chkrootkit & rkhunter
#1
Morning IBT,
This time I just want to post about 2 utility tools that come with Back|track, namely chkrootkit and rkhunter.

I already searched and there is no thread about these utilities yet, but if there already is one, just delete this one, admin/mod.

chkrootkit is a utility that checks our machine to find out whether or not it is infected with a rootkit.

Code:
ROOTKIT on WIKIPEDIA
A rootkit is software that implements stealth capabilities that are designed to hide the existence of certain processes or programs. While some uses of the technology may be beneficial, the most notable usage is by malware seeking to avoid detection by antivirus software.[1] The term rootkit is derived from a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool). On Unix systems, rootkits originally allowed backdoor privileged access to a computer by subverting standard tools like ls; today, the term is used more widely to refer to any software implementing cloaking.[1]

OK, straight on to how to use this tool ..
It is really simple to use
Code:
root@bt:~# cd /pentest/forensics/chkrootkit/
root@bt:/pentest/forensics/chkrootkit# ./chkrootkit

If you want simpler output, use quiet mode
Code:
root@bt:/pentest/forensics/chkrootkit# ./chkrootkit -q

Expert mode?
Code:
root@bt:/pentest/forensics/chkrootkit# ./chkrootkit -x

Screenshot
[Image: chkrootkit.png]

rkhunter (Rootkit Hunter) is a tool that runs on Unix/Unix-like platforms and scans for rootkits, backdoors and local exploits on our machine.
It does this by comparing SHA-1 hashes.
rkhunter can also look for the default directories used by rootkits, check for wrong/incorrect permissions, hidden files, suspicious strings in kernel modules, and so on (please Google it).

OK, how to use it.
You can open it via
Code:
menu >> Backtrack >> Forensics >> AntiVirus Forensics Tools >> rkhunter

The command to run it
Code:
root@bt:~# rkhunter --check

More?
Code:
root@bt:~# rkhunter --help

Screenshot
[Image: rkhunter.png]

rkhunter saves its results in a log file
Code:
root@bt:~# cat /var/log/rkhunter.log
Example log file from a scan on my machine
Code:
[09:42:06] Running Rootkit Hunter version 1.3.8 on bt
[09:42:06]
[09:42:06] Info: Start date is Fri Jun 15 09:42:06 CIT 2012
[09:42:06]
[09:42:06] Checking configuration file and command-line options...
[09:42:06] Info: Detected operating system is 'Linux'
[09:42:06] Info: Uname output is 'Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux'
[09:42:06] Info: Command line is /bin/rkhunter --check
[09:42:06] Info: Environment shell is /bin/bash; rkhunter is using bash
[09:42:06] Info: Using configuration file '/usr/local/etc/rkhunter.conf'
[09:42:06] Info: Installation directory is '/bin'
[09:42:06] Info: Using language 'en'
[09:42:06] Info: Using '/var/lib/rkhunter/db' as the database directory
[09:42:06] Info: Using '/lib/rkhunter/scripts' as the support script directory
[09:42:06] Info: Using '/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin /etc/alternatives/gem-bin /usr/local/libexec' as the command directories
[09:42:06] Info: Using '/' as the root directory by default
[09:42:06] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[09:42:06] Info: No mail-on-warning address configured
[09:42:06] Info: X will be automatically detected
[09:42:06] Info: Using second color set
[09:42:06] Info: Found the 'basename' command: /usr/bin/basename
[09:42:06] Info: Found the 'diff' command: /usr/bin/diff
[09:42:06] Info: Found the 'dirname' command: /usr/bin/dirname
[09:42:06] Info: Found the 'file' command: /usr/bin/file
[09:42:07] Info: Found the 'find' command: /usr/bin/find
[09:42:07] Info: Found the 'ifconfig' command: /sbin/ifconfig
[09:42:07] Info: Found the 'ip' command: /sbin/ip
[09:42:07] Info: Found the 'ldd' command: /usr/bin/ldd
[09:42:07] Info: Found the 'lsattr' command: /usr/bin/lsattr
[09:42:07] Info: Found the 'lsmod' command: /sbin/lsmod
[09:42:07] Info: Found the 'lsof' command: /usr/bin/lsof
[09:42:07] Info: Found the 'mktemp' command: /bin/mktemp
[09:42:07] Info: Found the 'netstat' command: /bin/netstat
[09:42:07] Info: Found the 'perl' command: /usr/bin/perl
[09:42:07] Info: Found the 'pgrep' command: /usr/bin/pgrep
[09:42:07] Info: Found the 'ps' command: /bin/ps
[09:42:07] Info: Found the 'pwd' command: /bin/pwd
[09:42:07] Info: Found the 'readlink' command: /bin/readlink
[09:42:07] Info: Found the 'stat' command: /usr/bin/stat
[09:42:07] Info: Found the 'strings' command: /usr/bin/strings
[09:42:07] Info: System is not using prelinking
[09:42:07] Info: Using the '/usr/bin/sha1sum' command for the file hash checks
[09:42:07] Info: The hash function field index is set to 1
[09:42:07] Info: No package manager specified: using hash function '/usr/bin/sha1sum'
[09:42:07] Info: Previous file attributes were stored
[09:42:07] Info: Enabled tests are: all
[09:42:07] Info: Disabled tests are: suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
[09:42:07] Info: Including user files for file properties check:
[09:42:07]       /etc/rkhunter.conf
[09:42:07] Info: Found ksym file '/proc/kallsyms'
[09:42:07] Info: Using 'date' to process epoch second times.
[09:42:07] Info: Locking is not being used
[09:42:07]
[09:42:07] Starting system checks...
[09:42:08]
[09:42:08] Info: Starting test name 'system_commands'
[09:42:08] Checking system commands...
[09:42:08]
[09:42:08] Info: Starting test name 'strings'
[09:42:08] Performing 'strings' command checks
[09:42:08]   Scanning for string /usr/sbin/ntpsx             [ OK ]
[09:42:08]   Scanning for string /usr/sbin/.../bkit-ava      [ OK ]
[09:42:08]   Scanning for string /usr/sbin/.../bkit-d        [ OK ]
[09:42:08]   Scanning for string /usr/sbin/.../bkit-shd      [ OK ]
[09:42:08]   Scanning for string /usr/sbin/.../bkit-f        [ OK ]
[09:42:08]   Scanning for string /usr/include/.../proc.h     [ OK ]
[09:42:08]   Scanning for string /usr/include/.../.bash_history [ OK ]
[09:42:08]   Scanning for string /usr/include/.../bkit-get   [ OK ]
[09:42:08]   Scanning for string /usr/include/.../bkit-dl    [ OK ]
[09:42:08]   Scanning for string /usr/include/.../bkit-screen [ OK ]
[09:42:09]   Scanning for string /usr/include/.../bkit-sleep [ OK ]
[09:42:09]   Scanning for string /usr/lib/.../bkit-adore.o   [ OK ]
[09:42:09]   Scanning for string /usr/lib/.../ls             [ OK ]
[09:42:09]   Scanning for string /usr/lib/.../netstat        [ OK ]
[09:42:09]   Scanning for string /usr/lib/.../lsof           [ OK ]
[09:42:09]   Scanning for string /usr/lib/.../bkit-ssh/bkit-shdcfg [ OK ]
[09:42:09]   Scanning for string /usr/lib/.../bkit-ssh/bkit-shhk [ OK ]
[09:42:09]   Scanning for string /usr/lib/.../bkit-ssh/bkit-pw [ OK ]
[09:42:09]   Scanning for string /usr/lib/.../bkit-ssh/bkit-shrs [ OK ]
[09:42:09]   Scanning for string /usr/lib/.../bkit-ssh/bkit-mots [ OK ]
[09:42:09]   Scanning for string /usr/lib/.../uconf.inv      [ OK ]
[09:42:09]   Scanning for string /usr/lib/.../psr            [ OK ]
[09:42:09]   Scanning for string /usr/lib/.../find           [ OK ]
[09:42:09]   Scanning for string /usr/lib/.../pstree         [ OK ]
[09:42:10]   Scanning for string /usr/lib/.../slocate        [ OK ]
[09:42:10]   Scanning for string /usr/lib/.../du             [ OK ]
[09:42:10]   Scanning for string /usr/lib/.../top            [ OK ]
[09:42:10]   Scanning for string /usr/sbin/...               [ OK ]
[09:42:10]   Scanning for string /usr/include/...            [ OK ]
[09:42:10]   Scanning for string /usr/include/.../.tmp       [ OK ]
[09:42:10]   Scanning for string /usr/lib/...                [ OK ]
[09:42:10]   Scanning for string /usr/lib/.../.ssh           [ OK ]
[09:42:10]   Scanning for string /usr/lib/.../bkit-ssh       [ OK ]
[09:42:10]   Scanning for string /usr/lib/.bkit-             [ OK ]
[09:42:10]   Scanning for string /tmp/.bkp                   [ OK ]
[09:42:10]   Scanning for string /tmp/.cinik                 [ OK ]
.................. SKIP...............
[09:50:57] Info: End date is Fri Jun 15 09:50:57 CIT 2012

That's all for now, maybe others below can add more. Let's explore it together ..

Regards,
RR12
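As an added example (not part of RR12's post and not code shipped with either tool): a small POSIX sh script that shows the practical side of the procedure above. It wraps a real `rkhunter --check` / `chkrootkit -q` run when the tools are installed, and separately triages an rkhunter log by pulling out only the `Warning:` lines, which is what an analyst actually has to act on, since neither tool removes anything. The log lines embedded in the script are constructed for this example (the file name `/dev/.example` is invented); in real use, point the functions at `/var/log/rkhunter.log`.

```sh
#!/bin/sh
# Added example, not from the original post: triage helpers around
# rkhunter/chkrootkit. Both tools only REPORT findings; cleanup is manual.

# Constructed sample of rkhunter.log lines, invented for this example so the
# script runs offline. In real use, pass /var/log/rkhunter.log instead.
make_sample_log() {
    cat > "$1" <<'EOF'
[09:42:06] Info: No mail-on-warning address configured
[09:42:08]   Scanning for string /usr/sbin/ntpsx             [ OK ]
[09:42:10]   Checking for hidden files and directories     [ Warning ]
[09:42:10] Warning: Hidden file found: /dev/.example: ASCII text
[09:42:12]   /usr/bin/ls                                     [ OK ]
[09:42:12] Warning: The command '/usr/bin/lsof' has been replaced by a script: /usr/bin/lsof: POSIX shell script text executable
EOF
}

# Count the "Warning:" detail lines, i.e. the actionable findings.
# The pattern anchors on the "[hh:mm:ss] Warning:" prefix, so the
# lowercase "No mail-on-warning" Info line is not matched and the
# "[ Warning ]" status column is not counted a second time.
# "|| true" keeps the exit status 0 when the count is 0 (grep exits 1).
count_warnings() {
    grep -c '^\[[0-9:]*\] Warning:' "$1" || true
}

# Print the findings for an analyst to follow up by hand.
list_warnings() {
    grep '^\[[0-9:]*\] Warning:' "$1"
}

# Run the real scanners only when they are installed. rkhunter flags:
#   --sk   skip the "press enter" prompts between test groups
#   --rwo  report warnings only (quiet run, suitable for cron)
# chkrootkit -q is its quiet mode, as used in the post above.
run_scanners() {
    if command -v rkhunter >/dev/null 2>&1; then
        rkhunter --check --sk --rwo
    fi
    if command -v chkrootkit >/dev/null 2>&1; then
        chkrootkit -q
    fi
}

# Stand-alone demo on the constructed log.
tmp=$(mktemp)
make_sample_log "$tmp"
echo "warnings in sample log: $(count_warnings "$tmp")"
list_warnings "$tmp"
rm -f "$tmp"
```

Two caveats a practitioner would want alongside this. First, rkhunter's file-property comparison (the SHA-1 hashes the post mentions) is only as good as its baseline: `rkhunter --propupd` records the current state of the system commands, so run it on a known-clean install, because a binary that was already replaced gets baselined in as "good". Second, both tools call the host's own `ps`, `netstat`, `ls`, `lsof` and so on, which are exactly what a rootkit subverts; a clean result on a live system is therefore weaker evidence than the same check run from trusted media against a mounted disk.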

#2
Nice share, bro . . It's like an antivirus, huh
new user Imoet

#3
(06-15-2012, 10:23 AM)permana Wrote: Nice share, bro . . It's like an antivirus, huh

Yep, you could say that, but it is not fully an antivirus; an antivirus can clean and prevent. These two utilities only check for and look for malware that is on our machine ... I think that's how it is, bro ..

#4
Oh yeah, right . . It also can't do it automatically like an antivirus, huh : .

So deleting the files is our job, mate
new user Imoet

#5
(06-15-2012, 10:28 AM)permana Wrote: Oh yeah, right . . It also can't do it automatically like an antivirus, huh : .

So deleting the files is our job, mate

Yep, I think so, bro ..

#6
Nice share, bro, didn't know about this. Let me go try it
aceh.indonesianbacktrack.or.id


#7
Thanks for sharing, bro, learned something new again

#8
(06-15-2012, 12:49 PM)revzter Wrote: Thanks for sharing, bro, learned something new again

Yeah .. let's explore the features of chkrootkit + rkhunter or other forensic utilities further ..

#9
I don't get it -_________-" revzter has to PM me

#10
Can we just call it an antivirus, bro?