chkrootkit.sh を /etc/cron.daily/chkrootkit.sh に置く。`chmod 700 /etc/cron.daily/chkrootkit.sh`
- rpm
- mailutils
chkrootkit.sh を /etc/cron.daily/chkrootkit.sh に置く。`chmod 700 /etc/cron.daily/chkrootkit.sh`
#!/bin/sh
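# Daily chkrootkit run (cron.daily): writes a timestamped log, mirrors it to
# syslog, drops two known false positives and mails any remaining INFECTED
# lines to root. Runs as root; the script itself is installed with mode 700.
PATH=/usr/bin:/bin:/root/bin
export PATH

# The log is an inventory of suspicious files/ports on this host; create it
# (and the log directory) readable by root only.
umask 077
LOGDIR=/var/log/chkrootkit
mkdir -p "$LOGDIR" || exit 1

# Timestamp used both as the log file name and as the syslog tag.
# Kept in its own variable: the original script reused LOGNAME, which is the
# standard login-name variable that cron exports and that mail(1) and other
# tools may consult for the sender/user identity.
STAMP=$(date +'%Y%m%d-%H%M%S')
LOG="$LOGDIR/$STAMP.log"

# Run the scan. The full, unfiltered output goes to the log and to syslog
# first, so the false-positive filtering below never hides anything from the
# audit trail.
chkrootkit 2>&1 | tee "$LOG"
logger -t "$STAMP" < "$LOG"

# false positive for bindshell of SMTPS: chkrootkit flags any listener on 465.
# Only the bindshell report line is removed (the original deleted every line
# containing "465", which could also drop an unrelated finding whose PID or
# port merely contains those digits). Suppressed only when lsof shows no
# process called bindshell on that port.
if grep -q -- 'bindshell.*465' "$LOG" && \
   [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
  sed -i '/bindshell.*465/d' "$LOG"
fi

# false positive for Suckit when `upstart` package was updated: chkrootkit's
# Suckit test inspects /sbin/init. Suppress the report only when rpm -V prints
# no deviation for the package that owns /sbin/init; any verify error or
# "not owned by any package" message is non-empty and keeps the finding.
if grep -q -- Suckit "$LOG" && \
   [ -z "$(rpm -V "$(rpm -qf /sbin/init)")" ]; then
  sed -i '/Suckit/d' "$LOG"
fi

# Anything still marked INFECTED after the filters above needs a human look.
if grep -q -- INFECTED "$LOG"; then
  grep -- INFECTED "$LOG" | mail -s "chkrootkit report in $(hostname)" root
fi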