Rootkit scanner rkhunter-1.2.9.tar.gz

by ADMINPLAY posted Sep 22, 2009

This post covers rkhunter, one of the rootkit scanners.

With the commonly used chkrootkit, the user has to go through the results by hand and nothing is refreshed when new rootkits are discovered; rkhunter, by contrast, has an update option built into the program that refreshes its signature and hash databases.

 

The program's homepage is

http://www.rootkit.nl/

Let's go through it from installation to use. The tarball is fetched with wget below; since installer.sh is run as root, verify the downloaded archive's checksum against the value the project publishes before unpacking it.

 

[root@localhost home]# wget http://jaist.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.2.9.tar.gz

 

[root@localhost home]# tar -zxvpf rkhunter-1.2.9.tar.gz
rkhunter-1.2.9/
rkhunter-1.2.9/files/
rkhunter-1.2.9/files/contrib/
rkhunter-1.2.9/files/contrib/README.txt
rkhunter-1.2.9/files/contrib/run_rkhunter.sh
rkhunter-1.2.9/files/CHANGELOG
rkhunter-1.2.9/files/LICENSE
rkhunter-1.2.9/files/README
rkhunter-1.2.9/files/WISHLIST
rkhunter-1.2.9/files/backdoorports.dat
rkhunter-1.2.9/files/check_modules.pl
rkhunter-1.2.9/files/check_port.pl
rkhunter-1.2.9/files/check_update.sh
rkhunter-1.2.9/files/defaulthashes.dat
rkhunter-1.2.9/files/filehashmd5.pl
rkhunter-1.2.9/files/filehashsha1.pl
rkhunter-1.2.9/files/md5blacklist.dat
rkhunter-1.2.9/files/mirrors.dat
rkhunter-1.2.9/files/os.dat
rkhunter-1.2.9/files/programs_bad.dat
rkhunter-1.2.9/files/programs_good.dat
rkhunter-1.2.9/files/rkhunter
rkhunter-1.2.9/files/rkhunter.conf
rkhunter-1.2.9/files/rkhunter.spec
rkhunter-1.2.9/files/showfiles.pl
rkhunter-1.2.9/files/development/
rkhunter-1.2.9/files/development/createfilehashes.pl
rkhunter-1.2.9/files/development/createhashes.sh
rkhunter-1.2.9/files/development/createhashesall.sh
rkhunter-1.2.9/files/development/osinformation.sh
rkhunter-1.2.9/files/development/rkhunter.8
rkhunter-1.2.9/files/development/rpmhashes.sh
rkhunter-1.2.9/files/development/rpmprelinkhashes.sh
rkhunter-1.2.9/files/development/search_dead_sysmlinks.sh
rkhunter-1.2.9/files/testing/
rkhunter-1.2.9/files/testing/rkhunter.conf
rkhunter-1.2.9/files/testing/rootkitinfo.txt
rkhunter-1.2.9/files/testing/stringscanner.sh
rkhunter-1.2.9/files/tools/
rkhunter-1.2.9/files/tools/README
rkhunter-1.2.9/files/tools/update_client.sh
rkhunter-1.2.9/files/tools/update_server.sh
rkhunter-1.2.9/installer.sh

 

 

[root@localhost rkhunter-1.2.9]# ./installer.sh
Rootkit Hunter installer 1.2.5 (Copyright 2003-2005, Michael Boelen)


Under active development by the Rootkit Hunter project team. For reporting
bugs, updates, patches, comments and questions see: rkhunter.sourceforge.net

Rootkit Hunter comes with ABSOLUTELY NO WARRANTY. This is free
software, and you are welcome to redistribute it under the terms
of the GNU General Public License. See LICENSE for details.

---------------
Starting installation/update

Checking  /usr/local... OK
Checking file retrieval tools... /usr/bin/wget
Checking installation directories...
- Checking /usr/local/rkhunter...Created
- Checking /usr/local/rkhunter/etc...Created
- Checking /usr/local/rkhunter/bin...Created
- Checking /usr/local/rkhunter/lib/rkhunter/db...Created
- Checking /usr/local/rkhunter/lib/rkhunter/docs...Created
- Checking /usr/local/rkhunter/lib/rkhunter/scripts...Created
- Checking /usr/local/rkhunter/lib/rkhunter/tmp...Created
- Checking /usr/local/etc...Exists
- Checking /usr/local/bin...Exists
Checking system settings...
    - Perl... OK
Installing files...
Installing Perl module checker... OK
Installing Database updater... OK
Installing Portscanner... OK
Installing MD5 Digest generator... OK
Installing SHA1 Digest generator... OK
Installing Directory viewer... OK
Installing Database Backdoor ports... OK
Installing Database Update mirrors... OK
Installing Database Operating Systems... OK
Installing Database Program versions... OK
Installing Database Program versions... OK
Installing Database Default file hashes... OK
Installing Database MD5 blacklisted files... OK
Installing Changelog... OK
Installing Readme and FAQ... OK
Installing Wishlist and TODO... OK
Installing RK Hunter configuration file... Skipped (no overwrite)
 >>>
 >>> PLEASE NOTE: inspect for update changes in /usr/local/etc/rkhunter.conf.1179292941
 >>> and apply to rkhunter.conf before running Rootkit Hunter.
 >>>
Installing RK Hunter binary... OK
Configuration already updated.

Installation ready.
See /usr/local/rkhunter/lib/rkhunter/docs for more information. Run 'rkhunter' (/usr/local/bin/rkhunter)

The install completes as shown above and the executable is placed at /usr/local/bin/rkhunter. Note the installer's message: because an rkhunter.conf already existed, the shipped configuration was written beside it as /usr/local/etc/rkhunter.conf.<timestamp> and is not applied; compare the two and merge any changes into rkhunter.conf before the first scan.

 

 

[root@localhost rkhunter-1.2.9]# rkhunter --help

Rootkit Hunter 1.2.9, Copyright 2003-2006, Michael Boelen

Under active development by the Rootkit Hunter project team. For reporting
bugs, updates, patches, comments and questions see: rkhunter.sourceforge.net

Rootkit Hunter comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to redistribute it under the terms of the GNU General
Public License. See LICENSE for details.


Valid parameters:
--checkall (-c)           : Check system
--createlogfile <file>*   : Create logfile (file is optional, defaults to
                          : /var/log/rkhunter.log)
--cronjob                 : Run as cronjob (removes colored layout)
--display-logfile         : Show logfile at end of the output
--help (-h)               : Show this help
--nocolors*               : Don't use colors for output
--report-mode*            : Don't show uninteresting information for reports
--report-warnings-only*   : Show only warnings (lesser output than --report-mode,
                          : more than --quiet)
--skip-application-check* : Don't run application version checks
--skip-keypress (-sk)*    : Don't wait after every test (non-interactive)
--quick*                  : Perform quick scan (instead of full scan)
--quiet*                  : Be quiet (only show warnings)
--update                  : Run update tool and check for database updates
--version                 : Show version and quit
--versioncheck            : Check for latest version

--bindir <bindir>*        : Use <bindir> instead of using default binaries
--configfile <file>*      : Use different configuration file
--dbdir <dir>*            : Use <dbdir> as database directory
--rootdir <rootdir>*      : Use <rootdir> instead of / (slash at end)
--tmpdir <tempdir>*       : Use <tempdir> as temporary directory

Explicit scan options:
--allow-ssh-root-user*    : Allow usage of SSH root user login
--disable-md5-check*      : Disable MD5 checks
--disable-passwd-check*   : Disable passwd/group checks
--scan-knownbad-files*    : Perform besides 'known good' check a 'known bad' check
--check-deleted           : Perform 'deleted files' check
--check-listen            : Perform 'listening applications' check

Multiple parameters are allowed
*) Parameter can only be used with other parameters

Those are the available options; the ones used most often are -c, --update and --createlogfile <file>. --update fetches new database files from the mirrors listed in mirrors.dat using the retrieval tool the installer found (wget here), so run it regularly, and before a scan, on a network path you trust. The options marked with * cannot be given on their own.

 

[screenshot: rk1.jpg]

 

When the program runs, it shows in color which programs checked out OK and which were flagged as abnormal.

 

At present, on CentOS 4.4 and later, the MD5 check fails for the kill and find binaries (2007.05.16). On RHEL/CentOS such mismatches are usually false positives: prelink (which the application scan in the log below finds on this host) rewrites binaries, and a package update newer than rkhunter's hash database changes a hash as well. Check a flagged file against the package database with rpm -V <package> before treating it as an infection.

[screenshot: rk2.jpg]

 

Rootkits themselves are of course checked too, and when a BAD result appears, running with the --createlogfile option records the full paths of the infected or installed files in the log.

 

 


[screenshot: rk3.jpg]
 
This part checks for network-level signs of infection and the system boot scripts.
 
 
 

[screenshot: rk4.jpg]
 
Here the versions of the server's applications are checked, along with user accounts that were changed or deleted since the previous scan.
The ssh configuration file is checked as well; the --allow-ssh-root-user option only silences the warning about root login being permitted, so fix sshd_config rather than suppressing it.
 
 
 

[screenshot: rk5.jpg]

When the scan completes, a summary of every check that returned BAD is shown.
 
 
 
 
When scanning with the rkhunter -c --createlogfile options,

/var/log/rkhunter.log is created, and it contains the following (excerpt):
 
and you are welcome to redistribute it under the terms of the GNU General
Public License. See LICENSE for details.
[15:01:46] Info: Shell /bin/bash
[15:01:46] ------------------------ Configuration check --------------------------
[15:01:46] Parsing configuration file (/usr/local/etc/rkhunter.conf)
[15:01:46] Info: No mail-on-warning address configured
[15:01:46] Info: Using /usr/local/rkhunter/lib/rkhunter/tmp as temporary directory
[15:01:46] Info: Using /usr/local/rkhunter/lib/rkhunter/db as database directory
[15:01:46] Info: Using '/usr/sbin /usr/bin /usr/local/bin /usr/local/sbin /bin /sbin /sw/bin /usr/local/libexec /usr/libexec' as binary directory
[15:01:46] -------------------------- Application scan ---------------------------
[15:01:46] Found /usr/sbin/lsof
[15:01:47] Found /usr/sbin/prelink
[15:01:46] Found /usr/bin/find
[15:01:46] Found /usr/bin/lsattr
[15:01:46] Found /usr/bin/md5sum
[15:01:46] Found /usr/bin/stat
[15:01:46] Found /usr/bin/strings
[15:01:46] Found /usr/bin/wget
[15:01:46] Found /usr/bin/readlink
[15:01:46] Found /usr/bin/perl (version 5.8.5)
[15:01:47] Found /bin/ls
[15:01:47] Found /bin/ps
[15:01:47] Found /sbin/ip
[15:01:47] Found /sbin/ifconfig
[15:01:47] Found /sbin/lsmod
[15:01:47] Info: WGET found
[15:01:47] Info: NMAP not found
[15:01:47] Info: LSOF found
[15:01:47] Info: ip found
[15:01:47] Application scan ended
[15:01:47] ---------------------------- System checks ----------------------------
[15:01:48] Info: kernel is 2.6
[15:01:48] Info: Found /etc/redhat-release
[15:01:49] Info: Full OS name = CentOS release 4.4 (Final)
[15:01:49] Info: OS ID = 724
[15:01:49] Info: Found MD5 command /usr/bin/md5sum
[15:01:49] Info: Perl version 5.8.5 found
[15:01:49] Info: Perl module Digest::MD5 installed (version 2.33).
[15:01:49] Info: Using perl module Digest::MD5 to verify MD5 hashes
[15:01:50] Info: using /usr/local/rkhunter/lib/rkhunter/tmp as temporary directory
[15:01:49] Info: UID is zero (root)
[15:01:49] Info: ksyms file check will be skipped (/proc/ksyms not available on this system)
[15:01:49] ---------------------------- File checks -----------------------------
[15:01:49] Checking /usr/local/rkhunter/lib/rkhunter/db/md5blacklist.dat... OK
[15:01:49] Checking /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat... OK
[15:01:49] Checking /usr/local/rkhunter/lib/rkhunter/db/programs_bad.dat... OK
[15:01:49] Checking /usr/local/rkhunter/lib/rkhunter/db/programs_good.dat... OK
[15:01:50] ------------------------------ Selftests ------------------------------
[15:01:50] Strings selftest: scanning for string /usr/sbin/ntpsx... OK
[15:01:50] Strings selftest: scanning for string /usr/lib/.../ls... OK
[15:01:50] Strings selftest: scanning for string /usr/lib/.../netstat... OK
[15:01:50] Strings selftest: scanning for string /usr/lib/.../lsof... OK
As shown above, the log records every scanned file path and all the details of the files found to be abnormal.
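The way this is normally used is from cron: a non-interactive scan that writes the log, followed by a small check that raises an alert when anything was flagged. The script below is an added example, not code from the original post or from the rkhunter project. Its flags come from the `rkhunter --help` output above; the log-line patterns it matches ("Warning:" and "BAD") and the sample log lines it embeds are assumptions about the 1.2.9 log format, not real scan output, so compare them with a genuine /var/log/rkhunter.log before relying on them.

```shell
#!/bin/sh
# Added example, not code from the original post or from the rkhunter project.
# Runs rkhunter non-interactively (as from cron) and turns the log into a short
# alert with a non-zero exit status when anything was flagged.
# Flags are taken from the `rkhunter --help` output on the page. The patterns
# matched in the log ("Warning:" and "BAD") are an ASSUMPTION about the 1.2.9
# log format; adjust them after inspecting a real /var/log/rkhunter.log.

RKHUNTER=${RKHUNTER:-/usr/local/bin/rkhunter}
LOGFILE=${LOGFILE:-/var/log/rkhunter.log}

# Full scan, no colors, no keypress waits, log written to $LOGFILE.
run_scan() {
    "$RKHUNTER" -c --cronjob --skip-keypress --createlogfile "$LOGFILE"
}

# Number of log lines that signal a problem (0 when the log is clean or missing).
count_findings() {
    n=$(grep -c -E 'Warning:|BAD' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Problem lines with the "[HH:MM:SS] " prefix stripped, for the alert body.
list_findings() {
    grep -E 'Warning:|BAD' "$1" | sed 's/^\[[0-9:]*\] *//'
}

# Prints a summary; returns 1 when there are findings, 0 when the log is clean,
# so cron mail or a monitoring job can key off the exit status.
summarize_log() {
    log=$1
    n=$(count_findings "$log")
    if [ "$n" -gt 0 ]; then
        echo "rkhunter: $n finding(s) in $log"
        list_findings "$log"
        return 1
    fi
    echo "rkhunter: no findings in $log"
    return 0
}

# Constructed sample log (NOT real scan output) so the parser can be tried offline.
write_sample_log() {
    cat > "$1" <<'EOF'
[15:01:46] Info: Shell /bin/bash
[15:01:49] Info: Found MD5 command /usr/bin/md5sum
[15:01:52] Warning: MD5 compare failed for /bin/kill
[15:01:52] Warning: MD5 compare failed for /usr/bin/find
[15:01:55] Info: Checking /etc/rc.d... OK
EOF
}

# A real scan runs only when RKHUNTER_RUN=1 (needs rkhunter installed and root);
# otherwise the summary is demonstrated on the constructed log.
if [ "${RKHUNTER_RUN:-0}" = 1 ]; then
    run_scan
    summarize_log "$LOGFILE"
else
    sample=$(mktemp)
    write_sample_log "$sample"
    summarize_log "$sample" || true
    rm -f "$sample"
fi
```

Run as root with RKHUNTER_RUN=1 from a daily cron entry; an exit status of 1 and the printed finding lines are what to alert on. The two constructed "Warning:" lines mirror the kill/find MD5 mismatches mentioned above, which on CentOS should first be checked with rpm -V before being escalated.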