How to handle so-called chkrootkit false positives

I installed chkrootkit with apt install on a freshly installed Ubuntu Server 16.04.3. On its first run, chkrootkit
found suspicious files and directories:

Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd
/lib/modules/4.4.0-87-generic/vdso/.build-id
/lib/modules/4.4.0-96-generic/vdso/.build-id

I noticed that three years ago another user on Stack Exchange ran into the same false positives and posted "Chkrootkit finds many suspicious files and directories, and /sbin/init is infected".

FAQ 8 on the official chkrootkit website states that they cannot whitelist false positives, because an attacker could take advantage of knowing that chkrootkit ignores certain files and directories.

How do you suggest dealing with this long list of files and directories? How can I check whether they are false positives? If they are, is there any way to compare these files against their original contents (the way dpkg -V does for packages)?

Answer 1

You can use debsums to verify your packages:

sudo apt install debsums

and then

sudo debsums

By default it skips configuration files; to include them:

sudo debsums -a

To show only errors, use the -s flag:

sudo debsums -as

For details and other options, see man debsums:

http://manpages.ubuntu.com/manpages/zesty/en/man1/debsums.1.html

       If you are looking for an integrity checker that can run from safe
       media, do integrity checks on checksum databases and can be easily
       configured to run periodically to warn the admin of changes see other
       tools such as: aide, integrit, samhain, or tripwire.

These tools (aide, integrit, samhain or tripwire) should be installed and initialized on a fresh install or known-good system, and ideally run from live media, because a rootkit on a compromised system can defeat them.
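To tie the two halves of the answer together, here is an added triage helper (not from the original post) for the kind of list chkrootkit printed in the question: it pulls the absolute paths out of chkrootkit's text, asks dpkg -S which package owns each one, and runs debsums on that package, so a hidden .htaccess shipped by fail2ban's test suite or a .build-id directory under /lib/modules gets confirmed against the package checksums instead of eyeballed. It assumes a Debian/Ubuntu host with the debsums package installed; the sample chkrootkit output embedded at the top is constructed for illustration.

```shell
#!/bin/sh
# Triage chkrootkit "suspicious files and dirs" hits on Debian/Ubuntu.
# For each flagged path: find the owning package with dpkg -S, then verify that
# package's shipped md5sums with debsums. Paths owned by no package are reported
# for manual review, since neither dpkg -V nor debsums can vouch for them.
# Usage on a real host (requires the debsums package):
#   sudo chkrootkit | extract_paths | triage

# Constructed sample of chkrootkit output, shaped like the question's finding:
# header text followed by whitespace-separated absolute paths.
SAMPLE_OUTPUT='Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess /lib/modules/4.4.0-96-generic/vdso/.build-id'

# extract_paths: read chkrootkit text on stdin, print one absolute path per line.
extract_paths() {
    tr -s '[:space:]' '\n' | grep '^/'
}

# owner_of: print the package owning path $1, or nothing if no package owns it.
# dpkg -S prints "pkg: /path" (or "pkgA, pkgB: /path"); diversion notices are skipped.
owner_of() {
    dpkg -S "$1" 2>/dev/null | grep -v '^diversion' | head -n1 | cut -d: -f1 | cut -d, -f1
}

# triage: read one path per line on stdin, classify each as OK, MODIFIED or UNOWNED.
# Returns 1 if anything needs a human to look at it, 0 if every path checked out.
triage() {
    rc=0
    while IFS= read -r p; do
        pkg=$(owner_of "$p")
        if [ -z "$pkg" ]; then
            printf 'UNOWNED  %s\n' "$p"
            rc=1
            continue
        fi
        # debsums -as (config files included, errors only) prints only mismatches
        # and exits non-zero when a file differs or the package has no md5sums.
        if out=$(debsums -as "$pkg" 2>&1); then
            printf 'OK       %s (owned by %s, checksums verified)\n' "$p" "$pkg"
        else
            printf 'MODIFIED %s (owned by %s)\n%s\n' "$p" "$pkg" "$out"
            rc=1
        fi
    done
    return "$rc"
}
```

An OK line means the whole owning package matched its shipped checksums, which is exactly the dpkg -V style comparison the question asks for; an UNOWNED hit is the one that deserves attention, because nothing on the system can account for it.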
