Chkrootkit - Como determinar se o sistema está infectado com rootkit

No artigo você vai encontrar perguntas como: o que é rootkit? Como instalar o chkrootkit? Como executar o chkrootkit? Achei rootkit, o que fazer? Quais são os rootkits, worms e LKMs detectados atualmente? Vulnerabilidades e exposições comuns do chkrootkit.

[ Hits: 22.608 ]

Por: Perfil removido em 12/04/2017


Licença, livros, artigos e pessoas que contribuíram para o projeto



Informações de Licença

Chkrootkit é um software livre. As informações da licença estão disponíveis no arquivo COPYRIGHT do chkrootkit:
Alguns livros e artigos que mencionam chkrootkit:
  • Linux Security Cookbook, published by O'Reilly, by Daniel J. Barrett, Robert G. Byrnes and Richard Silverman. chkrootkit is mentioned on chapter 9.
  • Security Warrior, published by O'Reilly, by Anton Chuvakin and Cyrus Peikari. chkrootkit is mentioned on chapter 10 and chapter 19.
  • Network Security Hacks, published by O'Reilly, by Andrew Lockhart. hack #99 shows how to use chkrootkit to determine the extent of a compromise.
  • Malware: Fighting Malicious Code, published by Prentice Hall PTR, by Ed Skoudis and Lenny Zeltser. chkrootkit is mentioned on chapers 1, 2 and 3.
  • (German) Intrusion Detection für Linux-Server, by Ralf Spenneberg. chkrootkit is described in chapter 16.
  • Linux Troubleshooting Bible, by Christopher Negus and Thomas Weeks. chkrootkit is mentioned on chapter 10.

As seguintes pessoas contribuíram para o projeto chkrootkit:
  • Agustin Navarro (debug help)
  • Alberto Courrege Gomide (debug help)
  • Andre Gustavo de Carvalho Albuquerque (debug, performance and Solaris patches)
  • Dave Ansalvish (Solaris debug help)
  • Bruno Lopes (debug help)
  • Daniel Lafraia (source code addition)
  • Josh Karp (debug help for Solaris 8)
  • Klaus Steding-Jessen (debug, lots of good suggestions and LKM check Perl code)
  • Paulo C. Marques F. (debug help)
  • Pedro Vazquez (lots of good suggestions)
  • Richard Eisenman (Red Hat support)
  • Manfred Bartz (debug help)
  • Luiz E. R. Cordeiro (debug help)
  • Vince Hillier (debug help)
  • Steve Campbell (Solaris bug fixes)
  • Strashimir Mihnev (new rootkit)
  • Patrick Duane Dunston (Adore LKM detection)
  • Rudolf Leitgeb (chklastlog bug fix)
  • Marcos Aguinaldo Forquesato (Solaris debug)
  • scz (check_wtmpx code)
  • Yaroslav Polyakov (inetdconf function)
  • Andreas Tirok (chklastlog patch)
  • Sean D. True (strings.c)
  • Leif Neland (duarawkz rootkit)
  • Kaveh Goudarzi (Pizdakit rootkit)
  • m0xx (monkit and Bobkit rootkits)
  • Bob Grabowsky and Mihai Sandu (t0rn v8.0 variant)
  • Razvan Cosma (new rootkit)
  • Kostya Kortchinsky (chkproc patch)
  • Frank Haverkamp (new rookit)
  • Ludovic Drolez (new rootkit)
  • Dan Irwin (new rootkit)
  • Anton Chuvakin (new rootkit)
  • Steve Collins (new rootkit)
  • Indra Kusuma (new rootkit)
  • Mark Newby (new rootkit)
  • anonymous (new rootkit)
  • Gerard van Wageningen (chklastlog.c)
  • Morohoshi Akihiko, Kostya Kortchinsky and Aaron Sherman (chkproc.c)
  • Andrey Chernomyrdin (new rootkit)
  • Razvan Cosma (new rootkit)
  • zeno (new rootkits)
  • Hal Pomeranz (chkdirs.c)
  • marc (Bug report)
  • Piete Brooks (patches for chkrootkit)
  • Kostya Kortchinsky (chkproc Solaris port)
  • Jan Brinham (chkrookit additions)
  • Paulo Rodrigo (Bug report)
  • Andreas Unterluggauer (Bug report)
  • Mihnea Stoenescu (ideas for chkrootkit)
  • Anton Chuvakin (new rootkit)
  • Russ Reynaga (SunOS debug/tests)
  • ymailer (lots of rootkits)
  • Junichi Murakami (Adore detection method)
  • Gerard Breiner (HP-UX Port)
  • Andrea Barbieri (SunOS debug)
  • Matthew Deatherage (Bug report)
  • Eduardo Bacchi Kienetz (Slapper-B detection)
  • aka br (SiN Rootkit)
  • Ymailer (shv4, Big and Aquatica)
  • Eduardo Bacchi (shv4)
  • T. Tanaka (bug fix)
  • Jan Iven (suckit tests)
  • Rob Thomas
  • Michael Griego (chkproc NPTL threading mechanisms patch)
  • Marcel Haman (aditional Suckit detection)
  • Andreas Grundle (Volc Rookit)
  • Bejamin Molitor (Gold2 Rookit)
  • James Mackinnon (TC2 Worm)
  • Joshua J Robinson (Anonoying Rootkit)
  • Bill Orvis (ZK Rootkit)
  • Thomas Davidson (BSDI support)
  • Bill DuPree (chkproc.c fix)
  • Jeremy H. Brown (-r option corrections)
  • Jason Montleon (bug report)
  • Djony W Tambosi (bug report)
  • Benjamin Schudz (bug report)
  • Eugene Tsyrklevich (bug report)
  • Michael Dorrington (web page)
  • Ragnar Rova (write test fix)
  • Chris Campbell (C++ comments causing problems on old Solaris compilers)
  • Markus Alt (Typo)
  • Egon Eckert (tcpd test at debian)
  • Silvio and nacho (zaRwT rootkit)
  • Lantz Moore (promisc test on Linux kernels 2.[46].x)
  • Marcel Haman (another Suckit sign)
  • Alfred (found sniffer in another area (/usr/lib))
  • Ymailer (several CGI backdoors)
  • Dietrich Raisin (del counter fix in chkwtmp.c)
  • Patrick Gosling (tnfs function improvement)
  • Mikhail Zotov (bug report)
  • Michael Schwendt (patches)
  • Yukio Yamada (bug report)
  • h0nIng (Fu rootkit)
  • Jeff Kuehn (bug report)
  • Jeremy Miller (chkutmp)
  • Cristine Hoepers (chkrootkit homepage redesign using valid strict XHTML)
  • Ighighi X (chkutmp)
  • Jeromie Andrei (chkwtmp)
  • Aaron Harwood
  • Yjesus(unhide) (chkproc.c)
  • Slider/Flimbo (chkproc.c)
  • UnSpawn (error reports)
  • Milan Kerslager (new rootkits signs)
  • Gary Funk (new rootkits signs)
  • Florian Gleixne (Solaris bug report and patch)
  • Andre Russ (bug report and crontab patch)
  • Michael Schwendt (OpenBSDrk v1 false positives on linux boxes)
  • Johann Burkard (r57 backdoor report)
  • Lieven De Keyzer (bug report)
  • Bartosz Lis (bug report and patch)
  • Ken Olum (bug report)
  • Steve Pirk (Slackware crontab bug report and patch)
  • Scott A. McIntyre (nice ideas)
  • Lorenzo Patocchi (new rootkit signs)
  • NIDE, Naoyuki (Bug report in chkdirs.c)
  • Steve Pirk (Bug report in slackware's crontab)
  • Michael Schwendt (Bug report and patch)
  • Michael Grant (Bug report and patch)
  • Ondrej Svetlik (new rk)
  • Enrico Zini (Bug report and patch)

Página anterior     Próxima página

Páginas do artigo
   1. O que é rootkit
   2. Achei rootkit, o que fazer?
   3. Licença, livros, artigos e pessoas que contribuíram para o projeto
   4. Vulnerabilidades e exposições comuns do chkrootkit
Outros artigos deste autor

Os navegadores "leves" que de leves não tem nada

JSP - Parte 1

Introdução ao Protocolo Internet - IP

Instalando o Linux Ubuntu 8.04 Hardy Heron

DragonLinux - Distro levíssima

Leitura recomendada

Acessando o Linux via SSH através do Android

Procedimento para descoberta de chave WEP

Rootkit: Uma nova ameaça?

Criando VPN com o PFSense

Vírus em Linux?

  
Comentários
[1] Comentário enviado por Freud_Tux em 12/04/2017 - 09:30h

Bom texto!

A melhor dica, com toda a certeza, foi em relação em retirar a máquina da rede e executar um sistema "live" com o chkrootkit para atestar a saúde da máquina.
Poderia ter indicado alguns sistemas que venham com o chkrootkit já instalado, pois, facilitaria a vida, e evitaria que a máquina alvo seja logada a internet de qualquer forma, pois, dependendo do rootkit, ele pode se alojar dentro da partição ESP, e de algum modo, tentar acessar o sistema live usando a Internet. Prevenir nesse caso é melhor do que remediar.

Favoritado ;)

T+
-------------------------------------------------------------------------------------------------------------------------------------------------
Noob:"[...]Sou muito noob ainda usando o terminal, então preciso de ajuda "mastigada", pra operá-lo."
zhushazang: "Sou velho e meus dentes desgastados. Estude linux www.guiafoca.org";

[2] Comentário enviado por pinguintux em 14/04/2017 - 09:09h

Parabéns pelo excelente artigo. Muito bem montado, objetivo e esclarecedor. Já adicionei aos favoritos!

[3] Comentário enviado por rodriguessouzape em 04/05/2017 - 16:09h

muito bom

[4] Comentário enviado por killuaz em 01/06/2017 - 18:59h

Me ajudem!! oq significa isso? pegou no scan.
in /var/run/utmp !
! RUID PID TTY CMD
! 3;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel- 0 3;3,13,3553;3,14,3553;3,15,3553;4,3;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel- 553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-
! 3;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel- 0 3;3,13,3553;3,14,3553;3,15,3553;4,3;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel- 553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-
! 3;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel- 0 3;3,13,3553;3,14,3553;3,15,3553;4,3;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel- 553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-
! 3;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel- 0 3;3,13,3553;3,14,3553;3,15,3553;4,3;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel- 553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-
! 4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=11F6EB8A391CAD 3553 3;3,15,3553;4,0,3553;4,1,3553;4,2,4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=11F6EB8A391CAD 3;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=11F6EB8A391CAD


Contribuir com comentário




Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts