| chkrootkit |
 |
 |
| Friday, 20 July 2007 00:48 | ||||||||||
      
Log to the server with
ssh as root userDownload chkrootkit. # wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gzUnpack the chkrootkit you just downloaded. # tar xvzf chkrootkit.tar.gzgo to that directory # cd chkrootkitCompile # make senseRun # chkrootkit•Receive e-mail everyday with the result chkrootkit
For Root user # crontab -e For any user # crontab -e -u usernameand add •0 3 * * * (./usr/sbin/chkrootkit 2>&1 | mail -s "chkrootkit output" -c
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
,
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
)
* the correct path can be found with which chkrootkit This will run chkrootkit at 3:00 am every day, and e-mail the output to
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
and copies to
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
and
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
"Checking `bindshell'... INFECTED (PORTS: 465)" This is normal and NOT really a rootkit.
Nota If you ever get a positive alarm, you can try to remove the rootkit, but all professionals would advice you to reinstall the server from scratch, and restore a previous backup (that mean saving nothing from server as soon as the rootkit is revealed....) chkrootkit
Powered by !JoomlaComment 3.20
3.20 Copyright (C) 2007 Alain Georgette / Copyright (C) 2006 Frantisek Hliva. All rights reserved."
|
||||||||||
| Last Updated on Friday, 20 July 2007 00:55 |
Tags
| Another articles: |
|---|
|
| Powered By relatedArticle |
