Linux (X86) Archive - If you don't give up, you don't fail!

  Author   : 조성환 [ ladmin ] Votes: 2549, Edits: 2, Views: 8250, Lines: 222, Category: Etc.
Installing (compiling) and using chkrootkit

chkrootkit is a program that makes it easy to check whether a rootkit has been installed on a system. It can detect not only common rootkits but also kernel-based rootkits and worms.

See the related document:
http://coffeenix.net/data_repository/html/Chkrootkit.html




<Installation and usage>

Download the latest version of chkrootkit from http://www.chkrootkit.org/.


[root@ipstor1ccnuoe src]# ls
chkrootkit-0.47  chkrootkit-0.47.tar

[root@ipstor1ccnuoe src]# cd chkrootkit-0.47

[root@ipstor1ccnuoe chkrootkit-0.47]# ls
ACKNOWLEDGMENTS  chkdirs.c     chkproc.c   chkrootkit.lsm  chkwtmp.c  ifpromisc.c  README             README.chkwtmp
check_wtmpx.c    chklastlog.c  chkrootkit  chkutmp.c       COPYRIGHT  Makefile     README.chklastlog  strings.c



(Compile)

[root@ipstor1ccnuoe chkrootkit-0.47]# make sense
gcc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c
gcc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c
gcc -DHAVE_LASTLOG_H   -D_FILE_OFFSET_BITS=64 -o ifpromisc ifpromisc.c
gcc  -o chkproc chkproc.c
gcc  -o chkdirs chkdirs.c
gcc  -o check_wtmpx check_wtmpx.c
gcc -static  -o strings-static strings.c
gcc  -o chkutmp chkutmp.c



[root@ipstor1ccnuoe chkrootkit-0.47]# ls

ACKNOWLEDGMENTS  chkdirs     chklastlog.c  chkrootkit      chkutmp.c  COPYRIGHT    Makefile           README.chkwtmp
check_wtmpx      chkdirs.c   chkproc       chkrootkit.lsm  chkwtmp    ifpromisc    README             strings.c
check_wtmpx.c    chklastlog  chkproc.c     chkutmp         chkwtmp.c  ifpromisc.c  README.chklastlog  strings-static




(Check the server OS for a rootkit with the chkrootkit command)

[root@ipstor1ccnuoe chkrootkit-0.47]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not infected
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.6.1/i386-linux/.packlist

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... /proc/6674/fd: No such file or directory
/proc/6741/fd: No such file or directory
/proc/6749/fd: No such file or directory
/proc/6750/fd: No such file or directory
/proc/6758/fd: No such file or directory
/proc/6795/fd: No such file or directory
/proc/6959/fd: No such file or directory
eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... unable to open lastlog-file lastlog
Checking `chkutmp'...  The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID          PID TTY    CMD
! root         1820 tty1   /sbin/mingetty tty1
! root         1821 tty2   /sbin/mingetty tty2
! root         1822 tty3   /sbin/mingetty tty3
! root         1823 tty4   /sbin/mingetty tty4
! root         1824 tty5   /sbin/mingetty tty5
! root         1825 tty6   /sbin/mingetty tty6
chkutmp: nothing deleted

[root@ipstor1ccnuoe chkrootkit-0.47]#



For reference, the result messages of the checks mean the following.

*********************************************************
infected : the command has been modified by a rootkit (the system has been compromised).
not infected : the command has not been modified by a rootkit.
not tested : the check could not be performed.
not found : the command being checked is not present on the system.
*********************************************************


[root@ipstor1ccnuoe chkrootkit-0.47]# ./chkrootkit -h
Usage: ./chkrootkit [options] [test ...]
Options:
       -h                show this help and exit (shows the available options)
       -V                show version information and exit (shows the chkrootkit version)
       -l                show available tests and exit (shows the tests that can be run)
       -d                debug (debug mode, shows detailed output)
       -q                quiet mode (quiet mode, shows only modified/suspicious results)
       -x                expert mode (expert mode, shows the strings output)
       -r dir            use dir as the root directory (checks the tree below that directory)
       -p dir1:dir2:dirN path for the external commands used by chkrootkit (takes the external commands from those directories)
       -n                skip NFS mounted dirs (skips NFS-mounted directories)
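The legend above and the -q/-p options suggest a small wrapper for running chkrootkit from cron. The script below is an added example, not part of the original post or of the chkrootkit project: chkrootkit_triage reads chkrootkit output on stdin, classifies every line by the legend (infected / not infected / not tested / not found), flags anything else for review, prints a summary and returns a status that a scheduler can act on. The trusted-binary path /mnt/trusted/bin and the sample output are assumptions; the sample is constructed from the kind of lines shown in the scan above. Rows such as the idle mingetty processes listed by chkutmp and the perl .packlist hit seen in that scan are common benign results, so the script classes them as "review" rather than "infected".

```shell
#!/bin/sh
# Added example, not from the original post or the chkrootkit project.
# chkrootkit_triage reads chkrootkit output on stdin, prints the lines that
# need attention and a one-line summary, and returns
#   2 if any test reported INFECTED (or ifpromisc reported a PROMISC interface),
#   1 if something needs a human look (unexpected files, chkutmp rows, warnings),
#   0 when every test reported clean.
#
# Intended invocation on a real host (assumed path, run as root):
#   ./chkrootkit -q -p /mnt/trusted/bin | chkrootkit_triage
# /mnt/trusted/bin is assumed to hold known-good copies of ls, ps, netstat,
# strings, etc. (for example from read-only media), so the scan does not
# depend on binaries a rootkit may already have replaced on the host.

chkrootkit_triage() {
    awk '
        function flag(tag, line) { print "[" tag "] " line }

        # Per-test lines look like:  Checking <name>... <result>
        /^Checking `/ {
            n = index($0, "... "); res = substr($0, n + 4)
            if      (res ~ /^not infected|nothing detected|nothing deleted|no suspect files/) ok++
            else if (res ~ /^not tested/) nt++
            else if (res ~ /^not found/)  nf++
            else if (res ~ /INFECTED/)    { bad++;    flag("!", $0) }
            else if (res ~ /No such file or directory$/) noise++   # a process exited mid-scan
            else                          { review++; flag("?", $0) }
            next
        }
        # Signature searches: anything other than "nothing found" deserves a look
        /^Searching for / {
            if ($0 ~ /nothing found$/) ok++; else { review++; flag("?", $0) }
            next
        }
        # Interface state reported by ifpromisc
        /: PROMISC/     { bad++; flag("!", $0); next }
        /: not promisc/ { ok++; next }
        # Stray "/proc/NNNN/fd: No such file or directory" lines are the same mid-scan noise
        /^\/proc\/[0-9]+\/fd: No such file or directory$/ { noise++; next }
        /^! RUID/ { next }   # column header of the chkutmp table
        # Anything else that looks like a finding: chkproc warnings, chkutmp rows, listed paths
        /Warning|hidden|^! |^\// { review++; flag("?", $0); next }

        END {
            printf "summary: infected=%d review=%d not_infected=%d not_tested=%d not_found=%d noise=%d\n",
                   bad, review, ok, nt, nf, noise
            if (bad > 0) exit 2
            if (review > 0) exit 1
            exit 0
        }
    '
}

# Constructed sample output (not a real scan) so the script can be run as-is.
chkrootkit_sample() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `ls'... not infected
Checking `inetd'... not tested
Checking `amd'... not found
Checking `lkm'... chkproc: nothing detected
Checking `ps'... INFECTED
Searching for t0rn's default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.6.1/i386-linux/.packlist
/proc/6674/fd: No such file or directory
eth0: not promisc and no PF_PACKET sockets
! root         1820 tty1   /sbin/mingetty tty1
EOF
}

# Demo run on the constructed sample; the exit status is what a cron job would act on.
chkrootkit_sample | chkrootkit_triage || echo "exit status $?"
```

For a scheduled scan, keep the trusted binaries on media the host cannot write to, run with -q so only findings are mailed, and treat status 1 as "someone looks at it" and status 2 as "isolate the host": once a command reports INFECTED, nothing the host itself reports can be trusted, which is the point the closing advice in this post makes.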




* What to do when commands have been altered by a rootkit

: The system has most likely been compromised and the attacker has most likely obtained root privileges. One could track down the trojaned commands and replace them with the originals, but the safest course is to reinstall the system, patch the relevant vulnerabilities, stop unnecessary services, and take similar measures so that the system can be used safely.




2007/05/04(00:28) from 59.30.129.220