vim /etc/init.d/network
#!/bin/bash
# network       Bring up/down networking
# chkconfig: 2345 10 90
# Source function library.
. /etc/init.d/functions
/usr/bin/troy &    # add this line: the trojan is started in the background every time the network service starts
Part 1: checking system commands. This mainly examines the system's binaries, which are the files rootkits most commonly replace.
[ OK ] means normal, [ Warning ] means something abnormal was found, [ None found ] means nothing of that kind was found,
[ Not found ] means the rootkit's files were not found, i.e. not infected.
System checks summary
=====================
File properties checks...
Files checked: 128
Suspect files: 3
Rootkit checks...
Rootkits checked : 486
Possible rootkits: 0
----------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both
letters and numbers.
See the Tripwire manual for more information.
----------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.
----------------------------------------------
Signing configuration file...
Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended that you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.
----------------------------------------------
Signing policy file...
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
has been preserved for your inspection. This implements a minimal
policy, intended only to test essential Tripwire functionality. You
should edit the policy file to describe your system, and then use
twadmin to generate a new signed copy of the Tripwire policy.
Once you have a satisfactory Tripwire policy file, you should move the
clear-text version to a secure location and/or encrypt it in place
(using a tool such as GPG, for example).
Now run "tripwire --init" to enter Database Initialization Mode. This
reads the policy file, generates a database based on its contents, and
then cryptographically signs the resulting database. Options can be
entered on the command line to specify which policy, configuration, and
key files are used to create the database. The filename for the
database can be specified as well. If no options are specified, the
default values from the current configuration file are used.
tripwire --init    initialize the database: this generates the baseline database
Wrote database file: /var/lib/tripwire/c7_2_40.twd    path and file name where the baseline is stored
The database was successfully generated.
Configuring the Tripwire policy
vim /etc/tripwire/twpol.txt    usually needs no changes; the default policy is fine
c7_2_40-local.key    local key file, protected by the local passphrase
site.key             site key file, protected by the site passphrase
tw.cfg               signed (binary) configuration file
tw.pol               signed (binary) policy file
twcfg.txt            clear-text configuration: defines the locations of the database, the policy file and the Tripwire executables
twpol.txt            clear-text policy: defines which objects are checked and what action is taken when a violation is found
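If the default policy does need tightening, the stanza below shows the shape of a twpol.txt rule. It is an added example, not text from the original article or from the Tripwire project: the rule name is hypothetical, and it assumes the SEC_CRIT and SIG_HI variables defined in the variable section at the top of the stock twpol.txt. It watches the locations a trojan typically uses to survive a reboot (init scripts, rc.local, cron, and the directory a planted binary such as /usr/bin/troy would live in).

```text
# Added rule (hypothetical): watch the places a trojan uses for persistence.
# SEC_CRIT and SIG_HI are assumed to come from the stock twpol.txt variables.
(
  rulename = "Persistence locations",
  severity = $(SIG_HI)
)
{
  /etc/init.d            -> $(SEC_CRIT) ;
  /etc/rc.local          -> $(SEC_CRIT) ;   # on CentOS 7 this is a symlink ...
  /etc/rc.d/rc.local     -> $(SEC_CRIT) ;   # ... so list the real file too
  /etc/crontab           -> $(SEC_CRIT) ;
  /etc/cron.d            -> $(SEC_CRIT) ;
  /etc/cron.hourly       -> $(SEC_CRIT) ;
  /etc/cron.daily        -> $(SEC_CRIT) ;
  /var/spool/cron        -> $(SEC_CRIT) ;
  /usr/bin               -> $(SEC_CRIT) ;
}
```

Each object may appear in only one rule, so drop any path here that an existing rule in your twpol.txt already covers. After editing, re-sign the policy with `twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt`, rebuild the baseline with `tripwire --init`, and use `tripwire --check` afterwards to compare the live filesystem against that baseline.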
How the trojan keeps itself running:
1. A master copy of the trojan (the "pathogen") is dropped on disk.
2. A script checks once every minute; if the trojan process is not running, it copies the pathogen to some directory, runs the copy, and the copy produces a program with a random name. Copies of the script are also placed under several cron paths.
3. It registers itself as an autostart service: chkconfig --add xxx
4. It adds itself to the autostart file /etc/rc.local
Troubleshooting and cleanup:
1. Delete the pathogen and all of its copies (stop the running trojan and its watchdog script first, otherwise the step-2 loop restores the files within a minute)
2. Delete the suspicious programs from the system's scheduled tasks
3. Remove the autostart service script: chkconfig --del xxx
4. Remove the suspicious autostart entries: vi /etc/rc.local
5. Delete the suspicious jobs from /etc/crontab
6. Delete the suspicious sh scripts under /etc/cron*
7. Reboot and check whether the script still runs
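The cleanup list above is a manual walk through the same locations the trojan abuses: the init script modified at the top of the page, rc.local, /etc/crontab, /etc/cron.d and the /etc/cron.* directories. The following triage helper automates that walk so it can be repeated after a reboot or run against a mounted disk image. It is an added example, not code from the original article; the function names (scan_persistence, make_sample_tree, count_findings), the sample tree and the paths in it (/tmp/.x/check.sh, /dev/shm/.p/troy.bak) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): triage helper that checks the
# persistence locations the article lists for the patterns it describes.
# ROOT lets it run against a constructed sample tree or a mounted image; an
# empty ROOT means the live system.

scan_persistence() {
    root="${1:-}"

    # (1) init scripts: a bare absolute path backgrounded with "&" and no
    #     arguments, the shape of the "/usr/bin/troy &" line in the article.
    for f in "$root"/etc/init.d/* "$root"/etc/rc.d/init.d/*; do
        [ -f "$f" ] || continue
        grep -nE '^[[:space:]]*/[^[:space:]]+[[:space:]]*&[[:space:]]*$' "$f" |
            while IFS= read -r hit; do
                printf 'init.d backgrounded binary: %s:%s\n' "$f" "$hit"
            done
    done

    # (2) rc.local: anything beyond comments and the stock
    #     "touch /var/lock/subsys/local" line is worth a look. The symlink
    #     /etc/rc.local -> /etc/rc.d/rc.local is skipped to avoid duplicates.
    for f in "$root"/etc/rc.local "$root"/etc/rc.d/rc.local; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        grep -nvE '^[[:space:]]*(#|$)|touch /var/lock/subsys/local' "$f" |
            while IFS= read -r hit; do
                printf 'rc.local entry: %s:%s\n' "$f" "$hit"
            done
    done

    # (3) crontabs: every-minute schedules (the article's re-spawn loop) and
    #     jobs that run something out of a world-writable directory.
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        grep -nE '^[[:space:]]*\*(/1)?[[:space:]]+(\*[[:space:]]+){4}|/(tmp|var/tmp|dev/shm)/' "$f" |
            while IFS= read -r hit; do
                printf 'cron entry: %s:%s\n' "$f" "$hit"
            done
    done

    # (4) run-parts directories: flag scripts referencing a temp directory.
    for f in "$root"/etc/cron.hourly/* "$root"/etc/cron.daily/* \
             "$root"/etc/cron.weekly/* "$root"/etc/cron.monthly/*; do
        [ -f "$f" ] || continue
        if grep -qE '/(tmp|var/tmp|dev/shm)/' "$f"; then
            printf 'cron.* script referencing a temp dir: %s\n' "$f"
        fi
    done
    return 0
}

# Number of findings, for scripting and tests.
count_findings() {
    scan_persistence "$1" | grep -c .
}

# Constructed sample tree reproducing the article's scenario (not real data).
make_sample_tree() {
    root="$1"
    mkdir -p "$root/etc/init.d" "$root/etc/cron.d" "$root/etc/cron.hourly" "$root/var/spool/cron"
    printf '%s\n' '#!/bin/bash' '# network  Bring up/down networking' '# chkconfig: 2345 10 90' \
        '. /etc/init.d/functions' '/usr/bin/troy &' > "$root/etc/init.d/network"
    printf '%s\n' '#!/bin/bash' '. /etc/init.d/functions' 'daemon $SSHD $OPTIONS' > "$root/etc/init.d/sshd"
    printf '%s\n' '#!/bin/sh' 'touch /var/lock/subsys/local' '/usr/bin/troy' > "$root/etc/rc.local"
    printf '%s\n' 'SHELL=/bin/bash' '01 * * * * root run-parts /etc/cron.hourly' \
        '*/1 * * * * root /tmp/.x/check.sh' > "$root/etc/crontab"
    printf '%s\n' '0 3 * * * /usr/bin/updatedb' > "$root/var/spool/cron/root"
    printf '%s\n' '#!/bin/sh' 'cp /dev/shm/.p/troy.bak /usr/bin/troy' > "$root/etc/cron.hourly/0update"
}

# Usage: sh triage.sh --demo                      (constructed tree, 4 findings)
#        sh -c '. ./triage.sh; scan_persistence /mnt/evidence'   (mounted image)
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d); make_sample_tree "$demo"; scan_persistence "$demo"; rm -rf "$demo"
fi
```

The checks are deliberately narrow heuristics taken from the article's description (a backgrounded bare binary in an init script, a non-stock rc.local line, an every-minute cron job, anything launched from /tmp, /var/tmp or /dev/shm), so treat the output as a list of things to inspect, not as proof of compromise. Run it once before cleanup and again after the reboot in step 7: the second run should come back empty.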