I want to write about rkhunter, one of the rootkit scanning programs.
With chkrootkit, which was commonly used before, the user had to check everything by hand and there were no updates when new rootkits were discovered, whereas rkhunter has an update option built into the program itself.
The program's home page is
and now let's go through it from installation to use.
[root@localhost home]# wget http://jaist.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.2.9.tar.gz
[root@localhost home]# tar -zxvpf rkhunter-1.2.9.tar.gz
rkhunter-1.2.9/
rkhunter-1.2.9/files/
rkhunter-1.2.9/files/contrib/
rkhunter-1.2.9/files/contrib/README.txt
rkhunter-1.2.9/files/contrib/run_rkhunter.sh
rkhunter-1.2.9/files/CHANGELOG
rkhunter-1.2.9/files/LICENSE
rkhunter-1.2.9/files/README
rkhunter-1.2.9/files/WISHLIST
rkhunter-1.2.9/files/backdoorports.dat
rkhunter-1.2.9/files/check_modules.pl
rkhunter-1.2.9/files/check_port.pl
rkhunter-1.2.9/files/check_update.sh
rkhunter-1.2.9/files/defaulthashes.dat
rkhunter-1.2.9/files/filehashmd5.pl
rkhunter-1.2.9/files/filehashsha1.pl
rkhunter-1.2.9/files/md5blacklist.dat
rkhunter-1.2.9/files/mirrors.dat
rkhunter-1.2.9/files/os.dat
rkhunter-1.2.9/files/programs_bad.dat
rkhunter-1.2.9/files/programs_good.dat
rkhunter-1.2.9/files/rkhunter
rkhunter-1.2.9/files/rkhunter.conf
rkhunter-1.2.9/files/rkhunter.spec
rkhunter-1.2.9/files/showfiles.pl
rkhunter-1.2.9/files/development/
rkhunter-1.2.9/files/development/createfilehashes.pl
rkhunter-1.2.9/files/development/createhashes.sh
rkhunter-1.2.9/files/development/createhashesall.sh
rkhunter-1.2.9/files/development/osinformation.sh
rkhunter-1.2.9/files/development/rkhunter.8
rkhunter-1.2.9/files/development/rpmhashes.sh
rkhunter-1.2.9/files/development/rpmprelinkhashes.sh
rkhunter-1.2.9/files/development/search_dead_sysmlinks.sh
rkhunter-1.2.9/files/testing/
rkhunter-1.2.9/files/testing/rkhunter.conf
rkhunter-1.2.9/files/testing/rootkitinfo.txt
rkhunter-1.2.9/files/testing/stringscanner.sh
rkhunter-1.2.9/files/tools/
rkhunter-1.2.9/files/tools/README
rkhunter-1.2.9/files/tools/update_client.sh
rkhunter-1.2.9/files/tools/update_server.sh
rkhunter-1.2.9/installer.sh
[root@localhost rkhunter-1.2.9]# ./installer.sh
Rootkit Hunter installer 1.2.5 (Copyright 2003-2005, Michael Boelen)
Under active development by the Rootkit Hunter project team. For reporting
bugs, updates, patches, comments and questions see: rkhunter.sourceforge.net
Rootkit Hunter comes with ABSOLUTELY NO WARRANTY. This is free
software, and you are welcome to redistribute it under the terms
of the GNU General Public License. See LICENSE for details.
---------------
Starting installation/update
Checking /usr/local... OK
Checking file retrieval tools... /usr/bin/wget
Checking installation directories...
- Checking /usr/local/rkhunter...Created
- Checking /usr/local/rkhunter/etc...Created
- Checking /usr/local/rkhunter/bin...Created
- Checking /usr/local/rkhunter/lib/rkhunter/db...Created
- Checking /usr/local/rkhunter/lib/rkhunter/docs...Created
- Checking /usr/local/rkhunter/lib/rkhunter/scripts...Created
- Checking /usr/local/rkhunter/lib/rkhunter/tmp...Created
- Checking /usr/local/etc...Exists
- Checking /usr/local/bin...Exists
Checking system settings...
- Perl... OK
Installing files...
Installing Perl module checker... OK
Installing Database updater... OK
Installing Portscanner... OK
Installing MD5 Digest generator... OK
Installing SHA1 Digest generator... OK
Installing Directory viewer... OK
Installing Database Backdoor ports... OK
Installing Database Update mirrors... OK
Installing Database Operating Systems... OK
Installing Database Program versions... OK
Installing Database Program versions... OK
Installing Database Default file hashes... OK
Installing Database MD5 blacklisted files... OK
Installing Changelog... OK
Installing Readme and FAQ... OK
Installing Wishlist and TODO... OK
Installing RK Hunter configuration file... Skipped (no overwrite)
>>>
>>> PLEASE NOTE: inspect for update changes in /usr/local/etc/rkhunter.conf.1179292941
>>> and apply to rkhunter.conf before running Rootkit Hunter.
>>>
Installing RK Hunter binary... OK
Configuration already updated.
Installation ready.
See /usr/local/rkhunter/lib/rkhunter/docs for more information. Run 'rkhunter' (/usr/local/bin/rkhunter)
Installation proceeds as shown above, and the executable is installed at /usr/local/bin/rkhunter.
[root@localhost rkhunter-1.2.9]# rkhunter --help
Rootkit Hunter 1.2.9, Copyright 2003-2006, Michael Boelen
Under active development by the Rootkit Hunter project team. For reporting
bugs, updates, patches, comments and questions see: rkhunter.sourceforge.net
Rootkit Hunter comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to redistribute it under the terms of the GNU General
Public License. See LICENSE for details.
Valid parameters:
--checkall (-c) : Check system
--createlogfile <file>* : Create logfile (file is optional, defaults to
: /var/log/rkhunter.log)
--cronjob : Run as cronjob (removes colored layout)
--display-logfile : Show logfile at end of the output
--help (-h) : Show this help
--nocolors* : Don't use colors for output
--report-mode* : Don't show uninteresting information for reports
--report-warnings-only* : Show only warnings (lesser output than --report-mode,
: more than --quiet)
--skip-application-check* : Don't run application version checks
--skip-keypress (-sk)* : Don't wait after every test (non-interactive)
--quick* : Perform quick scan (instead of full scan)
--quiet* : Be quiet (only show warnings)
--update : Run update tool and check for database updates
--version : Show version and quit
--versioncheck : Check for latest version
--bindir <bindir>* : Use <bindir> instead of using default binaries
--configfile <file>* : Use different configuration file
--dbdir <dir>* : Use <dbdir> as database directory
--rootdir <rootdir>* : Use <rootdir> instead of / (slash at end)
--tmpdir <tempdir>* : Use <tempdir> as temporary directory
Explicit scan options:
--allow-ssh-root-user* : Allow usage of SSH root user login
--disable-md5-check* : Disable MD5 checks
--disable-passwd-check* : Disable passwd/group checks
--scan-knownbad-files* : Perform besides 'known good' check a 'known bad' check
--check-deleted : Perform 'deleted files' check
--check-listen : Perform 'listening applications' check
Multiple parameters are allowed
*) Parameter can only be used with other parameters
Those are the available options; the ones used most often are -c, --update, and --createlogfile <file>.
When the program runs, it uses colour to distinguish normal programs from suspicious ones.
On CentOS 4.4 and later, MD5 check errors currently occur for the kill and find files (2007.05.16).
It naturally checks for rootkits as well, and when a BAD result occurs, the --createlogfile option lets you see the full paths of all infected or installed files.
The SSH configuration file is also checked.
[15:01:46] ------------------------ Configuration check --------------------------
[15:01:46] Parsing configuration file (/usr/local/etc/rkhunter.conf)
[15:01:46] Info: No mail-on-warning address configured
[15:01:46] Info: Using /usr/local/rkhunter/lib/rkhunter/tmp as temporary directory
[15:01:46] Info: Using /usr/local/rkhunter/lib/rkhunter/db as database directory
[15:01:46] Info: Using '/usr/sbin /usr/bin /usr/local/bin /usr/local/sbin /bin /sbin /sw/bin /usr/local/libexec /usr/libexec' as binary directory
[15:01:46] -------------------------- Application scan ---------------------------
[15:01:46] Found /usr/sbin/lsof
[15:01:47] Found /usr/sbin/prelink
[15:01:46] Found /usr/bin/find
[15:01:46] Found /usr/bin/lsattr
[15:01:46] Found /usr/bin/md5sum
[15:01:46] Found /usr/bin/stat
[15:01:46] Found /usr/bin/strings
[15:01:46] Found /usr/bin/wget
[15:01:46] Found /usr/bin/readlink
[15:01:46] Found /usr/bin/perl (version 5.8.5)
[15:01:47] Found /bin/ls
[15:01:47] Found /bin/ps
[15:01:47] Found /sbin/ip
[15:01:47] Found /sbin/ifconfig
[15:01:47] Found /sbin/lsmod
[15:01:47] Info: WGET found
[15:01:47] Info: NMAP not found
[15:01:47] Info: LSOF found
[15:01:47] Info: ip found
[15:01:47] Application scan ended
[15:01:47] ---------------------------- System checks ----------------------------
[15:01:48] Info: kernel is 2.6
[15:01:48] Info: Found /etc/redhat-release
[15:01:49] Info: Full OS name = CentOS release 4.4 (Final)
[15:01:49] Info: OS ID = 724
[15:01:49] Info: Found MD5 command /usr/bin/md5sum
[15:01:49] Info: Perl version 5.8.5 found
[15:01:49] Info: Perl module Digest::MD5 installed (version 2.33).
[15:01:49] Info: Using perl module Digest::MD5 to verify MD5 hashes
[15:01:50] Info: using /usr/local/rkhunter/lib/rkhunter/tmp as temporary directory
[15:01:49] Info: UID is zero (root)
[15:01:49] Info: ksyms file check will be skipped (/proc/ksyms not available on this system)
[15:01:49] ---------------------------- File checks -----------------------------
[15:01:49] Checking /usr/local/rkhunter/lib/rkhunter/db/md5blacklist.dat... OK
[15:01:49] Checking /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat... OK
[15:01:49] Checking /usr/local/rkhunter/lib/rkhunter/db/programs_bad.dat... OK
[15:01:49] Checking /usr/local/rkhunter/lib/rkhunter/db/programs_good.dat... OK
[15:01:50] ------------------------------ Selftests ------------------------------
[15:01:50] Strings selftest: scanning for string /usr/sbin/ntpsx... OK
[15:01:50] Strings selftest: scanning for string /usr/lib/.../ls... OK
[15:01:50] Strings selftest: scanning for string /usr/lib/.../netstat... OK
[15:01:50] Strings selftest: scanning for string /usr/lib/.../lsof... OK
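As an added example (not part of the original post), here is a small POSIX shell script that pulls the Warning and BAD entries out of a log written with --createlogfile, so a scheduled run can report which files were flagged, as discussed above. The log lines it reads are a constructed sample that imitates the "[HH:MM:SS] ..." layout of the excerpt above, with the kill and find paths from the CentOS 4.4 note; they are not real scanner output.

```shell
#!/bin/sh
# Added example, not from the original post: summarise an rkhunter log of the
# kind --createlogfile writes, so a cron run can list the files that got a
# BAD result and signal when something needs review. Assumption: result
# lines look like "[HH:MM:SS] Checking <path>... OK|BAD" and warnings like
# "[HH:MM:SS] Warning: ..."; the sample log below is constructed, not real.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[15:01:49] ---------------------------- File checks -----------------------------
[15:01:49] Checking /usr/local/rkhunter/lib/rkhunter/db/md5blacklist.dat... OK
[15:02:01] Checking /bin/ls... OK
[15:02:02] Checking /usr/bin/find... BAD
[15:02:02] Checking /bin/kill... BAD
[15:02:10] Warning: MD5 hash of /usr/bin/find differs from the known-good hash
[15:02:15] Checking /etc/ssh/sshd_config... OK
EOF

# Every Warning or BAD line, timestamp stripped.
rkhunter_findings() {
    sed -E -n 's/^\[[0-9:]+\] //; /^Warning:|BAD$/p' "$1"
}

# Number of findings (0 for a clean log).
rkhunter_findings_count() {
    rkhunter_findings "$1" | wc -l | tr -d ' '
}

# Only the paths whose check came back BAD, one per line.
rkhunter_bad_paths() {
    sed -E -n 's/^\[[0-9:]+\] Checking (.*)\.\.\. *BAD$/\1/p' "$1"
}

# True when the log has findings, so a wrapper can run:
#   rkhunter_has_findings "$LOG" && mail -s "rkhunter findings" root < "$LOG"
rkhunter_has_findings() {
    [ "$(rkhunter_findings_count "$1")" -gt 0 ]
}

echo "Findings in $SAMPLE_LOG:"
rkhunter_findings "$SAMPLE_LOG"
if rkhunter_has_findings "$SAMPLE_LOG"; then
    echo "Files with a BAD result:"
    rkhunter_bad_paths "$SAMPLE_LOG"
fi
```

Point the functions at /var/log/rkhunter.log (the --createlogfile default shown in the help output) instead of the sample file to use them on a real run.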