2.1 Rootkit detection

  • chkrootkit

    Usage:

        wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
        tar zxvf chkrootkit.tar.gz
        cd chkrootkit-0.52
        make sense        # check that no error is reported
        ./chkrootkit

  • rkhunter

    Usage:

        wget https://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.4/rkhunter-1.4.4.tar.gz
        tar zxvf rkhunter-1.4.4.tar.gz
        cd rkhunter-1.4.4
        ./installer.sh --install
        rkhunter -c       # run the check

    Both tools call the host's own ls, ps, netstat and similar commands. A rootkit that has already replaced those binaries can hide from them, so when a compromise is suspected run chkrootkit with -p pointing at a trusted copy of those commands (for example from install media), or run the scan from a live medium.
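Added example (not code from the original page or from either project): a wrapper that runs both scanners non-interactively and keeps only the findings for review. CHKROOTKIT_DIR (where `make sense` was run) and OUTDIR are assumed locations; the rkhunter_baseline step records file properties right after a clean install so that later checks report replaced binaries as warnings.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed paths:
#   CHKROOTKIT_DIR - unpacked chkrootkit tree where "make sense" was run
#   OUTDIR         - where scan output is kept
CHKROOTKIT_DIR=${CHKROOTKIT_DIR:-/root/chkrootkit-0.52}
OUTDIR=${OUTDIR:-/root/rootkit-scan}

# Take the file-properties baseline once, on a host believed clean.
# Later "rkhunter --check" runs compare against it.
rkhunter_baseline() {
    rkhunter --update
    rkhunter --propupd
}

# Run both scanners unattended. chkrootkit -q is quiet mode (only
# infected/suspicious results are printed); rkhunter --sk skips the
# "press enter" prompts and --rwo prints warnings only, so the pair
# can run from cron.
rootkit_scan() {
    mkdir -p "$OUTDIR"
    ( cd "$CHKROOTKIT_DIR" && ./chkrootkit -q ) > "$OUTDIR/chkrootkit.txt" 2>&1
    rkhunter --check --sk --rwo > "$OUTDIR/rkhunter.txt" 2>&1
}

# Extract the lines that need a human: chkrootkit marks hits as INFECTED,
# rkhunter as "Warning:". Prints "<tool><TAB><line>" per finding.
rootkit_findings() {
    for f in "$@"; do
        tool=$(basename "$f" .txt)
        awk -v t="$tool" '/INFECTED|^Warning:/ { print t "\t" $0 }' "$f"
    done
}

# Usage on a real host (runs the scanners):
#   rkhunter_baseline; rootkit_scan; rootkit_findings "$OUTDIR"/*.txt
```

Keep the full output files as well: an empty findings list only says the two tools found nothing against their current signatures, not that the host is clean.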

2.2 Virus detection and removal

  • ClamAV, method one (build from source):

    1. Install zlib:

        wget nchc.dl.sourceforge.net/project/lib…
        tar -zxvf zlib-1.2.7.tar.gz
        cd zlib-1.2.7
        # yum install gcc
        CFLAGS="-O3 -fPIC" ./configure --prefix=/usr/local/zlib/
        make && make install

    2. Add the clamav group and the clamav user as its member:

        groupadd clamav
        useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav

    3. Install ClamAV:

        tar -zxvf clamav-0.97.6.tar.gz
        cd clamav-0.97.6
        ./configure --prefix=/opt/clamav --disable-clamav --with-zlib=/usr/local/zlib
        make
        make install

    4. Configure ClamAV (log and signature directories, logs owned by the clamav user):

        mkdir /opt/clamav/logs
        mkdir /opt/clamav/updata
        touch /opt/clamav/logs/freshclam.log
        touch /opt/clamav/logs/clamd.log
        cd /opt/clamav/logs
        chown clamav:clamav clamd.log
        chown clamav:clamav freshclam.log

    5. Use ClamAV:

        /opt/clamav/bin/freshclam                 # update the virus signature database
        /opt/clamav/bin/clamscan -h               # show the help text
        /opt/clamav/bin/clamscan -r /home         # scan every user's home directory
        /opt/clamav/bin/clamscan -r --bell -i /bin  # scan /bin, ring the bell on a hit, print only infected files

  • Method two (scan to a log file, then review the log):

        clamscan -r /etc --max-dir-recursion=5 -l /root/etcclamav.log
        clamscan -r /bin --max-dir-recursion=5 -l /root/binclamav.log
        clamscan -r /usr --max-dir-recursion=5 -l /root/usrclamav.log
        clamscan -r --remove /usr/bin/bsd-port
        clamscan -r --remove /usr/bin/
        clamscan -r --remove /usr/local/zabbix/sbin
        cat /root/usrclamav.log | grep FOUND      # list the hits recorded in the log

    --remove deletes every match on the spot. A false positive under /usr/bin then removes a system binary, and a true positive is destroyed before it can be examined. Scan with -i first, read the FOUND lines, and prefer --move=DIR, which quarantines the file instead of deleting it.
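Added example (not code from the original page or from the ClamAV project): the same directory scans as above, but hits are quarantined with --move rather than deleted, and the FOUND lines are pulled out of the log afterwards. QUARANTINE and LOGDIR are assumed locations; the log lines used to try the parser offline are constructed, not real scan results.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed locations:
QUARANTINE=${QUARANTINE:-/root/quarantine}
LOGDIR=${LOGDIR:-/root/clamlogs}

# Scan one directory. -i prints only infected files, -l writes the log,
# --move relocates each match into the quarantine directory so a false
# positive can be put back and a real hit is kept as evidence.
# clamscan exit status: 0 = nothing found, 1 = something found, 2 = error.
clam_quarantine_scan() {
    dir=$1
    tag=$(printf '%s' "$dir" | tr '/' '_')   # /usr/bin -> _usr_bin
    mkdir -p "$QUARANTINE" "$LOGDIR"
    clamscan -r -i --max-dir-recursion=5 --move="$QUARANTINE" \
        -l "$LOGDIR/${tag}.log" "$dir"
}

# Pull the hits out of one or more clamscan logs. Hit lines have the form
# "/path/to/file: Signature.Name FOUND"; prints "path<TAB>signature".
# Summary lines ("Infected files: 2") do not end in FOUND and are ignored.
clam_found() {
    awk '/ FOUND$/ {
        line = $0
        sub(/ FOUND$/, "", line)
        i = index(line, ": ")
        print substr(line, 1, i - 1) "\t" substr(line, i + 2)
    }' "$@"
}

# Usage on a real host (runs clamscan):
#   for d in /etc /bin /usr; do clam_quarantine_scan "$d"; done
#   clam_found "$LOGDIR"/*.log
```

Files moved into the quarantine directory keep their original names but not their original paths, so the log is the record of where each one came from.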

2.3 Webshell detection

The Linux version:

    Hema ("Hippo") webshell scanner: http://www.shellpub.com
    Sangfor webshell / website backdoor detection: http://edr.sangfor.com.cn/backdoor_detection.html

2.4 RPM verification

System integrity can be checked with rpm -Va, which verifies the files of every installed RPM package and shows which ones (system commands in particular) have been replaced:

    rpm -Va > rpm.log

If every file verifies correctly, nothing is printed. Each inconsistency is printed as one line: an 8-character string in which each character is the result of comparing one file attribute against the value recorded in the RPM database, followed by the file path. A dot (.) means that test passed.

The eight verification flags are:

    S  file Size differs
    M  Mode differs (file type or permissions, rwx)
    5  MD5 digest differs
    D  Device major/minor number mismatch
    L  readLink(2) path mismatch (symlink target changed)
    U  User ownership differs
    G  Group ownership differs
    T  mTime differs

Two things to keep in mind when reading the output: a "c" between the flags and the path marks a configuration file, whose size, digest and mtime usually differ for legitimate reasons, and the word "missing" in place of the flags means the file is gone entirely. The comparison is only as trustworthy as the rpm binary and the RPM database on the host, both of which an attacker with root can tamper with, so a replaced command that passes rpm -Va is still possible.

If a command has been replaced, it can be restored from its package. Example of extracting and restoring a file:

    rpm -qf /bin/ls                # query which package the ls command belongs to
    mv /bin/ls /tmp                # simulate a missing ls command
    rpm2cpio /mnt/cdrom/Packages/coreutils-8.4-19.el6.i686.rpm | cpio -idv ./bin/ls
                                   # extract ls from the RPM package into ./bin/ls under the current directory
    cp /root/bin/ls /bin/          # copy the extracted ls back to /bin/ to repair the missing file

Take the package from install media or a trusted mirror, as here, rather than from a package cache on the compromised host.
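Added example (not code from the original page): a triage of rpm -Va output that skips configuration-file drift, keeps the files whose size (S), mode (M) or MD5 digest (5) changed or that are missing, and prints the rpm2cpio restore recipe from the previous step for each of them. PKGDIR (where trusted .rpm files live) is an assumed path, and the sample rpm -Va lines embedded below are constructed, not real scan results.

```shell
#!/bin/sh
# Added example, not from the original page. PKGDIR is an assumed path to
# trusted package files (install media or a known-good mirror copy).
PKGDIR=${PKGDIR:-/mnt/cdrom/Packages}

# Reads rpm -Va lines on stdin and prints "MISSING <path>" or
# "CHANGED <flags> <path>" for the files worth looking at.
rpm_verify_triage() {
    awk '
    {
        flags = $1
        rest = $0
        sub(/^[^ ]+ +/, "", rest)            # drop the flag column
        ftype = ""
        if (rest ~ /^[cdglr] +\//) {         # optional file-type column (c = config)
            ftype = substr(rest, 1, 1)
            sub(/^[cdglr] +/, "", rest)
        }
        path = rest                          # keeps paths that contain spaces
        if (flags == "missing") { print "MISSING " path; next }
        if (ftype == "c") next               # config files are expected to differ
        if (substr(flags, 1, 1) == "S" || substr(flags, 2, 1) == "M" ||
            substr(flags, 3, 1) == "5")
            print "CHANGED " flags " " path
    }'
}

# For one flagged path: find the owning package and print how to pull the
# original file out of a trusted copy of that package. Needs rpm, so it is
# only useful on a real host.
rpm_restore_hint() {
    path=$1
    pkg=$(rpm -qf "$path") || return 1
    echo "$path is owned by $pkg"
    echo "  rpm2cpio $PKGDIR/$pkg.rpm | cpio -idv .$path && cp .$path $path"
}

# Constructed sample of rpm -Va output (not real scan results) so the
# triage can be tried offline.
sample_rpm_va() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
missing     /bin/ls
S.5....T.    /usr/bin/ps
.......T.    /usr/share/doc/README
EOF
}

sample_rpm_va | rpm_verify_triage
# On a live host:
#   rpm -Va | rpm_verify_triage | awk '{ print $NF }' | while read -r p; do rpm_restore_hint "$p"; done
```

On the constructed sample the triage reports passwd (mode changed), ls (missing) and ps (size and digest changed) and stays silent on sshd_config and the README, whose only change is a timestamp.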

2.5 Linux security check scripts

GitHub project addresses:

Github.com/grayddq/GSc…

Github.com/ppabc/secur…

github.com/T0xst/linux