileges and can log in to the system as root at any time.

There are two main types of rootkit, file level and kernel level, briefly described below.

1. File-level rootkit

A file-level rootkit usually enters the system through an application or system vulnerability and hides itself by modifying important system files. After the attack, legitimate binaries are replaced by trojaned versions: the outside looks like the original program, the inside carries a hidden backdoor. The programs most often replaced are login, ls, ps, ifconfig, du, find and netstat. login is replaced most frequently because every login to Linux runs /bin/login, which collects and checks the user's account and password; the rootkit exploits this by replacing /bin/login with a version that accepts a built-in root backdoor password, so the attacker enters the system simply by typing that password. Even if the administrator changes or clears the root password, the attacker can still log in as root. Once inside, the attacker usually carries out further attacks, most commonly installing a sniffer to collect data from the local machine or from other servers on the network. Some standard tools would reveal this activity (ifconfig, for example, shows an interface that has been put into promiscuous mode), so the attacker also replaces ls, ps, ifconfig, du, find, netstat and so on to avoid discovery. Once these files are replaced, it is very hard to tell from inside the system that a rootkit is running.

A file-level rootkit therefore alters many parts of the system. At present the most effective defence is to check the integrity of important system files regularly: if a file has been modified or replaced, the system has very likely been compromised by a rootkit. Tools such as Tripwire and AIDE do exactly this: they record a baseline of file hashes and properties while the system is known good and compare the live files against it periodically. The baseline must be kept off the host or on read-only media; an intruder with root can otherwise simply regenerate it after swapping the binaries.

2. Rootkit at kernel level

A kernel-level rootkit is a more advanced intrusion than a file-level one and gives the attacker complete control of the lowest layer of the system. The attacker modifies the kernel so that it intercepts the requests that running programs submit to it and redirects them to code of the intruder's choosing: when a user runs program A, the modified kernel pretends to execute A but actually executes program B.

A kernel-level rootkit attaches to the kernel and makes no changes to the files on disk, so ordinary detection tools have great difficulty finding it; once a rootkit has been implanted in the kernel, the attacker can do whatever they want without being discovered. There is currently no reliable defence tool against kernel-level rootkits (the loaded-module checks in RKHunter, described below, catch only the simpler LKM-based ones), so keeping the system running with the minimum necessary privileges is very important: as long as the attacker cannot obtain root, they cannot implant a rootkit in the kernel. When a kernel compromise is suspected, the only trustworthy inspection is from outside the running system, booted from known-clean media.

Second, rootkit backdoor inspection tool chkrootkit

chkrootkit is a tool for locating and testing for rootkit backdoors on Linux systems; its official site is http://www.chkrootkit.org/. chkrootkit is not in the official CentOS repositories, so it has to be installed by hand, which, built from the official source, is also the more secure option. The installation process is outlined below.

1. Prepare the gcc compilation environment

For CentOS systems, install the gcc tool chain with the following three commands:

The code is as follows:

[root@server ~]# yum -y install gcc
[root@server ~]# yum -y install gcc-c++
[root@server ~]# yum -y install make

2. Install chkrootkit

For security reasons, download the chkrootkit source directly from the official website (and compare it with the checksum published there), then build it as follows:

The code is as follows:

[root@server ~]# tar zxvf chkrootkit.tar.gz
[root@server ~]# cd chkrootkit-*
[root@server ~]# make sense

make sense only compiles the helper binaries inside the source directory; there is no separate install step. This article keeps the directory at /usr/local/chkrootkit, so extract or move it there.

3. Use chkrootkit

The chkrootkit program is located in the /usr/local/chkrootkit directory. Run the following command to display its detailed usage:

The code is as follows:

[root@server chkrootkit]# /usr/local/chkrootkit/chkrootkit -h

The meaning of each parameter is as follows.

Parameter              Meaning
-h                     display help information
-V                     display version information
-l                     list the available tests
-d                     debug mode: show the commands run during detection
-q                     quiet mode: show only the items that have a problem
-x                     expert mode: show the raw results of all tests
-r dir                 use dir as the root directory (for example a mounted disk image of the suspect system)
-p dir1:dir2:dirN      directories holding the trusted copies of the system commands chkrootkit itself uses
-n                     skip directories mounted over NFS

Using chkrootkit is simple: running the chkrootkit command with no arguments starts all of the detection automatically. Here are the results from one system:

The code is as follows:

[root@server chkrootkit]# /usr/local/chkrootkit/chkrootkit
Checking `ifconfig'... INFECTED
Checking `ls'... INFECTED
Checking `login'... INFECTED
Checking `netstat'... INFECTED
Checking `ps'... INFECTED
Checking `top'... INFECTED
Checking `sshd'... Not infected
Checking `syslogd'... Not tested
Checking `tar'... Not infected
Checking `tcpd'... Not infected
Checking `tcpdump'... Not infected
Checking `telnetd'... Not found

The output shows that the ifconfig, ls, login, netstat, ps and top commands on this system have been infected. For a system infected by a rootkit, the safest and most effective remedy is to back up the data and reinstall the system from clean media, restoring only data, never binaries or scripts, from the backup.

4. Shortcomings of chkrootkit

chkrootkit calls a number of system commands while it checks for rootkits. If the server has been compromised, those very commands may already have been replaced by the intruder, in which case chkrootkit's results are completely unreliable. To avoid this, back up the system commands chkrootkit depends on before the server is exposed to the public, and when a check is needed, tell chkrootkit to use the backed-up originals. This is done as follows:

The code is as follows:

[root@server ~]# mkdir /usr/share/.commands
[root@server ~]# cp `which --skip-alias awk cut echo find egrep id head ls netstat ps strings sed uname` /usr/share/.commands
[root@server ~]# /usr/local/chkrootkit/chkrootkit -p /usr/share/.commands/
[root@server ~]# cd /usr/share/
[root@server share]# tar zcvf commands.tar.gz .commands
[root@server share]# rm -rf commands.tar.gz

The above creates a hidden directory under /usr/share/ and copies the system commands chkrootkit uses into it. For safety, pack that directory into an archive, download it to a secure location, and then delete the archive from the server. If the server is later compromised, upload the backup to any path on the server and point chkrootkit at it with the -p parameter. Two caveats: a hidden directory on the same disk is no secret to an intruder with root, so it is the off-server copy that counts; and trusted userland commands only help against a file-level rootkit, because a kernel-level rootkit lies to the copied binaries just as easily as to the originals. On CentOS, rpm -V (for example rpm -V coreutils) is a useful cross-check of the installed binaries, with the same limitation that the RPM database lives on the same disk.
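The integrity-baseline idea from the file-level rootkit section and the trusted-command copy used with chkrootkit -p above come down to the same two operations: copy the binaries while the system is known good, and prove the copy is still intact before relying on it. The following script is an added example, not code from the article or from chkrootkit, that does both; its function names (find_in_path, backup_commands, write_baseline, verify_baseline) are my own, it assumes GNU coreutils and findutils, and the demo at the bottom uses constructed fake commands in a temporary directory so it runs without touching /usr/share.

```shell
#!/bin/sh
# Added example, not part of the article: keep a trusted copy of the
# commands chkrootkit shells out to, record SHA-256 hashes of the copy,
# and verify it before pointing "chkrootkit -p" at it. Assumes GNU
# coreutils (sha256sum) and findutils (xargs -r); the demo data at the
# bottom is constructed so the script runs without touching /usr/share.

# The external commands chkrootkit depends on (the list used above).
CHK_CMDS="awk cut echo find egrep id head ls netstat ps strings sed uname"

# find_in_path NAME: print the first executable file NAME on $PATH.
# Walks PATH explicitly (like "which --skip-alias") so that a shell
# builtin such as "echo" resolves to the binary, e.g. /bin/echo.
find_in_path() {
    (
        IFS=:
        for d in $PATH; do
            [ -n "$d" ] || continue
            if [ -f "$d/$1" ] && [ -x "$d/$1" ]; then
                printf '%s\n' "$d/$1"
                exit 0
            fi
        done
        exit 1
    )
}

# backup_commands DEST CMD...: copy each command into DEST, preserving
# mode and timestamps. Missing commands are reported but not fatal.
backup_commands() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    for c in "$@"; do
        src=$(find_in_path "$c") || { echo "skip: $c not in PATH" >&2; continue; }
        cp -p "$src" "$dest/$c" || return 1
    done
}

# write_baseline DIR: store SHA-256 hashes of every file in DIR in
# DIR/.sha256. Keep a second copy of that file off the host.
write_baseline() {
    ( cd "$1" && find . -type f ! -name .sha256 | sort | xargs -r sha256sum > .sha256 )
}

# verify_baseline DIR: re-hash DIR against DIR/.sha256.
# Returns 0 if all files match, non-zero if any changed or vanished.
verify_baseline() {
    ( cd "$1" && sha256sum -c --quiet .sha256 >/dev/null 2>&1 )
}

# Demo on constructed data: fake "commands" in a temporary PATH.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/bin"
    for c in ls ps netstat; do
        printf '#!/bin/sh\necho fake %s\n' "$c" > "$work/bin/$c"
        chmod 755 "$work/bin/$c"
    done
    oldpath=$PATH
    PATH="$work/bin:$PATH"
    backup_commands "$work/.commands" ls ps netstat
    PATH=$oldpath
    write_baseline "$work/.commands"
    verify_baseline "$work/.commands" && echo "baseline ok"
    # Simulate a rootkit swapping a trojaned ps into the backup.
    printf '#!/bin/sh\necho trojaned\n' > "$work/.commands/ps"
    verify_baseline "$work/.commands" || echo "TAMPERED: do not use this copy with chkrootkit -p"
    rm -rf "$work"
}

demo
```

On a real host you would call backup_commands /usr/share/.commands $CHK_CMDS once, write_baseline on that directory, copy .sha256 off the box, and run verify_baseline (with the off-box .sha256 restored) before every chkrootkit -p /usr/share/.commands/ run.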

Third, rootkit backdoor detection tool RKHunter

RKHunter (Rootkit Hunter) is a dedicated tool for detecting whether a system is infected with a rootkit. It runs a series of scripts to determine whether the server has been compromised. According to the official description, RKHunter can:

MD5 hash comparison to detect files that have changed
Detect binaries and system tool files used by rootkits
Detect Trojan program signatures
Detect abnormal file properties (permissions, ownership) of commonly used programs
Run checks specific to the operating system
Detect hidden files
Detect suspicious loadable kernel modules (LKM)
Detect listening ports opened on the system

The installation and use of RKHunter are described in detail below.

1. Install RKHunter

The official web address of RKHunter is http://www.rootkit.nl/projects/rootkit_hunter.html, and it is recommended to download it from there. The version used here is rkhunter-1.4.0.tar.gz. Installation is very simple:

The code is as follows:

[root@server ~]# ls
rkhunter-1.4.0.tar.gz
[root@server ~]# pwd
/root
[root@server ~]# tar -zxvf rkhunter-1.4.0.tar.gz
[root@server ~]# cd rkhunter-1.4.0
[root@server rkhunter-1.4.0]# ./installer.sh --layout default --install

The default layout is used here, which places the rkhunter command in /usr/local/bin. Before the first check, run rkhunter --update to fetch the current data files and rkhunter --propupd to record the file-properties baseline while the system is still known good; the baseline is what the file properties check compares against, so it must be taken on a clean system.

2. Use the rkhunter instruction

The rkhunter command has many parameters but is very simple to use; running rkhunter with no arguments prints its usage, and rkhunter --help prints the full list:

The code is as follows:

[root@server ~]# /usr/local/bin/rkhunter --help

The commonly used parameters and their meanings are shown below.

Parameter                 Meaning
-c, --check               run the checks on the current system (the main mode of operation)
--configfile <file>       use the specified configuration file
--cronjob                 run as a cron job (no colours, no keypress prompts)
--sk, --skip-keypress     run all tests without pausing for Enter between sections
--summary                 display the summary statistics of the test results
--update                  update the data files the checks rely on
-V, --version             display version information
--versioncheck            check whether a newer rkhunter release is available

The following is an example of testing a system through rkhunter:

[root@server rkhunter-1.4.0]# /usr/local/bin/rkhunter -c
[ Rootkit Hunter version 1.4.0 ]

# The first part checks the system commands, mainly the system binaries, because these are the files a rootkit most often replaces. OK means the item passed; Warning means an anomaly that needs attention; Not found means the item does not exist on this system and can generally be ignored.

The code is as follows:

Checking system commands...

Performing 'strings' command checks
Checking 'strings' command [OK]

Performing 'shared libraries' checks
Checking for preloading variables [None found]
Checking for preloaded libraries [None found]
Checking LD_LIBRARY_PATH variable [Not found]

Performing file properties checks
Checking for prerequisites [Warning]
/usr/local/bin/rkhunter [OK]
/sbin/chkconfig [OK]
... (omitted) ...

[Press <ENTER> to continue]

# The second part checks for known rootkits; Not found means the system is not infected with that rootkit.

The code is as follows:

Checking for rootkits...

Performing check of known rootkit files and directories
55808 Trojan - Variant A [Not found]
ADM Worm [Not found]
AjaKit Rootkit [Not found]
Adore Rootkit [Not found]
aPa Kit [Not found]
Apache Worm [Not found]
Ambient (ark) Rootkit [Not found]
Balaur Rootkit [Not found]
BeastKit Rootkit [Not found]
beX2 Rootkit [Not found]
BOBKit Rootkit [Not found]
... (omitted) ...

[Press <ENTER> to continue]

# The third part runs special or additional checks: possible rootkit files and directories, malware indicators, and the loaded kernel modules.

The code is as follows:

Performing additional rootkit checks
Suckit Rootkit additional checks [OK]
Checking for possible rootkit files and directories [None found]
Checking for possible rootkit strings [None found]

Performing malware checks
Checking running processes for suspicious files [None found]
Checking for login backdoors [None found]
Checking for suspicious directories [None found]
Checking for sniffer log files [None found]

Performing Linux specific checks
Checking loaded kernel modules [OK]
Checking kernel module names [OK]

[Press <ENTER> to continue]

# The fourth part checks the network (ports, interfaces) and the local host: system startup files, user and group configuration, SSH configuration, file system and so on.

The code is as follows:

Checking the network...

Performing checks on the network ports
Checking for backdoor ports [None found]

Performing checks on the network interfaces
Checking for promiscuous interfaces [None found]

Checking the local host...

Performing system boot checks
Checking for local host name [Found]
Checking for system startup files [Found]
Checking system startup files for malware [None found]

Performing group and account checks
Checking for passwd file [Found]
Checking for root equivalent (UID 0) accounts [None found]
Checking for passwordless accounts [None found]
... (omitted) ...

[Press <ENTER> to continue]

# The fifth part checks the versions of a few security-relevant applications against its database of known-vulnerable versions.

The code is as follows:

Checking application versions...

Checking version of GnuPG [OK]

Checking version of OpenSSL [Warning]

Checking version of OpenSSH [OK]

# The last part is a summary of everything above, from which you can get an overall picture of the server's security status.

The code is as follows:

System checks summary
=====================

File properties checks...
    Required commands check failed
    Files checked: 137
    Suspect files: 4

Rootkit checks...
    Rootkits checked: 311
    Possible rootkits: 0

Applications checks...
    Applications checked: 3
    Suspect applications: 1

The system checks took: 6 minutes and 41 seconds

The line "Required commands check failed" corresponds to the prerequisites Warning in the first part: rkhunter could not run the file properties checks in full, so look up the reason in /var/log/rkhunter.log (the default log file) before trusting the Suspect files count. The OpenSSL Warning in the fifth part is what produced Suspect applications: 1.

Running rkhunter in a terminal has the advantage that each result is colour coded: green means no problem, red draws attention. During the run above, each section ends with a prompt to press Enter. To let the program run through without stopping, execute:

The code is as follows:

[root@server ~]# /usr/local/bin/rkhunter --check --skip-keypress

To run the check automatically every day, add the following line to /etc/crontab:

The code is as follows:

30 9 * * * root /usr/local/bin/rkhunter --check --cronjob

This runs the rkhunter check at 9:30 every day. --cronjob disables colours and keypress prompts; add --rwo (--report-warnings-only) if you only want the Warning lines in the output, and remember that rkhunter returns a non-zero exit status when it finds warnings, so the result can be fed to your monitoring.
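A daily cron run is only useful if someone reads the result, so the crontab line above is usually paired with a wrapper that keeps the logs and turns the "System checks summary" block into something a monitoring system can alert on. The following is an added example, not code from the article or from rkhunter: it assumes rkhunter lives at /usr/local/bin/rkhunter (override with RKHUNTER), that the summary block has the same layout as the 1.4.0 output above, and the function names (summary_value, warning_lines, summarize_log, run_check) and the log directory /var/log/rkhunter-runs are my own choices. The sample log at the bottom is constructed from the summary shown above so the script runs without rkhunter installed.

```shell
#!/bin/sh
# Added example, not part of the article: a cron wrapper around rkhunter
# that keeps one log per run and reads the "System checks summary" block
# (format as in the 1.4.0 output above). Assumes rkhunter is installed at
# /usr/local/bin/rkhunter (override with RKHUNTER) and that root runs it.
# The sample log at the bottom is constructed from the summary shown above.

RKHUNTER=${RKHUNTER:-/usr/local/bin/rkhunter}
LOGDIR=${LOGDIR:-/var/log/rkhunter-runs}

# summary_value LOG LABEL: integer after "LABEL:" in the summary block,
# e.g. summary_value run.log "Suspect files" -> 4. Prints 0 if absent.
summary_value() {
    v=$(sed -n "s/^[[:space:]]*$2:[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1)
    echo "${v:-0}"
}

# warning_lines LOG: print every check line that ended in [Warning],
# i.e. the lines an operator actually has to read.
warning_lines() {
    grep '\[ *Warning *\]' "$1"
}

# summarize_log LOG: print "files=N rootkits=N apps=N" and return 1 when
# any counter is non-zero, so the caller (cron, a monitoring agent) can
# alert on the exit status alone.
summarize_log() {
    f=$(summary_value "$1" "Suspect files")
    r=$(summary_value "$1" "Possible rootkits")
    a=$(summary_value "$1" "Suspect applications")
    echo "files=$f rootkits=$r apps=$a"
    [ "$f" -eq 0 ] && [ "$r" -eq 0 ] && [ "$a" -eq 0 ]
}

# run_check: run rkhunter non-interactively, keep the full log, and
# return summarize_log's status. This is what the crontab entry would call.
run_check() {
    mkdir -p "$LOGDIR" || return 1
    log="$LOGDIR/rkhunter-$(date +%Y%m%d-%H%M%S).log"
    "$RKHUNTER" --check --cronjob > "$log" 2>&1
    summarize_log "$log"
}

# Demo on a constructed log so this runs without rkhunter installed.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
Checking version of OpenSSL                              [ Warning ]
System checks summary
=====================
File properties checks...
    Files checked: 137
    Suspect files: 4
Rootkit checks...
    Rootkits checked: 311
    Possible rootkits: 0
Applications checks...
    Applications checked: 3
    Suspect applications: 1
EOF
    warning_lines "$tmp"
    if summarize_log "$tmp"; then echo "clean"; else echo "needs attention (exit status 1)"; fi
    rm -f "$tmp"
}

demo
```

In the crontab you would replace the bare rkhunter invocation with this script and let cron mail the output; because summarize_log's exit status is 1 whenever any counter is non-zero, the same script works as a check for a monitoring agent that only looks at exit codes.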

Security update:

A Bash security vulnerability (Shellshock, CVE-2014-6271) was disclosed today. Any service that lets attacker-controlled data reach the environment of a bash process, such as SSH with forced commands or CGI scripts, is exposed, so this emergency bash patch is important.

Test for the vulnerability with the following command:

The code is as follows:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

If "vulnerable" is printed as above, the security patch must be applied immediately. On CentOS the fix is:

yum -y update bash

After upgrading bash, repeat the test:

The code is as follows:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

If the output looks like this, the vulnerability has been fixed. Note that the first patch turned out to be incomplete (CVE-2014-7169 and several follow-ups), so keep applying bash updates as the vendor publishes them and re-run the test after each one. On newer bash builds the warning lines are absent and only "this is a test" is printed, which is also a patched result.
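The one-liner above only probes the first Shellshock bug and has to be read by eye. The following script is an added example, not code from the article, that wraps that test in a function with a clear exit status and adds the public test for the follow-up CVE-2014-7169, which detects the incomplete first patch by checking whether a crafted function definition makes bash create a file named "echo" in an empty directory. The function names (have_exe, check_cve_2014_6271, check_cve_2014_7169, check_shellshock) are my own; it assumes the bash binaries under test can be started from this script, and only the harmless marker commands shown are ever executed.

```shell
#!/bin/sh
# Added example, not part of the article: probe a bash binary for the two
# original Shellshock bugs, CVE-2014-6271 (the article's test) and the
# follow-up CVE-2014-7169, using the public test strings. Only the
# harmless marker commands shown here run; nothing else is executed.
# Assumes the bash under test can be started from this script.

# have_exe NAME_OR_PATH: true if it can be executed.
have_exe() {
    case $1 in
        */*) [ -x "$1" ] ;;
        *)   command -v "$1" >/dev/null 2>&1 ;;
    esac
}

# check_cve_2014_6271 BASH: the test from the article, wrapped. Prints
# "vulnerable" (exit 1), "patched" (exit 0) or "missing" (exit 2).
check_cve_2014_6271() {
    have_exe "$1" || { echo missing; return 2; }
    out=$(env x='() { :;}; echo vulnerable' "$1" -c "echo this is a test" 2>&1)
    case $out in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# check_cve_2014_7169 BASH: after the first fix, a crafted definition
# could still leave the parser inside a redirection, so "echo date"
# wrote the date into a file named "echo". Run in an empty temp dir and
# see whether that file appears.
check_cve_2014_7169() {
    have_exe "$1" || { echo missing; return 2; }
    d=$(mktemp -d) || { echo missing; return 2; }
    ( cd "$d" && env X='() { (a)=>\' "$1" -c "echo date" >/dev/null 2>&1 )
    if [ -e "$d/echo" ]; then r=vulnerable; s=1; else r=patched; s=0; fi
    rm -rf "$d"
    echo "$r"
    return $s
}

# check_shellshock BASH: one line per binary; non-zero if either probe
# fires or the binary is missing.
check_shellshock() {
    a=$(check_cve_2014_6271 "$1"); sa=$?
    b=$(check_cve_2014_7169 "$1"); sb=$?
    echo "$1: CVE-2014-6271=$a CVE-2014-7169=$b"
    [ "$sa" -eq 0 ] && [ "$sb" -eq 0 ]
}

# Check the bash on PATH plus any extra binaries given as arguments
# (for example a chroot's /bin/bash or a statically linked copy).
for b in bash "$@"; do
    check_shellshock "$b"
done
```

Run it as root after each bash update; passing extra paths matters because a chroot, a container image or a vendored static bash is not updated by yum -y update bash.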

This concludes the walk-through of chkrootkit, RKHunter and the bash fix; the best way to retain it is to run the checks on a system of your own.
