Known in Chinese as "Rootkit猎手" (Rootkit Hunter), it can detect around 58 known rootkits as well as a number of sniffers and backdoors. It determines whether your machine has been infected with a rootkit by running a series of test scripts: checking for the basic files rootkits use, looking for wrong file permissions on executable binaries, detecting kernel modules, and so on. Rootkit Hunter is developed by Michael Boelen and is open source (GPL) software. The latest version is currently 1.4.2.
Official download page: http://sourceforge.net/projects/rkhunter/
1. Installing rkhunter
Download the latest version, 1.4.2 (the URL is quoted so that the shell does not treat the `&` in it as a background operator):
#wget -S 'http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Frkhunter%2F&ts=1397456404&use_mirror=jaist'
Once the download completes, just extract the archive and run ./installer.sh:
#tar zxvf rkhunter-1.4.2.tar.gz
#cd rkhunter-1.4.2
# ./installer.sh --install    # normally completes quickly without errors
Checking system for:
 Rootkit Hunter installer files: found
 A web file download command: wget found
Starting update:
 Checking installation directory "/usr/local": it exists and is writable.
 Checking installation directories:
  Directory /usr/local/share/doc/rkhunter-1.4.2: exists and is writable.
  Directory /usr/local/share/man/man8: exists and is writable.
  Directory /etc: exists and is writable.
  Directory /usr/local/bin: exists and is writable.
  Directory /usr/local/lib64: exists and is writable.
  Directory /var/lib: exists and is writable.
  Directory /usr/local/lib64/rkhunter/scripts: exists and is writable.
  Directory /var/lib/rkhunter/db: exists and is writable.
  Directory /var/lib/rkhunter/tmp: exists and is writable.
  Directory /var/lib/rkhunter/db/i18n: exists and is writable.
  Directory /var/lib/rkhunter/db/signatures: exists and is writable.
 Installing check_modules.pl: OK
 Installing filehashsha.pl: OK
 Installing stat.pl: OK
 Installing readlink.sh: OK
 Installing backdoorports.dat: OK
 Installing mirrors.dat: OK
 Installing programs_bad.dat: OK
 Installing suspscan.dat: OK
 Installing rkhunter.8: OK
 Installing ACKNOWLEDGMENTS: OK
 Installing CHANGELOG: OK
 Installing FAQ: OK
 Installing LICENSE: OK
 Installing README: OK
 Installing language support files: OK
 Installing ClamAV signatures: OK
 Installing rkhunter: OK
 Installing rkhunter.conf in no-clobber mode: OK
 >>>
 >>> PLEASE NOTE: inspect for update changes in "/etc/rkhunter.conf.6525",
 >>> and apply to either "/etc/rkhunter.conf" or your local configuration
 >>> file before running Rootkit Hunter.
 >>>
 Update complete
2. Checking whether the system is infected with backdoors or malware
After installation, running rkhunter by itself prints the help text.
2. To scan for backdoors, run:
rkhunter --check
To display only the warnings, run:
rkhunter -c --rwo    (report-warnings-only: shows only the warnings)
When the scan finishes, a log is written to /var/log/rkhunter.log
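Added example (not part of the original post, nor rkhunter's own code): an unattended scan wrapper that runs rkhunter with `--rwo` plus `--sk` (skip the "press ENTER" prompts, which otherwise block cron jobs), then pulls the warning lines out of /var/log/rkhunter.log so they can be reviewed or shipped to a SIEM. It assumes rkhunter 1.4.2 is installed as described above, and that log lines carry a `[HH:MM:SS]` timestamp prefix; the sample log is constructed here for illustration.

```shell
#!/bin/sh
# Path of the log rkhunter writes after a scan (as described in the post).
RKH_LOG="${RKH_LOG:-/var/log/rkhunter.log}"

# Print each distinct warning from an rkhunter log with the "[HH:MM:SS] "
# prefix stripped (format assumed). Returns 1 if the log has no warnings.
rkhunter_warnings() {
    grep 'Warning:' "$1" | sed 's/^\[[0-9:]*] *//' | sort -u
    grep -q 'Warning:' "$1"
}

# Raw number of warning lines in the log (duplicates included).
rkhunter_warning_count() {
    grep -c 'Warning:' "$1"
}

# Unattended scan: --sk skips keypress prompts, --rwo prints only warnings.
# rkhunter exits non-zero when it reports anything, so the exit status of
# this function can drive an alert; the warnings are listed afterwards.
rkhunter_scan() {
    rkhunter --check --sk --rwo >/dev/null 2>&1
    rc=$?
    rkhunter_warnings "$RKH_LOG"
    return $rc
}

# Constructed sample log (not real scan output) used to exercise the parser.
make_sample_log() {
    cat > "$1" <<'EOF'
[10:15:02] Info: Starting test name 'filesystem'
[10:15:02] Checking for hidden files and directories
[10:15:03] Warning: Hidden directory found: /dev/.udev
[10:15:03] Warning: Hidden file found: /etc/.pwd.lock: data
[10:15:05] Checking if SSH root access is allowed
[10:15:05] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[10:15:05] Warning: Hidden directory found: /dev/.udev
[10:15:07] Info: End test name 'filesystem'
EOF
}
```

Review the distinct warnings before acting on them: hidden-file findings are often benign (package-manager lock files, udev), so tune rkhunter.conf whitelists rather than ignoring the whole report.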
3. Updating rkhunter online
vulnerabilities, so updating this database regularly is very important. You can update the database with the following command: